Tech Update Security
David Berlind's Reality Check
Security issues move Linksys routers off the short list
By David Berlind
April 8, 2004

As more companies adopt a telecommuting-friendly culture, more employees are taking the plunge for cable or DSL-based Internet access. In many cases, their households have more than one Internet user and are installing turnkey connection-sharing appliances. The two companies that most often come to mind for me as providers of these appliances are the recently Cisco-acquired Linksys and the not-yet-acquired NetGear. Linksys is apparently having some engineering difficulties that are leaving its customers exposed to potential security problems.


As I reported in my recent stories regarding a new and looming threat to all Internet users -- the mini Distributed Denial of Service attack (mDDoS) -- my four-year-old Linksys BEFSR11 cable modem router/firewall was having security issues that couldn't be solved by upgrading its firmware with the most recent download from Linksys' Web site. To address the router's shortcomings, Linksys suggested that I try a newer router. Although the one they sent me -- a four-port BEFSX41 -- had more robust logging capabilities (your ISP may refuse to do anything about a DDoS attack unless you can produce a detailed, e-mailable log), I've had difficulty getting it to work securely and reliably. My troubleshooting attempts reminded me of some problems I had with the older BEFSR11 two years earlier, after I had upgraded its firmware in order to get support for Universal Plug-n-Play (UPnP).

One of the advantages of UPnP is that, instead of leaving certain ports on your firewall permanently open to support certain applications, UPnP-capable applications running inside a network (like instant messaging applications) can make a request to open the ports temporarily. This is supposed to improve the security of your firewall because, as long as certain applications aren't in use, the ports that they typically rely on stay closed. Also, those applications don't have to always use the same port. The resulting lack of predictability means that hackers face a lot more trial and error testing before they can successfully leverage any open ports. However, the minute I activated UPnP on my old router, MSN messaging broke and my network connection kept going up and down until I went into the router's administration console and disabled UPnP altogether.

Between the UPnP problems with the old router and key mDDoS vulnerabilities that haven't gone away with the new one, and some other reliability problems I'm having with the new one, I'm beginning to wonder how well Linksys is testing its routers and firmware upgrades before releasing them to the public.

For starters, as Gibson Research's ShieldsUp firewall vulnerability test will show, most Linksys routers leave port 113 closed by default. Firewall ports have three modes: open, closed, and stealth. The stealth mode hides a port's existence altogether (if all ports are stealthed, the existence of the entire Internet connection is basically hidden), while a closed port will actually acknowledge queries from the Internet by saying "Yes, I'm here!" A well-executed mDDoS attack, such as the one that hit my Linksys router, will send the router/firewall into such a query-acknowledgement frenzy that the device quickly becomes too overwhelmed to handle any legitimate traffic. To users relying on that connection, the connection appears to be down. Router/firewalls with any port open or closed are so vulnerable to such attacks that Gibson's ShieldsUp test will give a clean bill of security health only to a firewall/router with all of its ports stealthed.

According to a Linksys spokesperson, "Our engineers used to have this port stealthed, until we started getting a lot of complaints about using IRC. The solution was to keep it closed at the time." In subsequent e-mails, Linksys said that it was "still under discussion on how to implement [a fix]. This will impact all of our product line, so we need to carefully plan for it." Let me repeat that: "All of Linksys' product line" is affected by this vulnerability. So, is Linksys' rationale for leaving port 113 closed instead of stealthed justified?

According to Gibson Research president Steve Gibson, the answer is no. "Port 113 is known as the IDENT port," said Gibson. "When a user connects to an IRC server, that server turns around and makes an IDENT query back to the user's system. If the user's system is running an IDENT server and port 113 is open, their system will respond to the IRC server's query with information like the user's name and maybe their phone number. If port 113 is closed, the IRC server would at the very least get an acknowledgement, telling it that someone is there. If port 113 is stealthed, the IRC server won't even receive an acknowledgement and, on the assumption that no one is there, will think the connection attempt is bogus and deny the connection. But that practice, which dates back to the early '90s, has long since stopped. If you really tried, you could probably find an IRC server on the Internet that still does IDENT queries, but no one really does it anymore."
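To make the two ideas above concrete, the open/closed/stealth distinction from the ShieldsUp discussion and the IDENT query an IRC server sends back to port 113, here is an added Python example; it is not code from this column, nor from Linksys, NetGear or Gibson Research. It runs entirely on loopback: the responder, the usernames, the port pair 6667/51234 and the HIDDEN-USER policy are constructed for the demonstration, and the query and reply syntax follow RFC 1413. The probe classifies a port by what comes back: a completed connect means open, a refused connect (TCP RST) means closed, and no reply at all is what ShieldsUp calls stealth.

```python
"""Added example: TCP port-state probe plus a minimal IDENT (RFC 1413) exchange.

Not code from the article, Linksys, NetGear or Gibson Research. All hosts,
ports and usernames below are constructed for the demonstration.
"""
import socket
import threading

OPEN, CLOSED, STEALTH = "open", "closed", "stealth"


def probe_tcp_port(host, port, timeout=1.0):
    """Classify a TCP port the way a ShieldsUp-style scanner sees it.

    open    - the connect completes (a SYN/ACK came back)
    closed  - the peer answered with RST, i.e. it acknowledged being there
    stealth - nothing came back at all (packet dropped, or no route to reply)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except OSError:  # includes socket.timeout / TimeoutError
        return STEALTH
    finally:
        s.close()


def unused_loopback_port():
    """Find a loopback port with no listener (constructed 'closed port' case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def parse_ident_query(line):
    """Parse an IDENT query '<server-port>,<client-port>'; None if malformed."""
    try:
        sp, cp = (int(x.strip()) for x in line.strip().split(","))
    except ValueError:
        return None
    if not (0 < sp < 65536 and 0 < cp < 65536):
        return None
    return sp, cp


def ident_reply(query_line, lookup):
    """Build the responder's reply line in RFC 1413 syntax.

    lookup maps (server_port, client_port) to a username, or returns None
    when the responder chooses not to reveal who owns the connection.
    """
    parsed = parse_ident_query(query_line)
    if parsed is None:
        return f"{query_line.strip()} : ERROR : INVALID-PORT\r\n"
    sp, cp = parsed
    user = lookup(parsed)
    if user is None:
        # HIDDEN-USER acknowledges the connection but discloses no identity.
        return f"{sp},{cp} : ERROR : HIDDEN-USER\r\n"
    return f"{sp},{cp} : USERID : UNIX : {user}\r\n"


def run_ident_exchange(query_line, lookup):
    """One-shot IDENT responder on loopback, queried as an IRC server would."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def responder():
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(512).decode("ascii", "replace")
            conn.sendall(ident_reply(data, lookup).encode("ascii"))
        srv.close()

    t = threading.Thread(target=responder, daemon=True)
    t.start()
    # The "IRC server" side: connect to the IDENT port and ask who owns
    # the connection from client port 51234 to server port 6667.
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as irc_side:
        irc_side.sendall(query_line.encode("ascii"))
        reply = irc_side.recv(512).decode("ascii")
    t.join(2.0)
    return reply


if __name__ == "__main__":
    talkative = lambda ports: "alice"  # constructed: reveals the account name
    discreet = lambda ports: None      # constructed: reveals nothing
    print(run_ident_exchange("6667,51234\r\n", talkative), end="")
    print(run_ident_exchange("6667,51234\r\n", discreet), end="")
    print("no listener ->", probe_tcp_port("127.0.0.1", unused_loopback_port()))
```

Run stand-alone, the script prints the USERID reply that an open, talkative IDENT responder would give away, the HIDDEN-USER reply of a responder that answers without disclosing anything, and `closed` for a loopback port with no listener, which is the RST acknowledgement the column describes. A stealthed port would produce the `stealth` result instead, because the probe receives nothing before its timeout.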

Gibson went on to describe how easy the fix would be. "The way ZoneAlarm dealt with this is that it would keep port 113 stealthed, and if it detected that an IRC client was having difficulty achieving a connection, it would dynamically switch the port's status and allow only a connection with that IRC server," said Gibson. "Nothing prevents Linksys or any other router/firewall vendor from programming the same sort of capability into their devices." What firewall/router does Gibson use? "I've already switched from Linksys. Now, I use NetGear."

Whereas Linksys is, in my estimation, making the ill-founded decision to leave port 113 closed instead of stealthed in order to support a hardly used legacy technology, its closest competitor, NetGear, has port 113 stealthed by default on its devices.

"In the early days, everyone had port 113 support," said NetGear product manager Kevin Allan. "We closed it out because it's really not necessary to have it open any more. We use Gibson's ShieldsUp to test all of our products. We decided that it's not critical to issue acknowledgements from port 113. I think that [decision] was critical in terms of customers and the vulnerabilities that leaving port 113 closed would have otherwise subjected them to. We try to keep it as airtight as we can." Although he acknowledged that stealthing port 113 could create problems for some very small percentage of users, Allan noted that those users can open the port through NetGear's administrative interface. "What you don't want to do is leave it open for no reason," said Allan.

I asked Gibson whether UPnP-compliance could be the answer to the sort of on-the-fly port adjustments that he likes. Gibson responded, "Firewall/routers with UPnP enabled by default will be the next major security problem." Why? Systems on the inside of a UPnP-compliant firewall are given the authority to dynamically change a port's status. However, the difference between UPnP and the ZoneAlarm-sort of flexibility that Gibson likes is that in the latter situation, the flexibility is hardwired to some known problems. With UPnP, the dynamism is more encompassing of all ports. Firewalls aren't simply for keeping the bad stuff out, but also for keeping both bad and confidential stuff from getting out. Gibson cites the example of e-mail borne viruses. "Once a virus is inside the firewall, nothing prevents it from using UPnP to open up a port in your firewall and exposing your network."

Linksys' port 113 issues are not my only concerns. In addition to the port 113 vulnerability, which can be manually dealt with by going into a Linksys router's administration screens and forwarding port 113 requests to a non-existent IP address, the new Linksys firewall/router is having other problems, even with the latest firmware revision.

When I ran Gibson's ShieldsUp utility several times in a row, the utility kept reporting back to me with different results, as though the status of large ranges of ports were changing from stealth to closed and back to stealth again. Another problem had to do with VPN tunnel support, which is an absolute must for telecommuters who need secure access to their corporate networks. Before unplugging the old Linksys router, my VPN connection would stay up for as long as I wanted it to (or until a problem unrelated to the router/firewall forced an interruption in service). With the new router/firewall, my PPTP-based VPN connection to the corporate network drops several times a day.

Linksys told me that their engineers were able to reproduce these problems. The flaky results that ShieldsUp returned on multiple runs have been corrected and the fix is currently being tested. The VPN problem, which the company was also able to reproduce, is being debugged, but no solution is available yet.

The problems encountered with the newly supplied router/firewall were bad enough that I can't wait to get rid of it. In its place, I'll be looking at a couple of other options, including some replacement devices from NetGear and ZyXEL. I'm also looking into setting up my own router/firewall using the Linux-based open-source project for IPCOP, which, according to some ZDNet readers, is the way to go. If I learn anything new, you'll hear about it here.

You can write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.
