Alcatel !!! Is not able to help Need
Posted: Fri 20 Dec, 2002 17:36
<HTML>Alcatel and the provider are sitting in the same boat, nobody is able to help, the most important things are always in English and nobody wants to say it in German, for whatever reason.... I'm just at my wit's end here
Need help ?????
Quote from the provider:
The problems found with the Speed Touch Home version, however, are,
contrary to the statement from Alcatel/Thomson, to be rated as somewhat
more serious. In principle it is not possible to access the ADSL modem
from outside. However, if a virus or a Trojan horse has taken
control of a workstation connected to the network,
an intruder from outside can gain access to the modem
via this workstation.
To prevent this effectively, a password must be set in the modem.
The relevant procedure is described in chapter 8 on the CD
supplied with the modem.
and this in turn is once again in English on the CD, tsk tsk tsk
Regards
That's what they call customer support, oh man
Reply:
Please read the following official statement from Alcatel/Thomson.
Unfortunately it is not available in
German:
"ALCATEL SPEED TOUCH ADSL MODEM SECURITY INFORMATION
GENERAL SECURITY CONSIDERATIONS FOR BROADBAND REMOTE ACCESS SERVICE
SPECIFIC RECOMMENDATIONS ON THIS ADVISORY
ALCATEL SPEED TOUCH ADSL MODEM SECURITY INFORMATION
There have been some discussions in the press regarding security of Alcatel
DSL modems and the security of DSL services in general.
The major vulnerability referred to in the advisory (VU#211736 - Alcatel
ADSL modems grant unauthenticated TFTP access via Bounce Attacks), does not
apply to mainstream Operating Systems used by residential and small business
subscribers (e.g. Windows 95, 98, 98se, ME, and typical installations of
NT4.0 Workstation, 2000 Professional and the latest commercial releases of
Linux).
On Microsoft Windows Operating Systems, the "echo" service exploited to
bounce TFTP traffic to the modem, is either not available as part of the OS
(Windows 95, 98, 98se, ME), or is not installed in a "typical" installation
(NT4.0 Workstation and 2000 Professional).
It should be noted, however, that without a firewall, any PC in any
configuration (home PC or in a LAN) is open for attacks by hackers, that can
alter software, install viruses, spy information, etc. Especially PCs
connected to the Internet through 'always on' Cable or DSL services should
be protected through firewalls.
Therefore Alcatel highly recommends the use of firewalls as a general
practice for 'always-on' connections. Additionally, Alcatel has started an
initiative to qualify firewall software that will provide users with the
highest possible degree of security. Alcatel will publish and update lists
of recommended firewalls on its website in the near future.
The firewall recommendation is especially relevant for server applications,
where a generic vulnerability for FTP-bounce may be present, as described in
CA-1997-27.
One should in any case be aware of the fact that firewalls also continuously
evolve to mitigate the subsequent security issues as they arise in the
security experts community. Hence, the deployment of firewalls also
inherently presumes an attitude towards the implementations of regular
updates just as for anti-virus software.
GENERAL SECURITY CONSIDERATIONS FOR BROADBAND REMOTE ACCESS SERVICE
Security in Modems and Networks
In any network there are two main types of security: network security and
user security (more specifically, user content security).
Wide Area Network (WAN) is concerned with protecting a network from
malicious usage. Security at the Customer Premise Equipment (CPE) level is
less available - unlike all other network levels -, since this equipment is
not directly controlled by a Network Operator or an ISP.
This is true for any type of CPE, including telephones, modems (analogue,
DSL or cable) and fax machines. For a Network Operator's, ISP's or private
network, security can only be guaranteed at the network level. In other
words, a network should stay operational at all times. Such type of security
is already provided by Alcatel, built in its DSLAM (operated by the service
provider).
User security is concerned with protecting the content and local area
network of an end-user. This type of security has to be implemented on Local
Area Network (LAN) or PC level at the customer premises.
This is standard practice for any network connection (i.e. leased lines,
cable modem, DSL). Generally such modems provide connectivity to the network
and not security. User content security can be reinforced at the LAN level
by installing a dedicated firewall software and/or hardware, either on the
server or on the PC, or by installing a dedicated firewall device. Alcatel
also provides DSL modems which have firewall security. User content and LAN
security is the responsibility of the user.
There are many software and hardware products on the market to ensure
security, including Alcatel products.
Modem security
Alcatel's modems are designed to allow users to alter the firmware.
This is a standard feature built into some of the Speed Touch modems to
allow local or - in case of the Speed Touch Pro - remote software upgrades.
Access from the LAN interface (i.e. local access) into the modem does not
constitute a security problem, since the modem normally belongs to the
person who is using it. (For this reason no remote access is possible on the
Speed Touch Home).
On the Speed Touch Pro, a protection mechanism feature is implemented to
ensure that nobody can gain remote access to the modem (or via the WAN/DSL
interface). This mechanism guarantees that nobody from outside can access
the modem and change modem settings.
Alcatel ships all modems with the protection activated. However, it's easy
for a modem owner to deactivate the protection (the procedure for activating
this protection mechanism is described below).
This protection can be switched off locally by the modem owner, in case the
service provider wants to do upgrades or do remote management. The service
provider normally manages this process, and the service provider explains to
the end-user how to deactivate the protection and how to re-activate it
again.
SPECIFIC RECOMMENDATIONS ON THIS ADVISORY
This Advisory applies to Speed Touch Home up to Rel. 3.2.5, Speed Touch Pro
up to Rel 3.2.5 and Alcatel 1000 ANT Rel 3.1.
Advisory Statement
Alcatel ADSL modems grant unauthenticated TFTP access via User Datagram
Protocol (UDP) bounce.
Alcatel ADSL modems allow unauthenticated Trivial File Transfer Protocol
(TFTP) access from the local area network (LAN) as a method for updating
firmware and making configuration changes to the device. In conjunction with
a common vulnerability, a remote attacker may be able to gain
unauthenticated access as well.
Alcatel's answer
Correct. TFTP together with FTP are protocols that are used in the modem to
upgrade the system software (firmware). This gives the capability to the
user to benefit from new features at all times. This upgrade is done from
the LAN network (or the user port) that can only be accessed by the modem
user/owner.
However, this is an action that is not allowed from the WAN interface by
external users.
Speed Touch Home modems (typically in bridged configuration) with no
embedded firewall and used for LAN interconnect, give transparent access to
the LAN. If this is used for connection to the Internet, additional measures
have to be taken, since outside intruders can access the LAN and access the
modem via a bouncing mechanism. Explanation on how to use the modem
correctly and to alleviate this issue is described in the chapter: Measures
for Speed Touch Home modems.
In any case one should note that the vast majority of operating systems used
in residential or small business applications do not exhibit this security
vulnerability (cf. non-exhaustive list above).
Advisory Statement
Alcatel ADSL modems provide EXPERT administrative account with an easily
reversible encrypted password.
Alcatel ADSL modems contain a special account (EXPERT) for gaining
privileged access to the device. This account is secured via a
challenge-response password authentication mechanism. While the use of such
a mechanism is commendable, the algorithm used is not sufficiently strong.
Attackers with knowledge of the algorithm used to compute the response are
able to compute the correct response given information visible during the
login process.
Alcatel's answer
This is correct. Alcatel provides expert level access for technical support
and maintenance activities by service personnel. To avoid that the user
accidentally enters this mode, this mode is not documented in the manual and
is password protected. As such, the password is not intended to protect
against intrusion of malicious users. The Speed Touch Pro offers another
feature, called "system protection", providing this security. The system
protection disables the capability of remotely (this is via a wide area
network) accessing this expert level, which could be used by outside
attackers.
Advisory Statement
Alcatel ADSL modems contain a null default password
The Alcatel Speed Touch ADSL modem ships with a null default password,
permitting unauthenticated access via TELNET, HTTP, and FTP. As with the
EXPERT account vulnerability, the device must have an externally accessible
IP address.
Alcatel's answer
This is correct, there is no default password. During the installation, the
user can configure the parameters, and protect this with its own password.
This is a standard practice. The same "system protection" offers additional
security against malicious users, which are entering from the WAN side and
are not owner of the modem. The same "system protection" guarantees this
security. See below "Specific Measures for Speed Touch Home users".
Advisory Statement
Alcatel ADSL modems provide unauthenticated TFTP access via physical access
to the WAN interface
To allow your ISP to upgrade the firmware of the ADSL
modem remotely, unauthenticated TFTP access is provided to users with
physical access to the wire on the WAN side of the modem. While this access
is normally used legitimately by your ISP, an attacker could also abuse it
with physical access to the wire outside of your home or at a local access
point.
Alcatel's answer
Correct. This is true for all communication in general, e.g. voice traffic,
leased line data traffic. Physical wire access to a public network by third
parties is considered a crime. However, in cases where a high degree of
security is required, specialized encryption methods such as IPSec
are typically used. This is a practice used by banks, insurance companies etc.
and is recommended whatever the data network is that is used for highly
sensitive information.
What, if anything, can service providers do to guard against this problem in
their network? What can consumers do to guard against the problem?
All modems that are shipped by Alcatel are by default "system protected",
and this is the recommended default operation. As a result, in the majority
of the cases, there is no real problem. In general, it is strongly advised
that end-users do not alter this default setting. However, in certain cases
where the service provider manages the modem (as a managed service) with the
Speed Touch Pro, the "system protection" is disabled to be able to manage
the modem remotely. See below "Specific Measures for Speed Touch Pro modems"
for more info.
Specific Measures for Speed Touch Home modems
**********************************************
Speed Touch Home modems in bridged mode provide transparent access to the
LAN (e.g. homeworking, branch office). When the LAN is connected to the
Internet, it is standard practice to provide additional security measures to
shield the LAN environment from general accessibility from the Internet.
Possible measures are:
1) For single PC connections or small home networks, it is recommended to
disable the ECHO service on the Operating system, or to install a quality
firewall software on hosts.
2) For more advanced networks, a dedicated firewall is recommended, or
equivalently, make use of Speed Touch Pro with Firewall.
3) Alternatively, the service provider can provide the protection in the
network. The routers or broadband remote access servers can be configured to
drop all packets with broadcast source address, which are considered illegal
according to RFC1812.
Specific Measures for Speed Touch Pro modems
As explained before, in some cases the "system protection" is disabled when
service providers offer a managed service. In those cases the user could
enable the "system protection" on the Speed Touch Pro modem. However, we do
not recommend this without consulting the service provider. Typically, in
managed service, the modem is property of the service provider and should
allow configuration by the service provider. In the case of a managed
service, the service provider provides security at network level by
configuring the broadband remote access server to only allow the management
server of the service provider to communicate with the management interface
of the modems.
If you need to verify or alter the configuration of the system protection,
proceed as described below:
Configuring the security of your Alcatel Speed Touch Pro modem:
Set up a telnet connection to your modem.
Telnet address is 10.0.0.138
Consult your Operating System manual on how to set up a telnet connection.
Type "Enter" at the User Name prompt
Wait for the next prompt and then type the following:
=> ip config
The information on your firmware protection feature is given in the second
line of the response
If it is "ON", your modem has the security features activated and you have
nothing to worry about.
If it is "OFF", you are vulnerable to the attacks.
You can adjust the security settings as follows:
=> ip config firewalling on
=> config save
Now you are safe again!"
Kind regards
Speed Touch Helpdesk
Michael Köster
Monday-Saturday 09:00-21:00 CET
Direct Numbers to SpeedTouch Helpdesk:
Belgium: 0903 99506 (1.12 Euro/Min.)
France: 0892 255111 (0.34 Euro/Min.)
Germany: 0190 747615 (1,24 Euro/Min.)
Norway: 820 10010 (8,82 NKr/Min.)
Switzerland: 0900 229966 (1,00 SFr/Min.)
United Kingdom: 0906 3022114 (0,50 £/min.)
Email: [email protected]
Send your Support Request from Website:
http://www.speedtouch.com
</HTML>
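Added example (not part of the original post or of Alcatel's statement): a Python model of the filtering that measures 1 and 3 for Speed Touch Home modems describe, dropping WAN-side packets whose source is a broadcast address and refusing inbound UDP echo. It goes beyond measure 3 by also rejecting the other non-unicast sources a router should refuse; the 10.0.0.0/24 LAN, the port-7 rule applied at the edge, the function names and all sample packets are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

ECHO_PORT = 7  # UDP "echo" service that measure 1 says to disable or firewall

# Assumption: the customer LAN is 10.0.0.0/24 (the modem's 10.0.0.138 lies in it).
LAN_NETS = [ipaddress.ip_network("10.0.0.0/24")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

# Minimal packet record: only the fields the filter looks at.
Packet = namedtuple("Packet", "src dst proto dport")


def source_violation(src, lan_nets=LAN_NETS):
    """Return why a source address is illegal on the WAN side, or None."""
    addr = ipaddress.ip_address(src)
    if addr == LIMITED_BROADCAST:
        return "limited broadcast source"
    for net in lan_nets:
        # Directed broadcast of a network behind the modem (measure 3).
        if addr == net.broadcast_address:
            return f"directed broadcast source of {net}"
    # Generalisation: other addresses that can never be a valid sender.
    if addr.is_multicast:
        return "multicast source"
    if addr.is_loopback:
        return "loopback source"
    if addr in THIS_NETWORK:
        return "source on network 0"
    return None


def wan_ingress_verdict(pkt, lan_nets=LAN_NETS):
    """Decide what a router or host firewall does with one inbound packet."""
    reason = source_violation(pkt.src, lan_nets)
    if reason:
        return ("drop", reason)
    # Measure 1 expressed as a firewall rule: no echo service for the WAN.
    if pkt.proto == "udp" and pkt.dport == ECHO_PORT:
        return ("drop", "UDP echo reachable from WAN")
    return ("allow", None)


# Constructed sample traffic (documentation address ranges, not real captures).
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "10.0.0.5", "tcp", 80),
    Packet("255.255.255.255", "10.0.0.5", "udp", 7),
    Packet("10.0.0.255", "10.0.0.5", "udp", 7),
    Packet("198.51.100.7", "10.0.0.5", "udp", 7),
    Packet("224.0.0.1", "10.0.0.5", "udp", 53),
]


def evaluate(packets, lan_nets=LAN_NETS):
    """Return (packet, action, reason) for every packet, in order."""
    return [(p,) + wan_ingress_verdict(p, lan_nets) for p in packets]


if __name__ == "__main__":
    for pkt, action, reason in evaluate(SAMPLE_PACKETS):
        print(f"{action:5} {pkt.src:>15} -> {pkt.dst}:{pkt.dport}/{pkt.proto}"
              f"  {reason or ''}")
```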