Features of the embedded SMB and FTP servers

As it has already been said in excursus to settings, you can connect external data storage devices with USB or Firewire interfaces to USR8200. The storage devices at once appear (if detected) in Network map, where you can browse them, create partitions, format, or check for errors.

Unfortunately (this is noted on the web site of the manufacturer in the firmware comments), compatibility with USB 1.1 devices leaves much to be desired. Out of ten flash cards that I tried to connect, only two worked: Kingmax 16Mb and Easydisk 128Mb. I had no devices with USB2.0 or IEEE 1394 available, and so I didn't manage to check how USR8200 works with them.

Users will see such storage devices as shared disks (SMB resources) or via an FTP server. Access to both kinds of resources is granted only to users, who have logins and passwords in the corresponding section of USR8200. Besides, an ftp server can have a special anonymous user. This user can have read and write rights. You can also create a special directory, and this user will not be able to go any higher than that (chroot). But in Samba (this program serves as an SMB server) anonymous access is not provided.

Much to my regret, implementation of user access isolation is in germ. If you grant read access to a user, this user will be able to read all files from the medium. If you grant write rights – in much the same way, this user will be able to write and delete any files. You can see why it is so in the screenshot above: the files listed on the screenshot were created by different users via ftp and smb, but they all actually have one owner or group. This concerns the files created by anonymous users via ftp as well.

USR8200 security tests

The tests were carried out according to this technique.

The device has been scanned in two modes. The first mode featured the minimum security policy (all inbound and outbound connections were allowed) and the activated access to configuration interface on WAN:

Nessus reports:

• Abridged
• Full

Obviously, a lot of various problems are found as a result of full access (in reality, this configuration will hardly be chosen). But it should be noted that no serious vulnerabilities were found.

During scanning the device was operating all right, there were no reboots or freezes. But the security logs showed almost no signs of attack attempts or scanning.

Before the second scanning, we set the security policy to "block everything" and deselected all check boxes in Remote Administration (all possible access from outside was blocked). I will not publish Nessus reports, because there aren't any. That is nothing was found during scanning.

In other words, device security is on a high level.

Availability

Unfortunately, USR820 was not on sale when the review was written.

Conclusions

Secure Storage Router Pro (USR8200) from U.S.Robotics is a functional and a high-performance device. One can even say that it's a first device (in our lab), which possesses such an impressive set of functions, high performance, as well as a good security level.

If programmers corrected several bugs about access right isolation for users working with embedded SMB and FTP servers and some glitches in IPSec implementation, there would be practically nothing to nag at. Another obscurity – the device has the IPSec support and the console mode of control via telnet, why not add the ssh support?

Pros

• High routing performance (transfer between the LAN and WAN segments)
• IPSec/PPTP VPN server
• High performance of the embedded VPN server supporting IPSec
• Very rich settings of the IPSec protocol (including tunnel and transport mode support)
• Good performance of the embedded VPN server with the PPTP support
• IPSec/PPTP pass-through support
• Good security level
• Flexible and functional firewall
• Very detailed logs
• SNMP protocol support
• Embedded print server
• Embedded file server supporting SMB and FTP
• Remote control via telnet

Cons:

• It's impossible to add anonymous users to the IPSec server (without specifying an IP address)
• Implementation of the IPSec tunnel establishment algorithm does not allow to connect to a remote host directly (at minimum, you need another host specified as a gateway on WAN interface)
• L2TP pass-through is not supported
• Domain filtering does not support masking
• Some ambiguity with content filtering by subscription
• Lack of the external syslog server support (logs are stored locally or can be partially sent to emails)
• Possible incompatibilities with USB1.1 devices
• Certificate support in IPSec is not convenient, Radius server integration is not supported
• SSH control is not supported
• No anonymous access to a file server for Samba
• Primitive user access isolation on a file server (the owner of all files is the admin user)

Navigation:

• Overview, circuitry, and specifications
• Excursus to settings
• Performance tests
• Security tests, features of the embedded SMB and FTP servers, availability, and conclusions