I don't know if I would agree with that.

Lots of ISPs use RFC1918 addressing AND DNS entries for the management of broadband/ADSL networks. Usually the ADSL/Cablemodem will obtain an RFC1918 address during its bootp process. This is used by network engineers for SNMP and other diagnostic tools. It's kind of handy to have DNS entries for those.

Sometimes the provider does not do a good job and allows those RFC1918 addresses to traverse the bridge so you might see them leaking across occasionally.
============
How secure do you think your traffic is once it leaves your cable/dsl modem?
(short answer, not at all unless it's encrypted and don't believe the MYTHS the ADSL providers will tell you...)

In the case of DOCSIS, it can be much more secure because a private session key is established between the headend router and your modem, however a LOT of these so-called broadband modems are still not encrypting data via baseline privacy.

I have seen successful hack attempts where a hacker coerced his modem into allowing him to run a DHCP server. He set up a scope that was at the top end of his subnet and passed out TWO gateway addresses. The first being his modem, and the 2nd the normal gateway for the subnet. He then set up a sniffer and had access to ALL traffic traversing his node. If his modem became too congested, they would still have the normal gateway so this went undetected for some time....

What if your users are using some of those spyware programs that track what URLs they are visiting? What if they access an "INTRAnet" site and pass along authentication information in the URL? Surely the spyware data miners now have it, and if somebody has tricked you into using the wrong gateway on your node...they probably have it too...
----- Original Message -----
Sent: Friday, January 05, 2001 5:04 PM
Subject: RE: [FW1] Strange Log Entry

I questioned my ISP about the address and here's what they said:

Michelle,
We have a reverse entry for some of our non-routable IPs entered into our DNS server. This is just handy for us internally. So your source is 172.16.1.130.

I guess that explains it.

-----Original Message-----
From: Steven Lee [mailto:[email protected]]
Sent: Thursday, January 04, 2001 4:10 PM
To: [email protected]
Subject: Re: [FW1] Strange Log Entry
First, turn off address resolution... you'll see that t130.uia.net is actually 172.16.1.130 (a private RFC1918 address). Are you using 172.16 as an internal address?

Second, you should tell your ISP that they shouldn't be populating their DNS with A records (and PTR records) for RFC1918 addresses.

Steve
[email protected] wrote:
>
> I'm looking through my FW1 log because our T1 is up and running, but we can't
> seem to get to the Internet, except email. I'm seeing entries in the log such
> as:
>
> Source          Destination
> t130.uia.net    msnbc.com
>
> The source is not from our network and the destination is not to our network,
> so why the heck would that source be coming to us to get to msnbc? BTW,
> uia.net is our ISP.
>
> Any ideas?
>
> Thanks, Michelle
> _____________________
> Michelle Johnston, MCSE4, CNE5
> Network Manager, NHRA
> [email protected]
--
Steven Lee, CISSP
Senior Network Security Engineer
AVCOM Technologies, Inc.
4636 E Marginal Way S, Ste B-100
Seattle, WA 98134-2383
http://www.avcom.com
mailto:[email protected]