Better home network security



Yoon (New member), Sep 25, 2020
Hi, I am interested in improving my home network security. I know a little about NAT routers and such. Recommendations on good NAT routers would be greatly appreciated. In particular, I am interested in improving my results from the Shields Up port probe test. I passed all port probes except ping. My system responded to ICMP packets and thus failed the test. How can I plug this hole? Will getting a NAT router fix this problem? We are using Verizon FiOS with a built-in router and WiFi.

Thank you for your advice.
 
Frequently the router configuration has an "advanced" option to disable things like ping. They will call it different things in different routers, so it's hard to give specific advice. On my ASUS RT-AC3200 it is called out as "Respond ICMP Echo (ping) Request from WAN" on the Firewall page. ICMP is the technical name of the protocol for such things.
 
What sort of router do you have?

As @PHolder mentions, some consumer routers will surface these options. I used to use an arguably more advanced router software called DD-WRT which, if I recall, had such an option.

Most routers, though, I suspect translate this setting into a firewall ALLOW rule. This can get fairly geeky, but if there's no seemingly obvious setting, you could look into the rules and remove the ALLOW rule for ICMP packets. A word of caution, though. These rules are important to get right and not "play around" with, or you could alter the security of the router to a dangerous degree.

For example, I'm using a prosumer device now (Ubiquiti's UniFi) and it has a default DROP rule for any packets on the WAN side, regardless of protocol, unless an ALLOW rule supersedes it (such as port forwards, established connections, etc.). So I would have to create an ALLOW for WAN ICMP if I wanted it.

Anyway, it all depends on your router software.
 
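The two designs the reply above describes, modelled as an added example (this is not code from the posts, from ASUS firmware or from UniFi): a consumer router where the "Respond ICMP Echo (ping) Request from WAN" checkbox is really an ALLOW rule that the checkbox adds or removes, and a default-DROP design where WAN ping only works if you add an ALLOW yourself. The rule names, the hypothetical port forward to a NAS and the sample packets are assumptions made for the example.

```python
"""Toy first-match rule chain for a router's WAN side.  Added illustration, not
code from any router: it models a consumer chain where the "ping" checkbox
adds/removes an ALLOW rule, and a default-DROP chain where ping needs an
explicit ALLOW.  Rule names, the port forward and the packets are assumed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int]             # destination port; None for ICMP
    icmp_type: Optional[int] = None  # 8 = echo request (ping)
    established: bool = False        # connection tracking says this is a reply to an inside flow


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "ALLOW" or "DROP"
    proto: Optional[str] = None      # None = any
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    established: Optional[bool] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set on the rule must equal the packet's field."""
        for attr in ("proto", "dport", "icmp_type", "established"):
            want = getattr(self, attr)
            if want is not None and getattr(pkt, attr) != want:
                return False
        return True


def evaluate(rules, pkt, default="DROP"):
    """First matching rule wins; otherwise the chain's default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "<default policy>"


ESTABLISHED = Rule("allow established/related", "ALLOW", established=True)
PORT_FWD_22 = Rule("port-forward tcp/22 to NAS", "ALLOW", proto="tcp", dport=22)  # hypothetical
WAN_PING = Rule("Respond ICMP Echo (ping) Request from WAN", "ALLOW", proto="icmp", icmp_type=8)

consumer_ping_on = [ESTABLISHED, PORT_FWD_22, WAN_PING]                 # checkbox ticked
consumer_ping_off = [r for r in consumer_ping_on if r is not WAN_PING]  # checkbox cleared
default_drop = [ESTABLISHED, PORT_FWD_22]      # UniFi-style: ping needs an explicit ALLOW

# Constructed sample packets arriving on the WAN interface.
SAMPLES = {
    "ping": Packet("icmp", None, icmp_type=8),
    "reply": Packet("tcp", 51234, established=True),   # answer to a browser session
    "rdp": Packet("tcp", 3389),                        # unsolicited probe
}


def verdicts(rules):
    """Action taken on each sample packet by the given chain."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLES.items()}


def misordered():
    """The warning in the post: one badly placed ALLOW voids the whole chain,
    because first match wins and nothing below it is ever consulted."""
    return [Rule("allow any from WAN (mistake)", "ALLOW")] + default_drop


if __name__ == "__main__":
    for label, chain in [("consumer, ping on", consumer_ping_on),
                         ("consumer, ping off", consumer_ping_off),
                         ("default-drop", default_drop),
                         ("misordered", misordered())]:
        print(f"{label:20} {verdicts(chain)}")
```

Running it shows that clearing the checkbox and the default-DROP design give the same answer for ping (dropped) while the established reply is still allowed in both; the `misordered()` chain shows why the post warns against "playing around" with rules: a single over-broad ALLOW near the top lets the unsolicited RDP probe through no matter what follows it.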
Thank you very much for your replies. I gained enough confidence to go into my router settings, browse around for specific terminology, and uncheck the first checkbox shown below

[Attachment: Capture4.PNG]


My router did not blow up. I still have internet access. And more importantly, my ShieldsUp test now passes with flying colors! You guys are awesome!
 
Bear in mind if you ever have connection problems and ask your ISP to investigate, these changes will block some of their diagnostics. Unless you tell them that you have blocked pings etc, they may think you have a line fault.
 
@Yoon I wrote a couple of articles on my blog a few years ago on this topic. Some of the info is a bit dated but still pretty relevant. I also mention some of Steve's work in the articles. You said above "Will getting a NAT router fix this problem?" I see you already fixed the ping reply problem. But, just for reference, pretty much all IPV4 routers, even the one built into your fios modem, are NAT routers. So, while you could get another one, you do already have one. IPV6 routers probably are not doing NAT. If you try to access my blog and have any problems, send me a private message using the start conversation feature after hovering your mouse over my picture. That conversation can then be accessed by clicking the envelope in the lower right of the top brown tool bar on the forum.

Beefing Up Your Router Security


Here's a summary of the main points, with MUCH more detail in the article.

01) Put your own home router behind your cable / dsl modem between the modem and your home network.

02) Turn off all unneeded features in the router’s control panel and, in particular, anything that allows outside access to your inside network.

03) Make sure the DMZ is OFF.

04) Turn off ALL outside remote administration, be it web based (http, https), or ftp, or telnet, or just a general setting, or whatever.

05) Turn off all “servers” or “services” that expose any router features to the outside world.

06) Turn off UPNP.

07) You may test your external IP address for open TCP ports within limits benignly using the “Shields UP” web service at GRC (Gibson Research Corp.).

but you knew that already :cool:

08) Put your IOT things on their own router as described in the “Three Dumb Routers” philosophy.

You Yes You Should Care About IOT Security


Note Steve and Leo have recently discussed IOT stuff. Since Steve posts transcripts of the podcast, you can use google to search for something like this:

iot security site:grc.com

09) If you hear a security notice through sources such as Security Now or others that your router has a security vulnerability, see if you can get a firmware update from the factory and install it.

10) Absolutely change your router’s default management password.

11) For your WIFI password, not the management or control panel password, use a long random string of characters and numbers.

I would also add the following that's not in the article:

12) Turn off IPV6 outgoing and incoming unless you need it.

Hope this helps.

Sincerely,

Ron
 
[Quoting Yoon's post above]

You should be able to untick both without much issue.
The first one prevents your router from answering ping packets.
The second one prevents your router from answering traceroute packets, which is a bit like a more detailed ping.
Both aren't necessary and can be used by an attacker to find out if there is a machine at a particular IP address.
 
Is anyone offering a "home user" version of the enterprise umbrella? At work we're under the Fortinet umbrella. It's too expensive for the average home user, seems like there's a market there waiting to be exploited ... somehow.
 
[Quoting the post above]
pfSense offers reasonably priced hardware through Netgate, e.g. SG-1000 or SG-1100, which brings enterprise-grade hardware and software. No subscription fees etc. Of course you don't get the AV and malware protection side of things, but those can be easily added on through other services.
 
[Quoting Ron's post above]

@rfrazier, Regarding DMZ... is it no longer a valid technique to use the DMZ and point it at an IP address that will not be assigned by the router? Long, long ago, I read the technique would send any unsolicited traffic to a dead end with no response. As I recall, attempts from outside the router would receive no indication there was any device at that IP address. Is that no longer true? Are there methods to exploit a router set up this way? Thanks,

Gatorgrad
 
[Quoting Gatorgrad's post above]
@Gatorgrad It's actually been years since I've looked into DMZ, and I never personally use it. Let me do a bit of research and I'll try to give you a credible answer within a day or two. Maybe tonight if I can quickly find some info. Also, maybe others will chime in. Sorry to put you off, but I want to give you correct data.

Ron
 
@Gatorgrad OK, I think I've found some info that can be useful. Caveat I'm a serious amateur security fan, and much of what I've learned is from Steve and Leo and his fans. There are many people more knowledgeable than me. But, I try to make it accessible to average people through things I write. So, here's my opinion. @Steve or others may also wish to comment. Bear in mind that we're talking about IPV4. I don't know about IPV6. Bear in mind also that I'm discussing home networks, not commercial ones.

I did a google search of dmz site:grc.com, which you can do since Steve publishes podcast transcripts. I got a couple of hits. These tell about using DMZ conventionally. Search for dmz within the web page.

SN EP 3, 2005

NAT Router and Security Solutions

SN EP 393, 2013 - Steve talks about your question. But, this content is a bit old.

Help Screen for DMZ in my DD-WRT router.

"Demilitarized Zone (DMZ)
The DMZ (DeMilitarized Zone) hosting feature allows one local user to be exposed to the Internet for use of a special-purpose service such as Internet gaming or videoconferencing. DMZ hosting forwards all the ports at the same time to one PC. The Port Forwarding feature is more secure because it only opens the ports you want to have opened, while DMZ hosting opens all the ports of one computer, exposing the computer so the Internet can see it.

Note
Any PC whose port is being forwarded should have a static IP address assigned to it because its IP address may change when using the DHCP function.
DMZ Host IP Address
To expose one PC to the Internet, select Enable and enter the computer's IP address in the DMZ Host IP Address field.

To disable the DMZ, keep the default setting, Disable."

When and How to Set Up DMZ

This quote is interesting:

"Thus, when you are setting up a “home” DMZ or DMZ host, you have to be really careful. In fact, you generally should not use the home router’s DMZ function at all if you can avoid it."

They point out that, in the conventional usage, if one PC is getting all the unsolicited traffic, and if it is compromised, it can compromise your whole network.

With the exception of SN 393, all these are talking about conventional DMZ usage.

I googled dmz to nowhere and dmz to unused address and didn't get much.

Assuming that the router is working properly and bug free, I THINK DMZ to nowhere might be pretty safe.

But, personally, it makes me nervous for a few reasons. First, normally, the firewall blocks out all unsolicited packets. But, with DMZ, ALL that traffic coming to your public IP is getting inside your network, even if bound for a nowhere IP. That just sounds like a bad idea to me. Second, there might be a way that it could get to other computers, maybe with broadcast port numbers, etc. I don't know. Third, if you needed the DMZ for a game or something (still not recommended), you'd have to change it then change it back. This leads to possible mistakes. Fourth, you have to be REALLY sure the IP address will never be assigned by DHCP to anything on your network. If something ever gets that address, it's now outside the firewall effectively, and in danger.

If you want to shut down response to a certain port or range of ports, it's better to port forward just that port or range of ports to a nowhere IP. You can do that and still forward other ports to somewhere, if needed.

Steve mentions this process in this page.

Port Authority Database for 113

I'm not a gamer. And I don't run servers in my house. So, maybe I have a biased and simplistic point of view. But, my philosophy is no holes in the firewall, EVER.

Long answer to a short question. But, in my opinion, I'd still say avoid DMZ unless you have a pressing need for it.

Others are free to jump in here too. :cool:

Hope it helps.

Ron
 
Setting the “DMZ host” to an unused IPv4 address should not result in traffic entering your network if your router is working properly. That’s because the router will not find a Layer 2 (for Ethernet and Wi-Fi, MAC) address to send the traffic to. I would strongly advise against setting a DMZ host, even if you’re getting all your teeth pulled out to do so, for all the reasons @rfrazier mentioned.

Regarding IPv6, there is no notion of “DMZ hosts” in IPv6, since there is no notion of NAT/NAPT in IPv6. All IPv6-enabled hosts connected to an IPv6-enabled network have a globally routable address. You simply open, or not, the necessary ports in the firewall in front of that host.
 
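What a "DMZ host" pointed at an unused address actually does, modelled as an added example (this is not code from the posts or from any router firmware). The model follows the reply above: a DMZ host means every unsolicited WAN packet has its destination rewritten to that address, and delivery then needs a neighbour (ARP) entry for it on the LAN; with no entry the router has nowhere to send the packet and, in this model, silently drops it. It also plays out the fourth concern from the earlier post (DHCP later handing out the "unused" address) and the single-port alternative (forwarding one port to nowhere). The addresses, the host table, the probed ports and the later DHCP lease are constructed for the example.

```python
"""Toy model of a home router's DMZ-host and port-forward handling for
unsolicited inbound packets.  Added illustration, not router code.  Assumes
the router silently drops a packet whose rewritten destination has no ARP
entry; addresses and hosts are made up.
"""

LAN_NEIGHBOURS = {                        # IPv4 -> MAC: the router's ARP table
    "192.168.1.1": "aa:bb:cc:00:00:01",   # the router itself
    "192.168.1.10": "aa:bb:cc:00:00:10",  # a PC
    "192.168.1.20": "aa:bb:cc:00:00:20",  # a printer
}
UNUSED = "192.168.1.250"                  # meant to stay outside the DHCP pool


class Router:
    def __init__(self, neighbours, dmz_host=None, port_forwards=None):
        self.neighbours = dict(neighbours)
        self.dmz_host = dmz_host
        self.port_forwards = dict(port_forwards or {})   # dport -> inside IPv4

    def unsolicited(self, dport):
        """An inbound packet with no matching connection state arrives on the WAN.
        Returns (outcome, inside_ip)."""
        target = self.port_forwards.get(dport, self.dmz_host)   # forward beats DMZ
        if target is None:
            return "dropped_by_firewall", None          # the normal case: no hole at all
        if target not in self.neighbours:
            return "dropped_no_neighbour", target       # rewritten, but no L2 address to send to
        return "delivered", target                      # a real device now sees the packet

    def dhcp_lease(self, ip, mac):
        """DHCP hands an address to a newly joined device (updates the ARP table)."""
        self.neighbours[ip] = mac


def exposed_ports(router, ports):
    """Which of the probed ports reach a live device inside the LAN?"""
    return [p for p in ports if router.unsolicited(p)[0] == "delivered"]


if __name__ == "__main__":
    probes = [22, 113, 445, 3389]
    plain = Router(LAN_NEIGHBOURS)
    dmz_nowhere = Router(LAN_NEIGHBOURS, dmz_host=UNUSED)
    dmz_pc = Router(LAN_NEIGHBOURS, dmz_host="192.168.1.10")
    one_port = Router(LAN_NEIGHBOURS, port_forwards={113: UNUSED})
    for name, r in [("no DMZ", plain), ("DMZ -> unused", dmz_nowhere),
                    ("DMZ -> PC", dmz_pc), ("tcp/113 -> unused", one_port)]:
        print(name, {p: r.unsolicited(p) for p in probes}, "exposed:", exposed_ports(r, probes))
    # The "unused" address stops being unused: a new device gets it from DHCP.
    dmz_nowhere.dhcp_lease(UNUSED, "aa:bb:cc:00:00:fe")
    print("DMZ -> unused, after DHCP lease", "exposed:", exposed_ports(dmz_nowhere, probes))
```

Note the difference between the two "dropped" outcomes: with no DMZ and no forward, the firewall never rewrites the packet at all; with a DMZ host to nowhere, every unsolicited packet is rewritten and only fails at the ARP step, so the protection now rests entirely on that address staying unassigned. The one-port forward to nowhere limits the blast radius to that single port.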
[Quoting Ed7789's post above]

@Ed7789 I have some questions about IPV6. I will admit I've never studied it. In IPV4 with NAT, we have non routable addresses (192.168.x.x etc.) that can never go out on to the internet. When we send stuff out on the internet, NAT translates it to our public IP, with a port number appropriate to the request. The return port is opened only by the router when a response is expected. Thus you have inherent security. So, first, it seems like a really terrible idea for all addresses to be routable. Second, does the router do dynamic port opening and closing so that only requested packets are allowed back in? To not do that would also seem like a terrible idea. I have no need of IPV6 at home, and I keep it turned off on my systems.

Ron
 
[Quoting Ron: "non routable addresses"]
This is technically the wrong name for them. They are private network IP addresses and they ARE routable, inside your own private network, but they are NOT to be routed onto the public Internet. https://en.wikipedia.org/wiki/Private_network IPv6 has them too, in different flavours, one of which is mandatory for all devices. (Here's one from my VirtualBox virtual NIC: Link-local IPv6 Address . . . . . : fe80::9427:dce2:e2c:6172%9(Preferred) ) There's lots to read, if that is your mood: https://tools.ietf.org/html/rfc4193
 
[Quoting PHolder's post above]

@PHolder Hi. Thanks very much for posting that reference. For now, I think that's way above my BEETCF - Brainwave Energy Expansion Time Consumption Factor. But I'm saving all this for reference if needed. :cool:

Ron
 
[Quoting Ron's question above]
In practice, IPv4 NAPT or NAT are several features that we usually see as a single feature. They are often bundled together.

  • NAPT: Network Address and Port Translation, this is what we most commonly use. It’s responsible for the translation of one IPv4 address and port combination into another, typically from RFC 1918 (private) IPv4 addresses to non-RFC 1918 (public) addresses.
  • NAT: Network Address Translation. It’s responsible for the translation of one IPv4 address into another; it doesn’t include port translation.
  • Stateful firewall: This is what makes sure that the port is open only when a communication is expected. It tracks the IP quadruplet, with the TCP connection state if it’s available.
NAPT/NAT doesn’t offer security on its own. It is easy to attack a device behind NAT, because the router will do the translation if it receives traffic destined for the public address. What offers protection is the stateful firewall, which tracks the connection issued by your computer and allows the reply to come back.

The stateful firewall also exists in IPv6, and as long as it is configured properly, you are not more or less secure than in IPv4. It’s just a matter of doing the homework.

It is important to not apply the IPv4 presumptions to IPv6 networking, like blocking ICMPv6 in full … you will end up with connectivity issues (been there, done that!)
Another common presumption: the link-local fe80:: range is not routable in any situation, as any NIC will always have an fe80:: address assigned, and one or more global IPv6 addresses (temporary and permanent addresses). This differs from IPv4, which doesn’t have a link-local address unless no other address is configured.
 
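The separation the reply above draws between NAPT and the stateful firewall, as an added example (not code from the posts or from any router): a NAPT mapping alone translates any packet that arrives for the mapped public port, whoever sent it, and it is the connection-tracking firewall that restricts inbound traffic to replies to flows an inside host opened. The same tracker, with no translation at all, is what protects an IPv6 host that has a global address. The model uses an endpoint-independent mapping (one public port per inside socket), which is an assumption; all addresses, ports and the "attacker" are constructed values.

```python
"""Toy model separating IPv4 NAPT from the stateful firewall, and showing the
same firewall in front of an un-NATed IPv6 host.  Added illustration, not
router code.  Assumes endpoint-independent NAPT mappings; every address and
port below is made up.
"""

PUBLIC_V4 = "203.0.113.7"   # the router's WAN address (documentation range)


class NatBox:
    def __init__(self, stateful: bool):
        self.stateful = stateful
        self.napt = {}          # public_port -> (inside_ip, inside_port)
        self.conntrack = set()  # (inside_ip, inside_port, remote_ip, remote_port)
        self._next_port = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An inside host opens a flow.  Returns the (ip, port) the remote end sees."""
        self.conntrack.add((src_ip, src_port, dst_ip, dst_port))
        if ":" in src_ip:
            return src_ip, src_port     # IPv6: already global, nothing to translate
        for pub, inside in self.napt.items():            # reuse an existing mapping
            if inside == (src_ip, src_port):
                return PUBLIC_V4, pub
        pub = self._next_port                            # else allocate a public port
        self._next_port += 1
        self.napt[pub] = (src_ip, src_port)
        return PUBLIC_V4, pub

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """A packet arrives on the WAN side.  Returns ('delivered', inside) or ('dropped', why)."""
        if dst_ip == PUBLIC_V4:
            if dst_port not in self.napt:
                return "dropped", "no NAPT mapping for public port"
            inside = self.napt[dst_port]     # NAPT translates regardless of who sent it
        elif ":" in dst_ip:
            inside = (dst_ip, dst_port)      # IPv6: globally routable, no translation step
        else:
            return "dropped", "not addressed to this network"
        if self.stateful and (inside[0], inside[1], src_ip, src_port) not in self.conntrack:
            return "dropped", "no matching connection state"
        return "delivered", inside


def scenario(stateful: bool):
    """IPv4: one browser connection, then the server's reply and an attacker's probe."""
    box = NatBox(stateful)
    seen_as = box.outbound("192.168.1.10", 51234, "198.51.100.5", 443)
    pub_port = seen_as[1]
    return {
        "seen_as": seen_as,
        "reply": box.inbound("198.51.100.5", 443, PUBLIC_V4, pub_port),
        "attacker": box.inbound("192.0.2.99", 9999, PUBLIC_V4, pub_port),
    }


def scenario_v6(stateful: bool):
    """IPv6: same shape, but the inside host is reachable by its own global address."""
    box = NatBox(stateful)
    box.outbound("2001:db8:1::10", 51234, "2001:db8:2::5", 443)
    return {
        "reply": box.inbound("2001:db8:2::5", 443, "2001:db8:1::10", 51234),
        "attacker": box.inbound("2001:db8:9::bad", 9999, "2001:db8:1::10", 22),
    }


if __name__ == "__main__":
    for st in (False, True):
        print("IPv4", "stateful" if st else "NAT only ", scenario(st))
        print("IPv6", "stateful" if st else "no fw    ", scenario_v6(st))
```

With `stateful=False` the IPv4 attacker's packet to the mapped public port is translated and delivered to the PC just like the legitimate reply, which is the "NAT on its own offers no security" point; with `stateful=True` only the reply gets through, and the IPv6 case behaves identically without any translation. The IPv6 run with `stateful=False` is the situation to avoid: every global address is reachable on every port.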
That's interesting, and it clears things up a bit. I didn't know about those 3 separate services you mentioned. I think I'll just stick with IPV4 here at home as it seems the complexity and potential risks quickly increase with IPV6. I have IPV6 turned off in the router settings.

Besides which, Steve's Shields UP works on IPV4. :cool:

Ron