CERT, a US Federal government agency tasked with cyber-security research, has issued an alert advising consumers to stop using various models of Netgear routers. These devices are subject to a trivially simple command injection exploit. Ars Technica has a nice overview of the matter.
Normally I’d have literally nothing to say about this, since it simply doesn’t impact us. Wanna know why it doesn’t impact us?
We don’t use a consumer router that runs closed source firmware. We don’t think that you should either. In fact, you probably shouldn’t let your friends and family use that junk either.
Perhaps this holiday season, and all of the travelling & visiting that goes along with it, presents an opportunity to help someone unsuspecting secure their home network.
Continue reading “Netgear Routers Hailed as Dangerous – Here are some alternatives worth considering”
For the past few weeks I’ve been thinking about the Comcast issued CPE that lives in my office. It’s a modem/router combination from SMC. We’ve had the service a long while. All the while we’ve been renting the device for $12.95 a month.
I can’t recall exactly when we transitioned from consumer to business class service. If I assume that it was five years ago, then we’ve paid over $750 in device rental! This for a device that can be purchased outright for under $200.
Clearly, this makes no sense at all. So last week I replaced the Comcast CPE with a Motorola/Arris SURFboard SB6141. The choice of the SB6141 was made by consulting Comcast’s list of approved devices, and cross-referencing the SmallWall forums where Lee Sharp had some helpful advice to offer.
Continue reading “Owning The Comcast CPE”
This morning’s email included a message from Manuel Kasper, leader of the m0n0wall project. On the very day that is the 12th anniversary of the project he has announced that he’s bringing it to an end.
I’ve used m0n0wall for at least a decade. For several years I’ve intended to migrate to pfsense, a project that was initially forked from m0n0wall. m0n0wall’s NAT implementation is just so very SIP friendly that making the change always felt like a lot of effort. I suppose now there’s an additional reason to follow through on that plan.
Manuel didn’t elaborate on his reasons, but I certainly understand the possibilities. Twelve years is a long time to do anything, most especially anything that involves leading a community project.
m0n0wall has been a treat to use. It’s positively inspirational in its combination of carefully defined functionality and simplicity. Manuel was masterful in his ability to sustain the project focus, avoiding the mistake of trying to be all things to all people.
In recent weeks I’ve been accumulating some thoughts about the edge of networks, and the edge of my home office network in particular.
This all started last month when there was an Ars Technica article describing how someone found a backdoor that allowed an evil-doer to gain admin access to a common consumer combination DSL Modem/router/Wifi AP. The author initially proved the exploit by hacking his Linksys WAG200G wireless gateway.
The article describes how he published the script used to run the exploit. That allowed others to try the exploit against various makes/models of consumer hardware. It thus came to light that the same trick works against various products from Linksys and Netgear, amongst others.
Continue reading “Recent Thoughts About The Edge of My Network”
One project that I am about to start is moving from my m0n0wall router to a new one built around pfsense. The motivation for the project is the integration of our Comcast Business Class internet service into the rest of the household. At present there are two separate networks, with only a few devices enjoying the high speed cable service. The pfsense system will be configured for dual WAN, accessing both the cable service and Covad DSL circuit.
My existing m0n0wall runs on an old Soekris Net4801. In service for many years, it has been extremely reliable. If m0n0wall does what you need I have no hesitation in recommending the software. Support from the user community is tremendous as well.
Continue reading “Choosing A Router/Firewall For A Small Office”
My screencast guide to traffic shaping for VOIP using m0n0wall has been posted on the m0n0wall web site.
However, Manuel Kasper (m0n0wall project lead) had some interesting ideas on how to revise and perhaps simplify my approach. What he describes departs from the approach underlying the present implementation of the Magic Shaper in m0n0wall. Use of the Magic Shaper is the basis of the existing screencast.
Updated to provide a YouTube version in the post and ftp downloadable high quality version.
Continue reading “Traffic Shaping For VOIP With m0n0wall”