DSL stuff (was Re: [SunRescue] Re: Help!)
R. Lonstein
rescue at sunhelp.org
Sat Apr 21 10:32:05 CDT 2001
On Sat, Apr 21, 2001 at 12:31:44AM -0500, Scott Newell wrote:
[snip]
> I've got my Speedstream 5260 DSL modem plugged into the hub, and a single
> nic in the 486. Seems like most people run two nics--one for the LAN and
> one for the DSL modem--could that make a difference? (Hmmm...have I
> created some monster security hole by allowing the modem access to my LAN?)
Apologies for the ASCII art.
If it looks something like this:
             +-----+
             |  1  | Pvt.
             +-----+
                |               ___        Public
                |              /   \  /\  \
       ------------------------< DSL >-- \ \/--- Inet
        |              |        \___/
        |              |
        |              |
     +-----+        +-----+
     |  2  |        |  3  | Pub.
     +-----+        +-----+
      Pvt.
and if you are directing boxes 1 and 2 with private IPs to use box 3
with a public IP as the gateway and box 3 uses the DSL modem as its
gateway (or any combination thereof), you have mixed Public and Private
which is not a good idea as all the boxes are exposed. If the DSL modem
is permitting private address space ranges in and out, then you have a
real problem. Someone could source route and come in uninvited. If your
DSL modem itself is subject to compromise- a possibility demonstrated by
the recent Alcatel gaffe- the entire LAN is totally open. Generally,
only secured hosts should be exposed.
The better way, which you describe as having 2 NICs, looks like this:
          +-----+
          |  1  |
          +-----+
             |     Private
             |     IP LAN
      -----------------
       |             |
       |             |              Public IP
       |             |Pvt.    ___
    +-----+       +-----+    /   \  /\  \
    |  2  |       |  3  |------< DSL >-- \ \/--- Inet
    +-----+       +-----+ Pub.  \___/
Where box #3 has two NICs, one private IP and one public IP, and is
doing one of Firewalling with NAT/PAT, Firewalling with Application
Proxies (squid, etc.), routing and filtering, or bridging and filtering.
In the last case, box 3 has no IP address (it's a bridge) and there
is no private address space as the other two boxes have public IPs.
Firewalling with proxies is likely most secure, firewalling with NAT/PAT
is easiest.
+ $.02
- Ross
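The policy Ross sketches for box 3 in the second diagram (two NICs, NAT/PAT, and no private address space crossing the DSL link or arriving from it, no source-routed packets) can be written down as a small model. This is an added illustration, not code from the thread; the interface names "pvt"/"pub", the address ranges and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: the LAN uses RFC 1918 space; box 3's DSL-side NIC gets
# an address from a documentation range standing in for a real public IP.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = "203.0.113.5"

@dataclass(frozen=True)
class Packet:
    iface: str                  # NIC the packet arrived on: "pvt" (LAN) or "pub" (DSL)
    src: str
    dst: str
    sport: int
    dport: int
    source_routed: bool = False  # IP source-route option present

def is_private(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return any(a in n for n in PRIVATE)

class Box3:
    """Two-NIC firewall doing NAT/PAT with anti-spoofing, as in the second diagram."""
    def __init__(self):
        self.table = {}          # public-side port -> (LAN ip, LAN port)
        self.next_port = 40000

    def ingress_check(self, p: Packet) -> str:
        if p.source_routed:
            return "drop: source-routed packet"
        if p.iface == "pub" and is_private(p.src):
            return "drop: private source address arriving from the DSL side"
        if p.iface == "pvt" and ipaddress.ip_address(p.src) not in LAN:
            return "drop: LAN-side packet with a non-LAN source"
        return "ok"

    def forward(self, p: Packet):
        """Return the translated packet, or None if the policy drops it."""
        if self.ingress_check(p) != "ok":
            return None
        if p.iface == "pvt":                      # LAN -> Internet: PAT the source
            if is_private(p.dst):
                return None                       # private destinations never go out the DSL link
            key = (p.src, p.sport)
            port = next((k for k, v in self.table.items() if v == key), None)
            if port is None:
                port, self.next_port = self.next_port, self.next_port + 1
                self.table[port] = key
            return Packet("pub", PUBLIC_IP, p.dst, port, p.dport)
        if p.dst != PUBLIC_IP or p.dport not in self.table:
            return None                           # Internet -> LAN: only replies to a known mapping
        lan_ip, lan_port = self.table[p.dport]
        return Packet("pvt", p.src, lan_ip, p.sport, lan_port)
```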