routers, gateways, firewalls, dns etc...

J. Francois jlf@magusnet.gilbert.az.us
Fri, 18 Feb 2000 19:00:26 -0700


Hang on here comes a long ramble :)

I have a document I am working on for Jay at WiredGlobal.
Here is some insight on what I found so far.

In short, the FlowPoint router is a decent router for DSL.
It does filtering, DHCP, and NAT so it is full featured.
The problem is that its default configuration is sorely lacking.
First I threw away the Win CDROM that came with the router.
The CLI is your friend. Routers should be configured manually
if for no other reason than if it has a problem the TTY may 
be the only way to talk to the router and fix it.
The FlowPoint comes with the connectors and cable to go to a serial port.

So let us begin:
I logged into the router and found one good thing: it does not
allow directed broadcasts (SMURF) by default, so I won't be
part of any DoS attacks.
If you are familiar with Cisco config that is the 
"no ip directed-broadcast" setting.

So next I moved on to disabling telnet and SNMP to the router to prevent
any nastiness there.
I found that disabling the telnet and SNMP ports was not enough; it still
allowed telnet and SNMP! (nasty bug)
You have to go in and configure an IP range to allow to keep the riffraff
from getting a login and brute forcing a password.
Like a Cisco it will let you set an initial login password and another
password for performing admin functions. Use Both!

Next I headed out to my favorite black hat cracker pages and found a few
exploits for my Flowpoint router.
I have downloaded the upgraded firmware but have not installed it yet.
I want to test the exploits first and see what the signatures are.

Don't forget to have a tftp server somewhere so that you can back up 
the router and if needed boot it from the network with the saved images.
The Flowpoint also can be set up to selectively filter NetBIOS.

I had Dierk T. run NMAP against my IP range and send me the result.
NMAP was not able to get *any* information about my OS or ports.
If someone wants to run NESSUS against my IPs let me know first
or you may lose connectivity and be meeting the AG.

If you have a router connecting you to any service provider, do
some research and learn how to configure and back up your router settings.
Routers are designed to route traffic and do that one thing well.

*Do Not* assume that the router has not or cannot be compromised.
*Do Not* assume that the router has been set up by your ISP.
*Do Not* make any changes in your router without making a backup of
all settings and a copy of the IOS/Kernel/Firmware.

Configure a firewall behind the router to prevent a compromised router 
from allowing traffic into your network you do not want.
I use:
router <-> Firewall/Proxy <-> Private Lan
The Firewall/Proxy considers the router and Private LAN to be hostile
so it is very restrictive on what is allowed.
Remember this rule, "Whatever is not specifically allowed is denied."
I am happy with the router and I am still tweaking some of my settings.

I would tell you to keep your network configured as is.
Relying on the router as little as possible for Internal LAN services
means that if the router dies or you change ISPs all you have to renumber
is the Ethernet Interface and default gateway.

My /usr/doc/HOWTO directory has a doc called Networking-Overview-HOWTO.
Check yours, and that should answer the rest of your questions.

Practice safe TCP/IP.

Jean Francois
President & CEO MagusNet, Inc.
MagusNet.com
CTO EBIZ Enterprises, Inc.
TheLinuxStore.com,TheLinuxLab.com,LinuxWired.net


It seems like on Fri, Feb 18, 2000 at 11:51:41PM +0000, arson smith scribbled:
Orig Msg> I have used linux ipchains/ipmasq for my firewalls and
Orig Msg> gateways at home for dial up and at our temporary office here
Orig Msg> over the dsl line.  I haven't messed with anything bigger
Orig Msg> than that.  I am wondering now about routers mostly.  what
Orig Msg> exactly does a router do that my ipmasq linux box doesn't
Orig Msg> I don't really want a complete lesson on this just a quick
Orig Msg> overview of what it is for.  Basically I am setting up a
Orig Msg> network for a t1 line.  from the t1 it goes into a router, from
Orig Msg> there it goes into my linux firewall with ipmasq being used
Orig Msg> as the gateway to the internet.  then going to a 192.168.x.x
Orig Msg> network in our lan.  I have a dhcp/samba/dns server running
Orig Msg> inside the firewall for the lan also.
Orig Msg> 
Orig Msg> Now for the real questions. Is this what I should be
Orig Msg> doing? and could I get a basic explanation of networking
Orig Msg> from the lan to the internet?
Orig Msg> 
Orig Msg> These questions almost seem trivial to what I feel I should
Orig Msg> know but don't.  It just seems my knowledge is really full
Orig Msg> of holes. also is there any good reading I could pick
Orig Msg> up for explaining this kind of stuff that is 900+ pages?
Orig Msg> 
Orig Msg> Bill Warner
Orig Msg> ______________________________________________________
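The post makes three concrete hardening points: drop directed broadcasts so the LAN cannot be used as a smurf amplifier, allow telnet/SNMP to the router only from an explicit management range (disabling the ports alone was not enough), and treat everything not specifically allowed as denied. The following is an added example, not code from the post or from FlowPoint, that expresses those rules as a small default-deny policy and runs it over a handful of constructed flow records. All addresses (203.0.113.1, 192.168.1.0/24, the 192.168.1.10 admin host, the 198.51.100.x outside hosts) are assumptions chosen from documentation ranges, not anything from the thread.

```python
"""
Default-deny policy check for a border router's management plane.

Added example (not from the post). Encodes three rules the post argues for:
  1. drop directed broadcasts aimed at the LAN broadcast address (smurf),
  2. permit telnet/SNMP to the router only from a management range,
  3. deny whatever is not specifically allowed.
Every address and flow record below is constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed addressing: the router's WAN and LAN addresses, the private LAN,
# and the single admin workstation allowed to manage the router.
ROUTER_IPS = {
    ipaddress.ip_address("203.0.113.1"),   # WAN side (assumed)
    ipaddress.ip_address("192.168.1.1"),   # LAN side (assumed)
}
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
MGMT_ALLOWED = [ipaddress.ip_network("192.168.1.10/32")]   # admin host (assumed)
MGMT_PORTS = {23: "telnet", 161: "snmp", 162: "snmp-trap"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp


def is_directed_broadcast(flow: Flow) -> bool:
    """A packet from outside the LAN addressed to the LAN broadcast address
    is the classic smurf amplification pattern and is always dropped."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    return dst == LAN_NET.broadcast_address and src not in LAN_NET


def decide(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow. Anything that matches no
    explicit allow rule falls through to deny."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)

    if is_directed_broadcast(flow):
        return ("deny", "directed broadcast")

    # Management-plane traffic addressed to the router itself: the port
    # being open is not the check; the source range is.
    if dst in ROUTER_IPS and flow.dport in MGMT_PORTS:
        service = MGMT_PORTS[flow.dport]
        if any(src in net for net in MGMT_ALLOWED):
            return ("allow", f"{service} from management range")
        return ("deny", f"{service} from outside management range")

    # Ordinary outbound traffic originating on the private LAN.
    if src in LAN_NET and dst not in ROUTER_IPS:
        return ("allow", "outbound from LAN")

    return ("deny", "not specifically allowed")


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Apply decide() to every flow and keep the verdicts with the flows."""
    return [(f, *decide(f)) for f in flows]


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count verdicts, which is what you would eyeball after a policy change."""
    counts: Dict[str, int] = {"allow": 0, "deny": 0}
    for _, verdict, _ in audit(flows):
        counts[verdict] += 1
    return counts


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.168.1.255", "icmp", 0),    # smurf probe
    Flow("198.51.100.7", "203.0.113.1", "tcp", 23),      # telnet from the Internet
    Flow("192.168.1.10", "192.168.1.1", "tcp", 23),      # telnet from admin host
    Flow("192.168.1.50", "192.168.1.1", "udp", 161),     # snmp from a random LAN box
    Flow("192.168.1.50", "198.51.100.20", "tcp", 443),   # normal outbound
    Flow("198.51.100.7", "203.0.113.1", "tcp", 80),      # unsolicited inbound
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src:>14} -> {flow.dst:>14}/{flow.proto}:{flow.dport:<4} {reason}")
    print(summarize(SAMPLE_FLOWS))
```

The point of the source-range check is the one the post stumbled on: the management service being reachable at all is what matters, so the rule keys on who is asking, not on whether the port is nominally disabled. On a real device the same policy is an access list bound to the management services plus a no-directed-broadcast setting, which is what the FlowPoint and Cisco settings in the post implement.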