Re: ZoneAlarm Security Alert - My own ISP?
- From: "Mr. Arnold" <MR. Arnold@xxxxxxxxxx>
- Date: Thu, 27 Dec 2007 10:49:39 -0500
"Marshall Price" <d021317c@xxxxxxxxx> wrote in message news:13n78sakv6rp521@xxxxxxxxxxxxxxxxxxxxx
> Mr. Arnold wrote:
>> "Marshall Price" <d021317c@xxxxxxxxx> wrote in message news:13n4t87bs9qrjfb@xxxxxxxxxxxxxxxxxxxxx
>>> I often get alerts like this:
>>> -------
>>> ZoneAlarm Security Alert
>>> Protected
>>> The firewall has blocked Internet access to your computer (NetBIOS
>>> Session) from dialup-4.232.33.145.Dial1.LosAngeles1.Level3.net
>>> (4.232.33.145) (TCP Port 3436) [TCP Flags: S].
>>> -------
>>> Since the city name embedded therein is often my own (Miami), and I'm a
>>> dial-up user, I suspect these might be coming from Earthlink, my own ISP.
>>> How can I determine whether they are from Earthlink and whether to let
>>> them through? What about other NetBIOS Session alerts?
>> Well, if you have a computer that has a direct connection to the modem,
>> which is a direct connection to the Internet, then you remove Client for MS
>> networks and MS File and Print sharing off of the NIC (network interface
>> card) or the dial-up connection, and the NetBios ports are closed. The
>> computer cannot network with other computers. The computer shouldn't have
>> the ability to network with other computers while the computer has a direct
>> connection to the Internet (no router between) the computer and the
>> Internet).
> I'm not sure I understand, but I think you're saying that if all the
> following conditions were met, they would present a vulnerability:
> + Connected to the Internet through a NIC (via ethernet)
> + NetBIOS enabled on that NIC
> + Client for MS Networks enabled
> + MS File and Print sharing enabled
> + Certain ports open
> Right?
You are kind of right. And what are those ports that are being talked about in the link provided?
http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm
http://www.governmentsecurity.org/articles/CommonPorts.php
Port 445 is for NT classed O/S(s) like Win 2k, XP, Win 2k3 and Win Vista. If it's not a NT classed O/S like Win 9'x or ME, port 445 TCP is not involved, and the other ports being talked about are involved for MS NT and non NT classed O/S(s).
The Internet is a giant network. If your computer has a direct connection to the Internet via a modem, I don't care if the modem is a dialup or a NIC connected to a modem and there is no device such as a router, firewall appliance or a gateway computer running a software FW with one NIC facing the WAN/Internet and the other NIC facing the LAN, a device/solution between the modem and your computer, then the computer has a direct connection to the Internet.
If the computer is in that situation, then why would you want your computer to be able to share its resources with those ports open to other computers on the Internet? WAN is (Wide Area Network)/Internet. The LAN (Local Area Network) is the ISP's network in this case that has a connection to the WAN/Internet, and other computers (other users) are on the ISP's network like your computer is on the ISP's network. Why would you want your computer in communications with other user computers on the ISP's LAN, and why would you want your computer via the ISP's unprotected LAN from the WAN to be in communications on the ports talked above in an attackable state with computers on the WAN?
The ports being talked about above ARE the (Windows Networking Ports), and if they are open and exposed with the services listening on the ports, then the computer is open to attack and will be attacked if they are open and not protected, with the services listening.
BTW, ZA is protecting those ports as long as you have not set rules with ZA to protect those ports, open them, on ZA with those ports open on the computer itself, because the services below are enabled on the dialup or Ethernet connection.
+ Client for MS Networks enabled
+ MS File and Print sharing enabled
ZA, for lack of better words, is a machine level packet filter; it is not a firewall solution, as discussed in the link provided.
A firewall separates two networks. One network is usually the Internet it's protection from, and the other network it is protecting is the LAN. A FW sits at the junction point between the two networks. A FW must have at least two network interfaces with one interface facing the WAN, and the other interface facing LAN. That would be two NIC(s) in the case of a secured gateway computer running FW software. The other two solutions have the two interfaces built into them.
What is a FW and what does a FW do?
http://www.vicomsoft.com/knowledge/reference/firewalls1.html
ZA is not a FW. ZA is a machine level packet filter protecting at the machine level.
> Also, I assume that for routine uses -- http, mail (including IMAP),
> news, telnet, rlogin, etc. -- "networking" (which I don't quite
> understand) with other computers (including my ISP's computers) is
> neither necessary nor desirable. Is that right?
Yes, in a way that's networking, but it's not the networking we're talking about, whereas, if those (WNP(s)) are not protected while the computer has a direct connection to the Internet with the services listening, then you have some real problems.
There are two types of traffic a FW or a personal packet filter/personal FW deals with in protecting the LAN or a computer that's running something like a PFW. They block unsolicited inbound traffic coming from computers to the computer that has a FW in front of it or packet filter/PFW running on the computer. These solutions will allow inbound traffic if a solicitation (outbound traffic) is made by a program to a remote IP while the computer is behind these solutions.
Unsolicited inbound traffic is blocked, and solicited inbound traffic is not blocked. If you open a port on a FW by setting rules to do so, the unsolicited inbound traffic can access the port on the computer.
>>> If I click on "Don't show this dialog again," will I stop seeing all
>>> security alerts? Should I?
>> It doesn't matter when the ports are closed to begin with, because an attack
>> cannot be initiated on the ports when they are closed.
>> http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm
> Is port 445 a TCP port, or some other kind of port?
There are only two types of ports in this case, and they are TCP and UDP ports on the computer.
> Each of these alerts indicates a TCP port (never the same one), but I
> assume they refer to ports my ISP's computers are using for output, not
> which ports they're addressed to on my computer.
Those are inbound ports that are on your computer that inbound traffic coming from other computers is trying to reach on your computer, unsolicited inbound traffic. It doesn't matter if it's another user's computer on the ISP's network or if it is a computer setting out there on the WAN/Internet.
> I haven't seen port 445 among them, anyway, but I would like to find out
> whether it's blocked.
You don't have to worry about it period if the services that have been talked about are removed off of the NIC or dial-up type connection. If the port is not open with a program/something listening on the port, then how can it be attacked?
BTW, ZA or any solution like ZA can be attacked and taken down, just like the O/S can be attacked if malware has been allowed to run on the computer to take it down. If it happens and the (WNP(s)) are closed because you have removed the services that would have those ports open with those services listening on the port, then how can they be attacked?
BTW, the port can be open on the FW and left unprotected on the computer. But if nothing (a program) is listening on the port on the computer so that it can be exploited that can lead to the O/S being exploited, then it doesn't mean anything.
> Incidentally, I just received a rash of these alerts.
Well, that's what PFW(s) do: they alert when maybe they shouldn't be hollering about anything.
> Are they likely to
> be initiated by Earthlink, or could they be coming from somebody who
> read my post in this newsgroup and wants to have a bit of fun?
As far as this being due to someone reading post, NO. :)
Look at it this way, it's just everyday unsolicited inbound traffic that's being blocked from the Internet. If you had a router sitting in front of the computer, something between the modem and your computer, then ZA wouldn't be saying anything. And then you might say to yourself, if it came past that router and ZA sounded off, then this is something I need to be worried about.
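The solicited/unsolicited distinction and the "nothing listening" point made in the reply above, as an added Python example that is not part of the original post. It is a simplified model of a host-level packet filter with a state table; the class names, the addresses and every port except 139, 445 and the alert's 3436 are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "S"  # "S" = SYN, as in the quoted alert's [TCP Flags: S]

@dataclass
class Host:
    ip: str
    listening: set = field(default_factory=set)   # ports with a service bound
    open_rules: set = field(default_factory=set)  # ports opened by a filter rule
    flows: set = field(default_factory=set)       # state table of outbound flows

    def send(self, dst, dport, sport):
        # Outbound traffic is recorded so the reply counts as solicited.
        self.flows.add((sport, dst, dport))
        return Packet(self.ip, sport, dst, dport)

    def receive(self, pkt):
        solicited = (pkt.dport, pkt.src, pkt.sport) in self.flows
        if solicited:
            return "allowed: solicited reply"
        if pkt.dport not in self.open_rules:
            return "blocked: unsolicited inbound"
        if pkt.dport in self.listening:
            return "exposed: reaches listening service"
        return "harmless: port open in filter, nothing listening"

def scenarios():
    remote, web = "198.51.100.7", "203.0.113.80"   # constructed addresses
    pc = Host("192.0.2.10", listening={139, 445})  # file sharing still bound
    syn = Packet(remote, 3436, pc.ip, 139)         # unsolicited SYN to NetBIOS Session
    out = {"default_filter": pc.receive(syn)}
    pc.open_rules.add(139)            # a rule opens the port in the filter
    out["rule_opens_139"] = pc.receive(syn)
    pc.listening.clear()              # sharing services removed from the connection
    out["services_removed"] = pc.receive(syn)
    pc.send(web, 80, sport=1050)      # a program makes an outbound request
    out["web_reply"] = pc.receive(Packet(web, 80, pc.ip, 1050, "SA"))
    return out

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:18} {verdict}")
```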