
Thread: Security Risks of Cable Modems

  1. #1

    Security Risks of Cable Modems

    originally posted here.
    Facing the security risks of cable modems

    Broadband connectivity has become the most sought after service for home and business computers. Getting 512 kilobit/s (kbps) or a Megabit for a small monthly fee is just too good to pass up. Many organisations are opting to install cable modem connections; according to the March 2002 issue of Cable Datacom News, more than 10 percent of the U.S. online community is connected via broadband. While the UK is behind this figure, penetration is growing here too.

    According to some precise definitions, cable modems are broadband connections, while DSL should more precisely be called a "baseband" connection, since it is not shared. However, in practice broadband simply means "fast" and is applied to both types of connection. This article will focus on the risks of cable, some of which also apply to DSL.

    Broadband offers many benefits, but the widespread use of broadband access is not all good news. Cable is insecure, and most organisations are completely unaware of these risks. However, there are some solutions and countermeasures for combating threats and protecting your data and your network.

    Network vulnerabilities
    The most often overlooked broadband vulnerability is the shared nature of cable connections. All subscribers in the local area--such as an entire building or a few city blocks--share the same subnet when connecting with a cable modem. Any other user in the area has the potential to launch attacks against your system. Even if you have great neighbours, your system is vulnerable simply because other systems can potentially connect to your network.

    Another vulnerability of broadband is that it's an always-on connection. Once a cable modem is deployed, your network is always connected to the Internet. When using a dial-up connection, logging off removes your system from the Internet completely. But with broadband, your system is constantly in harm's way. Attackers can launch assaults against your system 24/7.

    In addition to being permanently online, systems connected to cable modems have IP addresses that are either statically assigned or remain the same for an extended period of time. With dial-up access, every time you connect to the Internet you're assigned a different IP address. With broadband, you may have a single, dedicated IP address. At best, your system will automatically renew the assigned address each time your DHCP lease expires. Either way, you remain connected to the Internet with the same address for quite a while, making ongoing directed attacks against your system not just possible, but easy.

    One final but significant vulnerability is the speed that makes broadband so attractive to users. Once your network is compromised, high-speed connectivity allows the intruder to quickly deposit files, Trojan horses, and hacker toolkits, or download data, password files, and sensitive documents.

    Obviously, broadband's high speed comes with some serious downsides. Aside from the fundamentals of security, such as virus scanning and strong password access, you should implement a few key security measures before you even think about hooking up a cable modem.

    Get control of your shares
    A common way for intruders to gain access to a system is through its shared resources. Sharing resources among members of your local network is a key part of having a network. However, the freedom to share resources among trusted internal hosts should not be offered to unknown and possibly malicious external entities--particularly in a broadband environment where your IP address seldom changes. The ability to access files and printers across the network is made possible by a network service. On Microsoft operating systems, this is called the File and Printer Sharing service. This service should be disabled if a system connected to the cable modem shares no local resources other than Internet access. If the broadband system does share local resources, then unbind or disable the sharing service on the cable modem/broadband interface. Be sure that all resource shares are properly protected by access controls.

    Limit installed services
    Another means for attackers to break into a network is to exploit known vulnerabilities of common applications and services. When operating systems are first installed, many elements that you may not need or use are installed by default. To improve the security of the overall network, each system must be inspected for unneeded, unnecessary, and vulnerable applications and services. Disable or uninstall any service or application that you do not expressly need to accomplish network activities or work tasks.

    Buy a firewall
    To protect against directed attacks, port scanning, and much more, you need a firewall. If you have only a small network (such as less than 25 hosts), a basic firewall product will be sufficient, such as ZoneAlarm or ZoneAlarm Pro from Zone Labs or the built-in Internet Connection Firewall of Windows XP and the forthcoming Windows .Net Server. But, if you are a corporate broadband user, and your network hosts valuable resources and data, you need a full-featured hardware firewall product to protect the assets of your organisation. Firewalls filter traffic coming in from the Internet and flowing out from your computer. When properly configured, a firewall can protect you from most attacks perpetrated over the Internet and over broadband connections. Note: You can also download a freeware firewall and properly configure it to do the same thing for free.

    Employ NAT to limit your vulnerabilities
    A feature commonly found on firewalls, but also found on routers, proxies, and gateways, is Network Address Translation, or NAT. This nifty TCP/IP-addressing trick hides the actual IP addresses and network configuration of your internal network from the Internet. NAT usually is configured so that traffic can originate only from inside your network, not from outside. If any unrequested traffic is received by NAT, it just drops it, thus preventing most Internet attacks from even getting started. NAT also enables a single IP address assignment on a single computer to serve as the connection point for an entire network's access to the Internet. NAT is found in many products, and is even built into several operating systems. For example, Windows XP and 2000 include NAT in their native Internet Connection Sharing and Routing and Remote Access features. When NAT is deployed, attackers are able to attack only the interface connected to the Internet and cannot gain access to the rest of the network behind that connection.

    Invest in an intrusion system
    When a network is compromised by an attack, you may see an immediate effect, or the attack's impact may go unseen for a while. Most attacks, particularly Trojan horses and other hacks, don't cause easily noticeable effects right off the bat, so relying on the first visible event to inform you of a system breach is not a wise choice. Instead, you must deploy a detection system that can register the slight modifications and silent unauthorised activity that indicates a security breach.

    A detection system can be as simple as enabling the built-in auditing features of your operating system or as complex as deploying a full-featured intrusion detection system (IDS). Opting for either of these deployment options requires that you employ access control on all systems and resources. If you don't force user logon and user authorisation to access and manipulate resources, then you don't have accountability and have nothing to audit. Once activities on your system can be audited, then the event details produced by authorised and unauthorised activities leave a digital trail that you can manually or automatically (with the help of IDS) inspect.

    Don't leave the door open
    Broadband connectivity offers high-speed connectivity at seemingly low cost. But the underlying costs of ignoring the security risks inherent in broadband connectivity can be expensive. Taking advantage of this low-cost, high-speed resource will require preparation, and perhaps a little budget outlay, on the front end.
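
An added example, not part of the original post or the article it reproduces: one way to check the "Get control of your shares" and "Limit installed services" advice is to list which listening sockets are reachable on the cable-modem interface. The sample `netstat -an` text is constructed, the WAN address 203.0.113.25 is a documentation-range placeholder, and the function names are hypothetical.

```python
import ipaddress

# Ports used by Windows File and Printer Sharing and the RPC services behind it.
SHARING_PORTS = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
                 138: "NetBIOS datagram", 139: "NetBIOS session", 445: "SMB"}

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    203.0.113.25:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.25:3389      0.0.0.0:0              LISTENING
  TCP    203.0.113.25:1044      198.51.100.7:80        ESTABLISHED
  UDP    203.0.113.25:137       *:*
  UDP    192.168.0.1:138        *:*
"""

def parse_listeners(text):
    """Return (proto, ip, port) for each TCP listener and bound UDP socket."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if fields[0] == "TCP" and fields[-1] != "LISTENING":
            continue  # established or closing connections are not listeners
        host, _, port = fields[1].rpartition(":")
        listeners.append((fields[0], ipaddress.ip_address(host.strip("[]")), int(port)))
    return listeners

def exposed_on(wan_ip, listeners):
    """Listeners reachable from the broadband side: bound to the WAN address
    or to the wildcard address (all interfaces). Loopback and sockets bound
    only to an internal interface are skipped."""
    wan = ipaddress.ip_address(wan_ip)
    findings = []
    for proto, ip, port in listeners:
        if ip.is_loopback or (ip != wan and not ip.is_unspecified):
            continue
        kind = "sharing" if port in SHARING_PORTS else "review"
        findings.append((kind, proto, port, str(ip)))
    return sorted(findings)

if __name__ == "__main__":
    for kind, proto, port, ip in exposed_on("203.0.113.25", parse_listeners(SAMPLE_NETSTAT)):
        label = SHARING_PORTS.get(port, "is this service needed?")
        print(f"{kind:8} {proto} {ip}:{port}  {label}")
```

Entries marked `sharing` are the ones to unbind or disable on the broadband interface; entries marked `review` are other services to justify or remove.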

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    317
    The most often overlooked broadband vulnerability is the shared nature of cable connections. All subscribers in the local area--such as an entire building or a few city blocks--share the same subnet when connecting with a cable modem. Any other user in the area has the potential to launch attacks against your system. Even if you have great neighbours, your system is vulnerable simply because other systems can potentially connect to your network.
    I think that this info qualifies as useless trivia for the most part, but this portion is mostly true, merely lacking in information. (I suspect it beyond the scope of the article and general interest of most readers). The different portions of a city will be split into various nodes. Each node is capable of handling anything from 300-3000 simultaneous connections. It is typical that in areas where they are laying fiber all the way to the house, they will have 2-3 higher capacity nodes. The alternative is where they start laying coax right after the node, whereupon they will have 5-8 nodes to handle different portions of the townships. The part where it really gets weird is that often times there will be multiple gateways attached to each node. (i.e. a user in San Francisco may potentially have the same gateway as a user in neighboring Redwood City) Though there is a fairly substantial distance between the two, they will be on the same subnet even though the two separate nodes are in very different regions. At the same time, two users who live right next door to one another running through the same node will have completely different subnets and be run through completely separate gateways.
    Many of the newer nodes are being designed to prevent this from happening, though it not only interferes with file/printer sharing, but also with online gaming, p2p file sharing, WWW services, and FTP. The modems are also being configured with firmware revisions that should also prevent this type of thing from happening as well. The modem implemented solution has proven best as it allows the cable providers the ability to allow or deny business required application through use of a new modem flash received from a TFTP server. In the end, the goal of the company is not necessarily to keep the users honest, but help manage bandwidth across the network, so there are various loopholes in this topology.
    This information is not applicable to all Cable Broadband service providers, but many have adopted this form of network moderation.

    Any which way, I liked the article as it addressed many items that are commonly overlooked by the standard user before they begin using one of these services. Very cool.

    Hope I didn't bore you all senseless and thanks for the original post.
    Regards.
    "I believe that you can reach the point where there is no longer any difference between developing the habit of pretending to believe and developing the habit of believing."


  3. #3
    Junior Member
    Join Date
    May 2002
    Posts
    17
    Hey, thanx for the info... I live in south Texas and I just got Road Runner broadband. I got a firewall and I'm looking for a proxy or a router just for more protection. Having broadband is cool, but I did not know that it had its ups and downs.
    Well, thanx again
    light a candle for the sinners, set the world on fire

  4. #4
    I was gonna say more or less the same thing. And I have only ever heard of somebody getting into the computers of others connected to a local node once, and even then it was admitted by the ISP that they didn't provide good security. That part is rare. Very rare. Most ISPs put so much security in place to prevent this happening that it is pretty hard to do.

  5. #5
    Junior Member
    Join Date
    Jul 2002
    Posts
    10
    I have Cox High Speed, got a firewall, proxy, some methodus tools and I'm all set

  6. #6
    Banned
    Join Date
    Jun 2002
    Posts
    119
    Thanks a lot for the info, Remote_Access_. I've considered switching to a broadband connection, and this really helps clear up a lot of questions that I had.
