A Commentary on Cable Modem Security

by Rich Troy
(rtroy@optonline.net)

As posted to the lioptonline eGroup July, 2000
LI Cable Modem Users' eGroup FAQ

NOTE: This commentary is long and reasonably technical. I've intended it to be useful to a wide range of people, but I've used words like "you" and "yours" to make it easier to read (I hope). If you're not interested in all the technical details, skip to the last few paragraphs, which start with "The less technical part starts here".

Part I
Unwanted Guests

   So you have flashing cable modem lights, and you're not doing anything on the Internet now? You should be worried. This probably means that people are using your computer(s) without your permission; they're "unwanted guests". If you are running Windows 9x or NT, you can go to a command prompt and enter this command: NETSTAT. That will show you all the currently active TCP/IP connections on your PC, but there are some limitations:
      (1) A "currently active connection" might be one that is in the process of timing out, but is still staying open for a while. This can happen if the computer on the other end hangs up without sending a disconnect signal, for example. Obviously, this condition of timing out should not include blinking modem lights.
      (2) This command is limited to showing only TCP/IP connections.

   If you have any other protocols enabled on your WAN card you should disable them. For example, leaving NetBEUI, NetBIOS or IPX enabled on your WAN card leaves doors open that probably won't be closed by a software based firewall installed on your PC. Software firewalls like ZoneAlarm control TCP/IP ports, but usually ignore connections on other protocols. Your WAN card is the hardware (network interface card or NIC) on your PC which is connected to the cable modem.

   Here's another test you can try if you are running Windows 9x. Click these menu commands:
Start -> Programs -> Accessories -> System Tools -> Net Watcher.
This will show you all the currently active Microsoft Network connections on your PC, but there are some limitations:
      (1) This will probably not show you who is connected by TCP/IP, unless you've enabled NetBIOS over TCP/IP. NetBIOS over TCP/IP is another thing to turn off on your WAN card for security reasons, if you have it turned on.
      (2) As stated above, a "currently active connection" might be one that is in the process of timing out, but is still staying open for a while. This can happen if the computer on the other end hangs up without sending a disconnect signal, for example. Obviously, this condition of timing out should not include blinking modem lights.

   The big problem is that once you see which connections are open, closing them is not always so easy. In the Microsoft environment, there are no easy ways to find exactly what programs are active on your computer and are using the open connections. If you see open connections with the Net Watcher utility, and they're not from your local computers, then make sure you don't have Microsoft Networking enabled on your WAN card. If you see open connections with the NETSTAT command, you'll have to make a note of which TCP/IP ports are in use. The port number or name appears after a colon character. Here's a sample output:
C:\WINDOWS\>netstat
Active Connections

  Proto  Local Address        Foreign Address       State
  TCP    XYZ5:ftp-data20      we-one.net:1321       ESTABLISHED
  TCP    XYZ5:ftp-data20      ca-one.rr.com:4610    TIME_WAIT

In this example, the open ports are ftp-data20 (port 20) on the local computer (your computer is the local computer); 1321 on the remote computer is connected to your local port 20, and is active; 4610 on the other remote computer is connected to your local port 20, but it is timing out. You may be able to recognize the ports in use. Ports 20 and 21 are used by FTP clients and servers. Other common port uses can be found in this file on your computer:
C:\WINDOWS\SERVICES
It's a text file that can be opened with Notepad, etc. Look up the local ports that are in use on your computer to see if your activity comes from a commonly known program that's listed in the SERVICES file. You can then try to track down what program is running on your computer and using those active ports.
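Here is an added example (not part of the original commentary) that does the same lookup in code: it parses NETSTAT output in the layout shown above together with an excerpt in the SERVICES file format, and flags live connections on local ports the file does not name. The NETSTAT lines and SERVICES entries are constructed samples, not captured from a real machine.

```python
import re

# Constructed sample NETSTAT output in the layout the commentary shows
# (hostnames, ports and addresses are invented for illustration).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address        Foreign Address       State
  TCP    XYZ5:ftp-data        we-one.net:1321       ESTABLISHED
  TCP    XYZ5:ftp-data        ca-one.rr.com:4610    TIME_WAIT
  TCP    XYZ5:1025            203.0.113.9:5320      ESTABLISHED
"""

# Constructed excerpt in the format of C:\WINDOWS\SERVICES:
# <service name>  <port>/<protocol>  [aliases...]  [# comment]
SAMPLE_SERVICES = """\
ftp-data          20/tcp
ftp               21/tcp
telnet            23/tcp
smtp              25/tcp    mail
http              80/tcp    www www-http
"""

def parse_services(text):
    """Map TCP service names, aliases and port numbers to a canonical service name."""
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        port, proto = parts[1].split("/")
        if proto.lower() != "tcp":
            continue
        for key in [parts[0], port] + parts[2:]:
            names[key] = parts[0]
    return names

def parse_netstat(text, services):
    """Return one dict per connection line, with the local port resolved to a service."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S+)?", line)
        if not m:
            continue   # header lines and blank lines
        proto, _lhost, lport, rhost, rport, state = m.groups()
        rows.append({"proto": proto, "local_port": lport,
                     "service": services.get(lport, "unknown"),
                     "remote": f"{rhost}:{rport}", "state": state,
                     # TIME_WAIT is a connection closing down, not a live session
                     "live": state == "ESTABLISHED"})
    return rows

def needs_investigation(rows):
    """Live connections on ports SERVICES does not name are the ones to trace to a program."""
    return [r for r in rows if r["live"] and r["service"] == "unknown"]
```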

   If that's not productive, get a copy of 'The Cleaner' from www.moosoft.com . Install it, run the 'LiveUpdate' function to get the latest updates, and have it scan all your local hard drives. It will scan your computer for all currently known Trojan programs. A Trojan program is one that runs invisibly in the background and allows remote computers on the Internet to initiate network connections to your computer. To be safe, you'll also want to repeat this Trojan scan on any other computers on your network that also are connected to the Internet. That all having been said, 'The Cleaner' will not identify healthy programs as Trojan programs. So if your computer is running an FTP server, for example, it isn't likely to show up as a Trojan.

The less technical part starts here:

   Ultimately this comes down to the question of, "How do I help protect my computer from being accessed from the Internet without my permission?"
A good way to resolve this problem is to get a smart external firewall. I'd recommend the products from SonicWall Inc. www.sonicwall.com. They have a SOHO/10 device which allows up to 10 computers on an Ethernet LAN to get to the Internet. You would install this device between your cable modem and the other computers on your LAN, and it would protect all the computers on your LAN. It will work with PCs, Macintosh computers, Windows computers, UNIX computers, etc. The LAN is your local network, in your office/home/etc. Let the SonicWall device assign a private TCP/IP address to each computer on your LAN, using Network Address Translation (NAT). Set each computer on your LAN to use DHCP (obtain an address automatically), and the SonicWall device will provide a TCP/IP address for each LAN computer. The SonicWall device will not interfere with Internet traffic that your LAN computers initiate to the Internet. However, the SonicWall device will block any traffic initiated from the Internet that is trying to get to your LAN computers. That's the key: if you didn't initiate the Internet traffic, why do you want it?
If you do want to run a server, (i.e. FTP, HTTP, etc.) the SonicWall device can be configured to allow the specific traffic associated with the server.

   The SonicWall SOHO/10 device is available by Internet mailorder for about $420 when I last checked. It's a reasonable price to pay for security, and it's fairly easy to install and configure.
Consider this:
Without a smart external firewall you have to become something of a network security wizard. In the meantime, information on your local hard drives can be copied to remote destinations. If you have a financial program like Quicken on your computer, that's not a good situation to be in. Some Trojan programs can actually send your keystrokes and your screen images over the Internet in real time. So that means your login information (usernames and passwords) to your online bank account, your account at amazon.com, etc., can be in someone else's hands. That also means that your credit card numbers can be in someone else's hands. Not a pretty thought, eh?

Part II
Firewalls
and
Disabling MS Networking from the WAN


   In my commentary on the subject of "Unwanted Guests" (Part I), I described the need to disable Microsoft Networking from the WAN (Wide Area Network) card. The software type firewall solutions that exist typically only lock down your TCP/IP ports. That leaves at least two potential problems with a software firewall:
      (1) You may already have a Trojan, and it may already be initiating connections to computers on the Internet without your knowledge, and
      (2) Other common networking mechanisms (IPX, SPX, NetBIOS, NETBEUI, etc.) are usually ignored by the software firewall.

Those other networking mechanisms (i.e. IPX, SPX, NetBIOS, NETBEUI, etc.), are commonly used by Microsoft for sharing files, printers, etc. So people on the Internet could potentially gain access to your Microsoft "shares" (shared files, shared printers, etc.) even with a software firewall.

That's one of the advantages to an external, hardware, firewall. The external firewall devices typically only let TCP/IP traffic through them. So the common Microsoft sharing mechanisms are blocked by default. Therefore, with a hardware firewall solution, you don't have to worry as much about how well you've controlled the security on your computers. You could, for example, have an active in-house (or in-office) LAN using Microsoft Networking, shared files, shared printers, etc. The external, hardware, firewall would block Internet users from (1) seeing those shared resources on your LAN, and (2) being able to initiate a connection to them.

   That having been said, here's some detail to help remove Microsoft Networking from your WAN card:
      First, you must be able to identify which hardware, from the operating system point of view, is connected to your cable modem. It could be a NIC (Network Interface Card) mounted in one of the slots inside the computer, or a USB (Universal Serial Bus) port with an RJ45 adapter, depending on the interface you chose to connect to the cable modem. If you have only one computer on the cable modem, the correct hardware should be easy to find.
   If you have a LAN (Local Area Network), then you probably also have some proxy software set up. The proxy software would let the other computers on the LAN get to the Internet through the computer with the cable modem. Examples of proxy software include Microsoft ICS (Internet Connection Sharing- from Windows 98 Second Edition and Windows 2000), WinProxy, etc. The proxy software will probably be set up to use two pieces of hardware (typically NICs), one for the WAN and one for the LAN. So be sure the correct hardware is identified before proceeding.
   Having found the correct hardware which is connected to the cable modem, you'll need to check your network settings to see what protocols are "bound" to that hardware. In the Windows 9x, NT and 2000 family of products, use these menu commands to get started:
Start->Settings-> Control Panel-> Network
In the Windows 9x family of products, look at the items listed in the 'Configuration' tab, where the information window has this text above it: "The following network components are installed:". If you see entries like these:
         IPX/SPX- compatible Protocol
         Intel xyz Ethernet NIC NetBEUI
         Intel xyz Ethernet NIC NETBIOS
         support for IPX/SPX- compatible Protocol
         Intel xyz Ethernet NIC
and the "Intel xyz Ethernet NIC" is the hardware WAN card connected to the cable modem, delete those entries!
   To delete the unwanted entries, select the entry and click on the 'Remove' button. While you're at it, you can also delete entries like these:
      IPX/SPX... Protocol
         AOL Adapter
      IPX/SPX... Protocol (any dial up adapter)
         NetBEUI... AOL Adapter
         NetBEUI... (any dialup adapter)
      NETBIOS... Protocol
         AOL Adapter
      NETBIOS... Protocol
         (any dial up adapter)

   Be sure to leave a setting like this:
       TCP/IP Intel xyz Ethernet NIC
if the "Intel xyz Ethernet NIC" is the hardware WAN card connected to the cable modem.

   You're almost done now...
Select this setting next:
TCP/IP -> Intel xyz Ethernet NIC
Again, assuming the "Intel xyz Ethernet NIC" is the hardware WAN card connected to the cable modem. Then click on the 'Properties' button. Go to the 'Bindings' tab and make sure this box is empty:
File and printer sharing for Microsoft Networks
If you make changes, be sure to 'OK' them as required and re-boot if prompted.

Disclaimers:
Since security is an important subject, let's be clear. I'm providing free advice here. I don't work for SonicWall or Cablevision. I don't sell their products and I'm not formally representing their products here. Use the vendor's published product specifications and warranties. There are other ways, not described in this message, that people can get your data, your financial information, your personal information, etc. Neither I, nor the owner of this web site accept any liability if you have problems based on the information I've provided. If you have a lot at risk, you should periodically pay for an expert's help and implement their recommendations. With technical things moving at Internet speed, sometimes even good advice can get old quickly.

A request:
If you wish to forward this information to anyone else, please keep it intact and please also include my e-mail address. No spam, please. Feedback, anyone? If anyone finds this information useful, please let me know :)
      -Rich

Edited for HTML format by Steve Zambori
July 18, 2000