ADSL: Security Risks and Countermeasures
An Analysis of ADSL topologies for SOHO Users
By Seán Boran
June 14, 2001 - In this report we explain the topology of ADSL connections,
analyze the security risks and propose countermeasures.
This article is a part of a series of tests on Personal Firewalls/Intrusion Detection
Systems. Refer to [1] for an analysis of PC-based personal firewalls and [3] for an analysis of hardware firewalls for ADSL use. Although we
specifically refer to ADSL here, the same basic principles apply to cable modems.
Contents: ADSL Benefits | Risks | Countermeasures | Using a Router as a Firewall | Limitations | Feature Check | Precautionary Measures | Summary
ADSL Benefits
The main advantages of ADSL are:
- Always on, no "connection setup" waiting.
- Shared Internet connection possible between several hosts
- Faster than ISDN or analog modem access
- May be the cheapest alternative for frequent users.
Risks
The principal risk of an unsecured ADSL connection is unauthorized access from the
Internet to your host(s) on the local network (on the LAN side of the ADSL router/modem).
Such unauthorized access is made more probable since the connection is "always
on" and hence attackers can quietly try to crack your machines as you sleep. With
"normal" dial-up connections, it's easier to notice unusual activity, as one
works on the machine while connected to the Internet. Possible impact of such unauthorized
access:
- Your computer could be misused to publish porn images, warez (pirated software archive),
or as a hub for hacker forums.
- Your computer could be misused to attack other machines (hundreds of so called 'attack
(ro)bots' or 'zombies' can be used to cause major disruption to other Internet sites or
users. An example is described in [2]). Your machine is then used to hide
the identity of the real attackers, and you seem to be the person who is carrying out the
attacks.
- Your computer could be misused for mass mailing (i.e. spam).
- Theft of information (loss of privacy/confidentiality), and possible misuse for
financial gain (credit card numbers, misuse of banking software, blackmail).
- Destruction of information or programs
- Changing of information (loss of integrity)
- Lost time trying to get hackers out, reinstall or clean up after them.
- If your computer is misused, it could generate massive amounts of traffic which will
cost you money unless you have a flat-rate Internet access. In addition sites which have
been 'attacked by you' may block your address from their sites.
ADSL modems can also have security weaknesses themselves, which allow them to be
manipulated [4].
You have a lock on your front door and on car doors, you need one on your Internet
connection too!
Countermeasures
The countermeasures for securing ADSL connections depend on the topology, so let's
have a look at the hardware components involved in an ADSL connection.
Topologies with ADSL modems
This is the classical setup for a single PC, with either an internal or external modem:

Phone----ADSL modem
line     in PC (integrated)

Phone----ADSL ---- PC
line     modem  ^
                ^
                ^ RJ45 Ethernet link
Now, if we add a combined hardware firewall/router, it would fit as follows and would
allow several hosts, not just one PC, to be connected on the "LAN" side.
The hub may also be integrated into the firewall/router, depending on the product:

Phone----ADSL ---- Firewall ------ Single PC
line     modem     Incl.router

Phone----ADSL ---- Firewall -------- Hub -- Internal LAN
line     modem     Incl.router              [several PCs]

Phone----ADSL ---- Firewall ------------- Internal LAN
line     modem     Incl.router+hub        [several PCs]
Topologies with ADSL Routers
An alternative to an ADSL modem is the router with integrated ADSL interface, which is
designed to allow connection of several hosts on one ADSL connection.

Phone----ADSL ---- PC
line     router

Phone----ADSL ---- Hub ----- Internal LAN
line     router              [several PCs]
Now, if we wish to add a firewall to the equation, it would look something like:
Phone----ADSL ---- Firewall --- PC
line     router

Phone----ADSL ---- Firewall --- Hub ----- Internal LAN
line     router                           [several PCs]
But this setup can be tricky:
- Both router and firewall have routing functions, i.e. IP addresses on both interfaces
and routing tables. This can make setup quite complex.
- The router can be configured as a "bridge", so it has no IP address and simply
forwards packets from the ADSL interface to the LAN interface and back. In this mode it
emulates an ADSL modem, leaving all IP work to the firewall (for instance the firewall
handles WAN and LAN IP addresses). This is a better idea, but it may be difficult to set up
and troubleshoot depending on your router.
Recommended Topology
If you're starting out with new hardware, I'd recommend one of the following setups
when integrating your firewall.
The modem topology is better than the router one, since the configuration is easier and
it's cheaper to buy a modem than an ADSL router.
Note that the modem must be external and not an internal card in a PC.
Note also that I've not yet seen a product that integrates an ADSL modem with a firewall.
Assuming one single PC is being protected:

Phone----ADSL ---- Firewall --------------- Internal PC
line     modem

Assuming a small network of up to 4 PCs is being protected:

Phone----ADSL ---- Firewall -------- Hub -- Internal PCs
line     modem     Incl.router

Phone----ADSL ---- Firewall --------------- Internal PCs
line     modem     Incl.router+hub

Assuming more than 4 PCs are being protected, or a hub/switch is already available:

Phone----ADSL ---- Firewall -------- Hub -- Internal PCs
line     modem     Incl.router
Using a Router as a Firewall
The basic security principle of most firewalls and routers is that outgoing traffic is
allowed (LAN to WAN policy), but incoming traffic from the public network is blocked (WAN
to LAN policy). Rules can be customized to allow specific incoming services (none by
default), and to restrict specific outgoing services. Since routers can allow several
machines to access the Internet and all outgoing traffic leaves with the IP address of
the router, incoming traffic is denied by default, because the router doesn't know which
internal host to send it to!
Modems on the other hand, tend to create a fully open connection in both directions by
default. So don't use a modem without a firewall.
On routers, for incoming traffic to be allowed, SUA (single user address) servers need
to be defined. SUA hides the real address of servers behind one published address
(this is also known as Network Address Translation - NAT or masquerading). Either a
'default server' is defined, or a list of which ports are routed to which IP address is
specified.
So, if you don't configure any SUA on your router, incoming traffic is blocked by
default. This may be enough for most users. Some routers also offer firewall functions,
that may be used to tighten security further.
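As an added example (not code from the article or any router vendor), the following toy model shows why unsolicited inbound packets are dropped by a NAT/SUA router and how an SUA port entry or a 'default server' selectively re-opens inbound ports. All addresses and ports are constructed; the class and method names are my own.

```python
# Added example, not from the original article: a toy model of a NAT/SUA
# router's default policy (LAN to WAN allowed, WAN to LAN denied) and of how
# SUA entries or a 'default server' re-open chosen inbound ports.
# All addresses and ports are constructed (RFC 5737 documentation ranges).

class SuaRouter:
    def __init__(self, wan_ip, sua_ports=None, default_server=None):
        self.wan_ip = wan_ip
        self.sua_ports = dict(sua_ports or {})  # {public port: internal IP}
        self.default_server = default_server    # internal IP, or None
        self.flows = {}                         # (peer ip, peer port, public port) -> (lan ip, lan port)
        self.next_pub_port = 40000

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """LAN -> WAN is allowed; the packet leaves with the router's IP and a
        fresh public port, and the translation is remembered for the reply."""
        pub_port = self.next_pub_port
        self.next_pub_port += 1
        self.flows[(dst_ip, dst_port, pub_port)] = (lan_ip, lan_port)
        return self.wan_ip, pub_port

    def inbound(self, src_ip, src_port, dst_port):
        """WAN -> LAN: forwarded only if it is a reply to a LAN-initiated flow
        or a port that SUA publishes; otherwise there is no host to send it to."""
        flow = self.flows.get((src_ip, src_port, dst_port))
        if flow is not None:
            return "forward", flow
        if dst_port in self.sua_ports:
            return "forward", (self.sua_ports[dst_port], dst_port)
        if self.default_server is not None:
            return "forward", (self.default_server, dst_port)
        return "drop", None

def demo():
    # Router with no SUA entries: only replies to LAN-initiated flows get in.
    r = SuaRouter("203.0.113.10")
    _, pub_port = r.outbound("192.168.1.20", 1025, "198.51.100.5", 80)  # LAN PC browses
    reply = r.inbound("198.51.100.5", 80, pub_port)          # web server's reply
    probe = r.inbound("198.51.100.99", 3456, 139)            # unsolicited SMB probe
    # Same router, but an SUA entry publishes an internal web server on port 80.
    r2 = SuaRouter("203.0.113.10", sua_ports={80: "192.168.1.30"})
    web = r2.inbound("198.51.100.99", 3456, 80)
    smb = r2.inbound("198.51.100.99", 3456, 139)             # still dropped
    return reply, probe, web, smb

if __name__ == "__main__":
    print(demo())
```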
Feature Check
The following is a checklist of features to watch out for in firewalls and routers. We
intend to use this checklist to measure the effectiveness of actual products:
- User interface: ease of use, instructiveness, simplicity, quality of online help and
written documentation. Can rules be easily added/removed/checked? Do you understand the
questions the software asks and what it is doing?
- Price: how much are you willing to pay initially and each year for support/updates? How
many hosts can be protected by the firewall?
- Protocols:
  - Dynamic DNS support: see www.dyndns.org (for example) for a description of this
    service, which is essential if you intend making servers visible to the Internet.
  - IP address translation: NAT and SUA for incoming traffic.
  - DNS proxy for performance.
  - DHCP server for LAN side addressing.
- Effectiveness of security protection:
  - Port filtering incoming and outgoing, by IP address, port, or network interface.
  - Specification of ports and IP addresses by range and lists.
  - State based filtering of protocols like FTP which use dynamic ports.
  - Does the IP stack provide protection against Denial of Service attacks (such as SYN
    flooding)?
  - Content filtering HTTP: can JavaScript, ActiveX, VBscript, Java or cookies be
    optionally blocked per site/domain/IP range/completely?
  - Content filtering Email: can dangerous attachments be filtered in POP or SMTP email?
  - Is an IPsec VPN available? What other products are known to interoperate?
- Effectiveness of intrusion detection:
  - Few false positives: accuracy of detection and alerting?
  - Well known trojans and backdoors recognized and alerts generated?
  - Alerting of dangerous attacks (via email or other methods)?
  - Local and remote logging (via syslog) of passed or blocked packets by default, or on
    a per rule basis?
  - Alerts easily understood?
- Effectiveness of reaction:
  - Is discovering attackers' identity possible?
  - Is blocking of attacks supported (possibly automatically, and even in real-time)?
  - Ease of use.
- Management interfaces:
  - Serial, telnet, GUI, Web, other? A serial interface is very useful if you make a
    mistake with your LAN address configuration!
  - Are extensive troubleshooting tools available?
  - Password protection? Do management sessions time out if idle?
  - Can policies/configuration be backed up or remotely downloaded from a management
    station?
  - Are configuration changes logged?
  - Are all administrative ports/services blocked on the WAN interface by default? Can
    they be filtered by network interface or source IP address?
How can one test security effectiveness?
- Ping and accessing file shares from the Internet to a test host behind the firewall.
- Ping and accessing file shares from a test host behind the firewall to the Internet.
- An nmap [2] scan of the firewall to check what ports are visible
from the Internet. Try connecting to visible ports.
- An nmap scan of the firewall to check what ports are visible from the LAN. Try
connecting to visible ports.
- A well known 'remote control' trojan (like Netbus Pro v2.1 [3])
is installed on the test system on a non standard port (to make detection more difficult).
The Netbus server is started and attempts made to connect from the Internet.
Limitations
Compared with some software personal firewalls, a hardware firewall cannot see which
application on an internal PC generates traffic and hence it cannot restrict traffic by
application name.
- Example: when certain HTML emails are opened, "web-bugs" in the Email cause
the Email software to open an Internet HTTP connection to an image on the Web, usually so
the Email sender can gather statistics on its readership. Personally, I prefer to block
HTTP access to my Email reader, as I don't want it to send back information I don't know
about, that may help spammers and aggressive marketers. A PC personal firewall could stop
the email application from accessing the web, a hardware firewall can only grant or deny
access to the whole PC, it cannot differentiate between HTTP traffic from an Email read or
a browser on the same PC.
- Recently, Email viruses have been announced that infect PCs through HTML emails in a
method similar to the above.
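To make the "web-bug" behaviour concrete, here is an added example (not code from the article) that lists the remote-image references in an HTML email, i.e. exactly the references that make a mail reader open an outgoing HTTP connection when the message is displayed. The sample message, its hostnames and the per-recipient token are constructed; the function names are my own.

```python
# Added example, not from the original article: list the remote-image
# references in an HTML email. Each one makes the mail reader open an
# outgoing HTTP connection when the message is displayed, which is the
# "web bug" behaviour described above. The message is constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class RemoteImageFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        # cid: and data: references are local to the message; http(s) is not.
        if tag == "img" and src.lower().startswith(("http://", "https://")):
            tiny = a.get("width") == "1" and a.get("height") == "1"
            parts = urlsplit(src)
            self.remote.append((parts.hostname, tiny, bool(parse_qs(parts.query))))

def find_web_bugs(html):
    """Return (host, is_1x1_pixel, has_query_string) for every remote image.
    A 1x1 image whose URL carries a token is the classic tracking pixel, but any
    remote fetch already reveals the reader's address and the time of reading."""
    p = RemoteImageFinder()
    p.feed(html)
    return p.remote

# Constructed HTML mail: one inline image, one tracking pixel, one ordinary banner.
SAMPLE_MAIL = """<html><body>
<p>Our newsletter</p>
<img src="cid:logo@newsletter">
<img src="http://track.example.net/open.gif?id=recipient-0042" width="1" height="1">
<img src="https://www.example.org/banner.png">
</body></html>"""

if __name__ == "__main__":
    for host, tiny, tracked in find_web_bugs(SAMPLE_MAIL):
        print(host, "1x1 pixel" if tiny else "", "per-recipient token" if tracked else "")
```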
Hardware firewalls often allow all outgoing traffic by default:
- The report [2] discusses a 'Distributed denial of service' attack, that
was launched by a cracker who remotely controlled 'bots' (i.e. Attack Robots) on
compromised PCs and commanded these to flood specific targets' network connections at
will. These bots could be installed via viruses, Trojans, buggy network programs, shares,
social engineering, etc. The bots 'call home' each time the PC starts, so an attacker has
a ready list of penetrated PCs available without having to actually scan for such hosts.
Since the bots make only outgoing connections, they will go unnoticed by typical hardware
firewall configurations, which allow outgoing traffic by default.
- Preventing "information leakage" or such reverse tunnels may be difficult for
the non-expert user (with a default configuration). If a Trojan is somehow installed on a
host in the private zone, it will be able to communicate unhindered with the Internet,
without the user being aware. Only an expert user could configure the firewall to only
allow specific outgoing traffic such as http, https, ping, smtp and ftp. Even if outgoing
traffic is restricted, some channels such as HTTP or IRC will be open, and the bots can
use these.
- If a Firewall examines the traffic flowing through it for signatures of well known
attack tools, it could reduce the risk. But then such a firewall would have to be
regularly updated with signatures.
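As an added example (not code from the article or the report it cites), the following evaluates outgoing connection records under the default "allow all outgoing" policy and under the restricted policy suggested above, and applies the one behavioural clue the text gives, a host contacting the same Internet address at every start-up. The connection records, addresses and ports are constructed, and modelling ping as ("icmp", 0) is my own convention.

```python
# Added example, not from the original article: outgoing-traffic policy and a
# simple "calls home at every start" check, over constructed connection records.
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    src: str     # LAN host
    dst: str     # Internet host
    dport: int   # destination port
    proto: str   # "tcp", "udp" or "icmp"

# The restricted policy suggested above: http, https, ping, smtp, ftp.
# Ping is modelled as ("icmp", 0); this is a convention of the example.
RESTRICTED = {("tcp", 80), ("tcp", 443), ("icmp", 0), ("tcp", 25), ("tcp", 21)}

def egress_allowed(conn, policy):
    """policy=None is the common default 'allow all outgoing'."""
    return policy is None or (conn.proto, conn.dport) in policy

def blocked(records, policy):
    return [c for c in records if not egress_allowed(c, policy)]

def call_home_candidates(boots):
    """(src, dst, dport) triples contacted at every start-up of the LAN: the
    pattern of a bot reporting in, regardless of whether the port is allowed."""
    seen = [{(c.src, c.dst, c.dport) for c in b} for b in boots]
    return sorted(set.intersection(*seen)) if seen else []

# Constructed records for two successive boots: a browser, a mail client, and a
# bot that uses both an IRC control channel and an HTTP one.
BOOT1 = [
    Conn("192.168.1.20", "198.51.100.5", 80, "tcp"),    # browser
    Conn("192.168.1.20", "198.51.100.6", 25, "tcp"),    # mail client
    Conn("192.168.1.21", "203.0.113.40", 6667, "tcp"),  # bot -> IRC
    Conn("192.168.1.21", "203.0.113.41", 80, "tcp"),    # bot -> HTTP
]
BOOT2 = [
    Conn("192.168.1.20", "198.51.100.7", 80, "tcp"),    # browser, different site
    Conn("192.168.1.21", "203.0.113.40", 6667, "tcp"),  # bot -> IRC again
    Conn("192.168.1.21", "203.0.113.41", 80, "tcp"),    # bot -> HTTP again
]

if __name__ == "__main__":
    print("default policy blocks:", blocked(BOOT1, None))
    print("restricted policy blocks:", [c.dport for c in blocked(BOOT1, RESTRICTED)])
    print("calls home every boot:", call_home_candidates([BOOT1, BOOT2]))
```

The restricted policy stops the IRC channel but not the HTTP one, which is the point the text makes; the every-boot check is what catches the HTTP channel.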
Processing power, memory and cost all limit how much work can be done by hardware
firewalls and how sophisticated they can be. Software personal firewalls, on the other
hand, can simply eat resources from the host PC. :-)
Precautionary Measures
There are a few measures that Windows users should take, whether they install a
firewall or not:
- Never open any executable attachment or script received by email unless you are very
sure of its origin and are convinced the originator has excellent virus/Trojan
protection in place. (Don't even preview it in Outlook; turn the preview pane feature of
Outlook off).
- Disable file and printer sharing, especially on PCs with open Internet access.
- Disable the SMB/Microsoft protocols in your network configuration, especially on PCs
with open Internet access. This will also disable all file/printer and authentication
within your LAN though, which may not be desirable.
- Install Windows, Explorer and Office security fixes/service packs: This is a tricky one
as it can be very time-consuming and cause major headaches. For instance, the recent
Outlook security patch is so restrictive as to make it unusable on intranets (in my
opinion).
- Antivirus/worm/Trojan measures:
- Install a good antivirus scanner and keep it up to date. Scan email attachments before
opening them.
- MS Office: Switch on Word/Excel 97 Macro virus protection (Tools/Options/General/Macro
virus protection) or run Word/Excel 2000 with at least medium security settings. This will
ensure the user is presented with a dialog box when documents containing macros are
opened. If suspect Word documents are received by email, open them in Wordpad rather than
Word, since macros won't be understood by Wordpad. Set the file-permissions of
"normal.dot" to read only, to prevent viruses or Trojans from infecting your
Word setup.
- If possible, configure your browser to ignore ActiveX and prompt when Java or Jscript or
VBscript is run.
- Don't stay connected to the network unless you need to.
- Switch off machines when they are not in use.
- Don't connect to the network before tools like personal firewalls are active.
- Back up your system regularly.
Summary
The risks of an unprotected ADSL connection are real; please ensure that you take at
least minimal precautions to secure your ADSL connection.
Either use a router to block incoming traffic or set up a firewall in conjunction with your
ADSL modem to provide at least protection against incoming traffic. Install an up-to-date
anti-virus, and apply the Precautionary Measures.
We've presented several checklists here that should help you evaluate which actual
product meets your needs. Now you can check out the actual product evaluations we've
carried out [3].
[1] Personal Firewalls/Intrusion Detection Systems - Seán Boran. This article is an
analysis of software based Personal Firewalls. pf_main20001023.html
[2] Distributed Denial of Service (DDoS) Attacks Against grc.com - Steve Gibson.
grc.com/dos/grcdos.htm
[3] ADSL Firewalls: Product Reviews - Seán Boran. An Analysis of hardware mini-firewall
products for 'always-on' Users. pf_adsl_tests_20010627.html
[4] Alcatel DSL Models found vulnerable: Tsutomu Shimomura, a senior fellow at the San
Diego Supercomputing Center, discovered numerous flaws in a popular modem supplied by
Pacific Bell, Ameritech, Bell Atlantic and others to DSL customers.
www.uniontrib.com/news/business/20010410-9999_1b10dsl.html
About the Author
Seán Boran is an IT security consultant based in
Switzerland and the author of the online IT Security Cookbook.
Change history
14.June.01 sb First release
27.Jun.01 Add Link for [3]
29.Aug.01 Minor fixes.