Strange problem with software or hardware router..

on 17.02.2007 02:08:21 by developmental2

Hi all


I have narrowed down a strange phenomenon I get between my Win2k
computer network, router and NIS (Norton internet security) 2003. All
PC's in the network have Win2k, SP5 IE6 SP1, and NIS 2003 with all of
the updates. L2TP Cable internet is through 3Com wireless
Officeconnect 3CRWE554G72T router.


The problem is this: every few hours, one of the computers (any one,
not a particular one) will have a partial failure of internet service-
I can't browse the web but email, skype and FTP still work. After
10-30 minutes the problem rights itself. The other computers in the
network don't usually experience this problem in the same time (i.e.
they are fine except the one that doesn't work). I thought my router
has a hardware problem but then I noticed that every time the problem
happens, just before it my NIS 2003 reports a "portscan" of
192.168.1.1 (domain 53).

192.168.1.1 is of course, the router address...
I have tried to have the PC's configured statically (with DNS
servers) as well as DHCP automatic config, it doesn't improve the issue.
If I disable NIS 2003 and then immediately enable it, internet service
resumes...
I scanned all open ports with a web security site and it reports that
only port 113 is closed (the rest are stealthed).

That's as far as my networking skills go


Thanks...!

Re: Strange problem with software or hardware router..

on 17.02.2007 02:32:13 by unknown

Post removed (X-No-Archive: yes)

Re: Strange problem with software or hardware router..

on 17.02.2007 15:58:41 by Ansgar -59cobalt- Wiechers

developmental2@walla.com wrote:
> I have narrowed down a strange phenomenon I get between my Win2k
> computer network, router and NIS (Norton internet security) 2003. All
> PC's in the network have Win2k, SP5 IE6 SP1, and NIS 2003 with all of
> the updates. L2TP Cable internet is through 3Com wireless
> Officeconnect 3CRWE554G72T router.

There's no SP5 for Windows 2000.

> The problem is this: every few hours, one of the computers (any one,
> not a particular one) will have a partial failure of internet service-
> I can't browse the web but email, skype and FTP still work. After
> 10-30 minutes the problem rights itself. The other computers in the
> network don't usually experience this problem in the same time (i.e.
> they are fine except the one that doesn't work). I thought my router
> has a hardware problem but then I noticed that every time the problem
> happens, just before it my NIS 2003 reports a "portscan" of
> 192.168.1.1 (domain 53).

Congratulations. You just discovered why automatic network shunning
(like e.g. the "block attacker's IP address" feature implemented by
NoISe) is utterly braindead.

What you're experiencing is most likely this: NoISe regards incoming
traffic with the source IP of your router as an attack (for whatever
reason), and subsequently blocks the IP address of your router for about
half an hour. Bang! No Internet for this host.

[...]
> I scanned all open ports with a web security site and it reports that
> only port 113 is closed (the rest are stealthed).

"Stealth" is another braindead "feature" of NoISe. A computer is not
invisible just because it doesn't respond to echo requests.

Why do you need a personal firewall on your hosts anyway? Filter
unsolicited traffic on your network borders and remove NoISe from your
hosts.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
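
The failure mode described in the reply above, as an added example that is not part of the original thread and is not NIS's actual detection logic: a hypothetical shun heuristic that counts distinct local ports per remote IP, replayed over a constructed packet log. The threshold, window, sample packets and the `SCANNER` address are assumptions; only the gateway address, port 53 and the roughly half-hour block come from the posts.

```python
from collections import defaultdict

GATEWAY = "192.168.1.1"   # router address from the thread
SCANNER = "203.0.113.7"   # constructed documentation address
THRESHOLD = 5             # distinct local ports before "portscan" fires (assumed)
WINDOW = 60               # seconds the counter looks back (assumed)
BLOCK_SECONDS = 1800      # "about half an hour", as described in the thread

# Constructed packet log: (time_s, direction, remote_ip, remote_port, local_port)
SAMPLE = []
for i in range(6):        # six DNS lookups, each from a fresh ephemeral port
    SAMPLE.append((2 * i, "out", GATEWAY, 53, 1030 + i))
    SAMPLE.append((2 * i + 1, "in", GATEWAY, 53, 1030 + i))
for i, port in enumerate([21, 23, 80, 135, 139]):  # unsolicited probes
    SAMPLE.append((20 + i, "in", SCANNER, 40000 + i, port))


def run_shunner(packets, stateful):
    """Replay packets and return {remote_ip: blocked_until_s}."""
    seen = defaultdict(list)   # remote_ip -> [(time, local_port)]
    pending = set()            # flows this host initiated
    blocked = {}
    for t, direction, ip, rport, lport in packets:
        if direction == "out":
            pending.add((ip, rport, lport))
            continue
        if stateful and (ip, rport, lport) in pending:
            continue           # solicited reply, never counted as a probe
        hits = [(ts, p) for ts, p in seen[ip] if t - ts <= WINDOW]
        hits.append((t, lport))
        seen[ip] = hits
        if len({p for _, p in hits}) >= THRESHOLD:
            blocked.setdefault(ip, t + BLOCK_SECONDS)
    return blocked


if __name__ == "__main__":
    for mode in (False, True):
        result = run_shunner(SAMPLE, stateful=mode)
        print("stateful" if mode else "naive", result)
```

With `stateful=False` the gateway's own DNS replies trip the counter and the host shuns its resolver; matching replies against flows the host initiated leaves only the unsolicited source blocked.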

Re: Strange problem with software or hardware router..

on 17.02.2007 18:54:21 by developmental2

On Feb 17, 4:58 pm, Ansgar -59cobalt- Wiechers
wrote:
> development...@walla.com wrote:
> > I have narrowed down a strange phenomenon I get between my Win2k
> > computer network, router and NIS (Norton internet security) 2003. All
> > PC's in the network have Win2k, SP5 IE6 SP1, and NIS 2003 with all of
> > the updates. L2TP Cable internet is through 3Com wireless
> > Officeconnect 3CRWE554G72T router.
>
> There's no SP5 for Windows 2000.
>
> > The problem is this: every few hours, one of the computers (any one,
> > not a particular one) will have a partial failure of internet service-
> > I can't browse the web but email, skype and FTP still work. After
> > 10-30 minutes the problem rights itself. The other computers in the
> > network don't usually experience this problem in the same time (i.e.
> > they are fine except the one that doesn't work). I thought my router
> > has a hardware problem but then I noticed that every time the problem
> > happens, just before it my NIS 2003 reports a "portscan" of
> > 192.168.1.1 (domain 53).
>
> Congratulations. You just discovered why automatic network shunning
> (like e.g. the "block attacker's IP address" feature implemented by
> NoISe) is utterly braindead.
>
> What you're experiencing is most likely this: NoISe regards incoming
> traffic with the source IP of your router as an attack (for whatever
> reason), and subsequently blocks the IP address of your router for about
> half an hour. Bang! No Internet for this host.
>
> [...]
>
> > I scanned all open ports with a web security site and it reports that
> > only port 113 is closed (the rest are stealthed).
>
> "Stealth" is another braindead "feature" of NoISe. A computer is not
> invisible just because it doesn't respond to echo requests.
>
> Why do you need a personal firewall on your hosts anyway? Filter
> unsolicited traffic on your network borders and remove NoISe from your
> hosts.
>
> cu
> 59cobalt

Thanks for that. The reason I left NIS on my pc's is because I
figured the hardware NAT "firewall" is not the same as a real
firewall, i.e. it can't protect against many types of security risks
that something like NIS can (with all of its admitted flaws).
I have also thought about opening the 192.168.1.1 ip for unlimited
traffic on NIS (i.e. placing the gateway IP inside the NIS DMZ), but
isn't that the same as removing NIS?

Thanks

Re: Strange problem with software or hardware router..

on 18.02.2007 02:25:11 by Ansgar -59cobalt- Wiechers

developmental2@walla.com wrote:
> On Feb 17, 4:58 pm, Ansgar -59cobalt- Wiechers wrote:
>> development...@walla.com wrote:
>>> The problem is this: every few hours, one of the computers (any one,
>>> not a particular one) will have a partial failure of internet
>>> service- I can't browse the web but email, skype and FTP still work.
>>> After 10-30 minutes the problem rights itself. The other computers
>>> in the network don't usually experience this problem in the same
>>> time (i.e. they are fine except the one that doesn't work). I
>>> thought my router has a hardware problem but then I noticed that
>>> every time the problem happens, just before it my NIS 2003 reports a
>>> "portscan" of 192.168.1.1 (domain 53).
>>
>> Congratulations. You just discovered why automatic network shunning
>> (like e.g. the "block attacker's IP address" feature implemented by
>> NoISe) is utterly braindead.
>>
>> What you're experiencing is most likely this: NoISe regards incoming
>> traffic with the source IP of your router as an attack (for whatever
>> reason), and subsequently blocks the IP address of your router for
>> about half an hour. Bang! No Internet for this host.
>>
>> [...]
>>> I scanned all open ports with a web security site and it reports that
>>> only port 113 is closed (the rest are stealthed).
>>
>> "Stealth" is another braindead "feature" of NoISe. A computer is not
>> invisible just because it doesn't respond to echo requests.
>>
>> Why do you need a personal firewall on your hosts anyway? Filter
>> unsolicited traffic on your network borders and remove NoISe from
>> your hosts.
>
> Thanks for that. The reason I left NIS on my pc's is because I
> figured the hardware NAT "firewall" is not the same as a real
> firewall, i.e. it can't protect against many types of security risks
> that something like NIS can (with all of its admitted flaws).

If by "protect against many types of security risks" you mean
controlling which program communicates outbound: NoISe doesn't protect
against those risks, because the moment it detects a threat, your
security has already been compromised.

> I have also thought about opening the 192.168.1.1 ip for unlimited
> traffic on NIS (i.e. placing the gateway IP inside the NIS DMZ), but
> isn't that the same as removing NIS?

If you must keep using NoISe (for whatever reason): just disable the IP
blocking feature.

cu
59cobalt
--
"Personal Firewalls are crap. Throw away any personal firewall. Personal
Firewalls are bad[tm]."
--Malte von dem Hagen on security-basics