Quoting Ben Neigebauer <Ben.Neigebauer at compellent.com>:
> Every time I see an exploit for XX version of linux or XX version of
> windows I wonder if there are known vulnerabilities for my little D-Link
> Router?
>
> How secure are these little guys, and if there is a known hole, will
> D-Link notify me?
>
> Maybe I should go all out and just plunk down the cash for a used Cisco
> Pix?
>

I don't see anything on D-Link's site about signing up for notifications of new software and/or vulnerabilities. My guess would be that they are going to take no great effort to notify you of something, I doubt that you have a support contract with them, so there is no financial incentive for them to do so. The low end manufacturers just don't build that into their business. They may make an effort if some really, really blatantly bad thing happened that they need to do a CYA maneuver for. Best way to find out is checking things like the bugtraq database, http://securityfocus.com/bid, there are entries there for D-Link.

As for how secure is it? Probably good enough. Change the default settings for passwords and confirm that it has a relatively sane config and you will handle 99.9 of issues. Most of these "firewalls" are just NAT routers, and while NAT may not be appropriate for security, it does buy you something.

If you are exposing services to the Internet, i.e. web server, ssh server, mail server, etc, the bigger issue is making sure that you are current on patches. Any sort of packet filter, of which the PIX is a variety, will only prevent allowing access to a service. If you make the choice to allow the Internet to connect to your apache server, the firewall is not going to stop julie the script kiddie from running the latest exploit against it. This is where proxy firewalls, i.e. application layer firewalls, come into play, as well as things like IDS and IPS.

To make a long story longer, for your home network on a cable modem, you'll probably be ok.
Typically speaking the nasty folks are looking to go after the low hanging fruit. There are lots of unpatched systems plugged directly into the cable modem, no sense making an effort to go after yours unless you have something special to offer.

Josh