For years, I have given advice to everyone that the first line of security for your home PCs is a NAT router between your home network and the Internet. While that is still true, there is one situation where the protection normally afforded you by the router is non-existent, leaving your public IP address visible to the world and your home network open to attack. I have actually observed the phenomenon I will describe in a moment, so I know it is a real issue and something you should know about. It is highly unlikely that it could be exploited on any large scale, but it is possible, and so worth discussing. In any event, the concept is out there, so someone is sure to try it.
This reader question came up in Security Now! Episode 133:
Question #5, Sami Lehtinen…from Helsinki, Finland makes a GREAT observation about dangerously leaky “hardware” firewalls. He says: I wanted to warn people about potential problems with regular home routers such as the more expensive and fancy firewall routers that are very configurable. That configurability can backfire nastily….
While the router is booting – it’s quite a long process – parts of the system start with default configuration, like the switch portion. This causes all LAN, WAN and DMZ ports to be completely bridged for about one minute. After that, normal NAT/SPI, DHCP, et cetera, function returns….
What Sami discovered is that you are directly connected to the public Internet for about a minute while the router reboots. Steve Gibson concurs and proposes his solution, which I wholeheartedly endorse:
So this is a very real problem. What, I mean, the takeaway from this actually is to – what I would do is, and I’m probably going to do it from now on, I don’t reboot my router very often, but I would disconnect my LAN side connection for a couple minutes until the router comes up and it settles down, and then bring my local network up inside….
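As an added example (not from this post or the podcast), here is the decision logic a small "wait before you plug the LAN back in" watcher could use to follow Steve's advice: treat the router as settled only after several consecutive observations of the host's network state look like a normal NAT LAN again. It assumes the samples (interface IPv4 addresses plus default gateway) are collected from the OS by some other means, and that the exposure shows up as a non-RFC-1918 or link-local address; a host that keeps a stale private lease while bridged would not be caught, so the time-based wait still applies.

```python
import ipaddress
from typing import Optional, Sequence, Tuple

# IPv4 ranges a host behind a home NAT router legitimately holds (RFC 1918).
_PRIVATE = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# APIPA range: the host asked for DHCP and nobody answered.
_LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# One observation: the IPv4 addresses on the LAN-facing interface and the
# default gateway at that moment (hypothetical shape, filled in by the OS).
Sample = Tuple[Sequence[str], Optional[str]]


def classify(addr: str) -> str:
    """Label an IPv4 address as 'private', 'no-dhcp' or 'public'."""
    a = ipaddress.ip_address(addr)
    if a.version != 4:
        raise ValueError("IPv4 only in this example")
    if a in _LINK_LOCAL:
        return "no-dhcp"
    if any(a in net for net in _PRIVATE):
        return "private"
    return "public"  # anything else: the ISP side answered us directly


def is_behind_nat(addresses: Sequence[str], gateway: Optional[str]) -> bool:
    """True only when every address and the gateway are RFC 1918 addresses,
    i.e. the router's LAN side, not the ISP segment, is what we are talking to."""
    if not addresses or gateway is None:
        return False
    if classify(gateway) != "private":
        return False
    return all(classify(a) == "private" for a in addresses)


def settled_at(samples: Sequence[Sample], stable_for: int = 3) -> Optional[int]:
    """Index of the first sample opening a run of `stable_for` consecutive
    behind-NAT observations, or None if the router never settled."""
    run = 0
    for i, (addrs, gw) in enumerate(samples):
        run = run + 1 if is_behind_nat(addrs, gw) else 0
        if run >= stable_for:
            return i - stable_for + 1
    return None


# Constructed samples of a reboot: DHCP fails, then the ISP's DHCP answers
# through the bridged switch (documentation address stands in for a public IP),
# then the router's own DHCP/NAT comes back.
BOOT_SAMPLES: Sequence[Sample] = [
    (["169.254.12.7"], None),
    (["203.0.113.45"], "203.0.113.1"),
    (["192.168.1.20"], "192.168.1.1"),
    (["192.168.1.20"], "192.168.1.1"),
    (["192.168.1.20"], "192.168.1.1"),
]
```

With `BOOT_SAMPLES`, `settled_at` returns 2: only the third observation begins a run long enough to reconnect the LAN side.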