

fd97207

@comcast.net

[XP] security implications of turning off a router's firewall

I am trying to use skype and the Belkin Pre N wireless router's firewall does not allow it to function well. The issue has been documented here:
»forum.skype.com/index.php?s=920f···ry460024
where it is advocated to turn off the router's firewall which corrects VOIP malfunctioning. The question I have is: what are the security implications of turning off a router's firewall esp. as it relates to this scenario? Thanks,



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA

Re: [XP] security implications of turning off a router's firewall

said by fd97207 :

I am trying to use skype and the Belkin Pre N wireless router's firewall does not allow it to function well. The issue has been documented here:
»forum.skype.com/index.php?s=920f···ry460024
where it is advocated to turn off the router's firewall which corrects VOIP malfunctioning. The question I have is: what are the security implications of turning off a router's firewall esp. as it relates to this scenario? Thanks,


The Stateful Packet Inspection firewall in a NAT router like the Belkin adds protection to the Belkin, by preventing non-stateful attacks against the router WAN port. The NAT component in the router protects the individual computers, even with SPI disabled.

The SPI firewall only protects against malicious Internet traffic, it provides no protection against malicious WiFi traffic. The fact that the router is also a WiFi Access Point has no effect on the safety issues involved in disabling the SPI firewall.

SPI protects against DoS type attacks on your Internet service, and has nothing to do with your WiFi. Disabling SPI won't endanger the computers themselves.
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network


fd97207

@comcast.net
reply to fd97207

Hi Chuck,

Thanks for your reply. I need some clarifications as I am not very knowledgeable:
+ I just know I disabled the firewall by clicking appropriate setting on the Belkin Pre N router menu as mentioned in the thread to which I previously referred. Nowhere did I encounter the term SPI when I was disabling the firewall fyi. Have I disabled the SPI firewall as you claim?
+ Is it possible for you to explain what SPI is?
+ Would I be better off getting a wired modem in terms of security? If so why?
+ What steps can I take to guard myself against wifi attacks? I have heard of something like WEP - does that help in securing my wireless network? If so how can I set it?
+ When I tried to do testyourvoip the test failed if my computer was wirelessly connected vs. test passed when computer was wired to router. Why should this be so?

thanks,



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA

I told you yesterday what SPI is. Why didn't you read the articles?



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA


Did the post above confuse you?

Good.

That was a non-stateful reply. I didn't cite any articles, yesterday. You can read about NAT, today.
»nitecruzr.blogspot.com/2005/05/w···ter.html

The bad guys use non-stateful attacks to get your servers or firewalls to drop communications, or maybe to drop a protection, in an effort to keep up with incoming traffic.

Their traffic towards an unprotected server may make as much sense to the server as my reply above must have meant to you.

Apologies if the above post confused you, unacceptably. I've been waiting to try this approach to explaining SPI, for a while.
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA
reply to fd97207

said by fd97207 :

Hi Chuck,

Thanks for your reply. I need some clarifications as I am not very knowledgeable:
+ I just know I disabled the firewall by clicking appropriate setting on the Belkin Pre N router menu as mentioned in the thread to which I previously referred. Nowhere did I encounter the term SPI when I was disabling the firewall fyi. Have I disabled the SPI firewall as you claim?
+ Is it possible for you to explain what SPI is?
+ Would I be better off getting a wired modem in terms of security? If so why?
+ What steps can I take to guard myself against wifi attacks? I have heard of something like WEP - does that help in securing my wireless network? If so how can I set it?
+ When I tried to do testyourvoip the test failed if my computer was wirelessly connected vs. test passed when computer was wired to router. Why should this be so?


The term "firewall" is pretty vague; there are many firewalls because there are many ways the bad guys have to attack you.

The simplest and earliest firewall would be a filter that says "Don't accept traffic from IP address nnn.nnn.nnn.nnn". With a NAT router, only solicited traffic is accepted, so filtering isn't necessary.

NAT provides a filter against malicious incoming traffic, by only passing solicited traffic. Your computer asks for communications with a server, and the NAT function gets that communication. Any other communication is ignored. Your individual computers only get solicited incoming traffic, based upon what they asked for. Your computers have to trust the servers that they ask for contact.

So the only way that a bad guy can attack a NAT router is by non-stateful traffic against the router itself. A Stateful Packet Inspection (SPI) firewall examines the content of the incoming traffic, and looks for non-stateful attacks, like what I used on you above. Traffic that just confuses you (or your router).

An SPI firewall is what's commonly added to most domestic (NAT) routers, like the Belkin.

We'll get through the SPI explanation, then we'll move to other security issues, like WiFi. Are you OK so far?
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network


fd97207

@microsoft.com
reply to fd97207

Hi Chuck,

thanks. I read your article and also »pcworld.about.com/news/Aug252004id117557.htm. Based on these articles my understanding is that the firewall on the router does really serve a useful purpose. The PC World article says "According to the Internet Storm Center, a typical unprotected PC will come under attack within 20 minutes of being connected to the Internet." Is there any way to solve my VOIP woes without compromising the firewall on my router? To recap, I had to turn off the firewall on my router to make Skype work. With the firewall on, Skype just won't work. Does Skype work well with perhaps another router and firewall ON? Thanks,



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA


said by fd97207 :

Hi Chuck,

thanks. I read your article and also »pcworld.about.com/news/Aug252004id117557.htm. Based on these articles my understanding is that the firewall on the router does really serve a useful purpose. The PC World article says "According to the Internet Storm Center, a typical unprotected PC will come under attack within 20 minutes of being connected to the Internet." Is there any way to solve my VOIP woes without compromising the firewall on my router? To recap, I had to turn off the firewall on my router to make Skype work. With the firewall on, Skype just won't work. Does Skype work well with perhaps another router and firewall ON? Thanks,


Reread the article, please, to understand what is an "unprotected pc".

I am in favour of Layered Security, and preach it constantly.
»nitecruzr.blogspot.com/2005/05/p···our.html
»Security »How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach:

A computer behind a NAT router doesn't qualify as an "unprotected pc". NAT acts as a filter. I'll discuss unprotected computers all the time, as in the British experiment, Jacques' Hack Attack.
»nitecruzr.blogspot.com/2005/05/s···ity.html

Now if you're rereading the PCWorld article, see
I think he went out and bought a Linksys firewall box.
For my money, that refers to a Linksys NAT router. Linksys does make "firewalls", but "NAT Routers" are way more available in stores. PCWorld does not cover the difference between "firewall" and "NAT router", and that is why I find it necessary to didactically explain the difference.
»nitecruzr.blogspot.com/2005/05/w···ter.html

Once installed, the NAT router provides protection to the computers. If a NAT router has SPI, that protects the Internet connection to the NAT router (and to the computers). If the NAT router has an SPI firewall, and you turn the SPI off, your Internet connection is unprotected. But VOIP traffic isn't stateful, and that's why you'll have problems with an SPI firewall and VOIP.
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network


cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA
reply to fd97207

At any rate, having discussed the firewall and NAT router issue, let's cover the WiFi issue.

A firewall / NAT router protects your computers against malicious traffic from the Internet. It's perimeter protection (i.e. the moat in my castle analogy).
»nitecruzr.blogspot.com/2005/05/p···our.html

The moat didn't protect against arrows shot from outside, nor from rocks thrown by a catapult. Neither a firewall, nor NAT, protects the computers on your LAN from malicious WiFi traffic.

The radio in the WiFi router (access point) is connected to the Ethernet switch that your wired computers connect to. A WiFi access point is a wireless hub, sharing the connection media (radio channel) with all WiFi connected computers. And both the computers connected to the switch through Ethernet, and the computers connected to the WiFi access point, are all at risk from WiFi intruders.

That's why WiFi protection is essential in a WiFi LAN. WEP, which isn't secure, is still better than no protection. No business or home LAN that I ever set up will have anything less than WPA, though.
»nitecruzr.blogspot.com/2005/05/s···ect.html

The issue here is that the router firewall, and WiFi security, are separate concerns. Neither has any effect on the other, and getting an Ethernet router (and giving up the convenience of WiFi) won't mitigate the risk produced (or not) by disabling SPI, to allow VOIP to work.
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network
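Chuck's remark above that WEP "isn't secure" can be made concrete. What follows is an added example for this thread, not code from the post or from any vendor. WEP encrypts each frame with RC4 under a per-frame key made of a 24-bit initialisation vector (IV), which is sent in the clear, prepended to the shared key. With only 2^24 IVs, and IV counters that restart from zero, the same IV gets used twice, and two frames under one IV share a keystream: XOR the two ciphertexts and the keystream cancels, leaving the XOR of the plaintexts. The key, IV and frame bodies below are constructed. The attacker function has no key; it only needs to know the first bytes of one frame, which the fixed LLC/SNAP header of an ARP frame supplies. WEP's CRC-32 integrity value is left out, since it does not change the result.

```python
# Added illustration of the WEP IV-reuse weakness, not code from the thread or any vendor.
# WEP per-frame key = 24-bit IV (sent in the clear) || shared key, then RC4.
# Two frames under the same IV share a keystream, so C1 ^ C2 == P1 ^ P2.
# Key, IV and frame bodies are constructed; the CRC-32 ICV is omitted.

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, body: bytes) -> bytes:
    """Station side: frame = IV || RC4(IV || key)(body)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4_keystream(iv + shared_key, len(body))
    return iv + bytes(b ^ k for b, k in zip(body, ks))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Access point side: same keystream, same XOR."""
    iv, ct = frame[:3], frame[3:]
    ks = rc4_keystream(iv + shared_key, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Every ARP frame starts with this LLC/SNAP header, so its first 8 bytes are known.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")


def recover_frame_from_iv_reuse(frame_known: bytes, known_body: bytes, frame_target: bytes):
    """Attacker side (no key): if the two frames carry the same IV, XOR the known
    plaintext out of the first to get keystream, then strip it from the second.
    Recovers as many bytes of the target as there are known bytes."""
    if frame_known[:3] != frame_target[:3]:
        return None                                     # different IV, different keystream
    keystream = bytes(c ^ p for c, p in zip(frame_known[3:], known_body))
    return bytes(c ^ k for c, k in zip(frame_target[3:], keystream))


def iv_reuse_demo() -> bytes:
    key = bytes.fromhex("0f1e2d3c4b")                   # constructed 40-bit ("64-bit") WEP key
    iv = b"\x00\x00\x01"                                # an early IV; a counter restarting at 0 repeats it
    arp_frame = LLC_SNAP_ARP + bytes(20)                # constructed ARP body after the header
    secret = b"GET /login?user=bob&pw=hunter2 HTTP/1.0\r\n"
    f1 = wep_encrypt(key, iv, arp_frame)
    f2 = wep_encrypt(key, iv, secret)                   # same IV: keystream reused
    return recover_frame_from_iv_reuse(f1, LLC_SNAP_ARP, f2)   # b"GET /log"
```

Eight bytes of known plaintext give eight bytes of keystream and eight bytes of the other frame; an attacker who can inject frames of chosen content, or who simply collects traffic until more IVs repeat, extends this to whole frames. None of it depends on the key length, which is why 128-bit WEP is no better than 64-bit here and why WPA replaced the scheme. It also has nothing to do with the router's SPI setting, which is the separate concern Chuck describes.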



fd97207

@comcast.net
reply to fd97207

thanks a lot Chuck. I am still trying to absorb all this info. In the meantime I have a quick question: Is it possible to selectively disable my router's firewall only for certain devices connected to it? Let me explain. There are two devices connected to my router: my computer and a linksys cit400 skype phone. I only use the linksys phone for skype. So can I turn off the firewall for the phone but not the computer? If so how?

On another note quoting you earlier:
At one point you said:
A computer behind a NAT router doesn't qualify as an "unprotected pc".
At another point you say:
If the NAT router has an SPI firewall, and you turn the SPI off, your Internet connection is unprotected.

Isn't this contradictory? Doesn't an unprotected internet connection qualify as an unprotected PC? Well, maybe you implicitly assumed in the first sentence that the firewall is ON? And extrapolating further, if what you say is true then IMO the firewall does serve a useful purpose as I postulated earlier. I'll let you clarify.



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA

said by fd97207 :

thanks a lot Chuck. I am still trying to absorb all this info. In the meantime I have a quick question: Is it possible to selectively disable my router's firewall only for certain devices connected to it? Let me explain. There are two devices connected to my router: my computer and a linksys cit400 skype phone. I only use the linksys phone for skype. So can I turn off the firewall for the phone but not the computer? If so how?

On another note quoting you earlier:
At one point you said:
A computer behind a NAT router doesn't qualify as an "unprotected pc".
At another point you say:
If the NAT router has an SPI firewall, and you turn the SPI off, your Internet connection is unprotected.

Isn't this contradictory? Doesn't an unprotected internet connection qualify as an unprotected PC? Well, maybe you implicitly assumed in the first sentence that the firewall is ON? And extrapolating further, if what you say is true then IMO the firewall does serve a useful purpose as I postulated earlier. I'll let you clarify.


A real firewall is configurable. The SPI firewall on a NAT router can only be turned on or off. With a real firewall, it should be possible to selectively open holes and allow specific traffic through.

The SPI firewall doesn't block traffic to any specific device or computer, it only protects the WAN port of the router. Directing traffic to an individual computer (and thus endangering it) is the job of the NAT processor, and NAT only sends solicited traffic. Your individual computers aren't at risk, SPI or no SPI.

If one of your computers were connected directly to the Internet, it would be an "unprotected pc". Behind a NAT router, it's not an unprotected pc. SPI doesn't make the individual computers any safer, excepting that if a non-stateful attack were to be carried out successfully against the NAT router, the router might do something unpredictable.

Apparently, VOIP traffic looks like non-stateful traffic to the SPI firewall in the Belkin. The firewall either drops the packets that it can't handle, or it logs them as an attack, and fills up the firewall attack log. Neither is something that you want.

So you're instructed to disable SPI if you want to use VOIP.

It's possible that a different router (with probably a beefier processor - read more $$$) can handle VOIP and SPI simultaneously. You're welcome to find out. Barring that possibility, what do you want to do? If disabling SPI to enable VOIP to work were known to create a major risk to the computers on the LAN, I'd hope that Belkin would have the grace to label the router as "VOIP Router - but don't use it for that because we can't protect the computers!!".

LOL. Maybe Belkin has a firmware upgrade that will let you use SPI and VOIP simultaneously too. Have you checked with Belkin?
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network


fd97207

@microsoft.com
reply to fd97207

Yes, I checked; there is no firmware upgrade available, although this has been a known issue for about 2 years now.



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA

said by fd97207 :

Yes, I checked; there is no firmware upgrade available, although this has been a known issue for about 2 years now.


OK, I guess that leaves you with 3 choices:

    •Keep this router, disable SPI, and use VOIP.
    •Keep this router, don't disable SPI, and don't use VOIP.
    •Get another router, that is truly SPI / VOIP capable, and use it.

I'd go with #1 or #3. What's your choice?
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network


fd97207

@microsoft.com
reply to fd97207

I'm using #1. What router to use if I want to go with option #3? Is there a list of any skype approved routers somewhere? thanks,



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA


said by fd97207 :

I'm using #1. What router to use if I want to go with option #3? Is there a list of any skype approved routers somewhere? thanks,


It's possible that Skype has a list. You could also try the VOIP forum here, and see who has good experiences with Skype and their router.
»VOIP Tech Chat

I'm not sure, from scanning the topics there, that the focus there is on technical issues, but it is named "VOIP Tech Chat", so give it a go. If you wish, you can link from here to your new thread, so we can track the discussion. See "permalink" in each small window here? That's the link to the post.

As I said above though, I would hope that the current router will serve you adequately, since it is called a "VOIP Router". Maybe the folks in VOIP Tech Chat can sort you on that issue.
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network


fd97207

@comcast.net

OK, I posted a post to that effect. It's here:
»Is there a list of skype approved routers?



fd97207

@comcast.net
reply to fd97207

Hey Chuck, see what these guys say:
»groups.google.com/group/comp.sec···34c18f74



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA

said by fd97207 :

Hey Chuck, see what these guys say:
»groups.google.com/group/comp.sec···34c18f74


LOL.

Welcome to comp.security.firewalls.

Wear asbestos clothing, if you're going in there.

They will argue the firewall vs NAT router issue for days.

But, they do make one point. If you put the Skype unit in the DMZ, it should bypass the firewall (and NAT).

Don't you think it's time to register here? Registration is free, and it will be a lot easier to help you.
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network

fd97207

join:2007-11-09
reply to fd97207

Do you think placing the phone in the DMZ is an acceptable solution? Is it possible for someone to do damage to the phone since it will be completely unprotected?

The router does seem to have some sophisticated features. After all it was very expensive. I think it will be really difficult for me to explain since I don't know what these features are. I will copy some things and you can judge if any of following features can help and if so how:
FEATURE 1 (SEE BELOW) CAN THIS BE USEFUL? DOES IT AMOUNT TO SELECTIVELY DISABLING THE FIREWALL FOR CERTAIN DEVICES?
This function will allow you to route external (Internet) calls for services such as a web server (port 80), FTP server (Port 21), or other applications through your Router to your internal network. Since your internal computers are protected by a firewall, machines from the Internet cannot get to them because they cannot be 'seen'. If you need to configure the Virtual Server function for a specific application, a list of common applications has been provided.
I WENT THROUGH THE DROP DOWN LIST PROVIDED. IT HAD MANY GAMES ETC. BUT NO SKYPE OR VOIP.
If your application is not listed, you will need to contact the application vendor to find out which port settings you need. To select from the provided list, select your application from the drop-down list. Select the row that you want to copy the settings to from the drop-down list next to "to row", then click "Enter". The settings will be transferred to the row you specified. Click "Apply Changes" to save the setting for that application. To manually enter settings, enter the IP address in the space provided for the internal (server) machine,
DOES THIS REFER TO IP FOR THE PHONE?
the port(s) required to pass (use a comma between multiple ports), select the port type (TCP or UDP) and click "Apply Changes".
HOW DO I FIND WHAT TO ENTER FOR THESE PARAMETERS?
You can only pass one port per internal IP address. Opening ports in your firewall can pose a security risk. You can enable and disable settings very quickly. It is recommended that you disable the settings when you are not using a specific application.



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA

A VOIP device is designed to be connected directly to the Internet, even with the threat of hacking that's normal today. It shouldn't contain any attack surface that is accessible from the WAN (Internet) port. And it won't provide any file sharing connectivity to the rest of your LAN, so it won't be an attack vector to your computers either.

It's just a phone, and should be safe. It's a phone that uses IP for connectivity.
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network
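Two of Chuck's points in this thread, that NAT alone passes only solicited traffic so the computers are safe "SPI or no SPI", and that SPI exists to catch packets that fit no connection state, sit next to the two options fd97207 pulled out of the Belkin manual, a virtual server entry or the DMZ. The following toy router puts all four side by side. It is an added example for this thread, not code from the post, from Belkin, Skype or Linksys, and its SPI behaviour for UDP is a simplifying assumption, not a description of the Belkin's firmware: in SPI mode the model accepts a UDP reply only from the exact remote endpoint the LAN host last sent to, so a Skype peer that learned the phone's mapped port from a rendezvous server looks unsolicited. Real routers differ in exactly that rule. Addresses, ports and host roles are constructed.

```python
# Toy NAT router with an optional SPI mode, a "virtual server" (port-forward)
# table and a DMZ host.  Added illustration for this thread; not Belkin, Skype
# or Linksys code.  The SPI rule for UDP below is a simplifying ASSUMPTION about
# why SPI breaks the call, not a description of the Belkin's actual firmware.
from dataclasses import dataclass

WAN_IP = "203.0.113.7"        # router's public address (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp" or "udp"
    src: tuple                # (ip, port)
    dst: tuple                # (ip, port)
    flags: frozenset = frozenset()   # TCP flags such as {"SYN"}; unused for udp


class NatRouter:
    def __init__(self, spi=True, dmz_host=None):
        self.spi = spi
        self.dmz_host = dmz_host
        self.forwards = {}    # (proto, wan_port) -> (lan_ip, lan_port)
        self.mappings = {}    # (proto, wan_port) -> {"lan": endpoint, "remote": endpoint}
        self.next_port = 40000
        self.log = []

    def add_virtual_server(self, proto, wan_port, lan_ip, lan_port):
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """LAN -> WAN.  Creating (or reusing) a mapping is what makes a reply 'solicited'."""
        for (proto, port), m in self.mappings.items():
            if proto == pkt.proto and m["lan"] == pkt.src:
                wan_port = port
                break
        else:
            wan_port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[(pkt.proto, wan_port)] = {"lan": pkt.src, "remote": pkt.dst}
        return Packet(pkt.proto, (WAN_IP, wan_port), pkt.dst, pkt.flags)

    def inbound(self, pkt):
        """WAN -> LAN.  Returns (verdict, delivered packet or None)."""
        key = (pkt.proto, pkt.dst[1])
        entry = self.mappings.get(key)
        if entry:
            lan = entry["lan"]                   # reply to a flow a LAN host opened
        elif key in self.forwards:
            lan = self.forwards[key]             # virtual server entry for this port
        elif self.dmz_host:
            lan = (self.dmz_host, pkt.dst[1])    # DMZ host receives everything else
        else:
            lan = None                           # unsolicited: nobody asked for it
        # The DMZ host is exempt from the firewall; that is both the point and the risk.
        if self.spi and not (lan and lan[0] == self.dmz_host):
            reason = self._spi_check(pkt, entry)
            if reason:
                self.log.append(f"SPI drop {pkt.src} -> :{pkt.dst[1]} ({reason})")
                return "spi-drop", None
        if lan is None:
            self.log.append(f"NAT drop unsolicited {pkt.src} -> :{pkt.dst[1]}")
            return "nat-drop", None
        return "pass", Packet(pkt.proto, pkt.src, lan, pkt.flags)

    def _spi_check(self, pkt, entry):
        if pkt.proto == "tcp":
            # Segments that fit no connection state: the "confusing" packets aimed at
            # the router itself (null scan, SYN+FIN, stray ACK with no tracked flow).
            if not pkt.flags:
                return "tcp segment with no flags"
            if {"SYN", "FIN"} <= pkt.flags:
                return "SYN and FIN set together"
            if "SYN" not in pkt.flags and entry is None:
                return "mid-stream segment with no tracked connection"
        # ASSUMED rule: in SPI mode a reply is accepted only from the exact remote
        # endpoint the LAN host last sent to.  A VoIP peer that learned our mapped
        # port from a rendezvous server therefore looks "non-stateful".
        if entry is not None and pkt.src != entry["remote"]:
            return f"reply from {pkt.src}, flow was opened to {entry['remote']}"
        return None


def voip_scenario(spi, forward_phone=False, dmz_phone=False):
    """Skype-style call set-up: the phone registers with a rendezvous server, then a
    peer that learned the phone's mapped port from that server sends media directly.
    An unsolicited TCP SYN and a null scan from a third host are thrown in."""
    pc, phone = ("192.168.2.10", 50000), ("192.168.2.20", 5060)
    rendezvous, peer = ("198.51.100.5", 33033), ("198.51.100.9", 7000)
    attacker = ("192.0.2.66", 6667)
    r = NatRouter(spi=spi, dmz_host=phone[0] if dmz_phone else None)
    if forward_phone:
        r.add_virtual_server("udp", phone[1], *phone)
    mapped = r.outbound(Packet("udp", phone, rendezvous)).src   # what the peer is told
    syn_verdict, syn_pkt = r.inbound(Packet("tcp", attacker, (WAN_IP, pc[1]), frozenset({"SYN"})))
    return {
        "server_reply":    r.inbound(Packet("udp", rendezvous, mapped))[0],
        "peer_media":      r.inbound(Packet("udp", peer, mapped))[0],
        "peer_to_5060":    r.inbound(Packet("udp", peer, (WAN_IP, phone[1])))[0],
        "unsolicited_syn": syn_verdict,
        "syn_landed_on":   syn_pkt.dst[0] if syn_pkt else None,
        "null_scan":       r.inbound(Packet("tcp", attacker, (WAN_IP, 80)))[0],
    }
```

Calling `voip_scenario(spi=True)` drops the peer's media at the SPI stage while the server's reply passes; `voip_scenario(spi=False)` lets the media through, yet the attacker's SYN to the PC is still dropped by NAT, which is Chuck's "SPI or no SPI" point, and the null scan is now dropped by NAT instead of SPI. With `forward_phone=True` only the phone's fixed port is opened and SPI stays on. With `dmz_phone=True` the peer's media passes, but so does every other unsolicited packet, SYN included, all of it landing on the phone; that is the trade-off behind fd97207's "completely unprotected" question and Chuck's answer that a VoIP device is built to take it.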


fd97207

join:2007-11-09
reply to fd97207

hi,

After all that has been said, what I have done is to disable the firewall instead of putting the phone in the DMZ (I resist making changes to something that is working). I don't seem to have any problems and my system passed the Shields Up test. Thanks a lot for your help. You guys are so much more helpful than the tech support. I emailed Skype, Belkin, Linksys and all of them have been completely useless.



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA

said by fd97207:

After all that has been said, what I have done is to disable the firewall instead of putting the phone in the DMZ (I resist making changes to something that is working). I don't seem to have any problems and my system passed the Shields Up test. Thanks a lot for your help. You guys are so much more helpful than the tech support. I emailed Skype, Belkin, Linksys and all of them have been completely useless.


I advertise paranoia, but in your case I think you're making the right choice.

In defense of Belkin, Linksys, Skype, et al, they can only support their own product. When you mix and match products, this is a normal situation. And that's where DSLR comes into play.

Come back anytime.
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network