11 votes

Which setting on router should be used to secure home network?

Like millions of people, I have a router at home, with WiFi and admin passwords set up.

If an attacker's request comes in and there are no port forwarding rules set, the router should say "hey, request from the internet, I don't know which device you want to go to, sorry, I'll drop you then", and I'm secure. But I don't think it's that simple. If a packet from the outer network can attack my LAN without using port forwarding, how?

Which router settings should I really be looking for to make my home LAN more secure? Or what are the keywords of network security to start with?

16 comments

  1. [11]
    Amarok

    It actually is that simple! That's most of what a firewall does - prevent incoming connections. When you forward a port, you're telling it to override that default behavior and allow those specific connections to whatever machine you've forwarded to, on whatever port(s) you've forwarded.

    Most of the time we don't dive too deep into it and we just use 'zones' as a handy way to gate access for entire groups of computers. That's what you'll be doing in a home network setup. Your firewall will have something like this...

    Zone 1: INTERNET, usual color: RED - that's anything coming in over your internet connection, from Chinese hackers to NSA agents to pages from Tildes or Facebook. Default behavior is to treat this like cancer and never ever trust it.

    Zone 2: LOCAL, usual color: GREEN - this is everything you've plugged into your network cables at home. Default behavior here is to assume that you trust anything you've plugged in directly.

    You may or may not have these other zones depending on what you're doing.

    Zone 3: WIRELESS, usual color: BLUE - your wireless router probably treats the built-in wireless network as a separate set of devices in their own zone. Some make this part of the green network instead. If your wireless and wired devices all have the same first three numbers for an IP (such as 192.168.1.xxx) they are both in the green zone. If they are different (such as 192.168.1.x and 192.168.2.x) you've got a better router and it keeps them separated. That's good, so you can apply rules differently to the wired and wireless devices.

    Zone 4: DMZ, usual color: ORANGE (sometimes yellow). If you have your own services, such as your own web server, or your own email, this is where you put them. The stuff in the orange zone is intended to be accessed by other people on the internet. If you run your own 'cloud' services (blog, pictures library, etc) this is where they'd live - and doing this right means these things run on their own dedicated computer(s), not on your desktop. :P

    If you get fancy, you may have a VPN zone (purple, usually), which represents any devices on the internet that have connected back to your home network using a virtual private network of some kind. Most over the counter devices don't support this unless you go for the fancy expensive ones. You'd do this for example if you wanted your phone to be able to access your home media library directly, so you can watch movies while you're supposed to be working.

    Home networks tend not to go beyond this in level of complexity. In fact most people just have a RED and GREEN zone for internet and local devices.

    The reason we use simple zones/colors like this is so we don't all go batshit crazy staring at walls of IP addresses all the time. These zones greatly simplify things, since we can just make rules that say 'this zone has access to that zone, but no access to this other zone' - rules that manage based on network, rather than individual computers.

    Each zone is going to have its own set of IP addresses. Your network might look something like this...

    • red: whatever IP address you get from your internet service provider
    • green: 192.168.1.x (where x is 1-255, with your device being .1 on all networks, as the gateway)
    • blue: 192.168.2.x
    • orange: 192.168.3.x
    • purple: 10.0.0.x (don't ask me why it's a bad idea to use 192.168.anything for this :P)

    You can change the IP ranges your firewall is handing out from the defaults to whatever you like, but to stick to internet spec, you really only have the options of using 192.168.x.x, 10.x.x.x, and 172.16.x.x because that's just how we built the internet. Most use 192.168 as the default.

    Now you'd make rules like this:

    • red to anything: deny all, so nothing on the internet can get in to anything
    • green to red, orange to red, blue to red: allow all - this lets all the computers on those zones access the internet, and they probably all need to do that for web, updates, etc.
    • green to blue, blue to green, blue to orange, orange to blue: deny all - this prevents your local devices from talking to wireless devices or dmz services, and wireless devices from talking to your local devices or your local services in the DMZ. This kind of crosstalk is how you get hacked. Anything accessing your orange dmz should route out red and back in again like everything else.
    • green to orange: allow all, because you'll want to be able to log in to your DMZ devices with ssh/remote desktop to manage them, access them directly from your desktop, etc.
    • orange to green: deny all, because you don't want something in your dmz to open a connection back to something in your local network. If someone hacks your website server, that's how they'd get into the other stuff on your network.

    You'd think that orange to green: deny would block things talking back to you on your desktop on the green network, no? That's not how firewalls work, though. They only deal with opening a connection. If you open a connection from green to orange, orange can talk back on that connection even if orange is denied access to green. That deny only prevents orange from opening a connection to green. It's subtle but it's core to how firewalls function.

    So what about port forwarding? That's where you make specific exceptions to these general rules. Let's say you want to use bittorrent. You'll have to forward a range of ports from red:all to green:your desktop's IP and then configure your torrent client to use them. If you want to run a webserver in orange and host something like tildes, you'd forward red:all on 80 and 443 to orange:your webserver's IP address.

    A port is just a number - a mailbox, a place for a service like web or email to listen for incoming connections. 0-1024 are standardized/reserved for the stuff we all know and use like DNS, DHCP, SSH, webservers, email, etc. 1025-65535 are a wild west free for all where programs that make lots of crazy connections all the time (like bittorrent) play.

    That's really all there is to basic firewalling. I was going to link you a guide that explained all this simply but I can't fucking find one which is somewhat horrifying. All I get back are vendor-specific results and pay-for courses, and I'm losing my faith in internet search engines to produce useful not-selling-me-crap information. :P

    Edit: Odds are good that there's an open-source firmware replacement for your router that takes the gloves off and offers more features - such as DDWRT. Also if you want to roll your own, you can use open source firewalls and routers such as VyOS and my personal favorite, pfSense (which is the best there is, full stop). You don't need to get into things this deeply though, it's more of a hobbyist thing. Whatever ships with your device is probably pretty good at its job.

    20 votes
    1. [5]
      Nitta

      Wow this goes to bookmarks.

      Let me ask a possibly silly question. When I open a website, there are some outgoing requests, to which servers send incoming responses. These responses are somehow routed back to the address in the LAN that made the requests. Is some kind of temporary port forwarding created to allow responses to those specific recent requests? Why can't an external attacker pretend to be a server response which no one requested?

      1 vote
      1. [4]
        Amarok

        Your firewall keeps track of who is talking to what when and where in something called the 'state table' - which is basically a list of active connections. I'm sure you can find the state table in the interface somewhere - all firewalls even cheap ones let you see it. That's how a firewall can tell if a connection has been established between any two networks/computers, and also how it knows if it should just pass the data through (established) or if it should apply the rules and filter things out (new connections). Idle connections expire, and you can usually configure how long that takes.

        Firewalls track by connection and by endpoint rather than packet to packet. Conversations, rather than words. Fancier ones can read the data in the conversation and act on it, even change it, but at home you'll never run into that stuff - that's mostly for hyper-paranoid enterprises, and it always amuses me because good basic design can make a lot of that unnecessary. Real security comes from profiling, so you know all the normal conversations, and when a pair of machines start talking that never have before, you get notified. Most hacks come from users who are already legitimately inside the network, too - it's genuinely rare for someone to hack in from outside anymore. Easier to social-engineer your way in, because there's no patch for lazy or stupid. :P

        People do indeed do exactly as you say and pretend to be part of an existing connection to hack past a firewall. Most firewall systems are heavily hardened against this behavior, though, so it's not nearly as easy as it once was to fool them. Most vendors put bounties out on exploits as well, so when someone finds a hack they take it to the vendor for the bounty rather than selling it to criminals. It's never perfect, though, and people do find exploits from time to time that require patching, which is why firewalls and routers should always be kept on the bleeding edge of updates.

        Most hacking doesn't target the firewall directly, though, since that's hard hard work. If you're trying to sneak into a night club, picking a fight with the bouncer is not the best strategy. Most people set up the configs wrong, so hackers just look for loopholes in the configuration they can exploit, or services on the other side they can access legitimately and then hack those services instead - which is how most firewall breaches occur. That's why putting things people connect to into an orange network/dmz is a good idea - when (not if) there's a breach, the hacker can only get to other things on the orange network, rather than the entire network. If you want to get crazy (like my last job) you can have one orange network per computer so that breaches are permanently locked to just that one machine.

        Fun fact about the state table - that's actually the most resource-intensive code in the firewall. If you ever wonder why when you bittorrent behind a cheap router, your download speeds start fast and then dive to a crawl, it's because bittorrent's 500 connections have overloaded that cheap router's state table and it can't keep up with the traffic.

        We had a developer one time (a masters graduate from a good school) whose application was opening a new connection for every single chunk of data it was sending between the client and the server of this application. One single user would generate 800 connections in a minute - and he had the gall to yell at the network team and tell us our firewall wasn't good enough to handle his awesome application. He was burying a dual-cpu multi-core system with a ton of memory due to his bad design. It's rather surprising how far you can go in software without even learning the basics of hardware and communications.

        There's a time/cpu cost associated with opening a new connection (at every layer of the OSI model) and good design means opening one connection and using it for all data for the lifetime of the communication. That's how TCP/IP is supposed to work. ;)

        8 votes
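As an added example (not code from anyone in this thread), the following Python simulation puts the zone rules from the answer above and the state-table behaviour from this reply into one runnable packet filter. The zone ranges, the allow policy, the port forwards and the sample packets are all constructed for illustration.

```python
import ipaddress
from typing import List, NamedTuple

# Zones as described above; anything outside these ranges is RED.
ZONES = {
    "green": ipaddress.ip_network("192.168.1.0/24"),
    "blue": ipaddress.ip_network("192.168.2.0/24"),
    "orange": ipaddress.ip_network("192.168.3.0/24"),
}
# Zone pairs allowed to open NEW connections; unlisted pairs are denied,
# which gives "red to anything: deny all" and "orange to green: deny" for free.
POLICY = {("green", "red"), ("blue", "red"), ("orange", "red"),
          ("green", "orange")}
# Port forwards: red-side destination port -> DMZ host (constructed values).
PORT_FORWARDS = {80: "192.168.3.10", 443: "192.168.3.10"}


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the packet that opens a connection


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "red"


class Firewall:
    def __init__(self) -> None:
        self.state = set()  # the state table: one entry per open connection

    @staticmethod
    def _key(a: str, ap: int, b: str, bp: int):
        # Unordered pair of endpoints, so replies match the entry either way.
        return frozenset({(a, ap), (b, bp)})

    def handle(self, pkt: Packet) -> str:
        key = self._key(pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:
            return "pass (established)"  # part of a conversation we know
        if not pkt.syn:
            return "drop (no matching state)"  # a "reply" nobody asked for
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if src_zone == "red" and pkt.dport in PORT_FORWARDS:
            target = PORT_FORWARDS[pkt.dport]  # explicit exception to deny-all
            self.state.add(self._key(pkt.src, pkt.sport, target, pkt.dport))
            return f"forward to {target}"
        if (src_zone, dst_zone) in POLICY:
            self.state.add(key)
            return "pass (new)"
        return f"drop ({src_zone} to {dst_zone} denied)"


def demo() -> List[str]:
    fw = Firewall()
    packets = [
        Packet("192.168.1.20", 50000, "192.168.3.10", 22, True),   # green -> orange ssh
        Packet("192.168.3.10", 22, "192.168.1.20", 50000, False),  # its reply
        Packet("192.168.3.10", 40000, "192.168.1.20", 445, True),  # DMZ box calling home
        Packet("198.51.100.7", 1234, "192.168.1.20", 3389, True),  # unsolicited from red
        Packet("198.51.100.7", 5555, "203.0.113.5", 443, True),    # hits the forward
        Packet("192.168.3.10", 443, "198.51.100.7", 5555, False),  # webserver replies
        Packet("198.51.100.9", 443, "192.168.1.20", 60000, False), # fake "reply"
    ]
    return [fw.handle(p) for p in packets]
```

Running `demo()` shows the reply from the DMZ box passing on state alone while its attempt to open a fresh connection into GREEN is denied, which is the distinction the reply above draws.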
        1. [3]
          Nitta

          download speeds start fast and then dive to a crawl, it's because bittorrent's 500 connections have overloaded that cheap router's state table and it can't keep up with the traffic

          And here the old mystery about my previous router is resolved.

          Thanks for all this useful info. I feel I understand some network things again.

          1 vote
          1. [2]
            Amarok

            Most torrent clients let you limit the number of connections, and if you're on a cable-based ISP, you really don't want to go over 100, and 50 is better. You'd rather have 50 fast downloads going than 500 choked-off slow ones. Part of this is the DOCSIS cable network - it's a terrible, shitty hack to patch internet protocols over the cable network. It was never intended to replace a real network, so the connections can choke it off regardless of how good your router itself is.

            3 votes
            1. Nitta

              It was a cheap router (white TP-Link something 841 with one antenna and standard firmware) plugged into a Docsis modem...

    2. [3]
      Parliament

      Can I ask you some questions about why my pi-hole isn't fully set up with a netgear router? I used to use DD-WRT but got a new router and reverted back to netgear.

      1 vote
      1. [2]
        Amarok

        Fire away.

        1 vote
        1. Parliament

          Sorry for the late response after asking you for help. Tbh I just have no idea what the settings need to be for my router to make it work. Let me compile some info then get back to you.

    3. [2]
      noah

      When video game consoles are connected to the outside world, ELI5 NAT filtering strict, moderate, open?

      Great write-up by the way!

      1 vote
      1. Amarok

        NAT (network address translation) in a nutshell, is just a fancy way of saying "the 30 devices behind my firewall are all sharing the single IP address I got from my ISP". This exists because IPv4 (which is still the most widely used version) is limited to 2^32 IP addresses total, or about 4.2 billion devices. We've got more than that now and we didn't allocate the ones we had very well to start with (giving entire blocks like 13.x to Xerox, don't ask), so we had to invent a fancy way to share that limited number of IP addresses. That's why NAT was born - out of necessity.

        We could have switched to IPv6, but for some reason adoption of that has taken like 20 years and has still barely begun. NAT turned out to be a 'good enough' solution, and in the tech world, there's nothing more permanent than a temporary hack that works. IPv6 is the sequel to v4, and it has 2^128 IP addresses. Right now only ones that start with 2xxx. or 3xxx. are 'valid' but that's still 42 undecillion addresses total - enough to assign one to every molecule in Earth's gravity well. Overkill... or is it? Time will tell, but I digress. :)

        The terminology we use here kinda sucks and confuses the issue. The difference between how strict/moderate/open work is really about the method the firewall uses when it's doing NAT for devices behind it. Think of it as three 'modes' you can use, by telling the firewall which one to use for each zone, or each computer if you want to be more specific. You're doing NAT with all three, but some are more restrictive than others.

        Open nat is the lazy way. A device makes a request for information, and any responses from any machine anywhere get sent right back to the device making the request on the same connection/conversation that device started when it made the request. Wide open, not exactly a paragon of security. If your device wanted to talk to google.com the firewall in this mode would send you responses it got back from ye.random.botnet too, if it got any (which almost never happens unless someone is hacking you). It's not checking.

        Moderate/mixed nat is more secure. If the request was sent to www.google.com, the firewall will double check and reject any responses it gets that didn't come from www.google.com, as far as it can tell.

        Closed/strict nat is yet more secure. It's still checking the host like in moderate, but now it's also checking the port as well - meaning if your device connected to www.google.com:80, the firewall is going to reject anything that comes from www.google.com:anything but 80 as well as anything from not.google.com. This is the most paranoid variety.

        This seems silly (it is) and messy (NAT is a hack after all) but these three modes have some pretty serious consequences on how things function.

        UPNP (universal plug and play) was developed so we could all stop thinking about IP addresses and ports and tech bullshit, just plug in all the toys, and have them all work and auto-discover each other. They do this by chatting in a random-ports random-services not-very-secure yell-at-everything-on-the-network fashion. If your firewall/device combo is on anything other than open, this conversation is liable to piss it off and get whacked/blocked - which means that UPNP stops working between any devices that have to talk through the firewall.

        Modern game consoles are designed to use UPNP over the internet to do things like set up multiplayer, voice chat, etc. It's lazy, it's buggy, and it's also a serious security risk... not that these companies even know what security is as they've proven countless times for decades (I'm looking at you, Microsoft/Sony). Seriously - governments should fine these companies a couple billion a week while they are doing things this poorly.

        If you expect to be able to use these consoles to their fullest, I'd expect you need to make sure the firewall is treating them as open-nat mode, or it'll end up blocking everything. I expect the reason for this is because there's a giant cloud of computers out there in Microsoft/Sony datacenters that all have different IPs/ports, and the one you send a request to isn't necessarily the one you'll be getting a response from - that's just the nature of cloud services. That means only open-nat will work, because only open-nat doesn't care who replies to the request.

        Also if you're in team-chat with 16 other players, that's 16 different computers/consoles out there all trying to talk to your team-chat port on your single device, so in that case you've got 16 different computers all talking back on the same channel through the firewall - which is also exactly what it looks like if you've been hacked to hell and back.

        Yes, this means a single exploit cleverly used could in one day root every single one of these consoles worldwide. Presumably, there's some code in the consoles that's checking and guarding against this (as with most services, they do their own checking above and beyond the network connections, such as encrypting with private keys) - but given the security track record of these companies, I'm quite sure that code is utter garbage and rife with exploits. We'll be hearing about it on the news someday, that's a promise.

        2 votes
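Added example, not code from anyone in this thread: a Python model of the three NAT filtering modes described above, with constructed addresses and ports, showing why only the open mode delivers a reply that comes from a different server than the one the console talked to.

```python
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class NatTable:
    """One NAT device; `mode` is how it filters inbound packets on a mapping."""

    def __init__(self, mode: str) -> None:
        if mode not in ("open", "moderate", "strict"):
            raise ValueError(mode)
        self.mode = mode
        self.mappings: Dict[int, Endpoint] = {}        # external port -> inside endpoint
        self.contacted: Dict[int, Set[Endpoint]] = {}  # external port -> remotes contacted
        self._next_port = 40000

    def outbound(self, inside: Endpoint, remote: Endpoint) -> int:
        """Inside host sends a packet; create or reuse its external port."""
        for ext_port, owner in self.mappings.items():
            if owner == inside:
                break
        else:
            ext_port, self._next_port = self._next_port, self._next_port + 1
            self.mappings[ext_port] = inside
            self.contacted[ext_port] = set()
        self.contacted[ext_port].add(remote)
        return ext_port

    def inbound(self, ext_port: int, remote: Endpoint) -> Optional[Endpoint]:
        """Where an inbound packet is delivered, or None if the NAT drops it."""
        if ext_port not in self.mappings:
            return None  # no inside host ever opened this port
        seen = self.contacted[ext_port]
        if self.mode == "open":
            allowed = True  # anyone may answer on a mapped port
        elif self.mode == "moderate":
            allowed = any(ip == remote[0] for ip, _ in seen)  # same host, any port
        else:
            allowed = remote in seen  # exact host *and* port
        return self.mappings[ext_port] if allowed else None


def console_scenario(mode: str) -> Dict[str, Optional[Endpoint]]:
    """A console contacts one matchmaking server; see which replies get through."""
    nat = NatTable(mode)
    console = ("192.168.1.50", 3074)  # constructed inside endpoint
    ext = nat.outbound(console, ("203.0.113.10", 3074))
    return {
        "same server, same port": nat.inbound(ext, ("203.0.113.10", 3074)),
        "same server, other port": nat.inbound(ext, ("203.0.113.10", 3075)),
        "other server in the cloud": nat.inbound(ext, ("203.0.113.20", 3074)),
        "port nobody mapped": nat.inbound(ext + 1, ("203.0.113.10", 3074)),
    }
```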
  2. Emerald_Knight

    If you don't have port forwarding set up, then you're generally fine. Your biggest concerns are going to be 1. your router password security, 2. whether your router itself has any vulnerabilities (keep the firmware up to date), and 3. personal device security (e.g. malware). You're far more likely to run into problems with an attacker or infected device connected to your network and attacking from the inside, rather than a penetration from the outside.

    Don't worry, it really is that simple :)

    4 votes
  3. [3]
    Parameter

    I know you're asking a "basic" question but if you wanted to take this further you could look into open source router software. The platforms that are available provide a lot more flexibility and control over your hardware than stock firmware.

    It can be a fairly technical process depending on your needs and type of router. It sounds like overkill for your needs, I would only check it out if you enjoy the process of learning some basic networking.

    3 votes
    1. [2]
      Nitta

      I'm using an open source (not sure if completely) firmware already, it's Padavan. There are just more possible settings than I understand well enough...

      1 vote
      1. Parameter

        Ah, yeah it is a lot to consider. Networking has a lot of depth, a lot of it was beyond my interest so I just have a basic set up.

        1 vote
  4. Octofox

    I never trust the router firewall to actually work. Or even if it does work there is the possibility that an infected device on your network is forwarding connections to your device. If I need a firewall I will set it up on my computer itself. I usually forward all ports to my device because it makes it convenient to host things.

    1 vote