7.4 DSL and Cable VPN Security


DSL and cable modem access account for 20 percent of all home Internet connections, and that share is expected to grow significantly over the next few years. Users like the speed and the always-on connectivity that DSL and cable afford. Unfortunately, those same two properties are security headaches for network administrators.

When a dial-up user connects, the computer is assigned a dynamic IP address by the dial-up ISP. Dial-up sessions tend to be short, and any hidden application designed to use as much bandwidth as possible will cause a noticeable slowdown, prompting the user to disconnect. DSL and cable Internet connections are different. Users are often, though not always, assigned a dynamic IP address, but the connection is always on, so users stay connected longer, even when they are away from the computer for extended periods. Because more bandwidth is available, users are also less likely to notice an application that is consuming a lot of it.

The problem with always-on consumer Internet access is that subscribers are frequently subject to attack. These are not attacks against a specific user; they tend to be indiscriminate, searching for exploitable weaknesses. An attacker port-scans large blocks of IP addresses known to belong to DSL or cable providers, and when the scan turns up a service with a known weakness, the attacker attempts to exploit it and gain access to the user's computer.

Once the attacker controls the computer, it can be used to launch DoS attacks, or the attacker can monitor its activity to see whether anything useful, such as credit card information, is passed across the WAN. These attacks are particularly effective. DSL and cable networks generate so much traffic that ISPs are often unable to detect port scans launched against them. Subscribers to DSL and cable services also tend to have more disposable income, and therefore more powerful computers. Combine that with a high-speed, always-on connection and you have the perfect launching platform for attacks.
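The block-wide scans described above have a recognizable shape in firewall or flow logs: one source touching many ports on one host, or one port across many hosts, within seconds. The following detector is an added example and is not code from the book; the log format, the addresses, the 60-second window and the thresholds of 10 are all constructed for illustration, not taken from any ISP's tooling.

```python
"""Port-scan detection over firewall log lines (added example, not from the book).

A sliding-window detector that flags a source address which hits many distinct
ports on one host (vertical scan) or one port across many hosts (horizontal
scan) within a short interval. The log format, addresses and thresholds below
are constructed for illustration and are not taken from any real ISP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one entry per line:
#   <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>
SAMPLE_LOG = """\
2002-05-01T10:00:00 198.51.100.7 -> 203.0.113.10:80 ACCEPT
2002-05-01T10:00:01 198.51.100.7 -> 203.0.113.10:443 ACCEPT
2002-05-01T10:00:01 192.0.2.44 -> 203.0.113.10:21 DROP
2002-05-01T10:00:01 192.0.2.44 -> 203.0.113.10:22 DROP
2002-05-01T10:00:02 192.0.2.44 -> 203.0.113.10:23 DROP
2002-05-01T10:00:02 192.0.2.44 -> 203.0.113.10:25 DROP
2002-05-01T10:00:02 192.0.2.44 -> 203.0.113.10:80 DROP
2002-05-01T10:00:03 192.0.2.44 -> 203.0.113.10:110 DROP
2002-05-01T10:00:03 192.0.2.44 -> 203.0.113.10:135 DROP
2002-05-01T10:00:03 192.0.2.44 -> 203.0.113.10:139 DROP
2002-05-01T10:00:04 192.0.2.44 -> 203.0.113.10:445 DROP
2002-05-01T10:00:04 192.0.2.44 -> 203.0.113.10:1433 DROP
2002-05-01T10:00:05 192.0.2.44 -> 203.0.113.11:139 DROP
2002-05-01T10:00:05 192.0.2.44 -> 203.0.113.12:139 DROP
2002-05-01T10:00:06 192.0.2.44 -> 203.0.113.13:139 DROP
2002-05-01T10:00:06 192.0.2.44 -> 203.0.113.14:139 DROP
2002-05-01T10:00:07 192.0.2.44 -> 203.0.113.15:139 DROP
2002-05-01T10:00:07 192.0.2.44 -> 203.0.113.16:139 DROP
2002-05-01T10:00:08 192.0.2.44 -> 203.0.113.17:139 DROP
2002-05-01T10:00:08 192.0.2.44 -> 203.0.113.18:139 DROP
2002-05-01T10:00:09 192.0.2.44 -> 203.0.113.19:139 DROP
2002-05-01T10:00:09 192.0.2.44 -> 203.0.113.20:139 DROP
2002-05-01T10:30:00 198.51.100.7 -> 203.0.113.10:80 ACCEPT
"""

WINDOW = timedelta(seconds=60)   # how long a source's events are remembered
PORT_THRESHOLD = 10              # distinct ports on one host within WINDOW
HOST_THRESHOLD = 10              # distinct hosts on one port within WINDOW


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts_text, src, _arrow, dst_and_port, action = line.split()
    dst, port = dst_and_port.rsplit(":", 1)
    return datetime.fromisoformat(ts_text), src, dst, int(port), action


def detect_scans(log_text, window=WINDOW,
                 port_threshold=PORT_THRESHOLD, host_threshold=HOST_THRESHOLD):
    """Return one alert dict per (source, kind, target) that crosses a threshold."""
    recent = defaultdict(deque)   # src_ip -> deque of (ts, dst_ip, dst_port)
    alerted = set()               # (src_ip, kind, target) already reported
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = parse_line(line)
        events = recent[src]
        events.append((ts, dst, port))
        # Drop this source's events that have fallen out of the window.
        while events and ts - events[0][0] > window:
            events.popleft()
        ports_by_host = defaultdict(set)
        hosts_by_port = defaultdict(set)
        for _t, d, p in events:
            ports_by_host[d].add(p)
            hosts_by_port[p].add(d)
        for host, ports in ports_by_host.items():
            key = (src, "vertical", host)
            if len(ports) >= port_threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"src": src, "kind": "vertical", "target": host,
                               "count": len(ports), "at": ts})
        for p, hosts in hosts_by_port.items():
            key = (src, "horizontal", p)
            if len(hosts) >= host_threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"src": src, "kind": "horizontal", "target": p,
                               "count": len(hosts), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(f"{alert['at'].isoformat()} {alert['kind']:10s} scan from "
              f"{alert['src']} against {alert['target']} ({alert['count']} distinct)")
```

On the sample log the detector reports 192.0.2.44 twice: a vertical scan of 203.0.113.10 once the tenth distinct port is seen, and a horizontal sweep of port 139 once the tenth host is seen; the legitimate browsing from 198.51.100.7 never crosses a threshold because its two hits stay under the limit and the later one falls outside the window. The dropped packets are the evidence, which is the point of the text: a provider that is not keeping or analysing per-source counts at this granularity has no way to see the sweep in the aggregate traffic.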

From a corporate security standpoint it is very important to be aware of these issues. It does not matter how secure the connection to an organization's VPN is if the machine accessing it has been compromised. An attacker who controls a computer connected to the corporate VPN can reach the internal network as easily as the legitimate user can.

As with dial-up ISP users, there are precautions that security and network administrators should take before allowing users to connect to a corporate VPN over a DSL or cable connection. If a user has a laptop issued by the organization, that should be the only machine used to connect to the VPN. Otherwise, users connecting into the network should be running one of the corporate-approved operating systems with the most current patches installed. They should also be running one of the approved virus scanners, with up-to-date virus definitions.

In addition to these precautions, which are identical to those for dial-up users, many organizations require DSL and cable users to place an external firewall device on their home network. Often sold as a combined firewall and gateway router, these devices generally retail for less than $200 and plug into the network quickly. While not nearly as capable as a full-fledged firewall, a personal firewall device masks the computers behind it: it takes the IP address assigned by the ISP and performs Network Address Translation (NAT) on all requests from those computers out to the Internet, so that from the Internet side only the device's own address is visible.

The advantage of this arrangement is that these devices are simple, with a far smaller attack surface than a general-purpose operating system. An attacker port-scanning one of them will find none of the usual operating system services listening and will, generally, move on rather than attack it. Think of it like a car thief: given two identical cars side by side, the thief chooses the one that is unlocked with the keys in the ignition. The devices are not immune, however. One with a default administrative password, or with its management interface reachable from the Internet side, is itself a target, so the administrative password should be changed and the device's firmware kept current.
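Why the scan finds nothing follows from how the device keeps state. The model below is an added example, not code from the book or from any particular product: it assumes a port-restricted NAT with no port forwarding configured (real consumer devices vary), and every address and port number in it is constructed. Outbound connections from the LAN create a mapping on the ISP-assigned address, replies that match a mapping are translated back, and any other packet arriving from the Internet side is dropped.

```python
"""Stateful NAT gateway model (added example, not from the book).

Models the masking behaviour described in the text: outbound connections
from the LAN get a mapping on the gateway's ISP-assigned address, replies
that match a mapping are translated back, and anything else arriving from
the Internet side is dropped. Assumes a port-restricted NAT with no port
forwarding; real consumer devices vary. All addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    def __init__(self, wan_ip, first_wan_port=40000):
        self.wan_ip = wan_ip            # the address assigned by the ISP
        self.next_port = first_wan_port
        # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}
        # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.reverse = {}

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the WAN address, creating state."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.reverse.get(key)
        if wan_port is None:
            wan_port = self.next_port
            self.next_port += 1
            self.reverse[key] = wan_port
            self.table[wan_port] = key
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: translate only if it matches existing state, else drop."""
        if pkt.dst_ip != self.wan_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None   # nothing is mapped here: an unsolicited probe is dropped
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None   # the mapping belongs to a different peer; drop it
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def scan_wan(gateway, scanner_ip, ports, scanner_port=31337):
    """Probe each port on the WAN address; return those that reach a LAN host."""
    reached = []
    for port in ports:
        probe = Packet(scanner_ip, scanner_port, gateway.wan_ip, port)
        if gateway.inbound(probe) is not None:
            reached.append(port)
    return reached


if __name__ == "__main__":
    gw = NatGateway("203.0.113.77")
    # A LAN host opens a connection to a web server; the gateway allocates WAN port 40000.
    out = gw.outbound(Packet("192.168.1.10", 5123, "198.51.100.20", 80))
    print("translated outbound:", out)
    # The server's reply matches the mapping and is delivered to the LAN host.
    print("translated reply:", gw.inbound(Packet("198.51.100.20", 80, gw.wan_ip, 40000)))
    # A scanner probing the WAN address, even on the mapped port, reaches nothing.
    print("ports reached by scanner:", scan_wan(gw, "192.0.2.44", [21, 22, 80, 139, 445, 40000]))
```

The scanner's probes come back empty even for port 40000, because the only mapping there belongs to the web server the LAN host is talking to. The caveat in the text applies here too: a port-forwarding rule, or a management interface listening on the WAN address, adds exactly the kind of reachable entry this model lacks.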

While personal firewalls are not a cure-all for the problems facing DSL and cable users, combined with a fully patched system and up-to-date virus software they provide a good level of security. These three layers should give enough assurance that DSL and cable users are properly secured for VPN access to the network.



The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska