Firewalls and Cable Modems





Purpose of this Paper

This document is intended to provide a lightly technical, yet easily understandable overview of firewalls and how they relate to Cable Modem Internet connections.

Before we start I would like to clarify the term hacker. A hacker is a person who likes to dig in and analyze computer systems. A hacker is not a bad person, just someone interested in finding out how and why a system works. A malicious hacker is a person who likes to hack systems for destructive, disruptive and often illegal purposes. When I use the term hacker in this article I will be referring to a malicious hacker, unless the context indicates otherwise.



Cable Modems vs DSL

Cable modems and DSL are two types of connections that fall into the "always on" category, although the two technologies are quite different. In a home environment DSL is typically implemented as ADSL or, more often, "DSL Lite". The many variants of DSL differ mainly in speed and in the allowed distance from the telephone switch. DSL gives you a private connection to the Internet. The home version usually uses DHCP, meaning your computer is identified on the Internet by an address that is not permanently assigned to you. The IP address is issued according to a time lease (often 24 hours), but can be renewed on an ongoing basis. Cable modems use DHCP as well. One way to throw off a hacker who has targeted you is to change your IP address. Windows 95/98 offers an easy tool to accomplish this, called WINIPCFG, which can be typed in at the RUN prompt from the START menu. Once it is started, just select RELEASE ALL, then RENEW ALL. Depending on the DHCP server configuration, this will usually provide a new IP address (some servers hand the same address back to the same machine, so check that it really changed). The malicious hacker will no longer have your machine's address and will have to restart the process of locating you, assuming this is not a random attack.

The use of DHCP is about the only similarity between the two access methods. Cable modem connections are not a direct link to the Internet. They place you on a local network much like those used in any business or in many homes. Basically you are connected to a 10 Mb/s LAN that is shared with other customers in your physical neighbourhood. This is a very important point when considering both speed and security. The local network shares the cable that connects through the ISP (i.e. Shaw or Rogers) just as you share the cable within an office environment. This means not only that the advertised 10 Mb/s is for the neighbourhood, not just your machine, but also that the other customers in that loop are sitting on the edge of your connection. Hacking into a coworker's machine, or sniffing passwords off a shared segment, is a much simpler matter than cracking a remote site. Fortunately for users of Windows 95/98, one of its saving graces is that as a single connected machine without File and Print Sharing enabled, it is a pretty secure box. This is only true if no other computers are connected to it and if it does not run any services such as Personal Web Server. Unfortunately, many people turn on sharing or, even worse, use it as a web server (or run other services). It does not have the security required to stop a direct attack. Attaching to a computer in your cable loop takes only a few steps. If the services are running and not even password protected (yes, this is common, to allow easy in-house sharing) an average user can be in your PC in a moment. A password will present the more ambitious (or curious) hacker with a challenge, but not much of one given most people's password creativity, especially if you are known to the would-be attacker.



Which Operating System can I use?

Providing services such as web or FTP servers should be left to systems with strong security models. There are a number of options depending on finances and user knowledge. Windows NT, whose successor is Windows 2000, has such a security model. The user interface is similar to Win95 but the systems are not related at all. It is relatively easy to configure, has the doors wide open by default, will stop the novice hacker (and often the experienced one as well), is very resource intensive and costs a lot. Another alternative is Linux, a freely distributed, Open Source, Unix-like operating system. There are many 'flavours' of Linux such as RedHat, Debian and Caldera. They are all similar in features as they are all based on a common kernel. The choice is personal. Linux is fast, runs on minimal hardware, is extremely stable and offers features no Microsoft system comes close to. There is even a free firewall system that runs on a condensed version of RedHat; it can run on a 486 66 MHz with as little as 16 MB of RAM and no hard drive, booting from a floppy and residing entirely in RAM. The other end of the scale is also free and based on RedHat. It is a large system that runs on a fast Pentium or better with lots of RAM. It provides email, web, FTP etc. and is self configuring. The Linux environment may appear a little daunting at first, but once you become familiar with it, anything else is a step down and costs too much.

The floppy based cable modem firewall is available from Edge FirePlug (http://edge.fireplug.net)
The full blown Network Appliance is available at e-smith

As far as Windows based home use firewall products go, I am unfamiliar with what is available these days. However, a few words of caution. Firewalls must be configured correctly or they are of no value. Some ship with all services open, others with all services blocked, and often logging must be turned on or you will not even know someone is attacking you. One shareware product, WinGate, was shipping with logging turned off, and although it would block Telnet sessions to the box itself, it would silently let a hacker bounce off your machine and attack another from there, in effect acting as an open proxy. Without logging this meant a malicious hacker's trail would lead back to, and end at, your WinGate machine. Explain that to the authorities! Hopefully this has been rectified in subsequent versions.



What Tools are Available?

The tools a malicious hacker uses to search for vulnerabilities are often the same tools that administrators and other good hackers use to test their networks. The most common tool is called a network scanner. Basic scanners report which services are reachable on a server or firewall; more sophisticated scanners attempt to gain access through a firewall by launching attacks based on known vulnerabilities. They can be set to use brute force or stealth modes. They can report the type of operating system used, whether any services run with special privileges, or any number of other useful tidbits. If you have a firewall or any computer with an always-on connection, run a scan against it from another location (a scan from inside your own LAN tells you nothing about what the Internet can see). Then turn off every service it finds except those absolutely required; you can always turn them back on if needed. Remember, if there are holes, someone will find them, it may as well be you.

A starting point to find a Windows scanner would be WinFiles
One of the most popular UNIX/Linux scanners is called SATAN, available at fish.com. Unlike most of the Unix/Linux scanners, it is web browser based.
nmap, a powerful UNIX command based scanner is available at insecure.org
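To show what the most basic form of scanner described above actually does, here is a small TCP connect() scanner. It is an added example, not code from the original page or from any of the scanners named above. It starts a throw-away "service" on 127.0.0.1 (constructed here, standing in for a daemon on your box) so it runs offline; the same scan() can be pointed at your firewall's outside address from another location.

```python
"""Minimal TCP connect() scanner: the check a basic network scanner
performs, reporting which ports accept connections and whatever banner
the service volunteers. Added example, not code from the original page.
The listener below is a constructed stand-in for a real FTP/SSH daemon."""
import socket
import threading


def start_banner_service(banner: bytes) -> tuple[socket.socket, int]:
    """Start a throw-away TCP service on 127.0.0.1 that greets each client
    with `banner`, as an FTP or SSH daemon would. Returns (server, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:         # server socket closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_closed_port() -> int:
    """Return a loopback port that nothing is currently listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def scan_port(host: str, port: int, timeout: float = 0.5) -> tuple[bool, bytes]:
    """Full TCP connect to host:port. Returns (open, banner). A closed port
    answers with a reset (connection refused); a port the firewall silently
    drops just times out, which is how a scanner tells 'closed' from 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:             # refused, unreachable or timed out
            return False, b""
        try:
            banner = s.recv(128)    # grab whatever the service says first
        except OSError:
            banner = b""
        return True, banner


def scan(host: str, ports) -> dict[int, bytes]:
    """Scan the given ports; return {port: banner} for those that accepted."""
    found = {}
    for port in ports:
        is_open, banner = scan_port(host, port)
        if is_open:
            found[port] = banner
    return found


if __name__ == "__main__":
    srv, port = start_banner_service(b"220 homebox FTP server ready\r\n")
    for p, banner in scan("127.0.0.1", range(port - 2, port + 3)).items():
        print(f"{p}/tcp open  {banner.decode(errors='replace').strip()!r}")
    srv.close()
```

The banner is the interesting part: a service that announces its name and version tells the scanner (and the attacker) exactly which known vulnerabilities to try, which is why the advice above is to turn off everything the scan finds that you do not need.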

Be leery of file-sharing services such as Napster, where you allow others to read files on your system. Who are these people anyway?



Maintenance

It seems almost every day someone discovers a new security vulnerability. This information is made available to the public so those involved in network security can be kept up to date. Vendors release patches, fixes or workarounds as soon as possible, and the information is freely available to anyone with email or a web browser. It is important that you keep a lookout for issues that affect your systems. Just to drive this home, in 1998 two boys broke into a US Department of Defense site using a vulnerability in a Sun Microsystems Solaris system. A patch for the security hole had been on Sun's patch site for over two years before the attack. In 1999 Microsoft issued 61 security bulletins, Sun 11, Hewlett Packard 16 and RedHat 8. This was not all, nor is it a comparison of systems; it is just to show that there are issues and there are fixes, but it is up to you to maintain your own equipment. Security does not stop when the firewall is installed.



DDNS and DHCP

On a brighter note, if you have a domain registered and don't want to pay extra for a static IP address, you can still use the domain name by registering with a free Dynamic DNS service. e-smith, mentioned above, comes configured for one of them. The site is not too informative but it works; check it out at yi.org. Each time your IP address changes, just visit the site and it will (almost) automatically update the Internet DNS servers so your site can be found by your registered domain name. The domain name is the Internet name we use to identify sites such as RedHat.com, IBM.com or SolarFlare.bc.ca. The www in front of these names just identifies the host that serves the web pages; it could be any label, as in edge.fireplug.net.



Where to locate a Firewall

The home implementation can take one of three forms. The first, which I would never recommend, is to place firewall software on your workstation. This may be tempting if there is only one computer being used. The problem is that performance will be impacted severely and it does not allow you to segregate protected from unprotected resources. Everything is right there, protected only by the firewall software, and if the workstation itself is compromised (by a bad download, say) the firewall running on it goes with it.

The second option is likely the best solution, but of course is the most expensive. This would be to use a complete network appliance combining a hub with a firewall. The prices are coming down on these devices as home networks increase in popularity. One such appliance is an Ethernet switch to plug your PCs into, with a port for the cable modem (or other outward) connection as well. It runs RedHat Linux on a chip (RedHat is used in many "embedded systems"). Last I heard these devices were about the price of a mid-range Pentium III computer.

The most common firewall implementation is to put the firewall on a computer that sits between the cable modem and your home network. This is commonly referred to as "the man in the middle" (in the benign sense here: a box you control that all traffic must pass through). Using an old 486 and a ThinLinux configuration like the FirePlug mentioned earlier (http://edge.fireplug.net), a fairly robust system can be set up at minimal cost. It requires two network cards, a floppy drive and 16 MB or more of RAM. One network card connects to the modem and the other to your regular computer or, if more than one PC is in use in your home, to a hub which links the other computers together. Keeping the two sides on separate cards is what makes the segregation real: if the cable modem and your PCs shared one hub, traffic could reach the PCs without ever passing through the firewall. Network cards (NICs) cost between $35 and $60 each and a home use hub runs about $50 to $80. Ideally the 486 would be a PCI based machine with a DX66 or faster processor.



Sharing an IP Address with NAT

Typically Internet providers assign one address to you, usually changing it periodically via DHCP as mentioned earlier. To put a home network onto the Internet with only one IP address you use what is referred to as a gateway; in our case the firewall will also act as the gateway. The gateway is just what it sounds like: the common way in and out of your network. A firewall almost always acts as a gateway, but a gateway does not necessarily provide security, so it need not be part of a firewall.

The gateway uses the assigned IP address for itself, since it is visible to the Internet and must have a legitimate address. As machines on your home network request access to the Internet, the gateway sends the requests out on their behalf. It keeps track of which machine asked for which information (by rewriting the source address and port of each outgoing packet and remembering the mapping) and redirects the replies as they come back in. This process is called Network Address Translation, or NAT. A useful side effect is that an outside machine cannot start a connection to an internal one unless the gateway has been explicitly told to forward that traffic.

Your local computers will still need IP addresses, but you can use any numbers as long as you follow the IP addressing rules. (There are other ways to identify your internal machines, but for this discussion let's stick with TCP/IP and IP addresses.) Having said that, I would suggest you use one of the three series of numbers that have been reserved for private use and are not routed on the Internet. The ranges are listed in the chart below. If you are unfamiliar with how IP addresses and subnet masks are used or the rules around them, please seek additional information before attempting this. Luckily, many firewalls will automatically provide addresses to your internal network, just the way your Internet Service Provider automatically provides one to you and all their other customers. If you run any servers or network-connected printers you will want to assign them permanent addresses. I believe both e-smith and FirePlug provide some details to assist with this.
If these addresses or subnet masks are assigned incorrectly you may find your internal devices will not communicate with each other.


Private IP Address Ranges

Range                          CIDR             Network Class
10.0.0.0 - 10.255.255.255      10.0.0.0/8       one class A network
172.16.0.0 - 172.31.255.255    172.16.0.0/12    16 class B networks
192.168.0.0 - 192.168.255.255  192.168.0.0/16   256 class C networks


Information on private IP addresses can be found in RFC 1597 (since superseded by RFC 1918, which reserves the same three ranges) at the following site http://www.cis.ohio-state.edu/hypertext/information/rfc.html
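The NAT bookkeeping described above, together with the private-range check and the subnet-mask pitfall, as an added example. This is not code from the original page, e-smith or FirePlug. Every address in it is constructed: 203.0.113.7 stands in for the one public address the ISP leased to the gateway, 198.51.100.20 for a web server somewhere on the Internet, and 192.168.1.x for the home LAN.

```python
"""A NAT gateway in miniature, plus the private-address check. Added
example, not code from the original page or any product it names.
Addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three ranges reserved by RFC 1597 / RFC 1918 (the chart above).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the reserved, non-Internet-routed ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def same_subnet(a: str, b: str) -> bool:
    """Two interfaces given as 'address/prefix' (e.g. 192.168.1.10/24) can
    talk directly only if address+mask place them on the same network; a
    wrong mask is the usual reason 'my internal devices cannot see each other'."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Rewrites outgoing packets to the one public address and maps replies
    back to the internal machine that asked for them."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (internal ip, internal port, remote ip, remote port)
        self.by_public_port: dict[int, tuple[str, int, str, int]] = {}
        self.by_flow: dict[tuple[str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> Internet: replace the private source with the public
        address and a port of our choosing; remember the mapping."""
        if not is_private(pkt.src):
            raise ValueError(f"{pkt.src} is not an internal address")
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(flow)
        if port is None:                      # first packet of this flow
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_public_port[port] = flow
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> internal: deliver only if the packet answers a flow an
        internal machine started; anything unsolicited has nowhere to go."""
        if pkt.dst != self.public_ip:
            return None
        flow = self.by_public_port.get(pkt.dport)
        if flow is None:
            return None                       # nobody inside asked for this
        int_ip, int_port, dst, dport = flow
        if (pkt.src, pkt.sport) != (dst, dport):
            return None                       # reply from the wrong peer
        return Packet(pkt.src, pkt.sport, int_ip, int_port)


if __name__ == "__main__":
    gw = NatGateway("203.0.113.7")
    out = gw.outbound(Packet("192.168.1.10", 1025, "198.51.100.20", 80))
    print("sent as     ", out)
    print("reply goes to", gw.inbound(Packet("198.51.100.20", 80, "203.0.113.7", out.sport)))
    print("unsolicited: ", gw.inbound(Packet("198.51.100.20", 80, "203.0.113.7", 40999)))
```

Two internal machines using the same local port get different public ports, which is how the gateway tells their replies apart; a packet from the Internet that matches no remembered flow is simply dropped, which is the "free" protection NAT gives a home LAN. Running a server behind NAT means adding a fixed mapping for its port by hand, which is exactly why the page suggests giving servers permanent addresses.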


Where to put the Server

Ideally a publicly available server, be it WWW, email or FTP, should be on a machine on the outside of the firewall. This is the safest location in terms of protecting your site. As long as you have the data backed up or duplicated on machines inside, let the hackers attack the symbolic sacrificial lamb. That allows you to deny all access from outside the firewall, or at least restrict it to a few trusted machines (identified by IP address, which, as discussed below, can be spoofed, so do not rely on that alone). Of course, connections originating from inside, such as a web page request from your browser, would be allowed back in.

Realistically, most home users cannot afford to have a dedicated web server sitting on the outside of the firewall. Not only would there be the cost of the computer, but an additional IP address would be required (see NAT above). The next best solution would be to incorporate the firewall and the web services onto one system. The reasoning here is to avoid allowing the public access through the firewall into your private network. Be aware of the trade-off: a hole in the web server is now a hole in the firewall itself, so keep that server patched (see Maintenance) and run it with the least privilege the system allows. Combining these features onto one machine will also eliminate the option of running a diskless firewall such as FirePlug, and will bump up the hardware requirements, depending on how much traffic your site will have. You want to avoid paying for a high speed connection only to have it funnelled through a busy, slow machine. In this scenario lots of RAM, processing power and a fast hard drive are desirable.

The last option would be to have the web services running on a machine inside the firewall. This would be best on a dedicated machine, but if you have one I suggest putting it outside. So you have a computer inside the firewall that the general public, or select computers/users, can access. Again, when you sit down to work on this machine it may perform poorly if it is low on RAM and processing power; RAM will probably be the bigger issue. The firewall can be configured to allow only specific traffic through and only to specific machines. If you choose this method be very thorough when configuring the firewall and test it exhaustively, including a scan from outside, to detect errors before opening it up to the public. Most security breaches are due to configuration errors, not shortcomings in the software or operating systems.



How Firewalls work

There are a few different types or levels of security provided by firewalls. There are also two main categories they fall into: hardware or software based. The strongest, fastest and most expensive is a hardware solution. This is usually a proprietary piece of equipment that does the work in dedicated chips. Hardware solutions are very reliable but would not be feasible, price wise, for a home or small business. Most firewalls are software based, which provides a more cost effective solution. Many software based firewalls run on their own custom operating system, usually based on Unix or Linux. This allows the designers to remove all but the necessary components, leaving a more streamlined, faster system with far less code exposed to known security issues. Some of the lower end firewalls ride on top of an existing installed computer, which of course is the least secure as well as the least expensive.

Firewalls, of whichever design, monitor the traffic entering, and often leaving, a network. The information travelling over a TCP/IP network such as the Internet is divided into what is typically referred to as packets. Consider each one an envelope of data: the outside carries the source and destination addresses and port numbers, the inside carries the data. Firewalls use a set of rules to decide whether a packet should be allowed through or not. A very basic firewall looks only at the packet's destination. The destination is a port number, or service number, that tells the computer the packet is for a particular application type. For example, data for a WWW page is directed to port 80, which most firewall configurations will allow through. If it was destined for a different port or service, such as port 21 (FTP), it may be rejected, depending on the rules. Most filters check their rules in order and the first match wins, so a sensible configuration ends with a rule that denies everything not explicitly allowed. That is all a very basic firewall does, although most will be much more discriminating about what gets in or out.

One old trick is to forge the source address of a packet so that it appears to come from a computer inside the network or from a trusted computer at a remote site. This is referred to as IP spoofing, and any modern firewall should protect against it: a packet arriving on the outside interface that claims an inside (or private) source address is a lie and should be dropped and logged. Data does not usually arrive in a single packet; it is split into a series of packets, the number depending on the amount of data being transferred. A basic filter judges each packet on its own, looking only at the destination port or service. Stronger firewalls perform what is referred to as stateful inspection: they remember which connections have been opened, and from which side, and admit a packet only if it belongs to a connection that was legitimately started (for example, a reply to a web request that originated on your LAN). Some go further and inspect the application data inside the packets, checking that what flows over port 80 really is HTTP, for instance. There are different levels of inspection that determine how much is examined before a decision is made, and the deeper it goes the more processing it costs. Dedicated hardware firewalls and routers do this quickly because the work is done in silicon; in a software firewall deeper inspection costs throughput, which matters more as the link speed grows.

IP packets may also be fragmented in transit and arrive in any order, to be reassembled by the receiving host. Only the first fragment carries the TCP or UDP header with the port numbers, so a filter that judges each fragment on its own cannot inspect the later ones. Attackers exploit this by sending packets marked as non-initial fragments (or overlapping fragments that rewrite the header on reassembly) to slip data past a port-based filter. More sophisticated setups either reassemble the fragments before applying their rules or simply drop fragments they cannot inspect.

There are many possible rule sets controlling a firewall. At a minimum they look at which service the transmission is connecting to. The more thorough ones base the decision on the validated source address, the complete packet sequence (the connection's state), the destination service, the intended action and any number of other criteria.

A home use system should definitely check the destination service (web, FTP, email etc.) and protect against spoofing. Those two features, coupled with a restrictive list of allowed services, should protect you against random attacks. This does not protect you against attacks such as DoS (Denial of Service), which is the bombardment of packets that eventually overwhelms the receiving machine or fills the connection. Those levels of protection are very expensive and hopefully not necessary.
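The decisions this section describes (a port-based rule list ending in a default deny, the anti-spoofing check on the outside interface, stateful admission of replies to connections opened from inside, and refusal of fragments whose headers cannot be inspected) as one toy packet filter. This is an added example, not code from the original page or from any firewall product. The LAN range 192.168.1.0/24 and the addresses in the test are constructed, and address translation is left out so the filtering logic stays visible.

```python
"""Toy packet filter for the home policy discussed on this page. Added
example, not code from the original page or any firewall product. The
inside network and every address used are constructed; NAT is omitted."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed home LAN


@dataclass(frozen=True)
class Packet:
    iface: str            # "ext" = cable-modem side, "int" = home LAN side
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP connection-opening segment
    frag_offset: int = 0  # non-zero: a later fragment, carrying no TCP/UDP header


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    iface: str                  # interface the packet arrives on
    dport: Optional[int] = None # None matches any destination port


class Firewall:
    def __init__(self, rules: list[Rule]) -> None:
        self.rules = rules
        # connections opened from inside: (src, sport, dst, dport)
        self.established: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> tuple[bool, str]:
        """Return (allowed, reason) for one packet arriving on an interface."""
        # 1. Anti-spoofing: a packet from the Internet that claims an inside
        #    source address is forged, whatever port it is aimed at.
        if pkt.iface == "ext" and ipaddress.ip_address(pkt.src) in INSIDE_NET:
            return False, "spoofed inside address on outside interface"
        # 2. Only the first fragment carries the port numbers, so a port-based
        #    filter cannot judge the rest. A real firewall reassembles first;
        #    dropping what it cannot inspect is the simple safe choice.
        if pkt.frag_offset != 0:
            return False, "non-initial fragment, ports not inspectable"
        # 3. Stateful check: remember connections opened from inside and let
        #    their replies back in even though no static rule allows the port.
        if pkt.iface == "int" and pkt.syn:
            self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        elif pkt.iface == "ext" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.established:
            return True, "reply to connection opened from inside"
        # 4. Static rules, first match wins, then default deny.
        for rule in self.rules:
            if rule.iface == pkt.iface and rule.dport in (None, pkt.dport):
                return rule.action == "allow", f"matched {rule}"
        return False, "default deny"


def home_firewall() -> Firewall:
    """The home policy described above: anything may go out, only the web
    server port may be reached from outside, everything else is refused."""
    return Firewall([
        Rule("allow", "int"),        # all outbound traffic from the LAN
        Rule("allow", "ext", 80),    # the public web server
        Rule("deny", "ext"),         # everything else from the Internet
    ])


if __name__ == "__main__":
    fw = home_firewall()
    for pkt in (
        Packet("ext", "192.168.1.5", 1234, "192.168.1.1", 80),              # spoofed
        Packet("ext", "198.51.100.20", 5555, "192.168.1.1", 80),            # web hit
        Packet("ext", "198.51.100.20", 5555, "192.168.1.1", 21),            # FTP probe
        Packet("int", "192.168.1.10", 3000, "198.51.100.20", 443, syn=True), # we open
        Packet("ext", "198.51.100.20", 443, "192.168.1.10", 3000),          # its reply
        Packet("ext", "198.51.100.20", 443, "192.168.1.10", 3000, frag_offset=8),
    ):
        print(fw.decide(pkt), pkt)
```

The order of the checks matters: the spoofing and fragment tests come before the rule list so that a forged or uninspectable packet can never be rescued by a permissive port rule, and the state table is consulted before the static rules so that replies need no standing hole in the policy.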






original document created by Pete Nesbitt, May 2000