bob prohaska
Guest
|
Posted:
Wed Nov 03, 2004 3:53 am Post subject:
DSL router security |
Hi folks,
I've recently started using DSL service from SBC/Yahoo using
the Cayman 3546 router supplied as part of the deal.
The notion that hosts need to be secured against attack and
compromise has long been with me, but I've always thought of
routers as "too dumb to corrupt". There are suggestions that
modern routers are indeed corruptible; the 200+ page manual
for the Cayman defies any quick read and implies it has ability
and intelligence not apparent to the casual user.
If I wanted to explore this issue a little further, where's
a good place to go fishing? Alternate spelling welcomed 8-)
bob prohaska |
 |
George Pontis
Guest
|
Posted:
Wed Nov 03, 2004 9:40 pm Post subject:
Re: DSL router security |
In article <cm9koh$sl3$1@agate.berkeley.edu>, bp@fib.eecs.berkeley.edu says...
| Quote: | Hi folks,
I've recently started using DSL service from SBC/Yahoo using
the Cayman 3546 router supplied as part of the deal.
The notion that hosts need to be secured against attack and
compromise has long been with me, but I've always thought of
routers as "too dumb to corrupt". There are suggestions that
modern routers are indeed corruptible; the 200+ page manual
for the Cayman defies any quick read and implies it has ability
and intelligence not apparent to the casual user.
If I wanted to explore this issue a little further, where's
a good place to go fishing? Alternate spelling welcomed 8-)
|
The Cayman 3546 is a good unit, but any router is interacting with the incoming
packets. If there is a weakness in the router's code and it is exploited, then a
problem occurs at some level. I know of an Efficient router that had such a
weakness but the exploit only took the router off line so it had to be rebooted.
There was a workaround and later a firmware update that fixed it. The great
majority of attacks are aimed at Windows PCs. A very much smaller number target
routers, usually Cisco since they are most common at big sites. Your actual
exposure to an attack through failure of the 3546 is very small. Much less than to
an attack on the machines that it serves if they are browsing the internet,
opening email attachments, or clicking on HTML links within an email. The firewall
will not protect you against many of these things because they are initiated by a
user and appear to be legitimate activity. The firewall will stop attack traffic
that comes off the internet looking for a weak machine.
That said, you should take some basic steps to disable WAN administration, enable
the firewall and change the default password. There is a FAQ that tells how to do
this and much more, at dslreports.com. Go to the forums, equipment support,
Netopia/Cayman. Click on "Cayman FAQ" and browse for security stuff, especially
the item on configuring advanced security. |
 |
bob prohaska
Guest
|
Posted:
Thu Nov 04, 2004 3:08 am Post subject:
Re: DSL router security |
George Pontis <gpontis@spamcop.net> wrote:
| Quote: | this and much more, at dslreports.com. Go to the forums, equipment support,
Netopia/Cayman. Click on "Cayman FAQ" and browse for security stuff, especially
the item on configuring advanced security.
|
Thanks George!
bob prohaska |
 |
wkearney99
Guest
|
Posted:
Fri Nov 05, 2004 6:55 pm Post subject:
Re: DSL router security |
| Quote: | That said, you should take some basic steps to disable WAN administration
|
This is often the BEST way to prevent attacks. If a unit has a serial port
it's often best to completely disable ALL network administration interfaces.
A router, once configured, isn't something that usually requires any sort of
regular admin access. So having to use a serial connection directly to it
really isn't all that inconvenient. It's the interval between startup and
reaching a "well configured" state that's a risk. In those cases it's
always good to disable ANY sort of admin access from the WAN side. Better
to ssh into an internal host and then telnet back to the router from the
inside. This is also the way someone might hack into it thus the reason for
completely disabling network access to admin functions.
-Bill Kearney |
 |
bob prohaska
Guest
|
Posted:
Sat Nov 06, 2004 2:59 am Post subject:
Re: DSL router security |
wkearney99 <wkearney99@hotmail.com> wrote:
| Quote: | reaching a "well configured" state that's a risk. In those cases it's
always good to disable ANY sort of admin access from the WAN side. Better
|
If I'm reading the manual correctly, admin access is only through
the LAN side in the default setup. That would seem to preclude
attack on the router until a successful attack on an internal host
was pulled off. If that's done I don't see any point in fooling
with the router.
Now, if the internal server happens to be watching both the internal
and external interfaces, I agree it's not a good thing.....8-)
The serial console port is obviously safest, but given the complexity
of the router the Web interface is very helpful to a beginner.
bob prohaska |
 |
wkearney99
Guest
|
Posted:
Sat Nov 06, 2004 7:10 pm Post subject:
Re: DSL router security |
"bob prohaska" <bp@fib.eecs.berkeley.edu> wrote in message
> If I'm reading the manual
| Quote: |
The serial console port is obviously safest, but given the complexity
of the router the Web interface is very helpful to a beginner.
|
What's helpful to the beginner is to understand the risks of connecting to
the Internet. And how those risks can be mitigated through some fairly
simple procedures. Recognizing, of course, that many SoHo routers don't
even have serial console ports.
-Bill Kearney |
 |
Guest
|
Posted:
Mon Nov 08, 2004 4:07 am Post subject:
Re: DSL router security |
bob prohaska <bp@fib.eecs.berkeley.edu> writes:
| Quote: | If I'm reading the manual correctly, admin access is only through
the LAN side in the default setup. That would seem to preclude
|
But you'll never know for sure until you test it all yourself.
Billy Y.. |
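
The advice in this thread to disable WAN administration, and the closing point about testing it yourself, can be checked with a short script. This is an added example, not part of the original thread: the port list is an assumption (common SoHo admin services, not taken from the Cayman manual), and the script is meant to be run from a host outside the LAN against your own router's WAN address.

```python
import socket
import sys

# Assumed list of common SoHo admin services; not taken from the Cayman manual.
ADMIN_PORTS = {23: "telnet", 80: "http", 443: "https"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' (refused) or 'filtered' (no reply)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout or unreachable: no answer came back
        return "filtered"
    finally:
        sock.close()


def audit(host, ports=ADMIN_PORTS, timeout=2.0):
    """Probe every admin port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def exposed(results):
    """Ports that accepted a connection, i.e. admin access reachable from here."""
    return sorted(port for port, state in results.items() if state == "open")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: wan_admin_check.py <your-router-WAN-address>")
    results = audit(sys.argv[1])
    for port, state in sorted(results.items()):
        print(f"{port:>5} {ADMIN_PORTS[port]:<6} {state}")
    # Non-zero exit status when any admin port answered from this vantage point.
    sys.exit(1 if exposed(results) else 0)
```

Every port reporting "closed" or "filtered" from outside is the result the advice above aims for; running the same check from the LAN side shows which services the router offers internally.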