#1

In article <Sx9Sc.1701$>,
says...
> I have a Linksys broadband router (WRT54G). This has a firewall.
> Do I need to run another program, like Norton Firewall, or will the Router's
> Firewall suffice.

The router does not have a firewall, it uses NAT and SPI to protect your
network.

This device is ALSO a wireless unit, it is not configured by default to
be secure. Unless you change the SSID, disable SSID broadcasting, change
the default Channel, Enable WEP, use a strong key, and apply MAC Address
filtering you may be opening your network to anyone that is within range
of it.

As long as you secure the wireless you won't have people getting into
your network through the NAT/SPI side, unless you forward ports.

Keep in mind that anything you connect to on the internet can
communicate with your PC through the router - that means that if you
open a malicious site that it could install spyware or a virus on your
computer without you knowing and the router does not protect you from
that type of stuff.

A personal firewall "may" alert you to the above problem. Additionally,
if the router provides real-time logging, get WallWatcher, run it on a
computer and have the router send the logs to that computer - you might
be able to spot a threat/trouble as it's happening.

--
--

(Remove 999 to reply to me)
Leythos
#2

I have a Linksys broadband router (WRT54G). This has a firewall.
Do I need to run another program, like Norton Firewall, or will the Router's
Firewall suffice.

Many thanks for your help.
Rgds
Neil
#3

"Tyrant" <> wrote:

>I have a Linksys broadband router (WRT54G). This has a firewall.
>Do I need to run another program, like Norton Firewall, or will the Router's
>Firewall suffice.
>
>
>Many thanks for your help.
>Rgds
>Neil
>

Tyrant, Most people here will try to make you feel stupid (because it
inflates their own ego) by giving you answers full of stuff like NAT,
SSID, WEP, and other insignificant information...

To answer your question, YES. You need to protect yourself from
outgoing requests as well as incoming ones.

Your router is (as ALL routers are) a firewall. But it can only
protect you from incoming connection requests (most are configured to
do this straight out of the box). To protect from outgoing requests
(those made by malicious software which may find its way onto your
system) you need a software firewall on your system. I suggest
(because it is the best free one I've found) ZoneAlarm (by ZoneLabs,
i.e. www.zonelabs.com)

Regards,
#4

In article <>,
says...
> "Tyrant" <> wrote:
>
> >I have a Linksys broadband router (WRT54G). This has a firewall.
> >Do I need to run another program, like Norton Firewall, or will the Router's
> >Firewall suffice.
>
> Tyrant, Most people here will try to make you feel stupid (because it
> inflates their own ego) by giving you answers full of stuff like NAT,
> SSID, WEP, and other insignificant information...

Nice, since you don't believe in security you are going to TRY and
discredit those of us that do. What was posted about WEP, the SSID,
Channel, MAC filtering, etc. is a very real part of security when using
a wireless router. Just look at what happened to Home Depot.

> To answer your question, YES. You need to protect yourself from
> outgoing requests as well as incoming ones.

This is the one part that's not true, outgoing is fine, but you need to
be AWARE of what is going out. In most cases, unless your machine is
compromised you can allow outgoing without any problems. So, you don't
need to protect yourself from outgoing, you only need to know what is
outgoing.

> Your router is (as ALL routers are) a firewall. But it can only

Routers are NOT firewalls, they offer protection via a "feature" called
NAT. You should really study up on Firewalls.

> protect you from incoming connection requests (most are configured to
> do this straight out of the box). To protect from outgoing requests
> (those made by malicious software which may find its way onto your
> system) you need a software firewall on your system. I suggest

I agree, to detect a malicious application trying to send outgoing data
you do need a personal firewall, but it doesn't end there. You need to
be aware of everything that enters and leaves your network. If you are
not logging the traffic then it's not going to help you when you enable
a rule on the personal firewall that you should have left disabled or
that you enabled but didn't know why or what it does.

> (because it is the best free one I've found) ZoneAlarm (by ZoneLabs,
> i.e. www.zonelabs.com)

As I said before, Zone Alarm is a great product for personal protection,
for the most part it's fool-proof, but you can make serious mistakes
configuring it. The fact that a user must configure it is the reason to
monitor the logs provided by the router.

Since he has a wireless ROUTER he has additional issues to deal with. If
it's not locked down, and the default networking install on his PC
includes file/printer sharing, it's quite easy to find him and then get
into his PC. Even without file and printer sharing enabled, at the
least, anyone near enough can utilize his wireless connection to access
the internet for any reason they want - which may get him into trouble.

--
--

(Remove 999 to reply to me)
#5

So the Firewall that is built into XP is no good either...
I am running Norton, but the subscription runs out soon, and I was just
wondering whether it's worth buying a new one, or having the Windows one only.

"Leythos" <> wrote in message
news:...
> In article <>,
> says...
> > "Tyrant" <> wrote:
> >
> > >I have a Linksys broadband router (WRT54G). This has a firewall.
> > >Do I need to run another program, like Norton Firewall, or will the Router's
> > >Firewall suffice.
> >
> > Tyrant, Most people here will try to make you feel stupid (because it
> > inflates their own ego) by giving you answers full of stuff like NAT,
> > SSID, WEP, and other insignificant information...
>
> Nice, since you don't believe in security you are going to TRY and
> discredit those of us that do. What was posted about WEP, the SSID,
> Channel, MAC filtering, etc. is a very real part of security when using
> a wireless router. Just look at what happened to Home Depot.
>
> > To answer your question, YES. You need to protect yourself from
> > outgoing requests as well as incoming ones.
>
> This is the one part that's not true, outgoing is fine, but you need to
> be AWARE of what is going out. In most cases, unless your machine is
> compromised you can allow outgoing without any problems. So, you don't
> need to protect yourself from outgoing, you only need to know what is
> outgoing.
>
> > Your router is (as ALL routers are) a firewall. But it can only
>
> Routers are NOT firewalls, they offer protection via a "feature" called
> NAT. You should really study up on Firewalls.
>
> > protect you from incoming connection requests (most are configured to
> > do this straight out of the box). To protect from outgoing requests
> > (those made by malicious software which may find its way onto your
> > system) you need a software firewall on your system. I suggest
>
> I agree, to detect a malicious application trying to send outgoing data
> you do need a personal firewall, but it doesn't end there. You need to
> be aware of everything that enters and leaves your network. If you are
> not logging the traffic then it's not going to help you when you enable
> a rule on the personal firewall that you should have left disabled or
> that you enabled but didn't know why or what it does.
>
> > (because it is the best free one I've found) ZoneAlarm (by ZoneLabs,
> > i.e. www.zonelabs.com)
>
> As I said before, Zone Alarm is a great product for personal protection,
> for the most part it's fool-proof, but you can make serious mistakes
> configuring it. The fact that a user must configure it is the reason to
> monitor the logs provided by the router.
>
> Since he has a wireless ROUTER he has additional issues to deal with. If
> it's not locked down, and the default networking install on his PC
> includes file/printer sharing, it's quite easy to find him and then get
> into his PC. Even without file and printer sharing enabled, at the
> least, anyone near enough can utilize his wireless connection to access
> the internet for any reason they want - which may get him into trouble.
>
> --
> --
>
> (Remove 999 to reply to me)
#6

In article <47uSc.822$>,
says...
> So the Firewall that is built into XP is no good either...
> I am running Norton, but the subscription runs out soon, and I was just
> wondering whether it's worth buying a new one, or having the Windows one only.

Don't take this wrong, I make a lot of money building, designing, and
installing MS Solutions, but those are managed solutions.

For a home user, trusting the "Windows XP" firewall has some serious
issues. Even in testing SP2 and it's new features, I'm not convenience
that I would trust the OS Vendors products to secure my network.

Now, if you want to be secure at home, here is what I do for family,
friends, and others that can't afford a firewall appliance (and no, I
don't mean a router).

1) If not on dial-up, purchase a router, any router, as long as it
provides NAT and will connect to your ISP.

2) Put all computers BEHIND the router in the 'protected' network called
the LAN (local area network).

3) Install Anti-Virus software (I like NAV 2004 for home users) on EVERY
computer in the network. Set it to fetch updates every evening, any
time, just make sure it does it at least once in the evening every day
of the week. Run a full update and then a full system scan.

4) Install a less vulnerable browser than IE - Mozilla makes a very nice
one called FireFox (ver 0.9.3 is very stable and works well). Open the
ADD/Remove Programs, click "Set Program Access Defaults", expand CUSTOM,
Change the browser to "Mozilla Firefox", ENABLE - uncheck "Enable
Access.." for Internet Explorer. If you absolutely need IE, you can
re-enable it later. If you are using IE make sure that you at least
follow the MS recommendations on securing it.

5) Install SpyBot Search and Destroy 1.3 - run it until clean

6) Install all Windows Updates - don't be stingy here, even do the
non-critical ones.

7) If you bought a Linksys router, install WallWatcher on the computer
and have the Linksys send the logs to your IP address (of the computer
where you install WallWatcher). This will show you what is happening at
the router (IN and OUT). Look for things you don't understand, check
things going OUT daily until you understand and feel that your computer
has no spyware installed on it.

8) Install ZoneAlarm or install Windows XP Service Pack 2. Both require
configuration, but if you did everything above you can do #8 and feel
even more secure.

9) Abandon a MS based email / usenet reader and get something that does
text or RTF only. Get a usenet reader like Gravity or PAN.

10) Update everything manually once every couple weeks in case something
disabled your updates while you weren't looking.

--
--

(Remove 999 to reply to me)
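One way to do the daily outbound review that step 7 of the post above describes, as an added example that is not part of the original thread and is not WallWatcher's own code: it lists, per LAN computer, the outbound destinations nobody has reviewed yet and counts the days each one recurred. The log line layout, the addresses and the `REVIEWED` baseline are constructed for this example; they are not the WRT54G's or WallWatcher's actual format.

```python
import re
from collections import defaultdict

# Constructed sample log. The line layout is an assumption made for this
# example, not the WRT54G's or WallWatcher's actual format.
SAMPLE_LOG = """\
2004-08-10 08:01:12 OUT 192.168.1.100:1045 -> 203.0.113.10:80 TCP
2004-08-10 08:01:40 OUT 192.168.1.100:1046 -> 198.51.100.25:25 TCP
2004-08-10 09:15:02 IN 192.0.2.77:4431 -> 192.168.1.100:135 TCP
2004-08-10 21:30:00 OUT 192.168.1.101:1100 -> 203.0.113.10:80 TCP
2004-08-11 08:02:05 OUT 192.168.1.100:1051 -> 198.51.100.25:25 TCP
garbled line from a dropped packet
2004-08-11 08:05:44 OUT 192.168.1.100:1052 -> 203.0.113.53:53 UDP
2004-08-12 08:01:59 OUT 192.168.1.100:1060 -> 198.51.100.25:25 TCP
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<dir>IN|OUT) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP)$"
)

def parse(log_text):
    """Return (records, skipped): parsed dicts plus a count of unparseable lines."""
    records, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
        elif line.strip():
            skipped += 1
    return records, skipped

def unreviewed_outbound(log_text, reviewed):
    """Map each LAN host to its outbound destinations that are not yet in
    `reviewed`, with the number of distinct days each one was seen."""
    records, _ = parse(log_text)
    days = defaultdict(set)
    for r in records:
        dest = (r["dst"], int(r["dport"]), r["proto"])
        if r["dir"] == "OUT" and dest not in reviewed:
            days[(r["src"], dest)].add(r["day"])
    report = defaultdict(list)
    for (host, dest), seen in days.items():
        report[host].append((dest, len(seen)))
    # Most persistent destinations first: daily repeats deserve the first look.
    return {h: sorted(v, key=lambda x: (-x[1], x[0])) for h, v in report.items()}

# Destinations already looked at and understood (constructed baseline).
REVIEWED = {("203.0.113.10", 80, "TCP")}

if __name__ == "__main__":
    for host, dests in sorted(unreviewed_outbound(SAMPLE_LOG, REVIEWED).items()):
        for (ip, port, proto), n in dests:
            print(f"{host} -> {ip}:{port}/{proto} seen on {n} day(s)")
```

Once a destination has been looked up and understood, adding it to `REVIEWED` keeps the next day's report down to what is new.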
#7

Leythos <> wrote:

>In article <47uSc.822$>,
> says...
>> So the Firewall that is built into XP is no good either...
>> I am running Norton, but the subscription runs out soon, and I was just
>> wondering whether it's worth buying a new one, or having the Windows one only.
>
>Don't take this wrong, I make a lot of money building, designing, and
>installing MS Solutions, but those are managed solutions.

Don't take this wrong, I've been working with computers (operator,
programmer, network engineer, systems administrator...) for over 30
years and if there's one thing I've learned, it's that NO ONE will
follow your directions if you make them too difficult to understand.
(e.g. Your 10 step plan to a secure network).

OK, so you get paid to do this exact thing. The OP is not getting
paid to do this for a business (like Home Depot). As well, the OP is
not trying to protect his home system(s) from attackers like those
that attacked Home Depot.

IPSec is part of security, but I don't suggest to everyone that they
configure it for home use. (I know, you didn't suggest IPSec)

I also don't suggest they setup a computer based firewall and learn
to use UNIX...the router will do enough to protect this home user
from intrusions.

There is very little that needs to be done to protect a home network
(although wireless networks are the worst when it comes to
security...short of covering all the windows with plywood).

I'm reminded of the phrase "You are your worst enemy". The best thing to
remember is that when that notice comes up from ZoneAlarm, don't just
click Yes. Be smart about what/who you give access to.

I told my sister once "You need to stop using IE", she said "If I have
to learn something new, I'm just gonna stop using the whole damn
computer". Which is my point. If something becomes too difficult for
the non-professional, they will just not do it.

regards,
#8

In article <>,
says...
> Don't take this wrong, I've been working with computers (operator,
> programmer, network engineer, systems administrator...) for over 30
> years and if there's one thing I've learned, it's that NO ONE will
> follow your directions if you make them too difficult to understand.
> (e.g. Your 10 step plan to a secure network).

The problem is that you have to educate the users or they will never be
able to protect themselves. If you just make it as simple as getting a
glass of milk they will always be vulnerable.

While I can understand that we need to make it as simple as possible,
there is NO excuse for not trying to tell them about SSID's, Channels,
WEP, MAC Filtering, etc... These are important things when it comes to
securing their WIRELESS routers.

I personally know people that setup wireless systems, for businesses and
homes, they were completely open and being used by other people without
permission and without knowledge of the network owners. Since most
people have file/printer sharing enabled, most people don't use
passwords, it makes it very easy to get into a home/SOHO users computer,
copy their Quicken/Quickbooks files and any other information that might
contain account/ssn's and do with it what you want.

Being ignorant of security might be an excuse for some, but having a
good handle on security and then not explaining it to anyone that asks
is reprehensible. I don't care if 10 steps are too much for the OP, there
could be people reading that post that learn from it, actually implement
all of it (or even some of it), and benefit from it. Not everyone that
reads these posts actually replies.

Look at it this way, if you only tell the person that they need to run
Linux and stop using IE, they are less likely to do that than they are
to follow 10 steps. Most people could not install their Windows XP OS let
alone find and download and then burn the ISO for a Linux distro. Even
if they get it installed they won't have a clue as to how to secure it
(and don't think it doesn't need secured) or to update the OS/apps
before going live.

Teach them how to protect their systems and data, they will get the idea
sooner or later.

--
--

(Remove 999 to reply to me)
#9

In article <>, Celtic Leroy wrote:

>I also don't suggest they setup a computer based firewall and learn
>to use UNIX...the router will do enough to protect this home user
>from intrusions.

Two thoughts, seen as signatures on Usenet postings:

--------------------
It just so happens that the most frequently used vector to date is that
of user stupidity (why is it that we laugh at the cartoon animal who
falls for the "stand here and press this button" gag, but so many of us
seem content to "click here and be amazed"?
---------------------
Social Engineering - Because there's no patch for human stupidity.
---------------------

>There is very little that needs to be done to protect a home network
>(although wireless networks are the worst when it comes to
>security...short of covering all the windows with plywood).

Of course, using aluminum (or copper) screen in place of plywood might
have a more _USEFUL_ effect on wireless, especially if the whole house
were triple wrapped in metal screen _AND_ chain link fencing.

>I'm reminded of the phrase "You are your worst enemy". The best thing to
>remember is that when that notice comes up from ZoneAlarm, don't just
>click Yes. Be smart about what/who you give access to.

Understatement detected. Far too many people click (or double-click) by
reflex, rather than actually reading what the message says.

 -------------------------------------
| Install a pr0n dialer program, and  |
| transfer all of your assets to a    |
| 6 year old skript kiddie in Nigeria |
|                                     |
|               < OK >                |
 -------------------------------------

Wonder how many people are going to try to click on that. Actually, I
think most users have the "Don't ask for permission, just do it" option
enabled because they don't want to be bothered by messages like the
above. It's really not important, ya' know. This system came with an
anti-virus program.

>I told my sister once "You need to stop using IE", she said "If I have
>to learn something new, I'm just gonna stop using the whole damn
>computer".

You are writing that as if there is a problem with this attitude. Work
with me, because I don't see the (a?) problem.

"We're getting a new car."

"If I have to learn how to find the ignition switch on the new car,
I'm just gonna stop using the whole damn thing."

Sounds like a great idea to me. Heck, this _might_ actually improve
(information) highway safety, by getting the fools off of the d**n road!

I'm sorry, but your sister has the right idea. If she doesn't want to
"learn" new software, getting rid of the computer would solve a heck of
a lot more problems than it would create. Most people don't _need_ a
computer - they got one because everyone else has one, and really don't
have the first clue what the damn thing is useful for anyway. Because
they can't see a good use for it, they can't be bothered taking the
time to find out how to use it, properly or otherwise.

Old guy
#10

In article <>,
Leythos wrote:

>For a home user, trusting the "Windows XP" firewall has some serious
>issues.

I find it funny that Microsoft can't build something that professionals
have confidence in, while these same professionals recommend "other"
products. What is it that these aftermarket programmers can get right
that Microsoft can't (or won't).

>Even in testing SP2 and it's new features, I'm not convenience
>that I would trust the OS Vendors products to secure my network.

Hmmm, what time did he write this? 19Z, is mid-afternoon in oh.us.
Anyway, I read this... and a bit further down, I read

>If you absolutely need IE, you can re-enable it later. If you are using
>IE make sure that you at least follow the MS recommendations on securing
>it.

Anyone else see the irony in this pair of statements?

>check things going OUT daily until you understand

The computer has been sending mail to a site in Reston VA.us, as well as
sites in Russia, Hungary, and Nigeria every morning. I don't know what it
is, but it's been happening every day since I got mis-directed to that
gerbil-in-duct-tape pr0n site - must be OK.

[Aside - wonder how many people even know where those countries are?]

>and feel that your computer has no spyware installed on it.

CERT* Summary CS-98.06 Section 3, It refers to UNIX, but is equally
applicable.

Old guy