Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Which is more secure: cable or DSL?

    Scheduled Pinned Locked Moved Off-Topic & Non-Support Discussion
    17 Posts 7 Posters 5.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K Offline
      kejianshi
      last edited by

      DSL people used to say that DSL was more secure because cable was basically a neighborhood loop that busybody neighbors could snoop into.  At least it was implied.  But I don't believe this to be true.  As far as I know the neighbors activity can only affect your available bandwidth, not your security.

      DSL is usually less reliable and slower but can't say its more secure.

      1 Reply Last reply Reply Quote 0
      • KOMK Offline
        KOM
        last edited by

        They're talking about the old days.  Many years ago (15-20), I could open up Network Neighbourhood in Windows and see other people's PCs and printers.  It was wide open.  These days, ISPs are a bit smarter and have closed those holes.

        1 Reply Last reply Reply Quote 0
        • C Offline
          cmb
          last edited by

          Yeah it was a different situation 15-20 years ago. That's long since changed.

          1 Reply Last reply Reply Quote 0
          • jimpJ Offline
            jimp Rebel Alliance Developer Netgate
            last edited by

            You'll still see all sorts of DHCP chatter on Cable though that isn't on DSL (depending on the implementation) :-)

            Both can be made more (or less) secure depending on the ISP and the type of roll-out.

            As cmb said, if it leaves your location, it's untrusted. It doesn't matter if it's Cable, DSL, Metro-E, a point-to-point leased line, or a direct wireless link. It cannot be trusted.

            And in some cases it can't be trusted locally, either.

            /adjusts tinfoil hat

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • K Offline
              kejianshi
              last edited by

              If you aren't paranoid you are not paying attention…

              1 Reply Last reply Reply Quote 0
              • C Offline
                charliem
                last edited by

                This document from CableLabs gives a hint at just how easily your traffic can be covertly monitored / captured on a cable modem: http://www.cablelabs.com/specification/cable-broadband-intercept-2-0-specification/

                Granted, that's only when the cable operator is presented with 'proper authorization', but I'm afraid that bar is frighteningly low

                Appropriate Legal Authorization: A Broadband Intercept Order or other authorization, pursuant to [18 U.S.C. 2518], or any other relevant federal or state statute

                Not to pick on the cable modem guys, I'm sure there are equivalent standards for intercepting all other data & voice transmissions, but this is written right into the DOCSIS standard.

                1 Reply Last reply Reply Quote 0
                • DerelictD Offline
                  Derelict LAYER 8 Netgate
                  last edited by

                  CALEA reaches all technologies.  Encrypt and authenticate.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  1 Reply Last reply Reply Quote 0
                  • K Offline
                    kejianshi
                    last edited by

                    Correct…

                    1 Reply Last reply Reply Quote 0
                    • M Offline
                      Mr. Jingles
                      last edited by

                      Thank you all for your replies, much appreciated  :-*

                      I should have stressed that I am not thinking about if my ISP can monitor what I am doing, I know he can since all data goes through his machines.

                      My concern was/is more if my neighbor, living next door, can easily sniff what I am doing since we are on the same 'LAN' segment (node).

                      So what I understand right now is: I still don't know  ;D

                      So, it appears under DOCSIS 2.0 sniffing the neighbor would have been rather easy, according to this DefCon talk:

                      Youtube Video

                      (Which, btw, is not what is said in this 14 years old thread: http://arstechnica.com/civis/viewtopic.php?t=1047846. Back in 2000, apparently they already said/thought the traffic on the 'LAN' is encrypted such that only the intended recipient, casu quo my modem, can take it in/out, all the others on the segment can not decode the traffic that passes all modems in the segment, only the intended recipient can).

                      Under DOCSIS 3.0 it should be more difficult, 'provided the ISP has set up everything correctly'. Sure, but how would I know that?

                      (Your average ISP, at least over here, is as un-customer-friendly as can be, and one indicator for that is the people they put on the support departments to answer calls from customers: "information will be provided on a need to know basis only', and asking about how they have set up anything appears 'not need to know'.)

                      Then again, in this DefCon talk, of which I do understand very little, it seems suggested DOCSIS 3.0 isn't secure either (and I've learned using cable phone seems a bad idea too):

                      Youtube Video

                      (DefCon presentation sheets can be found here, btw: https://www.defcon.org/html/links/dc-archives/dc-18-archive.html).

                      Now this is interesting too:

                      First of all its true about cable internet. It all passes down the same cable/line. But mostly the isp give you the cablemodem. Witch should be locked by them and should block the sniffing by default. If you want to sniff it you would need hack inside the modems first and then alter to allow all traffic to get to your sniffing box

                      (https://forums.hak5.org/index.php?/topic/28465-how-to-stop-a-sniffer-wout-breaking-his-nose/)

                      It is interesting, because: it appears only two months ago a customer of the largest cable ISP over here just discovered some nasty details in the appliances this cable ISP hands out:

                      http://userbase.be/forum/viewtopic.php?f=50&t=42216

                      Unfortunately, this thread is in Dutch which will make it difficult for you all to read. What I've understood from it this customer was able to 'break into his own box', and then sniff his own traffic, capture his own phone calls, install backdoors and root kits, and he is worried about tcpdump being installed on it by default and that there is a telnet running on WAN by default:

                      even ter verduidelijking dit werkt enkel op men eigen modem ik kan niets doen met andere modems … ==> Just to be sure, I can only do this on my own modem

                      dit wordt via de config files in de modem beveiligt enkel als je van de telenet  management ip range komt kan je met andere modems praten ... ==> This is being secured through config files; 'only if you arrive from the ISP's management ip-range are you allowed to other modems'

                      deze hack is een probleem om de volgende redenen ==> This hack is a problem for these reasons:

                      • je kan telefoon gesprekken en internetverkeer afluisteren ==> You can sniff phone and internet traffic
                      • je kan malware in de modem plaatsen ==> you can put malware on the modem
                      • je kan de telenethomspot sniffen die normaal volledig gesheiden is  ==> You can sniff the hotspot, which normally is a fully separated network
                      • je kan wifi keys uit de modem leezen ==> you can read the WIFI-keys
                      • je kan de firewall aanpassen ==> You can change the firewall
                      • je kan firmware downloaden van telenet servers ==> You can install firmware
                      • je hebt full root acces ==> You've got full root access

                      Ik heb ook de bootloader unlocked dus in theory kan ik zelf custom firmware flashen naar de modem ==> I also unlocked the bootloader so theoretically I could flash custom firmware to the modem

                      Now, three key points are:

                      • He says he can only do it for his own modem;
                      • He is talking about the 'all in one appliance', e.g. router/modem/WIFI; I have modem only, so being the noob that I am I'm not sure which part is relevant for me;
                      • He has worked with the ISP to fix these problems, and apparently a firmware patch has been rolled out around now.

                      (After which he discovered another problem: he is able to access any customer's modem based on the WIFI SSID ::) ).

                      In the end, I wanted to know this as my VDSL-ISP is making a mess of things, and, of course, the 'customer support' is denying everything. So I pay for 30/2, yet get 17/1,5. For the same money, I can get 160/10 on cable, so I was thinking to make cable my primary WAN, and VDSL my backup WAN (which is the exact opposite of what it is right now).

                      And so I still don't know if my neighbor, next door, who also has cable, can sniff my traffic. 'It depends', it seems, on my ISP. Who just was caught having so it seems very buggy / insecure modems.

                      What would you all do if you would be in my shoes?

                      (Yes, ask for a new brain, I know  ;D But I can't be blamed for that: I simply was last in line when they handed out the brains  ;D ).

                      Thank you for your comments,

                      Bye,

                      6 and a half billion people know that they are stupid, agressive, lower life forms.

                      1 Reply Last reply Reply Quote 0
                      • DerelictD Offline
                        Derelict LAYER 8 Netgate
                        last edited by

                        I have a DOCSIS3 cable modem connection from Cox and a DSL connection from CenturyLink both going through an outside switch on blank VLANs to pfSense WAN ports.  I would be happy to take some packet captures for comparison.

                        I am not equipped to take ATM samples on the provider segment of the DSL modem nor DOCSIS samples from the coax going to the cable modem provider (the provider sides of the DSL/Cable Modems).  Those would probably be far more interesting.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • K Offline
                          kejianshi
                          last edited by

                          Anything is secure if pfsense is sitting on the other side and the installer is semi-competent.

                          1 Reply Last reply Reply Quote 0
                          • M Offline
                            Mr. Jingles
                            last edited by

                            @kejianshi:

                            Anything is secure if pfsense is sitting on the other side and the installer is semi-competent.

                            That was not the subject, the subject was before pfSense can do it's thing  ;D

                            6 and a half billion people know that they are stupid, agressive, lower life forms.

                            1 Reply Last reply Reply Quote 0
                            • M Offline
                              Mr. Jingles
                              last edited by

                              @Derelict:

                              I have a DOCSIS3 cable modem connection from Cox and a DSL connection from CenturyLink both going through an outside switch on blank VLANs to pfSense WAN ports.  I would be happy to take some packet captures for comparison.

                              I am not equipped to take ATM samples on the provider segment of the DSL modem nor DOCSIS samples from the coax going to the cable modem provider (the provider sides of the DSL/Cable Modems).  Those would probably be far more interesting.

                              Thank you  ;D

                              I only understand half of what you are writing, remaining the proud noob that I am  :P

                              ( :-[ ).

                              Do you want me to capture something which you can then analyze? How would I need to provide you with the information you need?

                              Btw, this I found intriguing:

                              [quote]I have a DOCSIS3 cable modem connection from Cox and a DSL connection from CenturyLink both going through an outside switch on blank VLANs to pfSense WAN ports

                              You don't have cable and VDSL in two NIC's, but on VLAN's? I am trying to understand how that would work in the first place, as I don't get any further with my knowledge than:

                              Cable/VDSL-modem => pfSense NIC's => WAN1/WAN2 => (V)LAN => Switch => machines

                              But you have(?):

                              Cable/VDSL => Switch => (V)LAN => ?

                              6 and a half billion people know that they are stupid, agressive, lower life forms.

                              1 Reply Last reply Reply Quote 0
                              • DerelictD Offline
                                Derelict LAYER 8 Netgate
                                last edited by

                                No, they're on physical ports.  Could be VLANs though.

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                1 Reply Last reply Reply Quote 0
                                • M Offline
                                  Mr. Jingles
                                  last edited by

                                  Well, given I can't find anymore info on this, I decided to 'take the dive'. I've ordered 160 Cable, and will use this to swap my VDSL to be the backup, and cable the primary one. Total costs stays the same, so let's hope this helps fixing my ISP-crap.

                                  Thank you all for commenting  ;D

                                  6 and a half billion people know that they are stupid, agressive, lower life forms.

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.