NETGEAR WNDR3700 and FIOS Victory and a cautionary tale of security with a FIOS Router
douglasmon
Enthusiast - Level 1

I added FIOS as our ISP in January.  We received a good deal for superior speed, 25/25 Mbps.

What I learned after testing the Westell 9100 router provided by Verizon was that port 4567 was continually open.  And that after several calls to Verizon tech support, and yes, hours waiting for a live person (cumulative waiting time), I was met with silence on the question of the open port and given a canned answer that Verizon does not provide support for that issue.  I tested this at Norton, grc.com and auditmypc.  All have the same result: port 4567 is open.

I found some helpful hints via Google search and via this forum.  What I have learned to my dismay is that anyone who knows our IP address, even though it is dynamic every few days, could telnet to the port and, if they knew our password, or if a user did not change the default, could enter our setup and network.  This should send shivers down your spine.

Verizon, as I understand it, leaves the port open for firmware updates.  And it's impossible to stealth the port given their software.  Also, Verizon has their own DNS that they list as primary and secondary.  This means that everything you do online passes through their DNS servers and is recorded.  How do you know?  Ever get that sudden switch to Verizon search after a Google search?

I purchased a router.  Actually 2; took one back and upgraded to the Netgear WNDR3700.  What a nightmare in trying to figure out why the connection kept dropping.  After hit and miss, I found 2 settings that are a must (with dynamically assigned DNS):

  1. MTU must be set to 1492 in the router WAN setup.
  2. Your router's MAC address must be set to use the computer's MAC address, in the Basic settings.

I also registered at OpenDNS and use their DNS servers with no issue.  I'm trusting one over the other.

FIOS has changed my IP twice since and my home network runs without a hitch.  I have a hub set up, PS3, non-FIOS TV, IP phone, etc.

Re: NETGEAR WNDR3700 and FIOS Victory and a cautionary tale of security with a FIOS Router
viafax999
Community Leader

Not sure how you would logon via telnet, did you manage it?

Probably more success via a browser as that way it prompts you for a userid and password, however, the userid and password don't appear to be any of the defined users on the router.

You kind of need their router to make life easier if you have STBs - yes, I know there are ways around that too - so it is easier to just leave it in place and put your own router behind theirs and then control all the security on your router.  That way you don't have to mess around with MTU settings etc. and VZ will still support you in the event of any issues.

If you look at your port forwarding settings you will find a whole bunch of ports that VZ have opened for the STBs - I appear to have about 35 now and the list still grows.

Do you power your router off?  As it's strange that it keeps changing addresses.  Mine hasn't changed since it was set up last November.

0 Likes
Re: NETGEAR WNDR3700 and FIOS Victory and a cautionary tale of security with a FIOS Router
dslr595148
Community Leader

If you wanted to block that port, read the info on http://www.compu-help.us/205.htm

0 Likes
Re: NETGEAR WNDR3700 and FIOS Victory and a cautionary tale of security with a FIOS Router
Hubrisnxs
Legend

Yeah, it can be disabled/blocked - but it's not the easiest thing in the world to do because Verizon hard codes it.

It serves two functions.  Firmware updates, but most importantly it allows VZ support to control the box as part of their troubleshooting.  Meaning they can pull stats using it, they can reboot it using it, change your SSID and password if you need it changed remotely, they can change the wireless channel on it if you need that, force an update, factory reset it, etc.

Without that port open they fly completely blind.

You can close it, but just don't expect them to be able to help you much in the way of automated fixes like clearing your DHCP license or breaking the lease.  You'll have to do all of those things manually.

It's a port that is used exclusively for their systems and shouldn't be accessible by anyone else. 

(edit)

0 Likes
Re: NETGEAR WNDR3700 and FIOS Victory and a cautionary tale of security with a FIOS Router
douglasmon
Enthusiast - Level 1

Have I attempted to log on to another Verizon IP?  No.

Have I accessed my router with telnet?  Yes.  It's all command prompt.

Static IPs are for business accounts while dynamic are for the minions.  I haven't had to break a lease manually for a week, since the router set up successfully.  35 ports open.  Uh.....

Thanks for the input.  If this router runs foul, I'll give the piggyback option a shot.  I just posted as I noticed there wasn't much info available on Netgear setup for the WNDR3700 on the forum.  Might be helpful to someone.

0 Likes
Re: NETGEAR WNDR3700 and FIOS Victory and a cautionary tale of security with a FIOS Router
dslr595148
Community Leader

@Hubrisnxs wrote:

It's a port that is used exclusively for their systems and shouldn't be accessible by anyone else. 
Since grc.com shields up is not a part of Verizon, this means it is accessible by everyone.

0 Likes
Re: NETGEAR WNDR3700 and FIOS Victory and a cautionary tale of security with a FIOS Router
Hubrisnxs
Legend

viewable and accessible are two different things.  

0 Likes
Re: NETGEAR WNDR3700 and FIOS Victory and a cautionary tale of security with a FIOS Router
prisaz
Legend

My Verizon router is not a router.  Bridge only.  No WAN ports used on my Actiontec.  Who needs support?  The only reason I would call is if my service stopped working, or slowed down to a problem.  I am not most people.  My router is a Linux box with a single-core CPU, 512 MB of RAM, an 80 GB drive, and two network cards.  Logs everything for 90 days.

Re: NETGEAR WNDR3700 and FIOS Victory and a cautionary tale of security with a FIOS Router
dslr595148
Community Leader

@Hubrisnxs wrote:

viewable and accessible are two different things.  
Let me play Devil's Advocate with you:

#1 If

a) I am a bad person and

b) that port is open from the net.

#2 Even if you changed the default password to your router (something you should do anyway),

#3 I will keep on pounding that port and guessing the username and password - until I get in.

#4 Once I am in, you are pwned.

* End Devil's Advocate *

^^

Re: NETGEAR WNDR3700 and FIOS Victory and a cautionary tale of security with a FIOS Router
prisaz
Legend

I will agree with dslr595148.  If it is open it is fair game.  I know first hand that the Actiontec and Westell routers' logs will fill up quickly.  That is, if logging is set properly.  I guess if someone tried a brute force attack and spent enough time, they could get in if a non-secure short password was used, like password1.  I think even responding to a ping request is not good.  My firewall gets hit daily even though it is totally stealth on all ports.  There is a switch even on Nmap to ignore the failure to respond to ping requests and still hammer all ports.  Things are bad enough without putting out an invite, like open ports.  Wow, a logon prompt, what fun.
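Added example, not from this thread and not part of any Verizon, Westell, Actiontec or Netgear software: a small Python log analyser that takes dslr595148's "Devil's Advocate" scenario (someone pounding the open port and guessing passwords) and prisaz's point that the router logs fill up quickly if logging is set properly, and turns them into a check a defender can run over those logs. It separates a one-off probe of the port (what an outside checker such as grc.com ShieldsUP produces: "viewable") from repeated login failures ("accessible", and being worked on), and flags any source that fails FAIL_THRESHOLD times inside a WINDOW as a brute-force attempt. The log line formats, the telnetd failure message, the IP addresses and the thresholds are all constructed assumptions for the example; adapt the two regexes to whatever your own router actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not output from any real router). The "FW-IN" lines
# mimic a Linux netfilter LOG prefix; the "login failed" lines are an ASSUMED
# telnetd message format, since the thread shows no real Westell/Actiontec log.
SAMPLE_LOG = """\
2024-01-15T03:12:01 router kernel: FW-IN: SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=4567
2024-01-15T03:12:02 router telnetd[412]: login failed for user 'admin' from 203.0.113.5
2024-01-15T03:12:04 router telnetd[412]: login failed for user 'admin' from 203.0.113.5
2024-01-15T03:12:05 router telnetd[412]: login failed for user 'admin' from 203.0.113.5
2024-01-15T03:12:07 router telnetd[412]: login failed for user 'root' from 203.0.113.5
2024-01-15T03:12:09 router telnetd[412]: login failed for user 'admin' from 203.0.113.5
2024-01-15T03:12:10 router telnetd[412]: login failed for user 'admin' from 203.0.113.5
2024-01-15T03:40:00 router kernel: FW-IN: SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP DPT=4567
2024-01-15T04:01:10 router kernel: FW-IN: SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP DPT=4567
2024-01-15T04:01:11 router telnetd[412]: login failed for user 'admin' from 192.0.2.77
2024-01-15T09:30:11 router telnetd[412]: login failed for user 'admin' from 192.0.2.77
2024-01-15T11:00:00 router kernel: FW-IN: SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP DPT=80
"""

# Assumed line formats (adjust to your router's real syslog output).
PROBE_RE = re.compile(r"^(?P<ts>\S+) \S+ kernel: FW-IN: SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)")
FAIL_RE = re.compile(r"^(?P<ts>\S+) \S+ telnetd\[\d+\]: login failed for user "
                     r"'(?P<user>[^']*)' from (?P<src>\S+)")

WATCHED_PORT = 4567                 # the port the thread is about
FAIL_THRESHOLD = 5                  # failures from one source ...
WINDOW = timedelta(minutes=5)       # ... inside this window = brute force


def parse_events(log_text):
    """Yield (timestamp, kind, src, detail); kind is 'probe' or 'fail'."""
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            if int(m["dpt"]) == WATCHED_PORT:   # ignore traffic to other ports
                yield datetime.fromisoformat(m["ts"]), "probe", m["src"], m["dpt"]
            continue
        m = FAIL_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), "fail", m["src"], m["user"]


def analyse(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Count probes and login failures per source; flag sliding-window brute force."""
    probes = defaultdict(int)
    failures = defaultdict(int)
    usernames = defaultdict(set)
    recent = defaultdict(deque)     # per-source timestamps inside the window
    brute_force = {}                # src -> time the threshold was first crossed
    for ts, kind, src, detail in parse_events(log_text):
        if kind == "probe":
            probes[src] += 1
            continue
        failures[src] += 1
        usernames[src].add(detail)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in brute_force:
            brute_force[src] = ts
    return {
        "probes": dict(probes),
        "failures": dict(failures),
        "usernames": {src: sorted(u) for src, u in usernames.items()},
        "brute_force": brute_force,
    }


def classify(report):
    """Per source: scan_only (viewable), login_attempts (accessible), or brute_force."""
    verdicts = {}
    for src in set(report["probes"]) | set(report["failures"]):
        if src in report["brute_force"]:
            verdicts[src] = "brute_force"
        elif report["failures"].get(src, 0):
            verdicts[src] = "login_attempts"
        else:
            verdicts[src] = "scan_only"
    return verdicts


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for src, verdict in sorted(classify(report).items()):
        print(f"{src:16} {verdict:15} probes={report['probes'].get(src, 0)} "
              f"failures={report['failures'].get(src, 0)} "
              f"users={report['usernames'].get(src, [])}")
```

On the constructed sample, 198.51.100.200 only touched the port once and never tried a login, which is what a self-test from an outside scanner looks like; 192.0.2.77 failed twice hours apart, which is worth noting but not alarming; 203.0.113.5 crossed five failures within the window at 03:12:09 and is flagged as brute force. The sliding deque keeps memory bounded even on a log that, as prisaz says, fills up quickly, and the verdict names map directly onto the thread's "viewable versus accessible" distinction.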