July 10th, 2002, 05:54 AM
Security Risks of Cable Modems
originally posted here.
Facing the security risks of cable modems
Broadband connectivity has become the most sought after service for home and business computers. Getting 512 kilobit/s (kbps) or a Megabit for a small monthly fee is just too good to pass up. Many organisations are opting to install cable modem connections; according to the March 2002 issue of Cable Datacom News, more than 10 percent of the U.S. online community is connected via broadband. While the UK is behind this figure, penetration is growing here too.
According to some precise definitions, cable modems are broadband connections, while DSL should more precisely be called a "baseband" connection, since it is not shared. However, in practice broadband simply means "fast" and is applied to both types of connection. This article will focus on the risks of cable, some of which also apply to DSL.
Broadband offers many benefits, but the widespread use of broadband access is not all good news. Cable is insecure, and most organisations are completely unaware of these risks. However, there are some solutions and countermeasures for combating threats and protecting your data and your network.
The most often overlooked broadband vulnerability is the shared nature of cable connections. All subscribers in the local area--such as an entire building or a few city blocks--share the same subnet when connecting with a cable modem. Any other user in the area has the potential to launch attacks against your system. Even if you have great neighbours, your system is vulnerable simply because other systems can potentially connect to your network.
Another vulnerability of broadband is that it's an always-on connection. Once a cable modem is deployed, your network is always connected to the Internet. When using a dial-up connection, logging off removes your system from the Internet completely. But with broadband, your system is constantly in harm's way. Attackers can launch assaults against your system 24/7.
In addition to being permanently online, systems connected to cable modems have IP addresses that are either statically assigned or remain the same for an extended period of time. With dial-up access, every time you connect to the Internet you're assigned a different IP address. With broadband, you may have a single, dedicated IP address. At best, your system will automatically renew the assigned address each time your DHCP lease expires. Either way, you remain connected to the Internet with the same address for quite a while, making ongoing directed attacks against your system not just possible, but easy.
One final but significant vulnerability is the speed that makes broadband so attractive to users. Once your network is compromised, high-speed connectivity allows the intruder to quickly deposit files, Trojan horses, and hacker toolkits, or download data, password files, and sensitive documents.
Obviously, broadband's high speed comes with some serious downsides. Aside from the fundamentals of security, such as virus scanning and strong password access, you should implement a few key security measures before you even think about hooking up a cable modem.
Get control of your shares
A common way for intruders to gain access to a system is through its shared resources. Sharing resources among members of your local network is a key part of having a network. However, the freedom to share resources among trusted internal hosts should not be offered to unknown and possibly malicious external entities--particularly in a broadband environment where your IP address seldom changes. The ability to access files and printers across the network is made possible by a network service. On Microsoft operating systems, this is called the File and Printer Sharing service. This service should be disabled if a system connected to the cable modem shares no local resources other than Internet access. If the broadband system does share local resources, then unbind or disable the sharing service on the cable modem/broadband interface. Be sure that all resource shares are properly protected by access controls.
Limit installed services
Another means for attackers to break into a network is to exploit known vulnerabilities of common applications and services. When operating systems are first installed, many elements that you may not need or use are installed by default. To improve the security of the overall network, each system must be inspected for unneeded, unnecessary, and vulnerable applications and services. Disable or uninstall any service or application that you do not expressly need to accomplish network activities or work tasks.
Buy a firewall
To protect against directed attacks, port scanning, and much more, you need a firewall. If you have only a small network (such as less than 25 hosts), a basic firewall product will be sufficient, such as ZoneAlarm or ZoneAlarm Pro from Zone Labs or the built-in Internet Connection Firewall of Windows XP and the forthcoming Windows .Net Server. But, if you are a corporate broadband user, and your network hosts valuable resources and data, you need a full-featured hardware firewall product to protect the assets of your organisation. Firewalls filter traffic coming in from the Internet and flowing out from your computer. When properly configured, a firewall can protect you from most attacks perpetrated over the Internet and over broadband connections. Note: You can also download a freeware firewall and properly configure it to do the same thing for free.
Employ NAT to limit your vulnerabilities
A feature commonly found on firewalls, but also found on routers, proxies, and gateways, is Network Address Translation, or NAT. This nifty TCP/IP-addressing trick hides the actual IP addresses and network configuration of your internal network from the Internet. NAT usually is configured so that traffic can originate only from inside your network, not from outside. If any unrequested traffic is received by NAT, it just drops it, thus preventing most Internet attacks from even getting started. NAT also enables a single IP address assignment on a single computer to serve as the connection point for an entire network's access to the Internet. NAT is found in many products, and is even built into several operating systems. For example, Windows XP and 2000 include NAT in their native Internet Connection Sharing and Routing and Remote Access features. When NAT is deployed, attackers are able to attack only the interface connected to the Internet and cannot gain access to the rest of the network behind that connection.
Invest in an intrusion system
When a network is compromised by an attack, you may see an immediate effect, or the attack's impact may go unseen for a while. Most attacks, particularly Trojan horses and other hacks, don't cause easily noticeable effects right off the bat, so relying on the first visible event to inform you of a system breach is not a wise choice. Instead, you must deploy a detection system that can register the slight modifications and silent unauthorised activity that indicates a security breach.
A detection system can be as simple as enabling the built-in auditing features of your operating system or as complex as deploying a full-featured intrusion detection system (IDS). Opting for either of these deployment options requires that you employ access control on all systems and resources. If you don't force user logon and user authorisation to access and manipulate resources, then you don't have accountability and have nothing to audit. Once activities on your system can be audited, then the event details produced by authorised and unauthorised activities leave a digital trail that you can manually or automatically (with the help of IDS) inspect.
Don't leave the door open
Broadband connectivity offers high-speed connectivity at seemingly low cost. But the underlying costs of ignoring the security risks inherent in broadband connectivity can be expensive. Taking advantage of this low-cost, high-speed resource will require preparation, and perhaps a little budget outlay, on the front end.