D-Link 604 Router

roy

Archived from groups: comp.security.firewalls

I have just recently installed a new D-Link 604 VPN NAT Router, and I have
stealthed Ports 113, 137, & 138. I am also running Trend Micro's Firewall.

I have checked everything on GRC.com and all ports are coming back as
stealthed. Furthermore, my Trend Micro Firewall log is showing that nothing
is currently getting through to my software firewall.

Is there anything else I need to do? I am running a single machine on a
cable modem, with no LAN setup.

Please advise.

--
--------------------------------------------------
Virus checked before sending
with Trend Micro PC-Cillin 2004.
--------------------------------------------------
 
Guest

Roy wrote:
> I have just recently installed a new D-Link 604 VPN NAT Router, and I have
> stealthed Ports 113, 137, & 138. I am also running Trend Micro's Firewall.
>
> I have checked everything on GRC.com and all ports are coming back as
> stealthed. Furthermore, my Trend Micro Firewall log is showing that nothing
> is currently getting through to my software firewall.
>
> Is there anything else I need to do? I am running a single machine on a
> cable modem, with no LAN setup.
>
> Please advise.
>
Are you the sole user, or do you share your system with others?
 
Guest

Roy said in news:xGnBc.834614$Ig.198794@pd7tw2no:
> Thanks, I just wanted to make sure that I had all my bases covered.
>
> Now onward to the internet surfing.
>

Well, firewalls won't protect you from viruses in communications that
YOU establish. Obviously if you can browse the Internet then you have
an outbound hole punched in your firewalls to permit that connection.
That means you can also do downloads. Same for e-mails. Do you have
anti-virus software (and does it auto-update several times per week and
maybe once, or more, per day)? Do you periodically scan for spyware
(which is not detected by anti-virus products)?
 
Guest

In article <J4mdnZ9qBojllkrd4p2dnA@comcast.com>, reply-to-newsgroup@to-
email.use-Reply.obey-signature.invalid says...
> Roy said in news:xGnBc.834614$Ig.198794@pd7tw2no:
> > Thanks, I just wanted to make sure that I had all my bases covered.
> >
> > Now onward to the internet surfing.
> >
>
> Well, firewalls won't protect you from viruses in communications that
> YOU establish. Obviously if you can browse the Internet then you have
> an outbound hole punched in your firewalls to permit that connection.
> That means you can also do downloads. Same for e-mails. Do you have
> anti-virus software (and does it auto-update several times per week and
> maybe once, or more, per day)? Do you periodically scan for spyware
> (which is not detected by anti-virus products)?

You've got your definition of Firewall and NAT devices mixed up.
Firewalls can protect you while you are making a connection to a site
for browsing - many firewalls allow you to block cookies, host
information, active-X, java scripting, etc... A NAT device will not
allow you (in most cases) to block any of those.

Same with email, a firewall often includes proxy filters that allows you
to remove attachments by type, size, and remove invalid header
information. Again, a NAT device doesn't do this.

So, now that you understand that a NAT device is NOT A FIREWALL you
should be able to properly make the statements:

NAT devices are not firewalls, they block unsolicited inbound access to
your network.

NAT devices, in most cases, have no ability to block outbound access
from your network - some have features to select "private" port ranges,
but, unless you set them up for that, you are fully permitted to access
the public side of the network by default.

NAT devices do not filter web/smtp sessions and do not protect you from
malicious web sites, spyware, or infected email.

Firewalls, in general, protect you from all of the above things that NAT
devices can't/don't do, and much more.

Now, for the practical side: A home user connected to the internet
should have, at the least, a border device, a NAT device, to block
inbound traffic and to permit the computers to be updated before being
exposed to the internet and other nasties. A home user sitting behind a
NAT device is much better off than one not sitting behind one. Any user
should (esp, on a Microsoft platform) be running a quality antivirus
software package that AUTO-Updates at least once per day.

If you are a home user running a server or have services exposed to the
internet (or forwarded) make sure you secure your system and don't
scrimp on the "Corporate / Server" class version of the AV software.
While you may not care if your machine is compromised, most of us don't
want the wasted traffic your compromised machine will generate hitting
our networks.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest

Leythos said in
news:MPG.1b40da6a4fe624c298a67a@news-server.columbus.rr.com:
> In article <J4mdnZ9qBojllkrd4p2dnA@comcast.com>,
> reply-to-newsgroup@to- email.use-Reply.obey-signature.invalid says...
>>
>> Well, firewalls won't protect you from viruses in communications that
>> YOU establish. Obviously if you can browse the Internet then you
>> have an outbound hole punched in your firewalls to permit that
>> connection. That means you can also do downloads. Same for e-mails.
>> Do you have anti-virus software (and does it auto-update several
>> times per week and maybe once, or more, per day)? Do you
>> periodically scan for spyware (which is not detected by anti-virus
>> products)?
>
> You've got your definition of Firewall and NAT devices mixed up.
> Firewalls can protect you while you are making a connection to a site
<snip>

When did *I* ever mention NAT (network address translation)? I don't
care what firewall you use or if your boundary device has NAT. YOU are
still the ultimate barrier for protection. Anti-Virus and anti-spyware
products help but obviously if your firewall lets you make HTTP and POP3
connections then those are avenues for inbound infections from downloads
(files or AX controls) or from e-mail.

By the way, the DI-604 mentioned does have a built-in firewall besides
the NAT function. It doesn't replace using anti-virus and anti-spyware
products on your desktop hosts or on a gateway host and the number of
firewall rules and URL filters is limited but it is still very useful
(and more so than the Windows XP included firewall). A discussion of
the DI-604 and many other NAT routers does include both NAT and firewall
topics because many provide both functions.
 
Guest

In article <H-ydne5BMd9LiErd4p2dnA@comcast.com>, reply2newsgroup@see-
sig4email.invalid says...
> Leythos said in
> news:MPG.1b40da6a4fe624c298a67a@news-server.columbus.rr.com:
> > In article <J4mdnZ9qBojllkrd4p2dnA@comcast.com>,
> > reply-to-newsgroup@to- email.use-Reply.obey-signature.invalid says...
> >>
> >> Well, firewalls won't protect you from viruses in communications that
> >> YOU establish. Obviously if you can browse the Internet then you
> >> have an outbound hole punched in your firewalls to permit that
> >> connection. That means you can also do downloads. Same for e-mails.
> >> Do you have anti-virus software (and does it auto-update several
> >> times per week and maybe once, or more, per day)? Do you
> >> periodically scan for spyware (which is not detected by anti-virus
> >> products)?
> >
> > You've got your definition of Firewall and NAT devices mixed up.
> > Firewalls can protect you while you are making a connection to a site
> <snip>
>
> When did *I* ever mention NAT (network address translation)? I don't

You indicated that the outbound would be unfiltered - this only happens
in the NAT router type devices, not firewalls. (at least I think that
you typed something like that).

> care what firewall you use or if your boundary device has NAT. YOU are
> still the ultimate barrier for protection. Anti-Virus and anti-spyware
> products help but obviously if your firewall lets you make HTTP and POP3
> connections then those are avenues for inbound infections from downloads
> (files or AX controls) or from e-mail.

And again, even if your firewall lets you make HTTP connections, you can
still filter the content/types that they can access and prevent them
from action being taken when they click on a .EXE (or other) file while
browsing the web. The users are the ultimate line of compromise, not
defense, even educated users make mistakes. If you can head off most of
it by using a real firewall then you are a lot better off than just
having a smart user behind the computer.

> By the way, the DI-604 mentioned does have a built-in firewall besides
> the NAT function. It doesn't replace using anti-virus and anti-spyware
> products on your desktop hosts or on a gateway host and the number of
> firewall rules and URL filters is limited but it is still very useful
> (and more so than the Windows XP included firewall). A discussion of
> the DI-604 and many other NAT routers does include both NAT and firewall
> topics because many provide both functions.

The DI-604 does not have a "built-in firewall" it has a couple features
found in most firewall systems. NAT, MAC filtering, IP Filtering, URL
Filtering, Domain Blocking do not make it a firewall, they make it a
very nice NAT router with some good features. Reference:
http://www.dlink.com/products/resource.asp?pid=62&rid=303


This one is a lot closer to a firewall than the DI-604:
http://www.dlink.com/products/?pid=66
Spec's at:
http://www.dlink.com/products/resource.asp?pid=66&rid=316

The DI-604 is just a router that provides NAT and some additional
features found in any firewall, but it is not a firewall. This is about
the same as any other router on the market, mostly marketing hype.

Now you know why I brought up the difference between NAT devices and
Firewalls.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest

Leythos said in
news:MPG.1b40efbb96542ae398a67b@news-server.columbus.rr.com:
> In article <H-ydne5BMd9LiErd4p2dnA@comcast.com>, reply2newsgroup@see-
> sig4email.invalid says...
>> Leythos said in
>> news:MPG.1b40da6a4fe624c298a67a@news-server.columbus.rr.com:
>>> In article <J4mdnZ9qBojllkrd4p2dnA@comcast.com>,
>>> reply-to-newsgroup@to- email.use-Reply.obey-signature.invalid
>>> says...
>>>>
>>>> Well, firewalls won't protect you from viruses in communications
>>>> that YOU establish. Obviously if you can browse the Internet then
>>>> you have an outbound hole punched in your firewalls to permit that
>>>> connection. That means you can also do downloads. Same for
>>>> e-mails. Do you have anti-virus software (and does it auto-update
>>>> several times per week and maybe once, or more, per day)? Do you
>>>> periodically scan for spyware (which is not detected by anti-virus
>>>> products)?
>>>
>>> You've got your definition of Firewall and NAT devices mixed up.
>>> Firewalls can protect you while you are making a connection to a
>>> site <snip>
>>
>> When did *I* ever mention NAT (network address translation)? I don't
>
> You indicated that the outbound would be unfiltered - this only
> happens in the NAT router type devices, not firewalls. (at least I
> think that you typed something like that).

I can filter outbound connections using URL filtering using something
like a proxy, say PC Magazine's CookieCop, which is obviously not a
firewall and also obviously nothing to do with NAT. Not having any
firewall software or hardware and no router, and just connecting the NIC
directly to the cable modem, also would not filter outbound traffic and
obviously NAT isn't even used in this scenario. Filtering
outbound/inbound traffic, or the lack of it, has nothing to do with NAT.
Network Address Translation has to do with wrapping another envelope
around your traffic from one host when it connects to the Internet so
the target host's response can be unwrapped and then sent to the correct
internal host on your network. To your ISP and to the target host, only
one host is generating outbound traffic (your NAT device) and that is
the host to which any response traffic gets sent (and then it gets
unwrapped to redirect to the correct internal host). NAT by itself does
no filtering. It hides the structure of your intranetwork. As such, it
provides some protection against hacking attempts. It does nothing to
control the content of your traffic - in or out. See
http://snipurl.com/78us. Actually you and I may be in vehement
agreement that NAT does no filtering but have simply stated it
differently.

Lacking the detection of unauthorized outbound connections is not just a
property of NAT routers. Windows XP's firewall doesn't check nor
restrict outbound connections, even from spyware, but is still
considered a firewall. Neither does BlackIce block outbound
connections. Not restricting outbound connections (which are not
initiated by permitted inbound connections) does not disqualify a
product as a firewall. I'm pretty sure every firewall product could be
configured to permit fully unrestricted and unfiltered outbound traffic.

A firewall in a router won't know what application generated that
traffic. The advantage of using a software firewall on a host is that
it can track which applications are authorized to have Internet access
and which do not. With a local firewall program, you can define rules
for your applications. On the router, you can't, so the rules on the
router will not be based on applications but rather on what types of
traffic is permitted and from where. The DI-604 does permit you to
define rules based on host (MAC or IP), traffic type (protocol), and
destination (LAN and/or WAN). While these same rules can be defined in
your software firewall (and usually are), they are the only types you
can define on the separate router host (because the applications aren't
running there). So not having application rules (for Internet access)
does not disqualify a firewall built into a router as a firewall.

The other fallacy (for software firewalls) is that checking the program
wanting outbound connections is authorized (by the user via prompt or
using automatic rules for known applications) will really provide much
security. This is not as protective as many would think. Once a user
permits, say, IE to have outbound connections then other programs can
use IE's libraries to also make those outbound connections. They hide
behind IE and since you authorized IE to have outbound connections then
you also authorize any program that can use IE to have outbound
connections. Norton's firewall has a couple of added features under its
Firewall tab options that let you know what initiated IE, or any
authorized program, to make a connection:

- Check access settings for external modules that programs use to
connect to the Internet.

- When one program launches another, check Internet access settings for
each program.

I only use the second option. Enabling both options can make using your
computer rather tedious with all the prompts and having to investigate
each module that is trying to get a connection (and which may be getting
that connection through another module). Without these options, if you
have previously authorized IE to make connections then you won't get
another prompt for it when something other than IE is really initiating
the connection. However, with these options, if another program runs
IE, like the Help and Support feature, then you will get prompted that
an unauthorized program A is trying to use authorized program B to make
an Internet connection. Go to http://tooleaky.zensoft.com/ and run the
test program to show you that authorizing IE will also authorize any
program that uses IE to make a connection (after the test, I found that
I had to kill the tooleaky process since it didn't unload by itself).

While Norton has these options, I doubt many of its users actually
employ them, and I suspect some other firewall products do not have these
features. Again, these additional features enhance a firewall's
function but the lack of them does not disqualify a product as a firewall.

<snip>
>> By the way, the DI-604 mentioned does have a built-in firewall
>> besides the NAT function. It doesn't replace using anti-virus and
>> anti-spyware products on your desktop hosts or on a gateway host and
>> the number of firewall rules and URL filters is limited but it is
>> still very useful (and more so than the Windows XP included
>> firewall). A discussion of the DI-604 and many other NAT routers
>> does include both NAT and firewall topics because many provide both
>> functions.
>
> The DI-604 does not have a "built-in firewall" it has a couple
> features found in most firewall systems. NAT, MAC filtering, IP
> Filtering, URL Filtering, Domain Blocking do not make it a firewall,
> they make it a very nice NAT router with some good features.
> Reference: http://www.dlink.com/products/resource.asp?pid=62&rid=303

The lack of stateful packet inspection (SPI) provides additional
protection for the firewall that incorporates this feature. The lack of
this feature does not disqualify a product from being a firewall
program. Note that "intrusion detection" is a behavioral analysis check
usually based on algorithms to detect methods for known hack attempts.
IP spoofing is eliminated by SPI while port scans are eliminated by
intrusion detection.

> This one is a lot closer to a firewall than the DI-604:
> http://www.dlink.com/products/?pid=66
> Spec's at:
> http://www.dlink.com/products/resource.asp?pid=66&rid=316
>
> The DI-604 is just a router that provides NAT and some additional
> features found in any firewall, but it is not a firewall. This is
> about the same as any other router on the market, mostly marketing
> hype.

So then YOU provide what is the minimal definition of a firewall. What
features the top-notch, multi-hundreds of dollars firewall products
possess do not define a firewall because then only the most fantastic
and all-encompassing product produced later could then be called a
firewall and every product that used to be called a firewall can no
longer be called a firewall. An 8086 chip is still a CPU although we're
using P4's today.

Fact is, the definition of what is a firewall is very loose. BlackIce's
web page says it is a firewall but in their defensive correspondence they
claim it isn't exactly a firewall but more a behavioral analysis program
(i.e., intrusion detector); see http://grc.com/lt/bidresponse.htm.
Windows XP's firewall has SPI. Is the lack of SPI enough to disqualify
a firewall from being a firewall? I see articles like
http://www.fact-index.com/s/st/stateful_firewall.html where it says SPI
is a feature of more advanced firewalls, but that means less advanced
firewalls without SPI were still deemed firewalls (see
http://www.fact-index.com/s/st/stateless_firewall.html for a definition
of stateless *firewalls*). If you read the link for the definition of a
firewall, all it mentions is that it is a means of enforcing policy in
regards to traffic, and rules are used. The DI-604 has rules. I think
you are adding way too many of the features of newer firewalls used to
enhance and extend security beyond what qualifies as a basic firewall.

Yes, the DFL-300 has a better firewall than does the DI-604, but this
does NOT mean the DI-604 has no firewall. Just because 200-pound
watermelons exist does not mean all the 20-pound watermelons are no
longer watermelons.

> Now you know why I brought up the difference between NAT devices and
> Firewalls.

I wonder how long ago we lost Roy, the OP. ;->

--
____________________________________________________________
*** Post replies to newsgroup. Share with others.
*** Email domain = ".com" *AND* append "=NEWS=" to Subject.
____________________________________________________________
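As an added illustration of the NAT behaviour Vanguard describes above (constructed example code, not DI-604 firmware and not anything posted in this thread), the toy router below keeps a translation table: an outbound connection creates an entry and leaves with the router's WAN address, an inbound packet is forwarded only if it matches an entry from the peer the LAN host actually contacted, and everything else is dropped. It also carries one global protocol/port outbound rule of the stateless kind the thread says such routers offer, and it never looks at payload, which is exactly why NAT alone does no content filtering; the addresses are constructed sample values from the documentation ranges.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Header fields only: the router never sees or inspects application payload."""
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    """Toy consumer NAT router: a translation table plus optional stateless rules."""
    wan_ip: str
    lan_prefix: str = "192.168.0."
    # stateless rule set: (proto, destination port) pairs blocked for every LAN host
    blocked_outbound: set = field(default_factory=set)
    # flow -> allocated public port, and the reverse map used for inbound lookups
    by_flow: dict = field(default_factory=dict)
    by_port: dict = field(default_factory=dict)
    next_port: int = 40000

    def is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def forward(self, pkt: Packet):
        """Return ("allow", translated_packet) or ("drop", reason)."""
        if self.is_lan(pkt.src_ip) and not self.is_lan(pkt.dst_ip):
            return self._outbound(pkt)
        if not self.is_lan(pkt.src_ip) and pkt.dst_ip == self.wan_ip:
            return self._inbound(pkt)
        return ("drop", "not a LAN<->WAN flow")

    def _outbound(self, pkt: Packet):
        # the only outbound control a NAT-only box offers: a global port/protocol block
        if (pkt.proto, pkt.dst_port) in self.blocked_outbound:
            return ("drop", "matched outbound filter rule")
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.by_flow.get(flow)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = pub_port
            self.by_port[(pkt.proto, pub_port)] = flow
        # the remote host and the ISP only ever see the router's WAN address
        return ("allow", Packet(pkt.proto, self.wan_ip, pub_port, pkt.dst_ip, pkt.dst_port))

    def _inbound(self, pkt: Packet):
        flow = self.by_port.get((pkt.proto, pkt.dst_port))
        if flow is None:
            # no LAN host asked for this: unsolicited inbound has nowhere to go
            return ("drop", "no translation entry (unsolicited inbound)")
        proto, lan_ip, lan_port, remote_ip, remote_port = flow
        # connection-tracking check: the reply must come from the peer the LAN host contacted
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return ("drop", "source does not match the tracked connection")
        return ("allow", Packet(proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port))


def run_scenarios() -> dict:
    """Constructed sample traffic; returns each case's verdict and the translated addresses."""
    router = NatRouter(wan_ip="203.0.113.5", blocked_outbound={("tcp", 25)})
    lan_pc, web = "192.168.0.10", "198.51.100.20"
    results = {}
    # 1. LAN host browses a web site: allowed, source rewritten to the WAN address
    verdict, out = router.forward(Packet("tcp", lan_pc, 51000, web, 80))
    results["browse"] = verdict
    results["browse_src"] = (out.src_ip, out.src_port)
    # 2. the web server's reply maps back to the internal host and port
    verdict, back = router.forward(Packet("tcp", web, 80, "203.0.113.5", out.src_port))
    results["reply"] = verdict
    results["reply_dst"] = (back.dst_ip, back.dst_port)
    # 3. a stranger probes the WAN address on port 80: no entry, dropped
    results["probe"] = router.forward(Packet("tcp", "198.51.100.99", 4444, "203.0.113.5", 80))[0]
    # 4. a third party aims at the open mapping from the wrong peer: dropped
    results["wrong_peer"] = router.forward(Packet("tcp", "198.51.100.99", 80, "203.0.113.5", out.src_port))[0]
    # 5. outbound SMTP hits the global stateless rule: dropped for every LAN host
    results["smtp"] = router.forward(Packet("tcp", lan_pc, 51001, web, 25))[0]
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```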
 

roy

I am currently running Win XP Pro SP2 RC2, Dlink 604 Router, along with
Trend Micro's Pc-Cillin Anti Virus 2004, which updates every three hours and
in my opinion is an excellent product. I also check regularly for Trojans,
spyware, and cookies, using Ad-Aware 6.0, Pest Patrol, and Spy Bot 1.3.
Above all else, I do practice safe hex, and feel that I have done just about
everything possible to keep my machine safe, short of shutting it off.
Thanks for all your help!

"*Vanguard*" <reply-to-newsgroup@to-email.use-Reply.obey-signature.invalid>
wrote in message news:J4mdnZ9qBojllkrd4p2dnA@comcast.com...
> Roy said in news:xGnBc.834614$Ig.198794@pd7tw2no:
>> Thanks, I just wanted to make sure that I had all my bases covered.
>>
>> Now onward to the internet surfing.
>>
>
> Well, firewalls won't protect you from viruses in communications that
> YOU establish. Obviously if you can browse the Internet then you have
> an outbound hole punched in your firewalls to permit that connection.
> That means you can also do downloads. Same for e-mails. Do you have
> anti-virus software (and does it auto-update several times per week and
> maybe once, or more, per day)? Do you periodically scan for spyware
> (which is not detected by anti-virus products)?
>
>
 
Guest

In article <iOOBc.856664$Ig.523726@pd7tw2no>, nobody@shaw.ca says...
> Actually I am reading all this and trying to learn from it. But I must say
> that your level of knowledge is way above mine when discussing this topic.

It's only above you until you learn a little more - and you are on the
right track from the sound of it.

> I asked a simple question, and have received answers that require me to
> search the web further for clarification on your conversation topics. My
> level of understanding is way below your knowledge of how routers and
> firewalls work.

Stick with us and you'll understand just fine, that's what we're here
for.

> I will continue to use my Win XP Pro SP2 RC2, D-Link 604, Zonealarm Pro,
> Trend Micro PC-Cillin AV, Ad-Aware, Spybot, Pest Patrol, and safe hex.
> Hopefully I can survive! But I know that someone somewhere will come up with
> a way to defeat my system, and I will continue to look for ways and
> equipment to defeat them and achieve peace of mind.

Your SP2 is doing very little for you, but the Router and ZA are doing
the majority of the work for you.

Think about inbound attacks in this order:

Internet
|
Cable Modem / DSL Modem
|
Router w/NAT - stops anything you didn't invite IN
|
Zone Alarm Pro - same as router, more granular control of PC
|
SP2 - lets in what you configured it to let in
|
Your PC

The other things just work on things that actually make it past the
others and get to the "Your PC" level.

On outbound you have the following path:

AV software / other software on your machine, email, etc...
|
Your PC
|
SP2 - lets everything out
|
Zone Alarm - lets out anything you permit out (prone to user errors)
|
Router w/NAT - lets everything out (in general)
|
Cable Modem / DSL Modem
|
Internet

With everything you are running on your computer, I'm sure you are
having some performance issues, but I would say that you are a lot
better protected than 90% of the people out there right now. Stick with
us, we'll keep answering your questions.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest

Well, I'll agree with you that the "firewall" (misnamed or not) is not
an extremely protective device. There's no way that I'd use the
consumer-grade NAT routers (with "firewall-like" features) without also
employing a software firewall product running on my host(s) or a gateway
to them.

Thanks for the info.
 
Guest

In article <DKydncrXBLSqNEXdRVn-gQ@comcast.com>, reply-to-newsgroup@do-
not-email.invalid says...
> Well, I'll agree with you that the "firewall" (misnamed or not) is not
> an extremely protective device. There's no way that I'd use the

Uhm, I disagree - a "Firewall" not a misnamed router, is a very
protective service/device and can limit your exposure to bad things to
less than 1% of what a router/NAT system would.

> consumer-grade NAT routers (with "firewall-like" features) without also
> employing a software firewall product running on my host(s) or a gateway
> to them.

I don't install "soft" firewalls on machines used by people. A
properly configured firewall, log readings, IDS, and quality AV software
mean you don't really have to run them on hosts. Unless you configure
the rules and block users from making changes, a host based firewall is
easily compromised by the user.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest

Leythos said in
news:MPG.1b427a8d4853166198a68e@news-server.columbus.rr.com:
>
> I don't install "soft" firewalls on machines used by people. A
> properly configured firewall, log readings, IDS, and quality AV
> software mean you don't really have to run them on hosts. Unless you
> configure the rules and block users from making changes, a host based
> firewall is easily compromised by the user.
>

In the environment in which a user would be deploying a DLink DI-604 NAT
router, ALL the hosts are under their control, including your concept of
using a separate gateway or proxy host running the firewall and
anti-virus programs. So any compromise of a software firewall running
on any of their intranet hosts would extend to the gateway/proxy host
where you separately would run the firewall. I doubt Roy was using the
DI-604 in a corporate environment. A DI-604 would be a bad joke in a
corporate environment, but also a bad joke is someone using a $5000
Cisco IOS Firewall device (or even a $300+ DLink DFL-300) in a home
network to protect a single $500 consumer-grade PC. The "implied
environment" was some guy at home with one or two computers connected to
the cheapie DLink DI-604, not a small business of 25+ employees or a
corporate environment of hundreds of employees. I was keeping the cost,
which includes management, expertise level, and complexity of equipment
within the realm of the assumed environment: a home PC user. You need
to employ the grade and cost of equipment and management suitable to the
environment in which it gets deployed.

--
____________________________________________________________
*** Post replies to newsgroup. Share with others.
*** Email domain = ".com" *AND* append "=NEWS=" to Subject.
____________________________________________________________
 
Guest

On Tue, 22 Jun 2004 04:43:58 GMT, "Roy" <nobody@shaw.ca> wrote:

>I will continue to use my Win XP Pro SP2 RC2, D-Link 604, Zonealarm Pro,
>Trend Micro PC-Cillin AV, Ad-Aware, Spybot, Pest Patrol, and safe hex.
>Hopefully I can survive! But I know that someone somewhere will come up with
>a way to defeat my system, and I will continue to look for ways and
>equipment to defeat them and achieve peace of mind.

I doubt it. You have to think of it like a burglar. If your system
has open doors, or is very easy access, they'll come in and have a
look around. If your system is tightly secured they'll move on and
look elsewhere.

Sure they MAY be able to crack a way in if they put a massive amount
of effort into it but, no offense, are you really worth it? Only if
they think there's something desperately worth it would they even
bother trying.

Myself and my neighbour have heavily encrypted our wireless networks,
not to mention hardware firewalls, NAT routers, MAC address filtering,
software firewalls, AV software, anti-spyware, sensitive files
encrypted and password protected. Why bother trying to crack open our
wireless networks when there is a third from somewhere else in the
street with no encryption at all?
 
Guest

In article <7pudnVUx5b_da0XdRVn-jw@comcast.com>, reply-to-newsgroup@do-
not-email.invalid says...
> I doubt Roy was using the
> DI-604 in a corporate environment. A DI-604 would be a bad joke in a
> corporate environment, but also a bad joke is someone using a $5000
> Cisco IOS Firewall device (or even a $300+ DLink DFL-300) in a home
> network to protect a single $500 consumer-grade PC. The "implied
> environment" was some guy at home with one or two computers connected to
> the cheapie DLink DI-604, not a small business of 25+ employees or a
> corporate environment of hundreds of employees.

I fully understand the implications of his post, and I fully understand
the levels of protections. My beef is with people being told that
NAT/SPI makes their product a firewall when it really is just a router
with some firewall "LIKE" features.

While I don't advocate installing a "Firewall" in homes, I do make it a
point to try and explain the difference between a firewall and a router.
Some people may have sensitive information on their home computers, some
may care that they are not getting a real firewall (and all the
protection that a REAL firewall affords them), and some people may be
willing to spend $400 for a real firewall device instead of the $50/100
that they spent on the router.

I read an article last night where D&T estimates that 1.4 million people
had their identities stolen, 90% of them were done in the last year.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest

On Wed, 23 Jun 2004 12:49:56 GMT, Leythos <void@nowhere.com> wrote:

>If the device is a router with NAT, that may or may not employ SPI, then
>it's just what I wrote, a NAT router with SPI, not a firewall. By
>default, your device permits all outbound traffic completely
>unrestricted, and does not have rules for blocking services/ports by IP
>address inside the lan.

I have not tried to configure any new rules for outbound traffic on
the router, principally because there are only two machines on the LAN
and both have ZoneAlarm on so I can keep track of what is looking to
send information out.

However it is perfectly possible to block services and ports outbound
on the router, although AFAIK not by IP address. Instead the rules
are global, affecting all machines using the router as a means to
access the internet. This can be circumvented by setting a single IP
address as the master computer which bypasses any restrictions imposed
by the router, including restricted websites and so on.

I have no wish to restrict any internet activities of myself or the
Mrs, but I do like to be sure that the risk of trojans etc is
minimised as much as possible, hence ZA, together with AV and spyware
progs.

Would I need anything more for my home LAN?
 
Guest

In article <al3jd01bq5hloeqd1j6vh512givkq4khmv@4ax.com>,
plesbit@hotmail.com says...
> I have no wish to restrict any internet activities of myself or the
> Mrs, but I do like to be sure that the risk of trojans etc is
> minimised as much as possible, hence ZA, together with AV and spyware
> progs.
>
> Would I need anything more for my home LAN?

For a home network, a NAT device, quality AV software, a detection tool
like "Spybot Search and Destroy", the one from www.safer-networking.org,
and your own ZA should put you in the well protected category.

Spybot can be found at http://www.safer-networking.org/


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest

On Wed, 23 Jun 2004 10:54:46 +0100, Simon Pleasants
<plesbit@hotmail.com> wrote:

>Why bother trying to crack open our
>wireless networks when there is a third from somewhere else in the
>street with no encryption at all?

Oh, possibly because of the challenge; it's amazing what tools are
available, AirSnort for example:

http://airsnort.shmoo.com/

"AirSnort is a wireless LAN (WLAN) tool which recovers encryption
keys. AirSnort operates by passively monitoring transmissions,
computing the encryption key when enough packets have been gathered."