Security with DSL and Cable Modems

These services leave you wide open to invasion by hackers, crackers and "script kiddies".


The Problem

"Broadband" Internet access is being aggressively marketed with all the care and integrity we have come to expect from telephone and cable companies. There are some things they don't tell you about.

Network disruption: Installation of a broadband service may prevent you from accessing other devices on your network, such as print servers, Linux/Samba file servers, etc. which normally have "private" IP addresses. The installer typically replaces the PC's TCP/IP settings with the provider's own, leaving it on a different subnet from those devices.

Security: An Internet connection is a two way connection. Any computer attached to the Internet can be invaded through that connection. If that computer is attached to a network, the entire network is exposed to attack.

Why Wasn't this a Problem Before?

  • It was, but not a significant problem, because IP addresses changed frequently. Small offices formerly connected to the Internet with modems. Connect sessions were short and had a different IP address every time, so an invader would have to act very quickly.
  • Modem connections are also usually completely separate from your internal network and do not interfere with it.
  • Office networks ran NetBIOS or IPX network protocols, neither of which is carried across the Internet, so a possible invasion was limited to the single computer with the modem.
  • Hackers were few, highly skilled and attracted only to high profile targets. "Security through Obscurity" was acceptable for many small offices.

Why is it a Problem Now

  • DSL and Cable Modem Internet connections are "always on". Even where the address is assigned by DHCP it rarely changes, so effectively you have a "static" IP address, making you an easy invasion target.
  • DSL and Cable Modems put your internal network at the service of the access provider. They configure it for their needs, which may disrupt your internal services.
  • Remote-control trojans of the "Back Orifice" type propagate like viruses. If a computer on your network gets infected, it emails your IP address and passwords to the perpetrator. "Security through Obscurity" no longer exists.
  • Thousands of "script kiddies" now download sophisticated "point and click" invasion tools that automatically search for exposed computers to play with.
  • TCP/IP is rapidly displacing NetBIOS and IPX on office networks making the entire network accessible from the Internet.
  • The rise of an Internet criminal class. Wherever there is an easy vulnerability, lowlife is attracted to it. Data theft and data blackmail are becoming common, and "industrial espionage" is an aggressively marketed service.
  • A uniform Microsoft Windows environment features low to no security and complete "integration", allowing rapid dispersal of virus-like hacking tools and easy access to all resources once the network is breached. Then your network becomes a launching pad for invasion of other networks.

How Likely is an Invasion?

Very. A security expert recently installed a new cable modem at his home. It took him half an hour to get his firewall up. Within that time, someone was already examining the contents of his hard disk.

Brian Livingston, respected author and InfoWorld columnist has written a series of columns on the subject, starting with High speed Internet access can be harmful to your health and the health of your PC (25 Oct '99). Though his column aims at the home PC and home network, the problems are even greater for business networks.

Many other security experts have provided similar warnings.

Note: If you get your Internet service by simply plugging into a network jack provided by your office building's Internet service, they may be providing a private IP address that provides good protection except from people in the same building.

One of our clients recently installed a new computer. Instead of connecting to their network, it connected to the network of another tenant through the Internet access system. This is not what I'd call secure. Of course our client is firewalled, in fact they have two firewalls so accounting is secured from the rest of the employees.

The company maintaining the Internet access system for this building assured everyone they were firewalled - and they were, from the outside - but now the network is misconfigured and everyone is open to invasion from the inside too, unless they have their own firewall.

Note: Cable Modem service has additional network security problems because you are on a LAN (Local Area Network) with everyone else on that leg of the cable. This can make invasion of your computer stupefyingly simple. Some cable providers encrypt network traffic to prevent this, others don't. If you are networked in your office using the Windows default settings, your hard disks, printers and other resources may even show up in other people's "Network Neighborhood". At minimum, unbind File and Printer Sharing from the TCP/IP adapter that faces the cable modem; better, put a router between the modem and your network, as described below.

Solving the Problem

A permanent solution for these Internet access problems is imperative for several reasons:
  • More and more employees will require extensive Internet access as more and more types of business communications move to the Internet.
  • Everything on your internal network will be moving to TCP/IP, including Novell NetWare and Microsoft Windows 2000. You will not be able to escape IP addressing.
  • "Breaking and entering" of private networks will continue to grow rapidly as tools to do so become more common and require less and less skill.

An individual or home office with a single PC can use a personal firewall product like Zone Alarm, a product of ZoneLabs. It can be downloaded free for hobbyist use, $19.95 for business users.

For a small office with a network, the most effective and easily maintained solution is to use unroutable "private" IP addresses within the network and access the Internet through an IP masquerading ("masq") or NAT router. Automation Access offers several ways to install this class of protection.

  • 1. Internet sharing Software: This was once a practical solution, but the advent of low cost firewall routers has made it too expensive by comparison. The software itself runs between $50 and $250 depending on the number of users and the platform. Installation and configuration would add $150 or more depending on the number of computers and other factors.

    If you already have an up-to-date Linux computer, software cost would be $0.

    Advantages:

    • Can be the lowest cost solution (Linux on existing hardware).

    Disadvantages:

    • Places additional load on one of your computers.
    • Not as secure as other methods - the firewall is also an "in use" workstation or server.
    • If on a Windows computer, your Internet gateway will crash every time Windows crashes. An additional software package increases the likelihood of Windows crashing. The software will have to be reinstalled and reconfigured every time Windows needs to be reinstalled.

  • 2. Linux Software on a Surplus Computer: This was once a preferred solution, but with the appearance of very low cost firewall routers it is not practical unless you have unusual needs.

    A fast 486 or better can be used as a masq router running under Linux, using the kernel's IP masquerading feature (ipchains on 2.2 kernels, the iptables MASQUERADE target on later ones). A monitor and keyboard are not required once the system is configured. Cost to prepare and configure an older computer you already own would be around $450.

    Advantages:

    • Does not place additional load on any server or workstation.
    • Low cost, stable, highly configurable, highly secure.
    • Could also be used as a print server.

    Disadvantages:

    • An additional box in your office (but doesn't need monitor or keyboard).
    • May require pulling one or two network cables depending on where the Linux box and the DSL / cable device are located.
    • Requires normal PC maintenance.

  • 3. Firewall Router: This solution takes little space and may not require pulling any cables depending on where your Network hub and DSL / cable device are located.

    Cost of firewalls varies widely. Once expensive, they can now be had for as little as $100 for one suitable for home or small office, $200 with integrated network hub. More capable ones with more filtering options and better ability to allow controlled access through the firewall run about $650. Beyond that are big company firewalls costing thousands of dollars.

    There are some costs for installation, but they are minimal, unless you also need incoming access through the firewall, or content filtering (blocking porn sites, etc.). Then labor costs become very significant.

    Advantages:

    • Very small box can be put almost anywhere.
    • Highest possible reliability.
    • Highest security in a low cost firewall.
    • Low power consumption.
    • Software is available to do extensive Internet filtering (porn, sports, gambling and other undesirable sites).

    Disadvantages:

    • None significant, provided the unit's firmware is kept up to date.

NAT, PAT, masq: What Are They?

These are address translation functions performed by a router, not protocols in their own right. A router is a device that connects one network to another network. In this case, your business network and the Internet. For a plain router, traffic is simply passed through in both directions and all computers have their own "routable" IP address, and those addresses must be assigned by proper authority (and usually handed to you by your ISP). This is how the routers that make up the Internet work.

A router offering NAT, PAT or masq requires only one IP address from your ISP, because all the computers on your network have special non-routable "private" IP addresses (the 10.x.x.x, 172.16-31.x.x and 192.168.x.x blocks). The differences are subtle: NAT rewrites addresses, PAT ("port address translation") also rewrites port numbers so that many workstations can share one address, and "masq" is simply the Linux name for the same thing. These private addresses are not vulnerable to hackers because they can't pass through the routers that make up the Internet, or even through the router that connects you to the Internet.

When the router sees a request for an address not on the private network, it records in a translation table which private address and port it came from, sets the "from" address to that one routable IP address (and the port to one it has reserved), and sends it out on the Internet. When a reply comes back, the router looks up that port in the table, re-addresses the packet for the private network and sends it to the correct workstation.

Even if a hacker knows the exact IP address of your workstation, he can't send anything to it because no router will pass that address through. Only replies to requests from your workstation can get through. If he knows that one routable IP address your router uses, he still can't get through, because your router will just drop his packets because they don't match any entry in its table. Note what this does and does not protect against: it blocks unsolicited connections from outside, but it does nothing about a trojan already inside that opens its own outbound connection (the "Back Orifice" case above), and any "port forwarding" you set up for incoming access re-exposes that one host.
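The following is an added example, not code from the original page or from any router vendor: a small Python model of the translation table described above and used by the masq router (option 2) and firewall router (option 3). It shows a workstation's request being rewritten to the router's one routable address, the reply being mapped back, and three outsider packets being dropped. All addresses and ports are constructed sample data (RFC 5737 documentation ranges stand in for the "public" Internet); the class and function names are the example's own.

```python
"""Toy model of a NAT/PAT ("masq") router.

Added example, not code from the original page: it models the translation
table a masquerading router keeps so that many private-address workstations
share one routable address, and shows why unsolicited packets from the
Internet are dropped. All addresses and ports are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# RFC 1918 "private" blocks: never forwarded by the routers of the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


@dataclass
class NatRouter:
    public_ip: str                 # the one routable address from the ISP
    next_port: int = 40000         # next free public port to hand out (PAT)
    # (inside_ip, inside_port, remote_ip, remote_port) -> public port
    table: dict = field(default_factory=dict)
    # public port -> (inside_ip, inside_port, remote_ip, remote_port)
    reverse: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet: rewrite the source to the router's public address."""
        if not is_private(pkt.src):
            self.log.append(f"drop out: non-private source {pkt.src}")
            return None
        if is_private(pkt.dst):
            # Private destinations stay on the LAN; they are never sent out.
            self.log.append(f"drop out: private destination {pkt.dst}")
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.table.get(key)
        if port is None:
            port = self.next_port          # reserve a fresh public port
            self.next_port += 1
            self.table[key] = port
            self.reverse[port] = key
        return Packet(self.public_ip, port, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: only replies matching an existing entry get through."""
        if pkt.dst != self.public_ip:
            # A packet aimed at a private address would never reach us anyway.
            self.log.append(f"drop in: {pkt.dst} is not our public address")
            return None
        entry = self.reverse.get(pkt.dport)
        if entry is None:
            self.log.append(f"drop in: no table entry for public port {pkt.dport}")
            return None
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            # The port is in use, but this sender is not the host that was asked.
            self.log.append(f"drop in: {pkt.src}:{pkt.sport} does not own port {pkt.dport}")
            return None
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.payload)


def demo():
    """A workstation fetches a web page; an outsider tries three ways in."""
    r = NatRouter(public_ip="203.0.113.7")
    ws, web, attacker = "192.168.1.10", "198.51.100.20", "192.0.2.66"

    out = r.outbound(Packet(ws, 1025, web, 80, "GET / HTTP/1.0"))
    reply = r.inbound(Packet(web, 80, r.public_ip, out.sport, "HTTP/1.0 200 OK"))

    attempts = (
        r.inbound(Packet(attacker, 31337, ws, 139)),                 # private destination
        r.inbound(Packet(attacker, 31337, r.public_ip, 139)),        # no table entry
        r.inbound(Packet(attacker, 31337, r.public_ip, out.sport)),  # guessed the port
    )
    return out, reply, attempts, r.log


if __name__ == "__main__":
    out, reply, attempts, log = demo()
    print("outbound rewritten to", out.src, out.sport)
    print("reply delivered to", reply.dst, reply.dport)
    print("\n".join(log))
```

The model deliberately requires an inbound packet to come from the exact host and port the workstation contacted before it is passed inside; cheaper routers may be looser and accept any sender on a mapped port, which is one of the "subtle differences" between NAT implementations. Nothing here inspects the payload, which is why a trojan that calls out from inside still gets through.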

©:Andrew Grygus - Automation Access - www.aaxnet.com - aax@aaxnet.com