Sygate blocking DHCP from starting

Discussion in 'Computer Security' started by Piotr Makley, Mar 5, 2004.

  1. Piotr Makley

    I am running Sygate Personal Firewall Pro version 5.0 on WinXP Pro.

    After booting, I cannot connect to the network. The DHCP client
    won't start.

    Sygate's traffic log shows it is blocking incoming UDP packets from
    10.82.32.1: 67 going to 255.255.255.255: 68.

    How do I get Sygate to permit these incoming UDP packets?

    Thanks.



    BACKGROUND INFO:

    I uninstalled and re-installed Sygate. And I have permitted every
    popup window from Sygate asking permission.

    Problem still remains if I disable all settings in Sygate > Options >
    Security tab.

    I have got no advanced rules set.

    In the traffic log, Sygate says the rule name used is "Block_all".
    But I can't find this.
     
    Piotr Makley, Mar 5, 2004
    #1

  2. Duane Arnold

    Piotr Makley <> wrote in news:94A3558BD959D31E75@127.0.0.1:

    > I am running Sygate Personal Firewall Pro version 5.0 on WinXP Pro.
    >
    > After booting, I cannot connect to the network. The DHCP client
    > won't start.
    >
    > Sygate's traffic log shows it is blocking incoming UDP packets from
    > 10.82.32.1: 67 going to 255.255.255.255: 68.
    >
    > How do I get Sygate to permit these incoming UDP packets?


    What does Sygate have to do with the DHCP service not starting on an
    NT-based O/S? Unless you went to the DHCP service and disabled the service,
    then most likely the DHCP service is running on the machine.

    It doesn't appear that the machine doesn't have an invalid TCP/IP
    connection to the Internet, based on your statement that inbound UDP
    packets are being blocked by Sygate from 10.82.32.1.

    I don't know what your problem is, but it has nothing to do with the DHCP
    service and Sygate.

    If Sygate is blocking the UDP packets, then it's doing its job in
    stopping unsolicited inbound traffic to the machine.

    You can use the link to determine who the IP belongs to.

    http://www.arin.net/

    You'll see that it belongs to this.

    http://en.wikipedia.org/wiki/IANA

    Duane :)
     
    Duane Arnold, Mar 5, 2004
    #2

  3. Piotr Makley

    Duane Arnold <> wrote:

    > Piotr Makley <> wrote in
    >
    >> I am running Sygate Personal Firewall Pro version 5.0 on WinXP
    >> Pro.
    >>
    >> After booting, I cannot connect to the network. The DHCP
    >> client won't start.
    >>
    >> Sygate's traffic log shows it is blocking incoming UDP packets
    >> from 10.82.32.1: 67 going to 255.255.255.255: 68.
    >>
    >> How do I get Sygate to permit these incoming UDP packets?




    > What does Sygate have to do with the DHCP service not starting
    > on a NT base O/S? Unless you went to the DHCP service and
    > disabled the service, then most likely DHCP service is running
    > on the machine.


    I am not very familiar with networks and firewalls. Guess my hunch
    was wrong.



    > It doesn't appear that the machine doesn't have an invalid
    > TCP/IP connection to the Internet, based on your statement that
    > inbound UDP packets are being blocked by Sygate from 10.82.32.1.


    What I did was key in the "IP address" value and "default gateway"
    values by hand into the TCP/IP properties window for my LAN adaptor.

    For some reason, DHCP service will not run on my XP system even if I
    try to start it manually. It says "Error 1068: The dependency
    service or group failed to start".

    In the dependencies tab I can see this tree structure:

    --------START-----------
    AFD Networking Support Environment

    NetBT
        SYMTDI
            TCP/IP Protocol Driver
                IPSEC Driver
        TCP/IP Protocol Driver
            IPSEC Driver

    SYMTDI
        TCP/IP Protocol Driver
            IPSEC Driver

    TCP/IP Protocol Driver
        IPSEC Driver
    ----------END-------------

    I assume that DHCP needs to be running to get my system working
    properly again for when the IP address next gets changed by the
    network.

    In actual fact, even after keying the IP addresses by hand and
    rebooting it didn't work. I then ran the Network Setup Wizard in
    Network Connections and this seemed to get something to work.



    > I don't know what your problem is, but it has nothing to do with
    > the DHCP service and Sygate.
    >
    > If Sygate is blocking the UDP packets, then it's doing its job
    > in stopping unsolicited inbound traffic to the machine.
    >
    > You can use the link to determine who the IP belongs to.
    > http://www.arin.net/
    >
    > You'll see that it belongs to this.
    > http://en.wikipedia.org/wiki/IANA


    Sounds like it is to do with DHCP? Or not? Hey, I'm getting lost.
    Any further info would be appreciated.
     
    Piotr Makley, Mar 5, 2004
    #3
  4. Duane Arnold

    Piotr Makley <> wrote in news:94A38D90A3F0D31E75@127.0.0.1:

    > Duane Arnold <> wrote:
    >
    >> Piotr Makley <> wrote in
    >>
    >>> I am running Sygate Personal Firewall Pro version 5.0 on WinXP
    >>> Pro.
    >>>
    >>> After booting, I cannot connect to the network. The DHCP
    >>> client won't start.
    >>>
    >>> Sygate's traffic log shows it is blocking incoming UDP packets
    >>> from 10.82.32.1: 67 going to 255.255.255.255: 68.
    >>>
    >>> How do I get Sygate to permit these incoming UDP packets?

    >
    >
    >
    >> What does Sygate have to do with the DHCP service not starting
    >> on a NT base O/S? Unless you went to the DHCP service and
    >> disabled the service, then most likely DHCP service is running
    >> on the machine.

    >
    > I am not very familiar with networks and firewalls. Guess my hunch
    > was wrong.
    >
    >
    >
    >> It doesn't appear that the machine doesn't have an invalid
    >> TCP/IP connection to the Internet, based on your statement that
    >> inbound UDP packets are being blocked by Sygate from 10.82.32.1.

    >
    > What I did was key in the "IP address" value and "default gateway"
    > values by hand into the TCP/IP properties window for my LAN adaptor.
    >
    > For some reason, DHCP service will not run on my XP system even if I
    > try to start it manually. It says "Error 1068: The dependency
    > service or group failed to start".
    >
    > In the dependencies tab I can see this tree structure:
    >
    > --------START-----------
    > AFD Networking Support Environment
    >
    > NetBT
    >     SYMTDI
    >         TCP/IP Protocol Driver
    >             IPSEC Driver
    >     TCP/IP Protocol Driver
    >         IPSEC Driver
    >
    > SYMTDI
    >     TCP/IP Protocol Driver
    >         IPSEC Driver
    >
    > TCP/IP Protocol Driver
    >     IPSEC Driver
    > ----------END-------------
    >
    > I assume that DHCP needs to be running to get my system working
    > properly again for when the IP address next gets changed by the
    > network.
    >
    > In actual fact, even after keying the IP addresses by hand and
    > rebooting it didn't work. I then ran the Network Setup Wizard in
    > Network Connections and this seemed to get something to work.
    >
    >
    >
    >> I don't know what your problem is, but it has nothing to do with
    >> the DHCP service and Sygate.
    >>
    >> If Sygate is blocking the UDP packets, then it's doing its job
    >> in stopping unsolicited inbound traffic to the machine.
    >>
    >> You can use the link to determine who the IP belongs to.
    >> http://www.arin.net/
    >>
    >> You'll see that it belongs to this.
    >> http://en.wikipedia.org/wiki/IANA

    >
    > Sounds like it is to do with DHCP? Or not? Hey, I'm getting lost.
    > Any further info would be appreciated.



    It sounds like a bad installation of the O/S.

    If you have the install CD, you can do an upgrade over the top of the
    existing O/S to see if that corrects the situation. It will not cause any
    existing programs on the machine to fail. You'll need to apply the SP and
    Hot fixes again.

    You should have an O/S that is fully functional, IMHO.

    It may come down to doing a fresh install of the O/S as the final
    solution.

    Search Google and the MS Knowledge Base for possible solutions.

    Duane :)
     
    Duane Arnold, Mar 5, 2004
    #4
  5. Lassi Hippeläinen

    Piotr Makley wrote:
    >
    > Duane Arnold <> wrote:


    > > I don't know what your problem is, but it has nothing to do with
    > > the DHCP service and Sygate.


    Oh yes, that *is* the very problem...

    > > If Sygate is blocking the UDP packets, then it's doing its job
    > > in stopping unsolicited inbound traffic to the machine.


    It isn't unsolicited... see below.

    > > You can use the link to determine who the IP belongs to.
    > > http://www.arin.net/
    > >
    > > You'll see that it belongs to this.
    > > http://en.wikipedia.org/wiki/IANA


    No, the address range 10.0.0.0/8 is the old Arpanet allocation that is
    now free for everyone's private use.

    > Sounds like it is to do with DHCP? Or not? Hey, I'm getting lost.
    > Any further info would be appreciated.


    In case you don't know how DHCP works, here's a summary:

    1. The new host sends a DHCP solicitation to port 67
    This goes to the broadcast address 255.255.255.255, because the new host
    doesn't know where DHCP servers are located. The sending address is
    0.0.0.0 (= "no address").

    2. The DHCP servers respond with an advertisement to port 68
    There may be several responders. The responses come to the broadcast
    address 255.255.255.255, because the new host doesn't have a unicast
    address yet.

    3. The new host selects a DHCP server and sends it a DHCP request
    This one is from 0.0.0.0 to the unicast address of the selected server,
    port 67.

    4. The server responds with configuration parameters
    IP address, default router address, DNS server address, and some other
    useful things.

    Obviously your problem is that the firewall won't let through the second
    message, and you won't get the configuration parameters. The message is
    quite legitimate. Even the address matches: it is very common to
    configure the lowest non-zero address of the subnet to the uplink
    router, which also runs the DHCP service. In your case it is 10.0.0.1.

    I'm not familiar with Sygate configuration. If it is smart enough, it
    should detect the DHCP solicitation and open a pinhole for the response
    automatically. Otherwise you have to open a permanent pinhole for UDP:68
    coming from 10.0.0.1.

    -- Lassi
     
    Lassi Hippeläinen, Mar 6, 2004
    #5
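As an added illustration of the exchange Lassi summarises above (not code from the thread, and not Sygate's own logic), here is a small Python model of the stateful "pinhole": a default-deny inbound filter that admits a DHCP OFFER/ACK to UDP 68 only while this host has an outstanding DISCOVER/REQUEST with the same transaction id, and blocks everything else inbound, which is what a static Block_all rule does to the legitimate reply. The Packet model, the DHCP payloads and the xid values are constructed here; the server address 10.82.32.1 is the one from the original log.

```python
import struct
from dataclasses import dataclass

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
BROADCAST = "255.255.255.255"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# BOOTP op codes and DHCP message types (option 53) as defined in RFC 2131
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6


@dataclass
class Packet:
    """Constructed stand-in for a captured UDP datagram."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes
    direction: str  # "out" = this host sends it, "in" = it arrives from the network


def build_dhcp(op: int, xid: int, msg_type: int) -> bytes:
    """Construct a minimal DHCP message: RFC 2131 fixed header, magic cookie,
    option 53 (message type) and the end option. Sample data, not a capture."""
    # op, htype (1 = Ethernet), hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
    header = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    # flags=0x8000 is the BROADCAST bit: the client asks for replies to
    # 255.255.255.255, which is exactly the traffic the OP's log shows.
    chaddr, sname, boot_file = b"\0" * 16, b"\0" * 64, b"\0" * 128
    return header + chaddr + sname + boot_file + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload: bytes):
    """Return (op, xid, message_type), or None if the payload is not a
    well-formed DHCP message (too short, no cookie, truncated option)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    op = payload[0]
    xid = struct.unpack("!I", payload[4:8])[0]
    msg_type = None
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == 255:              # end option
            break
        if tag == 0:                # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:    # option claims more bytes than the packet has
            return None
        if tag == 53 and length == 1:
            msg_type = value[0]
        i += 2 + length
    return None if msg_type is None else (op, xid, msg_type)


class DhcpAwareFilter:
    """Default-deny inbound filter. A server reply to UDP 68 is admitted only
    while this host has an outstanding DISCOVER/REQUEST with the same xid;
    the pinhole closes again once the ACK or NAK has been delivered."""

    def __init__(self):
        self.pending_xids = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            msg = parse_dhcp(pkt.payload)
            if (msg and pkt.src_port == DHCP_CLIENT_PORT and pkt.dst_port == DHCP_SERVER_PORT
                    and msg[0] == BOOTREQUEST and msg[2] in (DISCOVER, REQUEST)):
                self.pending_xids.add(msg[1])   # remember the solicitation
            return "allow"                      # outbound is not filtered in this model
        if pkt.src_port == DHCP_SERVER_PORT and pkt.dst_port == DHCP_CLIENT_PORT:
            msg = parse_dhcp(pkt.payload)
            if (msg and msg[0] == BOOTREPLY and msg[1] in self.pending_xids
                    and msg[2] in (OFFER, ACK, NAK)):
                if msg[2] in (ACK, NAK):
                    self.pending_xids.discard(msg[1])  # exchange finished, close pinhole
                return "allow"
        return "block"                          # everything else inbound: the Block_all default


def run_exchange() -> dict:
    """Replay the four-step exchange from the thread through the filter."""
    f = DhcpAwareFilter()
    xid = 0x3903F326  # constructed transaction id
    steps = [
        ("discover", Packet("0.0.0.0", 68, BROADCAST, 67, build_dhcp(BOOTREQUEST, xid, DISCOVER), "out")),
        ("offer", Packet("10.82.32.1", 67, BROADCAST, 68, build_dhcp(BOOTREPLY, xid, OFFER), "in")),
        # an OFFER this host never asked for (unknown xid) stays blocked
        ("unsolicited_offer", Packet("10.82.32.1", 67, BROADCAST, 68, build_dhcp(BOOTREPLY, 0x1234ABCD, OFFER), "in")),
        ("request", Packet("0.0.0.0", 68, "10.82.32.1", 67, build_dhcp(BOOTREQUEST, xid, REQUEST), "out")),
        ("ack", Packet("10.82.32.1", 67, BROADCAST, 68, build_dhcp(BOOTREPLY, xid, ACK), "in")),
        # the pinhole has closed, so a repeated ACK is dropped again
        ("late_ack", Packet("10.82.32.1", 67, BROADCAST, 68, build_dhcp(BOOTREPLY, xid, ACK), "in")),
        ("not_dhcp", Packet("10.82.32.1", 67, BROADCAST, 68, b"junk on port 68", "in")),
    ]
    return {name: f.decide(pkt) for name, pkt in steps}


if __name__ == "__main__":
    for name, verdict in run_exchange().items():
        print(f"{name:18s} {verdict}")
```

A permanent "allow UDP:68 from the router" rule, Lassi's fallback, would also admit the unsolicited OFFER and the late ACK that the xid check drops.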
  6. Frode


    Piotr Makley wrote:
    >After booting, I cannot connect to the network. The DHCP client
    >won't start.


    I've had the same problem with SPF 5.5. For that reason I tried several
    other firewalls. None were good for me so I downloaded the latest SPF and
    reinstalled it. Problem went away.

    I poked around the SPF forums a bit and found that I wasn't the only one
    that had had the problem, but it seemed the latest build (2525) sorted it,
    or just uninstalling/rebooting/reinstalling did.

    Since you're running Pro 5.0 the above may or may not be applicable. But
    based on their website it seems rather like 5.5 is a free upgrade within
    the 5.x series so have a look and see if that helps you out.

    Either way, waiting a few minutes (2-3 maybe) after logging in, then doing
    a manual ipconfig /renew should get you online.


    --
    Frode

     
    Frode, Mar 6, 2004
    #6
  7. Duane Arnold

    >
    > Obviously your problem is that the firewall won't let through the second
    > message, and you won't get the configuration parameters. The message is
    > quite legitimate. Even the address matches: it is very common to
    > configure the lowest non-zero address of the subnet to the uplink
    > router, which also runs the DHCP service. In your case it is 10.0.0.1.
    >
    > I'm not familiar with Sygate configuration. If it is smart enough, it
    > should detect the DHCP solicitation and open a pinhole for the response
    > automatically. Otherwise you have to open a permanent pinhole for UDP:68
    > coming from 10.0.0.1.
    >


    I don't know that much about Sygate. If Sygate is a stateful FW application
    and I think that it is, then it should let the traffic through. That's
    unless Sygate's IDS views the inbound traffic as some kind of threat and is
    instructing the FW to block the traffic.

    As for the DHCP service not starting, the OP should disconnect from the
    Internet and disable Sygate and make sure the machine doesn't have any
    problems with the DHCP service not starting due to a possible bad install
    of the O/S.

    Duane :)
     
    Duane Arnold, Mar 6, 2004
    #7
  8. John

    In article <Xns94A49FE4C14C6darnold92insightbbco@216.148.227.77>,
    says...
    : >
    : > Obviously your problem is that the firewall won't let through the second
    : > message, and you won't get the configuration parameters. The message is
    : > quite legitimate. Even the address matches: it is very common to
    : > configure the lowest non-zero address of the subnet to the uplink
    : > router, which also runs the DHCP service. In your case it is 10.0.0.1.
    : >
    : > I'm not familiar with Sygate configuration. If it is smart enough, it
    : > should detect the DHCP solicitation and open a pinhole for the response
    : > automatically. Otherwise you have to open a permanent pinhole for UDP:68
    : > coming from 10.0.0.1.
    : >
    :
    : I don't know that much about Sygate. If Sygate is a stateful FW application
    : and I think that it is, then it should let the traffic through. That's
    : unless Sygate's IDS views the inbound traffic as some kind of threat and is
    : instructing the FW to block the traffic.
    :
    : AS for the DHCP service not starting, the OP should disconnect from the
    : Internet and disable Sygate and make sure the machine doesn't have any
    : problems with the DHCP service not starting due to a possible bad install
    : of the O/S.
    :
    : Duane :)
    :

    I used Sygate Personal Firewall Pro for a while. I ended up going to
    a Linksys Cable/DSL router instead. Sygate asks you "Low level OS
    process wants to connect to blah.blah.blah.blah do you want to allow
    it?". The problem is that you don't know how to answer, so you tend
    to answer "No".

    After I got the Linksys I left the Sygate running, but my answers
    eventually led to the situation of Sygate blocking *everything*,
    including the machinery that runs the DHCP. After figuring that the
    Linksys kept me invisible on the net, plus "scrambling" my return
    address I felt OK just having the Linksys protecting my machine.

    Without some clue as to what's on the other end of the connection,
    how do you know how to answer when Sygate asks you "Allow the
    connection?"? The Linksys seems to do the job and is *much* easier,
    since it provides "trouble free motoring" with no questions. I've
    been using just the Linksys for about 2-3 weeks and never once has it
    dropped/lost/stopped my connection. There are no open ports on my
    machine either - I check periodically using "netstat -a -n".

    So if it comes down to a choice between spending $50 on a Linksys vs
    spending $30 on a software firewall, I recommend the $50 for the
    Linksys.

    My 2 cents.

    John.
     
    John, Mar 7, 2004
    #8
  9. Duane Arnold

    John <> wrote in
    news::

    > In article <Xns94A49FE4C14C6darnold92insightbbco@216.148.227.77>,
    > says...
    >: >
    >: > Obviously your problem is that the firewall won't let through the
    >: > second message, and you won't get the configuration parameters. The
    >: > message is quite legitimate. Even the address matches: it is very
    >: > common to configure the lowest non-zero address of the subnet to
    >: > the uplink router, which also runs the DHCP service. In your case
    >: > it is 10.0.0.1.
    >: >
    >: > I'm not familiar with Sygate configuration. If it is smart enough,
    >: > it should detect the DHCP solicitation and open a pinhole for the
    >: > response automatically. Otherwise you have to open a permanent
    >: > pinhole for UDP:68 coming from 10.0.0.1.
    >: >
    >:
    >: I don't know that much about Sygate. If Sygate is a stateful FW
    >: application and I think that it is, then it should let the traffic
    >: through. That's unless Sygate's IDS views the inbound traffic as some
    >: kind of threat and is instructing the FW to block the traffic.
    >:
    >: AS for the DHCP service not starting, the OP should disconnect from
    >: the Internet and disable Sygate and make sure the machine doesn't
    >: have any problems with the DHCP service not starting due to a
    >: possible bad install of the O/S.
    >:
    >: Duane :)
    >:
    >
    > I used Sygate Personal Firewall Pro for a while. I ended up going to
    > a Linksys Cable/DSL router instead. Sygate asks you "Low level OS
    > process wants to connect to blah.blah.blah.blah do you want to allow
    > it?". The problem is that you don't know how to answer, so you tend
    > to answer "No".
    >
    > After I got the Linksys I left the Sygate running, but my answers
    > eventually led to the situation of Sygate blocking *everything*,
    > including the machinery that runs the DHCP. After figuring that the
    > Linksys kept me invisible on the net, plus "scrambling" my return
    > address I felt OK just having the Linksys protecting my machine.
    >
    > Without some clue as to what's on the other end of the connection,
    > how do you know how to answer when Sygate asks you "Allow the
    > connection?"? The Linksys seems to do the job and is *much* easier,
    > since it provides "trouble free motoring" with no questions. I've
    > been using just the Linksys for about 2-3 weeks and never once has it
    > dropped/lost/stopped my connection. There are no open ports on my
    > machine either - I check periodically using "netstat -a -n".
    >
    > So if it comes down to a choice between spending $50 on a Linksys vs
    > spending $30 on a software firewall, I recommend the $50 for the
    > Linksys.
    >
    > My 2 cents.
    >
    > John.
    >
    >


    Currently, I use a Linksys myself. However, the Linksys is not a true FW
    appliance and cannot stop outbound and it has some FW like features.

    http://www.homenethelp.com/web/explain/about-NAT.asp
    http://www.firewall-software.com/firewall_faqs/what_does_firewall_do.html

    If you're using an NT base O/S, then you can use IPsec to supplement the
    router on inbound and outbound. And IPsec is integrated into the O/S and
    doesn't ask any questions either. :)

    http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
    http://www.analogx.com/contents/articles/ipsec.htm

    The AnalogX zip has a SecPol file for the basic protection setup, if
    applied.

    Use the Host file:
    http://mvps.org/winhelp2002/hosts.htm
    http://accs-net.com/hosts/HostsToggle/

    I like to use Active Ports (free; use Google) and put it in the Startup
    folder to get a clear picture at machine start up. I also like to use
    Wallwatcher (free) for the BEF model router.

    Duane :)
     
    Duane Arnold, Mar 7, 2004
    #9
  10. Lars M. Hansen

    On Sun, 07 Mar 2004 00:57:56 GMT, Duane Arnold spoketh

    >
    >Currently, I use a Linksys myself. However, the Linksys is not a true FW
    >appliance and cannot stop outbound and it has some FW like features.


    Yes, you keep saying that, but a simple NAT router is still the easiest
    way to protect your computer/network. It blocks all unsolicited traffic
    by default, there's no configuration necessary (other than changing the
    password), and most NAT routers do come with limited port filtering
    functionality, so you can at least block outbound IRC.

    It is certainly much better than nothing, and since it doesn't have the
    annoying "alarms" that desktop security suites have, one can go about
    ones work without getting interrupted because someone pinged your
    computer.

    The two best (cheap) things to get for your computer security are:
    1) a NAT router, and
    2) Anti-virus software (free versions are available).

    With these two products, you're in a good place. The router will keep the
    script kiddies out, and the anti-virus software will keep the malware
    out. There is one other thing that is needed, and it doesn't come cheap:
    Common sense! Don't download every piece of software you find on the
    net. Only a fraction is any good, too much is just plain crap, and then
    some are not what they look like.

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
     
    Lars M. Hansen, Mar 7, 2004
    #10
  11. John

    In article <Xns94A4C0F30E453notmwnotmecom@204.127.204.17>,
    says...
    :
    : Currently, I use a Linksys myself. However, the Linksys is not a true FW
    : appliance and cannot stop outbound and it has some FW like features.
    :
    : http://www.homenethelp.com/web/explain/about-NAT.asp
    : http://www.firewall-software.com/firewall_faqs/what_does_firewall_do.html
    :
    : If you're using an NT base O/S, then you can use IPsec to supplement the
    : router on inbound and outbound. And IPsec is integrated into the O/S and
    : doesn't ask any questions either. :)
    :
    : http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
    : http://www.analogx.com/contents/articles/ipsec.htm
    :
    : The AnalogX zip has a SecPol file for the basic protection setup, if
    : applied.
    :
    : use the Host
    : http://mvps.org/winhelp2002/hosts.htm
    : http://accs-net.com/hosts/HostsToggle/
    :
    : I like to use Active Ports (free use Google) and put it in the Startup
    : folder to get a clear picture at machine start up. I also like to use
    : Wallwatcher (free) for the BEF model router.
    :
    : Duane :)
    :

    Well, thanks for the urls. I think the Linksys is pretty good. It
    makes you invisible on the net and with the NAT feature mangles your
    return address. I think a device that allows all outbound and blocks
    all unsolicited inbound makes a good firewall.

    True, it doesn't do anything for outbound, but that's why I use
    antivirus and why I watch port connections intermittently.

    I think it's a firewall.

    I use the flagship Win2K - am I safe? :) Well, maybe not.
    Constructing those IPsec rules is not really something for the average
    joe, wouldn't you agree? Which of the 65000 ports should I block? I
    followed the directions on UKSecurityonline.com to make myself immune
    to syn attacks among other things. Why isn't that organized by
    default? I followed most of the other "hardening" procedures there
    too.

    I like that Petri guy but just about every suggestion that he made on
    the above noted url I asked "why?". I suspect he worked for
    microsoft at one time - you know, here's what I suggest, don't ask
    questions.

    As for the hosts file, mine's read only. Why do you need one anyway,
    these days? Isn't it a throwback to days gone by, when every
    computer had to have its own lookup table?

    I hope microsoft has learned a bit over the last year or so. I think
    the whole company is being risked by the very poor out of the box
    security in its software. They've got time to re-group but they had
    better get on it soon. Start by scrapping ActiveX - a lousy idea if
    ever there was one.

    Why not put in some large (Word style) application to handle
    security? Copious help files to explain all the settings, some
    standard templates to apply for different machine types eg
    (standalone, no web access), (standalone with web), peer to peer
    network, etc. What's wrong with that? Everyone in the whole world
    that buys an MS operating system has to "get up to speed" (on their
    own) with security issues. Not acceptable.

    Sorry, wandered a bit here. You can probably tell I don't feel very
    warm towards Microsoft. Putting ActiveX into the operating system
    and web interface with "Everyone - Full Control" on all the disk
    drives by default says it all. Baad.

    John.
     
    John, Mar 7, 2004
    #11
  12. Duane Arnold

    Lars M. Hansen <> wrote in
    news::

    > On Sun, 07 Mar 2004 00:57:56 GMT, Duane Arnold spoketh
    >
    >>
    >>Currently, I use a Linksys myself. However, the Linksys is not a true FW
    >>appliance and cannot stop outbound and it has some FW like features.

    >
    > Yes, you keep saying that, but a simple NAT router is still the easiest
    > way to protect your computer/network. It blocks all unsolicited traffic
    > by default, there's no configuration necessary (other than changing the
    > password), and most NAT routers does come with limited port filtering
    > functionality, so you can at least block outbound IRC.


    I never said it wasn't. And one coming to a NG like this should start
    making the distinction as to what is a FW appliance and what is not a FW
    appliance. After all, one coming to a NG like this is looking for
    knowledge. And one should know that the Linksys NAT router and what most
    of them cannot do that are in this class of routers. They can be
    supplemented with something like IPsec that is part of Win 2K, XP and Win
    2K3 O/S(s) that is not intrusive with a bunch of questions.

    I'll never buy completely into the NAT router AV only solution.

    Duane :)
     
    Duane Arnold, Mar 7, 2004
    #12
  13. Duane Arnold

    > Well, thanks for the urls. I think the Linksys is pretty good. It
    > makes you invisible on the net and with the NAT feature mangles your
    > return address. I think a device that allows all outbound and blocks
    > all unsolicited inbound makes a good firewall.
    >
    > True, it doesn't do anything for outbound, but that's why I use
    > antivirus and why I watch port connections intermittently.
    >
    > I think it's a firewall.


    IMHO, the NAT router serves two purposes.

    1) It is used to stop unsolicited inbound traffic from reaching the
    machine.

    2) It sits in front of the computers and the computer's O/S doesn't have
    to react to scans and attacks as it does with a host based FW, slowing
    the machine down in doing other things. And the computer is less
    productive.

    I have seen at least two attacks come past the router like a hot knife
    through butter. In addition, if you start getting fancy like doing port
    forwarding on the router, then the protection by the router is out of the
    picture for the machine for those forwarded ports.

    >
    > I use the flagship Win2K - am I safe? :) Well, maybe not.
    > Constructing those IPsec rules is not really something for the average
    > joe, wouldn't you agree?


    I don't agree. If one can sit there and try to make rules with a third
    party FW, then why not do the same with IPsec? And besides, all I did was
    apply the SecPol file supplied in the AnalogX.zip, which has the basic
    rules that are applied in protecting the basic ports. I enable permit
    NNTP, NTP, POP3 and SMTP client rules that were placed there so I could do
    the various functions with one machine. I didn't have to do that with the
    other machines on the network after applying the SECPol file. It would be
    one thing, if one didn't have some examples of existing rules created for
    them and the ability to learn the rules easily.

    I also recently watched IPsec go into action to protect the machine
    along with BlackIce. As BlackIce reported that the O/S played a role, and
    I think it was IPsec that did it, but it could have been some other
    *hardening* implementations I have done on the O/S.

    > Which of the 65000 ports should I block?


    I would just use the basic setup and go as needed.

    >I followed the directions on UKSecurityonline.com to make myself immune
    > to syn attacks among other things. Why isn't that organized by
    > default? I followed most of the other "hardening" procedures there
    > too.
    >


    The reason is that the O/S is supposed to be used in a closed
    networking environment protected by a business class or industrial
    strength FW solution. Business applications in such an environment use
    those functions of the O/S. So you deploy 1,000 workstations in a
    company, it would be easier to shutdown functionality than it is to undo
    everything.

    Maybe, what MS needs to do is provide a script or program that can run on
    the machine to shutdown functionality on the O/S for the workstation not
    being used in a corporate environment.


    > I like that Petri guy but just about every suggestion that he made on
    > the above noted url I asked "why?". I suspect he worked for
    > microsoft at one time - you know, here's what I suggest, don't ask
    > questions.
    >
    > As for the hosts file, mine's read only. Why do you need one anyway,
    > these days? Isn't it a throwback to days gone by, when every
    > computer had to have its own lookup table?


    Then you don't understand the Host file. The Host file is used to resolve
    DNS to IP when needed and is being done locally on the machine by the
    O/S. Many programmers use the URL in programming to gain Internet access
    for a program. It doesn't matter if the program being used is a browser
    or batch program. If the program needs to do DNS to IP resolution based
    on a URL that has been coded in the program, the use of the Host file
    with 127.0.0.1 for the DNS is going to stop the access.

    As an example, you can put your POP3 Domain Name into the Host file with
    127.0.0.1 and you will not be able to contact the POP3 server. You can
    put the NG Domain name in to the Host file with 127.0.0.1 and you will
    not be able to access the NG server.

    >
    > I hope microsoft has learned a bit over the last year or so. I think
    > the whole company is being risked by the very poor out of the box
    > security in its software. They've got time to re-group but they had
    > better get on it soon. Start by scrapping ActiveX - a lousy idea if
    > ever there was one.


    MS has a little problem but MS is being used in the business community
    and those workstations are sitting in front of millions of workers. And
    what monkey sees, the monkey is going to do. :)

    >
    > Why not put in some large (Word style) application to handle
    > security? Copious help files to explain all the settings, some
    > standard templates to apply for different machine types eg
    > (standalone, no web access), (standalone with web), peer to peer
    > network, etc. What's wrong with that? Everyone in the whole world
    > that buys an MS operating system has to "get up to speed" (on their
    > own) with security issues. Not acceptable.


    Maybe that's needed and maybe it will come to that. I don't know.
    >
    > Sorry, wandered a bit here. You can probably tell I don't feel very
    > warm towards Microsoft. Putting ActiveX into the operating system
    > and web interface with "Everyone - Full Control" on all the disk
    > drives by default says it all. Baad.



    Then I think you need to learn how to undo it, because I don't think it's
    changing anytime soon. :)

    Duane :)
     
    Duane Arnold, Mar 7, 2004
    #13
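Duane's point above (a Host file entry of 127.0.0.1 stops any program that resolves that name, browser or not) as an added example that is not from the thread; the hosts text and the host names in it are constructed, and the lookup mimics the resolver's first-match rule:

```python
# Added example (not from the thread): how a Hosts-file entry of 127.0.0.1
# short-circuits name resolution for any program that resolves that name.
# The hosts text below is constructed; the names and addresses are not real.
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       pop3.example.net   # mail client will never reach the server
0.0.0.0         news.example.net   # same effect, another common sinkhole
192.0.2.10      www.example.com    # ordinary static mapping
"""

def parse_hosts(text):
    """Return an ordered list of (address, hostname) pairs, comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                          # malformed line: resolver ignores it
        for name in names:
            entries.append((ip, name.lower()))  # hostnames match case-insensitively
    return entries

def resolve(text, hostname):
    """Mimic the hosts lookup: first matching name wins; None means 'go on to DNS'."""
    wanted = hostname.lower().rstrip(".")
    for ip, name in parse_hosts(text):
        if name == wanted:
            return str(ip)
    return None

def is_sinkholed(text, hostname):
    """True when the hosts file pins the name to loopback or the unspecified address."""
    ip = resolve(text, hostname)
    if ip is None:
        return False
    ip = ipaddress.ip_address(ip)
    return ip.is_loopback or ip.is_unspecified
```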
  14. On Sun, 07 Mar 2004 02:03:41 GMT, Duane Arnold spoketh

    >
    >I never said it wasn't. And one coming to a NG like this should start
    >making the distinction as to what is a FW appliance and what is not a FW
    >appliance. After all, one coming to a NG like this is looking for
    >knowledge. And one should know that the Linksys NAT router and what most
    >of them cannot do that are in this class of routers. They can be
    >supplemented with something like IPsec that is part of Win 2K, XP and Win
    >2K3 O/S(s) that is not intrusive with a bunch of questions.
    >
    >I'll never buy completely into the NAT router AV only solution.
    >
    >Duane :)
    >
    >


    What are you afraid of so you need more than that? Although I've
    upgraded from a NAT router to a firewall, that mix has served me well
    for the past 4 years. No viruses, no trojans, no malware of any kind.

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
     
    Lars M. Hansen, Mar 7, 2004
    #14
  15. "Lars M. Hansen" wrote:

    > What are you afraid of so you need more than that? Although I've
    > upgraded from a NAT router to a firewall, that mix has served me well
    > for the past 4 years. No viruses, no trojans, no malware of any kind.


    A firewall is a far more complex thing than a NAT box. For example, a
    basic NAT box doesn't help against DoS attacks (SYN flood, land, smurf,
    etc.), because it isn't smart enough to know what is happening. The
    commercial products out there may have features against them, but there
    is no standard feature set. So YMMV.

    It's a pity that the vendors have obfuscated the distinction of firewall
    and NAT. Previously you knew what you got, but these days you don't.

    -- Lassi
     
    Lassi Hippeläinen, Mar 7, 2004
    #15
  16. On Sun, 07 Mar 2004 15:01:06 GMT, Lassi Hippeläinen spoketh

    >"Lars M. Hansen" wrote:
    >
    >> What are you afraid of so you need more than that? Although I've
    >> upgraded from a NAT router to a firewall, that mix has served me well
    >> for the past 4 years. No viruses, no trojans, no malware of any kind.

    >
    >A firewall is a far more complex thing than a NAT box. For example, a
    >basic NAT box doesn't help against DoS attacks (SYN flood, land, smurf,
    >etc.), because it isn't smart enough to know what is happening. The
    >commercial products out there may have features against them, but there
    >is no standard feature set. So YMMV.
    >
    >It's a pity that the vendors have obfuscated the distinction of firewall
    >and NAT. Previously you knew what you got, but these days you don't.
    >
    >-- Lassi


    I absolutely agree that vendors have misused the "firewall" label on
    their products. I've always attempted to make the distinction between
    firewalls and NAT routers.

    Although a NAT router may not "help" against DoS attacks, it does still
    protect the computer(s) behind the router from the effects of such
    attacks. Even if your internet connection may suffer from such an
    attack, at least your computer won't freak out.

    NAT routers are not the answer to all the security issues out there, but
    for John/Jane Doe who's just getting started, it's a very good first
    step to make. They're very easy to set up, there's almost no
    configuration needed to be done...


    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
     
    Lars M. Hansen, Mar 7, 2004
    #16
  17. Duane Arnold

    Duane Arnold Guest

    Lars M. Hansen <> wrote in
    news::

    > On Sun, 07 Mar 2004 15:01:06 GMT, Lassi Hippeläinen spoketh
    >
    >>"Lars M. Hansen" wrote:
    >>
    >>> What are you afraid of so you need more than that? Although I've
    >>> upgraded from a NAT router to a firewall, that mix has served me well
    >>> for the past 4 years. No viruses, no trojans, no malware of any kind.

    >>
    >>A firewall is a far more complex thing than a NAT box. For example, a
    >>basic NAT box doesn't help against DoS attacks (SYN flood, land, smurf,
    >>etc.), because it isn't smart enough to know what is happening. The
    >>commercial products out there may have features against them, but there
    >>is no standard feature set. So YMMV.
    >>
    >>It's a pity that the vendors have obfuscated the distinction of firewall
    >>and NAT. Previously you knew what you got, but these days you don't.
    >>
    >>-- Lassi

    >
    > I absolutely agree that vendors have misused the "firewall" label on
    > their products. I've always attempted to make the distinction between
    > firewalls and NAT routers.
    >
    > Although a NAT router may not "help" against DoS attacks, it does still
    > protect the computer(s) behind the router from the effects of such
    > attacks. Even if your internet connection may suffer from such an
    > attack, at least your computer won't freak out.
    >
    > NAT routers are not the answer to all the security issues out there, but
    > for John/Jane Doe who's just getting started, it's a very good first
    > step to make. They're very easy to set up, there's almost no
    > configuration needed to be done...
    >
    >
    > Lars M. Hansen
    > www.hansenonline.net
    > Remove "bad" from my e-mail address to contact me.
    > "If you try to fail, and succeed, which have you done?"
    >


    It's funny that you ask this at this time. This is why, Lars, I don't trust
    the NAT router. The only port forwarding I am doing is on the Ident port
    that I am sending to a dummy IP in the DMZ of the router. I have also
    gotten hits without doing the Ident redirect as well.

    Time, Event, Intruder, Count
    3/7/2004 11:51:16 AM, TCP_Port_Scan, 216.193.207.46, 1
    3/7/2004 6:40:49 AM, Application Communication Blocked, 0.0.0.0, 1
    3/7/2004 6:39:50 AM, Application Communication Blocked, 0.0.0.0, 1
    3/6/2004 8:57:33 PM, Application Communication Blocked, 0.0.0.0, 1
    3/6/2004 8:56:55 PM, Application Communication Blocked, 0.0.0.0, 1
    3/6/2004 8:59:52 AM, Application Communication Blocked, 0.0.0.0, 1
    3/4/2004 6:57:02 PM, BlackICE detection started, 0.0.0.0, 1
    3/4/2004 6:55:20 PM, BlackICE detection stopped, 0.0.0.0, 1
    3/2/2004 8:13:45 PM, Application Protection stopped, 0.0.0.0, 1

    The scan was aimed at ports 1972, 1975-1977, 1981-1983 and 1986 according
    to the BlackIce logs.

    Granted, out of the millions of scans the router has stopped, this is the
    third time BI has reacted behind the router over the last two years. The
    firmware for the 11S4 V1 router doesn't have SPI. I'll be setting a rule to
    block the IP.

    Duane :)
     
    Duane Arnold, Mar 7, 2004
    #17
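Working through Duane's BlackICE log above (separating engine events logged with intruder 0.0.0.0 from real remote sources, and expanding the port list he quotes) as an added example that is not part of the post; the log lines are constructed in the same "Time, Event, Intruder, Count" shape, with documentation addresses in place of the real source:

```python
# Added example (not from the thread): summarise a BlackICE-style event log
# per remote source, which is what a "block this IP" rule would be based on.
# The log lines are constructed; 0.0.0.0 marks local engine events, not a peer.
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
Time, Event, Intruder, Count
3/7/2004 11:51:16 AM, TCP_Port_Scan, 198.51.100.46, 1
3/7/2004 6:40:49 AM, Application Communication Blocked, 0.0.0.0, 1
3/6/2004 8:57:33 PM, Application Communication Blocked, 0.0.0.0, 1
3/5/2004 9:12:00 PM, TCP_Port_Scan, 203.0.113.9, 3
3/4/2004 6:57:02 PM, BlackICE detection started, 0.0.0.0, 1
"""

def parse_events(text):
    """Parse 'Time, Event, Intruder, Count' rows into dicts; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue                                  # tolerate a truncated row
        when = datetime.strptime(parts[0], "%m/%d/%Y %I:%M:%S %p")
        rows.append({"time": when, "event": parts[1],
                     "intruder": parts[2], "count": int(parts[3])})
    return rows

def remote_sources(rows):
    """Total event counts per remote source, ignoring the 0.0.0.0 engine/local rows."""
    totals = Counter()
    for r in rows:
        if r["intruder"] != "0.0.0.0":
            totals[r["intruder"]] += r["count"]
    return totals

def parse_port_spec(spec):
    """Expand a spec like '1972, 1975-1977, 1981-1983 and 1986' into sorted ports."""
    ports = set()
    for tok in spec.replace(" and ", ",").split(","):
        tok = tok.strip()
        if "-" in tok:
            lo, hi = (int(x) for x in tok.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif tok:
            ports.add(int(tok))
    return sorted(ports)
```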