Router and Software

pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Router and Software

Post by pewterdawg »

do you need a software firewall if you are running behind a router? i have a linksys etherfast cable router.

can you be hacked if someone has your internal IP address...could they get past the router?

thanks
Dakota
Posts: 5694
Joined: Tue Oct 03, 2000 12:00 am
Location: Vancouver, Wa

Post by Dakota »

Yes. Yes. And, Yes.

The only safe computer is one not connected to the Internet at any time. I have been running my NetGear RT314 for about 2 months now and I still use ZAPro. I use some pretty tight filters, but not too awful strict and I still get a hit squeak through from time to time that gets caught by ZA. If nothing else, it helps keep track of any spyware trying to call home.
We Remember...
9|11
40 miles SW of Mt. St. Helens
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

thanks...
i'm running ZA and link logger. how do you know if someone gets through?


i ran UDP port scan and got that they were closed, not stealth.
thought ZA stealthed all? If not, which does?
cyberskye
Senior Member
Posts: 4717
Joined: Wed Jan 10, 2001 12:00 am
Location: DC

Post by cyberskye »

You can configure your router to drop unsolicited connection attempts. If you have your 'internet' zone in ZA set to High security, it will do the same. But if you do not drop connections at the router, your ip will still be visible (hence closed, not stealth). Technically, your router is the only device connected to the net...

You should definitely keep a sw fw with the router. The router is not REALLY a fw in the truest sense. It performs NAT which has security benefits as a side effect, but that was not the original intent of NAT. ZA will pick up on trojan type communication (from the inside-out), while the router assumes that since traffic is coming from the 'inside' that it should be allowed to pass.

Jetta is correct in that nothing connected is totally secure. The idea is to make it such a pain to crackers that they will pick someone else. If your security is nearly that of a corporation or website, why would (s)he waste time cracking a personal computer that probably doesn't have much of value (no offense;>) -- even to use your box for distributed attack -- especially when there are so many easier targets.


Have fun,

Skye
anything is possible - nothing is free

:wth:
Blisster wrote:It *would* be brokeback bay if I in fact went and hung out with Skye and co (did I mention he is teh hotness?)
:wth:
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

thanks for the info in english :)

if it's not too much trouble, another question please.
my link logger says the destination ip address for incoming is my internal one, shouldn't it be the router address that i see as destination?

also, in ZA which address do i put in for the other computers on the lan? internal or router?


when i click on network neighborhood i get an alarm that says 192.168.1.xx has been blocked, which is the ip address of the router....

sorry that was 3 questions...just paranoid about security even though there's nothing of interest for anyone, unless someone can make my Diablo character a level 10:D
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

do i need to put zone alarm on all computers on LAN?
LinkLogger
Member
Posts: 41
Joined: Tue Apr 17, 2001 12:00 am

Post by LinkLogger »

When watching Link Logger you are correct to pay attention to the destination IP address for Incoming traffic. In some cases you will see an internal IP address as the destination address. This case can arise if you have port forwarding set to pass inbound traffic on some port to some system on your network. In this case the destination IP address reflects the IP address of the system the Linksys forwards the traffic to. Most of the time the destination address for inbound traffic will be the router, in which case it is blocked, unless you have placed a machine in the DMZ, in which case the destination address will be that system. I would suspect that triggers would also have this behavior. If you're not using port forwarding or DMZ then I would suggest enabling SPI. Please let me know if you're still seeing internal IP addresses and you don't have forwarding, DMZ, or triggering enabled, as these would be the most common reasons for seeing an internal IP address in the destination IP address for inbound traffic.

I trust Link Logger is doing its job for you.

Blake

Originally posted by pewterdawg
if it's not too much trouble, another question please.
my link logger says the destination ip address for incoming is my internal one, shouldn't it be the router address that i see as destination?

pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

DMZ host is 192.168.1.0
triggering is all 0's
forwarding is all 0's after 192.168.1.
dynamic routing disabled

on outbound traffic source ip is 192.168.1.100
in setup under status:

LAN: 192.168.1.1
Wan: 24.92.xxx.xxx
Wan ip to obtain automatically
DHCP server is enabled

does the IP for router need to be changed from default?
LinkLogger
Member
Posts: 41
Joined: Tue Apr 17, 2001 12:00 am

Post by LinkLogger »

It should be OK to leave it as is.
Originally posted by pewterdawg
does the IP for router need to be changed from default?
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

do the other settings look ok?
LinkLogger
Member
Posts: 41
Joined: Tue Apr 17, 2001 12:00 am

Post by LinkLogger »

Looks OK. Personally I don't put a dummy IP address in my DMZ, but a lot of people do.
Originally posted by pewterdawg
do the other settings look ok?
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

i like the link logger program, just wish it gave the outcome of what happened to the traffic. i.e. "blocked"
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

i read the setup pages @ speedguide. it said to put in the ip address, subnet mask, gateway and DNS address. i didn't do any of that. i just plugged it in, had computers obtain ip address automatically and started them up and they all work fine. it has my correct ip address of one of the computers in the WAN section, should that be the ip address of the router?
LinkLogger
Member
Posts: 41
Joined: Tue Apr 17, 2001 12:00 am

Post by LinkLogger »

Cheap rule of thumb, if it's inbound traffic with a non internal IP address as the destination IP, then it's blocked. The nature of NAT is like a door with a handle only on the inside. Unless something from the inside opens the door, nothing from the outside can get in (simplified description of a NAT).

Originally posted by pewterdawg
i like the link logger program, just wish it gave the outcome of what happened to the traffic. i.e "blocked"
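
The rule of thumb above, together with the earlier note about forwarding and DMZ, can be applied mechanically to a traffic log. This is an added example, not part of the thread and not Link Logger's code or log format: the record layout, the 203.0.113.10 WAN placeholder, the sample entries and the function names are assumptions; 192.168.1.0/24 is the LAN range quoted in the thread.

```python
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")  # LAN range quoted in the thread

# Constructed records: (direction, source, destination, destination port).
# Not Link Logger's real log format; 203.0.113.10 stands in for the WAN IP.
SAMPLE = [
    ("in", "198.51.100.7", "203.0.113.10", 111),
    ("in", "198.51.100.9", "203.0.113.10", 27234),
    ("in", "198.51.100.23", "192.168.1.100", 6699),
    ("out", "192.168.1.100", "198.51.100.50", 80),
]


def classify(record, forwards=frozenset(), dmz_host=None):
    """Label one record using the destination-address rule of thumb.

    forwards: (internal_ip, port) pairs forwarded by the router (assumed shape)
    dmz_host: internal IP placed in the DMZ, or None if the DMZ is unused
    """
    direction, _src, dst, dport = record
    if direction != "in":
        return "outbound"
    if ipaddress.ip_address(dst) not in LAN:
        # Rule of thumb: inbound with a non-internal destination is blocked.
        return "blocked-at-router"
    if (dst, dport) in forwards:
        return "forwarded"
    if dst == dmz_host:
        return "dmz"
    # Internal destination with no forward or DMZ entry: check port
    # triggering next; if that is off too, the entry deserves a closer look.
    return "unexplained-internal"


def summarize(records, **router_config):
    """Count records per label for a given router configuration."""
    return Counter(classify(r, **router_config) for r in records)


if __name__ == "__main__":
    for label, count in summarize(SAMPLE).items():
        print(f"{label}: {count}")
```
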
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

linklogger...all of my incoming is to internal ip address.
all outgoing is from router address
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

thanks, Ken i'll read this...
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

if the ports are closed or stealth, what does it matter how many probes i get if no one can get in. is this a correct assumption?
Dakota
Posts: 5694
Joined: Tue Oct 03, 2000 12:00 am
Location: Vancouver, Wa

Post by Dakota »

Stealth is best. A closed port tells the so-called hacker that the port is there, but is not accepting any requests. Stealth means that as far as a hacker/prober is concerned, the port does not even exist.

The best case scenario is that your computer behind your router should show 100% Stealth, without any firewalls running at all. The firewall then just becomes a safety net of sorts and a way to keep track of any software trying to get out to the Net, for whatever reason, good or bad. Software can only call out if you allow the request.
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

even if a "so-called" hacker knows your ip address can he/she connect if the ports are closed?
LinkLogger
Member
Posts: 41
Joined: Tue Apr 17, 2001 12:00 am

Post by LinkLogger »

No, but they might try probing other ports since they know you're there in order to find a chink in the armor. This isn't to say that stealth is any better, as they still might try probing other ports and see if one is available, but it's more unlikely.

Originally posted by pewterdawg
even if a "so-called" hacker knows your ip address can he/she connect if the ports are closed?
Dakota
Posts: 5694
Joined: Tue Oct 03, 2000 12:00 am
Location: Vancouver, Wa

Post by Dakota »

Yes. And not to mention that a hacker really wanting to hack something is not going to waste their time on someone's little home system that's locked pretty tight. There's much bigger fish to fry.

But, if they would happen to find the right ports, they'd toss you a trojan that they could call up later for a DDOS attack. With you behind your router and running a personal firewall, the chances of this happening are pretty extreme, especially if you're a 'normal' user.

And what I mean by normal is that you're not out there scarfing warez and making enemies on IRC or some such nonsense.

Everyone is vulnerable to some degree, but you can control that very easily and there's no need for you to be paranoid about being attacked with what you are doing and the setup you're running. You're pretty darn safe.
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

cool...that's all i want...be safe! all i want to do is email, a little surfing and play some Diablo, not have to build fortresses :D
Dakota
Posts: 5694
Joined: Tue Oct 03, 2000 12:00 am
Location: Vancouver, Wa

Post by Dakota »

And stay in touch with SG. With all the resources this site has -- read: people in the know -- you'll learn all you can right here about anything broadband.
Dakota
Posts: 5694
Joined: Tue Oct 03, 2000 12:00 am
Location: Vancouver, Wa

Post by Dakota »

Originally posted by Ken
Good answers Blue Jetta! ;)

Thanks Boss! You guys have learned me well. :)
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

thanks for all's help :D
LinkLogger
Member
Posts: 41
Joined: Tue Apr 17, 2001 12:00 am

Post by LinkLogger »

Having run a honey pot project similar to Lance Spitzner's (http://project.honeynet.org very good site to learn about advanced security, attack methods, detection, and plus Lance is just a damn good guy, etc), I can tell you that an unprotected Windows box with an open c:\ share will last no more than 24 hours on the internet before being compromised. Unpatched Linux boxes probably even less time given the leading hacker probe I see is RPC scans (port 111) which is a probe to look for unpatched Linux boxes to hack and root. Your Linksys Router is very good protection for people trying to hack you and by default all 65,535 ports are protected. About the only way someone can hack you is to social engineer you, i.e. get you to install their evil software.

We built Link Logger such that people can see what is happening at their Linksys. How much traffic there is, where that traffic is going, what traffic is arriving and from where, and what bad traffic there is, and something about the evil traffic (what it is, etc). Add on top of that a traffic analysis tool, reports and graphs and we hope that Link Logger helps you to understand your internet traffic.
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

i notice that scans on one computer are getting stopped by ZA
while on another it looks like stopping at router and no peep from ZA?
LinkLogger
Member
Posts: 41
Joined: Tue Apr 17, 2001 12:00 am

Post by LinkLogger »

Are you forwarding ports to that machine or have it in the DMZ??
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

no i used the defaults. the only thing different is that machine has Instant messenger and Napster on it.
LinkLogger
Member
Posts: 41
Joined: Tue Apr 17, 2001 12:00 am

Post by LinkLogger »

Could you give a sample??
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

SPI: Disable


Block WAN Request: Enabled
Multicast Pass Through: Enabled
IPSec Pass Through: Enabled
PPTP Pass Through: Disable
Remote Management: Disable
Remote Upgrade: Disable
MTU: Enable Size: 1500
LinkLogger
Member
Posts: 41
Joined: Tue Apr 17, 2001 12:00 am

Post by LinkLogger »

Sorry, I meant a sample of your zonealarm alarms.
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

oh, ok

they are just 27234 port scans to 24.92.xx.xx.xxx


ZA also blocks attempts from each comp from connecting to each other.

should i check the box "adapter subnets"

3com etherlink PCI= (192.168.1.1) which is the address of the router?
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

do the settings look right for the linksys?

what is Ipsec passthrough?
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

I don't use Napster either, but my 14 yo daughter does, i tried disabling it and telling her that it was down, but she's too smart for that one. "Dad, what did you do to Napster"? :rotfl:
W_I_Z_K_I_D
Regular Member
Posts: 363
Joined: Sun Jun 10, 2001 9:33 am
Location: !!!Your Computer-You Just Dont Know It YeT!!!

Post by W_I_Z_K_I_D »

hi GuYs:rotf

While we are on the topic of ROUTERS i was wondering (and HOPING)to see if there were any freeware ones that you knew of.>?
i think that it would be AwSoMe if there was...
is there.>?
!!!What Man Can Make
Man Can Brake!!! :irate:

Windows XP ( Service Pack 2 )
Pentium 4 (3) GHz
2.00 GB of RAM

** Zone Allarm Pro
** AVG Anti Virus
** Cookie Wall
** Pop Up Stopper
** Spy Bot
** Spy Ware Blasster
** Add Aware se Pro
** Ccleaner
** Clean Up
** Port Bloacker
** Tweek UI WIn XP
** Port Scanner


Dialup 56k
DialUp-Syd.IPrimus....56k(Motorola internal Modem)
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

Ken, she has her own. Napster is on her computer, it's connected to the router...also wife's computer is connected to router.
therein lies the problem. security for the whole network. that's what i'm trying to figure out. i read the article on NetBEUI. should i use that?

thanks,

ralph
pewterdawg
Member
Posts: 50
Joined: Sat Jun 02, 2001 5:09 pm
Location: Tampa Bay

Post by pewterdawg »

ok i'll give it a try...thanks

i noticed that the firmware update for linksys has a new item.
SPI: i should enable Stateful packet inspection: correct

man i've been reading everything i can find on the net, lots of different opinions. can you recommend a book or two? is there "Networking and Security for Dummies"? :D
LinkLogger
Member
Posts: 41
Joined: Tue Apr 17, 2001 12:00 am

Post by LinkLogger »

I enabled SPI, and I would recommend that other people should as well. NOTE that enabling SPI will stop any forwarded ports. So if you need port forwarding, do not enable SPI. Triggers still work correctly with SPI enabled.

Blake