
Is this router that hard to config?

MojangYang
Solved by mynameisjuan:

No GUI. Huawei's CLI is a mix between HP and Cisco. If you don't know the basics to configure an enterprise router I would stay clear until you can brush up on it.

This is purely a router so there is no firewall feature so you would have to create basic ACLs which leave you quite exposed and to top it off you'll have to configure NAT, DHCP, wireless bridge...

It's far from plug and play.


37 minutes ago, mynameisjuan said:

No GUI. Huawei's CLI is a mix between HP and Cisco. If you don't know the basics to configure an enterprise router I would stay clear until you can brush up on it.

This is purely a router so there is no firewall feature so you would have to create basic ACLs which leave you quite exposed and to top it off you'll have to configure NAT, DHCP, wireless bridge...

It's far from plug and play.

You seem to know a lot about this, but does it really have no firewall? Not even a basic SPI firewall? I’m pretty sure most Cisco routers I’ve touched have had that, but they also make so many different SKUs with varying features, and maybe Huawei is the same. How does it handle NAT if it doesn’t have an SPI firewall? I’m most familiar with the design model that NAT and SPI are just two different functions of the same packet processing engine - e.g. the basic linux iptables. And if you don’t have an SPI firewall per se, if the router can NAT a large private IP pool to a single public IP, doesn’t that offer nearly the same security against inbound attacks?

 

EDIT: I haven’t read all the pages but they have an entire manual section for setting firewall on the AR150: https://support.huawei.com/enterprise/en/doc/EDOC1000174075/d42c5234/firewall-configuration


4 minutes ago, brwainer said:

Not even a basic SPI firewall

Stateful firewall, yes, but NAT is not a true firewall. 

 

6 minutes ago, brwainer said:

I’m pretty sure most Cisco routers I’ve touched have had that, but they also make so many different SKUs with varying features, and maybe Huawei is the same

ISRs do have IOS Firewall but that's what they are designed to do. ASRs have zone-based firewalls which are essentially ACLs and policies.

 

9 minutes ago, brwainer said:

I’m most familiar with the design model that NAT and SPI are just two different functions of the same packet processing engine - e.g. the basic linux iptables.

NAT is not a firewall and vice versa, but there are firewall-like properties as a side effect. The definition of a firewall is very vague; to be honest, I cannot tell you where the line in the sand is.

 

15 minutes ago, brwainer said:

if the router can NAT a large private IP pool to a single public IP, doesn’t that offer nearly the same security against inbound attacks?

It's a controversial topic. Yes an existing session needs to exist and an attacker needs to spoof an existing session to even get past NAT and most agree that there is no amount of vulnerabilities against this. But this doesn't protect the router itself which policies and ACLs will help mitigate attacks.

I wish I knew more about firewalls to give you better answers, but I won't know more until I am done my CCNP and get into CCNA security

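The distinction drawn in the post above, as an added example that is not part of the original thread: a toy Python model of a NAPT router showing that unsolicited inbound packets die for lack of a session, while packets addressed to the router's own services are only stopped by an input ACL. The `Router` and `Packet` names, addresses and ports are constructed for illustration, and the model assumes address-and-port-dependent NAT filtering.

```python
from dataclasses import dataclass, field

ROUTER_WAN = "203.0.113.1"  # constructed address (documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Router:
    input_acl: bool = False  # ACL on WAN traffic addressed to the router itself
    services: frozenset = frozenset({22, 23})  # hypothetical management ports
    nat: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port, peer_ip, peer_port)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host opens a connection, which creates the NAPT session."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.nat[wan_port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(ROUTER_WAN, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> str:
        """Decide what happens to a packet arriving on the WAN interface."""
        session = self.nat.get(pkt.dport)
        # Assumed address-and-port-dependent filtering: only the peer of an
        # existing session may use the mapping.
        if session and (pkt.src, pkt.sport) == session[2:]:
            return f"forward to {session[0]}:{session[1]}"
        if pkt.dport in self.services:
            # NAT has no say here: the packet is for the router's own service.
            return "drop: input ACL" if self.input_acl else "deliver to router service"
        return "drop: no NAT session"

def demo(input_acl: bool) -> list:
    r = Router(input_acl=input_acl)
    r.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    return [
        r.inbound(Packet("198.51.100.7", 443, ROUTER_WAN, 40000)),  # reply
        r.inbound(Packet("192.0.2.99", 4444, ROUTER_WAN, 40000)),   # unsolicited
        r.inbound(Packet("192.0.2.99", 4444, ROUTER_WAN, 23)),      # to router
    ]

if __name__ == "__main__":
    print(demo(False), demo(True), sep="\n")
```

Only the third result changes between `demo(False)` and `demo(True)`: the NAT table behaves the same in both runs, and the input ACL alone decides whether the management port is reachable from the WAN.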

3 hours ago, mynameisjuan said:

Stateful firewall, yes, but NAT is not a true firewall. 

 

ISRs do have IOS Firewall but that's what they are designed to do. ASRs have zone-based firewalls which are essentially ACLs and policies.

NAT is not a firewall and vice versa, but there are firewall-like properties as a side effect. The definition of a firewall is very vague; to be honest, I cannot tell you where the line in the sand is.

It's a controversial topic. Yes an existing session needs to exist and an attacker needs to spoof an existing session to even get past NAT and most agree that there is no amount of vulnerabilities against this. But this doesn't protect the router itself which policies and ACLs will help mitigate attacks.

I wish I knew more about firewalls to give you better answers, but I won't know more until I am done my CCNP and get into CCNA security

But what you've said more or less, and I'm not trying to put words in your mouth, is that this router, if properly configured with the firewall that it does support, is at least as secure as a regular SOHO router, or something like PFSense if you don't add any additional packages.

 

To me, a dedicated firewall appliance performs SPI and other filtering (especially subscription based threat blocking) when routing or as a transparent process (a bump in the wire), as opposed to a router with an SPI (e.g. iptables), which only does SPI for NATed traffic and the system's own inbound traffic. And then you have Unified Threat Management (UTM) which adds a bunch of other protection into the mix, like live antimalware inspection and mail inspection, and Next Gen Firewalls (NGFW) which do Layer 7 inspection - and those two are sometimes mixed together into a single unit.


2 hours ago, brwainer said:

But what you've said more or less, and I'm not trying to put words in your mouth, is that this router, if properly configured with the firewall that it does support, is at least as secure as a regular SOHO router, or something like PFSense if you don't add any additional packages.

Well, looking at the manual this is more like an ISR so it has basic firewall features but it is no more than bottom tier consumer routers. Check incoming packets, block port scanning, blacklisting, trusted zones. Again just glorified ACLs.

 

2 hours ago, brwainer said:

To me, a dedicated firewall appliance performs SPI and other filtering (especially subscription based threat blocking) when routing or as a transparent process (a bump in the wire), as opposed to a router with an SPI (e.g. iptables), which only does SPI for NATed traffic and the system's own inbound traffic

And yes I am with you. Firewalls provide a service, not just stateless/stateful checks. But like I said, I don't know where the line is drawn of what is and is not a firewall, technically speaking.
