I've got some DSL security questions. Help!

I finally got DSL last week. Yaaaay!

I have 2 computers sharing the internet. I’ve hooked them to a hub, the hub connects to the router, and the router to the DSL modem. Now I’m a layman at this stuff, I’ve just followed all the instructions and everything is working. My question is about security. My roommate and I leave our computers on 24/7, so now that we are always connected, I’m worried about people gaining access to our little LAN. The router has a NAT firewall on it (is that network address translation???), but I haven’t made any changes to it other than enabling WAN blocking, which “prevents my network from being pinged or detected by other internet users”.

I’ll cut to the quick here. I am using the NAT firewall on the default settings, and I plan on installing a copy of Zone Alarm (the free one on their site) on each computer. I also am assigned a dynamic IP by Verizon, so I know that will be changing every day or so. Will this be enough to leave the comps on 24/7? Or should I just turn them off?

Lastly how would I test that the firewall is working, should I try and ping my router or something?

Thanks in advance.

There are two separate issues here regarding your choices. You can use a hardware- or software-based solution. The software-based solutions such as Zone Alarm are typically easier to configure and use; however, you must install one on each machine. In addition, it tends to be slower, but for the average home user you wouldn’t even notice any performance degradation on your network. The hardware solution is faster and it controls your network at the source, so you only need to configure it from one location. Many SOHO firewalls are user friendly and have an easy-to-use browser-based interface for configuration options. I think Netgear has a good one, you might check amazon.com.

A lot of this will depend on your security needs. If you don’t plan on having any open file shares, web or ftp services running, and you use reasonably strong passwords for your logins, then you would probably be just fine without a firewall at all. Just be sure to keep up-to-date on any Microsoft OS security patches and you should be fine. It sounds like the default setting on your router for WAN blocking should be sufficient.

Thanks.

We share files between computers, surf the net, and play Quake for 37 hours a day. I’ll assume that means no FTP or web services are running, correct? Is it safe to say then that WAN blocking on the router is sufficient and Zone Alarm on each computer is not even necessary?

Why bother keeping your computer on the Net when you are not using it?

It’ll probably be enough, but I’d just turn them off. You’re just wasting power.

Urban, I just wanted an always-on connection, so if I want to hop on the net, I’m just a browser click away, no log in or password or connecting etc.

Bernse, you are probably right, but just being realistic, I’ll most likely forget to turn it off, or my GF will use it, or I’ll be too lazy to turn it off etc etc, so I want to make sure I’m protected.

So it looks like between Verizon assigning me a dynamic IP, and the WAN blocking, that is all I need to be safe. No software-based firewalls necessary.

Correct?


Load zone alarm and see what happens first. I know I was startled with how many hits my dynamic IP DSL got. I dunno much about WAN blocking so I can’t really speak to that.

There is an option on the router to add Zone Alarm Pro to it, but I’d rather not pay (or look for illegal copies either), so I will just use the NAT on the router. If I download the free Zone Alarm and install it on my computer, what should I look for? Will it slow me down? I need every drip of capacity I can get.

BTW thanks everyone, this is a big help.

I would suggest that you first disable all unnecessary services running in the background on all computers. This will increase security, and increase performance at the same time. Almost all “hacks” rely on exploiting a service that the user has running in the background. To get more information, google for “(your os) service functions” or something similar to get a list of services, how to disable the unnecessary ones, and which ones should be disabled or kept enabled. Also, make sure you have your systems updated with the latest security patches.

Your router should have, built in, port filtering and/or packet filtering firewall abilities. If it does, there is no need for you to install any software firewalls. The most secure, though time consuming, method to set up the firewall is to block EVERYTHING, then slowly enable ports one at a time as you need them. Once you’re finished, you’re left with a configuration that blocks everything but what you need. A simpler method is to just block ports you’re certain you don’t need, and that may be compromised.

Finally, if you really want performance, you may want to replace your hub with a switch. They offer significantly better network performance than hubs, and at this point a 5-port 100mbit full duplex switch is $20 or so.

First things first. If your router is a decent brand (like Linksys) and you are using the default out-of-box configuration, you’re safe. Don’t install ZoneAlarm; it not only won’t add anything to the default router/NAT safety and data setup (i.e., there’s nothing to log), it just sits there wasting time and being irritating.

Second, if you want to test your security, go to Steve Gibson’s site here:

www.grc.com

Click on the “Shields Up!” logo on the first page, then scroll down to the “Hot Spots” section and click on “Shields Up!”, and finally, click on the buttons marked “Test my shields!” and “Probe my ports!”

If your firewall is decent, it should be like mine, and say “your computer is invisible…”, or whatever.

They’re great tests, and it’s a great site.
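The “Probe my ports!” test described above can be reproduced on your own machines. The following is an added Python example, not part of the original thread and not code from Steve Gibson’s site; it classifies a TCP port the way such a probe does (open, closed, or filtered/“stealth”) and demonstrates the difference against a constructed loopback listener rather than your real public address. The default port list, host and timeout are assumptions.

```python
import socket

# Ports a home Windows box of that era typically exposed (NetBIOS/SMB). Used
# here only as an assumed default probe list, not as a claim about any router.
WINDOWS_SHARING_PORTS = (135, 137, 138, 139, 445)


def probe(host, port, timeout=1.0):
    """Classify one TCP port the way a 'probe my ports' test does.

    'open'     - the handshake completed: something is listening.
    'closed'   - the host answered with a RST: reachable, nothing listening.
    'filtered' - no answer within the timeout (or no route at all): the probe
                 was silently dropped, which is what a 'stealth' result means.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # covers socket.timeout / TimeoutError and 'network unreachable'
        return "filtered"
    finally:
        s.close()


def probe_many(host, ports=WINDOWS_SHARING_PORTS, timeout=1.0):
    """Probe several ports and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def demo_loopback():
    """Constructed demonstration on 127.0.0.1: a live listener reads 'open',
    and the same port reads 'closed' once the listener is gone."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_loopback())
```

Probing from a PC on your own LAN only tells you about that PC (or the router’s LAN side); to see what the WAN side exposes, the probe has to originate outside your network, which is exactly what the GRC page does for you. On the WAN address the result you want on every port is “filtered”; “closed” means the router answers probes even though nothing is listening.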

Gee, I have to disagree…

Load Zonealarm on each computer. As well as anti-virus software.

Depending on how you define “firewall”, your “router” ain’t really one. If all it says is “NAT Firewall”, it is just a Network Address Translation function (no stateful inspection, no application proxies - things you see in “real” firewalls).

That’s not a bad thing, but it still leaves you with certain vulnerabilities. Not even all software firewalls will help, but ZoneAlarm is one that does.

Some background:
The purpose of the NAT is to share the one truly public IP address provided by your provider between two or more PCs on your home LAN. More technically correct, this is done with Network Address Port Translation (NAPT). Provided you have both of your PCs configured for IP addresses that are private (from RFC 1918 space, such as 192.168.* or 10.*), which should be the default, your PCs cannot be “seen” from sessions initiated out on the Internet (unless you’ve messed with Port Forwarding, more later).

BUT, your NAT Firewall (sic) Router will, by default, allow anything and everything that is initiated FROM your PC to the Internet. Normally, that is a good thing. Occasionally, it is not. And that is where ZoneAlarm comes in. ZoneAlarm will inspect communications in both directions, and give you control to decide whether it is acceptable or not. The risk is that through email, file downloads, freeware installs, peer-to-peer networks, etc., you could pick up some nasty software, like trojan horses, spyware, or other malware. This is stuff that gets loaded on your system, through actions you’ve initiated, but you don’t really want on your system.

When this stuff initiates communications from your PC to the Internet, to send all sorts of potentially bad stuff (all the way from surfing habits to credit card numbers and passwords), your NAT Firewall (sic) Router just lets it on through. But ZoneAlarm will pop up a little window that says “XYZ.COM application is trying to access the Internet, do you wish to allow it?” And that’s why you want to load ZoneAlarm.

And btw, it is fine to have open file shares on your local LAN, just configure them in ZoneAlarm as part of your trusted network.

Port Forwarding: In some cases, you may want to run a “server application”. These are programs that need to be able to accept connections from the Internet. You may need to do this for multi-player Internet games (not just Quake between your two local PCs), or peer-to-peer network services, or perhaps many other applications as well. Your NAT Firewall (sic) Router can be configured to pass along requests for these applications to the specific PC that has the service, you just have to configure it that way (the specific program should provide instructions as to which protocol/port number to map).

Yes, your computer may be noticeably slower with ZoneAlarm, particularly if it is more than a few years old. It is worth the price in performance, nonetheless.

You can leave your computers on 24/7, if that’s what you want to do.

You can add ZoneAlarm Pro to the Router, if you don’t want to install it on each PC (further proof that the router isn’t a firewall, or why would they have the option to add firewall software?).

And finally, and this is also very important, get into a habit of loading OS patches, ZoneAlarm updates, and A/V signature updates on a regular basis.

Welcome to the world of broadband. Happy surfing!
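The NAPT behaviour described in the post above (outbound always passes, unsolicited inbound is dropped, port forwarding opens a specific hole, and a trojan’s outbound traffic looks like any other session) can be made concrete in a small model. The following is an added Python example, not part of the original thread and not the firmware of any real router; it also illustrates the “block everything, then open ports one at a time” approach from an earlier reply, since the inbound side is default-deny with explicit port-forward allows. All addresses are constructed (RFC 1918 inside, RFC 5737 documentation ranges outside), the Quake server port 27960 is an assumption for the example, and the reply-matching rule (accept inbound only from the exact remote endpoint the LAN host contacted) is one of several behaviours real routers exhibit.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed addresses: RFC 1918 space inside, RFC 5737 documentation ranges outside.
PUBLIC_IP = "203.0.113.7"
PC_A, PC_B = "192.168.1.10", "192.168.1.11"
WEB_SERVER, ATTACKER, SPYWARE_C2 = "198.51.100.5", "198.51.100.99", "198.51.100.200"

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class NaptRouter:
    """Minimal model of a NAPT 'firewall' router.

    Outbound packets are always translated and forwarded. Inbound packets are
    delivered only if they match a session the LAN started, or an explicit
    port-forward. Everything else is dropped: default deny on the inbound side,
    with ports opened one at a time via `port_forwards`.
    """
    public_ip: str
    port_forwards: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)
    next_public_port: int = 40000
    # (proto, public_port) -> (lan endpoint, remote endpoint)
    sessions: Dict[Tuple[str, int], Tuple[Endpoint, Endpoint]] = field(default_factory=dict)

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Tuple[str, Endpoint]:
        """LAN -> Internet: rewrite the source to (public_ip, fresh port) and remember it."""
        public_port = self.next_public_port
        self.next_public_port += 1
        self.sessions[(proto, public_port)] = (src, dst)
        return "forwarded", (self.public_ip, public_port)

    def inbound(self, proto: str, src: Endpoint, dst_port: int) -> Tuple[str, Optional[Endpoint]]:
        """Internet -> public_ip:dst_port: deliver only on a known session or a port-forward."""
        session = self.sessions.get((proto, dst_port))
        # Assumption: only the exact remote endpoint the LAN host contacted may reply.
        if session and session[1] == src:
            return "delivered", session[0]
        forward = self.port_forwards.get((proto, dst_port))
        if forward:
            return "delivered", forward
        return "dropped", None


def scenario() -> Dict[str, str]:
    """Walk through the cases the post describes and return each outcome."""
    # Assumed port-forward: a Quake server on PC_B listening on UDP 27960.
    router = NaptRouter(PUBLIC_IP, port_forwards={("udp", 27960): (PC_B, 27960)})
    results: Dict[str, str] = {}

    # 1. PC_A browses the web: outbound is translated, the reply to the mapped port comes back in.
    _, mapped = router.outbound("tcp", (PC_A, 51000), (WEB_SERVER, 80))
    state, to = router.inbound("tcp", (WEB_SERVER, 80), mapped[1])
    results["web_reply"] = f"{state} to {to[0]}"

    # 2. Someone else spoofs a reply to that same mapped port: wrong remote endpoint, dropped.
    results["spoofed_reply"] = router.inbound("tcp", (ATTACKER, 80), mapped[1])[0]

    # 3. Unsolicited SMB probe from the Internet: no session, no forward -> dropped.
    results["smb_probe"] = router.inbound("tcp", (ATTACKER, 3333), 445)[0]

    # 4. A game client joins the forwarded Quake port -> delivered to PC_B.
    state, to = router.inbound("udp", (ATTACKER, 27960), 27960)
    results["quake_join"] = f"{state} to {to[0]}"

    # 5. Spyware on PC_A phones home: the router sees an ordinary outbound session and forwards it.
    results["spyware_phone_home"] = router.outbound("tcp", (PC_A, 51001), (SPYWARE_C2, 80))[0]
    return results


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case:20s} {outcome}")
```

Case 5 is the whole argument for a host-based product like ZoneAlarm: the router has no way to tell a browser from a trojan, because both are “initiated from your PC”. Case 4 shows why every port-forward is a deliberate hole in the default-deny inbound policy and should be mapped only to the one machine that needs it.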

IIRC, Linksys routers also block outbound traffic.

Urban Ranger, if it blocked both inbound and outbound traffic, you might as well unplug from the Internet! That would certainly be secure, but it wouldn’t have much utility.

And, even if it can be configured to do so, it has no way of knowing which traffic to block and which traffic to pass. Linksys, Netgear, etc., don’t have any method to proactively, in realtime, query the user to determine if traffic is expected and allowable. Plus, if you are going to start blocking outbound ports, you really need to understand what the hell you are doing. This would not be for neophytes.

Thanks everyone, looks like I have some research to do. I’m going to “check my shields” at that site and take it from there. We’ve established that Zone Alarm on my comp will give me a performance hit. Will I suffer one if I put it on the router instead? I’m starting to get the impression that purchasing Zone Pro wouldn’t be a bad investment.

Purely anecdotal, but I installed Zone Alarm on my home PC, which is behind a Linksys router using NAT. In the month that I had it installed, I never got a single warning or alert. Except when I wanted to do a ping or a traceroute to an internet site. For me the annoyance to usefulness ratio was too high, so I uninstalled it. Maybe I’m just less paranoid than some people, but unless you are running some service on your PC that you want accessible from the internet, NAT should be sufficient protection.

My one piece of advice (and this is Microsoft’s recommendation as well) is to unbind file and print sharing from TCP/IP. Use NetBEUI or NetBIOS over IPX for local file and print sharing instead.

I apologize for being oversimplistic. I assume that most people are fully aware of what programs they have that are accessing the Net, and what spyware they do or don’t have installed. It’s not like it’s that hard to keep track of it.

And, of course, programs like ZoneAlarm are great, but they don’t protect you at all when you have a virus that purposefully tries to kill them.

And of course, when ZoneAlarm crashes (which it frequently does on some of my machines), it doesn’t protect you at all…

And, of course, when you are booted to DOS or OS/2, ZoneAlarm isn’t going to help you then either. But I guess I’m just stupid for pushing hardware firewalls. :rolleyes:

Get a hardware firewall. And if you want extra protection, try out ZoneAlarm. It’s great stuff - no, fantastic stuff, there’s no arguing that. But I fail to see why so many people are so hardware-phobic, or feel that setting up and running an entire other computer to just be a “pass through” is somehow easier and better than buying a $59 Linksys. :confused:

What specifically will that achieve? Outsiders will be unable to access my network via TCP/IP?

Thanks

World Eater, you will not notice any performance hit by loading ZoneAlarm Pro on the Router.

In ZoneAlarm, you can configure both ping and traceroute to be allowed, without getting an alert. And if you never got a single warning otherwise, great, but what is the annoyance? That is to say, under normal circumstances, you don’t need ZoneAlarm. It’s only under unusual circumstances that you need it. Kinda like insurance. Your argument sounds like, “hey, I’ve driven for the last year without a wreck, so I cancelled my car insurance”. It may work for you, just recognize the risk.

Unbinding MS File and Print sharing from TCP/IP is a good idea. Personally, I have needs for running TCP/IP on my LAN, but for most home networks, you are correct, use IPX.

Not so. Trojan horses and spyware, by definition, are designed to operate without your knowing. And while ZoneAlarm will catch them, a “hardware” firewall will not. Anti-Virus software should catch (known) trojan horses, but not normally spyware. Ad-Aware will catch spyware, but not trojan horses. And in both cases, you are only protected from older, known malware. You are still vulnerable to new or variant strains. ZoneAlarm will catch these when they attempt to connect to the Internet.

I’ve run ZoneAlarm on multiple machines for close to two years now, and I have never had a crash that I can directly attribute to ZoneAlarm. YMMV.

You can certainly use a real hardware firewall, but expect to pay over $300. Your $59 Linksys box is a NAPT device, 5-port switch, DHCP server, PPPoE terminator (for some DSL), and has some port forwarding capabilities. It is not a firewall, in any reasonable sense of the word. Don’t believe the marketing. Further, if you are not at least at MCSE/CCNA level in your networking knowledge, configuring a hardware firewall is not for you.

My confession: In my home network, I have five PCs. I have cable modem service, which runs into a NAPT “Firewall” Router with an integrated 4-port ethernet switch. I didn’t even go for paying the extra $10 for the Linksys name, I bought the CompUSA brand generic (which is actually a private labeled SMC Networks Barricade), and I paid $49.95. On the computer I use most (and am using now), which is my “work” computer, I don’t use personal firewall software (I actually have some loaded, but it is not ZoneAlarm, and it is a pain in the ass). But on this computer, I practice safe computing. I have no peer-to-peer software loaded on it. I have no Internet chat or instant messaging. I never download freeware. I never open email with attachments, unless I know who sent it and was expecting it. And I am obsessive about applying OS and A/V updates. I am comfortable that the NAPT device is sufficient for my security in this case.

On my “home” PC, as well as my “hobby” PCs, I often do run peer-to-peer software. I often test and evaluate freeware and shareware. I’ll even occasionally open email attachments that were received unexpectedly (like apparent jokes - I never open attachments received from addresses I don’t recognize). I am less devoted to keeping the OS and A/V systems up-to-date. And I have ZoneAlarm installed on each of those machines. Twice, in two years, I have caught spyware attempting to connect to the Internet without my knowledge. Personally, that is sufficient cause for me to keep ZoneAlarm loaded on those machines.

So, IMHO, it depends on your habits, your knowledge, and the risks you wish to accept. If you just “surf the web, and play some games”, you may not need ZoneAlarm. If you access your bank account online, pay bills, check your 401K, order goods with your credit card, access email attachments, etc., don’t expect the “firewall” to protect you in all cases.

Sorry for bumping this old thread, but I have been trying to figure this out, and maybe someone can help me. I have Windows XP and am trying to “unbind” this TCP/IP thing. I am a computer idiot, but have a high speed DSL connection that is up 24/7, and someone said I should disable this print sharing thing, and I have no idea what I am doing. Can someone explain this to me like I am 3 years old? Thanks.