Sunday, April 22, 2012

How Does a Router Protect


I posed myself the question "How does a router protect?" out of curiosity about something I remembered: that a router already acts as a firewall. So I googled the topic and found some very interesting results. The Google results are listed below. But first, my summary is this:

1. A router uses NAT to protect the computers connected behind it.
2. Router NAT blocks outside attempts to talk to the computers behind the router, i.e. it blocks inbound traffic.
3. But router NAT does not block outbound traffic by default. A computer that is already infected may call out to its base and get information or commands back.
4. Some say a router is enough; others say a software firewall is necessary.
5. Router NAT does not protect computers or configurations that use:
- VPN - to connect into a company's network from home securely.
- Port Forwarding - required when running a web server.
- DMZ - sometimes used by gamers to enable playing network games.
Any of these will bypass the NAT protection mechanism and expose the home computer and others on the network.

Setting up Cascading Router (LAN to LAN or WAN to LAN)
http://www.linksys.com/au/support-article?articleNum=132275

Using A Modem and Router combination
Internet -> ADSL Modem -> Router -> Device

(WAN stands for Wide Area Network and is the IP address given to you by the Internet service provider)

Double NAT
http://www.howtogeek.com/255206/how-use-your-router-and-isps-modemrouter-combo-in-tandem/
One way to overcome the double NAT problem is to use bridging.
Switch the modem into bridge mode.
"Bridging is simply an old networking technique that transparently links two different networks."
Consequences:
- the modem will become a modem only, with no effective routing functions
- no devices can be connected directly to the modem unit
- no devices can be wirelessly connected directly to the modem unit

https://www.cnet.com/how-to/home-networking-explained-part-8-cable-modem-shopping-tips/
On the other hand, it's a little bit more work to add a Wi-Fi router to your existing gateway.
1. You need to connect the new router's WAN (or Internet) port to the gateway.
2. Make sure that the new router has a different IP address from that of the gateway. (Chances are they are already different, but if not, you will need to change that of the new router before plugging it to the gateway.)
3. And finally, apart from turning off the Wi-Fi network of the old gateway, if you want the new router to get the WAN IP address, you will need to configure the gateway to pass that to the router. The means of doing this varies depending on the gateway itself. The passing of the WAN IP address is only necessary if you want to set up customized Internet-related services, such as those mentioned in Part 9 of this series.


The Ultimate Modem/Router Setup Thread
http://www.tomshardware.com/forum/33700-42-ultimate-modem-router-setup-thread

When is an NAT router inadequate protection?
http://www.dslreports.com/faq/9787
temporarily mirrored at:
http://xtechnotes.blogspot.com.au/2012/04/when-is-nat-router-inadequate.html

How Does A Router Protect My Computer?
http://www.askageek.com/2006/10/17/how-does-a-router-protect-my-computer/

A Router Can Protect your Computer
http://www.compukiss.com/articles/a-router-can-protect-your-computer.html

To what extent does the firewall on a router protect you?
http://askville.amazon.com/extent-firewall-router-protect/AnswerViewer.do?requestId=747083

How does a router protect you?
http://forums.cnet.com/7726-6035_102-5152551.html

Does my router have a firewall or not?
http://ask-leo.com/does_my_router_have_a_firewall_or_not.html

How do I protect users on my network from each other?
http://ask-leo.com/how_do_i_protect_users_on_my_network_from_each_other.html
info on dual router layer / double NATing architecture.


When is an NAT router inadequate protection

This article mirrors the article at http://www.dslreports.com/faq/9787. The dslreports.com website seems to be down, and has no expected online time.

24 Apr 2012 - The original site seems to be working again. So go to http://www.dslreports.com/faq/9787

The main points of the article are extracted here:

----------------------------------------------------------------------
1. Depending on your network configuration, an NAT router can be a very cost-effective, inexpensive and reliable addition to your computer's security. At US$40 to $70, they can be worth getting even if you only have one computer.

1.1 You should definitely run a software firewall on any computer that connects to AOL using a different Internet Service Provider (AOL's Bring-Your-Own-Access plan or AOL MAX using an ISP) no matter what kind of hardware firewall or NAT router you have.


1.2 If you have to turn on port forwarding or the DMZ to run servers or other applications you should consider either a software firewall or a more expensive SPI firewall.


1.3 Generally software firewalls provide valuable additional protection that supplements the protection provided by NAT routers and SPI firewalls.

Ideally a software firewall should be an additional layer of protection behind an NAT router or external firewall. For homes a free version of a software firewall is normally adequate for this additional layer of protection.

- ZoneAlarm Free
www.zonelabs.com/store/content/home.jsp
Look for the free version / free download, and continue to ask for it rather than the Pro version.

- Sygate Personal Firewall
download.com.com/3000-2092-10049···g=button

- Kerio Personal Firewall Limited Free Version (Sunbelt Kerio Personal Firewall)
www.kerio.com/kpf_download.html
Look for the "limited free" version.

For businesses, computers running public servers, and computers on wireless networks, a paid-for version of a software firewall provides more protection by allowing more customization and more precise control.

2. In selecting an NAT router, software firewall, or hardware firewall, consider its logging and alerts capabilities.

3. If the router or firewall is wireless, secure the wireless interface.

4. Firewalls are not a replacement for adequate backups of data. (Firewalls don't protect against real fires, or burglars.) /faq/10194

5. Other security precautions still need to be taken. For example, operating systems and anti-virus software need to be properly installed, configured and updated.

6. There is no hardware or software you can install that will protect against massive amounts of traffic jamming your communications lines. "SPI firewalls" only protect against certain types of denial of service (DoS) attacks involving malformed packets, or protocol sequence violations and vulnerable software.

7. Historically, the original network firewalls did not do packet inspection. They were rule based, using tables of permitted IP addresses and ports. Packet inspection is not historically in the definition of firewalls.

8. The NAT firewall was a major advance. It limited inbound traffic based on the basic state of communications with the external IP address. Outbound traffic triggered permission for inbound traffic.

9. This is basically how a pure many:1 NAT router works. M:1 is the kind of router commonly used for home and SOHO users to provide a connection for many local computers using one public IP address.


10. Port forwarding bypasses the state table and that source of protection provided by the NAT router. Port forwarding (on a pure NAT router) causes almost all traffic that arrives at a particular port to go to a particular local IP address. (Basic packet filtering is the only protection for the port.)



11. The DMZ should be totally avoided on most NAT routers.

A DMZ is not normally required, provided you know your software. Check the software vendor's website, or email their support area, or search here in BBR, to find out what ports you need to set as trigger ports for which ports, or which ports to forward.

If you really do need a DMZ, use a device that treats the computer in the DMZ as though it was an untrusted computer outside your local network. Ordinary NAT routers do not normally provide this type of DMZ; they normally just forward all unsolicited traffic to the machine in the DMZ, leaving it with no NAT protection.
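
The state-table behaviour described in points 8 to 11 above, and in the summary list of the first post, as an added example (not code from the mirrored article or from any router's firmware). It is a toy model: the class, the constructed addresses, and the strict match on remote IP and port are assumptions; real routers differ in how strictly they match replies.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NatRouter:
    """Toy many:1 NAT router (assumed model, not any vendor's firmware)."""
    public_ip: str
    # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    state: dict = field(default_factory=dict)
    forwards: dict = field(default_factory=dict)  # public_port -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN host starts a connection: record it, rewrite the source address."""
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.state[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return self.public_ip, public_port

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the LAN (ip, port) an arriving packet is sent to, or None if dropped."""
        key = (public_port, remote_ip, remote_port)
        if key in self.state:             # reply to traffic a LAN host started
            return self.state[key]
        if public_port in self.forwards:  # port forward: state table is bypassed
            return self.forwards[public_port]
        if self.dmz_host is not None:     # DMZ: every other unsolicited packet
            return self.dmz_host, public_port
        return None

def demo():
    """Walk through the cases from the list; all addresses are constructed."""
    r, out = NatRouter("203.0.113.10"), {}
    out["unsolicited"] = r.inbound("198.51.100.7", 4444, 80)       # nothing asked for it
    _, port = r.outbound("192.168.1.20", 51000, "198.51.100.7", 443)
    out["reply"] = r.inbound("198.51.100.7", 443, port)            # allowed, even if the
    # LAN host is infected and 198.51.100.7 is its controller: outbound is not filtered.
    out["other_remote"] = r.inbound("198.51.100.99", 443, port)    # no matching state
    r.forwards[80] = ("192.168.1.30", 8080)
    out["forwarded"] = r.inbound("198.51.100.99", 5555, 80)        # reaches the server
    r.dmz_host = "192.168.1.40"
    out["dmz"] = r.inbound("198.51.100.99", 5555, 3389)            # reaches the DMZ host
    return out

if __name__ == "__main__":
    for case, dest in demo().items():
        print(f"{case:13} -> {dest}")
```
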


Here are some security testing sites: /faq/5503

Here is more on securing your home computer: /faq/8463

Here is more on securing a wireless router: /faq/8698

For discussion about your individual circumstances you can post a message in the BBR Security Forum here: /forum/security


Friday, April 20, 2012

Security - Phishing examples

This post is a collection of sample phishing emails. Of course there is plenty of variety; I'm just listing here the ones which caught my attention. Feel free to post in the comments any examples of phishing you have encountered.

Case 1:
The payload itself is delivered as a zip file which this email tempts the user to open. Obviously the file is not attached here. The point is that the email below looks very very legitimate.


From: HALL GILL [mailto:pilotstation@computerpostage.com]
Sent: Thursday, 19 April 2012 9:26 PM
To: xxxxxxxxxx
Subject: An error at the delivery

Delivery information,
Your parcel can’t be delivered by courier service.
Status deny: Address delivery doesn’t exist in database.
LOCATION OF YOUR PARCEL:Tempe
STATUS: sort order
SERVICE: Expedited Shipping
NUMBER OF YOUR PARCEL:U707019275 NU
INSURANCE: Yes
Postal label is enclosed to the letter.
Print your label and show it in the nearest post office of USPS
Important information! If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it's keeping in the amount of $5.64 for each day of keeping.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for attention.
USPS Global Services.
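
A few header and body checks a mail filter could run over the Case 1 email, as an added example that is not part of the original post. The brand-to-domain table, the signal names and the regular expressions are assumptions chosen for this sample; the sample text is built from lines of the email quoted above.

```python
import re

# Assumption for this example: the domain each brand is expected to send from.
BRAND_DOMAINS = {"USPS": "usps.com"}

# Constructed sample: header and body lines taken from the email quoted above.
SAMPLE = """From: HALL GILL [mailto:pilotstation@computerpostage.com]
Subject: An error at the delivery

Postal label is enclosed to the letter.
Print your label and show it in the nearest post office of USPS
Important information! If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it's keeping in the amount of $5.64 for each day of keeping.
USPS Global Services.
"""

def sender_domain(message):
    """Return the lower-cased domain of the From: address, or None."""
    m = re.search(r"^From:.*?([\w.+-]+)@([\w.-]+\w)", message, re.M | re.I)
    return m.group(2).lower() if m else None

def phishing_signals(message, brands=BRAND_DOMAINS):
    """Return a sorted list of the heuristic signals that fire on the message."""
    signals = set()
    domain = sender_domain(message) or ""
    body = message.split("\n\n", 1)[-1]
    for brand, expected in brands.items():
        mentioned = re.search(rf"\b{re.escape(brand)}\b", body)
        aligned = domain == expected or domain.endswith("." + expected)
        if mentioned and not aligned:
            signals.add("brand_domain_mismatch")   # signs as the brand, sent from elsewhere
    if (re.search(r"\b(enclosed|attached)\b", body, re.I)
            and re.search(r"\b(print|open|download)\b", body, re.I)):
        signals.add("attachment_lure")             # pushes the reader to open a file
    if (re.search(r"\$\s?\d", body)
            and re.search(r"\bwithin \d+ (working )?days\b", body, re.I)):
        signals.add("payment_pressure")            # money threat tied to a deadline
    return sorted(signals)

if __name__ == "__main__":
    print(sender_domain(SAMPLE), phishing_signals(SAMPLE))
```
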