Problem solve Get help with specific problems with your technologies, process and projects.

Securing a residential broadband connection

Is there anything available now or on the horizon to protect my residential broadband connection from someone else also on a broadband connection in my neighborhood from using a sniffer to read my non-SSL transmissions, e.g. e-mail?

As you point out, in some cable systems, an attacker can gather data from other cable Internet subscribers in their neighborhood, simply by sniffing data. Not all cable providers are sniffable; some use technology at the cable head-end that limits what you can see on the network. Unfortunately, lobbying your cable provider to deploy such technology is probably fruitless, as it requires changes to the cable infrastructure.

Also, even for those people not using cable modems (such as DSL, dial-up, and ISDN users), keep in mind that an attacker who has compromised your ISP can still see all data you send out. There are several recorded attacks in which an attacker took over critical systems at an ISP and perused customer traffic. Furthermore, an attacker could simply get a job with an ISP and snoop your Web surfing habits.

While there is no silver-bullet solution to protecting against your neighbors sniffing your cable line or similar ISP-based attacks, you can protect yourself by encrypting the data you send across the network. As you mention in your question, SSL goes a long way into securing your Web access. Other protocols, such as e-mail, don't have this built-in protection. So, how can you protect them? There are several options, including:

  • Encrypt your e-mail -- This solution works well and provides a high degree of security. However, the person sending or receiving e-mail has to use the same tool as well to encrypt or decrypt your e-mail. One of the most popular options in this genre is the encryption tool PGP or the open source GnuPG, available at www.gnupg.org.

  • Access Internet services using a secure proxy -- Various individuals and companies offer access to Internet services beyond HTTP using their site as a proxy. The path from your application to the proxy is encrypted, usually using SSL with HTTP, e-mail or newsgroups riding on top of the SSL encrypted connection. Because your ISP and snooping neighbors sit between you and the proxy, all traffic will be encrypted when they receive it. The Web site anonymizer.com offers secure Web access (encrypting all URLs that you send, but not the data). For a more complete solution, you should check out the Cult of the Swimming Elephant Web site (www.cotse.com), which offers a service providing SSL-encrypted Web, Web-mail, newsgroups, POP and SMTP e-mail, and other goodies for $5.95 per month.

  • Access all services on the Internet using a Secure Shell (SSH) tunnel through an SSH service -- This solution improves on the one listed above, because it can be used for any protocol that relies on TCP (including Web, ftp, telnet, e-mail, etc.) You install the SSH software on your system, and everything using TCP gets encrypted and tunnelled over SSH as it is sent to the SSH service provider. There, it is decrypted and sent to its destination. The SSH service provider acts as the endpoint of the encrypted tunnel and protects you from snooping. You can subscribe to the Anonymizer's commercial SSH service for $29.99 for three months at http://www.anonymizer.com/services/ssh2.html

    It is important to note that for items two and three above, the proxy or SSH tunnelling service you use will have access to all of your traffic.

    For more information on this topic, visit these other SearchSecurity.com resources:
    Tech Tip: Securing remote access service
    Executive Security Briefing: Managing safe and secure remote connections
    Executive Security Briefing: Watch out for hotel broadband vulernabilities

  • This was last published in April 2002

    Dig Deeper on Network device security: Appliances, firewalls and switches

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.