Hi,
Today I installed ADSL broadband in my company. The ADSL modem is connected to the Ethernet hub. All workstations of the company's LAN have internet access through the ADSL modem, which has built-in routing, NAT, DNS and DHCP functionalities. The ADSL modem, an Aztech DSL 305EU, has an external interface (the one that talks to the WAN) which is assigned a public (but dynamic) IP address by the broadband service provider. The internal Ethernet interface, that is, the one that talks to the LAN, was assigned a private, static, non-routable IP address (from class 10.0.0.x).
At first I'd thought impersonation attacks, worms, trojans, viruses and other security issues wouldn't be a major concern as *all* workstations of the LAN are not visible from the outside world, and therefore a primary barrier to those security risks would be guaranteed. Wrong! As soon as the ADSL service went up, the antivirus software on the workstations threw alerts due to an infection attempt by the script Marco!.scr (an old worm, called Opasoft/Opaserv according to the different antivirus vendors, that exploits Windows systems with non-protected shares).
Then arose my doubts: if the workstations are not visible from the outside, how could the worm have found its way through the ADSL modem, which was supposed to expose only the external interface to the outside world and keep the internal secret? Now I'm convinced that NATting through private, non-public, non-routable IP addresses doesn't guarantee any security at all.
So, apart from keeping antivirus software and operating systems on the workstations patched and up to date, what other measures should I take to guarantee a higher degree of security? Sharing an ADSL broadband connection on a LAN must be one of the most (if not the most) common scenarios of ADSL usage. How is security implemented in these scenarios?
Thank you.
Fernando Ronci E-mail: snipped-for-privacy@hotmail.com