[CLUE-Tech] How secure is a Linksys BEFSR41 with these ports open
Jeffrey Brown
JABrown at co.jefferson.co.us
Fri Aug 16 08:44:57 MDT 2002
Commenting on the syntax of your scans below: the router isn't blocking
ICMP, which is what will block the ping. I think it's 0 or 8
echo-request, echo-response in the ICMP protocol numbers that you'll not
want to turn off. If the router was blocking ICMP you'd have to change
the syntax of nmap to:

#nmap -sS -P0 123.456.78.9

The P0 doesn't ping the hosts before scanning them. The technical
support only mentions port 80 (TCP) being open; what about all the UDP
ports open? Is there some other configuration on the router that lets
you limit which UDP ports you want open? Even though port 80 is open, how
does the unit handle redirection to perhaps a webserver you want
accessible from your internal network, or does it just leave it open both
ways?

Finally, a little bit about stateful packet inspection or a stateful
firewall: this means that the router will respond only to connections
that have been established. An example would be if my client queries a
DNS server, which passes over my stateful router; the only connection that
router will allow back in is from the IP address of the DNS server. The
router won't respond to any other DNS traffic of other servers, unless
of course I'd want that port open (UDP 53) permanently. There is a state
that is created (expected for the duration of the connection). Usually
this state connection table has to be rebuilt after power cycling the
unit or rebooting of the firewall/router. Regarding port 80, I could pass
out all traffic statefully from my internal network without opening the
port on the internet-facing interface.

Most good firewall/routers will allow you, the administrator, full
control over which ports you want open, how to do redirection and
stateful inspection. If you want security I wouldn't go with a Linksys.

>>> bof at pcisys.net 08/15/02 04:59PM >>>
Hello,
I was seeking a firewall/NAT router for my DSL connection and bought a
Linksys BEFSR41. This post is to see if anyone else could check or
comment on my experiences with it.
Following its instructions to set up blocking WAN requests (according to
their User's Guide, this would deny ping requests to hide the network
ports (their words)), I then checked how well it was hidden by running
nmap against its IP address.
Here's what I found (the IP address is not shown for privacy and no
longer belongs to me anyway, since it was a DHCP allocation):
[~]#nmap -sT XXX.XXX.XX.XX
(The 1553 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
[~]#nmap -sS XXX.XXX.XX.XX
(The 1553 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
[~]#nmap -sU XXX.XXX.XX.XX
(The 1453 ports scanned but not shown below are in state: closed)
Port State Service
53/udp open domain
67/udp open dhcp
69/udp open tftp
161/udp open snmp
520/udp open route
5050/udp open mmcc
[~]#nmap -p 1-65535 XXX.XXX.XX.XX
(The 65534 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
This doesn't seem to be very invisible to me, so I called their Tech
Support. I never did get a coherent answer about the other ports, but I
was told that port 80 was always open, and that there was no way of
closing it --- or for that matter, any of the others, because that is
the way Linksys wrote its Stateful Packet Inspecting firewall.
I would prefer that my system firewall would be completely invisible to
ping requests --- there's no need for any open ports since I don't offer
any services to the outside world.
Would anyone comment on level of security with all these open ports?
BOF
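
An added sketch, not written by either poster and not a model of the Linksys firmware, of the state table described in the reply above, run through its DNS example: reply from the queried server, unsolicited packet from another server, expired state, and state lost on reboot. The class and function names, the addresses, and the 30-second idle timeout are assumptions made for illustration.

```python
# Added illustration; names, addresses and the idle timeout are assumptions.
class StatefulFilter:
    def __init__(self, udp_timeout=30, open_ports=()):
        self.udp_timeout = udp_timeout      # assumed idle lifetime of a state, seconds
        self.open_ports = set(open_ports)   # (proto, port) pairs left open permanently
        self.states = {}                    # (proto, lan_ip, lan_port, wan_ip, wan_port) -> expiry

    def outbound(self, proto, src, sport, dst, dport, now):
        """LAN -> WAN: passed, and a reply from exactly dst:dport is now expected."""
        self.states[(proto, src, sport, dst, dport)] = now + self.udp_timeout
        return "pass"

    def inbound(self, proto, src, sport, dst, dport, now):
        """WAN -> LAN: passed only if it mirrors a live state or hits an open port."""
        key = (proto, dst, dport, src, sport)
        expiry = self.states.get(key)
        if expiry is not None and now <= expiry:
            self.states[key] = now + self.udp_timeout   # traffic refreshes the state
            return "pass"
        self.states.pop(key, None)                      # expired or never existed
        return "pass" if (proto, dport) in self.open_ports else "drop"

    def reboot(self):
        """Power cycle: the table lives in memory, so every state is lost."""
        self.states.clear()


def dns_walkthrough():
    fw = StatefulFilter()
    client = ("192.168.1.10", 40000)     # constructed LAN host and source port
    resolver = ("192.0.2.53", 53)        # constructed DNS server the client queries
    stranger = ("198.51.100.7", 53)      # constructed server that was never queried
    seen = []
    fw.outbound("udp", *client, *resolver, now=0)
    seen.append(fw.inbound("udp", *resolver, *client, now=1))    # expected reply
    seen.append(fw.inbound("udp", *stranger, *client, now=1))    # unsolicited
    seen.append(fw.inbound("udp", *resolver, *client, now=100))  # state timed out
    fw.outbound("udp", *client, *resolver, now=200)
    fw.reboot()
    seen.append(fw.inbound("udp", *resolver, *client, now=201))  # state lost
    return seen


if __name__ == "__main__":
    print(dns_walkthrough())
```

Passing `open_ports={("udp", 53)}` corresponds to the "port open (UDP 53) permanently" case in the reply: inbound packets to that port pass with no matching state.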