| 1 |
Am Wed, 29 Mar 2017 04:52:08 -0700 |
| 2 |
schrieb Jorge Almeida <jjalmeida@×××××.com>: |
| 3 |
|
| 4 |
> On Wed, Mar 29, 2017 at 12:45 AM, Neil Bothwick <neil@××××××××××.uk> |
| 5 |
> wrote: |
| 6 |
> > On Tue, 28 Mar 2017 22:52:25 -0700, Jorge Almeida wrote: |
| 7 |
> > |
| 8 |
> |
| 9 |
> > |
| 10 |
> > It's more a privacy issue that security for me. I have a similar |
| 11 |
> > setup with a virgin cable router, which I set to what they call |
| 12 |
> > modem mode, where only one of the ports works and connects to my |
| 13 |
> > router. The one time I ran tech support they were able to see that |
| 14 |
> > I was using it this way and even reset the modem for me. I suppose |
| 15 |
> > it makes life easier for them and their typical customers, but it |
| 16 |
> > was a little unnerving. |
| 17 |
> > |
| 18 |
> > |
| 19 |
> The ISP provided router is officially managed (whatever this means) by |
| 20 |
> them. As to privacy, I know a packet is visible once it leaves the |
| 21 |
> router via Wan port. What I worry a bit is about the possibility of |
| 22 |
> foul play towards the home network. The computers are firewalled via |
| 23 |
> iptables, but accept connections from 192.168.... What prevents a |
| 24 |
> hacked router of impersonating a local origin? |
| 25 |
|
| 26 |
Block packets originating from the router MAC address and that don't |
| 27 |
belong to a known connection. Then deploy a managed switch that can do |
| 28 |
MAC address filtering so it allows only the one MAC address on the |
| 29 |
router port. This should be safe enough. It would be difficult to get |
| 30 |
around such a setup. To be even more safe, use VLAN and exclude all |
| 31 |
your computers from the management port. |
| 32 |
|
| 33 |
This, however, doesn't prevent tampering with packets on their way |
| 34 |
through the router. You could use VPN and place the tunnel endpoints |
| 35 |
only on trusted routers. That way, your ISP only relays VPN traffic, |
| 36 |
and ensures the transfer networks below are only used for VPN and your |
| 37 |
machines accept nothing else. |
| 38 |
|
| 39 |
-- |
| 40 |
Regards, |
| 41 |
Kai |
| 42 |
|
| 43 |
Replies to list-only preferred. |
Archives