Menu
What's new
By:
Filters Better Search

Bad UI Design Sabotages Security of ASUS SoHo Routers

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

RMerlin said:
And yet, CTF provides a major performance improvement when you bypass the FORWARD chain (among other undocumented things).
Click to expand...

Latency improvements?

CTF confuses me with it's initials corresponding with the latency-improving "Cut-Through Forwarding", but I don't think that is correct.
 
RMerlin said:
And yet, CTF provides a major performance improvement when you bypass the FORWARD chain (among other undocumented things).
Click to expand...

Well - CTF.ko does odd things and Broadcom doesn't let anyone see behind the curtain (even with NDA in place...)
 
Nullity said:
CTF confuses me with it's initials corresponding with the latency-improving "Cut-Through Forwarding", but I don't think that is correct.
Click to expand...

No, you're correct - Cut Thru Forwarding - basically I'm told that it sets some tags inside the switch functional block inside the Broadcom System on Chip... note I say functional and not physical - the switch element inside the Broadcom SoC's is much more than a general unmanaged switch - and in the immortal words of Forrest Gump - "That's about all I have to say about that"
 
When I first heard of cut-through forwarding, the name didn't make sense. Then I realise it's very indicative of its functionality. Much better than SmartXXX or IntelliYYY from other companies. lol. It's really cutting through the protocol stack..in its cruelty. When it works, it's very nice.

Unfortunately now it seems break here and there. Turning off CTF becomes a band-aid to every single mystery connection/performance issue. On top of that the CTF implementation looks improved on newer SDK (so, good for you new router owners) but only bug fixed in older ones.

Netfilter or rather the current stack in Linux is showing its age. In multi-gigabit era, we need something better and some are horizon already..
 
RMerlin said:
That's another alarmist report. Because if you disable that firewall, you are exposing MUCH MORE than just your router's webui... Like, uh, your whole LAN.

"Sabotage"? Some wannabe security experts need to get a life, quite bluntly.
Click to expand...
RMerlin said:
That's another alarmist report. Because if you disable that firewall, you are exposing MUCH MORE than just your router's webui... Like, uh, your whole LAN.

"Sabotage"? Some wannabe security experts need to get a life, quite bluntly.
Click to expand...

Are these people serious? I have owned routers from Netgear, Speedtouch, the newer Technicolor, Fritz!Box, and Draytek as well as Asus, guess what, they all had a button which said Firewall on/off.

This is on a par with the "technical review" I saw written by a so called expert for one of the PC magazines.

The "expert" was reviewing Private Firewall and slammed it because " I let the kids surf the net for a few hours, the firewall failed our tests because when we looked it had allowed cookies to be installed to the machine from the internet". ......... Yeah, okay.
 
I'm glad to be reminded of this, it's not something obvious. You'd think if one turns the firewall off, the firewall settings are still enforced that block access from the WAN if the "allow WAN access" button is off. I'm not sure why people are getting offended at the reviewer. I think even intelligent consumers would assume that part of the firewall that controls WAN access, the IP tables, are still valid no matter the state of the firewall button. I think it is an under-sight from ASUS.
 
FWIW - While I never depreciate security considerations...

While the SPI firewall that the guy reported might get accidentally disabled, one is still NAT'ed, which is a firewall of sorts in and of itself... tempest in a tea-cup perhaps?

I'm surprised nobody brought that up...

Anyways, the take-away here is that there are many levers and switches that can lead to a misconfiguration and potentially expose your network - and that's the big thing to take away from the "disclosure" that started this thread...
 
sfx2000 said:
FWIW - While I never depreciate security considerations...

While the SPI firewall that the guy reported might get accidentally disabled, one is still NAT'ed, which is a firewall of sorts in and of itself... tempest in a tea-cup perhaps?

I'm surprised nobody brought that up...

Anyways, the take-away here is that there are many levers and switches that can lead to a misconfiguration and potentially expose your network - and that's the big thing to take away from the "disclosure" that started this thread...
Click to expand...

NAT protects the LAN, but it does not protect the router itself, which is what the article is about.

I have wondered if NAT was vulnerable to some sort of attack. Disabling firewalling is still ill-advised, especially for gateway routers. Better safe than sorry.

Edit: I am torn between presenting settings and hiding them, because I know how bad I am with "if there's a switch, I must flip it"... like all defaults are conspiratorially sub-optimal.
 
Nullity said:
NAT protects the LAN, but it does not protect the router itself, which is what the article is about.

I have wondered if NAT was vulnerable to some sort of attack. Disabling firewalling is still ill-advised, especially for gateway routers. Better safe than sorry.
Click to expand...

NAT itself is fairly safe in an IPv4 context...

There's always concerns about NAT gateways - e.g. SOHO consumer router/AP's - as they are vulnerable - not the first time, and it won't be the last... these things have a lot of old code, and many will never be fixed...
 
You must log in or register to reply here.

Similar threads

K
Latest RT-AC68U Asuswrt stock vs Merlin security
Replies
6
Views
2K
KrypteX
K
K
  • Locked
PC Mag and others on 6/20/23: 19 Asus Routers Need Their Firmware Updated Immediately
Replies
1
Views
2K
RMerlin
RMerlin
mekki
WAN Reconnect Problems Across ASUS Routers / Firmware Versions
Replies
10
Views
1K
brummygit
brummygit
torstein
Avoid Consumer Routers
2
Replies
39
Views
6K
netware5
netware5
L
VLAN on NEW Router... or Separate Routers for IoT and Security
Replies
8
Views
11K
RMerlin
RMerlin
Similar threads
Thread starter Title Forum Replies Date
C Attempting to design an ASUS Mesh Network purposely using a double NAT? Good or bad idea? ASUS Wireless 7
H Asus Network design ASUS Wireless 13

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 802 (members: 20, guests: 782)
Top