The Internet is a dangerous place these days, with identity theft scams and
zombie networks among other dangers. The average lifetime of an unprotected
computer on the Internet is about 20 minutes before it gets discovered,
compromised and exploited. The standard response to these dangers is the
firewall. There are two kinds:
-
software firewalls -- software running on the computer itself that attempts
to protect that one machine, and
-
hardware firewalls -- a separate device that can protect an entire network
behind it.
This note is about hardware firewalls, specifically the ones built into the
very popular all-in-one DSL router/firewall devices. Some models include
a built-in wireless access point and a 4 to 6 port network hub/switch.
The firewall function in these routers is only rudimentary: it is not a
suitable firewall for protecting a corporate network or a sensitive home
network. These devices are popular nevertheless because they cost well under
$100, whereas industrial-strength firewalls cost $700 and more.
Even though these firewalls are very basic, and a skilled attacker has several
approaches for defeating their defenses, there are things one can do to
improve what security they provide.
Here are some things you can do to enhance their security:
-
Never use remote administration. This feature is supposed to allow someone
outside your network to administer your firewall. Enabling it exposes the
router's administrative interface, and every flaw in it, to the whole
Internet, with the password as the only thing standing between an attacker
and the router's configuration. Passwords can be guessed, and on these
devices the interface is usually plain HTTP, so the password also crosses
the Internet unencrypted every time you log in. Keep it disabled. If you
really must administer the device from elsewhere, reach your network over a
VPN first rather than opening the interface to the Internet.
-
Always change the administrative password from the factory default.
The default passwords for many devices are widely known (they are printed
in the manuals and collected in lists on the Internet), so a default
password is no password at all. Choose a long password that you do not use
anywhere else.
-
Never use DHCP from the router. The DHCP server tells every machine on your
LAN which address to use, which machine is the gateway and which DNS servers
to trust, so whoever controls it controls where all of your traffic goes.
An intruder who has gained access to your firewall can use its DHCP service
to redirect your entire internal network, and a machine on the LAN (or on
the wireless side) can flood the service with requests to exhaust its
address pool or crash a buggy implementation, taking the whole LAN down
with it. Note that the DHCP service listens only on the LAN side, so this
attack needs a foothold on your network or on the router itself; it is not
reachable directly from the Internet. Assigning addresses to your machines
by hand removes the dependency altogether.
-
Do not use the default internal network address range. The Linksys uses the
default internal range 192.168.1.0/24, that is, addresses 192.168.1.1 to
192.168.1.254, where .1 is the router, .0 is the network address and .255
is the broadcast address. Attacks that reach your router from the inside,
for example a malicious web page that makes your browser send requests to
the router's address, rely on that address not having been changed from
the default, so use a different one. The Internet standards (RFC 1918)
reserve three blocks for private internal addresses that will never be
assigned to any public host:
10.0.0.0 to 10.255.255.255 (10.0.0.0/8),
172.16.0.0 to 172.31.255.255 (172.16.0.0/12), and
192.168.0.0 to 192.168.255.255 (192.168.0.0/16).
Whatever subnet you carve out of these, its first address is the network
address and its last address is the broadcast address, and neither can be
given to a machine. The ".0 is the network, .255 is the broadcast" rule
holds only for the 256-address (/24) subnets these routers use by default.
-
If you do any administration on the firewall, when you are finished FLUSH
YOUR CACHE AND EXIT YOUR BROWSER BEFORE going out to the Internet to do
any normal browsing. Routers of this type typically authenticate you with
HTTP Basic authentication, and the browser remembers those credentials and
sends them again with every later request to the router's address for as
long as it stays open. A malicious web page visited afterwards can
therefore make your browser issue requests to the router that arrive
already authenticated, and so reconfigure it. Closing the browser (all of
its windows, not just the one you used) discards the cached credentials.
-
Regularly review your firewall logs by logging into the firewall and clicking
the "View Logs" button in the Log section. Better yet, configure the
device to log remotely to one of your internal machines that you use
frequently, so that the logs survive a reboot of the router and can be kept
and searched. For some routers, such as the Linksys, this requires installing
special software, which Linksys provides, on the internal machine. What to
look for: repeated blocked connections from one outside address to many
different ports (a scan), and any accepted inbound connection to the
router's own management port, which means remote administration is
reachable from the Internet.
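As an added example (not part of the original note, and not the router vendor's code), the following Python script checks a proposed LAN range the way the addressing item above describes: it confirms the range lies inside one of the RFC 1918 blocks, rejects the factory default ranges that attackers guess first, and lays out the router address, a block of static host addresses and the broadcast address for whatever prefix length you choose, so you can see that the broadcast is only ".255" on a /24. The list of well-known defaults is an assumption made for the example, and the layout convention (router at the first usable address, hosts numbered upwards from it) is one choice, not something the note prescribes.

```python
"""Sanity-check a proposed private LAN range for a home router.

Added example for this note, not the router vendor's code. Standard library only.
"""
import ipaddress

# The three RFC 1918 private blocks described in the note.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Factory LAN ranges that an attacker guesses first. This list is an
# assumption made for the example, not an exhaustive survey of routers.
WELL_KNOWN_DEFAULTS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]


def is_rfc1918(cidr):
    """True if the whole subnet lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def is_well_known_default(cidr):
    """True if the subnet overlaps one of the factory default ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(default) for default in WELL_KNOWN_DEFAULTS)


def plan_lan(cidr, hosts_needed):
    """Validate a LAN range and lay out addresses for it.

    Convention used here (an assumption, not the note's): the router takes
    the first usable address and hosts are numbered upwards from there.
    Raises ValueError if the range is unusable.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # host bits must be zero
    if not is_rfc1918(net):
        raise ValueError(f"{net} is not private (RFC 1918) address space")
    if is_well_known_default(net):
        raise ValueError(f"{net} overlaps a well-known factory default")
    if net.prefixlen > 30:
        raise ValueError(f"{net} has no room for a router and hosts")
    usable = net.num_addresses - 2          # minus network and broadcast
    if hosts_needed > usable - 1:           # minus the router itself
        raise ValueError(f"{net} has {usable} usable addresses, need {hosts_needed + 1}")
    router = net.network_address + 1
    return {
        "network": str(net.network_address),
        "router": str(router),
        "first_host": str(router + 1),
        "last_host": str(router + hosts_needed),
        "broadcast": str(net.broadcast_address),
        "usable": usable,
    }


if __name__ == "__main__":
    for candidate in ["192.168.37.0/24", "10.9.8.0/26", "192.168.1.0/24", "172.32.0.0/24"]:
        try:
            print(candidate, plan_lan(candidate, 20))
        except ValueError as err:
            print(candidate, "rejected:", err)
```

Run it with your own candidate range; 10.9.8.0/26 in the sample run shows a broadcast address of 10.9.8.63 rather than .255, and 172.32.0.0/24 is rejected because the 172.16 block ends at 172.31.255.255.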
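To make the log-review advice concrete, here is an added example in Python (not from the note, and not Linksys's log viewer) that reads router log lines and picks out the two findings worth reacting to: one outside address probing many different ports, and an inbound connection the router accepted on one of its own management ports, which is the signature of remote administration being reachable from the Internet. The log format is an assumption: it follows the netfilter-style "DROP IN=... SRC=... DPT=..." lines that Linux-based routers commonly send to syslog, and the sample lines are constructed for the example using the reserved documentation address ranges.

```python
"""Review home-router firewall logs for port scans and exposed management ports.

Added example for this note; not vendor code. The log format assumed here is
the netfilter-style line many Linux-based routers send to syslog. The sample
lines are constructed for the example and use RFC 5737 documentation addresses.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: one source sweeping five ports, one stray UDP drop,
# one drop on the LAN side (ignored), one accepted connection on port 8080
# arriving from the WAN (remote admin reachable), and one drop on 445.
SAMPLE_LOG = """\
Mar  3 10:00:01 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=4444 DPT=23
Mar  3 10:00:02 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=4445 DPT=80
Mar  3 10:00:03 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=4446 DPT=8080
Mar  3 10:00:04 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=4447 DPT=22
Mar  3 10:00:05 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=4448 DPT=443
Mar  3 10:01:10 router kernel: DROP IN=ppp0 OUT= SRC=198.51.100.200 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=1025
Mar  3 10:01:30 router kernel: DROP IN=br0 OUT= SRC=10.9.8.5 DST=10.9.8.1 PROTO=TCP SPT=40000 DPT=23
Mar  3 10:02:00 router kernel: ACCEPT IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=8080
Mar  3 10:03:00 router kernel: DROP IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=6000 DPT=445
"""

WAN_IF = "ppp0"                        # assumed name of the Internet-facing interface
ADMIN_PORTS = {22, 23, 80, 443, 8080}  # ports a router's own management UI typically uses

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not a firewall event."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["spt"] = int(ev["spt"]) if ev["spt"] else None
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None
    return ev


def analyze(log_text, wan_if=WAN_IF, scan_threshold=4):
    """Summarise inbound WAN events: drops per source, port sweeps, accepted admin hits."""
    drops_by_src = Counter()
    ports_by_src = defaultdict(set)
    accepted_admin = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["in"] != wan_if:
            continue                       # only traffic arriving from the Internet
        if ev["action"] == "DROP":
            drops_by_src[ev["src"]] += 1
            if ev["dpt"] is not None:
                ports_by_src[ev["src"]].add(ev["dpt"])
        elif ev["dpt"] in ADMIN_PORTS:     # ACCEPT on a management port from the WAN
            accepted_admin.append(ev)
    scanners = {src: sorted(ports) for src, ports in ports_by_src.items()
                if len(ports) >= scan_threshold}
    return {"drops_by_src": dict(drops_by_src),
            "scanners": scanners,
            "accepted_admin": accepted_admin}


def report(summary):
    """Human-readable findings, most urgent first."""
    lines = []
    for ev in summary["accepted_admin"]:
        lines.append(f"URGENT: {ev['src']} connected to management port {ev['dpt']} "
                     f"from the Internet; check that remote administration is disabled")
    for src, ports in summary["scanners"].items():
        lines.append(f"scan: {src} probed ports {ports}")
    for src, n in sorted(summary["drops_by_src"].items(), key=lambda kv: -kv[1]):
        lines.append(f"dropped {n} packet(s) from {src}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_LOG))))
```

Point analyze() at the file your syslog receiver writes; the threshold of four distinct ports is a starting value, and the interface name and port set need to match your own router.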
A note about the DMZ/game port. These routers frequently have a special LAN
port (or a setting that designates one LAN address) which is known variously
as the DMZ or game port. When this port is configured in its special mode,
every inbound connection that the firewall would otherwise block is passed
straight through to the machine on it, so that machine is exposed as if it
were plugged directly into the Internet, even though the firewall stays
enabled for everything else. Note that the exposed machine is still on your
LAN, so if it is compromised the attacker is already inside your network.
The motivation for this option is that Internet games supposedly cannot be
played from behind a firewall. That is not actually true, but most Internet
games have complicated port connection requirements which these simple
firewalls cannot express; where the router allows it, forwarding only the
specific ports a game needs is the safer way to handle this.
If you are not doing Internet gaming, make sure that this port is configured
as a normal port.
There are no absolutes when it comes to Internet security, but by taking the
steps outlined above you will have 'raised the bar' to make it harder for
an intruder to gain access to your home network.