Sascha Knific
2002-Aug-14 13:07 UTC
[Shorewall-users] Broadband Router Question / A Little Off Topic
Hi,

I had a discussion with somebody and I need a professional third opinion.

The customer has an IP network with "stolen" IP addresses. Let's say 192.123.123.0/24.

There are two routers in this network:

1. A broadband router (SMC7004BR) connecting the network to the Internet (PPPoE with dynamic IP addresses) using NAT. This is the default gateway (IP 192.123.123.254).

2. The second router is a Cisco 800 connecting the network to another company (IP 192.123.123.1). This company has an IBM host system which needs to be accessed (IP 123.123.123.123). The access is made possible by a host route entry on every PC (the SMC doesn't support host routes):

   123.123.123.123/255.255.255.255 gw 192.123.123.1

There are 10 Win95/98 PCs in this network.

The "stolen" IPs are needed because the Cisco router is configured for those IPs (by the other company; I have no access). They refuse to change this. I told them that this is a very bad practice.

So my questions:

1. Do you think that the broadband router is insecure? Do you think that there is a need for an extra firewall (the router has some kind of firewall functionality)?

2. Do you think that the broadband router brings some kind of insecurity to the network attached to the Cisco router?

Sascha

--------------------------------------------------------
Sascha Knific          K Systems & Design
Tel. +49-8151-773260   Wittelsbacherstr. 6a
Fax. +49-8151-773262   82319 Starnberg, Germany
Leo  +49-8151-773261   WGS84: N57°59'52.4" E11°20'34.3"
knific@k-sysdes.net    http://www.k-sysdes.net
Simon Matter
2002-Aug-14 14:59 UTC
[Shorewall-users] Broadband Router Question / A Little Off Topic
Sascha Knific wrote:
> Hi,
>
> I had a discussion with somebody and I need a professional third opinion.
>
> The customer has an IP network with "stolen" IP addresses.
> Let's say 192.123.123.0/24.
>
> There are two routers in this network:
> 1. A broadband router (SMC7004BR) connecting the network to the Internet
> (PPPoE with dynamic IP addresses) using NAT. This is the default gateway
> (IP 192.123.123.254).
>
> 2. The second router is a Cisco 800 connecting the network to another
> company (IP 192.123.123.1). This company has an IBM host system which
> needs to be accessed (IP 123.123.123.123). The access is made possible
> by a host route entry on every PC (the SMC doesn't support host routes):
> 123.123.123.123/255.255.255.255 gw 192.123.123.1
>
> There are 10 Win95/98 PCs in this network.
>
> The "stolen" IPs are needed because the Cisco router is configured for
> those IPs (by the other company; I have no access). They refuse to change
> this. I told them that this is a very bad practice.
>
> So my questions:
> 1. Do you think that the broadband router is insecure? Do you think that
> there is a need for an extra firewall (the router has some kind of firewall
> functionality)?

I don't think "some kind of firewall functionality" is secure. A firewall can be secure if you know exactly what it does and how it does it, and if you know exactly how to configure it.

> 2. Do you think that the broadband router brings some kind of insecurity to
> the network attached to the Cisco router?

The question is whether the Cisco is connected to a firewall in the other company. If not, and we consider 192.123.123.0/24 as insecure, then it brings insecurity to the other company as well.

I recommend the following:

a) Change the network to an RFC 1918 address. Some people believe using "stolen" IPs gives them additional security, but it seems nonsense to me.

b) Put a well-configured Linux/Shorewall firewall between the local network and the two routers. No need for any host route anymore; you can do everything on the firewall.

Simon

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
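What Simon's recommendation b) looks like in practice, as an added example that is not part of the thread and not the Shorewall project's own configuration. It also goes a step further than a): the LAN itself is renumbered to an RFC 1918 range, while the "stolen" 192.123.123.0/24 survives only on the small segment shared by the two routers, so the Cisco configuration that the other company will not change is never touched; the firewall masquerades the LAN behind one address on that segment. Everything below that is not in the thread is an assumption: Shorewall 4.x file syntax (the `masq` file, which newer Shorewall calls `snat`), eth0 as the LAN side (192.168.1.0/24, firewall 192.168.1.1), eth1 as the router segment with the firewall at 192.123.123.2, an admin workstation at 192.168.1.10, and tcp/23 as the terminal service on the IBM host; substitute the port the host really uses.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall's own files): a Linux/
# Shorewall firewall between a renumbered RFC 1918 LAN and the segment
# shared by the SMC broadband router (192.123.123.254) and the Cisco 800
# (192.123.123.1). Assumed layout: LAN on eth0 = 192.168.1.0/24 with the
# firewall at 192.168.1.1; router segment on eth1 keeps 192.123.123.0/24
# with the firewall at 192.123.123.2 (assumed free). The IBM host is
# assumed to be reached on tcp/23; the admin workstation is 192.168.1.10.
set -e

write_shorewall_config() {
    dir="$1"            # normally /etc/shorewall
    mkdir -p "$dir"

    # "part" is a sub-zone of "net": the single IBM host behind the Cisco.
    # Everything else arriving on eth1 (the Internet via the SMC, the Cisco
    # itself, anything else the partner routes towards us) is plain "net".
    cat > "$dir/zones" <<'EOF'
#ZONE      TYPE
fw         firewall
loc        ipv4
net        ipv4
part:net   ipv4
EOF

    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   OPTIONS
loc     eth0        tcpflags,nosmurfs
-       eth1        tcpflags,nosmurfs
EOF

    # On eth1 zone membership is decided by address, not by interface.
    cat > "$dir/hosts" <<'EOF'
#ZONE   HOST(S)
net     eth1:0.0.0.0/0
part    eth1:123.123.123.123
EOF

    # Default deny everywhere except LAN -> Internet; log what is dropped.
    # Neither the Internet nor the partner side can initiate into the LAN.
    cat > "$dir/policy" <<'EOF'
#SOURCE  DEST   POLICY   LOG
loc      net    ACCEPT
fw       net    ACCEPT
net      all    DROP     info
part     all    DROP     info
all      all    REJECT   info
EOF

    # Exceptions, matched in order before the policies above.
    cat > "$dir/rules" <<'EOF'
#ACTION  SOURCE             DEST                   PROTO  DPORT
# Only the IBM host, only the terminal service (port assumed).
ACCEPT   loc                part                   tcp    23
# The SMC admin web interface is reachable from one workstation only.
ACCEPT   loc:192.168.1.10   net:192.123.123.254    tcp    80
DROP     loc                net:192.123.123.254
EOF

    # LAN addresses are hidden behind 192.123.123.2, so neither router
    # ever sees 192.168.1.0/24 and the Cisco configuration stays as it is.
    cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
eth1        192.168.1.0/24
EOF
}

# Routing now lives on the firewall; the PCs only need 192.168.1.1 as
# their gateway and lose their per-host route entries.
install_routes() {
    ip route replace default via 192.123.123.254 dev eth1
    ip route replace 123.123.123.123/32 via 192.123.123.1 dev eth1
}

# Run as: sh firewall.sh --apply  (writes /etc/shorewall, sets the routes,
# and lets Shorewall validate the files before anything is loaded).
if [ "${1:-}" = "--apply" ]; then
    write_shorewall_config /etc/shorewall
    install_routes
    shorewall check && shorewall restart
fi
```

The nested zone is the point that matters for Sascha's second question: because only 123.123.123.123 is in `part`, the Cisco router and whatever else the other company might route over that link fall into `net` and are dropped, and the `part all DROP` policy means the unprotected partner side cannot reach the LAN even though both routers sit on one wire. Run `shorewall check` after every change; a zone or hosts typo otherwise turns into an open policy at restart.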
Thad Marsh
2002-Aug-14 18:46 UTC
[Shorewall-users] Broadband Router Question / A Little Off Topic
Can you please clarify what you mean by stolen IP address?

-----Original Message-----
From: Simon Matter [mailto:simon.matter@ch.sauter-bc.com]
Sent: Wednesday, August 14, 2002 11:00 AM
To: Sascha Knific
Cc: shorewall-users
Subject: Re: [Shorewall-users] Broadband Router Question / A Little Off Topic
John Andersen
2002-Aug-14 18:54 UTC
[Shorewall-users] Broadband Router Question / A Little Off Topic
On 14 Aug 2002 at 14:46, Thad Marsh wrote:
> Can you please clarify what you mean by stolen IP address?

I thought it was clear. Stolen, usurped, used without permission. It's not assigned to them, they just grabbed it. Where one would normally use an RFC 1918 range such as 192.168.x.x or 10.x.x.x, they just used a subnet at random (actually used what was pre-programmed into their routers).

As long as it's not routed outside your local LAN and you have no need to access the REAL owner of that subnet (such as another web site or something), you can get away with this. It's a cheap shot, used in this case (as Simon explained) because they can't/won't reprogram the Cisco router.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
Thad Marsh
2002-Aug-14 19:17 UTC
[Shorewall-users] Broadband Router Question / A Little Off Topic
Sorry, I missed the bit about being on the internal network. No, it makes sense. Thanks!

-----Original Message-----
From: John Andersen [mailto:JAndersen@screenio.com]
Sent: Wednesday, August 14, 2002 2:54 PM
To: Thad Marsh
Cc: shorewall-users
Subject: RE: [Shorewall-users] Broadband Router Question / A Little Off Topic
Sascha Knific
2002-Aug-14 19:31 UTC
[Shorewall-users] Broadband Router Question / A Little Off Topic
Hi,

Simon Matter wrote:
> I don't think "some kind of firewall functionality" is secure. A
> firewall can be secure if you know exactly what it does and how it does
> it, and if you know exactly how to configure it.

SMC calls it NAT-Firewall. There are no ports open to the Internet side. On the local net side there is a web interface for admin (password protected) & monitoring. I would be interested in the effort you need to take to compromise such an embedded system. Would also be interesting what kind of OS SMC and others use.

>> 2. Do you think that the broadband router brings some kind of insecurity to
>> the network attached to the Cisco router?
>
> The question is whether the Cisco is connected to a firewall in the
> other company. If not, and we consider 192.123.123.0/24 as insecure,
> then it brings insecurity to the other company as well.

The Cisco is supposed not to be protected by a firewall on the other company's side. But on the other hand the SMC router doesn't know about the second router. There are no routing entries. Only the PCs know of the routes.

> I recommend the following:
>
> a)
> Change the network to an RFC 1918 address. Some people believe using
> "stolen" IPs gives them additional security but it seems nonsense to me.
> b)
> Put a well-configured Linux/Shorewall firewall between the local network
> and the two routers. No need for any host route anymore, you can do
> everything on the firewall.

Changing the IPs is not an option as the Cisco router is not controlled by me. :-( I would have done that already. The company is going to change most of their equipment and all the problems are going to be addressed.

The bottom line of my question is: How secure are embedded routers with NAT enabled?