Menu
What's new
By:
Filters Better Search

Bad UI Design Sabotages Security of ASUS SoHo Routers

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

tl;dr

The firewall must be enabled to block WAN access to administrative router services like SSH & HTTP(S).

With the firewall disabled, outside hosts will not be blocked. Seems obvious to me, but I suppose the GUI should note that you cannot block without the firewall.
 
That's another alarmist report. Because if you disable that firewall, you are exposing MUCH MORE than just your router's webui... Like, uh, your whole LAN.

"Sabotage"? Some wannabe security experts need to get a life, quite bluntly.
 
RMerlin said:
That's another alarmist report. Because if you disable that firewall, you are exposing MUCH MORE than just your router's webui... Like, uh, your whole LAN.

"Sabotage"? Some wannabe security experts need to get a life, quite bluntly.
Click to expand...

hehe :D
 
RMerlin said:
That's another alarmist report. Because if you disable that firewall, you are exposing MUCH MORE than just your router's webui... Like, uh, your whole LAN.

"Sabotage"? Some wannabe security experts need to get a life, quite bluntly.
Click to expand...

I would tend to agree - it's more a UI/UX glitch than a serious issue - but it also points out how much Asus has built on top of an aging code base, and that code base is getting more and more brittle as they add/remove features over time and models...

Also that as our homes/cars/business/bodies are ever more connected to the internet, it's very important to do it not only in the right way as a technology, but also to ensure that users don't accidentally expose themselves thru different, and seemingly unrelated, features.
 
sfx2000 said:
I would tend to agree - it's more a UI/UX glitch than a serious issue - but it also points out how much Asus has built on top of an aging code base, and that code base is getting more and more brittle as they add/remove features over time and models...

Also that as our homes/cars/business/bodies are ever more connected to the internet, it's very important to do it not only in the right way as a technology, but also to ensure that users don't accidentally expose themselves thru different, and seemingly unrelated, features.
Click to expand...

Well, you know the saying: if you make it idiot proof, nature will build a better idiot :(

You could add a large popup warning when you disable the firewall that "This will expose your entire LAN AND ROUTER to the rest of the world, including nasty buggers who love nothing more than to install malwares everywhere they can! Are you really, REALLY, REALLY sure you want to do this, from the bottom of your heart, and commit yourself body and soul to helping make the world a worse place for people to live in?". And I bet a large portion would just click on "Yes" out of reflex, without reading it :(
 
RMerlin said:
Well, you know the saying: if you make it idiot proof, nature will build a better idiot
Click to expand...

And they seem to get better every day :D

It would be interesting to do some analysis/analytics on commonly used settings - and then move the others into an advanced/pro menu - even here, a majority of users likely use 20 percent of the features exposed in most consumer grade router/AP's - it's the 80 percent of functionality that gets users into trouble as they can impact security or functionality of the device in a less than positive manner...

The challenge here then is everyone uses a different 20 percent (the MSWord toolbar/feature issue...) - but I would be perfectly ok with a dumbed down WebUI, and then advanced functionality via SSH into a menu'ed interface with an option to go right to the shell, where everything can be tweaked...
 
sfx2000 said:
And they seem to get better every day :D

It would be interesting to do some analysis/analytics on commonly used settings - and then move the others into an advanced/pro menu - even here, a majority of users likely use 20 percent of the features exposed in most consumer grade router/AP's - it's the 80 percent of functionality that gets users into trouble as they can impact security or functionality of the device in a less than positive manner...

The challenge here then is everyone uses a different 20 percent (the MSWord toolbar/feature issue...) - but I would be perfectly ok with a dumbed down WebUI, and then advanced functionality via SSH into a menu'ed interface with an option to go right to the shell, where everything can be tweaked...
Click to expand...

I think the article does have a valid complaint. The toggle logic needs to be fixed. It is just too bad the author felt the need to aggrandize his painfully simple observation.

Turning off the firewall is... :(
 
in routerOS if you dont protect the router with the firewall the router can get swamped by DoS. Cant you change the IPTables settings to include the listen interface/IP and deny from other interfaces/IP?
 
System Error Message said:
in routerOS if you dont protect the router with the firewall the router can get swamped by DoS. Cant you change the IPTables settings to include the listen interface/IP and deny from other interfaces/IP?
Click to expand...

A better "solution" would be for httpd to stop binding to all interfaces, and only bind to the specific interfaces it's supposed to be listening on. That would be just good security practice.
 
System Error Message said:
Are you able t.o do that? Can httpd be binded to a physical interface?
Click to expand...

No idea, I never really looked at that part of the code. My main worry is that things can get tricky with some users using Dual WAN and VLANs, all scenarios which I cannot realistically test without devoting more time than I'm willing to.

This would be only one of many architecture issues in Asuswrt (and the Tomato code it was originally based on), and taking care of these would require too much changes all over the place, it would make it impossible to keep in sync with Asus's own codebase afterward.

Personally I consider this to be a non-issue, as disabling the firewall makes no sense anyway unless you were troubleshooting something.
 
And anyway in this specific case, Asus has already taken steps to mitigate/resolve the potential risk, so no need for me to devote any resource to this case.
 
Thats good than, so we can still rely on asus as being something decent unlike linksys, dlink and tp-link. I wonder if tp-link has updated their firmwares with updated libraries since people posted their outdated security.
 
RMerlin said:
...Personally I consider this to be a non-issue, as disabling the firewall makes no sense anyway unless you were troubleshooting something.
Click to expand...

Other than perhaps in a testing environment, why would one ever turn off the firewall? The RT models that the "security" guy with his hair on fire is writing about, are, for the most part, not targeted for professionals, but for consumers. So why not just remove the ability of consumers to disable the firewall from the GUI entirely, and take the "better idiot" scenario out of the equation entirely?
 
Last edited:
jegesq said:
Other than perhaps in a testing environment, why would one ever turn off the firewall? RT's are, for the most part, not designed for professionals, but for consumers. So why not just remove the ability to disable the firewall from the GUI entirely, and take the "better idiot" out of the equation entirely?
Click to expand...

Better to leave that option in for the people that can use it wisely.

The 'better idiot' will still be born the second that option is removed. ;)
 
L&LD said:
Better to leave that option in for the people that can use it wisely.
Click to expand...

What good reasons are there for disabling the firewall?

I think my RT-N66U has the firewall disabled, but only as a side-effect of having it in AP mode.
 
Nullity said:
What good reasons are there for disabling the firewall?

I think my RT-N66U has the firewall disabled, but only as a side-effect of having it in AP mode.
Click to expand...

In a multi router setup, of course. :)
 
The only potential setup I can think of would be someone who just wants to route two separate segments within his LAN, and does not need to isolate the segments - just route them together, without NAT. But that's not something I'd expect to see in a home network unless someone went out of his way to create a weird topology.
 
You must log in or register to reply here.

Similar threads

torstein
Avoid Consumer Routers
2
Replies
39
Views
7K
netware5
netware5
Similar threads
Thread starter Title Forum Replies Date
C Attempting to design an ASUS Mesh Network purposely using a double NAT? Good or bad idea? ASUS Wi-Fi 7
Armand28 37 bad PEBs on an AXE16000 ASUS Wi-Fi 7
H Asus Network design ASUS Wi-Fi 13

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 837 (members: 31, guests: 806)
Top