Re: Firewall for broadband connection
From: René (spamisnietleuk_at_hotmail.com)
Date: 11/17/04
- Next message: J Warren: "ZoneAlarm pro blocking access to its own servers?"
- Previous message: LastAngel: "KerioWinroite Firewall 6 HTTPS from lan blocked"
- In reply to:(deleted message) Leythos: "Re: Firewall for broadband connection"
- Next in thread: Leythos: "Re: Firewall for broadband connection"
- Reply:(deleted message) Leythos: "Re: Firewall for broadband connection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Nov 2004 21:39:16 +0100
Dear Leythos,
Thank You for replying again, this is very kind of You. I have put my
comments in the story:
"Leythos" <void@nowhere.org> schreef in bericht
news:MPG.1c0133aa6ada7535989a46@news-server.columbus.rr.com...
> In article <41975153$0$44077$5fc3050@dreader2.news.tiscali.nl>,
> spamisnietleuk@hotmail.com says...
> > > Yes, without ZA, the system would still be protected, but with ZA, the
> > > system could detect a problem if he compromises his own system. The dual
> > > layered approach is favorable for people that are likely to be infected.
> >
> > You mean that suppose e.g. a trojan horse gets on his computer, ZA will
> > notice the outgoing data, and the external firewall wouldn't?
>
> A router/NAT device will not notice anything going in/out, it just
> passes connections based on something your computer initiates. This
> means that if you request a web page, it will let the site send you the
> web page. If your computer gets infected with a virus, that wants to
> contact the www.downloadmoreviruses.com web site, the computer will make
> the connection and the router will permit it to reach the site and the
> router will also permit the site to return the data requested.
>
> A personal firewall application that runs on your computer will often be
> good enough to see that it hasn't asked you if you want "myvirus" to be
> able to contact the internet and will block it until you say "No/Yes" to
> the "allow access to internet" question for that application.
>
> Look at a router/NAT as a big door with a knob only on the inside -
> anything that can turn the knob (only on the inside) can get out without
> any problem. Things on the outside can't get inside unless something
> opens the door from the inside.
>
> The good thing is that unless you open the door, nothing comes in that
> you didn't want in. This means that all of your neighbors' infected
> computers will hammer the router and not your computer.
This is what I thought it was like, thanks.
> > > > 3. Is configuring a device like that difficult?
> > >
> > > I reviewed this last night and thought it was a nice SOHO unit. It does
> > > not appear to be Drop-In ready, but seems like it would be simple to
> > > install for my mother-in-law.
> >
> > Wouldn't she be willing to do some configuring at my father's place ;-) ?
> >
> > > The manual is very nicely laid out and
> > > seems easy to understand. I'm ordering one to test with.
> >
> > When do You expect to get it? I hope that You will post Your findings about
> > the machine here. I am already quite sure I want to get one but maybe You'll
> > have more info soon...
>
> I'm setting up a couple exchange servers for a large group, it may be a
> couple weeks before I have any time to 'play' with one since my plate is
> quite full.
I see, no problem, "mate" ;-) (that's Australian I think).
> > > > 4. How does the device update itself? Automatically without my father
> > > > having to care about it (I may be a newbie but he is even more ignorant and
> > > > I can't visit him every minute of the day).
> > >
> > > No, it clearly needs user intervention to apply updates. In most cases,
> > > appliances only need updates for enhancing features, most of the updates
> > > are not to further harden the device. (most of the ones I work with are
> > > very hardened and only add features through updates, but there are some
> > > security updates). With this device, since there is little talk of it in
> > > the groups, it would be hard to say how often they issue updates.
> >
> > What I was wondering about, when someone discovers some new sort of weak
> > spot in Windows and the owner of the computer has not updated his OS
> > immediately and there is an update of e.g. ZA, will the firewall, in this
> > case ZA, also help protecting the user from attacks that aim at this weak
> > spot? And if the answer is "Yes", is there a difference in the protection of
> > this kind between a firewall like ZA and an external firewall?
> > I do not fully understand that many firewall-applications like ZA get
> > updates very often while an external firewall does not need security-updates
> > that often, like You stated (You might read this line as "I don't believe
> > You", but that is not correct, I actually don't understand why one firewall
> > needs "adjusting of its hardening" more often than the other one).
>
> Ah, levels of protection. In the case of ZA or other Firewalls, the
> updates are sometimes to add enhanced features and not to fix bugs,
> other times it's to fix bugs. In the case of the ones I use, most of the
> fixes have been for enhancements, adding to the existing filter
> property, or just stability, only a few have been for security type
> updates. The reason that one may need updates and not another is that
> they are all different applications, made by different groups, at
> different times, with different ideas of how to best detect and stop
> threats.
>
> If you have a router or firewall appliance in front of your computer,
> even without patches and updates you can safely install Windows
> (unpatched) on the computer without fear that it will be compromised (as
> long as you don't browse the web to anywhere but Microsoft to get
> updates) while you are building it and patching it.
>
> There are ways to install a new windows system, from scratch, and get it
> on-line and updated without it being compromised, but you have to know
> what to disable and when it's safe to connect the network cable.
Understood!
<I cut the VPN and VNC explanation here>
I now fully understand how it works. At least, I fully understand what You
have explained (except for one detail, I'll ask that later on).
I found two other devices that are available in a shop in the Netherlands
which might be of interest. One cheaper than the Hotbrick, the other one a
bit more expensive. They are from Linksys and can be seen on
http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=433 and
http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=607. Both
have, if I have understood the things written there correctly, hardware
support for VPN, i.e. a processor in the device that handles this. There are
some tutorial-like things on their site, I am going to study them, same goes
for the product manuals.
One thing I still do not understand is the following (if You could throw
just a little light on it, it would be very nice, even though I might find
out about it when studying all those texts). Suppose my father's computer is
turned on and online on the internet, having an IP address I do not know. I
want to make some adjustments on his computer, so I go online as well. We
both have routers with hardware VPN-capability (so it is not his computer that has the
important IP-address I do not know, but his router)(You see, I have
understood that)(his computer has an IP address given to him by the
DHCP-server in the router). I go online and my router also gets an IP
address. How do those two routers manage to find each other? Do they do
portscans on a lot of computers to pick out their "brother/sister"? Or do we
have to "help" them by telling them the addresses?
> > >
<cut a lot of text here>
> > > If you were to
> > > install a cheap Linksys BEFSR41 unit, keep ZA on his computer, and get
> > > something like Norton Antivirus 2005 for him, he should be safe. I use
> > > AVG, but install NAV for home users that can afford to purchase a
> > > license. AVG is good, but I trust NAV more.
> > > One other thing - get him a copy of the free SpyBot Search & Destroy at
> > > www.safer-networking.org and a copy of the AdAware SE (free) from
> > > lavasoft.
> >
> > Sorry, forgot to mention this in my first posting, but he already has those
> > programs.
>
> It doesn't sound like he has the router/NAT box - if you put that in the
> solution then you've got all he really needs.
No, I am sorry I was so unclear, I just meant the two copies You mentioned.
To be honest, now that I come to think about it, he only has AdAware. But
I'll get the other one as well!
<cut a lot of text again>
> Hope all of this helps somehow.
It most certainly does! You may already regret deeply having replied to this
everlasting "nagger" (not correct English but You'll get the point I am
trying to make). I very much thank You for all Your efforts, it is great
that You have helped me out so much without gaining anything from it. Thanks
again!
Sincere greetings,
Rene
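The "door with a knob only on the inside" picture from Leythos's reply, and the reason a host firewall like ZA still adds something, as an added illustration that is not part of the thread: a minimal model of a router that only tracks which connections the LAN started, next to a host firewall that also sees which program is asking. All hosts, ports and program names below are constructed; address translation itself is left out because only the state tracking matters for the point.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    app: str = ""   # the requesting program: visible to the host firewall, never to the router

class NatRouter:
    """Remembers connections the LAN started and lets only their replies back in."""
    def __init__(self):
        self.state = set()
    def filter(self, pkt, direction):
        if direction == "out":           # anything on the inside can turn the knob
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # inbound is allowed only as a reply to a connection opened from inside
        return "ALLOW" if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state else "DROP"

class HostFirewall:
    """ZoneAlarm-style: decides per application and asks the user about unknown ones."""
    def __init__(self, known_apps):
        self.rules = dict(known_apps)   # program name -> True (allow) / False (deny)
    def filter(self, pkt, answer=None):
        if pkt.app not in self.rules:
            if answer is None:
                return "ASK"            # held back until the user answers the prompt
            self.rules[pkt.app] = (answer == "Yes")
        return "ALLOW" if self.rules[pkt.app] else "DENY"

def run_scenario():
    """Constructed traffic mirroring the three cases discussed in the thread."""
    router, host_fw = NatRouter(), HostFirewall({"browser.exe": True})
    r = {}
    # 1. the browser fetches a page; the router lets the reply back in
    req = Packet("pc", 50000, "www.example.org", 80, app="browser.exe")
    r["browser_out"] = (host_fw.filter(req), router.filter(req, "out"))
    r["web_reply_in"] = router.filter(Packet("www.example.org", 80, "pc", 50000), "in")
    # 2. a neighbour's infected machine knocks on port 445; nobody inside opened the door
    r["unsolicited_in"] = router.filter(Packet("neighbour-pc", 40000, "pc", 445), "in")
    # 3. a trojan on the PC phones home: the router sees an ordinary outbound
    #    connection and allows it; only the host firewall notices the unknown program
    home = Packet("pc", 50001, "www.downloadmoreviruses.com", 80, app="myvirus.exe")
    r["trojan_router"] = router.filter(home, "out")
    r["trojan_host_fw"] = host_fw.filter(home)          # the "allow access to internet?" prompt
    r["trojan_after_no"] = host_fw.filter(home, "No")
    return r
```

Case 3 evaluates both layers independently so the difference is visible; on a real PC the host firewall's block would keep the packet from ever reaching the router.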