How to secure a network that shares an ADSL service

Posted by fernandoronci on April 20, 2005, 10:24 pm


Hi,

Today I installed ADSL broadband in my company. The ADSL modem is
connected to the ethernet HUB. All workstations of the company's LAN
have internet access through the ADSL modem, which has built-in
routing, NAT, DNS and DHCP functionalities. The ADSL modem, an Aztech
DSL 305EU, has an external interface (the one that talks to the WAN)
which is assigned a public -but dynamic- IP address by the broadband
service provider. The internal ethernet interface, that is, the one
that talks to the LAN, was assigned a private, static, non-routable IP
address (from class 10.0.0.x). At first I'd thought impersonation
attacks, worms, trojans, virii and other security issues wouldn't be a
major concern as *all* workstations of the LAN are not visible from the
outside world, and therefore a primary barrier to those security risks
would be guaranteed. Wrong ! As soon as the ADSL service went up, the
antivirus software on the workstations threw alerts due to an infection
attempt by the script Marco!.scr (an old worm, called Opasoft/Opaserv
according to the different antivirus vendors, that exploits Windows
systems with non-protected shares). Then arose my doubts: if the
workstations are not visible from the outside, how could the worm have
found its way through the ADSL modem, which was supposed to expose only
the external interface to the outside world and keep the internal
secret ?
Now I'm convinced that NATting through private, non-public,
non-routable IP addresses doesn't guarantee any security at all.

So, apart from keeping antivirus software and operating systems on the
workstations patched and up to date, what other measures should I take
to guarantee a higher degree of security ?
Sharing an ADSL broadband connection on a LAN must be one of the most
(if not the most) common scenarios of ADSL usage. How is security
implemented in these scenarios ?

Thank you.

Fernando Ronci
E-mail: fernandoronci@hotmail.com



Posted by Robert Redelmeier on April 21, 2005, 5:57 am


fernandoronci@hotmail.com wrote:
> Now I'm convinced that NATting through private, non-public,
> non-routable IP addresses doesn't guarantee any security at all.

Just as wrong as your first assumption that a NAT solves everything.
NAT still gives you valuable protection against worms and other
attacks from outside your network. It does nothing against things
already inside, or brought in as trojans (email & webpage exploits).

> So, apart from keeping antivirus software and operating systems
> on the workstations patched and up to date, what other measures
> should I take to guarantee a higher degree of security ?

Scanning inbound email & locking down browsers would be
very helpful. Especially if you use MS-Outlook [Express]
and MS-InternetExplorer. NIST has a useful set of Registry
Settings if you're using MS-WindowsXP.

You should lockout outbound port 25 [except for hypersecure
mailservers] so that your network doesn't become a series of
zombie spam relays. If your workstations handle their own mail,
you should see if your ISP has an alternate SMTP port [524?]
available. There may be other ports you wish to block, but
exploits can leak out data via HTTP port 80.

-- Robert



Posted by David H. Lipman on April 22, 2005, 12:12 am



| Hi,
|
| Today I installed ADSL broadband in my company. The ADSL modem is
| connected to the ethernet HUB. All workstations of the company's LAN
| have internet access through the ADSL modem, which has built-in
| routing, NAT, DNS and DHCP functionalities. The ADSL modem, an Aztech
| DSL 305EU, has an external interface (the one that talks to the WAN)
| which is assigned a public -but dynamic- IP address by the broadband
| service provider. The internal ethernet interface, that is, the one
| that talks to the LAN, was assigned a private, static, non-routable IP
| address (from class 10.0.0.x). At first I'd thought impersonation
| attacks, worms, trojans, virii and other security issues wouldn't be a
| major concern as *all* workstations of the LAN are not visible from the
| outside world, and therefore a primary barrier to those security risks
| would be guaranteed. Wrong ! As soon as the ADSL service went up, the
| antivirus software on the workstations threw alerts due to an infection
| attempt by the script Marco!.scr (an old worm, called Opasoft/Opaserv
| according to the different antivirus vendors, that exploits Windows
| systems with non-protected shares). Then arose my doubts: if the
| workstations are not visible from the outside, how could the worm have
| found its way through the ADSL modem, which was supposed to expose only
| the external interface to the outside world and keep the internal
| secret ?
| Now I'm convinced that NATting through private, non-public,
| non-routable IP addresses doesn't guarantee any security at all.
|
| So, apart from keeping antivirus software and operating systems on the
| workstations patched and up to date, what other measures should I take
| to guarantee a higher degree of security ?
| Sharing an ADSL broadband connection on a LAN must be one of the most
| (if not the most) common scenarios of ADSL usage. How is security
| implemented in these scenarios ?
|
| Thank you.
|
| Fernando Ronci
| E-mail: fernandoronci@hotmail.com

Look and see if your ADSL Modem/Router has filtering and block both TCP and UDP
Ports 135 ~ 139 and 445.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
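
The filtering advice in the replies above (no outbound port 25 except from mail servers; TCP and UDP ports 135 to 139 and 445 blocked at the router) can be checked against flow records taken at the router. This is an added example, not part of any post in the thread; the 10.0.0.0/24 range, the mail-server address 10.0.0.5 and the log format are assumptions, and the records are constructed.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("10.0.0.0/24")   # assumption: the thread only says 10.0.0.x
MAIL_SERVERS = {"10.0.0.5"}                 # hypothetical host allowed to send SMTP
SHARE_PORTS = set(range(135, 140)) | {445}  # ports named in the thread

# Constructed flow records: "proto src_ip src_port dst_ip dst_port"
SAMPLE_LOG = """\
tcp 10.0.0.21 1045 192.0.2.10 80
tcp 10.0.0.21 1046 198.51.100.7 25
tcp 10.0.0.21 1047 198.51.100.8 25
tcp 10.0.0.5 2001 203.0.113.25 25
udp 10.0.0.33 137 203.0.113.77 137
tcp 203.0.113.9 4312 10.0.0.33 139
tcp 10.0.0.33 1060 10.0.0.21 445
"""

def classify(proto, src, dst, dport):
    """Return why a flow breaks the thread's filtering advice, or None."""
    src_in = ipaddress.ip_address(src) in LAN
    dst_in = ipaddress.ip_address(dst) in LAN
    if src_in == dst_in:
        return None  # LAN-to-LAN (or wholly external) traffic does not cross the NAT
    if proto in ("tcp", "udp") and dport in SHARE_PORTS:
        return "share-port-outbound" if src_in else "share-port-inbound"
    if proto == "tcp" and dport == 25 and src_in and src not in MAIL_SERVERS:
        return "smtp-from-workstation"
    return None

def audit(log_text):
    """Count policy violations per internal host."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed records
        proto, src, _sport, dst, dport = fields
        reason = classify(proto.lower(), src, dst, int(dport))
        if reason:
            host = src if ipaddress.ip_address(src) in LAN else dst
            findings[host][reason] += 1
    return {host: dict(reasons) for host, reasons in findings.items()}

if __name__ == "__main__":
    for host, reasons in sorted(audit(SAMPLE_LOG).items()):
        print(host, reasons)
```

Any host that appears in the output is either sending mail directly or has file-sharing traffic crossing the router, which means the filter is missing or not applied in that direction.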


