| | #61 | |
| Resident ABX Wizard ![]() Join Date: May 2003 Location: London, Ontario
Posts: 8,814
| Quote:
It's probably your software firewall settings. | |
| (Offline) | |
| | #62 |
| Registered User Join Date: Nov 2003
Posts: 13,497
| Fraoch, he didn't really fail anything, he was completely closed. What we were trying to figure out is how to stealth the unit too. He was showing stealthed on some ports and was thinking that was somehow bad. So, that cleared up, we were trying to see if the unit has total stealth capability, you should know the answer to that better than I. Last edited by PCBruiser : 04-09-2004 at 04:43 PM. |
| (Offline) | |
| | #63 | |
| Registered User Join Date: Nov 2003
Posts: 13,497
| Quote:
| |
| (Offline) | |
| | #64 | |
| ???????????????? Join Date: Feb 2001
Posts: 9,627
| Quote:
| |
| (Offline) | |
| | #65 |
| Registered User Join Date: Nov 2003 Location: San Francisco, CA
Posts: 198
| I wanted to thoroughly recommend the Netgear FR328S. It's not wireless (since wireless technology changes so much, I prefer to have my firewall in a non-wireless router). It's got 8 ports, and all of them, and the WAN port as well, are 10/100 for those future 100 Mbps broadband connections. It has SPI and NAT. It also has a very fast processor so the impact of putting it between your WAN is truly imperceptible. It does allow various flavors of VPN tunnelling, though it is not a VPN Firewall per se - so if you don't need robust VPN functionality, just a very powerful, very capable firewall router, this is it. Out of the box, it passes every ShieldsUp! test perfectly, with ALL ports stealth on the 1000+ scan. You can define any IP connected to it as a DMZ (e.g. not protected by the firewall, which is useful in certain cases), vs. having a dedicated port to do this. It has a robust internet filter, and robust inbound/outbound port config and service definition options for power users. Costs < 150, which is more than some and less than others. The web-based user interface is a breeze to use. I even set it up to email me daily logs, or any identified WAN-side attacks. Firmware updates are frequent and simple to install via the web interface. Highly recommended. I plug my Wireless access point into a port and have 802.11g WPA running through my house without any difficulties - all using the DHCP server and NAT in the FR328S. |
| (Offline) | |
| | #66 |
| ABXPopulator Join Date: Sep 2003 Location: Recovering World of Warcraft Addict
Posts: 4,351
| Thanks for the heads up PCBruiser... I went to the link you posted and I passed all the tests; however, I am still looking at adding some hardware for extra security |
| (Offline) | |
| | #67 |
| Registered User Join Date: Jul 2003 Location: Atlanta, GA
Posts: 428
| For those looking (and have less than 4 systems to connect) also check out the SMC Barricade 7004VBR or SMC7004VWBR (Wireless)
__________________ ASUS P4P800 Deluxe 1009, P4 2.8C@3.15GHz, Zalman CNPS7000-AlCu GeIL Golden Dragon PC3500DC 1GB (2-3-3-6-8) MSI FX5900-VTD256, Samsung 191T LCD Maxtor DiamondMAX +9 120GB Antec Sonata (380W TruePower), Antec 120MM SmartCool (exhaust) |
| (Offline) | |
| | #68 | |
| Retired and luv'n it Join Date: Oct 2002 Location: Fayetteville, North Carolina
Posts: 908
| Quote:
I also think he's an ALRIGHT kinda guy
__________________ The Sikorsky BLACK HAWK. America's helicopter. Rock-steady veteran of 30 years - and counting......FLY ARMY!!!!! ![]() ![]() Abit IC7-G v1.1 Bios 28 P4 3.4E (Game Accelerator Settings= A-A-A-D-D) AGPv=1.65 DDRv=2.9 2 x CORSAIR XMS3202 TWIN X CMX1024-3200C2PRO 1:1 (2-3-3-6) PAT=Enabled (2 GIGS) XFX 7800 GS Extreme Edition (Nvidia 91.31) 453/1319 Thermalright XP-90C/AS5 Delta 92mm EHE fan ANTEC 550 NEO HE Power Supply CoolerMaster ATC-201B-SXT Heavily Modded IDE 1 (Master)=SEAGATE Barracuda 120gb HD SATA 1=WD360 Raptor / SATA 2=Hitachi Deskstar 120gb Plextor 708/A Firmware 1.11 ViewSonic 19"" VX922 2ms LCD Onboard Realtek Sound= enabled Onboard LAN= enabled WinXP Home (Slipstreamed SP2) | |
| (Offline) | |
| | #69 |
| Registered User Join Date: Apr 2003 Location: IL
Posts: 78
| Well PCB, I ran all of the linked tests and nothing got through. But thanks for the heads up, I checked the log file and the only intrusive entries were the ones from the tests. It is a different brand than you mentioned, but it still works and works great.
__________________ Intel Core 2 Duo E-6400 @ 2.4 ghz, Zalman CNPS 9700 NT, ASUS P5W DH DELUXE/WIFI-AP, HIS Radeon X1950PRO 256MB, OCZ Platinum 2GB (2 x 1GB)PC2 6400), WD 320GB SATA 3.0 16mb Cache, SB Live 24, THERMALTAKE TR2 500W |
| (Offline) | |
| | #70 |
| Registered User Join Date: Nov 2003
Posts: 13,497
| Great link53, I'm glad to see members taking this seriously. I really couldn't care less WHAT brand you are using, I am completely indifferent to that issue, I only care that you are using something that works well, protects you as completely as possible, and if possible have SPI implemented. |
| (Offline) | |
| | #71 |
| I'm gettin' dizzy! ![]() Join Date: Jan 2004 Location: Chicagoland
Posts: 11,035
| My son moved in with me 2 weeks ago and I threw his system on my router. I totally forgot to put a firewall on his machine until reading this. I use: McAfee Firewall that came with Comcast.net. So I just installed ZoneAlarm on his. How do you update it?
__________________ ---------- JimBo ----------- ![]() ![]() When in doubt, smack it! |
| (Offline) | |
| | #72 |
| Registered User Join Date: Nov 2003
Posts: 13,497
| Update ZA? There is an auto notification in the first panel which you can set to check for updates. But, given that it runs as a service, you generally have to physically download and install the update. The first thing the updater does is close the running service safely. It also issues a warning when the service closes down asking to make sure that it is being shut by an updater or deliberate uninstall. Safety measure. |
| (Offline) | |
| | #73 |
| just visiting... Join Date: Sep 2002
Posts: 1,280
| Thanks Bruiser, my personal PC and our small business computer have a lot of personal info on both machines, which are connected to DSL and cable lines. I ran ShieldsUp! and failed on 113, quote: “Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection.” I am currently using Norton’s firewall (which is expiring), but I am going to be switching to ZA Pro and I am going to buy a router with SPI. |
| (Offline) | |
| | #74 |
| Registered User Join Date: Nov 2003
Posts: 13,497
| OK, I am very pleased that members are taking this seriously. So I thought that it would be good to add some additional ways to protect yourself and your network. Now, for obvious reasons, I learned a hard lesson, and have locked myself down even further than what I indicated in earlier posts. Since, of course I'm downright paranoid on this subject. Here's the next step.
OK. WOW. I bought one of those routers I'M PROTECTED!!!!!!!!!!! Right, you are, but there is still more that you can do to protect yourself even better.
There are 2 critical Clients that you must have in order to run an internal LAN. Client for MS Windows, and File and Printer Sharing. These two clients are ABSOLUTELY UNNECESSARY if you only have 1 machine connecting to the Internet via your router and DSL/Cable Modem. You can simply delete them from your network if you only have 1 machine. And those Clients are inherently dangerous! But, more than 1 machine on your LAN, those clients are essential. But, if they are so dangerous, isn't there some way to secure them too? Answer, for a SMALL LAN YES. For a larger one, not without giving up some network efficiencies.
To understand how to do this, you need to understand a couple of more things about networking. This is a very complex subject, so what follows will be simplistic again, sacrificing technical accuracy for understandability.
There is a Difference Between A Client and a Protocol: You have Clients to do something on YOUR machine. Client for MS Networks manages the LAN interface on YOUR machine. But, natively, these clients do not communicate themselves over the LAN/Internet. To communicate they need a network protocol, like TCP/IP, for example. Now, TCP/IP works very well - that's the protocol used by the entire Internet, of course. IT IS NOT THE ONLY NETWORK PROTOCOL THAT YOU CAN USE ON YOUR LAN. You do NOT need to use TCP/IP to service your LAN clients.
But, having said that, Windows assumes that since you will use TCP/IP to communicate on the Internet, you might as well use this modern, efficient protocol to manage clients on your LAN. BAD ASSUMPTION! Correct for large LANs because TCP/IP is efficient, and running more than 1 protocol does add inefficiencies.
So, here's what I do on my SMALL LAN. I do not use TCP/IP for my LAN at all. I use IPX/SPX, a different, and somewhat less efficient protocol. But, since IPX/SPX is incompatible with the Internet, nothing that passes in my LAN other than TCP/IP packets intended to pass through my router to the Internet can even be seen or routed over the Internet. In fact, the WAN side of my router cannot even recognize an IPX/SPX packet, and discards any that get that far (none do anyway) as junk packets because they are formatted totally differently from TCP/IP packets, AND CONTAIN NO IP ADDRESS INFORMATION.
Furthermore, and here I am really simplifying, because IPX/SPX does not use IP address info to identify my machines, I can disable broadcasting my netBIOS names completely. What is a netBIOS name, you ask? It is a second way to identify your individual machines needed to link TCP/IP to Client for MS Networks. But, if you are using IPX/SPX it is unnecessary, and you can disable netBIOS in your network properties completely, and stop it from broadcasting your "name" over your LAN. Well, who cares if it does? Well, without a router to block netBIOS packets from exiting and entering your LAN, YOU ARE BROADCASTING YOUR MACHINE'S NAME ALL OVER THE INTERNET SAYING HERE I AM, COME GET ME! This, BTW, is one way a cracker can bypass NAT and find your machine behind a router lacking SPI even though the IP address is strictly an internal one.
So, by using IPX/SPX, although somewhat less efficient, over my LAN, I can disable netBIOS, and I also block both inbound and outbound netBIOS packets in ZoneAlarm as well. And, in my router also.
Why use IPX/SPX and unbind TCP/IP from the two clients? By unbinding TCP/IP from the two clients a cracker cannot use TCP/IP to connect to your machine or see your hard drives even if they somehow are able to bypass all of your other firewall/NAT/router protections. And they cannot get to your LAN over the internet by using IPX/SPX. So, by doing this, you have made it even harder to crack your system, if not virtually impossible, even for a really professional cracker.
Now, here's how you do it. To use IPX/SPX internally, you need to "Add" the protocol in the Network Properties Control Panel for all machines on your network. Then you have to unbind TCP/IP from these clients also. Right click on Network/Properties. Advanced Menu/Advanced Settings. There you will see a bindings tab, with both clients listed and bindings checked for both TCP/IP and IPX/SPX. Simply uncheck (i.e., unbind) TCP/IP from these clients, and you have SUBSTANTIALLY INCREASED YOUR SECURITY, for a minimal price of using a somewhat less efficient LAN protocol. That's a reasonable price to pay IMHO. Last edited by PCBruiser : 04-10-2004 at 12:35 PM. |
| (Offline) | |
| | #75 |
| Resident ABX Wizard ![]() Join Date: May 2003 Location: London, Ontario
Posts: 8,814
| Thanks PCBruiser, but I think my XP Home does things a little differently. I can add: "NWLink IPX/SPX/NetBIOS Compatible Transport Protocol" (note NetBIOS comes with it) and in the "Advanced" tab I can only enable XP firewall, not change bindings. My other machine runs Win98SE. Haven't checked that yet but I assume it'll be even worse...but I may switch to IPX/SPX if Win98SE has it. Not sure about NetBIOS - I can't seem to disable it through Windows, ZoneAlarm Free or my router. Thanks for the help though! |
| (Offline) | |