Topic: A simple Q on network security


peter-h (Topic starter)

A simple Q on network security
« on: February 15, 2020, 11:17:19 am »
Let's say you have an ADSL line, ADSL modem, NAT router, a 16 port unmanaged switch.

Fairly common except of course most consumer routers combine the modem and the router.

Internal LAN is say 192.168.50.1 onwards and you have a load of devices on that, both fixed IP and DHCP.

Due to NAT, there is no way for somebody to place packets on that internal LAN. Well, only if they can find an open NAT channel. The router closes these after 180 seconds.

Now let's say you configure the router to route a second subnet, onto the internal LAN. The router is a "high end" (funny name for a Chinese box full of bugs :) ) Draytek.

Now, if say you have a device on the LAN which responds to 100.101.102.103 then packets sent to that public IP will be placed on the internal LAN. And every device on the LAN potentially sees them. But in theory no other device will respond because they don't recognise that IP.

There is a security hazard, via malformed packets, etc.

But... the LAN is implemented via a 16 port switch. Surely, a switch (as opposed to a hub) builds a mapping table of IP versus port and, after a while of getting itself sorted out, it sends packets only to the devices being addressed. Only broadcast packets (255.255.255.255) get sent to everybody. Is this correct?

How would an attacker attack such a network?

Unfortunately the router doesn't have a facility for putting the 2nd subnet out on a separate RJ45.

Incidentally I don't think a Draytek firewall works on a 2nd subnet...
Z80 Z180 Z280 Z8 S8 8031 8051 H8/300 H8/500 80x86 90S1200 32F417
 

steenerson

Re: A simple Q on network security
« Reply #1 on: February 15, 2020, 12:48:11 pm »
Unmanaged switches and home networking equipment in general (besides routers) don't know or care about IPs (layer 3); they work at the MAC address / layer 2 level, where packets just have source and destination MAC addresses. The switch associates MACs with ports to know where to send packets, which happens right when the port lights up; it doesn't take time to learn. Only certain things like multicasts should show up on all ports on a switched network, unlike hubs, where all traffic is mirrored on all ports.

If a device is on your local subnet and responding to a public IP, if local devices try to access that same IP they will:

1. Look up the IP in their routing table, and should find nothing more specific than their default route (0.0.0.0/0) , which is generally the router, so they send packets to the router.
2. The switch only checks source and destination MACs, so they should be sent only to the router and not directly to the local 100.101.102.103 device
3. The router gets the packets, and routes them according to its routing table. If you give the router a second IP on the internal port in the same subnet (say, 100.101.102.102) it should be possible to route traffic to it.

VLANs would be the proper way to secure this, if your equipment supports it.
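As an added example (not code from any poster in this thread), a short Python model of the two points made in the reply above: a host picks the next hop by longest-prefix match in its routing table, and an unmanaged switch forwards on the learned destination MAC, never on the IP address. The MAC addresses, port numbers, ARP cache and routing table are constructed for the example.

```python
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Model of an unmanaged switch: it learns which port each source MAC
    arrived on and forwards by destination MAC only. IP addresses are never
    consulted."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame is sent out of."""
        self.mac_table[src_mac] = in_port  # learn on every frame
        if dst_mac == BROADCAST_MAC or dst_mac not in self.mac_table:
            # Broadcast, or unknown unicast: flood to every other port
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst_mac]
        return [] if out_port == in_port else [out_port]


def next_hop(routing_table, dst_ip):
    """Longest-prefix match over (prefix, gateway) entries. A gateway of None
    means the destination is directly connected. Returns (prefix, gateway)
    or None when no route matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, gateway in routing_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return (str(best[0]), best[1]) if best else None


def simulate():
    """Constructed scenario: PC on port 1, NAT router on port 2, a phone that
    answers to the public address 100.101.102.103 on port 3, port 4 empty."""
    pc_mac, router_mac, phone_mac = ("02:00:00:00:00:01",
                                     "02:00:00:00:00:02",
                                     "02:00:00:00:00:03")
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    # Each device has already sent one frame (e.g. an ARP request), so the
    # switch has learned its port.
    for port, mac in ((1, pc_mac), (2, router_mac), (3, phone_mac)):
        sw.receive(port, mac, BROADCAST_MAC)

    # The PC's routing table: its own /24 is directly connected, everything
    # else goes to the router at 192.168.50.1 (constructed values).
    pc_routes = [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.1")]
    arp_cache = {"192.168.50.1": router_mac, "100.101.102.103": phone_mac}

    prefix, gateway = next_hop(pc_routes, "100.101.102.103")
    # The frame is addressed to whichever MAC the route resolves to: the
    # router on a default-route hit, the destination itself when directly
    # connected. The switch then delivers it to that MAC's port only.
    frame_dst_mac = arp_cache[gateway or "100.101.102.103"]

    return {
        "pc_next_hop": (prefix, gateway),
        "ports_for_pc_frame": sw.receive(1, pc_mac, frame_dst_mac),
        "ports_router_to_phone": sw.receive(2, router_mac, phone_mac),
        "ports_unknown_unicast": sw.receive(1, pc_mac, "02:00:00:00:00:99"),
        "ports_broadcast": sw.receive(3, phone_mac, BROADCAST_MAC),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The PC's frame for 100.101.102.103 leaves the switch on the router's port only; traffic the router puts on the LAN for the phone leaves on the phone's port only; unknown unicast and broadcast frames are the cases that reach every other port.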
 

mk_

Re: A simple Q on network security
« Reply #2 on: February 15, 2020, 12:50:40 pm »

Quote
But... the LAN is implemented via a 16 port switch. Surely, a switch (as opposed to a hub) builds a mapping table of IP versus port and, after a while of getting itself sorted out, it sends packets only to the devices being addressed. Only broadcast packets (255.255.255.255) get sent to everybody. Is this correct?

No, a switch sees and acts on MAC addresses; IP addresses are ignored.

Quote
How would an attacker attack such a network?

Your hacker doesn't need to "attack"; he is walking through the Draytek as you do when a door is wide open to welcome you.

 

mansaxel

Re: A simple Q on network security
« Reply #3 on: February 15, 2020, 01:19:04 pm »

Quote
How would an attacker attack such a network?

The hacker gets you or another user on the internal network to execute a trojan payload that opens an outgoing connection that the "firewall" will happily accept, NAT and forward.

Via this connection, other payloads are downloaded, placed in harder-to-eviscerate positions (with autostart, and in competent cases, on things like management and restore partitions, so that they will get reinstated also after you've panicked and reinstalled everything.)

Then the mapping of internal network resources including the management traffic to the "firewall" and your internal NAS's shares will start for real, including search for further persisting methods and interesting resources.

Why? Because your computers come with a broadband connection and free power. That, in volume, is a commodity worth having access to. People pay places like Amazon, Google and Microsoft good money to get computer time in the cloud. Here, they don't pay, and there are no terms of service, so storing contraband or mining cryptocurrency is all right. 

You are liable to get hit regardless of who you are, so saying "I'm not interesting and I've got nothing to hide" is only self-deception.
« Last Edit: February 15, 2020, 01:21:23 pm by mansaxel »
 

peter-h (Topic starter)

Re: A simple Q on network security
« Reply #4 on: February 15, 2020, 03:11:49 pm »
The Draytek (2955) supports VLANs but I can see no way to configure them. It looks like an orphan / fossil function. This is the only area where I see any reference to VLANs



As you see, I enabled the feature, suspecting that perhaps one has to enable it here in order to expose config elsewhere. Here
https://www.draytek.co.uk/information/our-technology/vlans
under VLANs they show a config like above but with extra config to the right of it. Bizarre!!



Reading more, it looks like this is what it does (not sure if this URL is publicly accessible without registration)
https://www.draytek.co.uk/support/guides/kb-vigor-vlan?highlight=WyJ2bGFuIl0=&return=9511632

This is the relevant bit


Basically it seems to be like client isolation in wifi APs. But no way to tie specific ports (RJ45s) to say the 2nd subnet.

Could a managed switch help? For example the router has two public IPs. One is the one which is NATed and is generally used for outgoing traffic. The other is a subnet, say 100.101.102.103 and the next say 5 IPs.

The NATed one seems secure. Yes I know you can plant a trojan (via email, etc) which then makes outgoing connections, but that's another debate.

I would like to prevent packets arriving at the public IPs 100.101.102.103 etc being sent to everything on the internal LAN. I don't think there is any way anybody can *address* the devices on that LAN (e.g. no way to address 192.168.50.45 from the outside); is this correct? But the packets are present on the physical layer, so a malformed packet exploit would work.

Would a managed switch work? I have a Netgear JGS542E kicking around. It appears to support VLANs, based on port numbers.

The router has a firewall, which is set up to allow traffic to the subnet IPs to go to those devices only (they happen to be VOIP phones) but I don't think this is working properly, because the log in the phones shows "invalid packet" errors from various Chinese IPs, so some stuff is coming through.

I don't want to change the router because it has a load of complex VPN etc config on it. We bought a "Cisco-labelled" £1000 one a year ago and after a day we gave up and sent it back...
« Last Edit: February 15, 2020, 05:28:38 pm by peter-h »
 

peter-h (Topic starter)

Re: A simple Q on network security
« Reply #5 on: February 16, 2020, 08:16:52 am »
I think all one can do is use the VLAN feature to isolate some devices on the internal LAN from the others, so if somebody manages to plant some code on one, it can't access the others.
 

matts-uk

Re: A simple Q on network security
« Reply #6 on: February 17, 2020, 10:29:05 am »
Quote
The Draytek (2955) supports VLANs but I can see no way to configure them. It looks like an orphan / fossil function. This is the only area where I see any reference to VLANs
Draytek devices can support up to 3 different types of VLAN configuration depending on the model.  At the low end of the model range it is just the simple 'port based' VLAN with nothing more to configure beyond the port interconnect matrix.  In the middle is port based + multi-tenant VLAN. The switch can be partitioned into separate segments with separate private address spaces (subnets) and DHCP configuration.  At the top is port based + multi-tenant + 802.1q tagging.  Each VLAN can be assigned a tag with a different priority.

The admin UI pages only show the configuration fields that are appropriate to the supported feature set.  If you only see the interconnect matrix, your router only supports port based VLANs.

Quote
Basically it seems to be like client isolation in wifi APs. But no way to tie specific ports (RJ45s) to say the 2nd subnet.
Port based VLANs can be used to build a multi-tenant configuration but it requires additional infrastructure.  With respect, given the level of knowledge demonstrated, I do not suggest you try it.

Your public subnets are on the outside interface.  Between the outside and inside interfaces is a combined route / NAT / firewall engine and there is only one of those.

Quote
Could a managed switch help?
The switch in the Draytek IS a managed switch.  So no, another managed switch is either going to shift the issue downstream, or provide you with even more options to set wrong. 

Quote
I would like to prevent packets arriving to the public IPs 100.101.102.103 etc being sent to everything on the internal LAN.
The Draytek LAN interface is switched.  Provided you do not have a hub downstream, packets are only forwarded to the switch port ARP associates with the destination IP.  Where the router switch is daisy chained to a second switch all traffic can end up on a single cable in transit, however the downstream switch uses its own MAC association table to filter traffic onto the right destination port/s.

Quote
I don't think there is any way anybody can *address* the devices on that LAN (e.g. no way to address 192.168.50.45 from the outside); is this correct?
The Draytek route / NAT / firewall rules can be configured to forward any TCP/UDP packet on the outside interface to any host connected to the inside interface.  The whole point of an integrated border device is to provide centralised control over what does and does not enter and egress the inside network.

Quote
The router has a firewall, which is set up to allow traffic to the subnet IPs to go to those devices only (they happen to be VOIP phones) but I don't think this is working properly, because the log in the phones shows "invalid packet" errors from various chinese IPs, so some stuff is coming though.
If you have configured the phones with public IPs and enabled 'use for routing' in the LAN configuration you have defeated your own firewall  :'(

A malformed packet is only malformed in comparison to a protocol specification.  That is to say, even if you were to air-gap the phones, with a dedicated router and internet connection, you might still see malformed packets appearing in the phone logs.  The errant traffic can most likely be filtered out using the kit you already have but the network infrastructure needs to be considered as a whole.

Quote
I don't want to change the router because it has a load of complex VPN etc config on it. We bought a "Cisco-labelled" £1000 one a year ago and after a day we gave up and sent it back...
I became a Draytek reseller before many people had heard of them but I haven't sold a Draytek for years.  There are much better cost/benefit choices available these days.

I doubt you are lacking equipment.  You may be lacking expertise.
« Last Edit: February 17, 2020, 10:32:26 am by matts-uk »
 

peter-h (Topic starter)

Re: A simple Q on network security
« Reply #7 on: February 17, 2020, 06:15:58 pm »
Thanks Matts for your comprehensive reply :)

It is as I thought, otherwise a switch would be a hub :)

I have ordered a 2960. The firmware update log is worth reading. Firstly, the remote admin turns on by itself even if disabled (a long known Draytek bug also). The firewall fails to block SNMP packets (a 2955 bug also - I spent hours today proving it). No fixes for the 2955 but the latest 2960 firmware fixes these. The reason we were seeing "untrusted" packets in the SNOM phone logs was because of the Draytek firewall SNMP (port 161) bug. The public subnet is under a constant attack (of course) but only a few of them are port 161. The rest are high VOIP ports.

So the 2955 firewall *does* work for the 2nd Subnet. It just has the port 161 bug. One can check this with syslog on the firewall.

The 2960 also claims to support a facility whereby the subnet is routed through to a specific RJ45, so you have a sort of physical separation. I think they do it by tagging an IP range, and then they use a tagged VLAN feature.

What routers do you think are better? I would prefer something without major bugs... A year ago we bought a CISCO RV320-K9-G5 and after tearing our hair out for a day we sent it back. Lots of weird issues. Even the browser based config UI was unbelievably slow. Probably made by one of the companies Cisco bought, like Linksys, but Linksys stuff was actually mostly ok (still buggy though).
« Last Edit: February 17, 2020, 06:26:02 pm by peter-h »
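An added example, not code from peter-h or from Draytek: a small Python audit that replays a constructed capture taken on the inside interface against the intended firewall policy (SIP signalling and RTP media to the phones, nothing else) and lists every packet that should never have arrived. A leak like the port 161 case described above shows up as a line the policy does not permit. The capture line format, the RTP port range, the set of phone addresses and the documentation-range source addresses are all assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str            # "udp" or "tcp"
    dst_hosts: frozenset  # addresses the rule applies to
    dports: range         # permitted destination ports


# Assumed policy for this example: from the outside, only SIP signalling and
# RTP media may reach the five phones. Anything not matched is denied.
PHONES = frozenset(ipaddress.ip_address(f"100.101.102.{h}") for h in range(103, 108))
POLICY = [
    Rule("udp", PHONES, range(5060, 5061)),     # SIP
    Rule("udp", PHONES, range(16384, 32768)),   # RTP media (assumed range)
]

# Constructed capture format (not Draytek syslog):
#   "<proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample of packets seen on the *inside* interface, with
# documentation-range source addresses standing in for the Internet.
INSIDE_CAPTURE = """\
udp 203.0.113.7:5060 -> 100.101.102.103:5060
udp 203.0.113.7:30002 -> 100.101.102.103:16384
udp 198.51.100.23:54321 -> 100.101.102.103:161
tcp 198.51.100.99:41233 -> 100.101.102.104:22
udp 203.0.113.7:5060 -> 100.101.102.108:5060
"""


def parse(line):
    """Split one capture line into (proto, src, sport, dst, dport)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable capture line: {line!r}")
    return (m["proto"].lower(), ipaddress.ip_address(m["src"]), int(m["sport"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]))


def permitted(policy, proto, dst, dport):
    """Any-match over the allow rules, with an implicit deny otherwise."""
    return any(r.proto == proto and dst in r.dst_hosts and dport in r.dports
               for r in policy)


def audit(capture, policy=POLICY):
    """Return (line, reason) for every packet seen on the inside interface
    that the policy should have dropped. Each one is evidence that the
    filter is being bypassed or that its rules are inadequate."""
    leaks = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        proto, src, _sport, dst, dport = parse(line)
        if not permitted(policy, proto, dst, dport):
            leaks.append((line.strip(),
                          f"{proto}/{dport} from {src} to {dst} is not permitted"))
    return leaks


if __name__ == "__main__":
    for line, reason in audit(INSIDE_CAPTURE):
        print(f"LEAK: {line}  ({reason})")
```

On the constructed capture the SNMP packet to port 161, the TCP packet to port 22 and the SIP packet to an address outside the phone set are reported; the two legitimate SIP/RTP packets are not. The same check runs unchanged over a real capture once the parser is adapted to the device's own log or pcap format.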
 

matts-uk

Re: A simple Q on network security
« Reply #8 on: February 20, 2020, 06:43:19 pm »
Quote
Thanks Matts for your comprehensive reply
And thank you for the indulgence.

Quote
I have ordered a 2960.
Good luck with that.  I never quite saw the point of spending £500 on what is at heart a cheap Chinese router.

Quote
The firewall fails to block SNMP packets (a 2955 bug also - I spent hours today proving it). No fixes for the 2955 but the latest 2960 firmware fixes these.
From what I recall the SNMP bug is mitigated by enabling the SNMP agent and setting an unreachable management IP.  There are similar 'tricks' for the management UI.

Quote
The reason we were seeing "untrusted" packets in the SNOM phone logs was because of the Draytek firewall SNMP (port 161) bug. The public subnet is under a constant attack (of course) but only a few of them are port 161. The rest are high VOIP ports.
Hmm...Yes...And no.  The reason you are seeing untrusted packets in the phone logs is because the firewall is not filtering the untrusted packets.  The target of an attack is an interface, the 'subnet' is merely a logical imposition.  The 'outside' interface is under constant attack.  On the 'inside' interface you should only see the packets you want forwarded to/from the outside interface, otherwise the firewall is not doing its job or the firewall policies are inadequate.

Quote
So the 2955 firewall *does* work for the 2nd Subnet. It just has the port 161 bug. One can check this with syslog on the firewall.
The last time I checked the 'use for routing' option did what it said on the tin.  Packets are simply forwarded at Layer 3, bypassing the higher layer functions.  NAT and firewall are Layer 7 functionality.  Syslog is useful for diagnostics but to be sure of what is actually occurring at the interface, one connects a packet sniffer to the wire and learns how to use it.

Quote
The 2960 also claims to support a facility whereby the subnet is routed through to a specific RJ45, so you have a sort of physical separation. I think they do it by tagging an IP range, and then they use a tagged VLAN feature.
You are talking about the multi-tenant scenario.  The example use case is a WAN link being shared by separate customers in the same building. 

A simple multi-tenant configuration uses a port based VLAN to partition the switch (Layer 2) into separate 'segments' (broadcast domains).  Above Layer 2 the packets are transiting a software blob and any traffic segregation is entirely logical.  Above Layer 3 a port based VLAN resembles the individual network interfaces in a multi-homed host, allowing a single DHCP server process to provision a different subnet on each segment.  On a single switch or stack you do not need tagging, as traffic at Layer 3 is already classified by IP and subnet mask. 

You can think of a port based VLAN as a 'vertical' partition in a single switch or stack.  Tagging becomes necessary when the VLAN needs to be extended 'horizontally' between switches and stacks connected by standard media (utp, fibre).

Quote
What routers do you think are better?
For small businesses with less than 100Mbps of WAN bandwidth and wanting to migrate away from Draytek, my starting point is the Ubiquiti EdgeMax.  At the entry level, £50 buys 5 x 1 Gbe ports, 1.5Gbps of throughput and a half useful web GUI.  I can sell an EdgeMax and include the time to configure it at a similar price to a low end Draytek.

Ubiquiti devices are a very different proposition to the Draytek devices though.  When you buy an EdgeMax you are essentially buying a ready rolled Vyatta platform.

This is just one of my preferences. I won't make recommendations without a requirement.

Quote
I would prefer something without major bugs...
Good job you got rid of the RV320 :eek

Every year or so I have to toddle off and renew my Cisco Express certification for the sake of a business I'm partnered with.  Every year or so I am reminded why I no longer bother with Cisco ;)

I would be interested to hear how you get on with the 2960.
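An added example (not matts-uk's code and not Draytek's) of the port-based versus tagged VLAN distinction explained in the reply above, in Python: a switch partitioned into two VLANs floods a broadcast only within the segment it entered, and the trunk to a second switch carries the VLAN number in an 802.1Q tag so the second switch can keep the same partition. The two-switch port layout and the frame bytes are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100


def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q tag (TPID + TCI) after the destination and source
    MAC addresses, i.e. at byte offset 12 of the Ethernet frame."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)   # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Return (vid, pcp, frame_without_tag); vid is None if untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0xFFF, tci >> 13, frame[:12] + frame[16:]


class PortVlanSwitch:
    """Port-based VLANs: every access port belongs to exactly one VLAN and
    each VLAN is its own broadcast domain. A trunk port carries all VLANs,
    tagged, so the partition can be extended to a second switch. Only the
    flooding of a broadcast is modelled; MAC learning works per VLAN."""

    def __init__(self, access_ports, trunk_ports):
        self.access = dict(access_ports)   # port -> VID
        self.trunks = set(trunk_ports)

    def flood(self, in_port, frame):
        """Broadcast entering in_port: return {out_port: frame_as_sent}."""
        if in_port in self.trunks:
            vid, _pcp, frame = untag_frame(frame)
            if vid is None:
                raise ValueError("untagged frame on trunk (no native VLAN modelled)")
        else:
            vid = self.access[in_port]
        out = {}
        for port, port_vid in self.access.items():
            if port != in_port and port_vid == vid:
                out[port] = frame                  # same VLAN: untagged copy
        for port in self.trunks:
            if port != in_port:
                out[port] = tag_frame(frame, vid)  # leaves tagged for the peer
        return out


def demo():
    """Constructed topology: VLAN 10 = office PCs, VLAN 20 = phones.
    Switch A: ports 1-2 office, 3-4 phones, port 8 trunk.
    Switch B: port 1 phone, port 2 office, port 8 trunk back to A."""
    sw_a = PortVlanSwitch({1: 10, 2: 10, 3: 20, 4: 20}, trunk_ports=[8])
    sw_b = PortVlanSwitch({1: 20, 2: 10}, trunk_ports=[8])
    # Constructed broadcast frame: dst ff:ff:ff:ff:ff:ff, src 02:00:00:00:00:03,
    # EtherType 0x0806 (ARP), dummy payload.
    frame = bytes.fromhex("ffffffffffff" "020000000003" "0806") + b"\x00" * 28
    from_a = sw_a.flood(3, frame)        # a phone on A port 3 broadcasts
    from_b = sw_b.flood(8, from_a[8])    # A's tagged trunk copy enters B port 8
    return {
        "a_ports": sorted(from_a),
        "vid_on_trunk": untag_frame(from_a[8])[0],
        "b_ports": sorted(from_b),
        "b_frame_is_original": from_b.get(1) == frame,
    }


if __name__ == "__main__":
    print(demo())
```

Within switch A the phone's broadcast reaches only the other phone port and the trunk; the office ports never see it. On switch B the tag is read and stripped, the frame goes to the phone port only, and the office port stays quiet, which is the 'horizontal' extension of the partition that needs tagging while a single switch does not.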
 

mansaxel

Re: A simple Q on network security
« Reply #9 on: February 20, 2020, 08:31:24 pm »
I'm working full time with Cisco kit, as well as Aristas and other vendors in that space.  They, being software on hardware, naturally suck. Everything sucks. But the enterprise gear, not the growth-by-acquisition SOHO crap, is actually usable. Do note that no one uses the web interface. Ever. The only web interfaces that see usage are the ones on a separate controller, like for wireless or for overlay networks like ACI, DNA or similar.  Command line is king. For the OP, the problem of course is that branch office gear from the big players is very expensive, and is probably out of the question.

If I did not have access to decommissioned enterprise gear (which I have as long as I don't sell it) I'd look at the Czech Turris Omnia. Nice hardware with a customised variant of DD-WRT. Clever people doing development and they're releasing updates.

Monkeh

Re: A simple Q on network security
« Reply #10 on: February 20, 2020, 08:37:04 pm »
Quote
Nice hardware with a customised variant of DD-WRT.

OpenWRT. DD is incredibly, unbelievably ancient and effectively dead. Nobody should be using it.
 

mansaxel

Re: A simple Q on network security
« Reply #11 on: February 20, 2020, 08:51:16 pm »
Quote
Nice hardware with a customised variant of DD-WRT.
Quote
OpenWRT. DD is incredibly, unbelievably ancient and effectively dead. Nobody should be using it.

Ah, thanks for updating and correcting me. I've gotten too comfy over in my corner.

peter-h (Topic starter)

Re: A simple Q on network security
« Reply #12 on: February 20, 2020, 09:06:42 pm »
The main reason I am changing the router is not actually the above described LAN security issue (which I am not sure is really an issue, anyway, because the 2nd subnet can be tightly firewalled). It is because we have a new VOIP phone system, and every minute or two, and usually very soon after the start of any call (in or out) the phone mike goes dead for about 10 seconds. Presumably something is dumping outgoing UDP... Enabling QoS makes no difference. Tried all sorts of things. The phones are SNOM SIP phones. I changed the switch and changed the 2955 router for another 2955 but that may have the same issue, so I got the 2960 and it may solve it. If it doesn't, it must be the ISP (A&A hosted VOIP) or maybe BT (FTTP). Not going back to ISDN2 and the line rental figures, even though the Siemens Hicom lasted 21 years and only at the end the PSU blew up so I bought a complete system on Ebay for £50, just to get a PSU :)

The 2960 does much more than the 2955 but the configs are only similar. In particular the VPN stuff is quite different and I rate my chances of getting it to work straight off as zero. The 2955 was covered by the excellent Mikey's Guides but Mikey is long gone... On one you have "PAP or CHAP" and on the other you have "CHAPv1 or MS CHAPv2" etc. IF the 2960 fixes the VOIP issue, it will be worth it. If it doesn't I will probably put it back on Ebay.

The 2960 seems ok. A bit like that Cisco POS I sent back, it has an amazingly slow browser interface. Maybe it's all written in Basic and they are running a Z80 emulator on a 50MHz ARM? I got it off Ebay, £200, spent quite a while trying to get the factory reset to work (eventually it did), loaded latest firmware, and it is sort of familiar.

The firewall config on the 2960 is more convoluted (actually everything is compared to the 2955). On the 2955 one could spec a source IP, dest IP, a port range, all in one screen. On the 2960 you have to define IP objects, and reference them. Fortunately the 2960 can have loads of IPs in one IP group whereas the 2955 was limited to not many so one had to create several groups.

What was in one place on the 2955 is spread around on the 2960.

I reckon it will take me a whole day (say 12hrs) to copy the config over.
« Last Edit: February 20, 2020, 09:09:49 pm by peter-h »
 

matts-uk

Re: A simple Q on network security
« Reply #13 on: February 21, 2020, 11:11:34 am »
Quote
...It is because we have a new VOIP phone system, and every minute or two, and usually very soon after the start of any call (in or out) the phone mike goes dead for about 10 seconds. Presumably something is dumping outgoing UDP... Enabling QoS makes no difference. Tried all sorts of things. The phones are SNOM SIP phones. I changed the switch and changed the 2955 router for another 2955 but that may have the same issue, so I got the 2960 and it may solve it.
How about starting at the beginning?

How many WAN links (physical internet connections)?
ADSL, vDSL (FTTC), FTTP?
Expected down/up throughput of each WAN link?
How many SIP phones (total)?
Typical number of concurrent SIP calls?
What is this complicated VPN setup?

Quote
Not going back to ISDN2 and the line rental figures,
My office and workshop run 4 SIP phones with 30/10 Mbps from a cheap as chips Plusnet business service that provides us with a /29 public subnet.  For most of the day the workshop has GBs of Windows updates downloading.  There are a couple of LAN2LAN VPNs, running to my home office and our data-centre rack.  The phones are refurbished GXP2000s and a GXP1200.  We can take four calls simultaneously and it is rare for us to experience any audio dropout.  This is all running through a £50 EdgeMax.  None of this happens by accident though.  There is a carefully considered justification underlying every line in the configuration file.

Quote
The 2960 does much more than the 2955 but the configs are only similar.
The 2955 is DrayOS.  The 2960 is built on Linux.  I have zero experience with the Linux based Drayteks.  Useful to know the web UI runs like a dog.  Not an issue with the EdgeMax BTW, the web UI is responsive and the real time monitoring graphs update every second.  You need to go to the CLI to get the very best out of the device but the Web UI is functional and comes with a few template 'Wizards' that step through the initial setup of most common configurations.

Quote
The 2960 seems ok. A bit like that Cisco POS I sent back, it has an amazingly slow browser interface.
If you can spare £50 you might want to take a look at the EdgeMax 5X on spec.  It can probably do what you need to do and probably won't take 12 hours to configure.
 

peter-h (Topic starter)

Re: A simple Q on network security
« Reply #14 on: February 21, 2020, 08:37:59 pm »
A day's messing later, and magically the VOIP breaks are gone. Well, can't reproduce them. It must have been a bug in the 2955. One of many which Draytek probably knew about but never bothered to fix.

We are on FTTP, BTW. I would never trust VOIP to copper, out here in the countryside, where lightning blows up copper cables and BT fix only voice lines fast.

Amazingly, the site to site VPN also works 2955-2960. No idea how that just worked. Well, it runs 2960 to 2955. Not 2955 to 2960. I could not work out how to set up the incoming profile. It is ok if I have it always on from the 2960, of course. On the 2955, the config for both directions was on the same page. On the 2960, it is spread all over the place. It seems to need two profiles; one for outgoing and one for incoming connections.

What I am struggling with is "teleworker" VPNs. Nothing seems to work on the 2960. Not even PPTP. With android, it "connects" but no data is passing.  With win10, it gives a typically useless error message. I am sure the credentials are right so something else is going wrong. It's not a firewall issue, and anyway IME on the 2955 you could not firewall a VPN anyway; the VPN function appears to bypass the firewall. No doubt we will fix this, after wasting days on trying different things, but I never had trouble with PPTP; it "just works" every time. Yes I have read all the stuff about it being supposedly insecure, but found negligible real info on that. The credentials can be extracted if the login is captured (a compromised wifi, e.g.) but with great difficulty.

The VPN setup is just for convenience, work-home, and when travelling.

Another subtle difference is that on the 2955, all devices on the 2nd subnet were also accessible from a PC on the LAN (which is physically on the same LAN; well via a switch). On the 2960, one of them isn't... Can't even ping it. But if I go out via a VPN, that device *is* accessible so it is accessible (as it should be; it's a web server) from the outside. No doubt we will fix this, after wasting days on trying different things. Not firewall related.

Draytek now have their tech guides behind a login, for which the reg requires a S/N of a Draytek product, and they have just terminated my login, saying my email address is blocked :) Damn arrogant!

UPDATE: The 2960 also seems to not have a bug which the 2955 had: it would reboot quite often. It seemed to be some spurious packet arriving which it didn't know what to do with.
« Last Edit: February 22, 2020, 02:54:24 pm by peter-h »
 

