[aklug] Re: hardware for super cheap (but small) linux router?

From: Jim Courtney <courtney@ieee.org>
Date: Wed Jun 13 2012 - 04:23:22 AKDT

You're right Arthur, I've been in my own little world so long I didn't
really consider the implications of being on a carrier network other
than the one I'm using, where I know exactly where L2 traffic dead-ends.
If the carrier were out to get me, I would have much bigger problems.

On 06/12/2012 11:07 PM, Arthur Corliss wrote:
> On 06/12/2012 03:33 PM, Jim Courtney wrote:
>> I have iptables rules that keep things as secure as having two NICs. No
>> problems so far, after having this setup at home for about 13 years and
>> getting continuous hack attempts.
> ... I think my brain just blew a fuse.
>
> As a general rule this is a horrible idea. In this case the modem you're
> making a pppoe connection to provides a limited bulwark against leakage of
> internal traffic to the ISP's external network, but you are effectively
> compromising chunks of your L2 traffic to the modem itself. Your ISP is
> literally sitting on your internal network.
>
> Your firewall rules are commendable, but I get the impression that while
> they are giving you the normal protection you'd expect from attackers
> external to your ISP, they're not enough to, at a minimum, prevent traffic
> leakage directly to your ISP or, at a maximum, prevent your ISP from
> attacking your network from your own internal address range (if they so
> choose to do so). Your 13 years of no problems is more due to the fact that
> your ISP *isn't* out to get you than anything else.
>
> Granted, OTS modem hardware is normally fairly limited in their
> capabilities, but that's accidental insurance at best.
>
> The concept you present here is moderately risky on DSL networks, but
> if extrapolated to other kinds of connections it would be exceedingly more dangerous.
>
> I'd have to hit the docs on pppoe to say definitively, but I would wager
> that you'd have a smidge more security if you were to plug everything into a
> managed switch that provided VLAN capabilities. Even that, though, would
> not be risk free.
>
> --Arthur Corliss
> Live Free or Die
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
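The thread's point is that on a single-NIC router the modem sits on the same L2 segment as the LAN, so the only frames that should ever be visible on the modem's port are PPPoE Discovery (ethertype 0x8863) and PPPoE Session (0x8864). The quickest check is to sniff that port, e.g. `tcpdump -e -i eth0 'not (ether proto 0x8863 or ether proto 0x8864)'`, and see whether anything else shows up. The script below is an added example, not code from either poster: it parses Ethernet II frames (with optional 802.1Q tags), and classifies every non-PPPoE frame as either LAN traffic leaking to the modem or traffic the modem itself originated toward the LAN, which is the "ISP attacking from your own internal range" case Arthur describes. The MAC addresses, VLAN IDs and frame payloads are constructed for the example; the hypothetical `modem_vlan` parameter models the managed-switch VLAN split he suggests.

```python
"""Audit frames seen on the modem-facing segment of a single-NIC router.

Added example (not from the original thread).  The scenario is assumed: a
router whose one NIC carries the home LAN and a PPPoE session to a DSL modem.
Only PPPoE ethertypes legitimately need to reach the modem; anything else is
LAN traffic leaking to the ISP's device, or the modem speaking on the LAN.
All MACs, VLAN IDs and payloads below are constructed for the example.
"""
import struct

ETH_PPPOE_DISC = 0x8863   # PPPoE Discovery stage (PADI/PADO/PADR/PADS)
ETH_PPPOE_SESS = 0x8864   # PPPoE Session stage (PPP frames)
ETH_8021Q = 0x8100        # 802.1Q VLAN tag
ETH_ARP = 0x0806
ETH_IPV4 = 0x0800
PPPOE_ETHERTYPES = {ETH_PPPOE_DISC, ETH_PPPOE_SESS}

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_frame(dst, src, ethertype, payload=b"", vlan=None):
    """Build an Ethernet II frame, inserting an 802.1Q tag if vlan is given."""
    hdr = mac(dst) + mac(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vlan_or_None, ethertype); reject truncated headers."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan = None
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
    return dst, src, vlan, ethertype

def audit(frames, modem_mac, modem_vlan=None):
    """Classify non-PPPoE frames that the modem can see.

    modem_vlan=None models the untagged single-NIC setup, where the modem sees
    every frame on the wire.  With a VLAN split (hypothetical modem_vlan) only
    frames tagged for the modem's VLAN reach it, so the rest are skipped.
    Returns a list of (kind, src, dst, ethertype) findings.
    """
    findings = []
    for f in frames:
        dst, src, vlan, etype = parse_frame(f)
        if modem_vlan is not None and vlan != modem_vlan:
            continue  # kept off the modem's port by the switch
        if etype in PPPOE_ETHERTYPES:
            continue  # the traffic the modem is supposed to carry
        kind = "modem-originated" if src == modem_mac.lower() else "lan-leak"
        findings.append((kind, src, dst, etype))
    return findings

# Constructed sample traffic.
ROUTER = "02:00:00:00:00:01"
MODEM = "02:00:00:00:00:02"
LAN_PC = "02:00:00:00:00:03"
BCAST = "ff:ff:ff:ff:ff:ff"
PADI = b"\x11\x09\x00\x00\x00\x04\x01\x01\x00\x00"   # PPPoE v1 type1 PADI, Service-Name tag
ARP_REQ = b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20)  # ARP request, bodies zeroed

# Untagged single-NIC wire: LAN broadcasts and unicasts share it with PPPoE.
SAMPLE_FRAMES = [
    build_frame(BCAST, ROUTER, ETH_PPPOE_DISC, PADI),        # router looking for the AC
    build_frame(ROUTER, MODEM, ETH_PPPOE_SESS, b"\x11\x00\x00\x01\x00\x04\xc0\x21\x01\x01"),
    build_frame(BCAST, LAN_PC, ETH_ARP, ARP_REQ),            # LAN host ARP: leaks
    build_frame(ROUTER, LAN_PC, ETH_IPV4, bytes(20)),        # LAN IPv4: leaks
    build_frame(LAN_PC, MODEM, ETH_ARP, ARP_REQ),            # modem probing a LAN host
]

# Same traffic behind a managed switch: LAN on VLAN 10, modem/PPPoE on VLAN 20.
SAMPLE_FRAMES_VLAN = [
    build_frame(BCAST, ROUTER, ETH_PPPOE_DISC, PADI, vlan=20),
    build_frame(BCAST, LAN_PC, ETH_ARP, ARP_REQ, vlan=10),
    build_frame(ROUTER, LAN_PC, ETH_IPV4, bytes(20), vlan=10),
    build_frame(LAN_PC, MODEM, ETH_ARP, ARP_REQ, vlan=20),   # still reaches the modem's side
]

if __name__ == "__main__":
    for label, frames, vlan in (("untagged", SAMPLE_FRAMES, None),
                                ("vlan-split", SAMPLE_FRAMES_VLAN, 20)):
        for kind, src, dst, etype in audit(frames, MODEM, vlan):
            print(f"{label}: {kind} {src} -> {dst} ethertype 0x{etype:04x}")
```

Run against the untagged sample the audit reports two LAN leaks and one modem-originated frame; with the VLAN split only the modem-originated ARP remains, which is Arthur's point that a VLAN stops the leakage but still does not make the modem side risk free.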
Received on Wed Jun 13 04:23:29 2012

This archive was generated by hypermail 2.1.8 : Wed Jun 13 2012 - 04:23:30 AKDT