Astro is looking for a geek's geek - Home networking question

Thanks for dropping in!

I have a small 10/100BT home network with 3 PCs on it attached to a little switch. The kids’ PCs are running WinME and I am running Win98se, and file sharing and remote administration are fully enabled between the machines.

I have just had cable internet installed yesterday (wow!) via Comcast via home-excite.com. After installation I went out and purchased a small 4-way Etherfast Linksys Cable/DSL router to replace the little D-Link hub/switch and allow my kids’ PCs to share the connection. The connection to my machine required an additional NIC card to be installed in my machine for the cable connection. (I assume the second NIC is still necessary even with the new router?) The cable connection seems analogous to a WAN link that is always on. The router works fine and I have gotten their PCs connected to the big fat pipe also by changing their TCP-IP configs.

I am pretty good with hardware but my networking skills are not profound and consist mainly of “Hmmm… that doesn’t work, let’s try this”. When my machine was hooked to the home hub/switch there was some sort of configuration guard/warning Win98 had to prevent someone on the net from getting into my home network when using a standard dialup TCP/IP connection. Now that I am, in essence, directly part of a large fast network, I am concerned about someone getting into my system.

What do I need to do? Are the necessary tools bundled into 98? Is this what net “firewalls” are all about? Maybe I’d better crack out that Linksys CD!

Any advice appreciated!

astro…repeat after me…FIREWALL.

Yes, you must, must, must get a firewall (ideally a true firewall, not a software one) immediately and turn off file sharing in the meantime. Cable modems are an always on connection, and you are putting your PCs all at risk.

I’m not a great networking guy, actually I really suck at it, so I can’t offer a lot of advice on this, but several companies make routers with built-in firewalls, and other companies make firewalls with built-in hubs. Either would suit your needs, and with only 4 PCs you should be able to get by for under a few hundred dollars.

In theory you’re going to have a connection like this: the coax running into your cable modem, the cable modem linked with a straight-through ethernet cable to your firewall/router, then the router networked in a star layout to each PC. Each PC will only need one NIC.

You should probably return the Linksys router and upgrade to one with the firewall built in.

I’m sure a much more experienced geek will be here to correct me, and to help you better.

Definitely turn off file sharing though!

Actually the Linksys router itself serves as a firewall. It has a unique IP address of its own, and any of your PCs that are connected to it are theoretically ‘invisible’ to any bad guys that may be out there, assuming you have everything set up correctly. You probably want to ‘unbind’ file sharing from your TCP/IP connection for an extra level of security.

I’m at work, so I don’t have any of the documentation in front of me, but as I recall, there was a big foldout sheet that came with my Linksys router that took you through a quick setup. I used the default settings (except for changing my password), and it’s been working like a charm ever since.

Pay a visit to this site: http://www.grc.com , and see if you can pass the “Shields Up!” test. The guy that developed the tools on this site has the reputation of being either an internet security guru or somewhat of a crackpot depending on who you talk to, but the software itself seems relatively sound in what it’s testing for.

P.S. You don’t really need the extra NIC either, but it doesn’t hurt.

The advice I give to people in this situation is to run the modem into the WAN port on the Linksys [I think you have it set up this way now] and rely on its firewall for the bulk of your protection. I also like to run a software-based firewall on each of the PCs. My current favorite is ZoneAlarm. It watches both inbound and outbound traffic. This makes it effective at catching trojan horses and “phone home” applications. You can also grant internet access on a per-application basis. It’s a great little app considering how much it costs [nothing].

Try ZoneAlarm or ZoneAlarmPro:

ZoneAlarm is free for personal and non-profit use (excluding governmental entities and educational institutions); business users must purchase a valid end-user license after 60 days in order to continue using the software.

  • I use this software firewall and have been pleased, and although it’s not impenetrable, it will stop roaming people and programs from easily getting into your system.

And with the firewall, I haven’t worried too much about Win98 file sharing being turned on – although I do pay attention to which folders are read-only and password-protected.

astro, ZoneAlarm is a decent software solution and it’s free for personal use.
I bought a Netgear router that has a built-in configurable firewall. The default setting is decent. It blocks all incoming connections, like telnet, ftp, http. This is a good start. If your Linksys router has something like this, just make sure it’s configured properly.
Always keep your machines updated with the latest security patches. Run Windows Update on each of the machines at least monthly.

Thank you all for the useful info! It’s like a whole new online world at these speeds! I gotta pick the bugs out of my teeth, it’s so fast.

dzray is right; everyone else is wrong. You don’t need a firewall if your router is doing NAT. Also, you don’t need to disable file sharing; you’re plenty safe. That is, assuming your router is doing NAT. What are the IP addresses you set on the computers? Are they 192.168.x.x (they probably are)? If so, you don’t need a firewall.

BTW, here is what I do for a living.

I’m not sure why you would need a second NIC for your computer. I’m running a very similar LAN at my home. I’ve plugged each of my 3 computers into the Linksys Router and the cable modem into the WAN socket of the Router.

The Linksys does indeed do NAT in its default settings. Bill H. and dzray are right, it is an excellent hardware firewall (even more effective than ZoneAlarm).

cheers,
Hodge

Many thanks to those who suggested the second NIC was not necessary now that I have the router. I have removed it and the system still has full DSL access and connects and shares to the other PCs fine.

astro, I’m sorry you’ve had the gamut of information given here, and only some of it is correct.

The Linksys has a very good firewall, and is extremely secure. Using ZoneAlarm, while it may make you feel better, and it is a fantastic tool if you don’t have a hardware firewall (like in the Linksys), is a big waste of memory and CPU. The NAT in the Linksys does wonders for protecting your PCs in your intranet. I even tested it by running ZoneAlarm for several months with the Linksys (nothing detected by ZA, where before it would log dozens of probes per day), and also went to www.grc.com to use their port prober to test the security of the Linksys (it gets a perfect score).

Your Linky should be set to “maximum security mode” out of the box by default, so I doubt you need to change anything. But it has so many neat features you may want to browse through it and check it out.

It’s one of the things that protects the UnaBoard, in addition to some other tricks I have.

I disagree that using ZoneAlarm is either wrong or a waste of resources. The Linksys router is a great piece of hardware [I use it] but it can’t do anything about malicious outbound traffic. See Steve Gibson’s take on this.

I also have never noticed a performance hit [at least on my machine] while running ZoneAlarm.
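To make the two sides of this argument concrete (the earlier posts’ claim that NAT alone hides the PCs from unsolicited inbound traffic, and dzray’s point that it does nothing about outbound “phone home” traffic), here is an added toy model of a port-translating home router. It is illustrative Python written for this thread, not Linksys firmware; the public and remote addresses are constructed documentation-range values and the LAN addresses are the 192.168.x.x ones the thread mentions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Toy port-translating router: one public WAN IP, private 192.168.x.x LAN hosts."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # public port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.dropped = []  # unsolicited WAN packets that had no mapping

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: reuse or create a mapping and rewrite the source to the public IP."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == key:
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: forward only if a LAN host opened this flow; otherwise drop it."""
        entry = self.table.get(pkt.dst_port)
        if entry is None or entry[2:] != (pkt.src_ip, pkt.src_port):
            self.dropped.append(pkt)
            return None
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])

def demo():
    nat = NatRouter("203.0.113.5")  # constructed public address
    # 1. A PC browses a web server: a mapping is created and the reply reaches 192.168.1.10
    req = nat.outbound(Packet("192.168.1.10", 1025, "198.51.100.7", 80))
    reply = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", req.src_port))
    # 2. Unsolicited packet to the public IP on the Windows file-sharing port: no entry, dropped
    probe = nat.inbound(Packet("198.51.100.99", 6000, "203.0.113.5", 139))
    # 3. A "phone home" program on the same PC is translated exactly like browsing;
    #    this is the gap a per-application outbound filter such as ZoneAlarm covers
    phone = nat.outbound(Packet("192.168.1.10", 1026, "198.51.100.50", 6667))
    return req, reply, probe, phone, nat
```

Running `demo()` shows the browsing reply delivered back to the private address, the unsolicited packet to port 139 in `nat.dropped`, and the phone-home connection leaving the router untouched.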

Well I just had my first cable network humiliation.

This is almost a pure undiluted geek story so others can just keep moving if they wish.

Everything was humming last night and then… full of confidence that I had this cable modem scenario in hand, I decided to re-install the dialup modem that I had pulled when I had to put two NICs in the machine before I installed the router, because of IRQ conflicts. Soooo I pulled the NIC from a slot to make space for the ISA USR modem (PCI-ISA shared slot position on the mobo), re-installed the drivers and put all the cable network TCP-IP info back in just the way the cable guy did when he installed the second network card. I figured “Monkey see, Monkey do” would see me through.

The internet went away, and for the next few hours until about 4 AM I checked and re-checked the cables, pulled and re-installed the NIC into different slots, and re-installed the drivers and re-entered the cable config settings over and over and over. No dice. Went to bed at 4:30 AM.
I called the tech at COMCAST this morning and quickly got shuffled to a level 2 tech. 20 minutes of phone wait time later a tech got on the line. Attempting to sound as if I’d done everything humanly possible, I glurged on my heroic labors to get it back and then asked if the cable network was down, because I wasn’t getting the fast, fat pipe service I had come to love! “Whine! Howl! Whimper!”

He ran a diagnostic or two on the modem from his end and then asked suspiciously.

Tech: “Are you using a router or a hub?”

Astro: Ummm… a router.

Tech: (in a tone of voice as if speaking to Forrest Gump’s less intelligent brother) “Look. The router is now your node and is assigning hidden addresses to the PCs on your hub/router behind the modem. The @home settings the tech put in for the second NIC have nothing to do with your access at this point. The router is assigning these addresses to the PCs on the network, so you need to re-configure the router after you scrub out all the @home info you’ve put into the TCP-IP setup.”

Astro: “Well, it was working fine last night! Sigh. OK, I’ll look into the router configuration.”

Long story short I scrub out all the @home info from the NIC TCP-IP setup and then run the router config applet using the IE address of the router. It auto configs. I’m back on the pipe and much chastened for my hubris.

Lots to learn.

Speaking of lots to learn. I am an IT manager. Actually I’m the IT department for a new manufacturing company. I recently (3 weeks now) installed Exchange server 2000 to supply our group with email. It worked for about 5 hours and then quit. I don’t know why. I’ve read every relevant article in the google database. I’ve been screwing with it every day for 3 weeks and can’t figure it out. I’ve had a few email suggestions from geeks out there which sounded great, but did not solve the problem. I’ve uninstalled and reinstalled everything on the system. I’m getting desperate, but the powers that be will not let me hire a contractor. Anyone out there an MS guru with 20 minutes to give me on the phone? I get the feeling from a few of the network administrators I’ve spoken to that they feel confident they could solve the problem but just don’t have the time to look at it. Drop me an email and I’ll send you my phone number, or send me yours and I’ll gladly call you on my dime.

I don’t really expect any response to this, but I’m desperate enough to beg.

Sorry VileOrb, I’m an admin, but not an Exchange guru. Otherwise I would gladly try and help.
ZoneAlarm rocks. The built-in firewall of the router is great, but you still need ZoneAlarm. One of its main features is blocking access to the internet by trojans and spyware. Any time any proggy tries to access the internet, it pops up a little window asking if you want it to (it can save the response, so you don’t have to do it again). It can let you know real quick when you’ve got something nasty that is trying to phone home.

One of my kids’ games, from a major software manufacturer, installed a resident program to send data out to the manufacturer. ZoneAlarm caught it instantly. I turn it off for multiplayer games, and for downloading, but then I turn it back on. It also provides an instant way to turn off your network connection for the really paranoid. It’s kinda like spermicide on condoms: you can’t have too much protection. (And it really doesn’t eat that much CPU/memory.)

Mr Gibson is pretty good, and gives good advice. However, if you don’t have a handle on your outbound traffic already then… what can I say, really? His examples of bots using his outbound IRC ports are something that wouldn’t happen to me, since I monitor my ports.

How hard is your machine taxed, network-wise? The UnaBoard sends out about 202 MB a day, and receives about 60 MB a day. I definitely notice not only a performance hit when I used ZoneAlarm, but also say my memory usage increase such that ZoneAlarm took up more than 100 MB of RAM over 3 days - just for itself! And yes, I monitor my memory usage religiously - Apache, MySQL, PHP, and vBulletin have no memory leaks, and I can go for 3 weeks at a time rock steady at 38.7 MB usage.

ZoneAlarm is a really good tool, but it’s not for everyone, and not needed in all cases.

Sorry, typing while on the phone. That should be “also I saw”…

Anthracite, I don’t disagree with what you’re saying, but I’m looking at the problem from the perspective of the “average internet user.” People who aren’t dealing with as much network traffic as you are [including me] won’t notice ZA. I’ve never seen the memory leak, but again, I don’t have as much traffic as you do.

I use ZA for exactly the reason that bdgr does. I had a problem with Real Player and ZA caught it. If you’re able to catch and stop that from happening, then I agree, you don’t need ZA.

But for most people with a broadband connection who ask, “how can I protect my computer?” I find it hard not to recommend an external router/ZoneAlarm combination. But of course there’s no solution that’s going to fit everyone.

I guess what I was really objecting to was the first line in Bill H.'s and your post implying that this solution was somehow wrong.

Good point, I see what you are saying. I guess that came out harsher than I intended. If it causes no problems, there is certainly something to be gained by combining the two solutions. Plus, IIRC, ZoneAlarm has other features in it as well w.r.t. controlling access on your PC (if you have multiple Users), so it could serve many purposes as well.

I guess I was tending to think more in terms of “hard core” home use here.

If I was running a board off my machine, or a web server, I probably wouldn’t be running ZoneAlarm. As it is, since I have a fairly hotrod machine, ZoneAlarm is not even noticeable, except with some FTP servers. As for not having a handle on outbound traffic, well, I experiment a lot with my machine (the nature of my job depends on it). I load a lot of different software, and my kid loads some games occasionally. It’s easy to miss some little spyware proggy that was installed along with other stuff. Hell, Microsoft even installs some things that try to “phone home”. With ZoneAlarm, I don’t have to worry as much about it.