Doubt about ADSL security.

Peter pboy at barkhof.uni-bremen.de
Thu Sep 2 23:53:20 UTC 2004


Am Do, den 02.09.2004 schrieb cviniciusm um 20:58:
> I have a nic card and a ADSL modem. The ADSL modem thas NAT, Firewall,
> IP Filter and DHCP Server. The nic card has a private IP address and
> the modem has a public IP address. All just works fine. The firewall
> has attack protection and DOS protection both active. Need I more
> protection, on Windows 2000 and on Fedora Core 2?

I suppose you don't have an ADSL modem but an ADSL modem router. 
I think, you are basically fine with that kind of equipment and you
should not have to worry about security too much. In the detail it
depends much on the ADSL modem routers manufacturer, but generally it is
the best way to protect yourself.

If you have a ADSL connection, you usually not own a static IP address
but use a dynamic address. DoS is usually not really a problem in this
situation.

You may check from another computer on the internet if / which ports are
open on your firewall (ports on the machines of your private network
doesn't matter). You may use one of the web services which check your
equipment for open ports, etc. (e.g. using nmap). But all ADSL modem
router manufacturer I know have a secure pre-configuration regarding
these issues.

With some products there are other issues. If your connection is time
based, you will shut it down if no traffic occures. One well known issue
is that some routers will not shut down if they receive traffic (e.g.
pings) from the public side, which costs your money, but is not a
security issue. Others don't even perform a time out. 

The firewall / NAT functionality does not protect you from attacks using
well known bugs in Internet Explorer or trojaners sent you by mail. You
have to take care about these issues as usual. But it should protect you
from getting infected by worms like sasser (which use specific open
ports in windows), but if you are infected by a worm like sasser in some
other way, your firewall may not prevent sasser from doing its job
(sending mail using it own smtp daemon). (That is because these
appliances are usually configured to allow all traffic initiated from
the inside and to disallow all traffic initiated from the public side).



Peter









More information about the users mailing list