TCLUG Archive

Fw: [TCLUG:3292] Security Pointers & DSL questions...



Don't think the list has seen this thread...so I figure I'll post it.  Randy
has some great info on the DSL hook up!


-----Original Message-----
From: Randy Viosca <viosca@visi.com>
To: Scott K. Johnson <skj@visi.com>
Cc: tclug-list@listserv.real-time.com <tclug-list@listserv.real-time.com>
Date: Wednesday, January 13, 1999 3:15 PM
Subject: Re: [TCLUG:3292] Security Pointers & DSL questions...


>"Scott K. Johnson" wrote:
>
>> -----Original Message-----
>> From: Randy Viosca <viosca@visi.com>
>> To: Scott K. Johnson <skj@visi.com>
>> Date: Tuesday, January 12, 1999 8:40 PM
>> Subject: Re: [TCLUG:3292] Security Pointers & DSL questions...
>>
>>
>> >The updated software was supposed to be available back in october, but I
>> >haven't heard of any updates.
>>
>> They didn't make any special mention of it.  My feeling is that the people
>> they have doing the ordering, etc. know less about the stuff than we do...
>
>This is mostly true.
>
>> Is there any way to expedite the order?  They said that it would arrive near
>> 1/26. Can't I go pick it up from them or something???  Or am I just being
>> anally impatient?
>
>Also, the people who did the install knew about the same.
>
>Basically, a communications worker (i.e. POTS [Plain Old Telephone Service]
>person) will come out in a van and hook up the modem. He will have a laptop for
>testing which he will hook up to the serial maintenance port on the modem (you
>can do this as well), and he will verify the line quality by typing a few
>commands to the modem, and if everything's ok, you're set.  TIP: if your wires
>are a mess (i.e. older home) and if you talk nicely to him/her (like to the
>shop keepers in nethack) sometimes they will be nice and clean the brambles of
>wires up for you.  Note that if your line quality is low and you are within the
>wire length limit, they will/should do everything they can to resolve the
>problem.  If the problem is outside the house, i.e. bad bug wire (the line to
>the house from the pole or underground) or sac problems (problems in the
>junction box that serves several houses) they are obligated to fix it free of
>charge.  However, if the problem is inside your house (i.e. noisy telephone,
>bad wiring etc...) then they only have to show that they provide the service to
>your door; after that, there are additional charges. Here's where the niceness
>factor comes in.  They have a couple of meters and some simple equipment that
>they are very good at using to find line/phone problems quickly.  They can
>diagnose which of the lines that fork off the lightning protector (funky looking
>round thing in old homes, or grey plastic box called a Kep-Tel or NID in newer
>homes) are causing the problems.  I happened to be very lucky, they rewired
>the whole mess and put in punch down blocks for each unit (I have a 1914
>duplex), so now I am set up to rewire the whole house with cat 5.
>
>You can't expedite USWest any more than you can expedite city hall.  However,
>if they are still shipping out the modem packs in advance of the installers
>(rather than having the installers bring them with) there is a good chance
>your service may already be working when that UPS package arrives.  USWest
>will notify your ISP (VISI here) and they will enable the connection; nothing
>will happen until USWest notifies VISI.  At that point VISI can tell you some
>rudimentary things about your line.
>
>Hooking up the modem is very simple, it just plugs into the phone line (and of
>course the NIC in your PC).  If your house phone wiring is not a mess (i.e. no
>shorts or problems) you can take the filters that come with the modem and
>install them at each phone. These filter out any noise the phones may be
>generating above 4 kHz, which is where the modem "runs".  Next you plug your
>computer into the serial port on the modem (using the supplied cable) and power
>up the modem.  You can use hyperterm (Windows) or cu or minicom (Linux) to
>connect to the maintenance port of the modem.  You will probably have to tweak
>the port settings, as I recall there is no handshaking, hardware or software.
>Anyways, once connected, get out the manual and figure out how to enable
>RFC1483 Bridging.  At the prompt do something like:
>set bridging rfc1483 enabled
>Note that you may have to log in as root first (on the modem) but I can't
>remember. Instructions for this should be in Chapter 4 of the modem's manual.
>After bridging is enabled, reboot the modem with: reboot.  There are also some
>maintenance commands you can use to check your line quality.  I don't remember
>what they are or how to interpret the numbers that come back.  One of them is
>some kind of line rate value and if it's above 25 it's ok and optimally/rarely
>it's in the 40's. The installers got excited when they did this as mine came
>back in the mid 40's (I almost broke down and served tea and crumpets ;-).
>
>
>> >The 625 they were shipping back in august had busted routing protocol
>> >code forcing us to use the bridging protocol
>> >in the device. The 625 has firmware flash, and Cisco was supposed to
>> >make an update available that
>> >fixes this problem.
>>
>> What is the difference between the two??  I don't know much about the
>> differences between bridging protocol and routing protocol...
>
>Now, it has been a while, but here goes (someone correct me if I am mistaken):
>
>Bridging protocol doesn't do any routing, i.e. when bridging, the modem knows
>nothing of RIP and neither can you set static routes; your default gateway for
>machines on your LAN is set to visi's gateway.  Think of it as one link in a
>bidirectional bucket brigade, your modem becomes an extension of visi's
>network.
>
>With routing protocol the modem acts as a router, it maintains routing tables,
>learns/remembers routes with RIP and RIP2 and you can set/modify certain
>preknown routes with static routing. It understands ARP and proxy ARP, and you
>can set 10 levels of IP filtering. The default gateway for machines on your LAN
>becomes the router's address.  You are your own network and visi's network is
>just one of the many networks available to connect to.
>
>Which brings me to your next question.
>
>>
>> >As an aside, I have heard that the 625 is supposed to be programmable to
>> >do rudimentary firewall activities.
>> >It also has a web interface for configuration that is accessible from
>> >the LAN side, but these only work in
>> >routing mode.
>>
>> That would be very very cool!!!  So, does the modem/router get assigned an
>> IP address, or is it your actual machine?  I'm under the assumption that it
>> is your machine, but then how do you access the 625 to do the firewall
>> activities?  ie, where do you point your browser??
>
>Yes, the modem would need an IP address.  And I was under the impression that
>at visi we all have had 2 bits reserved for each of us for IP addresses.  This
>is 4 values, in binary, the LSBs of which are 11 for broadcast, 00 for the
>netmask, and 01 and 10 for router and static IP for your host ip (don't know
>which is which or if it matters).  Since your modem/router has an IP address,
>you point your browser to it.  Here are some of the features of the router as
>listed in chapter 4:
>Telnet  -- for configuration
>TFTP  -- for transferring configuration data and updating flash
>Web   -- for configuration
>SYSLOG  -- have the router's system logs sent to your unix box.
>
>Note that despite the fact that the modems are running bridging this currently
>has little, if any, impact on what we, as end users, actually see in terms of
>network availability.  However, what I had seen bandied about was concern about
>excess traffic as the trunkline gets saturated with more subscribers.  As I
>recall, bridging's bucket brigade doesn't understand that certain packets are
>meant only for your LAN; it just passes them on.  Consequently lots of data gets
>sent out on the trunkline that needn't be.  As I recall, the linux firewall
>solution handles this by becoming a subnet to visi's net.  In fact I have an
>older 486 I have been playing with and actually got LRP up and running on it.
>However it only has one NIC and I wasn't crazy about buying a 2nd ISA NIC for
>it.
>
>Instead I think I'll find something newer, say a 233 that has some zip and can
>run a web server without bogging down.  Which brings me to a question.  I am
>curious about what are decent network configurations (assuming we are using the
>625 as a bridge here).  Is it best to have web/ftp/etc. servers not on the
>firewall machine?  Or can they coexist on the same machine safely/peacefully?
>What I am looking for are standardized solutions, i.e. how "people in the
>security know" are doing this.
>
>Something else you want to be aware of: the NIC that you get with the modem
>has some peculiarities that took a little debugging. Apparently the linux
>initialization code for the 3c905 (or is it the 509? The one that's newer) has
>some problems.  It will not come up properly after a warm boot from windows
>95/98.  You have to completely power down the box to reboot after running
>95/98.  Further complicating the issue is the wake on lan feature.  The NIC
>comes with a small two wire cable that you can connect to the motherboard (if
>your motherboard supports this).  DO NOT CONNECT THIS CABLE.  It supplies
>enough power to the NIC to keep it from reinitializing during the cold boot and
>you will not be able to get the card running in linux unless you actually unplug
>the box first!  You can imagine the frustration involved in resolving this
>one.  The question was why does it work when I unplug it but not when I power
>cycle it? It took a detailed visual inspection with the power off and noticing
>that a green led on the NIC was still lit. (And of course I had to look
>everywhere else first!) I believe the development folks know about this and a fix
>is coming.  It does not appear to be fixed in RH 5.2 kernel version:
>2.0.36-0.7 which is what I'm running now.  If I have time, I will upgrade to
>pre7 and let you know if that is still a problem.  Has anyone else had this
>difficulty? Or am I off in the weeds?
>
>> skj@visi.com
>
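Added example (editor's code, not part of the original thread or of any VISI/USWest documentation): the "2 bits reserved for each of us" allocation Randy describes, worked through with Python's standard ipaddress module so you can see which of the four addresses plays which role. Two host bits is a /30; that prefix length is an assumption drawn from the message, and the host address 198.51.100.10 is constructed from the RFC 5737 documentation range, not anyone's real allocation. In the usual terminology the host bits 00 address is the network address and 11 is the broadcast address, leaving 01 and 10 as the only two usable addresses (router and host). The second function generalizes to other prefix lengths, which goes beyond the /30 case in the message.

```python
"""Work out the four addresses of a /30 customer allocation.

Editor's example for this archive page, not code from the original thread.
Assumptions: the allocation is a /30 (2 host bits), and the sample host
address 198.51.100.10 is constructed from the RFC 5737 documentation range.
"""
import ipaddress


def slash30_roles(host_ip: str) -> dict:
    """Return the four addresses of the /30 containing host_ip, keyed by role.

    With 2 host bits there are 4 values. Host bits 00 is the network address,
    host bits 11 is the broadcast address, and 01 and 10 are the only usable
    addresses: one for the customer's router/modem, one for the customer's host.
    """
    net = ipaddress.ip_network(f"{host_ip}/30", strict=False)
    addrs = list(net)  # exactly 4 addresses for a /30
    if len(addrs) != 4:
        raise ValueError("not a /30")
    network, low, high, broadcast = addrs
    return {
        "network": str(network),      # host bits 00
        "usable_1": str(low),         # host bits 01
        "usable_2": str(high),        # host bits 10
        "broadcast": str(broadcast),  # host bits 11
    }


def usable_addresses(cidr: str) -> list[str]:
    """General case: the usable host addresses for an IPv4 prefix shorter than /31.

    A /30 yields 2 usable addresses, a /29 yields 6, and so on
    (2**host_bits - 2, since network and broadcast are excluded).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(a) for a in net.hosts()]


def peer_address(host_ip: str) -> str:
    """Given your static host IP inside a /30, return the other usable address,
    i.e. the one left over for the router/modem."""
    roles = slash30_roles(host_ip)
    if roles["usable_1"] == host_ip:
        return roles["usable_2"]
    if roles["usable_2"] == host_ip:
        return roles["usable_1"]
    raise ValueError(f"{host_ip} is the network or broadcast address, not a usable host")


if __name__ == "__main__":
    # Constructed sample input (RFC 5737 documentation range).
    for role, addr in slash30_roles("198.51.100.10").items():
        print(f"{role:10} {addr}")
    print("peer:", peer_address("198.51.100.10"))
    print("/29 usable:", usable_addresses("198.51.100.8/29"))
```

Running it on the constructed address shows the /30 is 198.51.100.8 through .11, with .9 and .10 the two usable addresses; whichever of those is your host, the other is what you would point a browser or telnet client at if the modem were in routing mode with its own address. If you are not sure which prefix you were given, the /29 call shows how quickly the usable count grows per extra host bit.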