[Nottingham] Setting up a router at uni
Jim Moore
jmthelostpacket at googlemail.com
Wed Aug 27 00:27:19 UTC 2008
Danny King wrote:
> Thanks Martin,
>
> I just got an email from the IT team and they said it was fine to take
> more than one computer as long as I register each one through their
> "registration process", whatever that is.
>

Basically, they're making sure that they're billing students for their
net usage. They also, understandably, like to be sure of what equipment
is connected to their network...

> I think I'll look into finding/buying a little hardware router rather
> than using a spare computer. Other students are what I'm worried
> about, especially since I have full intentions of getting some friends
> together to try and test out security on our boxes! As for capability,
> is NAT the only requirement I should be looking for?
>
> Thanks again.
>

NAT routers do two things - they route data packets to the correct
machine in their slice of LAN, and silently drop (or bounce) rogue
packets (pings, other incoming packets) which aren't accompanied by the
correct header information for the router to know where that packet is
going. DMZ and port forwarding rules bypass this by routing all "other"
incoming packets (those not routed to systems on the LAN) to the DMZ,
those directed through specific ports to specified addresses on the
local network. Ergo, NAT routers by their nature are hardwalls.

More sophisticated NAT routers can include AV, SPI (Stateful Packet
Inspection, which is the firmware's ability to determine the protocol
used, the source and destination IPs of each packet (thus be able to
hold open a port for that connection), and the default behaviour of
dropping each and every packet that does not adhere to strict
preprogrammed filter rules - this makes an SPI-equipped router
practically invulnerable to ICMP spoof attacks and other such packet
flooding behaviour: at least, that's the theory. Linksys WRT54GS
routers, for instance, were so broken in early models that [from
experience] literally every one sold was returned faulty within days or
even hours with the same firmware problem). More recent models of
SPI-equipped routers are a lot more stable, and while a little more
expensive than bog-standard routers (the £20 jobs...) they are a lot
more secure, in every sense of the word.

cheers
TLP