Is Your Router One of the Six Million Vulnerable Devices on the Internet?

I last spoke about the benefits of using a NAT router for your home and office when connecting to the Internet. As discussed, this provides added security because the router hides the computers on the LAN (the internal, private side of the router) from unwanted inbound traffic originating from Internet scanning, worms and hackers.

For your router to provide its full security benefits it has to be configured correctly. Leaving the manufacturer’s default password in place and allowing the administrative interface to be reached from the Internet has left many a device vulnerable. How big a problem is this?

A report by Wired showed that 21,000 devices were open to remote attack because their owners had not changed the manufacturer’s default password and the administrative interface was reachable from anywhere on the Internet. Wired also reports that the researchers, extrapolating from the numbers they gathered, estimated that 6 million devices connected to the Internet are likely vulnerable.

So don’t become a victim. One of the first things you need to do is change the manufacturer’s default password on your router. You should also disable remote administrative access on the Internet-facing interface. You can administer the router from the private wired LAN side of the router; there should be no need to administer it from the Internet. If this is something that you must do, and if your router supports it, configure your router to accept VPN client connections. This way you will be able to connect to your router from the Internet through an IPsec tunnel, and once connected you can administer your router just as if you were at home or in the office on the private LAN side. The administrative interface is then never exposed to the Internet, so it cannot be subjected to the brute-force password-cracking attacks you are open to with remote administration enabled. The VPN endpoint itself is still Internet-facing, so give it a strong pre-shared key or certificate rather than another weak password.

Some additional router configuration options to think about. Universal Plug and Play (UPnP) should be disabled. This feature allows any program on the LAN, Windows included, to reconfigure your router on the fly, typically by asking it to forward a port, which opens a potential hole through your router without anyone logging in to approve it. Almost all NAT routers also double as an SPI (Stateful Packet Inspection) firewall; make sure that feature is enabled. Also, unless you or your business need to provide some kind of service to Internet users such as web, FTP, or mail, you should have port forwarding disabled as well as the DMZ option. These options give Internet hosts access to your computers on the private LAN side of the router, and giving access to your internal network and computers can expose you to all the dangers the Internet has to offer.
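To make the UPnP point concrete, here is an added example (not code from this post or from any router vendor) that builds the IGD AddPortMapping request a LAN program sends to a router with UPnP enabled, and then parses it the way the router would to show exactly which hole it opens. The request carries no username, password or other proof that the caller is allowed to do this, which is the whole problem. The control URL is an assumption: real routers advertise theirs over SSDP and it differs per model. Nothing here is sent over the network.

```python
# Added illustration of a UPnP IGD AddPortMapping request. Not code from the post.
# It only builds and parses the SOAP message; it sends nothing.
import xml.etree.ElementTree as ET
from typing import Dict, Tuple
from urllib.parse import urlparse

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CONTROL_URL = "http://192.168.1.1:5000/ctl/IPConn"   # assumed; device specific


def build_add_port_mapping(ext_port: int, lan_ip: str, lan_port: int,
                           proto: str = "TCP", desc: str = "example",
                           lease_seconds: int = 0) -> Tuple[Dict[str, str], str]:
    """Return the HTTP headers and SOAP body of an AddPortMapping request.
    Note what is absent: no credential of any kind."""
    body = (
        '<?xml version="1.0"?>\n'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">\n'
        '  <s:Body>\n'
        f'    <u:AddPortMapping xmlns:u="{SERVICE}">\n'
        '      <NewRemoteHost></NewRemoteHost>\n'           # empty = any Internet host
        f'      <NewExternalPort>{ext_port}</NewExternalPort>\n'
        f'      <NewProtocol>{proto}</NewProtocol>\n'
        f'      <NewInternalPort>{lan_port}</NewInternalPort>\n'
        f'      <NewInternalClient>{lan_ip}</NewInternalClient>\n'
        '      <NewEnabled>1</NewEnabled>\n'
        f'      <NewPortMappingDescription>{desc}</NewPortMappingDescription>\n'
        f'      <NewLeaseDuration>{lease_seconds}</NewLeaseDuration>\n'   # 0 = permanent
        '    </u:AddPortMapping>\n'
        '  </s:Body>\n'
        '</s:Envelope>\n'
    )
    headers = {
        "Host": urlparse(CONTROL_URL).netloc,
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE}#AddPortMapping"',
    }
    return headers, body


def describe_hole(body: str) -> Dict[str, str]:
    """Parse an AddPortMapping body as a router would and state the hole it opens."""
    root = ET.fromstring(body)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{SERVICE}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    args = {child.tag: (child.text or "") for child in action}
    lease = args["NewLeaseDuration"]
    return {
        "from": args["NewRemoteHost"] or "any Internet host",
        "external": f'{args["NewProtocol"]}/{args["NewExternalPort"]}',
        "to": f'{args["NewInternalClient"]}:{args["NewInternalPort"]}',
        "lease": "permanent" if lease == "0" else f"{lease}s",
    }


if __name__ == "__main__":
    # Constructed example: a game or file-sharing program on 192.168.1.20
    # asks the router to expose TCP port 25565 to the whole Internet, forever.
    hdrs, soap = build_add_port_mapping(25565, "192.168.1.20", 25565, desc="game server")
    print(hdrs["SOAPAction"])
    print(describe_hole(soap))
```

With UPnP disabled the router simply refuses this request, and a forwarding rule can only be created by someone logged in to the administrative interface.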

Next time I will discuss how you can provide services to Internet users on your home or office network securely.

Dave
Computer Repair and Network Security


Why Use a NAT Router?

Every computer connected to the Internet is exposed to dangers. For myself and many others the benefits of using the Internet far exceed the possible dangers, and we can minimize those dangers if we follow some basic security principles for both our home and office computers.

Let’s start with how we connect to the Internet using a wired connection. Many home users and small businesses connect to the Internet through a Cable/DSL modem. This is an always-on connection: as long as our computers are powered on we are connected to the Internet and exposed to its dangers. We increase the danger if we connect our PC directly to the Cable/DSL modem. A computer connected in this way receives a public IP address via DHCP from the Internet Service Provider, which means our PC is both visible and reachable directly from the Internet. This exposes us to Internet scanning, worms, and hackers, and if we don’t have a software firewall installed our PC can be easily compromised and our data stolen.

Even though a software firewall can lessen the dangers we are exposed to when we connect in this way, I don’t recommend this method. A better solution is to use a Cable/DSL NAT router. The NAT router connects directly to the Cable/DSL modem and our computer or computers connect to the NAT router. Why is this safer?

One of the key benefits of NAT (Network Address Translation) routers is that the router hides the internal IP addresses of your computers. The Internet sees you as a single machine with a single IP address, which masks the fact that one or many computers on the LAN side of the router may be sharing that one address. This provides not only security benefits but financial ones: NAT lets you have more than one computer on your home or office network while you pay for only one public IP address from your ISP.

How does NAT work? When you turn on your computer it receives an RFC 1918 private IP address from your router. With most Cable/DSL routers this will be on a 192.168.x.x subnet. This private address has to be translated (NATed) to a public address for you to reach the Internet. Since all computers on the LAN side of the router share the same single public IP address, the router keeps track of the outbound connections through PAT (Port Address Translation). Here is what happens. When you make an outbound connection to Google, the NAT router receives the request and rewrites your private source address (192.168.1.20, for example) to the public IP address, say 12.46.115.225, with a source port it chooses, say 2500, making it 12.46.115.225:2500. A second computer on the same LAN with an IP of 192.168.1.21 makes an outbound request at the same time. It is given the same public IP but a different port, say 2501, making it 12.46.115.225:2501. The NAT router records each of these connections in a table, and when the replies come back it uses that table to rewrite the destination from 12.46.115.225:2500 or :2501 back to the correct computer on the private LAN side.

This is the really good part and why the router provides added security. Any traffic arriving at the NAT router from the Internet that does not match an entry in the router’s table is discarded as unwanted. This stops unsolicited inbound traffic originating from Internet scanning, worms, and hackers, protecting the computers on the private LAN side of the router. The protection holds only as long as nothing punches a hole in the table, which is what port forwarding, a DMZ host or UPnP does, so those need deliberate thought rather than being left on. So if you don’t already have a NAT router, why not get one? The added security benefits are certainly worth the added expense.
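The translation table from the previous two paragraphs, as an added example written for this page (not code from the post or from any router). It models the outbound rewrite with sequential ports starting at 2500, the reverse lookup for replies, and the drop of anything that does not match a recorded flow. The server and attacker addresses are constructed from documentation ranges, and the assumption that ports are handed out sequentially is just for readability; real routers choose differently.

```python
# Toy NAT/PAT router, added here as an illustration of the translation table
# described above. It is not code from the post or from any router vendor.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "12.46.115.225"   # the example WAN address used in the post
FIRST_PORT = 2500             # assumption: ports are handed out sequentially from here


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Translates LAN flows to PUBLIC_IP:port and lets only matching replies back in."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = FIRST_PORT) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # public (proto, port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # LAN flow 5-tuple -> public port, so an existing flow reuses its mapping
        self.reverse: Dict[Tuple[str, str, int, str, int], int] = {}
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public address and a unique port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.reverse.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: forward only if the packet matches a recorded flow, else drop."""
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            self.dropped.append(pkt)          # nobody asked for this: a scan or worm probe
            return None
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            self.dropped.append(pkt)          # right port, wrong peer: still unsolicited
            return None
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def demo() -> dict:
    """Constructed traffic: two LAN hosts talk to the same web server, then one
    legitimate reply, one port scan and one spoofed reply arrive from outside."""
    r = NatRouter()
    web = "198.51.100.7"      # constructed remote server address (TEST-NET-2)
    scanner = "203.0.113.9"   # constructed attacker address (TEST-NET-3)
    a = r.outbound(Packet("192.168.1.20", 51000, web, 443))
    b = r.outbound(Packet("192.168.1.21", 51000, web, 443))    # same LAN port, distinct public port
    reply = r.inbound(Packet(web, 443, PUBLIC_IP, a.src_port))  # matches the table: forwarded
    scan = r.inbound(Packet(scanner, 40000, PUBLIC_IP, 3389))   # unsolicited RDP probe: dropped
    spoof = r.inbound(Packet(scanner, 443, PUBLIC_IP, a.src_port))  # live port, wrong peer: dropped
    return {"a": a, "b": b, "reply": reply, "scan": scan, "spoof": spoof,
            "dropped": len(r.dropped)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The inbound check here is the strict full-match the post describes. Some consumer routers are looser and accept a packet on a mapped port from any remote address (so-called full-cone NAT), which is one reason the SPI firewall feature mentioned in the companion post should be switched on rather than relying on the NAT table alone.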

Of course, for a NAT router to provide its full benefits it has to be configured correctly. I will discuss this, as well as the following subjects, in future articles: how to secure wireless networks, how to make a server available to Internet users safely through port forwarding, what a DMZ is and what its benefits are, and how adding a second NAT router can provide even greater security. Please feel free to contact me with any questions or comments.

Dave
Computer Repair and Network Security

