Firewalls and Antivirus questions

Brian Austin said:
Anyone using portfast is trying to make up for a poorly designed network or protocol. The only time I've used it is with Netware 5 IPX GetNearestServer calls on a particularly large network (college). Stupid Cisco spanning tree algorithm took so long to transition to a forwarding state that IPX decided that there WAS no server available. Funny how it only happened on our faster machines. The other ones booted so slow that spanning tree was done by the time the Novell client was asking. ;)
Agreed
 
Greg Bockelman said:
Well, my laptop goes on the road with me, and probably no hardware firewall with the wireless systems I use. Maybe they do, but I am not sure. I will leave Windows Firewall on for that, but on my home stuff I won't worry about it.

Thanks again for the input, guys.

That's why I made sure to mention that. As for the input, anytime, I mean what else am I going to do during the last hour or so of work? ;)
 
wbarnhill said:
Yeah, I'm surprised we still use it, but with about 100 switches on campus, I'm just lucky my boss hasn't told me to go change the configs.
We used to be able to do blanket config changes with Cisco's switch manager (forget the name) at scheduled times. Just start at the perimeter and work your way in, though. Silly me started at the core one time and couldn't figure out why the logs showed a lot of unreachable entries the next morning. :D
 
Greg Bockelman said:
Well, my laptop goes on the road with me, and probably no hardware firewall with the wireless systems I use. Maybe they do, but I am not sure. I will leave Windows Firewall on for that, but on my home stuff I won't worry about it.

Thanks again for the input, guys.
If you're connecting to networks on someone else's wireless, then you are probably already behind their firewall. However, the fact that you use wireless is itself a reason to have a software firewall running, because the wireless network may not be secure.

Heck, just the fact that you're plugging into strange networks is enough reason to play it safe and have it running, even hardwired in.

More explanation on firewalls (simplified somewhat): The firewall in the airplane is designed to keep a fire in the engine forward of the passenger compartment. A computer firewall is designed to keep the fire on the public internet outside of your private network.

Your computer connects to the wide area network (internet) through a gateway, and traffic is able to flow two ways through that gateway. That point of entry, the gateway point, has an IP. That gateway point might be your PC, or it might be your hardware firewall or your router, but it has a single IP through which all traffic to your computer (and if you have a network, your network) flows.

Traffic can be incoming or outgoing. The direction is determined not by the flow of data, but by the initiator of the contact. If you browse to PoA, you open a connection to PoA's server, and that connection (kind of like a phone call) stays open until we're done. You call us, and we talk back and forth. That's an outbound connection. On the other hand, if PoA tried to call you, that would be an inbound connection.

Firewalls block connections. Mainly inbounds but they can block in either direction.

Each IP has a number of ports. A port is kind of like an extension on a telephone exchange. When you browse to POA, you connect to the IP mapped to www.pilotsofamerica.com and you then connect to port 80, the standard HTTP port. It's like calling an office and asking for Joe Smith at extension 5080, only it's all hidden from you - but it's 1 phone # and thousands of extensions. (1 IP, 32767 ports, to be exact).

The standard household hardware firewall allows ALL outbound calls and NO inbound calls. If you want to run a web server on port 80, your firewall has to be adjusted to allow calls on port 80 in, because running a web server means your server has to be the 800 number and answer the calls, it can't initiate them.

The software firewalls tend to be a bit more dynamic - they run directly on your computer and monitor direct access to and from your computer, using your computer's CPU cycles to do so. This allows them to be more interactive and say, "Hey, do you REALLY wanna call up www.haxubadroxorlolol.com on port 9218?" (which no, you don't) when the request is going out, but the cost of course is your comp runs a bit slower overall 'cause it has more work to do. Very good when your computer goes with you to strange networks...
 
Greebo said:
(1 IP, 32767 ports, to be exact).
(Warning: major geek speak thread hijack here)

Only 32,767 ports? Where did you get that number? The port field is 16 bits and 2^16 = 65,536 possibilities (including 0, which isn't used).

And both TCP and UDP can have the 16 bit number....so there are actually 131,070 possible ports taking out the two zeros.

http://en.wikipedia.org/wiki/TCP_and_UDP_port
 
Brian Austin said:
Only 32,767 ports? Where did you get that number?
Major brain fart and citing from memory...cross wired with having recently had a discussion about what 0xF000 represented in a signed int.

Sorry :) I'm usually better at my powers of 2 than that :)
 
Greg Bockelman said:
So what is a hardware firewall?
It's really a software firewall, but it runs on external hardware. Clear? ;)

Today about any home network router/appliance has a firewall built in to it among many other functions. It goes on the link to the big bad outside world via your DSL or cable connection and your home PCs connect to that device on "the inside." The firewall in the hardware device blocks inappropriate incoming traffic from bad guys on the outside. Your PC(s) don't have to have any software whatsoever to be protected. They just connect and that gateway device does the work transparently.

Now, you wanna know what those things actually have in them? All of this stuff used to take separate devices and software, lessee, Router with PPPoE functionality and Network Address Translation, Ethernet switch, Firewall - often with stateful packet inspection, web server (for configuration), DHCP server, DNS proxy, and sometimes, WiFi Access point, Network printer sharing, Web filter with access rules.... All of that now costs you $50 or so. There was a time not real long ago when it was many $1000s.

The best thing is that because all that stuff is built in, you won't have to do more than configure it to log in to your ISP for DSL, and for cable not even that. It will all just work.
 
LeonardMack said:
I'm assuming if you have 2500 PC's on a network (or multiple networks), that you probably have plenty of hardware firewalls that essentially make the use of Windows firewall null and void.

Yes - Checkpoint and McAfee hardware appliances. However, 30% of those 2,500 are laptops that are used on the road from home, hotels, etc on sometimes insecure networks. The Windows firewall isn't null and void.

Greg
182RG
 
ggroves said:
The Windows firewall isn't null and void.

Greg
182RG

You took it out of context. If you are behind another firewall, it is "null and void" (i.e. doesn't do a whole lot). If it is a laptop that travels, then it isn't behind a firewall and should have a software firewall running.
 
LeonardMack said:
You took it out of context. If you are behind another firewall, it is "null and void" (i.e. doesn't do a whole lot). If it is a laptop that travels, then it isn't behind a firewall and should have a software firewall running.
On the contrary, a local firewall which is behind an enterprise firewall can help protect your computer from any threats that manage to make it inside the hive, if you will. It may not do as much, but redundancy is not a bad thing when threats can and do get past the outer guards.
 
I'm gonna hijack this thread and ask for some help regarding my own setup. :D I'm a former CprE geek, but I've since switched over to the world of wrench-turning. *DOH* (Getting ready to head back to school to get back into one of those 'boring' desk jobs. ;))

Anywho.. Here's my situation: I'm getting ready to wipe clean and rebuild my home desktop computer. The darn thing seems to get slower every day and it's been about 2 years since I did it (I know, the thing is ancient) so I'm ready to wipe it clean again and start with a clean slate.

1.) From what I've read here and the little tidbits that I've picked up on the 'net, I will be switching from IE to FireFox with the new install. Any special info I need to know to make this happen smoothly?

2.) I am fed up with NAV. I bought the update in January as a combo with TurboTax like I have the past 3 years. The only problem is that THIS time it decided to tell me that my subscription has expired about 3 months into it. On top of that, the 'update' to the new version has never gelled with the old version and it seems that one of them is always trying to tell me it's broken. I'm thinking about switching to McAfee. Is there anything out there as good/better that I should look into? I don't mind paying a bit per year for GOOD and USEFUL AV protection. (my wife is not computer savvy)

3.) I have DSL at home, which runs through a DSL "modem" which also acts as a DHCP server. Does this qualify as a firewall? Regardless if it does or not, I'm running a Linksys router behind the modem, so I know it fits the bill. Is there anything I need to 'tweak' on the Linksys to make it more protective? (other than change Admin L/P) I used to be able to work my way around routers/switches when I was running through VPN for work, but it's been a while since I dabbled in it.

4.) Which and how many Spybot/Ad protection clients should I use? This stuff wasn't in the forefront when I was dealing with WAN/LAN stuff, so it's all new to me.

Thanks for any and all advice. I'll gladly trade Computer Tech support for uhhhh.... hmmmmm.... I guess I can give some herbicide/insecticide advice. :D

-Chris
 
CJones said:
1.) From what I've read here and the little tidbits that I've picked up on the 'net, I will be switching from IE to FireFox with the new install. Any special info I need to know to make this happen smoothly?

Just download it and install it. It is pretty easy.

2.) I am fed up with NAV. I bought the update in January as a combo with TurboTax like I have the past 3 years. The only problem is that THIS time it decided to tell me that my subscription has expired about 3 months into it. On top of that, the 'update' to the new version has never gelled with the old version and it seems that one of them is always trying to tell me it's broken. I'm thinking about switching to McAfee. Is there anything out there as good/better that I should look into? I don't mind paying a bit per year for GOOD and USEFUL AV protection. (my wife is not computer savvy)

Get AVG antivirus. It is free! Go to www.downloads.com and do a search for it. Be sure to download the free version and not the corporate version.

3.) I have DSL at home, which runs through a DSL "modem" which also acts as a DHCP server. Does this qualify as a firewall? Regardless if it does or not, I'm running a Linksys router behind the modem, so I know it fits the bill. Is there anything I need to 'tweak' on the Linksys to make it more protective? (other than change Admin L/P) I used to be able to work my way around routers/switches when I was running through VPN for work, but it's been a while since I dabbled in it.

If your DSL modem has a DHCP server in it, it is most likely a router/firewall also. There probably isn't a reason to have the Linksys behind it.

4.) Which and how many Spybot/Ad protection clients should I use? This stuff wasn't in the forefront when I was dealing with WAN/LAN stuff, so it's all new to me.

Spybot Search and Destroy. You can get it for free at www.downloads.com also. You can also try AdAware.
 
LeonardMack said:
If your DSL modem has a DHCP server in it, it is most likely a router/firewall also. There probably isn't a reason to have the Linksys behind it.
Not so. Most DSL modems are, in fact, DHCP servers but NOT firewalls. They are simple routers, nothing more.

Keep the Linksys, make sure the firmware is kept up to date and the defaults will usually take care of anything that comes along.
 
Brian Austin said:
Not so. Most DSL modems are, in fact, DHCP servers but NOT firewalls. They are simple routers, nothing more.

Keep the Linksys, make sure the firmware is kept up to date and the defaults will usually take care of anything that comes along.

Well, if it is a DHCP server assigning internal IP addresses (non-Internet) it is also acting as a firewall. If someone tries to access, let's say, port 80 internally, it has to have a certain IP address internally to forward that traffic to from the Internet IP to the internally assigned one. So in effect, it is blocking access to all ports unless specifically designated to forward internally.

Maybe I am just ignorant too and have this all wrong! :) I don't claim to know everything about networking, but this is pretty basic.

Also, in the 100s of DSL modems I have set up, I have never seen one that has a DHCP server assigning internal IP addresses not act as a firewall also. So this is what I was basing my answer on. I guess I haven't seen them all.
 
LeonardMack said:
Well, if it is a DHCP server assigning internal IP addresses (non-Internet) it is also acting as a firewall. If someone tries to access, let's say, port 80 internally, it has to have a certain IP address internally to forward that traffic to from the Internet IP to the internally assigned one. So in effect, it is blocking access to all ports unless specifically designated to forward internally.

Maybe I am just ignorant too and have this all wrong! :) I don't claim to know everything about networking, but this is pretty basic.

Also, in the 100s of DSL modems I have set up, I have never seen one that has a DHCP server assigning internal IP addresses not act as a firewall also. So this is what I was basing my answer on. I guess I haven't seen them all.
A DHCP server itself is not a protection method. It's simply a way of handing out IP addresses automatically.

NAT (Network Address Translation) provides inbound "protection" by simply not having a way to map outside-to-inside IP addresses permanently. Most firewalls have the ability to do NAT or PAT (Port Address Translation) for inbound nodes but few people actually use it. Instead the router (note I didn't say FIREWALL) simply assigns an outside IP address/port based on the session that is created by the internal node and the router.

A FIREWALL is not only a way to keep people out. Stateful Packet Inspection (SPI) watches inbound packets for characteristics of attacks, trojans, viruses, etc., and blocks those packets. Going to a certain site that may contain ActiveX or Java code that takes over a computer would be INITIATED by the internal node. The firewall/router forwards the request to the site using the NAT address (external because typical internal addresses are not routable on the Internet) and accepts the incoming packets to forward to the internal node. While going through the SPI engine, the signature is triggered and the packet is sent to the bit bucket, ending the session. Some firewalls will tell you what happened. Others just make it look like the session died for unknown reasons.

Unless you absolutely KNOW the DSL modem has an SPI firewall on it, assume it doesn't and continue using the Linksys (unless it's ancient, most Internet gateway providers have SPI firewalls built in now).

And I'm very familiar with networking, as well as network security and ways around it.
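Greebo's description of the household default (every outbound call allowed, no inbound call unless a port is deliberately opened for a server) and LeonardMack's point that NAT/PAT only "protects" inbound because there is no permanent outside-to-inside mapping can be put side by side in a small simulation. This is an added example, not code from the thread or from any Linksys or Actiontec product; the addresses (203.0.113.10, 192.168.1.x, 198.51.100.x) are constructed documentation-range values and the `Gateway` class is a toy session table, not a model of any real firmware.

```python
"""Toy NAT/PAT gateway with the household default policy:
all outbound connections allowed, no unsolicited inbound."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed addresses for the simulation (RFC 5737 documentation ranges; not from the thread).
PUBLIC_IP = "203.0.113.10"    # the gateway's single outside IP
INSIDE_PREFIX = "192.168.1."  # private addresses the gateway hands out inside


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Gateway:
    public_ip: str
    # outside_port -> (inside_ip, inside_port): explicit port-forward rules
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # (remote_ip, remote_port, outside_port) -> (inside_ip, inside_port): live sessions
    sessions: Dict[Tuple[str, int, int], Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 40000  # next outside port to hand out for PAT

    def add_port_forward(self, outside_port: int, inside_ip: str, inside_port: int) -> None:
        """Punch a hole for a server inside (the web server on port 80 in Greebo's post)."""
        self.forwards[outside_port] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside. Always allowed: rewrite the source to the public IP and a
        fresh outside port, and record the session so the reply can be mapped back."""
        if not pkt.src_ip.startswith(INSIDE_PREFIX):
            raise ValueError(f"{pkt.src_ip} is not an inside address")
        outside_port = self.next_port
        self.next_port += 1
        self.sessions[(pkt.dst_ip, pkt.dst_port, outside_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, outside_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Delivered only if it is the reply half of a recorded session
        or hits a port-forward rule; anything else has no inside mapping and is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None  # not even addressed to this gateway
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.sessions:
            inside_ip, inside_port = self.sessions[key]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        if pkt.dst_port in self.forwards:
            inside_ip, inside_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        return None


def demo() -> dict:
    """Walk through the cases discussed in the thread; returns a dict of outcomes."""
    gw = Gateway(PUBLIC_IP)
    web = "198.51.100.5"      # constructed: some public web server
    stranger = "198.51.100.7"  # constructed: an unrelated outside host

    # 1. A PC inside browses to port 80 (outbound, allowed, session created).
    sent = gw.outbound(Packet("192.168.1.20", 51000, web, 80))
    # 2. The server's reply comes back to the outside port and is mapped inside.
    reply = gw.inbound(Packet(web, 80, PUBLIC_IP, sent.src_port))
    # 3. An unsolicited inbound connection to port 80: no session, no rule -> dropped.
    cold = gw.inbound(Packet(stranger, 4444, PUBLIC_IP, 80))
    # 4. After adding a port-forward for an inside web server, the same packet gets through.
    gw.add_port_forward(80, "192.168.1.30", 80)
    forwarded = gw.inbound(Packet(stranger, 4444, PUBLIC_IP, 80))
    return {"sent": sent, "reply": reply, "cold": cold, "forwarded": forwarded}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:9s} {pkt if pkt else 'DROPPED'}")
```

The simulation models only what the thread describes: a session table populated by outbound traffic plus explicit port-forward rules. It deliberately leaves out the SPI signature matching LeonardMack mentions, which a real firewall layers on top of this table; and it shows why a DHCP server by itself adds nothing here, since nothing in the code depends on how the inside hosts got their addresses.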
 
Let me ask you a key question: did you put your account (email address) and password on the Linksys? You would do that on the web interface. If so, you should keep on going as you are.

Unless you got a newer router/firewall/modem with your DSL - usually with wireless - most DSL modems are just that, simply "modems (not really)" that serve as the ATM node on your side. DHCP and DNS come from servers at your ISP. Your internal router like the Linksys will forward DNS and give an inside IP address with its own DHCP server.

In any case, even with a hardware firewall it doesn't hurt to run a software one.
 
mikea said:
Unless you got a newer router/firewall/modem with your DSL - usually with wireless - most DSL modems are just that, simply "modems (not really)" that serve as the ATM node on your side. DHCP and DNS come from servers at your ISP. Your internal router like the Linksys will forward DNS and give an inside IP address with its own DHCP server.
Not necessarily. A four month old Qwest DSL modem at my office (backup for our 2 T-1s) has a userid/password + DHCP server but no firewall features. It receives its outside IP via DHCP and provides an internal 192.168.x.x address to our firewall. Double NAT doesn't play well with some stuff so I've done some adjustments on it, though.
 
Brian Austin said:
Not necessarily. A four month old Qwest DSL modem at my office (backup for our 2 T-1s) has a userid/password + DHCP server but no firewall features. It receives its outside IP via DHCP and provides an internal 192.168.x.x address to our firewall. Double NAT doesn't play well with some stuff so I've done some adjustments on it, though.

I'm running a QWest DSL modem that I got back in January - "Actiontec DSL Gateway 54Mbps Wireless". It gives my Linksys BEFSR41 a 192.168.1.x IP and my Linksys turns around and gives my PC and PS2 ;) and friend's laptop another 192.168.100.x IP address. I *think* the DSL modem contains the L/P for QWest WAN access; of course, they might be running off MAC authentication.. Not sure...

Like I said, I used to be able to rip into the configs on these things and set up NAT and everything like I wanted it, but I haven't done it in so long that I lost a lot of the 'logic' behind the systems. I haven't had any problems running things through the 'double' IP trading that's going on, though.

Thanks again for the info..

-Chris
 
CJones said:
I'm running a QWest DSL modem that I got back in January - "Actiontec DSL Gateway 54Mbps Wireless". It gives my Linksys BEFSR41 a 192.168.1.x IP and my Linksys turns around and gives my PC and PS2 ;) and friend's laptop another 192.168.100.x IP address. I *think* the DSL modem contains the L/P for QWest WAN access; of course, they might be running off MAC authentication.. Not sure...
MAC authentication takes too much overhead from my experience. It's either PPPoE with no authentication (i.e. they are authenticating the circuit itself) or it's already got it on there.

My issues are videoconferencing (H.323 doesn't play well with double NAT) and VPN access (it's a backup VPN circuit). And it's also inbound issues vs outbound. Most home users aren't doing any type of inbound traffic (except for responses to their outbound requests).
 
CJones said:
I'm running a QWest DSL modem that I got back in January - "Actiontec DSL Gateway 54Mbps Wireless". It gives my Linksys BEFSR41 a 192.168.1.x IP and my Linksys turns around and gives my PC and PS2 ;) and friend's laptop another 192.168.100.x IP address. I *think* the DSL modem contains the L/P for QWest WAN access; of course, they might be running off MAC authentication.. Not sure...

Like I said, I used to be able to rip into the configs on these things and set up NAT and everything like I wanted it, but I haven't done it in so long that I lost a lot of the 'logic' behind the systems. I haven't had any problems running things through the 'double' IP trading that's going on, though.

Thanks again for the info..

-Chris

Ahh. The key word there is gateway. The Actiontec is a router/NAT/firewall etc. You do have a firewall talking to a firewall. You could leave it alone but it may be giving you some extra latency.

I'll bet if you plug everything, including the Actiontec, into the "inside" part of the Linksys, the Linksys will work fine as simply a switch and take one router/firewall (the one inside the Linksys) out from between you and the outside world. That is, you now have the Actiontec on the WAN port of the Linksys. Try putting it on one of the ports in the same group where your PCs connect. Just know that in this case you'll be depending on the quality of the firewall inside the Actiontec.
 