Security questions

Those who've read here recently have heard my pleas for help, and for those
who responded: Thank you!!!

Now, I've a question: Given that I'm running DSL through an Actiontec 1524
into the LAN, what are my security concerns?

This is what I get from the non-windows set-up page:

--------------------------------------------------------------------------------

[ Main ] | [ Setup ] | [ Status ] | [ Utilities ] | [ Help ]

Non-Windows Setup

Actiontec DSL Modem Setup Page
The following will setup the router to work with your DSL provider.

The Actiontec DSL modem setup page can be used to setup your modem for the
following configurations.
1) RFC1483 Bridged with DHCP. Bridging session terminated in the R1524SU via
a DHCP address from the ISP. DHCP/NAT is used on the LAN side to run
multiple LAN devices. (Same for RFC1483 Routed)
2) RFC1483 Bridged with Static IP. Bridging session terminated in the
R1524SU via a single Static IP address from the ISP. DHCP/NAT is used on
the LAN side to run multiple LAN devices. (Same for RFC1483 Routed)
3) PPPoA with dynamic IP Addressing. (Same for PPPoE)
4) PPPoA with a Single Static IP Address. (Same for PPPoE)

The advanced configuration session must be used to set the modem for
transparent bridging and PPPoA with a block of static IP addresses.

Please locate your Internet Service Provider(ISP) worksheet. The ISP
worksheet is required to complete the following. The ISP worksheet is sent
separately from your DSL fulfillment package directly from your ISP of
choice. If you do not have an ISP worksheet, please contact your ISP
directly.

ISP Protocol
Please select the protocol below listed on your ISP worksheet.

RFC1483 Bridged
RFC1483 Routed
PPPoA [selected]

ISP Username [xxxxxxxx]
ISP Password [**********]

PPPoE

ISP Username
ISP Password

IP Configuration
Please select your ISP addressing scheme listed on your ISP worksheet.

Dynamic [selected]
Static
IP
Subnet
Gateway

DNS Configuration

Dynamic [selected]
Static
Primary DNS
Secondary DNS

NOTE: This page will setup the router for use with your DSL provider. In
addition to setting up the router you may be required to perform additional
configuration changes on your computer.

Thank you for choosing DSL as your high-speed access of choice.

Please click the Save and Restart button below to save your settings and
restart your Gateway.



Copyright 2001-2002 Actiontec Electronics Inc.

--------------------------------------------------------------------------------

It says it can be configured as a bridge or as a router... or as PPPoATM.
What does that mean? Does that mean that it's not functioning as a router
after all? Does PPPoATM make the bridge/router choice irrelevant? If so,
how so?

Here's more:

--------------------------------------------------------------------------------


[ Main ] | [ Setup ] | [ Status ] | [ Utilities ] | [ Help ]

~~~~~~~~~~~~~~~~~

Advanced Setup

WAN IP Address
Wireless Settings
Wireless MAC Authentication
LAN IP Address
DHCP Server
Services Blocking
Website Blocking
VPN Pass Through
Remote Management
Port Forwarding
DMZ Hosting
Firewall
Dynamic Routing
NAT
Static Routing
MAC Address Cloning

Save and Restart

~~~~~~~~~~~~~~~~

WAN IP Address

Please make the appropriate selection for your Broadband connection.

Transparent Bridging (RFC1483 Bridged)
Obtain an IP Address through PPPoE
Obtain an IP Address through PPPoA [selected]
Obtain an IP Address through DHCP
Specify a Static IP Address

Encapsulation:

RFC1483 Bridged [selected]
RFC1483 Routed

Unnumbered Mode
VIP Mode
Unnumbered IP Address:
(Gateway Address)
(Unnumbered Subnet Mask)


Copyright 2001-2002 Actiontec Electronics Inc.

--------------------------------------------------------------------------------

Does this suggest that the thing is actually performing as a bridge, where
no protection is being provided?

The firewall setting is at basic, which seems to be the lowest setting.
Have to consult the users manual (didn't get one) to know what the other
settings comprise.

This is beginning to look to me like nothing more than a modem by itself. I
just grabbed RFC 1483 to study, but at first glance it doesn't suggest that
it addresses the router/bridge decision at all.

Perhaps it's just a matter of time before we start getting hit!! Comments?

Bill Tallman
--
Registered Linux User: #221586
Mdk-9.0 and IceWM
Gkrellm still watches over me...

William D. Tallman wrote:

> Those who've read here recently have heard my pleas for help, and for
> those
> who responded: Thank you!!!
>
> Now, I've a question: Given that I'm running DSL through an Actiontec
> 1524 into the LAN, what are my security concerns?
>
> This is what I get from the non-windows set-up page:
<snip>

Update:

I've got hold of the Users Guide and have set the thing for Medium Security.
High Security stopped both the Usenet and ftp; not acceptable... <grin>
Medium Security allows me to get out for anything, but nothing gets in, at
least for the following:

80, 53, 21, 23, 25, 110, 119, 7070, 1720, 1503, and 22.

Basic security is listed as NAT only.. <sigh>

Even High Security does not constitute even a basic firewall, as far as I'm
concerned. Looks like iptables will have to be reconfigured for the DSL
modem.

Hope someone makes some use of all this.

Thanks,

Bill Tallman
--
Registered Linux User: #221586
Mdk-9.0 and IceWM
Gkrellm still watches over me...

William D. Tallman <(E-Mail Removed)> wrote:
> Actiontec DSL Modem Setup Page
> The following will setup the router to work with your DSL provider.

> The Actiontec DSL modem setup page can be used to setup your modem for the
> following configurations.
> 1) RFC1483 Bridged with DHCP. Bridging session terminated in the R1524SU via
> a DHCP address from the ISP. DHCP/NAT is used on the LAN side to run
> multiple LAN devices. (Same for RFC1483 Routed)
> 2) RFC1483 Bridged with Static IP. Bridging session terminated in the
> R1524SU via a single Static IP address from the ISP. DHCP/NAT is used on
> the LAN side to run multiple LAN devices. (Same for RFC1483 Routed)


You probably want (1) or (2). Depends if you have a static address or
not. I would guess (1). Depends what your ISP/telco does.


> 3) PPPoA with dynamic IP Addressing. (Same for PPPoE)
> 4) PPPoA with a Single Static IP Address. (Same for PPPoE)

Nah. Proabably not.

> ISP Protocol
> Please select the protocol below listed on your ISP worksheet.

> RFC1483 Bridged
> RFC1483 Routed
> PPPoA [selected]

Whatever works. The simplest would be (1), but it depends what they do.


> ISP Username [xxxxxxxx]
> ISP Password [**********]

> PPPoE

> ISP Username
> ISP Password


You'd only need this if they have some form of ppp.


> IP Configuration
> Please select your ISP addressing scheme listed on your ISP worksheet.

> Dynamic [selected]

This means that the router doesn't present a fixed external IP, but
gets it via dhcp from a server on the ISP side.

> Static
> IP
> Subnet
> Gateway

> DNS Configuration

> Dynamic [selected]

ALl boring.

> Static
> Primary DNS
> Secondary DNS


> It says it can be configured as a bridge or as a router... or as PPPoATM.

No it doesn't. It's a router. But internally its architecture is more
complicated. And in particular it has multiple output ports that are
bridged together on the LAN side of the router.

> What does that mean? Does that mean that it's not functioning as a router
> after all? Does PPPoATM make the bridge/router choice irrelevant? If so,
> how so?


It's an unnecessary complication if your telco is your ISP. If your
telco is not your ISP, then it serves to connect you to your ISP over
your telco.


> Here's more:

Gah. Snip.


Peter

> Actiontec DSL Modem Setup Page


This doesnt run linux, ergo this isnt a linux question.

>
> ISP Protocol
> Please select the protocol below listed on your ISP worksheet.
>
> RFC1483 Bridged
> RFC1483 Routed
> PPPoA [selected]


One of these will work ! They are three alternatives.

PPPoA is a PPP connection between the modem and the ISP using ATM packets.

RFC1483 packets are IP packets over ATM. That means that you get no
features of PPP.
If ATM has week errror detection, you can get corrupt packets. Its actually
'cheaper' that PPPoA.


PPPoA is quite common for ADSL ISP's in Australia...

PPPoE is there to make the connection look like PPPoE&A. (its PPP over
ethernet over ATM ). Its just in case there is an issue with the ISP
handling PPPoA packets, like they were expecting everyone to be using PPPoE
on PC's, which of course talk to the modem via ethernet...



> ISP Username [xxxxxxxx]
> ISP Password [**********]

you got those two , havent you ? you dont need me to get them for you ?


> IP Configuration
> Please select your ISP addressing scheme listed on your ISP worksheet.
>
> Dynamic [selected]
> Static
> IP
> Subnet
> Gateway


yeah dynamic should work - I mean this is a retail product, not a complex
business site setup.



> DNS Configuration
>
> Dynamic [selected]
> Static
> Primary DNS
> Secondary DNS

dynamic means it will get the IP address of the dns servers from the ISP.

static means it will use whatever DNS server you tell it

primary and secondary --- sounds like it can clone pages from a real DNS
server and pretend to be real but I dont know, it doesnt seem important.


> It says it can be configured as a bridge or as a router... or as PPPoATM.
> What does that mean? Does that mean that it's not functioning as a router
> after all? Does PPPoATM make the bridge/router choice irrelevant? If so,
> how so?


No, its only going to act as a router.

These are just protocol selection, the details of which are not important.

The routing and firewalling will still work for you, which ever one of this
works.
you could leave it on PPPoA, that will probably work.


>
> Here's more:
>
> --------------------------------------------------------------------------
------
>
>
> [ Main ] | [ Setup ] | [ Status ] | [ Utilities ] | [ Help ]
>
> ~~~~~~~~~~~~~~~~~
>
> Advanced Setup
>
> WAN IP Address
> Wireless Settings
> Wireless MAC Authentication
> LAN IP Address
> DHCP Server
> Services Blocking
> Website Blocking
> VPN Pass Through
> Remote Management
> Port Forwarding
> DMZ Hosting
> Firewall
> Dynamic Routing
> NAT
> Static Routing
> MAC Address Cloning
>
> Save and Restart
>
> ~~~~~~~~~~~~~~~~
>
> WAN IP Address
>
> Please make the appropriate selection for your Broadband connection.
>
> Transparent Bridging (RFC1483 Bridged)
> Obtain an IP Address through PPPoE
> Obtain an IP Address through PPPoA [selected]
> Obtain an IP Address through DHCP
> Specify a Static IP Address
>
> Encapsulation:
>
> RFC1483 Bridged [selected]
> RFC1483 Routed
>
> Unnumbered Mode
> VIP Mode
> Unnumbered IP Address:
> (Gateway Address)
> (Unnumbered Subnet Mask)
>
>
> Copyright 2001-2002 Actiontec Electronics Inc.
>
> --------------------------------------------------------------------------
------
>
> Does this suggest that the thing is actually performing as a bridge, where
> no protection is being provided?
>
> The firewall setting is at basic, which seems to be the lowest setting.
> Have to consult the users manual (didn't get one) to know what the other
> settings comprise.
>
> This is beginning to look to me like nothing more than a modem by itself.
I
> just grabbed RFC 1483 to study, but at first glance it doesn't suggest
that
> it addresses the router/bridge decision at all.


As PPPoA and IPoA are definitely routing , that makes it a router/firewall
for sure.

Bridging .. well you arent using bridging as your ISP would have to tell you
a lot of details.

Just turn on PPPoA and it will work.

> Does this suggest that the thing is actually performing as a bridge, where
> no protection is being provided?
>
> The firewall setting is at basic, which seems to be the lowest setting.
> Have to consult the users manual (didn't get one) to know what the other
> settings comprise.
>
> This is beginning to look to me like nothing more than a modem by itself. I
> just grabbed RFC 1483 to study, but at first glance it doesn't suggest that
> it addresses the router/bridge decision at all.
>
> Perhaps it's just a matter of time before we start getting hit!! Comments?
>
> Bill Tallman

You might try looking at some of the networking 'HOWTO' articles from
www.tldp.org (they may also be installed on your system - probably
somewhere under /usr/share).