Question About Firewall


JW

I finally got my computers talking to each other with XP and Norton I.S.
All the computers have Norton installed on them with each computer's IP
added to Trusted Sites. Is this necessary? Does Norton have to be
installed on every computer or will it protect all of the clients on the
network? If I could get a link that would answer this, that would be great also.
Thanks, Joe
 
Joe,

For protection, each computer needs its own copy of NIS or another firewall.
One of the services that NIS helps you protect is file sharing. For maximum
security, it helps to restrict file sharing to specific computers on your
network. This is done by restricting file sharing to trusted computers, and by
designating the trusted computers group by IP address.

With a wired network, this is not terribly necessary, as you would typically
have a hardware (NAT) router protecting all your computers, in total, from the
evil internet world. With a wireless network, this is a necessary step, because
you cannot control which of your neighbors might connect, at any time, to your
network, and inside your router, bypassing its protection. Remember that, with
wireless equipment, your neighborhood extends far outside your front door, and
to people who do not know you.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
I agree with you about firewalling on a wired network, Chuck.

I think that it's easier to keep outsiders out of a wireless network
than you apparently do, though. IMHO, these steps should be
sufficient to protect a home wireless network:

1. Enable the highest level of encryption that your equipment provides
(from highest to lowest: WPA, 128-bit WEP, 64-bit WEP).

2. Enable MAC address filtering in the wireless router to only allow
connections from your wireless network adapters.

3. Change the encryption key regularly.

While a dedicated hacker can crack WEP and spoof a MAC address, I
think that the chances are vanishingly small that anyone will park
within 100 feet of your house and spend the necessary time and effort
to do it. There are so many wide-open, un-encrypted networks around
that it isn't worth the effort.

I'm interested in any comments that you might have.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Steve,

I agree with you that you're probably safe on a wireless network, with minimal
protection (minimal being WEP / WPA and MAC address filtering). In most cases.
Right now.

1) MAC address filtering.
2) WEP / WPA.

WEP-128 can be cracked with 2 hours of network traffic as samples. MAC address
spoofing is trivial.

Most wardrivers, you're right, will probably scan your network, hijack your
internet connection for a while, and move on. There are plenty more networks.

What about a vindictive wardriver? Or one who just wants to play around? If
you're using your wireless network to share files, including financial or
embarrassing secrets, do you want the possibility of some stranger in your LAN,
messing around? I don't.

When I was too young to care (about the same age as most kids getting their
first computers these days), I lived in a small town in the eastern US. No Walmart,
McDonald's, or any other major store in town. No locks on the doors of the
houses. Not too many houses being sold these days with no locks. Even in small
towns.

I don't want to predicate my personal safety, or my network's safety, upon my
neighbor's security being weaker. I want my protection to be stronger. And I
want to help make my neighbor's stronger.

So, my additional recommendations:
3) Fixed IP addresses.
4) Software firewalls protecting each computer connected to a wireless LAN.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
Thanks for the reply, Chuck. I especially like your recommendation 3,
which prevents an intruder from automatically getting an IP address
from a DHCP server on the network. I once set up a 2-computer
wireless network where I used static IP addresses in an obscure
private IP range (e.g. 172.16.25.0) with subnet mask of
255.255.255.252. That mask only allows 2 computers.

I wonder, though: can't someone who sniffs wireless traffic for a long
enough time to crack WEP also detect the IP addresses that the network
uses?
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
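
Added example (not part of the original posts): a check of the static plan described above, 172.16.25.0 with mask 255.255.255.252, plus an audit of an ARP-table snapshot against the expected IP/MAC pairs. The MAC addresses, the host assignments and the snapshot are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Static plan from the post: 172.16.25.0 with mask 255.255.255.252.
NETWORK = ipaddress.ip_network("172.16.25.0/255.255.255.252")

# Constructed allowlist of expected IP -> MAC bindings (hypothetical adapters).
EXPECTED = {
    "172.16.25.1": "00:0c:41:aa:bb:01",
    "172.16.25.2": "00:0c:41:aa:bb:02",
}

# Constructed ARP-table snapshot, as (ip, mac) pairs.
ARP_SNAPSHOT = [
    ("172.16.25.1", "00:0C:41:AA:BB:01"),   # matches the plan
    ("172.16.25.2", "00:13:CE:12:34:56"),   # trusted IP, unknown adapter
    ("172.16.25.3", "00:13:CE:12:34:56"),   # broadcast address of the subnet
    ("192.168.1.50", "00:0C:41:AA:BB:02"),  # known adapter, wrong subnet
]


def usable_hosts(network):
    """Assignable addresses: the mask leaves 4, minus network and broadcast."""
    return [str(host) for host in network.hosts()]


def audit_arp(entries, network=NETWORK, expected=EXPECTED):
    """Return (ip, mac, finding) for every entry that breaks the static plan."""
    findings = []
    for ip, mac in entries:
        mac = mac.lower()
        if ipaddress.ip_address(ip) not in network:
            findings.append((ip, mac, "outside static subnet"))
        elif ip not in expected:
            findings.append((ip, mac, "address not in static plan"))
        elif expected[ip] != mac:
            findings.append((ip, mac, "trusted IP used by unexpected MAC"))
    return findings


if __name__ == "__main__":
    print(usable_hosts(NETWORK))
    for finding in audit_arp(ARP_SNAPSHOT):
        print(finding)
```

A device that copies both the IP address and the MAC address of a trusted machine produces no finding here, so this check complements the encryption and per-computer firewalls recommended in the thread rather than replacing them.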
 
I would think if someone cracks the WEP they will also detect the settings
and get onto the network if DHCP is present. I agree with you, Steve. I think
the chances are likely that someone will park within 100 feet of someone's
house and try to crack a WEP. Not to mention, how do those intruders know
that they are on a wireless network if they didn't tell them? They would
have to know they are on a wireless network first, correct?

Yes, I like the idea of having static IP addresses. The only problem for me
is that my ISP doesn't let me have a static IP address. I would like to enter
manually assigned addresses on the network but that isn't an option for me.
I'm using DHCP.

_________________
Eric
 
Steve Winograd said:
I wonder, though: can't someone who sniffs wireless traffic for a long
enough time to crack WEP also detect the IP addresses that the network
uses?

That's a job for the firewall. The firewall will statefully detect forged use
of existing trusted IP addresses. As it would with malevolent internet traffic,
sans NAT router.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
Eric said:
I would think if someone cracks the WEP they will also detect the settings
and get onto the network if DHCP is present. I agree with you, Steve. I think
the chances are likely that someone will park within 100 feet of someone's
house and try to crack a WEP. Not to mention, how do those intruders know
that they are on a wireless network if they didn't tell them? They would
have to know they are on a wireless network first, correct?

Your typical wardriver goes looking for a wireless network to abuse. Pretty
much anything he's (she's) abusing is wireless, by intention.

Eric said:
Yes, I like the idea of having static IP addresses. The only problem for me
is that my ISP doesn't let me have a static IP address. I would like to enter
manually assigned addresses on the network but that isn't an option for me.
I'm using DHCP.

Your ISP forces YOU to use a dynamic WAN address. If you set up a wireless
router, use of a static LAN address is your choice. Totally separate from the
nature of your WAN.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
Yes, Chuck, I have a Linksys Wireless AP Router w/4 port Switch. However, I'm
not entirely sure what you are saying. This is the router I have. Details
here.

http://www.linksys.com/Products/product.asp?grid=33&scid=35&prid=415

So are you saying even though my ISP only provides a dynamic IP address, I
can still put a static IP address on my local area network? If so, would I
need to do the following:

1. Go into the router and disable the DHCP server.
2. Open the Network Connections, right-click the LAN and choose Properties.
3. Click Use the following IP address.

Then enter a private IP, subnet mask, and the default gateway?

_____________
Eric


 
That and DNS server information, under Advanced (if that's not a separate
option).

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 