Sunday, July 17, 2011

How to Secure Your Small-network Firewall Step-by-step

The following procedure walks you through the process of securing your small network firewall.  Specifically, it walks you through securing an integrated cable gateway/firewall device that functions as your small network's primary access point.  This walkthrough is based upon securing the Linksys WCG200 integrated cable gateway modem access point.  However, the methods presented here are applicable to all home and small network access points.  This walkthrough assumes that you have correctly configured your gateway for ISP connection and that you are able to access the gateway's administration web page.  It assumes a wired network and does not examine wireless security.  It does not address all aspects of home network gateway configuration: only those specific aspects associated with firewall security.  This walkthrough is organized into five steps: 1) disabling remote administration, 2) enabling stateful packet inspection, 3) enabling common packet inspection rules, 4) configuring port filtering, and 5) enabling VPN passthrough.  References pointing to additional details on the topics covered in this walkthrough are provided in the References section.  Good Luck!


Step 1: Disable Remote Administration

Remote administration can be hacked using dictionary attack methods.  Best to disable it.  Set Remote Administration to Disable.

The default password on Linksys appliances is often "admin."  Now you know it.  So does everyone else.  Best to change it to something different; something difficult.  Best to create a password that meets the following minimum guidelines:
  • Minimum 8 characters
  • At least one number
  • At least one upper case and one lower case letter
  • At least one special character (subject to what your firewall allows)
One last thing: it's bad practice to allow another device to remotely reconfigure your gateway/firewall.  What happens if a trojan hijacks your machine and discovers that your machine can reconfigure your firewall?  That's exactly what UPnP allows.  Disable it.  It's not worth the trouble to use it.

Step 2: Enable Stateful Packet Inspection

To enable your firewall to look inside packets and filter them based upon their contents, you need to enable Stateful Packet Inspection (SPI). Without SPI switched on, your firewall is handicapped.  Go to the security section of the admin console.  For the WCG200, go: Security > Firewall.  Select Enable for Firewall Protection.

Step 3: Enable Common Packet Handling Rules

Some common packet handling rules that you should enable include rules for blocking:
  • Fragmented packets: used to perform IP fragmentation attacks
  • Anonymous Internet requests: used to discover your network topology, including IPs and ports, and to initiate connections to machines on your network.  Bad news: block these.
  • Multicast: used to perform DDoS and remote code execution attacks
Go to the appropriate page to enable these rules.  For the WCG200, go: Security > Firewall.  Then enable the options discussed above.

Don't disable Cookies, Java Applets, ActiveX, or popups, as they are needed for most browser viewing of websites.  Proxy should be blocked.  It's also useful to enable Port Scan alerting: this will log such scans for later analysis.  Port scanning is performed by attackers to discover open ports.

Step 4: Configuring Port Filtering

There are 65,535 ports.  You only need to use a few of these.  The rest are open doors to trojans and drive-by surveillance efforts.  A number of ports are known entry/exit points for various trojans, viruses and worms.  Lock them up and block them out.

Before blocking them out, do your homework.  Take an inventory of your special needs: some applications (e.g., games) use special ports; distributed applications may employ special ports; if you VPN to special URLs, log the ports you connect to.  Use terminal commands, such as netstat, to monitor ports and build a baseline inventory of those ports that are commonly used.  TCPView is also a good tool for this.  After a few days of monitoring, you'll have a pretty good idea of what to block and what not to block.  You can do this incrementally: block a certain range; see what happens; if nothing breaks, block another range.  In this fashion, you slowly and inexorably lock down the firewall.  Don't panic if you block a port range and then discover that something no longer works.  Just unblock the port range.  That will fix the problem.  Here are common ports you need to keep open:

Port Number   Service   Description
3389          RDP       Remote desktop, both TCP/UDP
995           POP3      Incoming POP3
587           SSL       Outgoing SMTP
443           SSL       Encrypted website access
110           POP3      Unencrypted email transfer to email server from your machine
80            WWW       Standard WWW access
68            DHCP      Communication with your ISP for modem configuration information
67            DHCP      Communication with your ISP for modem configuration information
53            DNS       DNS queries
25            SMTP      Unencrypted email transfer from email server to your machine
23            SSH       Secure shell connection to machine on private network
22            SSH       Secure shell connection to machine on private network
21            FTP       FTP command
20            FTP       FTP data transfer

To set up port filtering on the WCG200, go: Access Restrictions > Filter Internet Traffic.  The WCG200 lets you specify 10 port filtering ranges.  Your own gateway/firewall may be different.  On a spreadsheet, map out the ranges that you want to filter.  Then enter them into the screen.  The following image shows the results of such mapping for a typical home gateway/firewall.

The port filtering rules have been enabled for all devices (0.2-0.254) on the home network.  Note that one special port in the upper range was kept open.  You may need to do likewise.
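The spreadsheet step above (turn a "keep open" list plus your netstat baseline into block ranges that fit the gateway's 10-rule limit) is mechanical enough to script.  This is an added example, not part of the original walkthrough; the netstat output is constructed, and the 10-rule limit and the port list are the ones given above.

```python
import re

# Constructed sample of `netstat -n` output, standing in for the baseline
# inventory the walkthrough has you collect over a few days of monitoring.
NETSTAT_SAMPLE = """\
Proto  Local Address          Foreign Address        State
TCP    192.168.0.10:49152     203.0.113.5:443        ESTABLISHED
TCP    192.168.0.10:49153     198.51.100.20:993      ESTABLISHED
TCP    192.168.0.10:49160     203.0.113.7:80         TIME_WAIT
TCP    192.168.0.10:49171     192.0.2.9:27015        ESTABLISHED
"""

# Ports the walkthrough's table says to keep open.
KEEP_OPEN = {3389, 995, 587, 443, 110, 80, 68, 67, 53, 25, 23, 22, 21, 20}
RULE_LIMIT = 10  # number of port filter ranges the WCG200 lets you enter


def observed_remote_ports(netstat_text):
    """Remote ports from the 'Foreign Address' column of netstat output."""
    ports = set()
    for line in netstat_text.splitlines()[1:]:  # skip the header row
        m = re.match(r"\S+\s+\S+\s+\S+:(\d+)\s", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def block_ranges(open_ports, low=1, high=65535):
    """Complement of open_ports within [low, high] as (start, end) pairs."""
    ranges, start = [], low
    for p in sorted(open_ports):
        if p > start:
            ranges.append((start, p - 1))
        start = p + 1
    if start <= high:
        ranges.append((start, high))
    return ranges


def plan_filters(open_ports, limit=RULE_LIMIT):
    """Fit the block list into `limit` rules.  With too many ranges, drop the
    narrowest ones (fail open on the fewest ports) rather than merge across a
    wanted port, and report exactly which ports that leaves unblocked."""
    ranges, left_open = block_ranges(open_ports), set()
    while len(ranges) > limit:
        narrowest = min(ranges, key=lambda r: (r[1] - r[0], r[0]))
        ranges.remove(narrowest)
        left_open.update(range(narrowest[0], narrowest[1] + 1))
    return ranges, left_open
```

Run `plan_filters(KEEP_OPEN | observed_remote_ports(NETSTAT_SAMPLE))` to get the ten rows to type into the filter page plus the handful of ports (here 24, 69-79 and 994) the rule limit forces you to leave open, so you can decide whether that residue is acceptable.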

Step 5: Enable VPN Passthrough

If you connect to a corporate or other private network over the Internet, you must enable virtual private network (VPN) passthrough.  In 2011, most machines use IPsec.  PPTP is still supported for backwards compatibility.  Unless you know you need to use PPTP, disable it.


Congratulations!  You've completed this walkthrough.  Bet you didn't think you could configure such a technical device as your small network firewall.  For further information on the topics discussed in this walkthrough, consult the references.