* Michael Paarmann wrote on Wed, Jan 30, 2002 at 22:42 +0100:
Does anyone know, if it is a security risk when i connect a DSL modem by the TELEKOM with a switch and the computer with the pppoed demon is connected via a switch to the modem and not directly?
Theoretically it is a small risk I think. The most worst part is, that any client could physically connect the modem with PPPoE. I don't know if it's possible to have two clients connected to the Modem at the same time, but a workstation could use some faked packets to make the router believe that the Modem is disconnected and may "get" the modem directly. This "tunnels" all your firewall configuration.
I'm not sure, if somebody can hack or modify different packets, so that they don't reach the pc with the pppoed demon but another local workstation.
With soem ARP spoof such things should be possible. But I cannot imagine how this could be done from outside the LAN. So I think this questions heavily depends on how much so you trust your LAN and clients/workstations.
The T-DSL modem is not a real router (Modem by SIEMENS) and it can only be connected by one single pc, but is real safe ? Has anybody a hint ? Thanx a lot in advance.
The modem trusts any PPPoE speaking client of course, and AFAIK you have no change to configure the Modem to accept a single MAC address only. Maybe your Switch have a VLAN possibility? This should solve the issue, maybe. Otherwise, a intruder could infect a workstation i.e. by a email virus or similar, install some PPPoE implementation of it and launch it. Doing some ARP spoof or maybe just some flooding this workstation should able to get the Modem and use it. You should notice this case since I think your router would lose it's uplink, but propably you would assume a T-Online problem and don't take any action. I think this attack scenario wouldn't be common, since it requires that the intruders knows some details about your network and would need a very special (PPPoE-compatible) infection package. I think it has to be created, AFAIK it's not common available. So script kiddies would not able to do it. But if you consider the possibility of straigt forward to you directed attacks which would invest some ammount of money and time to hack your network, you shouldn't do it. But I think for standard offices with no really important data it may be a way, but not the recommended one. In home network I use DSL from a switch, but I wouldn't use such configurations for companies who have the money to make some new CAT5 cables available. But for private use, I think it's secure enough, hopeing someone will correct me, if I'm wrong. oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.