networking with zonealarm

Bob

I have been having trouble getting my network set up
between my 2 computers. I have a wireless router and a
desktop and laptop connected to it. When I disable
Zonealarm, the computers communicate, but with Zonealarm
running, they won't network. My question is this--do I
even need Zonealarm? Is the firewall in the router all I
need? I was advised to disable the firewall in my XP
internet connections.
Bob
 
Chuck

I have been having trouble getting my network set up
between my 2 computers. I have a wireless router and a
desktop and laptop connected to it. When I disable
Zonealarm, the computers communicate, but with Zonealarm
running, they won't network. My question is this--do I
even need Zonealarm? Is the firewall in the router all I
need? I was advised to disable the firewall in my XP
internet connections.
Bob

Bob,

With a wireless network, you do indeed need ZA or another firewall on each
computer.

Is this Zone Alarm Free or Pro? With Pro, you need to identify each computer as
being in the Local (Most Trusted) Zone on the other, then open the following
ports in Local Zone: TCP 139, 445; UDP 137, 138, 445.

I am told that there is a selection somewhere in ZA Free also, supposedly
"Enable file sharing" or the like, probably under Local Zone settings.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
Bob

Chuck,
thanks for the reply. I am running the free version of
zonealarm and it does not appear to have the ability to
allow file sharing. I definitely notice that the only
time I can share files is when I disable Zonealarm. It
will not allow sharing no matter what security settings I
use.
Bob
 
Chuck

Chuck,
thanks for the reply. I am running the free version of
zonealarm and it does not appear to have the ability to
allow file sharing. I definitely notice that the only
time I can share files is when I disable Zonealarm. It
will not allow sharing no matter what security settings I
use.
Bob

Bob,

Is this the most current version of ZAF?

What is the paranoia level in ZAF set at right now? Can you drop a level?

If you can't get ZAF to work for you, there are other solutions. I have heard
good things about Kerio and Sygate personal (free) firewalls. Discussion groups
comp.security.firewalls and microsoft.public.security are good places to
research this.

Or upgrade to ZA Pro.

Other security considerations for a wireless LAN:
Enable WEP / WPA. Use non-trivial (non-guessable) values for each. (No "My dog
has fleas").
Enable MAC filtering.
Disable DHCP, and assign an address to each computer manually.
Change the subnet of your LAN - don't use the default.
Change the router management password, and disable remote (WAN) management.
Don't disable SSID broadcast - some configurations require the SSID broadcast.
But change the SSID itself - to something that doesn't identify you, or the
equipment.
Enable the router activity log. Examine it regularly. Know what each
connection listed represents - you? a neighbor?
Use non-trivial accounts and passwords on every computer connected to a wireless
LAN. Disable or delete Guest userid. Rename Administrator, to a non-trivial
value, and give it a non-trivial password. Never use the Administrator renamed
account for day to day activities, only when intentionally doing administrative
tasks.
Stay educated - know what the threats are. Newsgroups alt.internet.wireless and
microsoft.public.windows.networking.wireless are good places to start.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
Bob

Chuck,
by paranoia level, I take it you mean the internet
security and trusted security levels? I have them set
for medium and it's still not allowing me to network. It
doesn't make sense that I can't network while I'm using
ZA.
thanks,
Bob
 
Chuck

Chuck,
by paranoia level, I take it you mean the internet
security and trusted security levels? I have them set
for medium and it's still not allowing me to network. It
doesn't make sense that I can't network while I'm using
ZA.
thanks,
Bob

Bob,

That's the setting. What are the descriptions for "Medium" and "Low" Security
Levels? Try "Low" Security as a diagnostic.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
Steve Winograd [MVP]

"Bob" said:
I have been having trouble getting my network set up
between my 2 computers. I have a wireless router and a
desktop and laptop connected to it. When I disable
Zonealarm, the computers communicate, but with Zonealarm
running, they won't network. My question is this--do I
even need Zonealarm? Is the firewall in the router all I
need? I was advised to disable the firewall in my XP
internet connections.
Bob

Your router acts as a firewall, blocking undesired incoming traffic to
your computers from other Internet users. You don't need a firewall
program for incoming protection.

However, the router can't prevent undesired outgoing traffic from your
computer to the Internet, which can happen if your computer is
infected with a virus, worm, Trojan horse, etc. If that type of
protection is important to you, use a firewall, like ZoneAlarm, that
can block it.

If you keep ZoneAlarm, put your local area network into the Trusted
zone, not the Internet zone.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Bob Willard

Chuck said:
Bob,

That's the setting. What are the descriptions for "Medium" and "Low" Security
Levels? Try "Low" Security as a diagnostic.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

I use both ZAF and ZAP, and the solution is pretty much the same for both:
on each PC, add the IPAs of the other PCs on your LAN to the Trusted Zone.
On my LAN, F&P sharing works with a mixture of ZAF and ZAP (using High
Security for the Internet zone and Medium Security for the Trusted zone),
with a mixture of W9x, W2K, and XP PCs.

If all PCs in a LAN get their IPAs from a single DHCP router, then the
easiest way to define the Trusted zone is by adding a range of the LAN's
non-routable IPAs, such as 192.168.1.0-192.168.1.255

I think it is always true that, if F&P sharing works on a LAN with ZA
removed, then it will also work with ZA running and correct def's of
the Trusted Zone members.
 
Bob

Bob,
I'll try your suggestions with ZAF. I installed free
Sygate last night on both computers, but that also
prevented me from sharing, so I uninstalled it. Right
now I'm running without anything, but I'll try the XP ICF.
Thanks,
Bob
 
Bob

Bob,
It looks like that worked. I put each other's IPA in the
trusted zone on ZA, and they are able to find each other.
Thanks!
Bob
 
Jacob Kramer

Bob Willard said:
I use both ZAF and ZAP, and the solution is pretty much the same for both:
on each PC, add the IPAs of the other PCs on your LAN to the Trusted Zone.
On my LAN, F&P sharing works with a mixture of ZAF and ZAP (using High
Security for the Internet zone and Medium Security for the Trusted zone),
with a mixture of W9x, W2K, and XP PCs.

If all PCs in a LAN get their IPAs from a single DHCP router, then the
easiest way to define the Trusted zone is by adding a range of the LAN's
non-routable IPAs, such as 192.168.1.0-192.168.1.255

I think it is always true that, if F&P sharing works on a LAN with ZA
removed, then it will also work with ZA running and correct def's of
the Trusted Zone members.

I was working on a system today where I couldn't get this working
consistently until I set the trusted zone to "low." It would work at
first if I included the network adapter in the trusted zone--I
think--but then it would stop working if I rebooted. Can you think of
some reason why this would be so (Two XP home machines, one wired,
one wireless and a Linksys router)? And is this a security risk to
have the above address range in the trusted zone set to "low"?

Also I don't remember if there was a checkbox option next to the
adapter--or is that only in older versions of ZA? If so, should I
have checked the adapter, or in this version is the same thing
accomplished by putting it in the trusted zone?
 
Jacob Kramer

Bob Willard said:
I use both ZAF and ZAP, and the solution is pretty much the same for both:
on each PC, add the IPAs of the other PCs on your LAN to the Trusted Zone.
On my LAN, F&P sharing works with a mixture of ZAF and ZAP (using High
Security for the Internet zone and Medium Security for the Trusted zone),
with a mixture of W9x, W2K, and XP PCs.

If all PCs in a LAN get their IPAs from a single DHCP router, then the
easiest way to define the Trusted zone is by adding a range of the LAN's
non-routable IPAs, such as 192.168.1.0-192.168.1.255

I think it is always true that, if F&P sharing works on a LAN with ZA
removed, then it will also work with ZA running and correct def's of
the Trusted Zone members.

I should mention that the way I left it was with the adapter in the
Internet zone set at "high," with the address range
192.168.1.0-192.168.1.255 in the trusted zone set to "low."

Also can someone explain to me if that range is the same thing as
setting a subnet 192.168.1.0/255.255.255.0?
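
Added example, not part of any post in this thread: a Python check of whether a Trusted-zone start-end range covers exactly the same addresses as an address/netmask subnet, plus an audit of what the range admits and which LAN machines it misses (for instance after the LAN subnet has been changed from the default). The function names and the peer addresses are assumptions made up for the illustration.

```python
import ipaddress

def range_to_networks(first, last):
    """Collapse an inclusive first-last range into the fewest CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def same_as_subnet(first, last, subnet):
    """True only if the range holds exactly the addresses of address/netmask."""
    return range_to_networks(first, last) == [ipaddress.ip_network(subnet)]

def audit_trusted_range(first, last, peers):
    """Summarise what a Trusted-zone range admits and which peers it misses."""
    nets = range_to_networks(first, last)
    return {
        "networks": [str(n) for n in nets],
        "address_count": sum(n.num_addresses for n in nets),
        # False means the range reaches past private space into routable addresses.
        "all_private": all(n.is_private for n in nets),
        "uncovered_peers": [p for p in peers
                            if not any(ipaddress.ip_address(p) in n for n in nets)],
    }

if __name__ == "__main__":
    # Constructed sample addresses; not taken from the thread.
    print(same_as_subnet("192.168.1.0", "192.168.1.255",
                         "192.168.1.0/255.255.255.0"))
    print(audit_trusted_range("192.168.1.0", "192.168.1.255",
                              ["192.168.1.100", "192.168.37.10"]))
```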
 
