Is a router a firewall?

Routers allow data to move between computer networks. If you use a computer at home or work, your router will perform a fundamental job by forwarding data packets between your computers and the internet, in other words, they provide the means for your internet connectivity. They are still typically implemented as hardware, but are really just software or “firmware” systems connected to hardware data ports inside some kind of case or “chassis”. A firewall is a special type of router that is able to detect, block and report unwanted or malicious traffic trying to move into or out of your network. We generally refer to modern firewalls as next-generation firewalls (NGFW), but that has been true for about 20 years now, so all real firewalls are NGFW these days.

It’s not uncommon for home users to install a router that has been provided by their internet service provider. These are usually good value, efficient, and easy to operate. These routers have the most basic of security features, including the general restriction on unsolicited internet traffic entering your private network. In this sense they are sometimes treated as a basic home firewall, and some even argue that for cost-saving reasons they should be sufficient for their business also.

Routers at risk

However, standard entry-level routers, as well as lowest-cost dedicated firewall type devices, come with very little in the way of real-world security, either from the device itself or from the vendor behind the device. For example, home or consumer internet routers generally lack the ability, or default configuration, to auto-update their own firmware, and few users (especially home users) know how or when to patch that firmware to remove already-known vulnerabilities. This leaves those routers and private networks open to attack. A typical security flaw may allow an attacker anywhere on the internet to read any file from the router, potentially including the credentials of administrative user accounts. This means that the hacker can decrypt the username and password and potentially gain full remote access to and control of that router. Such flaws may also be exploited to automatically enlist your router as part of a botnet; an army of internet-connected workers that can be enlisted to anonymously attack other targets across the internet. This can be problematic in terms of consuming your bandwidth and data, restricting your ability to access web sites and services, and potentially implicating you in nefarious activities.

Cryptojacking with routers

Another recent example of a router-based attack involves the exploitation of un-patched routers to secretly install a cryptocurrency miner on all the computers connected to that router. Once a hacker has successfully gained administrator access on the targeted router, they are then able to install well-crafted scripts to inject cryptojacking software into web pages visited by users within your private network. (Source: SpiderLabs MikroTik exploit analysis). In some cases the scripts have been injected into every user who visited a web server located behind an infected router or firewall. This cryptojacking software utilises your computer power to mine cryptocurrency and then transmit that mined value to a wallet controlled by the attacker.

Attackers prefer cryptomining rather than using ransomware because it is the type of attack that keeps itself relatively hidden from quick discovery, meaning that the hacker can run a stealthy miner for a longer period of time which can make profit more than ransomware. (See our recent post for more on cryptojacking).

False economies

Problems can arise when businesses find themselves relying on a low-end commodity router, or cheapest-option firewall, instead of a leading business-grade solution. Often this comes down to having made cost-centric, or insufficiently informed, security purchases. In other cases the choice of router or firewall is symptomatic of a broader problem – where insufficient priority and budget are given to one of the key defences of the business. Tens of thousands of low-end routers and firewalls can be infected using a single type of attack (source: Twitter). And even if the router manufacturer is quick to release effective patches, these patches are of course only of use if they are actively (and manually) applied to the device. Businesses that choose the cheapest option for their internet-connected gateway typically underinvest in the people and procedures around that gateway device – with limited or no attention to vulnerability discovery, firmware updating procedures, or security event monitoring.

It is also worth considering that price-point routers and firewalls are typically provided by vendors for whom security reputation is low on the list. Routers and firewalls, for these vendors, might be a small part of a much larger product suite, and sales volumes across those product ranges are the real priority. Contrast this with vendors who model their entire business on their firewalls and security product, and stake their reputation on avoiding vulnerabilities in their security devices, and on how quickly they are able identify and patch any such issues. Combine this with the high likelihood that the customers of these vendors will take seriously the discovery, patching and monitoring of such devices, and you will understand why low-end devices come with far higher business risk.

What to do

If you are using a standard router at home, or are not using a leading firewall brand for your business, ensure that you keep the router or firewall and all connected devices regularly and actively updated. Months or years can go past without considering such things, and in that time you might have been “owned” more than a couple of times!

Also, take steps to ensure that your web sites are only serving up HTTPS (with no pages over plain old HTTP). This establishes an end-to-end tunnel between your web site and the end user, and helps to prevent any illicit content (such as cryptomining scripts) being injected into your web pages by a compromised network device.

You can also take steps to ensure that your users access all sites through HTTPS, for the same reasons. This can be controlled via browser extensions, firewall rules, and training.

Fundamentally, however, all businesses should implement a business-grade gateway security solution to protect and monitor their network for anomalous activities, and they should take the ongoing management of those solutions as seriously as the initial purchase.

Speak to phew! today about ensuring that your internet gateway is fit for purpose and that your business is being properly protected.