DSL

DSL Brings High Speeds and Security Issues

Beware! Major security breaches lurk within your DSL connection. They can be resolved, but not without hard work and attention to detail.

by Jim Thompson

DSL has brought high-speed access, simultaneous voice and data over the same line, and "always on" connectivity, but the speed and convenience comes with a price attached — rampant security concerns.

Anyone who maintains an "always-on" Internet connection, whether via DSL, cable modem, or a T1, runs the risk of compromising the security of their PC, network, or entire enterprise. The question here is not "will someone try to attack my system," but "when will someone launch an attack."

"Anybody who is directly connected to the Internet through cable modems or DSL is extremely susceptible to attack from the outside," said Vincent Weafer, director of Symantec's Anti-Virus Research Center.

High Cost of Break-ins
In its fifth annual "Computer Crime and Security Survey," the Computer Security Institute claims that more than $265,589,940 in financial losses from security breaches were reported by 273 participating organizations.

The most serious financial losses, reportedly, occurred through theft of proprietary information (66 respondents reported losses worth $66,708,000) and financial fraud (53 respondents reported losses worth $55,996,000).

The survey, conducted with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad, further indicates that ninety percent of the respondents (primarily large corporations and government agencies) detected computer security breaches within the last twelve months.

Security Threats
Any computer network or private system can be attacked in a number of ways. All of them are potentially devastating to the owner. Among the types of attacks are:

• Denial of service (DoS). In this type of attack, the flow of information is disrupted by crashing or overloading a server, router, or firewall.
• Theft of information. This can be the most devastating, since it involves the loss of valuable property. Information theft can be achieved by eavesdropping, by masquerading as an authorized entity, or by the use of a computer program that guesses passwords.
• Corruption of data. In this form of attack, the intruder destroys or corrupts data stored on disk or corrupts data as it is transmitted across the network.

The dedicated hacker will usually try all of the above types of attacks, especially if the information in question is valuable.

But you don't have to just sit around and wait for someone to storm the gates and rummage though all your private files and information. There are things that can be done to keep evil intruders from your DSL-connected network.

Built-in DSL Security
On the plus side, DSL, which is a point-to-point connection, is more secure than shared, or point-to-multipoint, systems such as cable modems. The basic security of DSL gets an added boost since each customer has a separate "Private Virtual Circuit," which authenticates and secures the communication between the customer's PC and the Internet.

While all this is helpful, it's rarely enough to deter the determined intruder. In many cases, security breaches are made possible simply by the duration of the connection and not by a sophisticated method of access. Protecting your network can be as simple as changing a few settings in MS Windows or as complex as setting up a firewall or changing servers, operating systems, and personnel. For most, the solution lies somewhere in between.

In a recently released white paper on DSL security issues, the DSL Forum concludes that DSL users should do all they can to protect their personal and intellectual property. "The DSL industry understands the need for protecting your systems from hackers and viruses," said Greg Gilliom, CEO and president of Network ICE. "With the proper tools and knowledge, users can severely limit hackers' ability to undermine secure Internet access."

Protecting Your Network
Among the recommendations from the DSL Forum are:

• Turn off file and print sharing in Windows.
• Set up passwords and use a virus scanning program. Passwords should be at least eight characters in length and contain a combination of letters, numbers and special characters (#$@*). Be sure to keep virus software updated.
• Set up a hardware or software firewall. Hardware firewalls offer the most protection but can be expensive for the home user. Many DSL modems will soon offer firewall protection. An alternative is a software firewall. Most programs are available at a nominal cost, others are available for free. Popular firewall programs include BlackIce Defender, ZoneAlarm, Norton Internet 2000 and McAfee's VirusScan or Guard Dog.
• Configure IP routing. It is possible to configure IP routing so that you can set up a firewall system in an environment separate and isolated from operational networks and specify permitted connectivity while denying all other connectivity. Close the holes in the wall!
• Consider encryption and VPN (Virtual Private Network). Encryption software encodes data for sending then decodes it for reading. A VPN enables corporate users to establish secure tunnels between their homes and their corporate LANs. This is a good solution for telecommuters.

PPP via ATM (PPPoA) and via Ethernet (PPPoE)
The DSL Forum recommends Point-to-Point Protocol (PPP) over asynchronous transfer mode (ATM), or PPPoA, for baseline network architecture. In this system, which has been deployed by many telcos, the customer's PPP session is carried over a "tunnel" to the ISPs gateway router.

According to the white paper, "PPP also provides authentication using PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). RADIUS or 'AAA' servers at the ISP and/or linked to the gateway can also use such standard ISP authentication procedures. An IP address can be dynamically assigned to the end user from a pool of addresses during a PPP session initiation. The PPP over ATM and tunneling aspects are generally good for security, in the sense that these can provide virtual partitioning of the overall broadband platform."

Another system in use by service providers is PPP over Ethernet (PPPoE). Although, at first glance, this would seem less secure than PPPoA because it's 'shared' in much the same way as a cable modem, there are no additional risks. PPPoE systems terminate both the bridging session and the PVC (Permanent Virtual Circuit), so no "leakage" occurs from one PVC into another. PPP also provides for transient connection making it possible to use PPP/DSL without being "always on".

IPSec (Internet Protocol Security) is another way of protecting data and networks. IPSec is based on a set of open specifications including the entire TCP/IP protocol suite and is designed for interoperability between enterprise systems.

IPSec
There are several ways of integrating IPSec into an existing system.

First, it can be integrated into the TCP/IP network stack of the host or other device.

It can also be integrated by performing the processing in software before the data packets are processed by the existing TCP/IP networking stack. Both of these approaches require the host CPU to do security processing.

A third method of integrating IPSec is by performing IPSec processing before the data packets are processed by the host computer. This offloads security processing to a processor on a network component, such as a NIC (Network Interface Card) with an on-board encryption chip, and leaves the CPU free.

Maintaining security is a continuous challenge requiring constant attention and vigilance. When setting up a system to keep out diabolical hackers, you might want to recall the words of Tim Allen in the film, "Galaxy Quest," "Never give up. Never surrender."

Related Articles
The DSL Forum's white paper on DSL security issues can be found here.

IP Security and NAT: Oil and Water?

 —End