FRITZ!box firewall: how to configure it and use remote services

FRITZ!Box routers are very popular in Europe. There are several reasons for their success: the devices are known for their reliability and performance, for the availability of advanced features, and for offering a complete and intuitive administration interface. The FRITZ!Box firewall is a little different from that of other manufacturers but still offers a high level of protection. In addition, the telecom operators that provide Internet access are increasingly choosing FRITZ!Boxes for their customers, partly because of the solid VoIP support.

The transition to VoIP (Voice over Internet Protocol) telephony by European telecommunications operators for fiber offers (FTTC and FTTH) is influenced by various factors. One is the bandwidth available with fiber offers, which allows the telephony service to be significantly improved. Others are cost reduction (VoIP eliminates the need to manage two separate network infrastructures for telephone and Internet services), the ability to offer converged services, and flexibility and scalability without making physical changes to the network.

Staying on the subject of VoIP, we have seen how FRITZ!Box routers work and how they have become a “first choice” in home and professional environments.

FRITZ!Box firewall: how it works

Like other routers in the same category, FRITZ!Boxes integrate a firewall, an essential component for the security of the local network. The FRITZ!Box firewall uses Stateful Packet Inspection (SPI) technology: the device analyzes network traffic at the packet level to identify and filter harmful or potentially harmful communications. The incoming and outgoing data flow is constantly monitored and analyzed, and security rules are applied to allow or block each communication.

The FRITZ!Box firewall also offers protection against Denial of Service (DoS) attacks, which aim to overload the network or devices with a massive flow of requests. The firewall can detect and mitigate such attacks to maintain network stability and accessibility.

Also, by default, all communication ports of the FRITZ!Box router are inaccessible from the outside, that is, from a host connected to the Internet. No service and no component of the router is reachable remotely.

In practice, a simple test with GRC ShieldsUp! (select Proceed, then All Service Ports) shows that not all of the ports are stealth. Some may simply turn out to be closed.

Difference between stealth ports and closed ports

  • Stealth port: A network port that is hidden or made invisible from outside the network. When someone tries to scan the device’s ports from a remote location, a “stealth” port does not respond and provides no information that reveals its presence. It’s as if the port doesn’t exist for external users.
  • Closed port: A “closed” port is a network port that has been configured to block incoming traffic. Unlike a “stealth” port, however, a “closed” port responds with an error or denial message if someone tries to access or communicate with it from a remote location. The device indicates that the port exists but does not accept the connection.
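
The distinction above can be observed from the connecting side. The following is an added example, not part of the original article: a small Python check you can run against your own router's public address to see which state each port reports. The function names and the demo on the loopback address are assumptions made for illustration.

```python
import errno
import socket

def classify_error(exc):
    """Map a failed TCP connect() to the port state it implies."""
    if isinstance(exc, ConnectionRefusedError):
        return "closed"       # device answered with a reset: port exists, refuses
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "stealth"      # no answer at all: the packet was silently dropped
    if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"  # no route, or an ICMP error came back
    raise exc                 # anything else is a local problem, not a port state

def probe(host, port, timeout=2.0):
    """Return 'open', 'closed', 'stealth' or 'unreachable' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"     # three-way handshake completed
    except OSError as exc:
        return classify_error(exc)

def visible_ports(host, ports, timeout=2.0):
    """Ports that reveal the device's presence (anything that is not stealth)."""
    states = {p: probe(host, p, timeout) for p in ports}
    return {p: s for p, s in states.items() if s in ("open", "closed")}

if __name__ == "__main__":
    # Constructed offline demo: a listener on loopback stands in for an open port.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print(port, probe("127.0.0.1", port))   # open
    srv.close()
    print(port, probe("127.0.0.1", port))   # closed: the OS refuses the connection
```

A port that times out is reported as stealth; a port that refuses the connection is reported as closed, which is the case ShieldsUp! flags separately.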

Stealth mode of the FRITZ!Box firewall

By accessing the administration panel of the FRITZ!Box router and then navigating to Internet, Filters, Lists, Global Filter Settings, you can enable the firewall’s stealth mode.

It is a feature that hides the existence of the FRITZ!Box device from external port scanners: we have seen what Nmap, the “king” of port scanners, is and how it works. In stealth mode, the firewall of the FRITZ!Box does not respond to requests sent to device ports from outside the network.

Fritzbox firewall, Stealth mode

However, we have found that to date the FRITZ!Box still responds to ICMP requests from remote systems. In other words, even with firewall stealth mode enabled, when the ping command is issued followed by the IP address assigned to the router, the FRITZ!Box responds to the requests, confirming its presence on the network.

Apart from that, the level of protection for the communication ports offered by the FRITZ!Box routers is fully up to expectations. Also, by clicking on Diagnostics, Security in the device administration panel, the router shows the list of TCP and UDP ports that may be open.

Open ports on the FRITZ!Box firewall

In the example in the figure, the open ports are those related to the VoIP service made available by the telecommunications operator. The configuration is correct.

How to access the local network remotely with the FRITZ!Box firewall

If you need to remotely access one or more services provided by devices connected to the local network, go to the Internet, Permit Access section of the FRITZ!Box.

In this section you can choose the name of the device to which traffic coming from remote hosts on the Internet should be forwarded. Alternatively, you can specify the respective local private IP addresses or MAC addresses. In all cases, the FRITZ!Box router must hold a public IP address and therefore be reachable on the Internet.

Port forwarding FRITZ!Box firewall

If you choose to specify a private IP address, that address must of course be assigned statically to the corresponding device. Otherwise, the FRITZ!Box will forward data packets to another local device that is not the correct one. We have already seen what a static IP is and how to use it. By specifying the target device name or the MAC address you don’t have this problem (the private IP of the device configured as the recipient of the traffic can change without consequences).

Be careful when enabling incoming ports

Wherever possible, it is always good to avoid opening inbound ports. Assuming you have an HTTP/HTTPS server running on the local network, by forwarding data traffic to that device, anyone on the Internet has the ability to reach that device.

Think about the login screen of a camera, a video surveillance system, an alarm system, a NAS server, or any business application. If you expose this panel publicly by opening the port on the FRITZ!Box router and forwarding the traffic, anyone on the Internet will be able to see it. They can start guessing your username and password, for example by launching a brute force attack. Or they can take advantage of a security vulnerability to access a single device or the entire local network. Or, again, execute arbitrary code.

Better to open ports sparingly, then. Better yet, don’t open them at all. To access the local network remotely and safely, consider setting up a VPN server, which the FRITZ!Boxes themselves support. The local VPN server can be configured on the router or run on another system also connected to the LAN.

In another article we have seen how to install a VPN and the differences between a local server and services offered by third parties.

What are MyFRITZ! activations

FRITZ!Box routers also offer a feature called MyFRITZ! activations. It is a tool that allows you to reach an application available on the local network via the Internet, overcoming the difficulty of opening ports.

With this approach, the services that you want to appear on the Internet can be reached via a direct link (domain myfritz.net).

MyFRITZ authorizations: what they are and what they are for

There is, however, one important limitation: MyFRITZ! activations are only compatible with web browser-based applications. The local server service must be reachable via a URI (Uniform Resource Identifier) scheme, for example through the HTTP, HTTPS or FTP protocols.
