If you put your modem outside of your firewall (which is where mine is, in spite of the fact that I haven't successfully connected yet), your exposure is no worse than being attacked from another host connected to the HamWAN network*.  You *do* have a firewall on your network, right? ;^)



* Well, ok, speaking as a professional security geek (which is what I do for a living), it *is* in fact very slightly worse.  Assuming the firmware of the modem could be compromised to launch attacks, it's a higher-bandwidth lower-latency connection to pound on your network from, which, in theory, is less secure.  But given the speed of the HamWAN network, the delta is pretty small, and given that the modems run a semi-proprietary (and fairly uncommon) OS, the odds of the modem itself becoming a leapfrog platform for staging attacks are pretty insignificant.  And again, assuming you've got a halfway decent firewall in the middle (ie, not just a cheap consumer device that does NAT, but an actual firewall), I wouldn't worry about it.

Jeff N0GQ



On Tue, Mar 11, 2014 at 4:27 PM, Nigel Vander Houwen <nigel@k7nvh.com> wrote:
To add to what Cory said,

The goal is not to remove control or access from the user. It's simply for
network management. It's very much an experimental network, so if you
choose not to allow admin accounts on your modem, the network may change
and you will be responsible for maintaining it yourself.

I'd also like to bring up a parallel with other commercial ISPs. You end
up in the same situation. For example, with comcast, you can either rent a
modem from them, which they have full admin control of, and may not give
you any access at all, or you buy a modem yourself, and configure it to
work with them, and any issues or changes are your own responsibility.

For us the problem is far more significant. The HamWAN network is changing
and evolving all the time, unlike a network like comcast's which is
relatively stable. The methods of connecting / authenticating to the
network will change, and you should be prepared for that if you decide
that allowing a few trusted users on your modem is an unacceptable risk,
despite these users having full administrative access to ALL of the rest
of the HamWAN network routing your packets.

In any case, as Cory said, it is your choice, but the recommended one is
what's documented on the wiki instructions.

Nigel
K7NVH


_______________________________________________
PSDR mailing list
PSDR@hamwan.org
http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org



--
-=jeff=-