[Dshield] d-link router and security

Chris Brenton cbrenton at chrisbrenton.org
Fri Jan 2 20:17:00 GMT 2004


On Fri, 2004-01-02 at 11:50, Josh Tolley wrote:
>
> Keith Bergen wrote:
> 
> > I am a firm believer that no system should be connected to a Cable or DSL
> > line without a NAT router. The NAT router can protect you from port scans
> > and attacks.

<snip>

> I'll second Keith - I wouldn't turn any computer on without a NAT device 
> in front of it

Actually, I would test the router to ensure it _does not_ support loose
source routing before I would put all my faith into it. If LSR is
supported, an attacker can simply use the IP options field to hop right
over the device and communicate with any privately addressed system
sitting behind it that also supports LSR (every Windows platform I've
tested does by default, as does Linux but its easy to shut off).

About two years ago I went through and tested a number of "home NAT
firewalls" to see if they could be circumvented with LSR. I *think* I
remember D-Link being one of the devices that failed my testing. Could
be they've fixed it since then, but I would test it just to be sure. The
Windows Ping utility can be used for this task with the "-j" switch.

HTH,
C
 




More information about the list mailing list