[Wizard] Wizard grunt

Craig Ringer [email protected]
Wed Sep 17 06:03:42 2003


David Basden wrote:
> If what you're talking about is running the back of your ADSL
> modem/bridge into the same switch fabric as your private network, yes
> it's silly from a security point of view.

I'm strongly inclined to agree. It's not /quite/ so bad if you're using 
a PPPoE based DSL connection, but if you're using a bridged connection 
or letting your router do the PPPoE you're exposing your internal LAN to 
anybody who can send spoofed packets through. NAT is no guarantee of 
protection, though it does make things harder. You're also betting your 
network on the hope that the next major worm doesn't also affect the 
embedded OS on your DSL router :-(

Even if you're using a basic DSL modem or a DSL router configured in 
basic modem mode, you're still putting what's effectively a WAN bridge 
on your internal LAN that links your LAN to the LAN the DSLAMs etc. at 
your ISP live on. No, thanks!

The DSL modem, after all, operates as a long-distance ethernet bridge 
(not, I hope, a repeater - can somebody confirm this?). It just happens 
that your ISP wants you to run PPPoE traffic over that ethernet link, 
and configures it so that you can't get out to the internet directly 
over it. Many older DSL connections had that bridged ethernet link 
directly connected to the ISP's routers, and there was no PPPoE involved 
- this is how our 'net connection at the POST used to work. I gather 
that some DSL modems now do PPPoA (PPP over ATM), which removes the 
ethernet bridge from play but has its own complications.

I will never connect multiple networks of different security levels 
(802.11?, ethernet, WAN links) except when physically separated and only 
linked by a router. That means oodles of ethernet ports.

As David Basden stated, 802.1q VLANs may improve this, as with VLANs you 
can provide 'virtual' separate networks. However, your switch is 
unlikely to support VLANs.

Basically, it'll work, it's not horribly insecure, but I would never do 
it. I can easily see worm traffic making it onto the DSLAM's local LAN, 
and from there to you.

Anyway... hope I made sense. I've just realised I'm more tired than I 
thought, so there might be a higher-than-desired gibberish factor here.

Craig Ringer
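As an added illustration of the separation Craig and David describe (this is not code from the thread or from either author), the script below sets up a Linux box as the one router between a DSL-facing 802.1q VLAN and the private-LAN VLAN, and installs an nftables forward policy so nothing on the modem's side can start a conversation into the LAN or arrive claiming a LAN source address. The interface name eth0, VLAN IDs 10 and 20, the 192.168.1.0/24 LAN and the table name "segsep" are all assumptions; DRY_RUN=1 (the default) prints the commands and ruleset instead of applying them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post: a Linux router
# keeping the DSL modem's segment and the private LAN on separate 802.1q
# VLANs, with the firewall as the only path between them.
# Interface names, VLAN IDs and addresses below are assumptions.
set -eu

TRUNK_IF="${TRUNK_IF:-eth0}"
WAN_VLAN="${WAN_VLAN:-10}"             # VLAN carrying the DSL modem's bridged/PPPoE side
LAN_VLAN="${LAN_VLAN:-20}"             # VLAN carrying the private LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed private LAN prefix
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = really run them

# run: execute a command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vlan_ifname: sub-interface name for a trunk interface and VLAN id (eth0.10)
vlan_ifname() {
    printf '%s.%s\n' "$1" "$2"
}

# create_vlans: one sub-interface per VLAN, so the DSL side and the LAN side
# never share a broadcast domain on the router
create_vlans() {
    run ip link add link "$TRUNK_IF" name "$(vlan_ifname "$TRUNK_IF" "$WAN_VLAN")" type vlan id "$WAN_VLAN"
    run ip link add link "$TRUNK_IF" name "$(vlan_ifname "$TRUNK_IF" "$LAN_VLAN")" type vlan id "$LAN_VLAN"
    run ip link set "$(vlan_ifname "$TRUNK_IF" "$WAN_VLAN")" up
    run ip link set "$(vlan_ifname "$TRUNK_IF" "$LAN_VLAN")" up
}

# firewall_ruleset: nftables forward policy. Default drop; packets arriving on
# the DSL-side VLAN with a LAN source address are dropped first (the spoofed-
# packet case); only replies to LAN-initiated flows and LAN-to-WAN traffic pass.
firewall_ruleset() {
    wan="$(vlan_ifname "$TRUNK_IF" "$WAN_VLAN")"
    lan="$(vlan_ifname "$TRUNK_IF" "$LAN_VLAN")"
    cat <<EOF
table inet segsep {
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "$wan" ip saddr $LAN_NET drop
        ct state established,related accept
        iifname "$lan" oifname "$wan" accept
    }
}
EOF
}

# apply_firewall: load the ruleset with nft, or just show it when DRY_RUN=1
apply_firewall() {
    if [ "$DRY_RUN" = "1" ]; then
        firewall_ruleset
    else
        firewall_ruleset | nft -f -
    fi
}
```

To use it, source the file and call `create_vlans && apply_firewall`; with DRY_RUN=0 and root it needs the switch port facing the router to be an 802.1q trunk carrying both VLANs, which, as Craig notes, is exactly the feature a cheap home switch usually lacks.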