
Increasing Security of 3Com Dual Link ADSL Modem

Important Notes on "Home Networks" Section of Website:

  • This information was compiled by the author and is provided as a public service. The author is not responsible for any errors or omissions, or for any consequential problems that might result. USE AT YOUR OWN RISK.
  • NO LIABILITY: Use of this information may void your warranty, or cause irreparable harm to your equipment. Changing the configuration of your device may be in violation of your contract with your service provider. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES.
  • PRIVACY POLICY: This site collects no personal information; does not require registration; and does not use browser "cookies."
  • SUPPORT: The author does not have the time to give individual technical support.
  • FEEDBACK: Email comments and suggestions to webmaster@bbarrera.com.

OK, now that legal info is out of the way... This page describes how I disabled features on the modem. This may cause problems for your connection, or may violate your ISP's contract. My intent is to help you understand my thinking process; you'll need to decide for yourself about the security of the modem.

The Dual Link is actually an interesting modem. It supports all three major ADSL transport protocols (PPPoA, PPPoE and Bridged), so if I move or switch ADSL providers it should work. It provides a command line interface with outstanding visibility and flexibility. It provides a simple web interface (but you can't use this while connected to the Internet in PPPoA mode). And it provides a number of built-in services that you would expect to only find on routers.

BUT, it ruins compatibility on the LAN side for PPPoA users by introducing PPPoE:3com.

Motivation

This page has information on how I increased the security of my 3Com ADSL Modem Dual Link ("Dual Link"). Because the Dual Link has a number of internal servers, it could be compromised by hackers (very unlikely given the 'easy target' of an unsecured PC).

This issue became important to me after reading a CERT advisory http://www.cert.org/advisories/CA-2001-08.html and associated details. Well, that and my desire to tweak equipment for better performance and security.

There is no documentation for the Dual Link, but in November 2000 someone from 3Com tech support suggested I read the documentation for a related product (3Com ADSL Modem Ethernet).

Approach

First step is to understand the default configuration of my Dual Link.  Following that, I'll selectively disable capabilities and add security settings.  I used the Dual Link's serial port and HyperTerminal on my Win2k PC. That is the only way to access the powerful command line interface, plus I could interrogate and configure the modem without interrupting my Internet connection. And with a little 'cut & paste' action you get to see my actual dialog with the modem.

After reading the documentation for a related product, I now assume that the Dual Link ships with most remote access capabilities disabled.  This is based on my understanding of the "3Com HomeConnect ADSL Modem Ethernet CLI User's Guide."  I have not tested all the claims made in that User's Guide.

The remote access capabilities and internal servers for http, telnet, and TFTP are my immediate security concerns.  After closing any obvious open holes I may test with a port scanner to verify my actions and understanding of the Dual Link.

I'm running firmware version 1.0.14 at the time this web page was written: 

root> show system

SYSTEM DESCRIPTION
System Descriptor:
3Com HomeConnect ADSL Modem Dual Link V1.0.14,
Built on Apr 17 2000 at 11:41:11.

Default Configuration Settings that Impact Security

I was pleased to find that by default, the Dual Link is fairly secure. Telnet and TFTP must be enabled through access lists, but SNMP was wide open.

The default settings for Command Line Interface (CLI) services are very secure for a home user:

  • CLI password protection is disabled (for serial port connections)
  • no default users (for TELNET access from LAN/WAN)

The security of the default settings for Bridging services can be increased either through filters or by specifying authorized LAN MAC addresses:

  • bridge will pass any LAN MAC address
  • 2 bridge WAN ports configured (only 1 used for Internet connection)
  • No packet filtering on bridge ports

The default settings for Ethernet services are:

  • ARP cache empty
  • No packet filtering on Ethernet interface

To allow remote SNMP and Telnet management of the Dual Link you must configure the unit's TCP/IP stack. The stack can receive packets from any bridge port. The Dual Link will also send syslog information to a pre-defined host.

The Dual Link also includes a standard set of IP utility programs including Ping, Telnet, TFTP, FTP, and Rlogin.  The internal servers for telnet and TFTP are enabled but inaccessible by default.  The internal web server for administration of Dual Link via a web browser is enabled by default. 

The default settings for TCP/IP services are:

  • has a single IP address on private class C subnet
  • no default route (0.0.0.0)
  • no static routes
  • routes for private class C subnet
  • DNS server table empty
  • DHCP server for LAN enabled
  • Web server (http) is enabled
  • TFTP server enabled, with no clients defined (TFTP inaccessible)
  • TELNET server enabled, with no login users defined (TELNET inaccessible)
  • SNMP access is enabled, and SNMP generates authentication traps and Ethernet linkup/linkdown traps
  • Syslog has no IP hosts defined (will not send syslog entries)

Closing Potential Security Holes

Now that default configuration settings are understood, here's my approach to closing potential security holes:

  • Disable IP network and IP address
  • Disable DHCP server (Netgear router provides IP addresses for LAN)
  • Disable HTTP web server
  • Disable TFTP server (overkill because no clients defined)
  • Disable TELNET server (overkill because no login users defined)
  • Disable SNMP
  • Disable SNMP authentication traps
  • Disable SNMP linkup/linkdown traps

Here is what I left open:

  • No CLI password protection, because CLI requires physical access to serial port on modem.
  • No special packet filtering because this is handled by my gateway router. I could have put a spoof filter to reject WAN inbound packets with source address on my home LAN subnet, but I'd rather maintain only one set of filters on the router.

Secure the Dual Link

The changes made with the "disable" command can be reversed with the corresponding "enable" command (and vice versa). The DHCP server can be enabled with the "set dhcp mode server" command.

Disable IP Network 
root> disable ip network ip

Disable DHCP Server 
root> set dhcp mode disabled

Disable Internal HTTP, TFTP and TELNET Servers
root> disable network service httpd
root> disable network service tftpd
root> disable network service telnetd

Disable TELNET access to CLI 
root> disable security_option remote_user administration

Disable SNMP access and traps
root> disable security_option snmp user_access
root> disable snmp authentication traps
root> disable link_traps interface eth:1

Restrict LAN access by Ethernet MAC address
(replace xx:xx:xx:xx:xx:xx with PC or router MAC address)
root> add bridge access_mac_address xx:xx:xx:xx:xx:xx
root> enable bridge access_mac_address

Remember Changes after Modem Loses Power or Reboots
root> save all

How to Identify Default Configuration Settings

In this section I will show the commands used to determine the default configuration settings.  Some of these examples were done after disabling services, so don't assume I captured these before securing the Dual Link.

I've highlighted the command with BOLD font, and items of interest in blue font.

CLI: Disable CLI password protection and verify no Telnet users

root> disable command password
root>
root> list users

USERS
        Login
Name    Service    Status
root>

BRIDGE: Check "Access MAC" mode and addresses

root> show bridge

BRIDGE SETTINGS
Status: ENABLED
Number of Active Ports: 2
Base MAC Address: yy:yy:yy:yy:yy:yy
Base Aging Time: 300
Wan to Wan Forwarding: DISABLED
Access MACs Only: ENABLED
Spanning Tree Mode: DISABLED
SpanningTree Forward Delay: 5
SpanningTree Priority: 32768
root>
root> list bridge access_mac_addresses

BRIDGE ACCESS MAC ADDRESSES
MAC Address
xx:xx:xx:xx:xx:xx
root>

FILTERS: Check for input and output filters

root> list ports

BRIDGE WAN PORTS

Port    Description    Type    VPI    VCI    Status
ISP                    PVC     0      35     ENABLED
root>
root> show port ISP

INFORMATION FOR BRIDGE WAN PORT: ISP
Status: ENABLED
Description:
Input Filter:
Output Filter:

NETWORK PARAMETERS:
Encapsulation: PPP

ATM PARAMETERS:
Circuit Type: PVC (D)
Virtual Path Identifier: 0
Virtual Channel Identifier: 35
Bit Rate: UNSPECIFIED (D)
Peak Cell Rate: 0 (D)
root>
root> show ethernet settings

INTERFACE eth:1 SETTINGS
Description: ETHERNET-T Ethernet Driver
Type: ETHERNET-CSMACD
Speed: 10000000
High Speed: 0
Administrative Status: Up
Operational Status: Up
Link Up/Down Traps: ENABLED
Promiscuous Mode: FALSE
Connector Present: TRUE
Filter Access: ON
Last Change: 0d 00:00:01
Input Filter:
Output Filter:
Physical Address: 00:c0:49:24:0e:60
root>

TCP/IP: Identify basic networking services

root> list ip arp

IP ARP
IP Address    Phys Address    Type    IfName

root> list ip addresses

IP ADDRESSES
                   Bcast    Reassembly
Address            Algo     Max Size    Interface
192.168.100.100/C  1        3468        NONE

root> list ip routes

IP ROUTES
Destination       Prot  NextHop         Metric Interface
192.168.100.000/C Local 192.168.100.100 1      NONE
192.168.100.100/H Local 192.168.100.100 1      NONE
192.168.100.255/H Local 192.168.100.255 1      NONE
255.255.255.255/H Local 255.255.255.255 1      NONE

root> list ip networks

CONFIGURED NETWORKS
Name    Prot Int    State    Type   Network Address
ip      IP   bridge ENABLED  STATIC 192.168.100.100/C

root> list dns servers

DNS NAME SERVERS
Domain Name    Server Address

root> show dhcp server settings

DHCP Server Settings

Status: DISABLED
Start IP Address: 192.168.100.001
End IP Address: 192.168.100.040
IP Mask: 255.255.255.000
IP Router: 000.000.000.000
Lease (seconds): 4800
Host Name: unit
Domain Name: dummy.net
DNS #1: 000.000.000.000
DNS #2: 000.000.000.000
WINS #1: 000.000.000.000
WINS #2: 000.000.000.000
root>

SERVERS: Identify internal servers and status

root> list services

CONFIGURED NETWORK SERVICES
        Server                     Admin
Name    Type    Socket    Close    Status
httpd   HTTPD   80        FALSE    ENABLED
    DATA:

tftpd   TFTPD   69        FALSE    ENABLED
    DATA:

telnetd TELNETD 23        FALSE    ENABLED
    DATA:

root>

SNMP and SYSLOG: Status

root> show security_option settings

SECURITY OPTION SETTINGS
SNMP User Access: DISABLED
Administration by Remote User: OFF
root> show snmp settings

SNMP SETTINGS
Authentication Traps: DISABLED
root>
root> list syslog

SYSLOG SINKS
SysLog    Log Level    Msg Count
root>
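
An added example (not from the original page and not 3Com code): a Python check that reads a saved terminal capture of the commands above, groups the output by the "root>" prompt that produced it (a field such as Status appears under several commands), and reports every setting that differs from the hardened state this page aims for. The function names and the sample capture are constructed for illustration, and the DISABLED wording for link traps is an assumption, since the page only shows that field as ENABLED.

```python
# Values the hardening steps on this page should leave behind, per command and field.
EXPECTED = {
    ("show security_option settings", "SNMP User Access"): "DISABLED",
    ("show security_option settings", "Administration by Remote User"): "OFF",
    ("show snmp settings", "Authentication Traps"): "DISABLED",
    ("show dhcp server settings", "Status"): "DISABLED",
    ("show ethernet settings", "Link Up/Down Traps"): "DISABLED",  # assumed wording
    ("show bridge", "Access MACs Only"): "ENABLED",
}

def split_capture(text):
    """Group output lines under the 'root> command' prompt that produced them."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("root>"):
            current = sections.setdefault(line[5:].strip(), [])
        elif line and current is not None:
            current.append(line)
    return sections

def audit(text):
    """Return findings; an empty list means the capture matches EXPECTED."""
    sections, findings = split_capture(text), []
    for (cmd, field), want in EXPECTED.items():
        fields = dict(l.split(":", 1) for l in sections.get(cmd, []) if ":" in l)
        got = fields.get(field, "").strip() or "not captured"
        if got != want:
            findings.append(f"{cmd}: {field} is {got}, expected {want}")
    for row in sections.get("list services", []):
        cols = row.split()  # Name, Server Type, Socket, Close, Admin Status
        if len(cols) == 5 and cols[4] == "ENABLED":
            findings.append(f"list services: {cols[0]} (port {cols[2]}) is ENABLED")
    return findings

# Constructed sample in the output format shown on this page (not a real capture).
SAMPLE = """root> show bridge
Status: ENABLED
Access MACs Only: ENABLED
root> show dhcp server settings
Status: DISABLED
root> show ethernet settings
Link Up/Down Traps: ENABLED
root> list services
httpd   HTTPD   80        FALSE    ENABLED
root> show security_option settings
SNMP User Access: DISABLED
Administration by Remote User: OFF
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A setting whose command is missing from the capture is reported as "not captured" rather than assumed safe.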

 

Copyright © 2001 B. Barrera & Associates
Last modified: April 26, 2001