3

I cannot alter my modem firmware and there's no legal way to enable bridge mode. I want to add a router so that I can have complete control over the network.

If I use DMZ to achieve this, how secure am I? What would happen if an attacker is able to breach my less-secure modem (that is also a router) and change some settings like DNS? Are there any approaches to minimize risks?

Router/Modem from my ISP¹ => DMZ => Router with DHCP and NAT => All my devices

¹wifi disabled, no wired devices connected, but I can't disable NAT or DHCP

1 Answer

2

Yes, I don't believe you could cause any harm by DMZ-ing to your own modem. So what you'll basically be doing is using the router as a MIM, but it is all still in your internal network. One concern is that this will create a lot of routing, increase latency etc., but it shouldn't happen on a small setup. As far as security is concerned, even if the hacker does manage to get to the modem shell, he could only access the router, which means he would have to hack in twice to reach your system, thus actually increasing security.

As far as DNS is concerned, if the hacker changes the server to a malicious one, you would get invalid certificate warnings if they tried to phish your requests while you are using SSL. One last thing you can do is to enable logging (though these are generally wiped away when you restart the router for most).

Also, turning off remote management (from WAN) completely in your modem would help a lot. The simplest way sometimes is to simply change all ports to obscure ones, e.g. change your router's telnet port from 23 to 10023. No one generally has enough resources to scan all ports unless they are specifically targeting you.

pulsejet
  • 2,250
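
An added example, not part of the original question or answer: because the modem's DHCP cannot be disabled, the inner router's WAN side may pick up whatever DNS servers the modem hands out, so a changed DNS setting on the modem can flow through unnoticed. This check compares the resolvers the inner router is actually using against a set you pinned yourself. The modem address `192.168.1.1`, the pinned resolvers, the resolv.conf-style input and the function names are assumptions for illustration.

```python
import ipaddress

# Constructed sample: resolv.conf as the inner router might see it after
# taking its WAN lease (and DNS servers) from the ISP modem's DHCP.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP client on wan
nameserver 192.168.1.1
nameserver 203.0.113.53
options edns0
"""

def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # skip malformed entries rather than trusting them
    return servers

def audit_resolvers(text, pinned, modem_ip):
    """Flag resolvers that are the modem itself or not in the pinned set."""
    pinned_set = {ipaddress.ip_address(p) for p in pinned}
    modem = ipaddress.ip_address(modem_ip)
    findings = []
    for ns in parse_nameservers(text):
        if ns == modem:
            findings.append((str(ns), "modem is the resolver; its DNS setting decides your answers"))
        elif ns not in pinned_set:
            findings.append((str(ns), "not in pinned set; possibly pushed by modem DHCP"))
    return findings

if __name__ == "__main__":
    # Assumed values: modem at 192.168.1.1, resolvers you chose yourself.
    pinned = ["9.9.9.9", "1.1.1.1"]
    for addr, reason in audit_resolvers(SAMPLE_RESOLV_CONF, pinned, "192.168.1.1"):
        print(f"{addr}: {reason}")
```

An empty result means the router is only using resolvers you pinned; any finding is a reason to set the inner router's DNS servers statically instead of accepting them from the modem's lease.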