Linksys Router and BlackICE - Confused!!

 
 
Beauford
09-24-2004
Hi,

I have a Linksys BEFSR41 router with 6 computers connected to it as
outlined below.

Win2000 - Domain Controller and Mail Server - BlackICE installed
Win2000 - Domain Controller and IIS Web Server - BlackICE installed
XP Pro - Workstation
XP Pro - Workstation
Linux Slackware - Stand alone - Apache webserver running
Windows NT 4.0 - Workstation

I have my Linksys Router set up to forward port 25 traffic to my mail
server and to forward port 80 web traffic to my Linux box.

Since I installed the mail server it is being hammered by these Asian
IP blocks trying to relay through it - so I installed BlackIce to
block this - and that is working fine.

Here's the part where I'm confused. On the other Win2k PC BlackICE is
also picking up traffic to port 25 - and when you look at the logs it
says the victim IP is that of my mail server.

I contacted Linksys and they said this is normal. Well, it doesn't seem
normal to me. If port 25 is not being forwarded to this machine, then
does it not make sense that this machine should not be seeing any
traffic to this port?

This is what I got from Linksys

"Since the computer is hooked up to the router and the firewall
detects the traffic, even though the port is not forwarded to that
computer, since it is an activity on the router, it would still detect
the traffic for that port but that doesn't mean that it is going
through it."

My understanding was that any traffic that is not forwarded to a
specific machine should be dropped. So BlackICE should never see this
traffic. Am I missing something here?

Thanks
 
Leythos
09-24-2004
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> Hi,
>
> I have a Linksys BEFSR41 router with 6 computers connected to it as
> outlined below.
>
> Win2000 - Domain Controller and Mail Server - BlackIce installed
> Win2000 - Domain Controller and IIS Web Server - BlackIce Installed
> XP Pro - Workstation
> XP Pro - Workstation
> Linux Slackware - Stand alone - Apache webserver running
> Windows NT 4.0 - Workstation
>
> I have my Linksys Router set up to forward port 25 traffic to my mail
> server and to forward port 80 web traffic to my Linux box.
>
> Since I installed the mail server it is being hammered by these Asian
> IP blocks trying to relay through it - so I installed BlackIce to
> block this - and that is working fine.


Here is the root of your problem: if you want to firewall your
applications and servers you need to purchase a firewall, not a NAT
device. In this case, you want to block outsiders based on IP subnets,
and a real firewall can do this for you. I have 83 Class C subnets
blocked in my firewall, and several Class A subnets - these are
permanent blocks. I also have the firewall detect probes on 135 through
139 and 445 (and 1433/1434) and block those addresses for 20 minutes.

You do NOT want to rely on something like BI (which was just an IDS when
it started) to secure your servers; never trust something running on the
server offering services to protect itself.

> Here's the part where I'm confused. On the other Win2k PC BlackICE is
> also picking up traffic to port 25 - and when you look at the logs it
> says the victim IP is that of my mail server.
>
> I contacted Linksys and they said this is normal. Well it doesn't seem
> normal to me. If port 25 is not being forwarded to this machine then
> does it not make sense that this machine should not be seeing any
> traffic to this port.
>
> This is what I got from Linksys
>
> "Since the computer is hooked up to the router and the firewall
> detects the traffic, even though the port is not forwarded to that
> computer, since it is an activity on the router, it would still detect
> the traffic for that port but that doesn't mean that it is going
> through it."
>
> My understanding was that any traffic that is not forwarded to a
> specific machine should be dropped. So BlackICE should never see this
> traffic. Am I missing something here.....


None of the traffic that is inbound, unless invited or forwarded, makes
it from the WAN side to the LAN side. If you install Wall Watcher (free)
you can see when something hits the WAN port and fails to get to the LAN
side - the local address will show the public IP - indicating that the
probe didn't make it into your LAN.

We run hundreds of Linksys units across the country, various levels of
firmware, and never see the problem you describe.

You need to check the forwarding rules in the Linksys and see what
you've configured.

Your best bet is to purchase a WatchGuard Firebox or a SOHO unit and set
it up to firewall your devices. A SOHO unit is about $500, a Firebox
(that can do the things I described above) is a lot more, but it's worth
it.

--
(E-Mail Removed)
(Remove 999 to reply to me)

Zaphod Beelblebrox
09-24-2004
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> Hi,
>
> I have a Linksys BEFSR41 router with 6 computers connected to it as
> outlined below.
>
> Win2000 - Domain Controller and Mail Server - BlackIce installed
> Win2000 - Domain Controller and IIS Web Server - BlackIce Installed
> XP Pro - Workstation
> XP Pro - Workstation
> Linux Slackware - Stand alone - Apache webserver running
> Windows NT 4.0 - Workstation
>


Tell us a bit more before we can help you. How did you connect 6
computers into a 4-port switch?
 
David Shaw
09-26-2004
Zaphod Beelblebrox <(E-Mail Removed)> wrote
> Tell us a bit more before we can help you. How did you connect 6
> computers into a 4-port switch?


I'm gonna assume he has a 6-port switch.

The reason BlackICE is picking stuff up on port 25 is because it's
acting as a sniffer in promiscuous mode and sniffing the entire
network, just as Ethereal running on it could pick up traffic for
other computers. My guess is that your router is working just fine,
and BlackICE is just trying to protect you all around.

Don't worry about it.


- ds
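Added example, not code from the thread or from any of the products named in it: a small Python triage that applies the two explanations given above to event lines. Leythos's router-log check (a probe logged against the public WAN address never entered the LAN unless a forwarding rule matched) and David Shaw's promiscuous-sniffer point (an event whose "victim" is another LAN host was seen, not received) become classifications, and the one case that would actually indicate a router misconfiguration is flagged separately. The topology, addresses and the `src=... dst=...` line format are assumptions for the example, not BlackICE's or Wall Watcher's real log formats.

```python
import ipaddress
import re
from collections import Counter

# Constructed topology standing in for the thread's setup (assumed, not from the post).
LAN = ipaddress.ip_network("192.168.1.0/24")
THIS_HOST = ipaddress.ip_address("192.168.1.20")  # the Win2k box that is NOT the mail server
PUBLIC_IP = ipaddress.ip_address("203.0.113.7")   # router WAN address (TEST-NET-3, constructed)
FORWARDS = {25: ipaddress.ip_address("192.168.1.10"),   # mail server
            80: ipaddress.ip_address("192.168.1.30")}   # Slackware/Apache box

# Simplified "src=a:b dst=c:d" event format; constructed, not BlackICE's own log layout.
EVENT = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def classify(line):
    """Say where a logged packet actually went, from THIS_HOST's point of view."""
    m = EVENT.search(line)
    if not m:
        return "unparsed"
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if dst == PUBLIC_IP:
        # Router-side view (what a Wall Watcher style log shows): the packet hit the
        # WAN port and enters the LAN only if a forwarding rule exists for that port.
        return "forwarded-to-%s" % FORWARDS[dport] if dport in FORWARDS else "dropped-at-wan"
    if dst == THIS_HOST:
        if src in LAN:
            return "delivered-here-from-lan"
        # An Internet source reaching a port not forwarded to this host means the
        # router's forwarding rules need checking, not the IDS.
        return "delivered-here" if FORWARDS.get(dport) == THIS_HOST else "delivered-here-unexpected"
    if dst in LAN:
        # Addressed to another LAN host: a promiscuous-mode sensor logs it with that
        # host as the "victim", but nothing was delivered to THIS_HOST.
        return "sniffed-lan-traffic-for-%s" % dst
    return "other"

def summarize(log_text):
    """Count outcomes over a whole log; 'delivered-here-unexpected' is the one to act on."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())

# Constructed sample events (not real log data).
SAMPLE_LOG = """\
2004-09-24 10:01:02 port-probe src=198.51.100.23:4231 dst=192.168.1.10:25
2004-09-24 10:01:05 port-probe src=198.51.100.23:4232 dst=192.168.1.10:25
2004-09-24 10:02:17 port-probe src=198.51.100.77:3301 dst=203.0.113.7:135
2004-09-24 10:03:40 port-probe src=198.51.100.77:3302 dst=203.0.113.7:25
2004-09-24 10:04:01 port-probe src=198.51.100.90:5100 dst=192.168.1.20:25
"""
```

Running `summarize(SAMPLE_LOG)` on the constructed lines yields two sniffed events for the mail server, one probe dropped at the WAN, one legitimately forwarded to the mail server, and one "delivered-here-unexpected" hit that would justify rechecking the router's forwarding table.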
 