hardCOREware - Hardware Gaming News for HARDCORE Gamers  

 



Written by Carl 'lowlight' Nelson [07.25.00]
***Please read Part 1 if you haven't yet.***
Manufactured by: ZyXEL, Umax, Netgear, Linksys, D-Link, Nexland, and MacSense
Suggested Retail Price: Varies - $100-200

Security!

Now what you've all been waiting for: EXTENSIVE PORT SCANS IN BOTH TCP AND UDP. First, I'll explain a bit about the basic security these things offer...

As you may know, each unit is a NAT (Network Address Translator) firewall. This means that your PC's specific IP address is never visible or reachable to the public. The only way someone can reach your PC over the internet is by way of your public IP address, going through the router. It's up to you to tell the router that you want to let the public access your PC through certain ports (specified by you in the Virtual Server setup). Many routers allow you to leave your PC entirely open to the public, as if the router didn't exist. This is often called "DMZ", or "Demilitarized Zone".

So why bother with security? If no one can ever access your PC anyway, how can it matter? It matters because some routers themselves leave ports open to the public! Some of them, like the ZyXEL and Netgear, let you filter the ports used for remote access to the router, and others don't leave any open at all. We are here to tell you which routers have security leaks, and how big the leak might be.

To test the security of the routers, we used Secure-Me.net's FULL port scan service.  This way, over 2000 ports each of TCP and UDP are scanned.  You can head over there and do a basic scan for free, but you are limited to the basic TCP ports, and no UDP ports.  On top of that, you'll be waiting in the queue for quite a while.

*** PLEASE NOTE that I am NOT a security expert or a hacker.  I can show you which ports are left open, and my best idea of what security risks may be present, but that's about it.  If any of you would like to clue me in on what kind of problems leaving these ports open on these routers can present, PLEASE contact me.  I will update this page right away.

And the Results:

Umax UGate 3000

Port  State     Protocol  Commonly used for
67    open      udp       bootps
69    open      udp       tftp

Having port 67 open is probably safe, but DEFINITELY not port 69.  This will allow basically anyone to connect to your router via a TFTP client.  I'm not entirely sure what they can do in there, but it can't be good... 

Netgear RT311

Port  State     Protocol  Commonly used for
21    filtered  tcp       ftp
23    filtered  tcp       telnet
520   filtered  tcp       efs

These ports are all filtered, so you're pretty safe.

MacSense XRouter Pro

Port  State     Protocol  Commonly used for
520   open      udp       route
67    open      udp       bootps
69    open      udp       tftp

Again, we see an open TFTP port.  Not good.  Leaving port 520 open on your PC is usually dangerous, since it is vulnerable to RIP 'tracefile' attacks.  I'm not sure if anything can be done with a router though...

ZyXEL Prestige 300

Port  State     Protocol  Commonly used for
21    filtered  tcp       ftp
23    filtered  tcp       telnet
520   filtered  tcp       efs

D-Link DI-701

Port  State       Protocol  Commonly used for
113   unfiltered  tcp       auth

Port 113 is an authorization port, and is very likely to be harmless.

Linksys BEFSR11/BEFSR41

No Response! This is a good thing.

Nexland ISB2LAN-H4

Port  State       Protocol  Commonly used for
113   unfiltered  tcp       auth

Again, the TCP port 113 is left unfiltered, but there should be no problems with this.  Random scans might see this and think that there are other ports open, but as you can see, there aren't. :-)

UPDATE [07.27.00] - Thanks to everyone who told us that port 113 is used for authentication purposes only. This means that if your router leaves this port open, you're pretty safe.

The routers that I found to have the scariest security are both the Umax UGate 3000 and the MacSense XRouter Pro. They blatantly leave the TFTP port open to the public. This is a known security leak, and I'm pretty sure hackers can have a heyday with systems that are open like this. Hey, I'm not a hacker, so if I am wrong, please let me know (be polite though, please).
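UDP scanners commonly report a port as open simply because nothing came back, so an "open" udp/69 result on a router you administer is worth confirming with one real TFTP read request. The following is an added example, not part of the original review: the function names and the probe filename are made up for illustration, and the packet layout follows RFC 1350.

```python
import socket
import struct
import sys

# TFTP opcodes defined in RFC 1350
OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5

def build_rrq(filename, mode="octet"):
    """Read request: 2-byte opcode, then NUL-terminated filename and mode."""
    return (struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")

def classify_reply(reply):
    """Interpret the first datagram that came back (None means a timeout)."""
    if reply is None:
        return "no-reply: filtered, or nothing is listening (inconclusive)"
    if len(reply) < 4:
        return "unknown: reply too short to be TFTP"
    opcode, code = struct.unpack("!HH", reply[:4])
    if opcode == OP_ERROR:
        msg = reply[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return f"tftp-live: server answered with error {code} ({msg})"
    if opcode == OP_DATA:
        return f"tftp-live: server sent data block {code}"
    return f"unknown: opcode {opcode}"

def probe(host, port=69, timeout=3.0):
    """Send one RRQ for a name that should not exist and classify the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # Hypothetical filename, chosen so that no real file is requested.
        s.sendto(build_rrq("hcw-probe-nonexistent.txt"), (host, port))
        try:
            # A TFTP server replies from a new port, so accept any source port.
            reply, _ = s.recvfrom(516)
        except socket.timeout:
            return classify_reply(None)
        except ConnectionError:
            return "closed: the host reported the port unreachable"
    return classify_reply(reply)

if __name__ == "__main__" and len(sys.argv) == 2:
    # Argument: the public (WAN) address of a router you administer.
    print(probe(sys.argv[1]))
```

A "tftp-live" result means a TFTP server really is answering on the public side; "no-reply" cannot distinguish a filtered port from one with nothing listening.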



Copyright 2000, 2001, 2002 hardCOREware. All rights reserved.
All trademarks used are properties of their respective owners.