














How secure is ADSL?
One of the most popular questions we are asked at Swift is “How secure is ADSL?”
The main security problem with ADSL is that it uses something called a ‘Fixed IP Address’ to connect your computer with the Internet. Every computer needs an IP address to connect to the Internet, but using a Fixed IP means that hackers have a stable address to compromise and exploit. For more information on this go to http://www.hackers.com.
We use an ADSL service provider called COLT telecom, who offer two options: NAT (Network Address Translation) and noNAT. NAT overcomes the static IP address problem by effectively hiding your machine from the Internet. However, NAT also has shortcomings and may not be a suitable option. There now follows an explanation of NAT and noNAT and some information on overcoming the security problems you may encounter.
What is Network Address Translation?
Historically NAT has been known as IP masquerading. Its function is to
allow more than one computer access to the Internet via a single IP address. It does this
by intercepting all packets from a host and re-addressing them with the public NAT interface
address. There are two main methods by which NAT can operate. The first is the more common
and allows for many machines to connect via one IP Address. This is called dynamic NAT.
The other is by using static address mappings, but this requires a range of registered
addresses. External connections can be made when using static NAT.
COLT ADSL supports only dynamic NAT. The benefit of this is that no host from the Internet can make a connection to a host behind a dynamic NAT server. The reason for this is that the private address of the host is not known to the Internet, and the NAT server is unable to pass traffic to a host on the private network. Therefore the dynamic NAT option offered by COLT is a very secure Internet access option. However, it does not provide complete security, as there are other ways to exploit Internet users.
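The Python sketch below is an added example, not code from COLT or Swift. It models the dynamic NAT behaviour described above: outbound packets are re-addressed to the single public address, replies are translated back, and unsolicited inbound packets are dropped because no mapping exists. The class name DynamicNat, the port numbering and all addresses are constructed for illustration, and the model assumes the NAT server matches return traffic on remote address and port.

```python
import itertools


class DynamicNat:
    """Toy model of dynamic NAT: many private hosts share one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self._out = {}  # (priv_ip, priv_port, remote_ip, remote_port) -> public_port
        self._in = {}   # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Re-address a packet leaving the private network; return the new header."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self._out:
            public_port = next(self._ports)
            self._out[key] = public_port
            self._in[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self._out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a packet arriving at the public address, or None if dropped."""
        target = self._in.get((dst_port, src_ip, src_port))
        if target is None:
            return None  # no mapping: the NAT server has no private host to pass it to
        return (src_ip, src_port, *target)


def demo():
    # Constructed sample addresses (private and documentation ranges).
    nat = DynamicNat("203.0.113.10")
    sent = nat.outbound("192.168.1.20", 51000, "198.51.100.5", 80)
    reply = nat.inbound("198.51.100.5", 80, sent[1])        # answer to our request
    unsolicited = nat.inbound("198.51.100.99", 4444, 25)    # nobody asked for this
    wrong_peer = nat.inbound("198.51.100.99", 80, sent[1])  # right port, wrong sender
    return sent, reply, unsolicited, wrong_peer


if __name__ == "__main__":
    for label, result in zip(("sent", "reply", "unsolicited", "wrong peer"), demo()):
        print(f"{label:12} {result}")
```

The dropped cases are also why a mail or web server behind dynamic NAT cannot receive incoming connections.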
What about noNAT?
There are side effects to using dynamic NAT. The problem is that many companies require
incoming data to be directed to hosts such as e-mail and web servers. This creates a
problem. Therefore COLT also offers the non-secure option of noNAT. With this option each
computer connected to the Internet has its own registered Internet address and is therefore
vulnerable.
There are many devices and software packages available that can improve and even ensure the
security of the computers on a network. Most of these devices are highly configurable, but
may be complicated to implement effectively.
Basic Security
There are some basic requirements that should be considered when deploying a security device.
First, the device must be able to stop incoming traffic from reaching secure destination
computers. This is known as packet filtering. It can also stop specific types of traffic
from reaching certain machines, and allow other types of traffic to reach certain machines.
An example of this type of packet filtering is where only e-mail type traffic is allowed to
reach an e-mail server, and all other traffic, such as FTP, is filtered out.
Once this basic packet filtering security is established, there are further augmentations
that can improve aspects of security, which are best discussed when implementing a solution.
Private Wide Area Networks
Because of the inherent insecurity of the noNAT option required for interoffice networks,
it is advisable to implement some kind of private network-tunnelling device. Most security
appliances are capable of this service, known as IPSec tunnelling or VPNs (virtual
private networks). These devices create secure encrypted tunnels across the Internet to
connect different sites together. The data that travels through these tunnels is encrypted
and only the other end of the tunnel is able to decrypt it. This ensures the secure transfer
of data over the Internet.