Web security



Dave Zellers
05-31-2018, 12:18 AM
Another one bites the dust.

So a thread about web page pop-up ads slowly evolves into a web security discussion, and a moderator shuts it down. Presumably because it became too personal between two members. Perhaps because it strayed too far off topic from the original post but I've never understood why threads are not allowed to evolve. The offended member stated his desire to end his participation so I really didn't see any problem.

Anyhoo, Web security is extremely important and I for one would like to see this topic continue to be discussed.

So please, those who know, and those who want to know, continue.

My question is this- We have chosen to not cut the cord and stay within the Comcast system. We use their provided router. Is it safe to assume that there is a level of protection within that sphere? IOW, if their routers were to be compromised, I would assume they would notify me, and if possible, issue a patch or at the very least, a heads up and then eventually a new router.

Is this naive?

Nicholas Lawrence
05-31-2018, 6:44 AM
Comcast sells a lot of different products in a lot of different markets. The best you will get here is some informed speculation. If you really care about it you should call and ask them.

My guess would be no, you are putting too much faith in them. I have had wireless routers from service providers dating back to about 2003 or so. I have never had any of them call, email, or do anything to indicate the security was obsolete, hacked, etc.

Roy Petersen
05-31-2018, 7:38 AM
The offended member stated his desire to end his participation so I really didn't see any problem.
My apologies (pretty sure that was me). It did stray from the topic, and probably should have been split to a new thread, but mods have the final say.

My question is this- We have chosen to not cut the cord and stay within the Comcast system. We use their provided router. Is it safe to assume that there is a level of protection within that sphere? IOW, if their routers were to be compromised, I would assume they would notify me, and if possible, issue a patch or at the very least, a heads up and then eventually a new router.
I'd like to think they would, but I'd say there's a better than average chance they won't unless someone finds a weakness and makes it very public. They might then be shamed/forced to provide a fix. Much more likely they'd give the least expensive advice of powering down frequently. Another site I saw went further and stated you should also hit the reset button on the device, which would wipe settings along with cache (if any). No chance I'll be recreating all my settings each day (even to restore saved ones from a file).

Personally, I don't trust that the cable company has my best interest at heart, so I use my own modem and router with them. I simply looked to see what model was compatible, what level of DOCSIS they're on (they were on 2, I bought one with 3 for future expansion) and so on. That's the public-facing device (Dlink, which has a simple firewall). Behind that (in between the modem and me) is an ASUS router. I use that to provide the splitting of service to all local gadgets. It has all sorts of built-in goodies like another firewall that help. Lastly, on all PCs and laptops behind it, another firewall.
Maybe that's enough. ;)

roger wiegand
05-31-2018, 8:07 AM
I've never had any cable company ever upgrade or update a router voluntarily. I assume they do the absolute minimum possible. I connect my FIOS router to my own firewall and then everything else to that.

My older Netgear firewall was damaged in a recent thunderstorm and I'm thinking of replacing it with one of these (https://www.amazon.com/Ubiquiti-Unifi-Security-Gateway-USG/dp/B00LV8YZLK). I recently switched my wifi APs to the Ubiquiti Unifi products and am very happy with the performance and ability to now roam seamlessly throughout the house and shop. Thought it might make sense to keep it in the family and administer everything from the Unifi controller.

Jim Becker
05-31-2018, 10:12 AM
You cannot depend upon your ISP to do very much relative to "protecting" the gateway/router from a notification standpoint. Once in your home, "you" are the administrator. It's your responsibility to install a strong password on it, re-boot it from time to time and in the case of Comcast, decide if you want to turn off the "public" Xfinity WiFi feature, etc. Most ISPs will still have management access to a device they provide and will likely from time to time force firmware upgrades, but otherwise, you have to be vigilant yourself.

Some folks do choose to purchase and install 3rd party gateway/routers for their home networks for more flexibility, but before doing so, be sure to check that this will not materially affect other features you may be subscribing to. Some ISPs, for example, require "their" gateway/router to be in the network to provide information to the TV STBs (set top boxes) or to support mobility features to devices, etc., In a few cases, the ISP-provided gateway/router must be first in line from the demark of the home to provide those services.

Pat Barry
05-31-2018, 10:42 AM
I have no clue about how to change the password on my router. It's already a 14-digit random number and alpha sequence that came with it. Is that the password that the hackers already know and is easy to exploit? I can't imagine coming up with anything more complicated.

Bob Grier
05-31-2018, 10:43 AM
If living near or in an area that has TV stations, I just don't understand why people pay for cable TV. It seems to me that entertainment can be streamed across the internet and live TV for sports and news can be had for free using an antenna. There are other alternatives, often less expensive, for phone, security, entertainment, email and other bundled extras. Also, alternatives to these bundled features are often less expensive and have better function. Better routers can be had for home networking than the modem/routers supplied by Comcast or any other cable company.

Stephen Tashiro
05-31-2018, 11:50 AM
In the 1980's it was well known among the security conscious that someone with the proper equipment and proximity to your location could spy on what your computer monitor was showing. That was before the days of LCD monitors and wireless networks. I wonder if old fashioned analog snooping is obsolete.

Dave Zellers
05-31-2018, 12:02 PM
Our only choices for internet access are Comcast or a dish. A dish would be a major downgrade from cable. We've done the math- (and so has Comcast) once we pay Comcast for internet access, adding third party phone and TV options does not really save very much over just getting Comcast's triple play when you honestly include all the extra costs involved. And if a piece of hardware does fail, they replace it for free. There is a Comcast retail office 20 minutes away staffed with very friendly folks. We are too far away to get any over the air TV and streaming wouldn't work without a solid internet connection so once we pay for that, the triple play makes the most sense for us.

Plus- is it possible to have a DVR that is independent of the service provider?

Derek Meyer
05-31-2018, 2:40 PM
The most widely-known DVR that is independent of the service provider is Tivo. The units use a cablecard that is supplied by your cable company and have their own guide and service for getting programming. They are great units - I have one in my bedroom and one in my living room. They are expensive, though. You also need to subscribe to the Tivo service to get software and programming updates. On the plus side, they work with all cable providers and you don't have to rent a set-top box from the cable company. Cablecard rental is typically much less expensive than the set-top box rental.

Carlos Alvarez
05-31-2018, 2:50 PM
You asked three different questions, I'll try to hit them all with some basics. I've been a network and systems engineer for a bit over 30 years. All of this applies to basic home and small business routers, not commercial/enterprise gear.


Is it safe to assume that there is a level of protection within that sphere?

For the most part, yes. A router with NAT (all home routers) offers absolute protection against anything from outside. Unless it has a defect. But a properly-working NAT router simply has no inbound access.


IOW, if their routers were to be compromised, I would assume they would notify me,

Very unlikely. They probably wouldn't know, and if they did, they might do nothing anyway.


and if possible, issue a patch or at the very least, a heads up and then eventually a new router.

Patches would come from the manufacturer, and generic ISPs like Comcast pretty much never update them.


If you really care about it you should call and ask them.

Don't do that. The person you talk to may know less than you do, and will just give you a party line with zero knowledge. You will NOT get a correct answer.


I wonder if old fashioned analog snooping is obsolete.

Pretty much, yes. WPA2 is currently considered uncrackable.

I agree with the other comments about paying for cable/satellite. Just don't get it. We dropped it over ten years ago, maybe 15. We stream on OUR schedule with no ads. I'm not willing to watch an ad or watch something live on someone else's schedule. It's not the paleolithic era.

Curt Harms
06-01-2018, 6:40 AM
The most widely-known DVR that is independent of the service provider is Tivo. The units use a cablecard that is supplied by your cable company and have their own guide and service for getting programming. They are great units - I have one in my bedroom and one in my living room. They are expensive, though. You also need to subscribe to the Tivo service to get software and programming updates. On the plus side, they work with all cable providers and you don't have to rent a set-top box from the cable company. Cablecard rental is typically much less expensive than the set-top box rental.

We recently went from Verizon Fios gear to Tivo. If I did the math correctly, the payback was less than 2 years with 3 TVs. Tivo also has streaming apps so don't need something like Roku or Chromecast. I find myself watching Amazon Prime video far more than 'network' TV. I can't swap out a failed unit for free but the most likely to fail component is the hard drive and it uses a commodity hard drive, no special firmware so it's easy to swap out. I'm happy with our bargain so far.

As to Dave's question about secure devices, it's possible to add a second Router/Wireless Access device 'downstream' from the cable provider's router/modem. Turn off services you don't trust on the cable company's device and use your preferred device.

Dave Zellers
06-01-2018, 9:29 AM
As to Dave's question about secure devices, it's possible to add a second Router/Wireless Access device 'downstream' from the cable provider's router/modem. Turn off services you don't trust on the cable company's device and use your preferred device.

WHOA! I did not know that. That will also help with our weakish signal in our bedroom. I'll be doing that since I have the router already.

Pat Barry
06-01-2018, 10:17 AM
We recently went from Verizon Fios gear to Tivo. If I did the math correctly, the payback was less than 2 years with 3 TVs. Tivo also has streaming apps so don't need something like Roku or Chromecast. I find myself watching Amazon Prime video far more than 'network' TV. I can't swap out a failed unit for free but the most likely to fail component is the hard drive and it uses a commodity hard drive, no special firmware so it's easy to swap out. I'm happy with our bargain so far.

As to Dave's question about secure devices, it's possible to add a second Router/Wireless Access device 'downstream' from the cable provider's router/modem. Turn off services you don't trust on the cable company's device and use your preferred device.
Curt, please give an example of what services could be turned off and how you can go about doing that. As I mentioned earlier, I don't even know how to change the default password. Thanks

Jim Becker
06-01-2018, 12:35 PM
WHOA! I did not know that. That will also help with our weakish signal in our bedroom. I'll be doing that since I have the router already.

This is a somewhat normal thing for many of us. I have to use a "mesh system" to get wireless throughout our entire home and don't use the ISP-provided gateway/router for wireless at all, both because it doesn't support the more recent speed protocols which our mobile devices do support and because it's in the basement of the 250-year-old portion of our home where the fiber termination is. If you are on Xfinity, Comcast has little "pods" that can be used to distribute signal in areas of the home that have weaker signals, too.

Carlos Alvarez
06-01-2018, 1:08 PM
It's impossible to give a step by step since we don't know what hardware you have. First off, if at all possible, your best bet is to eliminate any carrier-provided equipment. With cable that's normal; you can just go buy a cable modem and hook up your own router. Sometimes you can with DSL, and on FIOS they seem to always provide the hardware. For DSL, the easy trick is to turn on "pass-through" or "bridge mode" or "invisible mode" or similar. Basically telling the carrier-provided modem/router combo to behave as a modem only. Then plug in your own router. I never deal with FIOS so I don't have any recommendations on that, but I'd bet there's something similar.

Keep in mind that most of these issues aren't really a threat to YOU personally. Overall for society there's a problem, but your individual risk level is still very low. If your router is compromised that still won't give anyone access to secure connections such as your bank, or even this site. That data is independently encrypted and nothing on your router can change that.

Jim Becker
06-01-2018, 5:35 PM
Carlos, on FiOS, one can use their own router, but it can set up some limitations. The STBs get guide and VOD information via MoCA and the VZ-provided gateway is the bridge from Ethernet to coax for that communication. (The primary STB can only be on coax, but the small slave units in other rooms can be on Ethernet.) Some folks will use their own gateway/router for primary and just use the G1100 or Actiontec gateway for bridging purposes. Some will invest in a dedicated MoCA bridge, but not many want to spend the money when they already have a device that can be used for this purpose in hand. Further, if one wants to use certain mobility features, the Verizon-provided gateway must be in the primary position, not behind a user-provided gateway/router. These choices may become more difficult in the future, as a recent testing phase for IPTV utilized a combination ONT/gateway router at the fiber demark. While that testing was discontinued and the IPTV shelved for the moment, the fact that they were testing a combination optical interface to the PON and router in the same device speaks loudly.

Folks on Comcast's Xfinity may also have some limitations if they don't use the ISP-provided gateway.

Carlos Alvarez
06-01-2018, 5:44 PM
Carlos, on FiOS, one can use their own router, but it can set up some limitations. The STBs get guide and VOD information via MoCA and the VZ-provided gateway is the bridge from Ethernet to coax for that communication. (The primary STB can only be on coax, but the small slave units in other rooms can be on Ethernet.) Some folks will use their own gateway/router for primary and just use the G1100 or Actiontec gateway for bridging purposes. Some will invest in a dedicated MoCA bridge, but not many want to spend the money when they already have a device that can be used for this purpose in hand. Further, if one wants to use certain mobility features, the Verizon-provided gateway must be in the primary position, not behind a user-provided gateway/router. These choices may become more difficult in the future, as a recent testing phase for IPTV utilized a combination ONT/gateway router at the fiber demark. While that testing was discontinued and the IPTV shelved for the moment, the fact that they were testing a combination optical interface to the PON and router in the same device speaks loudly.

Folks on Comcast's Xfinity may also have some limitations if they don't use the ISP-provided gateway.

Thanks for the details. I work in commercial networking and just have never played with FIOS. My brother has it and I forget to even look at the gear. For residential, around here, coax still rules. Gigabit down, 35 up. I'd love to get more upload since I sometimes move large files to our servers from home.

From a support perspective, we randomly have issues with customers who use stacked routers (ISP router plus personal router) if they don't put the ISP router in bridge or pass-through mode. This causes double NAT, and while in theory that's acceptable, in reality it causes issues sometimes. Particularly with VoIP phones.

Curt Harms
06-02-2018, 6:45 AM
Curt, please give an example of what services could be turned off and how you can go about doing that. As I mentioned earlier, I don't even know how to change the default password. Thanks

WiFi, for starters. The device we have for Verizon FiOS is fairly basic, 2.4 GHz wifi only, and we live in a townhouse community. The 2.4 GHz band is pretty crowded and the 5 GHz band is virtually empty. The router that is downstream supports 5 GHz and 'virtual' wifi networks so I use those. I can also vary the wifi transmit power, so I turn it down so I get good wifi throughput but the signal doesn't carry far beyond our 4 walls. That may or may not be seen as a benefit depending on your needs and desires. I've selected a 3rd party DNS provider that can help a little with security. Lots of inexpensive things you can do to make yourself not the low hanging fruit for those of ill will. There are people on here far more knowledgeable than me.

Dave Zellers
06-02-2018, 11:06 AM
From a support perspective, we randomly have issues with customers who use stacked routers (ISP router plus personal router) if they don't put the ISP router in bridge or pass-through mode. This causes double NAT, and while in theory that's acceptable, in reality it causes issues sometimes. Particularly with VoIP phones.

After adding my router last night, it worked fine at first but when I woke up this morning, I could not access the internet on my phone. It didn't matter which wi-fi network I joined. So I removed my router and things are back to normal. I spent some time on my Comcast account online and can't find anything about setting their router for pass-through. Is this a switch or a software adjustment?

Curt Harms
06-07-2018, 8:55 AM
After adding my router last night, it worked fine at first but when I woke up this morning, I could not access the internet on my phone. It didn't matter which wi-fi network I joined. So I removed my router and things are back to normal. I spent some time on my Comcast account online and can't find anything about setting their router for pass-through. Is this a switch or a software adjustment?

This sounds like a problem Carlos mentioned with VoIP. "Stacking routers" can also cause problems if both have DHCP enabled; you can only have one DHCP server per LAN. Maybe if you can put the Comcast device in pass-thru or bridge mode, it may work. We have Verizon FiOS which may work somewhat differently. The ONT (Optical Network Terminal) has a separate output for phone and hooks into the existing phone wires. The Verizon tech I talked to made it sound like Verizon FiOS phone service is sort of a POTS/VoIP hybrid. I don't know how Comcast works.

Carlos Alvarez
06-07-2018, 11:46 AM
This sounds like a problem Carlos mentioned with VoIP. "Stacking routers" can also cause problems if both have DHCP enabled; you can only have one DHCP server per LAN. Maybe if you can put the Comcast device in pass-thru or bridge mode, it may work. We have Verizon FiOS which may work somewhat differently. The ONT (Optical Network Terminal) has a separate output for phone and hooks into the existing phone wires. The Verizon tech I talked to made it sound like Verizon FiOS phone service is sort of a POTS/VoIP hybrid. I don't know how Comcast works.

I didn't say anything about DHCP, I said NAT. You can have multiple DHCP servers on a network (and I do). Since DHCP doesn't cross routers, if you have two routers in series, you can and should have it enabled on both. If you put the ISP-provided router into its transparent mode, then that automatically disables both NAT and DHCP, as well as all routing. The device becomes just a media converter and not a router.

Curt Harms
06-07-2018, 11:58 AM
I didn't say anything about DHCP, I said NAT. You can have multiple DHCP servers on a network (and I do). Since DHCP doesn't cross routers, if you have two routers in series, you can and should have it enabled on both. If you put the ISP-provided router into its transparent mode, then that automatically disables both NAT and DHCP, as well as all routing. The device becomes just a media converter and not a router.

I read someplace - don't remember where - that there should only be one DHCP server per network. Guess not.

Carlos Alvarez
06-07-2018, 12:06 PM
I read someplace - don't remember where - that there should only be one DHCP server per network. Guess not.

I don't know how technical you want to get, but the basics... If you have two, there's the potential for some issues. That's mitigated by proper configuration. Even with a random out-of-the-box config, the way most home routers work, it should be fine. Since a network can't really work for the users without DHCP, I put at least two of them on every business network I design. So you probably heard the advice based on the fact that if you don't know what you're doing, you MIGHT end up with problems.

But again, not routers in series. In series, the DHCP cannot pass through the routers to the next one. So you still only have one DHCP server "per network" because in this context the networks are separated by routers. If you have two in PARALLEL, then they are both on the same network.

Either way, all the issues I talked about are because of NAT, not DHCP. I'm happy to cover their details if anyone cares, but many times I make people's eyes glaze over getting too technical.

Jim Becker
06-07-2018, 1:15 PM
I'm of the notion that for "most people" in a home network environment, one actual gateway/router with DHCP is a best practice to keep things simple and "less mysterious". Any other devices that are not endpoints should be passive/transparent/bridged and only provide a particular service, such as wireless access. But I also agree with Carlos that there are circumstances where having multiples is warranted. One example might be where there is a separate "guest network", with the operative idea being "separate network". And Carlos's example of having more than one DHCP for resiliency is quite common on business networks.

Carlos Alvarez
06-07-2018, 1:39 PM
I'm of the notion that for "most people" in a home network environment, one actual gateway/router with DHCP is a best practice to keep things simple and "less mysterious". Any other devices that are not endpoints should be passive/transparent/bridged and only provide a particular service, such as wireless access. But I also agree with Carlos that there are circumstances where having multiples is warranted. One example might be where there is a separate "guest network", with the operative idea being "separate network". And Carlos's example of having more than one DHCP for resiliency is quite common on business networks.

Totally agreed.

Also just realized nobody answered this:


can't find anything about setting their router for pass-through. Is this a switch or a software adjustment?

It's a checkbox in the router software. Here's an example of one such change: https://actiontecsupport.zendesk.com/hc/en-us/community/posts/115009656006-How-to-Bridge-the-Actiontec-MI424WR

Dave Zellers
06-07-2018, 9:21 PM
Totally agreed.

Also just realized nobody answered this:



It's a checkbox in the router software. Here's an example of one such change: https://actiontecsupport.zendesk.com/hc/en-us/community/posts/115009656006-How-to-Bridge-the-Actiontec-MI424WR

Thanks for that. I'm working on it and have found a few web pages that might help but they are 3-5 years old and might not be relevant anymore. Also, I have bigger fish to fry right now- I gotta get the garden planted! :p

Curt Harms
06-08-2018, 5:51 AM
I don't know how technical you want to get, but the basics... If you have two, there's the potential for some issues. That's mitigated by proper configuration. Even with a random out-of-the-box config, the way most home routers work, it should be fine. Since a network can't really work for the users without DHCP, I put at least two of them on every business network I design. So you probably heard the advice based on the fact that if you don't know what you're doing, you MIGHT end up with problems.

But again, not routers in series. In series, the DHCP cannot pass through the routers to the next one. So you still only have one DHCP server "per network" because in this context the networks are separated by routers. If you have two in PARALLEL, then they are both on the same network.

Either way, all the issues I talked about are because of NAT, not DHCP. I'm happy to cover their details if anyone cares, but many times I make people's eyes glaze over getting too technical.

I think you've hit it, at least in my case. The 2 devices are connected LAN port to LAN port. I tried LAN to WAN but was never able to print from a machine connected to the other router.

Carlos Alvarez
06-08-2018, 1:41 PM
but they are 3-5 years old and might not be relevant anymore. Also, I have bigger fish to fry right now- I gotta get the garden planted! :p

Nothing has really changed in this area. Well, there may be cosmetic changes to the menus and such, but the functionality has always been the same.

Just now planting? We're well into our second harvest!

As far as the issues of LAN-WAN-LAN-WAN or LAN-LAN-WAN... Back to back routers, in series, where one's WAN goes to the other's LAN port, allow you to add another router if you want to ignore the ISP-provided router. But yeah, anything connected to the ISP router cannot see anything behind your router. On purpose, by design. It's a good cheap way to have a "guest" network that can't see your network. Connecting the LAN ports together puts two DHCP servers on the same network, and creates a variety of potential problems. You really need to understand networking to do this.
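A quick way to tell from a client machine which of the topologies Carlos describes (ISP router still routing in front of a personal router, i.e. double NAT, versus a single NAT router) you actually have: count how many of the first traceroute hops are RFC 1918 private addresses. The script below is an added example for this thread, not something posted by any participant; the hop addresses in the comments and test are constructed, and it assumes the hop list comes from the address column of `traceroute -n`.

```sh
#!/bin/sh
# Added example (not from the thread): classify the path from a host to the
# internet as no-NAT, single-NAT or double-NAT from the leading traceroute hops.
# Each private hop before the first public one is a router doing NAT between
# you and the internet; two of them is the "stacked router" case.
# Caveats: carrier-grade NAT (100.64.0.0/10) is not counted here, and a hop
# that times out ("*") ends the count early, so treat the verdict as a hint.

# Return 0 if $1 is an RFC 1918 private IPv4 address, 1 otherwise.
is_private_ip() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[0-1].*) return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Print how many leading hops (given as arguments, in path order) are private.
# Counting stops at the first public hop or anything that is not an address.
leading_private_hops() {
    n=0
    for hop in "$@"; do
        if is_private_ip "$hop"; then
            n=$((n + 1))
        else
            break
        fi
    done
    echo "$n"
}

# Map the private-hop count to a verdict string.
nat_verdict() {
    case "$(leading_private_hops "$@")" in
        0) echo "no-nat" ;;       # host has a public address itself
        1) echo "single-nat" ;;   # one router (e.g. ISP gateway in bridge mode + your router)
        *) echo "double-nat" ;;   # ISP router still routing in front of yours
    esac
}

# Live use (needs network; not exercised by the test). Constructed sample output
# for a stacked-router setup would give hops 192.168.1.1 10.0.0.1 <public address>:
#   hops=$(traceroute -n -m 3 -q 1 1.1.1.1 2>/dev/null | awk 'NR>1 {print $2}')
#   nat_verdict $hops
```

If the verdict is double-nat, the fix the thread discusses is putting the ISP device in bridge or pass-through mode, after which the same check should report single-nat.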