About to get Broadband : Adequate Firewall protection
brian100
Suspended due to non-functional email address
5. August 2004 @ 13:00
Hiya all.
My bumblef**k neighbourhood telephone exchange has FINALLY been upgraded to allow broadband connection.
I have jumped on the bandwagon, but need some advice on adequate firewall protection for my system.
I will not be using any p2p file sharing applications whatsoever.
Would a software firewall, i.e. ZoneAlarm, be ok or would I need some fancy hardware doohicky? Or perhaps a mixture of both?
Any advice would be greatly appreciated.
Many thanks in advance.
Looking for my old AD
drchips
Senior Member
5. August 2004 @ 14:22
Hi brian,
Might I STRONGLY suggest both a hardware and a software solution, for the following reasons:
Hardware is invariably based on LINUX (uCLinux in most embedded solutions), SMOOTHWALL is professional level protection.
This will allow you full control over INCOMING connections.
A software firewall on your pc will then not have to handle incoming and can then be used to concentrate on OUTGOING requests.
Possibilities are:
1 - ADSL ROUTER as the hardware part with a personal firewall as the software part, e.g.:
Mercury ADSL Router
http://www.kobian.com/products.php?productid=376
Mentor ADSL Router
http://www.gladiatorcomputers.com/support/index.php?page=22&code=MODMENADSLROUT1
Both the above are available from many different dealers online. I have used both, but if you have support issues the Mercury (KOBIAN) has MUCH better support.
Both are easy to set up & administer.
Both are available from a supplier I use:
http://www.anglianinternet.co.uk
2 - If you have an old pc lying around, download SMOOTHWALL EXPRESS
http://www.smoothwall.org/
Very good, very easy to set up & administer etc.
If you need to know more, let me know..
Have Fun...
Life is just more of the same:
AfterDawn Addict
5. August 2004 @ 14:45
Yeah, I suggest a router also. Not only do they have good firewalls, you can also share your internet connection with other computers in your house (if you have more than 1). I have a Linksys router and it works great.
V9 PS2, flip top, SMD, DVDLoader
Pioneer 107, ritek g05
DVD Shrink, DVD Decrypter, Nero
brian100
Suspended due to non-functional email address
6. August 2004 @ 09:12
Drchips & Sly,
Many thanks for the, as usual, expert advice! I will follow your recommendations to the letter.
I will purchase the item that you recommended. I will keep you updated as to how I get on.
Cheers again lads.
agent-k
Senior Member
6. August 2004 @ 11:15
Hey lads,
This may come as a surprise, but I've tried about seven different firewalls and run each one of them through the Symantec security check.
The only one that gave me a 100% perfectly safe score was Windows' own XP firewall.
Apparently my computer is completely invisible on the internet and when scanned does not scan back, which would give itself away.
All I use is Norton Antivirus 2004 and the XP firewall. I don't want to speak too soon, but I've never picked up a virus or any other problem and my PC is on broadband about 20 hours a day.
Athlon XP2500+Barton OCd to XP3200+ running at 2.2Ghz
Cooled by Thermaltake Extreme Volcano 12
Asus A7N8X-E DeLuxe
2Gig PC3200 400DDR Dual Channel Ram
160Gb Seagate Barracuda
drchips
Senior Member
6. August 2004 @ 12:38
agent-k,
Quote: I've tried about seven different firewalls
Each of which would be a SOFTWARE firewall running on your own workstation, yes??
Would you consider a sample size of seven to be representative?
Quote: and run each one of them through the symantec security check.
A reasonable quick-n-dirty check; you could also try the ShieldsUP! test from GRC.COM for another basic test (NOTE: they only test incoming!!!)
Quote: The only one that gave me a 100% perfectly safe score was the Windows own XP firewall.
Hahaha..
What a paragon of security the WindowsXP firewall is !LOL!
The proposal put forward was for the firewalling functions to be split between a hardware solution for INCOMING (NAT, Firewall & Routing etc....) and a PROPER software firewall/IDS-type solution on the PC to take care of OUTGOING connection requests & authorisations - the WindowsXP firewall DOES NOT DO ANY CHECKING of outgoing requests...
If you want to learn about decent firewall/security solutions (not mickey-mouse ones) you will have to do a LOT of reading...
BEFORE you get all miffed and fire off a reply, consider the possibility that I might be someone who deals with network security (and the breaking of same) as a job.
brian100
Suspended due to non-functional email address
6. August 2004 @ 12:49
Dr chips,
This software firewall you mentioned, "SMOOTHWALL EXPRESS": how does it compare to existing software firewalls? Not that I don't trust you, but I would be very interested in your opinion.
Thanks in advance.
That router is a good price at £45; I ordered one tonight.
agent-k
Senior Member
6. August 2004 @ 12:57
drchips,
Quote: would you consider a sample size of seven to be representative?
Yes.
Quote: If you want to learn about decent firewall/security solutions (not mickey-mouse ones) you will have to do a LOT of reading...
I prefer to try them and test them firsthand rather than read about them.
Quote: BEFORE you get all miffed and fire off a reply, consider the possibility that I might be someone who deals with network security (and the breaking of same) as a job.
I never doubted your authority on the matter. I was simply relaying my experiences and taking part in the thread, hoping to learn from it.
And I have, thanks mainly to you.
drchips
Senior Member
6. August 2004 @ 14:34
Brian,
The Smoothwall Express was an alternative to a hardware router:
basically you use an old/redundant PC, put a network card & ADSL modem in it & load up the software.
The software is a custom configured version of Linux that can be configured/controlled from your PC
- it is a hardened (security-wise) setup and provides ALL the functionality of a hardware router/firewall/NAT etc.
As you have ordered a router, Smoothwall is of no use to you.
You can use whatever software firewall you want on your own pc, as the router takes over the job of handling all INCOMING.
My personal choice is Kerio Personal Firewall V4.
There are updated versions of that firewall about, but they look and act a bit too much like Norton/McAfee/ZoneAlarm etc. etc.
(pretty buttons, fancy GUI and designer skins that get in the way of the job of administering)
BTW; Norton, McAfee & ZoneAlarm have all had security vulnerabilities published - so they cannot be relied upon to be the primary/only defence.
In simple terms my systems are such:
Cable Modem -> Hardware Router (NAT/Firewall/Router/DoS protection) running uCLINUX
Hardware Router -> Bandwidth Arbitrator (pc running custom Linux with Firewall)
Bandwidth Arbitrator -> Switch -> rest of network
Sitting on the network is an IDS (Intrusion Detection System) with permission to break the internet link if it detects a break-in.
Each PC (workstation/server) also runs Kerio Personal Firewall in NON-TRUSTED mode (paranoid) AND TRUST-NO-EXE in paranoid mode.
Never mind all the anti-spyware/anti-trojan etc stuff on each machine.
Any malicious code has to beat 3 DIFFERENT firewalls, on at least 3 different machines, all of which are paranoid - as well as the IDS etc...
I take my security seriously !LOL!
agent-k,
Good on ya, a healthy attitude.
If only there were more people like yourself on the internet, willing to learn, interested in security & how things work...
Unfortunately there are MILLIONS of Joe-Sixpacks out there, who connect their machines to the internet with NO thought whatsoever about security
- RESULT: millions of 0Wn3D machines, DDoS'ing, spamming, spreading viruses and other exploits.
And the horrible thing is: most of those idiots DON'T WANT to learn, or plain JUST DON'T CARE!!!!
You have to have training, licence & insurance to drive a car; why not a pc on the internet??
My apologies to you guys for ranting, but that is one of my pet hates :-o
brian100
Suspended due to non-functional email address
6. August 2004 @ 22:18
Dr chips,
Thanks for the detailed explanation. The "penny" has finally dropped for me. I have had suspicions about ZoneAlarm & Norton in the past.
Many thanks.
PS. I sometimes get the impression that you've forgotten more about PCs than I will ever know. It's depressing, to tell the truth, but I will have to live with it.
drchips
Senior Member
6. August 2004 @ 23:37
Quote: I sometimes get the impression that you've forgotten more about PCs than I will ever know.
Yeah, maybe...
There is only so much that the mind can reasonably hold, and I have filled mine with technical stuff.
As a result I am cr*p at dealing with people!!
Swings & roundabouts....
AfterDawn Addict
7. August 2004 @ 18:34
drchips, I have cable modem broadband. I use the Windows XP firewall, and the firewall on my Linksys router (WRT54G).
I ran some tests at ShieldsUP, with both of the above mentioned in place. The result was Stealth status.
When I ran the test with either one of them down, I failed. With both down, I failed.
Should I be doing more than I am, with both firewalls up? I would tell you that I play one game online, and for the folks that I play with, I use DMZ, but I know you would shoot me. LOL. I don't know how to open ports, even though I have read which ones to open.
Life is good!
GrandpaBruce - Vietnam Vet - 1970 - 1971
Computer: Intel Core i7-920 Nehalim;Asus P6T Deluxe V2
agent-k
Senior Member
8. August 2004 @ 03:24
drchips,
I tried that ShieldsUP and that's the one that gave me the 'perfect' status.
But following your advice I have just installed Kerio Personal Firewall version 4. I have used this before, but after one of my regular reformats never bothered to put it back in, as I couldn't see the point when the XP one was doing such a good job.
It was only after you pointed out that the XP firewall only protects from incoming stuff that I re-installed Kerio to protect from outgoing stuff.
Not explaining this very well am I?
Anyway, this is my new question:
When I tried various firewalls in the past I noticed that some of them significantly slowed down my internet browsing.
When I use the Kerio one it seems to be a lot faster.
Why is this?
And is this one of the reasons why it's one of your personal favourites?
drchips
Senior Member
8. August 2004 @ 06:41
GrandpaBW,
As you say you don't know how to open ports, I assume you know very little about how your router works & is set up (if that is not the case, let me know).
Putting yourself into the DMZ with only the XP firewall as protection is a NO-NO.
Ideally you would have the Linksys set:
as a Gateway,
radio off,
no DHCP,
UPnP DISABLED,
MAC filtering ON (your pc in the MAC table, natch!),
default Linksys passwords CHANGED,
remote administration DISABLED,
block WAN requests ENABLED.
etc.
etc.
with your pc linked to the linksys via one of the RJ45 ports,
your pc with a static I.P. (correct subnet/gateway etc),
NOT running under Administrator account,
Administrator account password changed,
proper software firewall.
etc.
etc.
If your pc is connected to the Linksys using Wireless:
radio on,
wireless MAC filtering ON (your pc in the table),
SSID changed,
SSID broadcast disabled,
shared key authentication,
WPA pre-shared key.
etc.
etc.
Those are the requirements for BASIC security BEFORE you consider opening ports for gaming etc.
As you have probably guessed by now, it is a tad complicated (especially so when using wireless).
Setting the whole thing up properly is a step-by-step process: skip a step (or use the wrong settings) and it either won't work right OR you are vulnerable...
If you are prepared for considerable work and the frustration when it doesn't work right straight away, then it can be done....
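A small audit script for the checklist in the post above (router set as gateway, UPnP and remote admin off, default password changed, WAN requests blocked, the wireless items when the PC is on wireless, and the host-side points: static IP, not running as Administrator, a software firewall that checks outgoing, and no DMZ). This is an added example, not drchips' or any vendor's code; the setting names, the two dicts and the sample values are constructed for illustration.

```python
"""Audit a home router and PC against the hardening checklist in this thread.
Added example, not from the original post; setting names and sample values are
constructed for illustration and are not any vendor's configuration schema."""
from dataclasses import dataclass

@dataclass
class Finding:
    severity: str  # "high" or "medium"
    message: str

# Constructed setting name -> (required value, severity, message if it deviates)
ROUTER_REQUIRED = {
    "mode": ("gateway", "medium", "router should run as a gateway"),
    "dhcp_enabled": (False, "medium", "DHCP on; use static addressing"),
    "upnp_enabled": (False, "high", "UPnP on; programs can open ports silently"),
    "mac_filtering": (True, "medium", "MAC filtering off"),
    "default_password_changed": (True, "high", "default admin password unchanged"),
    "remote_admin_enabled": (False, "high", "remote administration reachable"),
    "block_wan_requests": (True, "high", "WAN requests not blocked"),
}
WIRELESS_REQUIRED = {
    "wireless_mac_filtering": (True, "medium", "wireless MAC filtering off"),
    "ssid_changed": (True, "medium", "default SSID still in use"),
    "ssid_broadcast": (False, "medium", "SSID broadcast enabled"),
    "encryption": ("wpa-psk", "high", "not using a WPA pre-shared key"),
}
HOST_REQUIRED = {
    "static_ip": (True, "medium", "PC not on a static IP"),
    "runs_as_admin": (False, "high", "daily account is Administrator"),
    "admin_password_changed": (True, "high", "Administrator password unchanged"),
    "outbound_filtering": (True, "high", "host firewall does not check outgoing"),
}

def _check(cfg, required, findings):
    for key, (want, severity, message) in required.items():
        if cfg.get(key) != want:
            findings.append(Finding(severity, message))

def audit(router, host):
    """Return deviations from the checklist; an empty list means compliant."""
    findings = []
    _check(router, ROUTER_REQUIRED, findings)
    if host.get("link") == "wireless":
        _check(router, WIRELESS_REQUIRED, findings)
    elif router.get("radio_on"):
        findings.append(Finding("medium", "radio on although the PC is wired"))
    _check(host, HOST_REQUIRED, findings)
    # Placing the PC in the DMZ bypasses the router layer entirely.
    if router.get("dmz_host") == host.get("ip"):
        findings.append(Finding("high", "PC in the DMZ; open named ports instead"))
    return findings

def sample_weak_setup():
    """Constructed out-of-the-box style setup with the PC in the DMZ."""
    router = {"mode": "gateway", "dhcp_enabled": True, "upnp_enabled": True,
              "mac_filtering": False, "default_password_changed": False,
              "remote_admin_enabled": False, "block_wan_requests": True,
              "radio_on": True, "dmz_host": "192.168.1.100"}
    host = {"ip": "192.168.1.100", "link": "wired", "static_ip": False,
            "runs_as_admin": True, "admin_password_changed": False,
            "outbound_filtering": False}
    return router, host

if __name__ == "__main__":
    for f in audit(*sample_weak_setup()):
        print(f"[{f.severity}] {f.message}")
```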
drchips
Senior Member
8. August 2004 @ 07:10
agent-k,
Quote: When I tried various firewalls in the past I noticed that some of them significantly slowed down my internet browsing.
Quite common.
(Quite used in the English sense - more than noticeable, but not drastically so:
Americans use the word "quite" in a different sense - very noticeable, critical, important.)
Quote: When I use the Kerio one it seems to be a lot faster.
Definitely so.
Quote: Why is this?
Lack of fancy cr*p in the GUI?
Better core engine?
Concentration on the core of the program as opposed to other "functionality"?
Quote: And is this one of the reasons why it's one of your personal favourites?
One of the reasons...
I have been using it (and its predecessors) for a number of years, since it was Tiny Personal Firewall..
Kerio bought the program from Tiny to add to their portfolio, and kept to the core value of the program.
It is small,
fast,
easy to maintain,
easy to configure (for those who can think past "Look, Shiny!!!"),
secure (unlike the XP firewall which loads AFTER the TCP/IP stack has initialised and connection is made),
stable,
reliable,
uses little resources,
has some of the functionality of an Intrusion Detection System,
I could go on and on.
Now before all you others start flaming me about your own personal favourites, consider the following:
XP Firewall - loads AFTER the TCP/IP stack has initialised and the connection is made; that means there IS a period of time where TCP/IP is working and the firewall is not (on a slower machine that can be a few seconds).
McAfee Firewalls - If you use the web-based/loadable version, you are unprotected until it is installed & running (how FAST is your connection?)
If you are using their CD based product, how often do you upgrade it? (there have been exploits that affect those).
Norton Firewalls - Slow your machine down, intrusive, resource hungry (at times), exploited..
Good points are: updateable, easily configured..
Agnitum Outpost (free version) - Don't go there, trust me.
The Pro version (that you pay for) is GOOD, but not the free one..
AfterDawn Addict
8. August 2004 @ 13:17
Thanks drchips. You are right, I have some learning to do. All this stuff is fun to learn, though. :)
cosmikel
Account closed as per user's own request
9. August 2004 @ 01:57
Hi DrChips,
You state:
In simple terms my systems are such:
Cable Modem -> Hardware Router (NAT/Firewall/Router/DoS protection) running uCLINUX
Hardware Router -> Bandwidth Arbitrator (pc running custom Linux with Firewall)
Bandwidth Arbitrator -> Switch -> rest of network
I was wondering what the "Hardware Router (NAT/Firewall/Router/DoS protection) running uCLINUX" bit consisted of, and also what you think of "Sygate Personal Firewall Pro".
Thanks for the interesting and informative ideas.
drchips
Senior Member
9. August 2004 @ 05:13
cosmikel,
The "Hardware Router (NAT/Firewall/Router/DoS protection) running uCLINUX" consists of a custom board that I built & ported uClinux onto.
There are a number of commercial products available that use uClinux; for example, you could have a look at:
http://www.sweexeurope.com/content.asp?pcID=80 - the top listed model is extremely good value for money, costing only £29 (53 USD, 43 EURO), with amazing functionality for the price.
It is available here:
http://www.anglianinternet.co.uk and many other suppliers online.
If you want to read up on uClinux:
http://www.uclinux.org
As for "Sygate Personal Firewall Pro", I cannot really comment upon it as I have not had sufficient exposure to it yet - though initial impressions are that it offers similar levels of control / customisation / granularity of rulesets to Kerio.
It would probably require a bit of knowledge to get the best out of it (not an install & forget/Joe-Sixpack no-brainer program).
Moderator
9. August 2004 @ 10:30
This thread needs to be renamed "The drchips School Of Network Security" :P
Quote: I sometimes get the impression that you've forgotten more about PCs than I will ever know.
Lord have mercy if that isn't true!
My killer sig came courtesy of bb "El Jefe" mayo.
The Forum Rules You Agreed To! http://forums.afterdawn.com/thread_view.cfm/2487
"And there we saw the giants, and we were in our own sight as grasshoppers, and so we were in their sight" - Numbers 13:33
chthomson
Member
9. August 2004 @ 18:00
Hi drchips,
Your reference to Zone Alarm security issues: is that the Zone Alarm freeware or Zone Alarm Pro?
I have been using Zone Alarm for 5 or 6 years now, and for the last 4 years running Zone Alarm Pro with a Linksys router. I have tested the firewall with ShieldsUP and seem to be rated as stealth.
From what you are saying, it may be time to change the software firewall. Am I right??
Thanks for the advice in advance.
drchips
Senior Member
10. August 2004 @ 01:19
chthomson,
A quick extract from my database gives:
http://www.securitytracker.com/archives/vendor/988.html
That being said, ZoneAlarm PRO (note the PRO - paid-for version) is one of the better ones, and with your setup (assuming you have the Linksys configured correctly) you are operating at a considerably lower threat level.
To everyone:
The use of a router AND a personal firewall greatly improves your security - the problems really come about when you are reliant upon one layer/device.
In general there is no security (as an absolute), every device has the potential for exploits (actualised or not).
Setting up a multi-layered approach to security means that the chances of a single exploit gaining access to your systems are considerably reduced (getting past one level, easy - getting past 2, hard - past 3, the bad guy will give up & go find an easier target).
That is the main principle of security nowadays, make it so hard for the bad guy to get through, as a consequence he goes away to find an easier target.
A truly DETERMINED bad guy WILL eventually get through (he is not after an easy target, he has chosen a PARTICULAR target - a grudge maybe).
That is one of the main reasons why I dislike monolithic security products (Norton Internet Security, for example) - if ONE module of the suite "trusts" something, ALL modules "trust" it, therefore wide open.
With a separate, multi-layer approach, with each module/layer being paranoid (not trusting), it is safer.
That being said, the easiest exploits are those based on "Social Engineering", "User Stupidity/Lack of Care or Attention" or "Browser Exploits" (IE ActiveX/JScript etc).
So we are all still at risk...
If you sit behind your multi-layered, fortress-like security and think "I am safe", you are open to attack.
Be PARANOID, people.
chthomson
Member
10. August 2004 @ 06:56
Hi drchips,
Please excuse my limited understanding of firewall setups. How does one correctly configure a Linksys router?
I have 3 home computers connected to an 8-port ethernet switch. The router is plugged into port 1 of the switch. In configuring the router I selected:
1 Connect on demand to limit exposure time on the Internet
2 Enabled block WAN request
3 Disabled Remote Management
4 Disabled remote upgrade
I have tried to be paranoid in choosing settings.
The same applies to Zone Alarm Pro.
Sometimes I am unsure of the correct choices and put myself at risk. So any assistance in making better choices would be greatly appreciated.
Once again thanks for the assistance.
Praetor
Moderator
11. August 2004 @ 02:38
Quote: How does one correctly configure a Linksys router?
What exactly are you looking to configure it for? :) What you've got there is pretty decent.
As for software firewalls, dunno (it's been a while since I used ZA, maybe circa v4), but does it show ports in use? Inbound requests etc? If not, I'd recommend you get a beefier firewall :)
drchips
Senior Member
14. August 2004 @ 17:26
DMW
Member
18. August 2004 @ 04:38
Hi Dr.Chips,
Earlier in this thread you said...
Quote: Agnitum Outpost (free version) - Don't go there, trust me.
I have seen your posts plenty of times and you have helped me out on a couple of occasions, therefore I respect your opinion.
I use the above mentioned firewall as part of my setup. You have me worried... are there major problems?
I have my network behind Smoothwall also, but believe in having more than one form of protection, i.e. software also. But now I feel I have made the wrong choice.
I looked on the site you linked to about ZA and found 3 exploits which didn't seem to apply to my system. Are there severe flaws I should consider?
Yours worryingly,
DMW.
Cheers