Vulnerability Development mailing list archives
Re: Linksys 4-port Router NAT/Firewall
From: Ed Padin <epadin () WAGWEB COM>
Date: Fri, 25 Aug 2000 17:17:31 -0400
I have a friend using the Linksys router for RAS/PPOE on a bell atlantic DSL connection. I scanned his with nmap and all tcp ports where closed and in 'stealth mode' so that no reponses where sent about closed ports. UDP was another story. I was able to quickly scan the first 1448 ports with nmap and got the following: Interesting ports on (X.X.X.X): (The 1442 ports scanned but not shown below are in state: closed) Port State Service 67/udp open bootps 69/udp open tftp 520/udp open route 1080/udp open socks <---- hmmm.... 1083/udp open ansoft-lm-1 1084/udp open ansoft-lm-2 It didn't even throttle the ICMP port closed packets the way Solaris and other unices do so nicely. I'm not sure what's exploitable here and if anything really is listening.. It's so hard to tell with UDP. I tried using netcat to connect to each port but could net get it to send me back any data. It could be that it just doesn't send an ICMP port unreachble for these ports.
-----Original Message----- From: Michael Wojcik [mailto:Michael.Wojcik () MERANT COM] Sent: Friday, August 25, 2000 11:56 AM To: VULN-DEV () SECURITYFOCUS COM Subject: Re: Linksys 4-port Router NAT/Firewall-----Original Message----- From: Larry D'Anna [mailto:larry () pink dhs org] Sent: Thursday, August 24, 2000 7:32 PM* Litscher, Steven (Steven.Litscher () OJA STATE WI US) [000824 20:08]:[using Linksys home router / NATting firewall w/ ZoneAlarm]As Bruce Schneier would say, security is a process, not a product.One of the implications of this statement is that security aspects - including risks - change over time.A firewall is one way to make life more difficult for anattacker, but itdoesn't guarantee security by any means. What does the linksys do? What does ZoneAlarm do? If they are doing basicly the same things (and I suspect they are) and neither of them has knownvulnerabilitiesthen it probably doesn't matter which you use.I humbly submit that new vulnerabilities may be found in the future in one or the other product; hence it is probably best to continue using both. Checking for known vulnerabilities is a good idea, but a lack of them shouldn't be taken as evidence that no vulnerabilities exist. Of course, it's always possible that two security products in combination may be weaker than only one. (Indeed, it's not even particularly unlikely.) My sense, from evaluating the particular combination I have, is that the whole set is stronger than any proper subset under my threat model, and that similarly Steven would be better off keeping ZoneAlarm, since he apparently already has it installed and working.All I'm trying to say is that you shouldn't think of afirewall as being"safe" or "unsafe" or "safe enough". You should think of it in terms the specific functionality it provides.True, but you should also consider whether overlapping functionality may help one product cover unexpected deficiencies in another, and whether their combination may produce an unexpected deficiency that does not exist in one or the other used separately. In general, I wouldn't advise retiring a level of protection merely because it seems redundant. Just because I have a NATting firewall router doesn't mean I don't want to use tcp_wrappers to restrict incoming connections to my LAN.See the recent thread in bugtraq about using brownorrifice to totally bypass almost any firewall that lets web traffic through.This is an instance where a connection-monitoring utility like ZA might (I haven't tested it, nor researched the behavior of ZA and BrO sufficiently to make an educated guess) provide protection against an exploit that a NATting router would not handle. Connector monitors are generally fairly good at detecting network activity by trojans; external firewalls cannot do this, except in the cases where trojan activity has a detectable signature in the traffic itself, which are relatively rare and easy for trojan authors to avoid. Michael Wojcik michael.wojcik () merant com MERANT Department of English, Miami University
Current thread:
- Linksys 4-port Router NAT/Firewall Litscher, Steven (Aug 24)
- Re: Linksys 4-port Router NAT/Firewall Larry D'Anna (Aug 24)
- Re: Linksys 4-port Router NAT/Firewall David Knaack (Aug 24)
- Re: Linksys 4-port Router NAT/Firewall Bluefish (P.Magnusson) (Aug 25)
- Re: Linksys 4-port Router NAT/Firewall Dragos Ruiu (Aug 24)
- Re: Linksys 4-port Router NAT/Firewall Jonathan Rickman (Aug 24)
- <Possible follow-ups>
- Re: Linksys 4-port Router NAT/Firewall Michael Wojcik (Aug 25)
- Re: Linksys 4-port Router NAT/Firewall Ed Padin (Aug 25)
- Message not available
- Re: Linksys 4-port Router NAT/Firewall Dragos Ruiu (Aug 26)
- Message not available
- Re: Linksys 4-port Router NAT/Firewall Dragos Ruiu (Aug 26)