On Wed, Aug 22, 2001 at 11:42:59PM -0400, Adam William Lydick wrote:

> * I am assuming your firewall exists to protect your network, by providing
> packet filtering (potentially inbound AND outbound).
>
> 1) If an attacker learns an internal address, and your internal network is
> unrouted (on a single segment of ethernet), they would be able to get
> packets (unfiltered) into your network, unless your upstream
> router/DSL/Cable modem etc is doing ingress filtering.

Cable modems are bridges (though many can do IP based filtering). However, I'm not aware of any cable ISPs who enable IP based filtering by default. DSL is a different story since there are several ways that your DSL "modem" can be configured. However, you're still depending on the ISP doing the right thing. How confident are you regarding your ISP's default security stance?

Even if you've got a leased line, it's unlikely that the router is doing any filtering unless you paid someone to set it up that way. It's just too much work for the average install.

ISPs are in business to make money, not to provide the best possible security to their customers. When I worked at an ISP, I liked to bring up security issues. Invariably the response was "well, security is good, but if it affects customers' ability to use the network we're not going to do it." Since "customers' ability to use the network" often meant that the customer wanted to do something dumb from a security stance, we didn't do much filtering by default.

What little filtering we did do was designed to protect us (filter DHCP so a customer can't provide DHCP replies to other customers, filter RFC1918 addresses at the gateway to prevent those addresses from accessing the internet, filter source addresses not in our netblocks from accessing the internet, filter incoming traffic with source addresses in our netblocks, etc.).

--
Nathan Norman - Staff Engineer    | A good plan today is better
Micromuse Ltd.                    | than a perfect plan tomorrow.
mailto:nnorman@micromuse.com      |   -- Patton
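The four ISP-edge filters Nathan lists (block customer-sourced DHCP server replies, RFC1918 sources, egress traffic from addresses outside the ISP's netblocks, and ingress traffic claiming an ISP address) written out as a small policy model that can be evaluated over packets. This is an added example, not the poster's configuration; the netblock 203.0.113.0/24 and the sample packets are constructed from RFC 5737 documentation ranges.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed: the ISP's own customer-facing address space (assumption).
OUR_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DHCP_SERVER_PORT = 67  # DHCP replies are sourced from the server port


class Packet(NamedTuple):
    direction: str   # "out" = from the customer side, "in" = from the internet
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def filter_packet(pkt: Packet) -> Optional[str]:
    """Return the reason a packet is dropped, or None if it is accepted."""
    if pkt.direction == "out":
        # Rogue DHCP: a customer must not answer other customers' requests.
        if pkt.proto == "udp" and pkt.sport == DHCP_SERVER_PORT:
            return "dhcp-server-reply-from-customer"
        # RFC1918 sources never belong on the public internet.
        if in_any(pkt.src, RFC1918):
            return "rfc1918-source"
        # Egress anti-spoofing: only our own netblocks may leave through us.
        if not in_any(pkt.src, OUR_NETBLOCKS):
            return "source-not-in-our-netblocks"
    elif pkt.direction == "in":
        # Ingress anti-spoofing: outsiders may not claim one of our addresses.
        if in_any(pkt.src, OUR_NETBLOCKS):
            return "spoofed-internal-source"
    return None


def apply_policy(packets):
    """Evaluate a batch of packets; returns a list of (packet, verdict)."""
    return [(p, filter_packet(p) or "accept") for p in packets]


if __name__ == "__main__":
    sample = [Packet("out", "203.0.113.10", "198.51.100.5"),
              Packet("out", "192.168.1.2", "198.51.100.5"),
              Packet("out", "203.0.113.10", "203.0.113.20", "udp", 67),
              Packet("in", "203.0.113.99", "203.0.113.10")]
    for p, verdict in apply_policy(sample):
        print(f"{p.direction:>3} {p.src:>14} -> {p.dst:<14} {verdict}")
```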