Reply to post:

Oh no, Moto! Cable modem has hardcoded 'technician' backdoor

Lee D

Have always done this.

As far as I'm concerned, a modem or cable router or ADSL router is just a modem. It's also the "hostile" side of the network. Invariably I then plug it into a real router/firewall that I have control over. Historically, for both work and personal, that's been everything from a Freesco single-floppy-linux router, to Slackware distributions, to WRT54G's with custom firmware, you name it.

Currently my Virgin Superhub is in modem-only mode and goes to a proper firewall. Even then, doing something like DMZ'ing my machine to the world would trigger the software firewall on the individual clients too (not to mention the IPS on the firewall). Hell, for many years I used to VPN across my internal home wireless network because WEP couldn't be trusted and WPA2 was too expensive to deploy. And I'm a gamer and it barely added 1ms to my gaming pings, even over wireless, even with all the house machines doing the same (so there's really NO excuse).

Sure, you might get into my modem, but the modem isn't party to anything SSL-encrypted anyway, and all unencrypted stuff I assume is perfectly sniffable by anyone else on the net - if they are in my modem or not! And trying to get into the local net from there will be blocked just as any other malicious traffic coming from the Internet.

I deploy work and home networks this way precisely because of problems like this. You can't trust the cheap routers you're given by your ISP and you can't even go out and buy a decent home router and trust that alone.

At my previous workplace there was still a pile of untouched BT ADSL2 routers in their boxes and wrapping because we never used them. Their replacements were pure modems that didn't try to offer their own wireless / BTOpenZone, etc. that went into a Linux router with multiple Ethernet cards, which secured the 500 users behind it and load-balanced the connections.

At this workplace - same thing, but with a set of Cisco routers doing HSRP failover in between so the Linux machines don't have to.

Even bridging / modem mode, however, is not a defence in itself - in the same way that it's possible for YOU to turn it back into a router with DMZ to the network, it's possible (theoretically) for an attacker to do the same. Virgin SuperHubs still offer a web interface on 192.168.100.1, I believe, that lets you turn modem mode off and the firmware auto-updates. One slip in that configuration and you have a modem that's working against you.

Always put something in front of it, even just for one machine. And if WPA2 is ever weakened, investigate putting VPN over local wireless links. It costs nothing with OpenVPN, IPSec functionality in Windows, etc. And when, as often happens for me in work, you come up against odd traffic flows you have a machine on the border already that you can analyse traffic from without needing to port-mirror or use DMZ etc. to diagnose it.
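The border arrangement the comment above describes, as an added example that is not part of Lee D's post: a Linux router behind a modem in bridge/modem-only mode, with an nftables ruleset that treats everything arriving on the WAN interface as hostile, the modem's own management address included, and logs/counts what it attempts. The interface names (eth0/eth1), the LAN subnet and the 192.168.100.0/24 modem management range are assumptions; override them through the environment variables.

```shell
#!/bin/sh
# Added example: nftables policy for a Linux router sitting behind a
# bridged cable modem. Not the original poster's configuration.
# Assumed (hypothetical) names; override via the environment:
WAN_IF="${WAN_IF:-eth0}"                 # towards the modem
LAN_IF="${LAN_IF:-eth1}"                 # towards the house/office
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # inside network
MODEM_NET="${MODEM_NET:-192.168.100.0/24}"  # modem's management range

# Emit the ruleset as text so it can be reviewed, diffed, or piped to nft.
build_ruleset() {
  cat <<EOF
flush ruleset

table inet border {
  chain input {
    type filter hook input priority 0; policy drop;

    iif lo accept
    ct state established,related accept
    ct state invalid drop

    # Administer the router only from the LAN side.
    iifname "$LAN_IF" ip saddr $LAN_NET tcp dport 22 accept
    iifname "$LAN_IF" icmp type echo-request accept

    # Anything the modem itself sends at us is counted, then dropped by policy.
    iifname "$WAN_IF" ip saddr $MODEM_NET counter drop

    # Everything else from the WAN side: log (rate-limited), then policy drop.
    iifname "$WAN_IF" limit rate 10/minute log prefix "wan-in-drop: "
  }

  chain forward {
    type filter hook forward priority 0; policy drop;

    ct state established,related accept
    ct state invalid drop

    # LAN -> Internet (and LAN -> modem admin page, same path).
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept

    # Nothing unsolicited is forwarded from the WAN/modem side into the LAN,
    # whether the modem is in "modem mode" or has been flipped back to router.
    iifname "$WAN_IF" oifname "$LAN_IF" limit rate 10/minute log prefix "wan-fwd-drop: "
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$WAN_IF" ip saddr $LAN_NET masquerade
  }
}
EOF
}

# Parse/dry-run the ruleset without loading it (needs nftables, usually root).
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    build_ruleset | nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
    return 0
  fi
}

case "${1:-}" in
  show)  build_ruleset ;;
  check) check_ruleset ;;
  apply) build_ruleset | nft -f - ;;
  *)     echo "usage: $0 show|check|apply" >&2 ;;
esac
```

Run it as `sh border.sh show` to review the generated policy, `check` to dry-run it, and `apply` (as root) to load it. The `counter` on the modem's own source range is the cheap way to notice the "modem working against you" case the comment mentions: `nft list chain inet border input` shows a non-zero packet count if the modem starts originating traffic towards the inside, and the `wan-fwd-drop:` log lines show the same for anything it tries to forward.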
