TCLUG Archive

Re: [TCLUG:3292] Security Pointers & DSL questions...



I tried sending this earlier, but it bounced, so I'm trying again...

"Scott K. Johnson" wrote:

> -----Original Message-----
> From: Randy Viosca <viosca@visi.com>
> To: Scott K. Johnson <skj@visi.com>
> Date: Tuesday, January 12, 1999 8:40 PM
> Subject: Re: [TCLUG:3292] Security Pointers & DSL questions...
>
>
> >The updated software was supposed to be available back in october, but I
> >haven't heard of any updates.
>
> They didn't make any special mention of it.  My feeling is that the people
> they have doing the ordering, etc. know less about the stuff than we do...

This is mostly true.

> Is there any way to expedite the order?  They said that it would arrive near
> 1/26. Can't I go pick it up from them or something???  Or am I just being
> anally impatient?

Also, the people who did the install knew about the same.

Basically, a communications worker (i.e. POTS [Plain Old Telephone Service]
person) will come out in a van and hook up the modem. He will have a laptop
for testing which he will hook up to the serial maintenance port on the modem
(you can do this as well), and he will verify the line quality by typing a
few commands to the modem, and if everything's ok, you're set.  TIP: if your
wires are a mess (i.e. older home) and if you talk nicely to him/her (like to
the shop keepers in nethack) sometimes they will be nice and clean the
brambles of wires up for you.  Note that if your line quality is low and you
are within the wire length limit, they will/should do everything they can to
resolve the problem.  If the problem is outside the house, i.e. bad bug wire
(the line to the house from the pole or underground) or sac problems
(problems in the junction box that serves several houses) they are obligated
to fix it free of charge.  However, if the problem is inside your house (i.e.
noisy telephone, bad wiring etc...) then they only have to show that they
provide the service to your door; after that, there are additional charges.
Here's where the niceness factor comes in.  They have a couple of meters and
some simple equipment that they are very good at using to find line/phone
problems quickly.  They can diagnose which lines that fork off the lightning
protector (funky looking round thing in old homes, or grey plastic box called
a Kep-Tel or NID in newer homes) are causing the problems.  I happened to be
very lucky; they rewired the whole mess and put in punch down blocks for each
unit (I have a 1914 duplex), so now I am set up to rewire the whole house
with cat 5.

You can't expedite USWest any more than you can expedite city hall.  However,
if they are still shipping out the modem packs in advance of the installers
(rather than having the installers bring them with) there is a good chance
your service may already be working when that UPS package arrives.  USWest
will notify your ISP (VISI here) and they will enable the connection; nothing
will happen until USWest notifies VISI.  At that point visi can tell you some
rudimentary things about your line.

Hooking up the modem is very simple, it just plugs into the phone line (and
of course the NIC in your PC).  If your house phone wiring is not a mess
(i.e. no shorts or problems) you can take the filters that come with the
modem and install them at each phone.  These filter out any noise the phones
may be generating above 4 kHz, which is where the modem "runs".  Next you
plug your computer into the serial port on the modem (using the supplied
cable) and power up the modem.  You can use hyperterm (Windows) or cu or
minicom (Linux) to connect to the maintenance port of the modem.  You will
probably have to tweak the port settings; as I recall there is no
handshaking, hardware or software.  Anyways, once connected, get out the
manual and figure out how to enable RFC1483 Bridging.  At the prompt do
something like:
set bridging rfc1483 enabled
Note that you may have to log in as root first (on the modem) but I can't
remember.  Instructions for this should be in Chapter 4 of the modem's
manual.  After bridging is enabled, reboot the modem with: reboot.  There are
also some maintenance commands you can use to check your line quality.  I
don't remember what they are or how to interpret the numbers that come back.
One of them is some kind of line rate value and if it's above 25 it's ok and
optimally/rarely it's in the 40's.  The installers got excited when they did
this as mine came back in the mid 40's (I almost broke down and served tea
and crumpets ;-).


> >The 625 they were shipping back in august had busted routing protocol
> >code forcing us to use the bridging protocol
> >in the device. The 625 has firmware flash, and Cisco was supposed to
> >make an update available that
> >fixes this problem.
>
> What is the difference between the two??  I don't know much about the
> differences between bridging protocol and routing protocol...

Now, it has been a while, but here goes (someone correct me if I am
mistaken):

Bridging protocol doesn't do any routing, i.e. when bridging, the modem
knows nothing of RIP and neither can you set static routes; your default
gateway for machines on your LAN is set to visi's gateway.  Think of it as
one link in a bidirectional bucket brigade: your modem becomes an extension
of visi's network.

With routing protocol the modem acts as a router: it maintains routing
tables, learns/remembers routes with RIP and RIP2 and you can set/modify
certain pre-known routes with static routing.  It understands ARP and proxy
ARP, and you can set 10 levels of IP filtering.  The default gateway for
machines on your LAN becomes the router's address.  You are your own network
and visi's network is just one of the many networks available to connect to.

Which brings me to your next question.

>
> >As an aside, I have heard that the 625 is supposed to be programmable to
> >do rudimentary firewall activities.
> >It also has a web interface for configuration that is accessible from
> >the LAN side, but these only work in
> >routing mode.
>
> That would be very very cool!!!  So, does the modem/router get assigned an
> IP address, or is it your actuall machine?  I'm under the assumption that it
> is your machine, but then how do you access the 625 to do the firewall
> activities?  ie, where do you point your browser??

Yes, the modem would need an IP address.  And I was under the impression
that at visi we all have had 2 bits reserved for each of us for IP
addresses.  This is 4 values, in binary, the LSBs of which are 11 for
broadcast, 00 for the netmask, and 01 and 10 for router and static IP for
your host ip (don't know which is which or if it matters).  Since your
modem/router has an IP address, you point your browser to it.  Here are some
of the features of the router as listed in chapter 4:
Telnet  -- for configuration
TFTP    -- for transferring configuration data and updating flash
Web     -- for configuration
SYSLOG  -- have the router's system logs sent to your unix box.

Note that despite the fact that the modems are running bridging this
currently has little, if any, impact on what we, as end users, actually see
in terms of network availability.  However, what I had seen bandied about
was concern about excess traffic as the trunkline gets saturated with more
subscribers.  As I recall, bridging's bucket brigade doesn't understand that
certain packets are meant only for your LAN; it just passes them on.
Consequently lots of data gets sent out on the trunkline that needn't be.
As I recall, the linux firewall solution handles this by becoming a subnet
to visi's net.  In fact I have an older 486 I have been playing with and
actually got LRP up and running on it.  However it only has one NIC and I
wasn't crazy about buying a 2nd ISA NIC for it.

Instead I think I'll find something newer, say a 233 that has some zip and
can run a web server without bogging down.  Which brings me to a question.
I am curious about what are decent network configurations (assuming we are
using the 625 as a bridge here).  Is it best to have web/ftp/etc. servers
not on the firewall machine?  Or can they coexist on the same machine
safely/peacefully?  What I am looking for are standardized solutions, i.e.
how "people in the security know" are doing this.

Something else you want to be aware of: the NIC that you get with the modem
has some peculiarities that took a little debugging.  Apparently the linux
initialization code for the 3c905 (or is it the 509? The one that's newer)
has some problems.  It will not come up properly after a warm boot from
Windows 95/98.  You have to completely power down the box to reboot after
running 95/98.  Further complicating the issue is the wake on LAN feature.
The NIC comes with a small two wire cable that you can connect to the
motherboard (if your motherboard supports this).  DO NOT CONNECT THIS
CABLE.  It supplies enough power to the NIC to keep it from reinitializing
during the cold boot and you will not be able to get the card running in
linux unless you actually unplug the box first!  You can imagine the
frustration involved in resolving this one.  The question was: why does it
work when I unplug it but not when I power cycle it?  It took a detailed
visual inspection with the power off and noticing that a green LED on the
NIC was still lit.  (And of course I had to look everywhere else first!)  I
believe the development folks know about this and a fix is coming.  It does
not appear to be fixed in RH 5.2 kernel version 2.0.36-0.7, which is what
I'm running now.  If I have time, I will upgrade to pre7 and let you know if
that is still a problem.  Has anyone else had this difficulty?  Or am I off
in the weeds?

> skj@visi.com
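The "2 bits reserved for each of us" allocation discussed in the message above, worked through as a /30 block in an example added here (not code from the original post or from VISI); the host address 10.1.2.9 is a constructed sample, and in the standard layout the all-zeros address is the network address and the all-ones address the broadcast.

```python
# Added example, not from the original post: walks through the "2 bits
# reserved per subscriber" idea as a /30 block using plain bit arithmetic
# (rather than the ipaddress module) so the two low-order bits stay visible.
# SAMPLE_HOST is a constructed address; VISI's real assignments are not known.

def ip_to_int(dotted):
    """Parse a dotted-quad IPv4 address into a 32-bit integer."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_ip(n):
    """Render a 32-bit integer as a dotted-quad IPv4 address."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def slash30_block(host_ip):
    """Return the four addresses of the /30 containing host_ip, labelled by
    the value of their two low-order bits (the bits the post calls reserved).
    00 is the network address, 11 the broadcast, 01 and 10 the two usable
    addresses (one for the router, one for the host)."""
    base = ip_to_int(host_ip) & ~0x3   # clear the two LSBs -> network address
    labels = {0: "network", 1: "usable (router or host)",
              2: "usable (router or host)", 3: "broadcast"}
    return {int_to_ip(base | lsb): labels[lsb] for lsb in range(4)}

def usable_hosts(host_ip):
    """The two addresses a subscriber can actually assign in its /30."""
    return [ip for ip, role in slash30_block(host_ip).items()
            if role.startswith("usable")]

def on_same_link(ip_a, ip_b):
    """True when both addresses fall in the same /30, i.e. a LAN host reaches
    the other directly instead of via the default gateway."""
    return (ip_to_int(ip_a) & ~0x3) == (ip_to_int(ip_b) & ~0x3)

SAMPLE_HOST = "10.1.2.9"   # constructed sample, not a real assignment

if __name__ == "__main__":
    for addr, role in slash30_block(SAMPLE_HOST).items():
        print(f"{addr:<12} {role}")
```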