Is my 'modem' attackable?

redbird71

Occasional Visitor
So I've got a router provided by my ISP. The first day I got it, I disabled Wi-Fi and configured a DMZ to my Asus router, which then provides all the network services I need, so it really works more as a modem than a router.

My question is - as the firmware of that router is never updated - is this a security risk at all?
 
Why use a DMZ? Guessing to avoid double NAT. Anyway, the answer is yes and no. If any attack happens on your ISP modem/router, it would be within the range of the modem's DHCP server, which is a different IP range from the DHCP server running on your Asus router. The most I could theoretically think could happen is that the modem could packet-inspect unencrypted traffic coming from your Asus router, or act as a botnet, or cause you denial of service. But that's all assuming it's a powerful enough modem. Your Asus router still has a firewall, so anything in front of it will be dealt with the same way as the internet in general, so unless a vulnerability is discovered in either router it's probably fine.

You can try and shift your browsers to use HTTPS traffic and use DNS over TLS to make your DNS LAN traffic less visible, or a VPN to encrypt the whole network traffic. But you're reasonably safe and likely not worth the effort to attack.
 
Why use a DMZ? Guessing to avoid double NAT.
DMZ doesn't avoid double NAT. That's not the same thing as some routers which have a "passthrough" or "DMZplus" mode.

N.B. "DMZ" on home routers is not a real DMZ. The manufacturers have just misappropriated the term.
 
Ah OK. My ISP uses PPPoE snap bridge on its fibre connection, so the Asus router handles the authentication to the ISP. As I understand it, cable and some fibre connections are preconfigured and are handled by the ISP. Not sure how this user's modem/router is set up exactly for WAN traffic, but I assume forwarding DHCP to his Asus router isn't an option.
 
Ah OK. My ISP uses PPPoE snap bridge on its fibre connection, so the Asus router handles the authentication to the ISP. As I understand it, cable and some fibre connections are preconfigured and are handled by the ISP. Not sure how this user's modem/router is set up exactly for WAN traffic, but I assume forwarding DHCP to his Asus router isn't an option.
My interpretation of his post is that his ISP device is still operating as the gateway router, albeit with the Wi-Fi turned off. So this would be the classic double NAT setup, hence the need to port forward everything to the second Asus router (if he wants to allow remote connections).
 
So I've got a router provided by my ISP. The first day I got it, I disabled Wi-Fi and configured a DMZ to my Asus router, which then provides all the network services I need, so it really works more as a modem than a router.

My question is - as the firmware of that router is never updated - is this a security risk at all?

Who says that firmware is never updated? ISPs update the firmware of their devices on a somewhat regular basis (heck they even do it if you own the device, they take control of it). Until it becomes unsupported at least, at which point they should notify you.

You can ask the ISP if they support bridge mode, which would reduce the attack surface of that device and eliminate the double NAT. But likely you're fine as is.
 
Who says that firmware is never updated? ISPs update the firmware of their devices on a somewhat regular basis (heck they even do it if you own the device, they take control of it). Until it becomes unsupported at least, at which point they should notify you.

You can ask the ISP if they support bridge mode, which would reduce the attack surface of that device and eliminate the double NAT. But likely you're fine as is.
Depends on the modem and ISP if they update the firmware. Some only end up with newer firmware if it comes fresh from the manufacturer. Fibre modem/routers tend to pull settings and updates from the ISP, but it really depends. My ISP's modem/routers can do fibre, VoIP, or connect to cable or ADSL2+, VDSL modems. In the latter WAN connections ISP remote management isn't set up.
 
Depends on the modem and ISP if they update the firmware. Some only end up with newer firmware if it comes fresh from the manufacturer. Fibre modem/routers tend to pull settings and updates from the ISP, but it really depends. My ISP's modem/routers can do fibre, VoIP, or connect to cable or ADSL2+, VDSL modems. In the latter WAN connections ISP remote management isn't set up.

You may not realize it, but just about everything will get updates when needed, they aren't going to leave vulnerabilities once identified. Even fiber ONTs get them.
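
Added example, not part of any post in this thread: the double NAT versus bridge/passthrough question raised above can be settled from the address the second (Asus) router receives on its WAN port. The function name, return labels and sample addresses are assumptions made for this illustration; the samples use constructed and documentation-range addresses.

```python
import ipaddress

# RFC 1918 private ranges: what an ISP gateway's own DHCP server hands out.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared range used for carrier-grade NAT inside the ISP.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_ip, public_ip=None):
    """Classify the inner router's IPv4 WAN address.

    wan_ip    -- address shown on the inner router's WAN status page
    public_ip -- optional, address an outside service reports for the line
    """
    wan = ipaddress.IPv4Address(wan_ip)
    if any(wan in net for net in RFC1918):
        # The ISP box is still routing: its "DMZ" only forwards ports,
        # the inner router sits behind a second NAT layer.
        return "double-nat"
    if wan in CGNAT:
        # NAT is happening in the ISP's network, not (only) in the home.
        return "cgnat"
    if wan.is_loopback or wan.is_link_local or wan.is_unspecified or wan.is_multicast:
        return "unknown"  # not a usable WAN lease
    if public_ip is not None and ipaddress.IPv4Address(public_ip) != wan:
        # WAN address looks routable but the outside world sees another one.
        return "nat-upstream"
    # Inner router holds the externally visible address (bridge mode,
    # passthrough, or PPPoE terminated on the inner router).
    return "no-double-nat"


# Constructed samples: (WAN address on inner router, externally seen address)
SAMPLES = [
    ("192.168.1.2", "203.0.113.10"),
    ("100.72.5.9", None),
    ("203.0.113.10", "203.0.113.10"),
]

if __name__ == "__main__":
    for wan, pub in SAMPLES:
        print(f"{wan:15} -> {classify_wan(wan, pub)}")
```

A "double-nat" result means the ISP device is still an exposed, routing gateway whose firmware state matters; "no-double-nat" corresponds to the bridge or passthrough setups mentioned in the replies.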
 