Re: Firewall for broadband connection
From: Leythos (void_at_nowhere.org)
Date: 11/14/04
- Next message: <©¿©>: "Re: Specific protections from "true" firewall...?"
- Previous message: René: "Re: Firewall for broadband connection"
- In reply to: René: "Re: Firewall for broadband connection"
- Next in thread: René: "Re: Firewall for broadband connection"
- Reply:(deleted message) René: "Re: Firewall for broadband connection"
Date: Sun, 14 Nov 2004 14:15:48 GMT
In article <41975153$0$44077$5fc3050@dreader2.news.tiscali.nl>,
spamisnietleuk@hotmail.com says...
> > Yes, without ZA, the system would still be protected, but with ZA, the
> > system could detect a problem if he compromises his own system. The dual
> > layered approach is favorable for people that are likely to be infected.
>
> You mean that suppose e.g. a trojan horse gets on his computer, ZA will
> notice the outgoing data, and the external firewall wouldn't?
A router/NAT device will not notice anything going in/out, it just
passes connections based on something your computer initiates. This
means that if you request a web page, it will let the site send you the
web page. If your computer gets infected with a virus, that wants to
contact the www.downloadmoreviruses.com web site, the computer will make
the connection and the router will permit it to reach the site and the
router will also permit the site to return the data requested.
A personal firewall application that runs on your computer will often be
good enough to see that it has not asked you if you want "myvirus" to be
able to contact the internet and will block it until you say "No/Yes" to
the "allow access to internet" question for that application.
Look at a router/NAT as a big door with a knob only on the inside -
anything that can turn the knob (only on the inside) can get out without
any problem. Things on the outside can't get inside unless something
opens the door from the inside.
The good thing is that unless you open the door, nothing comes in that
you didn't want in. This means that all of your neighbors' infected
computers will hammer the router and not your computer.
> > > 3. Is configuring a device like that difficult?
> >
> > I reviewed this last night and thought it was a nice SOHO unit. It does
> > not appear to be Drop-In ready, but seems like it would be simple to
> > install for my mother-in-law.
>
> Wouldn't she be willing to do some configuring at my father's place ;-) ?
>
> > The manual is very nicely laid out and
> > seems easy to understand. I'm ordering one to test with.
>
> When do You expect to get it? I hope that You will post Your findings about
> the machine here. I am already quite sure I want to get one but maybe You'll
> have more info soon...
I'm setting up a couple of Exchange servers for a large group, it may be a
couple weeks before I have any time to 'play' with one since my plate is
quite full.
> > > 4. How does the device update itself? Automatically without my father
> having
> > > to care about it (I may be a newbie but he is even more ignorant and I
> can't
> > > visit him every minute of the day).
> >
> > No, it clearly needs user intervention to apply updates. In most cases,
> > appliances only need updates for enhancing features, most of the updates
> > are not to further harden the device. (most of the ones I work with are
> > very hardened and only add features through updates, but there are some
> > security updates). With this device, since there is little talk of it in
> > the groups, it would be hard to say how often they issue updates.
>
> What I was wondering about, when someone discovers some new sort of weak
> spot in Windows and the owner of the computer has not updated his OS
> immediately and there is an update of e.g. ZA, will the firewall, in this
> case ZA, also help protecting the user from attacks that aim at this weak
> spot? And if the answer is "Yes", is there a difference in the protection of
> this kind between a firewall like ZA and an external firewall?
> I do not fully understand that many firewall-applications like ZA get
> updates very often while an external firewall does not need security-updates
> that often, like You stated (You might read this line as "I don't believe
> You", but that is not correct, I actually don't understand why one firewall
> needs "adjusting of its hardening" more often than the other one).
Ah, levels of protection. In the case of ZA or other Firewalls, the
updates are sometimes to add enhanced features and not to fix bugs,
other times it's to fix bugs. In the case of the ones I use, most of the
fixes have been for enhancements, adding to the existing filter
property, or just stability, only a few have been for security type
updates. The reason that one may need updates and not another is that
they are all different applications, made by different groups, at
different times, with different ideas of how to best detect and stop
threats.
If you have a router or firewall appliance in front of your computer,
even without patches and updates you can safely install Windows
(unpatched) on the computer without fear that it will be compromised (as
long as you don't browse the web to anywhere but Microsoft to get
updates) while you are building it and patching it.
There are ways to install a new Windows system, from scratch, and get it
on-line and updated without it being compromised, but you have to know
what to disable and when it's safe to connect the network cable.
> > > 5. Is it possible (well, it will be possible, but will it be possible
> for me
> > > after doing some reading and researching on the web, I am a newbie but
> am a
> > > quick learner and am a bit above the average computer user, though not
> an
> > > expert) to install a program which allows me to control his computer
> when
> > > using such a device (my father is an expert in messing things up so it
> would
> > > be VERY handy if I could fix some things from my place? I suppose this
> > > question is closely related to question 3.. BTW if there is some sort of
> > > program that You would specifically recommend for doing this, Your input
> > > would be very appreciated (I realise this is OT).
> >
> > Yes, you could do a remote connection many ways - you could buy the VPN
> > version that permits you to make a direct connection to the unit itself,
> > which would let you access his computer.
>
> Yes, but the VPN version is much more expensive (iirc 350 $ vs. 100$) and
> quite soon I am going to get a broadband connection as well, so I would like
> to buy two of those firewalls (not at the same time, first one to see if I
> like it). I presume VNC is an application that does the same thing but from
> within his computer?
VPN is more expensive because it takes more to implement it, but it is
the proper method to use.
If you just want to support a single computer, as long as you know his
IP address, then VNC (free version, latest rev) is a simple way to do
it. The catch is that everyone and his brother (and his mother) knows
what ports to scan looking for exposed remote control applications. When
I install VNC, even in a protected network, I always change the port
number that it listens on. You could FORWARD PORT 31234 to his computer
from the internet (through a router) or create an exception for it in
Zone Alarm, and then install VNC on his computer with an ICON on the
desktop so that he can start it when needed. This would allow him to
start VNC when he needs your help and you to access his systems as
though you were sitting there - your keyboard and mouse work control his
system and you can see anything on his screen on your screen.
VNC is not a VPN-type solution, it's just a remote control application.
> > You could also install VNC on
> > his computer, set it to run on a non-standard port (like 34912) and then
> > connect across the internet to VNC on 34912) and make sure that it's
> > passworded (with a strong password).
>
> I think this is what Jeff mentions in his reply. I agree with him that the
> safest thing to do, would be to visit my father, but maybe there is a way in
> which he can enable the software after we have spoken each other on the
> phone and disable it after the problem has been fixed. Then again, I guess
> this would imply having to re-configure the FW every time which perhaps be
> too difficult for him.
No, just put a START and STOP Icon on the desktop for VNC, use a strong
password, and configure it to use a different port, above 30000, and you
don't have to touch anything in the firewall/router/ZA.
> What I have been wondering about is, whether a VPN-connection can be used
> when one doesn't have a fixed IP-address (we don't)(and we are happy about
> that). How does one computer manage to find the other one? Or do You need to
> get the address from one computer and tell it to the program on the other
> one?
There are a couple methods, and since the firewall appliance will be the
object getting the public IP, it's the only thing that will know it. If
you get into the firewall you can see what your public IP is, and ZA
will tell you if you use it directly connected to the public, but with
an appliance you have to access it to determine what your IP is. You
could also visit a web site that checks your computer and tells you what
your IP is: https://www.grc.com/x/ne.dll?bh0bkyd2
The link above will tell you what your assigned Internet Address is, at
least in the typical home user (single dynamic IP) not running through a
proxy.
> And what about program like PC-anywhere? Would something like that be
> useful in our situation?
PCAW is expensive, VNC is free.
> Suppose I would have a VPN. What would that look like on the computer? Is it
> just an extra computer in "My network places"? Or would it be possible to
> actually make my computer show everything from his computer, I mean, would I
> see his desktop and be able to use the applications on his system just as if
> I was working on his computer in his living room?
VPN is a network connection between two networks or systems, it has
nothing to do with seeing his computer/desktop. Imagine a VPN as being a
very long cable that stretches directly between your computer and his
computer with no one having access to it anywhere along the way. That's
all it is - a network connection that only allows the two ends to read
data from each other. You would use VNC once you got the VPN working,
but you would not connect to his PUBLIC internet address, you would
connect from your protected (inside the firewall device network) address
through the VPN, using VNC, to his private address which is inside his
firewall.
>
> > If you get one of the remote
> > control programs that doesn't show an Icon on the task bar he would not
> > know it's there - so he wouldn't have an opportunity to mess with it :)
>
> You highly underestimate the messing capabilities of my father... ;-).
>
> Is there any such program that You would especially recommend? (Preferably
> open source or freeware of course, but the quality is the most important).
> I might already do some reading if You'd have some names for me.
For inside companies, where we don't want to make it obvious, but people
can still see it in the task bar, we use an old product called Remote
Administrator, much like VNC, but you can hide the ICON and password
protect all settings and connections, and it will even let you use NT
authentication. We have clients that have VNC installed, in default
port, with a single password, on hundreds of computers in their network
(not our idea) and they don't have problems with it - the users leave it
alone.
> > > 6. Are there other devices, let's say below 200 euros (suppose that can
> be
> > > more or less compared to 200 US$, it's just an indication), that You
> would
> > > recommend above this one? If so, which one('s)? Wireless is not needed
> as
> > > his computer is only 4 m away from the access point.
> > > 7. Any other suggestions?
> >
> > In his case, as well as many home users, it would appear that all he
> > needs is a simple NAT device, most run about $50 US.
>
> Yes, but if the extra 50$ to get the "real" firewall from hotbrick, and this
> does add something to the protection quality, my father will be more than
> happy to spend it. Apart from that, it gets paid by the union my father
> does some volunteer work for on his computer (only small with not much very
> private data, mostly only names and addresses).
> Another question that came to my mind is the following. Hot brick has many
> firewalls, and many are very expensive. Is there also a difference in the
> specific "firewalling" capabilities between those, or is it just the other
> specs that differ, like managing many users and providing VPN-services?
You might do well to send them an email and tell them what you want to
do and ask them to suggest the proper device for your needs. In your
case, while a VPN device is nice to have, a simple router with NAT may
be all you really need. If you were to combine a NAT box with SPI, and
then run ZA on his computer, exposing the VNC port/application, even if
you left it running all the time, you might find that he's just as not-
exposed as if he were running the brick.
> > If you were to
> > install a cheap Linksys BEFSR41 unit, keep ZA on his computer, and get
> > something like Norton Antivirus 2005 for him, he should be safe. I use
> > AVG, but install NAV for home users that can afford to purchase a
> > license. AVG is good, but I trust NAV more.
> > One other thing - get him a copy of the free SpyBot Search & Destroy at
> > www.safer-networking.org and a copy of the AdAware SE (free) from
> > lavasoft.
>
> Sorry, forgot to mention this in my first posting, but he already has those
> programs.
It doesn't sound like he has the router/NAT box - if you put that in the
solution then you've got all he really needs. If you add in blocking of
outbound ports at the router of 135,136,137,138,139,445 then you make it
harder for his computer to spread infections should it be compromised.
> If You would allow me to just ask one more question that is a bit OT in this
> NG, I would be very grateful (I ask it because we are talking about
> networking already and the two of You seem to know what You're talking about).
> I would very much like to learn to fully configure a network WITHOUT using
> wizards, because after having used a wizard, I still haven't got the
> faintest idea about what I have actually done. I am reading the book "TCP/IP
> unleashed" which is very good (and thick), but not everything I want to know
> is in there. Usually when You buy a book about networking, it starts telling
> about all the kinds of cables there are and such. I am not interested in
> that. Many tutorials/books also explain how to use those wizards (I think
> they are clear enough themselves). Worst are the books that first start
> talking about the wiring and then tell You how to configure the network with
> the wizards. I have not been able to find a tutorial with google that
> thoroughly explains the real configuring of a network, without using the
> wizard. I don't know which words to use in Google. If You say "-wizard", You
> will also "lose" the pages that say "Have You ever wanted to configure Your
> network without wizards? Then this is the page for You!", which would be
> exactly what I want. So my question is: Does anyone of You know of a good
> tutorial on the web, or a book, that will show me how to fully install and
> configure a network without using those stupid wizards that hide everything
> from You?
Not off the top of my head, and networking is a wide subject. The first
thing is to understand the cables, the types of cables, and how to make
them, then to understand the difference between a switch and hub, then
managed and unmanaged, then VLANS, then routers, then NAT, then routes,
then firewalls.
Hope all of this helps somehow.
--
spamfree999@rrohio.com (Remove 999 to reply to me)
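The "door with a knob only on the inside" model, the outbound block of 135-139/445, and the forwarded non-standard VNC port that the reply above describes can be made concrete in a small simulation. The following is an added example written for this archive page; it is not code from the post, from Leythos, or from any of the products named (Hotbrick, Linksys, ZoneAlarm, VNC). It models a stateful NAT router with an egress filter and one static port forward, and replays constructed packets through it. All IP addresses are constructed documentation addresses, the port-forward target host is hypothetical, port 31234 is the non-standard VNC port the post used as its example, and the router is simplified to keep the inside source port unchanged on the outside (an assumption of this example, not a claim about any real device).

```python
"""Toy stateful NAT/SPI router illustrating the thread's advice.

Added example, not code from the post or any product it names.
Assumption: the router preserves the inside source port on the outside,
so a flow is identified by (remote ip, remote port, inside port).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Outbound ports the post suggests blocking at the router so a compromised
# PC cannot spread over NetBIOS/SMB (135-139, 445).
BLOCKED_OUTBOUND_PORTS = {135, 136, 137, 138, 139, 445}


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    direction: str  # "out": LAN -> internet, "in": internet -> router


class NatRouter:
    """Stateful NAT with an egress filter and static port forwards."""

    def __init__(self, public_ip: str, port_forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.public_ip = public_ip
        # public port -> (inside ip, inside port)
        self.port_forwards = dict(port_forwards or {})
        # (remote ip, remote port, inside port) -> inside ip
        self.flows: Dict[Tuple[str, int, int], str] = {}
        self.log: List[str] = []

    def handle(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, translated destination or None)."""
        verdict = self._outbound(pkt) if pkt.direction == "out" else self._inbound(pkt)
        self.log.append(f"{verdict[0]:5} {pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return verdict

    def _outbound(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        # Egress filter: the router will not carry SMB/NetBIOS out, even if
        # an infected PC on the inside asks for it.
        if pkt.dport in BLOCKED_OUTBOUND_PORTS:
            return ("DROP", None)
        # Turning the knob from the inside: remember the flow so the reply
        # can come back through the door.
        self.flows[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
        return ("ALLOW", f"{pkt.dst}:{pkt.dport}")

    def _inbound(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        if pkt.dst != self.public_ip:
            return ("DROP", None)
        inside = self.flows.get((pkt.src, pkt.sport, pkt.dport))
        if inside is not None:          # reply to something the inside PC started
            return ("ALLOW", f"{inside}:{pkt.dport}")
        if pkt.dport in self.port_forwards:   # the one door the owner opened on purpose
            ip, port = self.port_forwards[pkt.dport]
            return ("ALLOW", f"{ip}:{port}")
        return ("DROP", None)           # unsolicited: hammers the router, not the PC


def run_scenario() -> List[Tuple[str, Optional[str]]]:
    """Replay the situations the post describes; all addresses are constructed."""
    pc, web, neighbour, helper = "192.168.1.10", "198.51.100.20", "203.0.113.77", "198.51.100.99"
    router = NatRouter("203.0.113.5", port_forwards={31234: (pc, 31234)})
    steps = [
        Packet(pc, 49152, web, 80, "out"),                     # PC requests a web page
        Packet(web, 80, "203.0.113.5", 49152, "in"),           # the page comes back through the door
        Packet(neighbour, 40000, "203.0.113.5", 49153, "in"),  # unsolicited probe from a neighbour
        Packet(neighbour, 40001, "203.0.113.5", 445, "in"),    # unsolicited SMB probe
        Packet(pc, 49154, neighbour, 445, "out"),              # infected PC tries to spread on 445
        Packet(pc, 49155, "198.51.100.30", 80, "out"),         # but can still fetch updates
        Packet(helper, 50000, "203.0.113.5", 31234, "in"),     # helper connects to forwarded VNC port
        Packet(helper, 50001, "203.0.113.5", 5900, "in"),      # default VNC port is not forwarded
    ]
    return [router.handle(p) for p in steps]


if __name__ == "__main__":
    router_results = run_scenario()
    for verdict, target in router_results:
        print(verdict, target)
```

The two DROPs on 445 show the two different mechanisms at work: the inbound probe is dropped because no inside host opened that door, and the outbound attempt is dropped by the egress filter even though the inside host did try to open it. Note that the forwarded port is reachable from anywhere, which is why the post pairs it with a strong VNC password and a start/stop icon so the service is only running when needed.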