Mailinglist Archive: opensuse-security (685 mails)

< Previous Next >
Re: [suse-security] T-DSL 'routing' through a network - is it unsafe ?!
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Mon, 4 Feb 2002 12:37:35 +0100
  • Message-id: <20020204123735.H3593@xxxxxxxxx>
* Michael Paarmann wrote on Wed, Jan 30, 2002 at 22:42 +0100:
> Does anyone know, if it is a security risk when i connect a DSL modem by
> the TELEKOM with a switch and the computer with the pppoed demon is
> connected via a switch to the modem and not directly?

Theoretically it is a small risk I think. The most worst part is,
that any client could physically connect the modem with PPPoE. I
don't know if it's possible to have two clients connected to the
Modem at the same time, but a workstation could use some faked
packets to make the router believe that the Modem is disconnected
and may "get" the modem directly. This "tunnels" all your
firewall configuration.

> I'm not sure, if somebody can hack or modify different packets,
> so that they don't reach the pc with the pppoed demon but
> another local workstation.

With soem ARP spoof such things should be possible. But I cannot
imagine how this could be done from outside the LAN. So I think
this questions heavily depends on how much so you trust your LAN
and clients/workstations.

> The T-DSL modem is not a real router (Modem by SIEMENS) and it
> can only be connected by one single pc, but is real safe ? Has
> anybody a hint ? Thanx a lot in advance.

The modem trusts any PPPoE speaking client of course, and AFAIK
you have no change to configure the Modem to accept a single MAC
address only. Maybe your Switch have a VLAN possibility? This
should solve the issue, maybe.

Otherwise, a intruder could infect a workstation i.e. by a email
virus or similar, install some PPPoE implementation of it and
launch it. Doing some ARP spoof or maybe just some flooding this
workstation should able to get the Modem and use it. You should
notice this case since I think your router would lose it's
uplink, but propably you would assume a T-Online problem and
don't take any action.

I think this attack scenario wouldn't be common, since it
requires that the intruders knows some details about your
network and would need a very special (PPPoE-compatible)
infection package. I think it has to be created, AFAIK it's not
common available. So script kiddies would not able to do it. But
if you consider the possibility of straigt forward to you
directed attacks which would invest some ammount of money and
time to hack your network, you shouldn't do it. But I think for
standard offices with no really important data it may be a way,
but not the recommended one.

In home network I use DSL from a switch, but I wouldn't use such
configurations for companies who have the money to make some new
CAT5 cables available. But for private use, I think it's secure
enough, hopeing someone will correct me, if I'm wrong.



Dieses Schreiben wurde maschinell erstellt,
es trägt daher weder Unterschrift noch Siegel.

< Previous Next >
This Thread
  • No further messages