Broadband Internet security over ADSL, Cable, ...

Dear all professionals,

What is the security difference between ADSL, Cable and leased Internet connectivity?

I would appreciate it if you could share your knowledge and experience with me in comparing the security aspects of each of the mentioned broadband access technologies, or send me web links to useful documents that discuss the topic.

Grateful and Thanks.
ISPs usually don't provide security for end-users, be they business users or home users. Some ISPs install firewalls or filters to limit damage to their internal network, which, although not designed to do so, sometimes have security benefits for end-users. But ultimately, the security of your own network is up to you and should be within your control. That's usually the stance ISPs take too.

In terms of gaining access to the copper or fibre cable for wiretapping, DSL and leased lines are pretty much alike. At the end of the day, it's still a cable running from the exchange, through various junction boxes, and into your premises. The main difference is the telco's termination equipment at each end.

However, if you're going for a *big* leased line (over 2Mb), some telcos might be persuaded to install a microwave link between your premises and the exchange. This is a bit more secure, as there are fewer physical access points.
Well, depends...

Once you have been connected (logged on), security is 100% the same. You are a TCP/IP node and have to make sure that traffic between you and other nodes is as you want it - restricted by firewalls, DMZ etc.

There might be differences in security in order to get connected; these apply more to 'home' subscriptions than to business subscriptions. E.g. for cable usually no logon is needed, for ADSL with our local providers you _do_ need to logon in order to activate the line after startup of the workstation.

Hope this helps,

<Erik> - The Netherlands
Yup, once you're connected and logged in, there's no difference in security.

On a more "paranoid" level, all three types of connection will go through wiring panels, switches, etc. that are shared with other connections and services (eg. voice) and could be accessible by a number of personnel. So even in terms of wiretapping or eavesdropping, there's still no difference.
The above is so paranoid it almost scares me :)  I agree fully with the statements already made, security (on the WAN side) is going to be dependent on the platform and software that you are running.  The way protocols such as TCP/IP are set up is that most of the time the actual hardware medium will be irrelevant.  The characteristics of a type of connection (also stated above) could be a factor concerning security onsite.  Great stuff guys, hope it helps.
Actually, there is a big difference.

Getting your data with DSL or leased lines involves some illegal activity like tapping the line or social engineering the telco.

With Cable, all your data is broadcast to everyone on the same cable segment (usually everyone on your block or something like that) without them having to do anything special.

That's not to say you should assume DSL and leased lines are secure and Cable isn't, but you should know that there's a different level of effort involved in cracking things, at least on the near end.
> With Cable, all your data is broadcast to everyone
> on the same cable segment (usually everyone on your block
> or something like that) without them having to do anything special.

This statement is not true, at least with the Terayon cable-modem, which does encryption of all the data leaving your computer.
dicksonay (Author) commented:
So how about the difference of security nature between DSL and leased line access?

thanks for all.
dicksonay, cable, DSL... IMO are just means to "get on the internet". There is no inherent security, it is simply network connectivity. The security comes from how & what you do to limit access to & from the internet for your connection. I think a good analogy would be.. Is it safer to plug your radio into a power socket in the kitchen or the living room ?
-Leased lines are a different story.. Typically when someone refers to a leased line, it is a connection that exists from one office to another & is not tapped into anywhere else... It's a private line. Sort of like as if you ran a cable from your house to your neighbor's & hooked up a radio.. It's very safe & secure because there are only 2 end-points therefore no way to be hacked. In the old days when people would ask for leased lines typically what they would get is a private connection using x25 frame relay, which is excellent for serial networking.
-When you say leased line to the kind of destroys the whole security aspect of a private connection & becomes a question of semantics.. In the way you're using the terms "leased line" again there is no inherent security & is simply another type of network technology used to access a public network.

-You should choose whatever gives you the most bang for the buck & purchase a firewall for the security portion.  
I've heard of ADSL internet providers that use NAT (Network Address Translation) with their own internal IP addressing scheme. It stops users running web servers from home, but it also slows down some hackers.

The ISP will have a gateway or proxy of some kind with a "real" IP address. The client will be assigned an IP address that will work within the ISP's systems but isn't recognised on the Internet (eg. 10.x.x.x). NAT bridges the gap for outgoing connections.

Clients with leased line routers are often permanently assigned "real" IP addresses as needed. This usually means one for the router, plus one for each server (mail, web, etc.). PCs on the client's LAN (eg. for web browsing) are expected to have a "local" IP address and go through a device with NAT such as a router, proxy server or firewall.

In reality, you would probably want to install a firewall on both types of connection, which makes the above comparisons somewhat redundant. :o)
yeah i would collaborate and support a few statements that there are some significant differences...

as calabrese noted the broadcast vs _switched_ architectures (although some providers do use encryption on the cable side)

the other stemming from the fact that cable is typically a pppoe connection using a virtual mac address (this typically limits the capability for internal lans using nat as stated by beluga)

from my experience, the provider hardware with cable is less secure than dsl, both in terms of physical security and network lockdown.

naming and addressing conventions are generally predictable for both technologies.

cable providers tend to filter nbt traffic better.

cable providers that implement dhcp, permit traffic from windows hosts to be source routed via icmp/arp attacks.

dicksonay (Author) commented:
Yes, it's all true.

In fact, I am interested in what security solutions are being implemented by ISPs in order to minimize unauthorized access (from both external and internal attacks) to their clients' networks, especially for those non-business users without a security device at home.

Also, does that mean using a DSL topology for accessing a private network is at the same security level as a leased line connection? I am wondering if a private leased line also faces the risk of line tapping activity, like DSL.

many thanks for all of your comments.
Yes, private DSL links have roughly the same level of privacy as leased lines.  Which is to say, it's fine for most things, but not sufficient to protect things like medical records or sensitive financial data (US financial regulations require encryption over leased lines, for example).

It's all too easy to listen in on a leased line or DSL link through physical wiretapping,  or by social engineering the Telco into putting you on the same private network (yes, this has really been done).

The question is the value of the data you're trying to protect vs. the cost of obtaining it.
my DSL provider adds an extra level of security through DHCP, my IP address changes every 5-10 minutes. Great if you are just using the connection for surfing, but no good at all if you want to serve anything using the connection.

you *really* need a firewall between your router and local network...nuff said
> my IP address changes every 5-10 minutes.

That is _VERY_ weird.

The DHCP-client on your computer will send a "renew" request
when the current license has aged to 50% of its value,
so you should be keeping the same IP-address,
because your computer keeps "renewing" it,
as long as it is running.

Even when your license "expires", most DHCP-servers
will grant you the _same_ IP-address, if you try to
renew soon after the expiry.

What ISP do you have?
Does 'WINIPCFG /ALL' show a changing IP-address?
What is the duration of the lease?
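
The renewal behaviour described in the comment above, as an added example that is not part of the original thread: it classifies consecutive DHCP lease acknowledgements and flags address changes that happen before the lease would even reach its renewal time. The event records, addresses and function names are constructed for illustration; the 50% (T1) and 87.5% (T2) timers are the RFC 2131 defaults.

```python
from datetime import datetime

def dhcp_timers(lease_seconds):
    """RFC 2131 defaults: renew (T1) at 50% of the lease, rebind (T2) at 87.5%."""
    return lease_seconds * 0.5, lease_seconds * 0.875

def audit_leases(events):
    """Classify each consecutive pair of lease acknowledgements.

    events: list of (iso_timestamp, ip, lease_seconds), oldest first.
    Returns (timestamp, old_ip, new_ip, seconds_held, verdict) tuples.
    """
    findings = []
    for (t_prev, ip_prev, lease), (t_now, ip_now, _) in zip(events, events[1:]):
        held = (datetime.fromisoformat(t_now)
                - datetime.fromisoformat(t_prev)).total_seconds()
        t1, _t2 = dhcp_timers(lease)
        if ip_now == ip_prev:
            verdict = "renewed"                # normal: client kept its address
        elif held < t1:
            verdict = "changed-before-T1"      # client had not even tried to renew yet
        elif held < lease:
            verdict = "changed-before-expiry"  # renewal refused or client restarted
        else:
            verdict = "changed-after-expiry"   # lease ran out, new address is expected
        findings.append((t_now, ip_prev, ip_now, int(held), verdict))
    return findings

# Constructed sample: what a client with a one-hour lease might record.
SAMPLE_EVENTS = [
    ("2001-03-05T12:00:00", "203.0.113.10", 3600),
    ("2001-03-05T12:30:00", "203.0.113.10", 3600),  # renewal at T1
    ("2001-03-05T13:00:00", "203.0.113.10", 3600),  # renewal at T1
    ("2001-03-05T13:07:00", "203.0.113.57", 3600),  # new address after 7 minutes
    ("2001-03-05T15:00:00", "203.0.113.80", 3600),  # client was off past expiry
]

if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_EVENTS):
        print(finding)
```

An address that changes before T1 is not explained by ordinary lease ageing, which is why the lease duration and the actual addresses are the first things to check.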

ouch...i wouldn't say that this increases security, it just closes one door and opens another.

dhcp itself presents a major security issue.  the increase in requests/allocations just adds to the likelihood of someone exploiting these weaknesses.

if such a short interval of ip reassignment existed on a shared resource (cable), it would be scary what could be done.  ease of consumption of the original pool...route all traffic through host x...resolve all names from host y.  it wouldn't matter that the ip may or may not be changing; as there would be no control over the route and destination of traffic.
dicksonay (Author) commented:
OK since cable will cause exposure of personal privacy to other users in the same cable segment, for sure it is better to encrypt data before sending it out to cable. But finally I want to make sure whether someone can use that kind of LAN monitoring software to capture my data over a DSL line?
No, they can't use such LAN monitoring software to capture your data over a DSL line at _your_ end.  What they can do anywhere else in the connection is entirely a different matter.

Bottom line is that you need to use encryption if you're sending very sensitive data over any network that's outside your direct physical control (i.e., there are parts you can't see from your desk and aren't locked in a closet), or when sending medium-sensitivity data over the Internet (even with DSL, since you can't control what's in the middle and possibly not the other end).
> cable will cause exposure of personal privacy to other users in same cable segment

No.  This is not always true.

Would you also say "every automobile-driver always exceeds the speed-limit" ?

Neither statement is always true -- there is nothing inherent in either cable-modem networks or automobiles which causes such results.
There is something inherent in cable-modem networks that exposes your data.  Some carriers supply their users with cable-modems that are set up to block snooping of other people's data, but this is easily gotten around.  A very few operators use encryption, which is not so easy to get around (depending on how they do it, but it's going to be a lot harder in any case).
A followup ... imagine the wide-spread press-coverage there would be if cable-modem networks were "insecure".

Any computer-cracker (private or US Secret Service) could "sniff" your E-mail ID and your E-mail password, and intercept your E-mail.

I guess that it is possible that cable-modem networks are insecure, and the USA government is suppressing all media-reports and/or shutting-down any web-sites and/or online discussions that are trying to "blow-the-whistle" on this lack of security.   :-)

Actually, most cable modem networks are insecure.
And the cable providers have all kinds of warnings in their literature.
And there are lots of known break-ins.
And the press has covered it.
But most people don't care because they take the attitude of "it will never happen to me".
> Actually, most cable modem networks are insecure.

Your source for this statistic?

Actually, all cable-modem networks are secure,
from the "head" through the network to each cable-modem,
i.e., a cracker cannot access any of the cable-company's systems,
nor access any cable-modem.

> And the cable providers have all kinds of warnings in their literature.

True, but only because the client's computer which is
connected to a cable-modem is not always "secure".

> And there are lots of known break-ins.

I log 20 to 50 attempts per day.
I don't log the "successful" break-ins.  :-)

> But most people don't care because they take the
> attitude of "it will never happen to me".

I disagree.

Most people just don't know enough about "computers" and "security".  
To them, a computer is an "appliance" -- they use the
keyboard and the mouse, and that's it.
They enable "file and print sharing",
and fail to set a password,
or they install Windows NT Server (or Windows 2000 Server)
and they don't realize that they are running SMTP,
DNS, and HTTP servers.
They open virus-infected attachments.
They don't spend the money on a virus-scanner.

It is "ignorance", rather than a "don't care" attitude, which causes the insecurity.

dicksonay (Author) commented:
If there is no built-in encryption mechanism in the cable-modem, all sent content (including non-sensitive information, such as online chatting etc. or your logon info for this site without SSL) can definitely be exposed to other parties in the same network segment.

Will all cable network providers seriously look into this matter, and ensure a highly secure encrypted access environment?
