More Routers

It’s interesting to me how obstinately we refuse to take basic network security precautions.  Usually, introducing the topic for conversation is met with contempt for nerds, as if I were attempting to discuss comic books and card games with high school jocks (with neither of which have I associated in my adult life).  But concern for such trivialities is gradually waning in light of big news headlines (Russia!), so people are now at least acknowledging that infosec is something we might casually entertain (though only in outrage that our government isn’t protecting us).

But elsewhere, in the tech community, network technology itself is coming increasingly under fire–specifically, consumer-grade NAT routers.  I had previously covered my recent transition to a more commercial-class router, the Ubiquiti EdgeRouter X, and I had been pleased with its performance for the time I used it.  Alas, a botched firmware upgrade left the device bricked, so I was forced back to my old D-Link while I considered options.  The experience had taught me a lesson: I wanted the security and features of a commercial-grade router, with the hand-holding of a consumer-grade one.  But that seemed an unfilled niche.

Eventually, I went back to my NAS’ manufacturer, Synology.  Their NAS management software has proven incredibly robust, with timely and automatic patches immediately following a CVE disclosure.  They had formerly tried to introduce a router but had discontinued it.  But now they were trying again with a new model.  It was hard to find an expert review on the device, as most of the Amazon community’s comments boiled down to “It’s fast and doesn’t drop connections”–something I consider to be bare minimum requirements for a $200 piece of network equipment.  Still, I discovered enough information elsewhere that compared its router management software to that of its NAS products, so I decided to bite.

RT2600AT

I could go on at length, exalting its software, but for the sake of keeping this post within the casual Internet-peruser’s attention span, I’d like to call attention to its simple and effective firewall.

Configuring a firewall shouldn’t be difficult, but until now I had never owned a router that managed to balance simplicity with effectiveness.  I was delighted with the level of customization.  For example, I decided to block all inbound connections from geolocated Russian and Chinese IPs.  I was disturbed to find out that two days later, 1800+ connection attempts from these regions had been blocked.  I suppose it’s mostly just Internet noise–passive scanning–but it’s still disconcerting.

Next up–a particularly troublesome IP range that my ISP uses to perform DNS and reverse-DNS queries.  To be clear, I don’t want my ISP messing with my DNS traffic, but as DNS is largely unencrypted, there’s not much I can do to stop them.  I specified my preferred DNS servers, but they appear to be bypassed when the lookup returns a 404, and my ISP serves me a “helpful” page of suggested results.

Fortunately, their DNS servers appear to be static, and using a Whois service I narrowed down the IP range and blocked it outright.  The router has since blocked 48 connection requests to these IPs, so while I might not be able to prevent my ISP from intercepting my DNS queries, I don’t have to look at what they decide to serve me back.

Lastly, and equally unsettling, was my cable modem’s hard-coded internal IP: 192.168.100.1–the address used by the majority of modem manufacturers.  In reality, there is no reason that a LAN-side device should need to contact the modem (that’s the router’s job), other than the remote possibility that the modem might need some user administration.  But that’s a stretch.

And the modem lacks any form of user authentication.  While there isn’t much someone could mess around with (apart from rebooting and resetting it), I still don’t think it should be open to anything on the LAN.  So, just no.  I blocked all traffic to its IP.  I didn’t count on anything trying to access it regularly, but the router counts 48 attempts now.  I’d really like to know what was trying to access it and why, but the conventional logs don’t provide that level of detail.  Oh well.
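
The open question above, which LAN device keeps trying to reach the modem, can be answered from per-packet firewall logs. The following is an added example, not part of the original post or of Synology's software: it assumes the blocking rule can log in the Linux netfilter LOG format (the post does not say this router can), and the log lines, host name `gw`, log prefix and the `summarize` function are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Destination the post blocks: the cable modem's fixed management address.
MODEM = ipaddress.ip_network("192.168.100.1/32")

# key=value fields as they appear in netfilter LOG lines (assumed log format).
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed, abbreviated sample lines; not taken from any real router.
SAMPLE_LOG = """\
Jan 10 03:12:01 gw kernel: DROP-MODEM IN=br0 OUT=eth0 SRC=192.168.1.23 DST=192.168.100.1 LEN=60 PROTO=TCP SPT=51544 DPT=80 SYN
Jan 10 03:12:04 gw kernel: DROP-MODEM IN=br0 OUT=eth0 SRC=192.168.1.23 DST=192.168.100.1 LEN=60 PROTO=TCP SPT=51544 DPT=80 SYN
Jan 10 03:14:30 gw kernel: DROP-MODEM IN=br0 OUT=eth0 SRC=192.168.1.40 DST=192.168.100.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan 10 03:14:31 gw kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.23 DST=8.8.8.8 LEN=70 PROTO=UDP SPT=40000 DPT=53
Jan 10 03:15:00 gw dhcpd: lease renewed for 192.168.1.40
"""


def summarize(log_text, blocked=MODEM):
    """Return {source_ip: {(proto, dport): hits}} for packets sent to `blocked`."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "SRC" not in fields or "DST" not in fields:
            continue  # not a packet log line (e.g. DHCP or other daemon output)
        try:
            dst = ipaddress.ip_address(fields["DST"])
        except ValueError:
            continue  # malformed address: skip rather than guess
        if dst not in blocked:
            continue  # traffic to some other destination
        # ICMP carries no destination port, so record None for it.
        dpt = fields.get("DPT", "")
        dport = int(dpt) if dpt.isdigit() else None
        hits[fields["SRC"]][(fields.get("PROTO", "?"), dport)] += 1
    return {src: dict(counts) for src, counts in hits.items()}


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_LOG).items():
        for (proto, dport), n in counts.items():
            print(f"{src} -> modem {proto}/{dport}: {n} attempt(s)")
```

A source address that hits TCP port 80 over and over points at a device or browser polling the modem's status page, and matching that address against the DHCP lease table names the device.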

In conclusion, my router upgrade has increased my network security at the cost of equal paranoia.

I’d end with something pithily snarky, but I just realized I’m out of aluminum foil.

–Simon