Ethernet Security tips?

  • d6jg
    Senior Member
    • Feb 2011
    • 8652

    #46
    Originally posted by kidstypike
    It's next to "Y" in Your?
    I think it may have been intended as YOMMV
    Your Own Mileage May Vary

    In the UK I have never heard of a domestic grade ISP using a backdoor to their routers. On the contrary, the usual solution to any “unsolvable” router issue is to send a new one.
    I assume Gordon is US based and perhaps it’s the opposite approach there.
    Whichever applies I’d still recommend replacing the £/$/€20 router provided “Free” by a better one that you can control if your ISP permits it (some in UK make it difficult).
    Jim



    VB2.4 storage QNAP TS419p (NFS)
    Living Room Joggler & Pi4/Khadas -> Onkyo TXNR686 -> Celestion F20s
    Office Joggler & Pi3 -> Onkyo CRN775 -> Celestion F10s
    Dining Room SB Radio
    Bedroom (Bedside) Pi Zero+DAC ->ToppingTP21 ->AKG Headphones
    Bedroom (TV) & Bathroom SB Touch ->Denon AVR ->Mordaunt Short M10s + Kef ceiling speakers
    Guest Room Joggler > Denon RCFN8 -> Wharfedale Modus Cubes


    • garym
      Senior Member
      • May 2008
      • 13396

      #47
      Originally posted by d6jg
      Whichever applies I’d still recommend replacing the £/$/€20 router provided “Free” by a better one that you can control if your ISP permits it (some in UK make it difficult).
      I’d certainly agree with that. I’m in the US with a major ISP (Cox) and I use my own cable modem and own router. More for cost and features rather than security.
      Home: Pi4B-8GB/pCP8.2.x/4TB>LMS 8.5.x>Transporter, Touch, Boom, Radio (all ethernet)
      Cottage: rPi4B-4GB/pCP8.2.x/4TB>LMS 8.5.x>Touch>Benchmark DAC I, Boom, Radio w/Battery (Radio WIFI)
      Office: Win11(64)>foobar2000
      The Wild: rPi3B+/pCP7.x/4TB>LMS 8.1.x>hifiberry Dac+Pro (LMS & Squeezelite)
      Controllers: Material Skin, iPhone14Pro & iPadAir5 (iPeng), or CONTROLLER
      Files: Ripping: dBpoweramp > FLAC; Post-rip: mp3tag, PerfectTunes, TuneFusion; Streaming: Spotify


      • slartibartfast
        Senior Member
        • Jan 2010
        • 13173

        #48
        Originally posted by d6jg
        I think it may have been intended as YOMMV
        Your Own Mileage May Vary

        In the UK I have never heard of a domestic grade ISP using a backdoor to their routers. On the contrary, the usual solution to any “unsolvable” router issue is to send a new one.
        I assume Gordon is US based and perhaps it’s the opposite approach there.
        Whichever applies I’d still recommend replacing the £/$/€20 router provided “Free” by a better one that you can control if your ISP permits it (some in UK make it difficult).
        Virgin push firmware updates to their hubs if you want to call that a backdoor.

        Sent from my Pixel 3a using Tapatalk
        Living Room: Touch or Squeezelite (Pi3B) > Topping E30 > Audiolab 8000A > Monitor Audio S5 + BK200-XLS DF
        Bedroom: Radio
        Bathroom: Radio


        • P Nelson
          Senior Member
          • Nov 2012
          • 621

          #49
          Originally posted by gordonb3
          Yes, that is one of the morals of the (30+ year old) tectonic plate barrier joke: don't overdo security as it only harms yourself. Trust that the connections on the internet router are purposely marked internet and internal network respectively and that this implies that it provides the security you need to prevent people on the outside accessing your machine(s) on the inside. Also, worrying too much only makes you sick.
          My view on security is making it difficult enough that someone looks for an easier target, while not adding too much difficulty for me to do what I want.

          My use of two routers for personal computers vs internet of things (IoT) does not impact me very much, but it adds an element of security if an IoT device has a security problem. The only difficulty I have created is setting up a new device which requires communicating with my phone. I have to make sure both are connected to the right router and temporarily disable isolation between devices. No problem for me, but my wife would not want to deal with the hassle.

          Paul
          Last edited by P Nelson; 2022-03-03, 15:17. Reason: edited on 3/3/2022 for grammar


          • cookiemonster
            Member
            • Dec 2010
            • 58

            #50
            What a rabbit hole this one is, like anything security.
            I'm also in the UK and work in Telecoms. Most ISPs request their router from their providers for the consumer space to have the TR-069 protocol enabled. Always for good intentions: to be able to roll out firmware upgrades. That can be (rarely) to add new features, but mostly for rolling out security patches if they were required, and to aid their customer services to "look in" to the router to help diagnose problems when the customer calls. Unfortunately (look up Mirai, TR-064 and TR-069 exploits), like any consumer device, they can have unknown weaknesses that the consumer has no chance to fix because it requires a new firmware that needs to be hands-on by a technician with tools and training, or a full replacement. For the ISP that is not going to happen, so the customer has to wait until the next router refresh is due, which can be years away.
            This is why I always used to disable it in one way or another. Often it's not possible to do so from the UI; it was unmodifiable or hidden and needed hackish methods. That, and other practices that are there to "make things work" without a networking degree, attempting to balance security with usability: the routers have facilities like UPnP, for instance, so that when you plug in your kid's Xbox, it just works, at the expense of the dreadful thought that your firewall can have a hole punched through it by anything compromised, like a virus-infected PC leveraging that "capability".
            Very hard to get that balance because soon after, one of these "capabilities" could be weaponized.

            What is the solution? For those happy with an ISP router and just plug and forget, just do that. It will have certain protection by NAT for nasties coming in. It won't stand much of a chance if there is a nasty on the inside. Follow best advice like keep firmware updated, change default admin passwords to a strong one, disable WAN management, etc.
            For anyone else willing to take on administering a router/firewall, take out the ISP router and replace it with something more capable. It doesn't have to be expensive. No need for Unifi gear. DD-WRT, OpenWrt, OPNsense and pfSense are all far superior and free; just bring your own (supported) device.

            Sorry if I sound preachy. Network security is something I feel kind of strongly about.


            • gordonb3
              Senior Member
              • Dec 2020
              • 440

              #51
              Originally posted by slartibartfast
              Virgin push firmware updates to their hubs if you want to call that a backdoor.
              That implies the presence of a backdoor, otherwise the ISP would not be able to access the router without your explicit consent for pushing the updates.


              • bpa
                Senior Member
                • Oct 2005
                • 22622

                #52
                Originally posted by gordonb3
                That implies the presence of a backdoor, otherwise the ISP would not be able to access the router without your explicit consent for pushing the updates.
                In the case of Virgin with a cable network - the firmware upgrade may be part of DOCSIS and so it would not be over internet - a backdoor but over a private network.


                • slartibartfast
                  Senior Member
                  • Jan 2010
                  • 13173

                  #53
                  Originally posted by gordonb3
                  That implies the presence of a backdoor, otherwise the ISP would not be able to access the router without your explicit consent for pushing the updates.
                  I set the Virgin Hub in Modem Only mode after finding that on the rare occasions when broadband was down it was impossible to listen to local music over the network.

                  Sent from my Pixel 3a using Tapatalk
                  Living Room: Touch or Squeezelite (Pi3B) > Topping E30 > Audiolab 8000A > Monitor Audio S5 + BK200-XLS DF
                  Bedroom: Radio
                  Bathroom: Radio


                  • gordonb3
                    Senior Member
                    • Dec 2020
                    • 440

                    #54
                    Originally posted by cookiemonster
                    What is the solution? For those happy with an ISP router and just plug and forget, just do that. It will have certain protection by NAT for nasties coming in. It won't stand much of a chance if there is a nasty on the inside. Follow best advice like keep firmware updated, change default admin passwords to strong one, disable WAN management, etc.
                    Exactly. The main thing to remember is that authenticated people can do unauthorized stuff, and sometimes without even being aware (`click here to win a chocolate bar`) of doing so. In accordance with RFC1918 no router that is connected to the public internet will allow forwarding of packets to any of the standard's IP ranges (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12), and this includes every dedicated commercial and ISP provided router. The only possible way to access a machine behind such a router is by using a DNAT rule, which no router is ever preconfigured to do. Thus, presuming that the ISP did not add a backdoor and the owner did not add any inbound rules, any unwanted connection is always initiated from the inside.

                    Which leads to the question who controls what. A nice example of this is Tuya which is controlled by a server in China - you are just allowed to interact with that server. A few years back there was a similar complaint about Samsung televisions. My ISP is also my digital TV provider who periodically updates the device with new firmware. My thermostat also communicates with some internet server which is nice because this allows me to control it from practically everywhere and be able to return to a warm home (provided that the internet server is not suffering from some issue). None of this stuff requires access to my internal network and since I am also unable to access these devices other than through a remote server I've placed all of these devices in a separate network.

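An added example, not code from this thread, from OpenWrt or from any other project named here, that puts cookiemonster's warning (UPnP and port-forwards punch holes through the firewall) and gordonb3's point (an inbound connection to an RFC1918 host should only ever exist because of a DNAT rule) into a small Python audit. It parses a constructed OpenWrt-style UCI firewall fragment (the `config redirect` section and option names follow OpenWrt's `/etc/config/firewall` layout, but every rule, address and port is made up), lists the DNAT rules that expose private hosts to the WAN zone, and classifies constructed connection records, assumed to be recorded on the LAN side after DNAT has rewritten the destination, as outbound, forwarded inbound, or unexplained inbound. The last label is the one that warrants a look, since nothing in the owner's configuration accounts for it.

```python
"""Audit DNAT port-forwards against RFC1918 and classify observed flows.

Added example (not code from the forum thread or from OpenWrt). The UCI
fragment and the flow records are constructed sample input: section and
option names follow OpenWrt's /etc/config/firewall 'redirect' layout, but
every address, port and rule name below is made up.
"""
from ipaddress import ip_address, ip_network

# The three RFC1918 blocks named in the thread.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed config: one deliberate hole from WAN, one LAN->IoT redirect.
SAMPLE_FIREWALL = """
config redirect
    option name 'nas-ssh'
    option src 'wan'
    option src_dport '2222'
    option dest 'lan'
    option dest_ip '192.168.1.20'
    option dest_port '22'
    option target 'DNAT'

config redirect
    option name 'lan-to-iot-dns'
    option src 'lan'
    option src_dport '53'
    option dest 'iot'
    option dest_ip '192.168.2.1'
    option target 'DNAT'
"""

# Constructed flows as seen on the LAN side, i.e. after DNAT has rewritten
# the destination: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("192.168.1.50", "93.184.216.34", 443),   # a PC browsing the web
    ("203.0.113.7", "192.168.1.20", 22),      # SSH arriving via the nas-ssh rule
    ("203.0.113.9", "192.168.1.30", 8080),    # no rule forwards this: investigate
    ("192.168.2.15", "192.168.1.20", 445),    # IoT zone talking to the LAN
]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the RFC1918 private ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_uci(text: str) -> list[dict]:
    """Minimal UCI parser: 'config <type>' opens a section, 'option'/'list' fill it."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config" and len(parts) >= 2:
            cur = {".type": parts[1]}
            sections.append(cur)
        elif parts[0] in ("option", "list") and cur is not None and len(parts) == 3:
            cur[parts[1]] = parts[2].strip("'\"")
    return sections


def exposed_hosts(sections: list[dict]) -> list[dict]:
    """DNAT redirects from the WAN zone into an RFC1918 host: holes someone
    configured on purpose, since a router ships with none."""
    return [s for s in sections
            if s.get(".type") == "redirect"
            and s.get("target", "DNAT") == "DNAT"
            and s.get("src") == "wan"
            and "dest_ip" in s and is_rfc1918(s["dest_ip"])]


def classify_flow(src: str, dst: str, dport: int, redirects: list[dict]) -> str:
    """Label a LAN-side connection record by who could have initiated it."""
    src_priv, dst_priv = is_rfc1918(src), is_rfc1918(dst)
    if src_priv and dst_priv:
        return "internal"                 # zone policy decides this, not NAT
    if src_priv:
        return "outbound"                 # inside-initiated: the normal case
    if not dst_priv:
        return "transit"                  # neither end is ours
    for r in redirects:                   # public source, private destination
        if r["dest_ip"] == dst and int(r.get("dest_port", r["src_dport"])) == dport:
            return "inbound-forwarded:" + r.get("name", "?")
    return "inbound-unexplained"          # no rule explains it: investigate


def audit(config_text: str, flows) -> dict:
    """Run both checks and return the findings in one structure."""
    redirects = exposed_hosts(parse_uci(config_text))
    return {
        "exposed": [(r.get("name", "?"), r["dest_ip"], r.get("dest_port")) for r in redirects],
        "flows": {(s, d, p): classify_flow(s, d, p, redirects) for s, d, p in flows},
    }


if __name__ == "__main__":
    result = audit(SAMPLE_FIREWALL, SAMPLE_FLOWS)
    for item in result["exposed"]:
        print("WAN-exposed host:", item)
    for flow, label in result["flows"].items():
        print(label.ljust(26), *flow)
```

Run it as-is to see the four sample flows labelled; to use it on a real box, feed `audit()` the contents of the firewall config and a list of connection tuples taken from the LAN side. Rules that UPnP adds at runtime do not appear in the static config file, which is exactly why a flow labelled `inbound-unexplained` deserves a second look: either UPnP, the ISP's management channel, or a rule you have forgotten about is responsible.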

                    • gordonb3
                      Senior Member
                      • Dec 2020
                      • 440

                      #55
                      Originally posted by bpa
                      In the case of Virgin with a cable network - the firmware upgrade may be part of DOCSIS and so it would not be over internet - a backdoor but over a private network.
                      Possible, in the case of my own ISP I just happened to trip over it because I couldn't use the port as it was already in use. I could still have lived with it though if they hadn't used it to overwrite the firewall configuration. That was a big NO for me.


                      • gordonb3
                        Senior Member
                        • Dec 2020
                        • 440

                        #56
                        Originally posted by slartibartfast
                        But it would be an unlikely typo, M is a fair distance from O
                        `O` for opinion. Mileage implies having experience which you can't have because it is completely speculative what would have happened if you didn't accept the update.
