For your home or small office network, the firewall is probably the single most important piece of hardware.
Note! For the remainder of this post I’ll use the term firewall. I know a firewall and a router is not the same thing, but for homes and small offices it’s almost always the same device)
It’s your first defense against attacks from the Internet, and it usually provides necessary services like DHCP, NAT and probably DNS forwarding.
If your firewall is compromised then a MITM attack is trivial. All devices inside are open to all sorts of attack and manipulation.
So, how secure is your firewall?
Most firewalls today never get updates. And an alarming number of devices have backdoors installed fresh from the factory (by the manufacturers themselves).
Like this TP-link device with remote execution in root context, without any authentication. It’s on the LAN side, but if even one device inside your network is briefly compromised, it would be easy to maintain a persistent presence.
Or quite a few of Netgear and linksys (even a few Cisco). This backdoor gives you full access to the router. You can even reset the password to log in as a authenticated admin.
It got patched, but it turns out that it’s still there:
If that is not enough, some firewalls even have features that doesn’t even require any hacking to gain access.
Asus’ AiCloud feature on higher end consumer devices gave everyone on the Internet full access to your router.
For a good summary of this issue, take a look at this Ars Technica article
Configuration on a home or soho-firewall is usually performed via a Web interface. This means that the firewall is exposing a webserver to the Lan side.
A webserver that is rarely updated is frankly a bit worrying. Especially considering the damage that could be done if your firewall is compromised.
What to do about it?
I strongly recommend that you build your own firewall.
Firewall hardware is cheap and you can use any old computer, but it’s preferable to buy hardware with low power requirements. This will result in less or no noise, smaller device and less generated heat.
I would also recommend to deny access to the web configuration of your firewall, also from LAN side. To do this you need to have 3 network interfaces. 1 for WAN, 1 for LAN and 1 for access to the Web configuration of the device. Of course, this is not a good idea if you regularly need to access your firewall configuration. Most people rarely do, so having a dedicated network port to do configuration is not a big problem
I tried to do this on a Cisco Small Business firewall like the ISA 550 and it just ignores any rules to drop packets from LAN to port 80/443 (web) on any interface.
Building your own firewall will give back control.
An Alix board or an Atom board is recommended (links below).
You need at least two network adapters (but I would recommend 3, so you can dedicate one interface for configuration purposes).
Distributions like pfsense, dd-wrt and ipcop are easy to configure and you’ll have access to regular updates.
I’ve been using pfSense on an Alix board for years, and it’s rock stable. It manages 50mbit without any issue at all.
But iif you need even more throughput, or more features like IDS or VPN, then you’ll need a board with better performance.
Give it a go!
- Alix boards at http://www.pcengines.ch
- One with 3 LAN ports http://www.pcengines.ch/alix2d13.htm
- Or the more powerfull APU series: http://www.pcengines.ch/apu.htm
- A powerfull Atom board: http://www.asrockrack.com/general/productdetail.asp?Model=C2550D4I
Tutorials/getting started links: