Comcast Xfinity Network Security

PatrickinDC
Solved by PatrickinDC

Hi all,

 

Tech novice here. I have a Comcast-provided Xfinity xFi gateway (not sure that's the technical term for the hardware), which also provides the wireless network for the home/office. There is no additional router between the gateway and the network. I chose to stick with the gateway because the WiFi signal works pretty well for my two-bedroom condo.

 

Having been the victim of numerous data breaches over the years, e.g., Yahoo, etc., I'm overly sensitive about wanting to protect sensitive information as much as possible. It recently dawned on me that I don't know or understand whether there is sufficient security on the Xfinity gateway. The broadband cable line comes into the gateway from the wall, then I have an ethernet cable from the gateway to a Netgear switch with 12 ports. All the technology hardware in the home office is wired to that switch and the rest of the condo is on the WiFi.

 

I feel exposed, as though there should be a firewall of some sort between the cable gateway and the wired and wireless network connections. Should there be? If so, what?

 

Appreciate any guidance. 

 

Thanks, Patrick


3 minutes ago, PatrickinDC said:

I feel exposed, as though there should be a firewall of some sort between the cable gateway and the wired and wireless network connections. Should there be? If so, what?

Then put on some clothes? :D Kidding.

 

More seriously, the ISP we use borrows much of the same technology as Comcast uses, so I can tell you that there is a built-in firewall on the TG3482 Technicolor & ARRIS manufactured Gateways (modem/router combo units). Mine is disabled only because I run custom AdvancedTomato firmware on a Netgear R7000 router, as no ISP-provided modem provides the granular control & logging I require to operate my home network. If you have a different model of Gateway, it will still have its own firewall built in as well.

 

Firewalls are built into your operating system, too, and have gotten far better than they were back in the Windows XP days. That being said, it's not your firewall or even security software that you should worry about when it comes to protecting your information or online accounts - it's implementing best security practices, such as never re-using passwords, enabling MFA on everything, and only sharing data with companies you trust. Full disclosure: unless you have access to the source code or servers where your data lives, assume it's insecurely stored, and share only what you're comfortable with having leaked to the internet.

 

[attached image]


The gateway itself should have a firewall with a high/medium/low selector. Comcast sets it to Low by default. The firewall drops all incoming connections that weren't initiated from inside the network.

The only thing to really worry about is UPnP devices, which can cause the firewall to create a port forward to them. This is how those fun IP cameras end up being publicly accessible.

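The UPnP point above is the one worth checking on a gateway you did not configure yourself. The script below is an added example written for this thread, not code from the forum or from any poster. It reads the gateway's own port-mapping table over UPnP IGD, the same interface a camera uses to open a hole: an SSDP M-SEARCH finds the gateway's description URL, the description names the WANIPConnection control URL, and GetGenericPortMappingEntry is called with index 0, 1, 2, ... until the gateway returns UPnP error 713, which is how the end of the table is signalled. The gateway address 192.168.1.1, the URLs, the two sample mappings and the fault reply are constructed so the example runs offline; `discover()` and `http_post()` are the real transport for your own LAN.

```python
"""Enumerate the port mappings a UPnP gateway has opened (UPnP IGD, WANIPConnection
GetGenericPortMappingEntry).  Added example, not code from the thread; the gateway
address, URLs and sample replies below are constructed assumptions."""
import re, socket, urllib.error, urllib.parse, urllib.request, xml.etree.ElementTree as ET
from collections import namedtuple
from typing import Callable, List, Optional

WANIP_SVC = "urn:schemas-upnp-org:service:WANIPConnection:1"
Mapping = namedtuple("Mapping", "ext_port proto client int_port desc enabled lease")  # lease 0 = permanent
_local = lambda tag: tag.rsplit("}", 1)[-1]  # element name without its XML namespace

def discover(timeout: float = 2.0) -> Optional[str]:
    """SSDP M-SEARCH for an InternetGatewayDevice; returns the LOCATION (description URL) or None."""
    msearch = ('M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: "ssdp:discover"\r\n'
               "MX: 2\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n").encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(msearch, ("239.255.255.250", 1900))
            m = re.search(rb"^LOCATION:[ \t]*(\S+)", s.recvfrom(4096)[0], re.I | re.M)
            return m.group(1).decode() if m else None
        except OSError:  # timeout, or no route to the multicast group
            return None

def find_control_url(description_xml: str, base_url: str) -> Optional[str]:
    """controlURL of the WANIPConnection service, resolved against the description URL."""
    for svc in ET.fromstring(description_xml).iter():
        if _local(svc.tag) == "service":
            f = {_local(c.tag): (c.text or "").strip() for c in svc}
            if f.get("serviceType") == WANIP_SVC:
                return urllib.parse.urljoin(base_url, f["controlURL"])
    return None

def build_soap(index: int):
    """(headers, body) for GetGenericPortMappingEntry(NewPortMappingIndex=index)."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
            ' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP_SVC}"><NewPortMappingIndex>{index}'
            "</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>")
    return ({"Content-Type": 'text/xml; charset="utf-8"',
             "SOAPAction": f'"{WANIP_SVC}#GetGenericPortMappingEntry"'}, body.encode())

def parse_mapping(soap_xml: str) -> Optional[Mapping]:
    """One mapping, or None on UPnP error 713 (SpecifiedArrayIndexInvalid): end of the table.
    ElementTree is fine for a gateway inside the LAN; use defusedxml for an untrusted device."""
    f = {_local(e.tag): (e.text or "").strip() for e in ET.fromstring(soap_xml).iter()}
    if "errorCode" in f:
        if f["errorCode"] == "713":
            return None
        raise RuntimeError(f"UPnP error {f['errorCode']}: {f.get('errorDescription')}")
    return Mapping(int(f["NewExternalPort"]), f["NewProtocol"], f["NewInternalClient"],
                   int(f["NewInternalPort"]), f["NewPortMappingDescription"],
                   f["NewEnabled"] == "1", int(f["NewLeaseDuration"]))

def http_post(url: str, headers: dict, body: bytes) -> str:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return r.read().decode()
    except urllib.error.HTTPError as e:  # a SOAP fault comes back as HTTP 500 with XML in the body
        return e.read().decode()

def audit(description_url: str, post: Callable = http_post,
          get: Callable = lambda u: urllib.request.urlopen(u, timeout=5).read().decode()) -> List[Mapping]:
    """Description XML -> controlURL -> walk NewPortMappingIndex 0, 1, 2, ... until the gateway says 713."""
    ctl = find_control_url(get(description_url), description_url)
    if ctl is None:
        raise RuntimeError("gateway advertises no WANIPConnection service")
    found = []
    for i in range(512):  # hard stop in case a broken gateway never returns 713
        m = parse_mapping(post(ctl, *build_soap(i)))
        if m is None:
            break
        found.append(m)
    return found

# Constructed replies standing in for a gateway at 192.168.1.1, so the example runs offline.
DESC_URL = "http://192.168.1.1:5000/rootDesc.xml"
SAMPLE_DESC = ('<root xmlns="urn:schemas-upnp-org:device-1-0"><device><serviceList><service><serviceType>'
               f"{WANIP_SVC}</serviceType><controlURL>/ctl/IPConn</controlURL></service></serviceList></device></root>")
_ENV = '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>%s</s:Body></s:Envelope>'
_ENTRY = (f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SVC}"><NewRemoteHost/>'
          "<NewExternalPort>{0}</NewExternalPort><NewProtocol>{1}</NewProtocol><NewInternalPort>{3}</NewInternalPort>"
          "<NewInternalClient>{2}</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>{4}"
          "</NewPortMappingDescription><NewLeaseDuration>{5}</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>")
SAMPLE_TABLE = [_ENV % _ENTRY.format(8080, "TCP", "192.168.1.50", 80, "IP camera web UI", 0),
                _ENV % _ENTRY.format(3074, "UDP", "192.168.1.20", 3074, "game console", 86400)]
SAMPLE_FAULT = _ENV % ('<s:Fault><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713'
                       "</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>"
                       "</UPnPError></detail></s:Fault>")

def fake_post(url: str, headers: dict, body: bytes) -> str:
    """Offline stand-in for http_post: serves SAMPLE_TABLE by index, then the 713 fault."""
    idx = int(re.search(rb"<NewPortMappingIndex>(\d+)<", body).group(1))
    return SAMPLE_TABLE[idx] if idx < len(SAMPLE_TABLE) else SAMPLE_FAULT

def offline_demo() -> List[Mapping]:
    return audit(DESC_URL, post=fake_post, get=lambda u: SAMPLE_DESC)
```

On a real network, `audit(discover())` returns the live table. Any Mapping you did not create yourself, and in particular one with `lease` 0 (it never expires) pointing at a camera's web interface, is exactly the exposure the post describes; disabling UPnP on the gateway is what stops devices from adding more. The miniupnpc tool prints the same table with `upnpc -l` if you would rather not script it.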

-= Topic Moved to Networking =-


12 hours ago, PatrickinDC said:

I feel exposed, as though there should be a firewall of some sort between the cable gateway and the wired and wireless network connections. Should there be? If so, what?

Remember Gateways = Modem + Router. Every router has a firewall built in. The only security issue with the Xfinity gateway is if a rogue employee were to back-door into it and change settings to make things not secure. But a large company like Comcast has security measures in place to ensure that does not happen. The one thing to remember, however, is that you're renting that gateway, so that means about $14 a month of your bill is for the gateway.

 

Now if you seriously want a better firewall between you and the internet, you can buy a standard cable modem or put that gateway in bridge mode and build a pfSense box. pfSense is probably going to provide better security, BUT to be clear most of the breaches that happen are because corporate networks are not secure, as happened with Equifax. In that case there is not shit you can do. I'd be more afraid of someone breaking into the WiFi, as WPA2 was cracked once; most routers that were current at the time should have gotten a patch against that, BUT it's only a matter of time before it will happen again. WPA3 is out, but not many devices or routers for that matter support it as of yet, and it will be years before all your devices are WPA3 capable. Even then, I figure it's only a matter of time before that gets cracked.


Keep in mind the ISP has remote access to your device and can modify any settings.  Whether they do/will or not is irrelevant, ideally you want to plan around what's possible. 

 

The likelihood of getting some drive-by malware on a shady porn site is significantly higher, however. Simply having a firewall on the edge doesn't mean much if you're exploited at the application layer or if your policies are not implemented correctly.

 

Data breaches on remote sites aren't something you can control (such as a service storing cleartext credentials), but you can mitigate the risk as per other suggestions such as unique passwords on each platform and multi factor authentication.


On 2/1/2020 at 9:41 PM, kirashi said:

Then put on some clothes? :D Kidding.

 

More seriously, the ISP we use borrows much of the same technology as Comcast uses, so I can tell you that there is a built-in firewall on the TG3482 Technicolor & ARRIS manufactured Gateways (modem/router combo units). Mine is disabled only because I run custom AdvancedTomato firmware on a Netgear R7000 router, as no ISP-provided modem provides the granular control & logging I require to operate my home network. If you have a different model of Gateway, it will still have its own firewall built in as well.

 

Firewalls are built into your operating system, too, and have gotten far better than they were back in the Windows XP days. That being said, it's not your firewall or even security software that you should worry about when it comes to protecting your information or online accounts - it's implementing best security practices, such as never re-using passwords, enabling MFA on everything, and only sharing data with companies you trust. Full disclosure: unless you have access to the source code or servers where your data lives, assume it's insecurely stored, and share only what you're comfortable with having leaked to the internet.

 

[attached image]

Great chuckle re: the clothes.  LOL

 

The firewall on the gateway I have looks exactly like that and right now I have it set to medium. I also have the Mac firewalls active on the computer hardware, and I'm running Sophos Intercept X and Endpoint on the Macs. I also apply a tight control on the URLs that can be accessed from the networked computers through the Sophos Website management platform as well as DLP enabled on inbound and outbound emails.

 

Completely agree on MFA. I have it enabled everywhere possible and select an authenticator app when available instead of SMS. I also use Dashlane to help me manage passwords so that no password is reused and each is at least 18 characters wherever possible.

 

So, hopefully, I'm on the right track, understanding that nothing is 100%.
