Router Issue.
on 16.10.2007 09:36:39 by Cornelia Parsley
Do I really need a router?
I am presently on a dial-up 56K connection, an average home user with a
desktop computer. My OS is WinXP SP2. I work with LUA, use the built-in
firewall and Seconfig XP.
I am going to subscribe to a high-speed internet service and the ISP will
also supply a 'Hatary HW-AA 101 wireless ADSL2+ router'. The router comes
with a Quick Installation Guide and a Starter Kit CD-ROM.
ISP connection number, username and initial password will be provided by the
ISP and have to be entered during installation. The program will then set up
the ADSL2+ router and connect to the Internet automatically.
According to Wikipedia, a router would be needed if a homeuser may want to
set up a LAN or WLAN and connect all computers to the Internet without
having to pay a full broadband subscription service to their ISP for each
computer on the network.
Since I am a single pc user, I was wondering if it is really necessary to
install this router.
Could I not just go to Network Connections | Network Tasks | Create a new
connection and use the New Connection Wizard to Set up my connection
manually?
(Though my ISP refers to this type of connection as PPPoE LLC and not
PPPoE).
Also, the Troubleshooting list of the Quick Installation Guide points out
that the TCP/IP setting in the network adapter of my pc should be set to obtain
an IP address and DNS.
Currently, the Service TCP/IP NetBIOS Helper is Disabled as are SMB and RPC
over TCP/IP.
Must these services be reinstated to achieve an ADSL connection?
TIA.
Re: Router Issue.
on 16.10.2007 11:18:22 by Burkhard Ott
On Tue, 16 Oct 2007 14:36:39 +0700, Cornelia Parsley wrote:
Hello,
> Do I really need a router?
no you don't.
> Could I not just go to Network Connections | Network Tasks | Create a new
> connection and use the New Connection Wizard to Set up my connection
> manually?
> (Though my ISP refers to this type of connection as PPPoE LLC and not
> PPPoE).
Sure you can, it uses the same stack.
> Also, the Trouble Shooting list of the Quick Installation Guide points out
> that the TCP/IP setting in network adapter of my pc should be set to obtain
> an IP address and DNS.
I'm pretty sure you have 'receive settings automatically' on your network
adapter; that is all you need. The same thing happens in the router itself.
> Currently, the Service TCP/IP NetBIOS Helper is Disabled as are SMB and RPC
> over TCP/IP.
>
> Must these services be re-instated to achieve ADSL connection?
No.
cheers
Re: Router Issue.
on 16.10.2007 12:35:15 by Mr. Arnold
"Cornelia Parsley" wrote in message
news:ff1pjt$ndp$1@aioe.org...
> Do I really need a router?
> I am presently on a dial-up 56K connection, an average homeuser with a
> desktop computer. My OS is WinXP SP2. I work with LUA, use the built-in
> firewall and Seconfig XP.
That's dial-up. But back a few years ago, they did have routers for dial-up,
and if I was solely using dial-up for a single machine, that router would be
sitting there to protect the machine from the Internet, even on a dial-up.
>
> I am going to subscribe to a high-speed internet service and the ISP will
> also supply a 'Hatary HW-AA 101 wireless ADSL2+ router'. The router comes
> with a Quick Installation Guide and a Starter Kit CD-ROM.
> ISP connection number, username and initial password will be provided by
> the ISP which have to be added during installation. The program will then
> setup the ADSL2+ router and make connection to the Internet automatically.
Why not? You do know that the router is a border device, and it acts more
like a FW solution than XP's FW/packet filter does or any other 3rd party
PFW/packet filter will do? The router has two interfaces. One
interface faces the WAN/Internet, the untrusted zone, and the other interface
faces the LAN, the trusted zone. One of the definitions of a FW is that it has at
least two interfaces.
The router sits in front of the machine and stops unsolicited scans and
attacks from reaching the computer, so that a personal FW/packet filter
along with the O/S (the PFW/packet filter must run with the O/S) doesn't
have to react to them, slowing the computer down from doing other things as
it reacts to the scans and attacks.
>
> According to Wikipedia, a router would be needed if a homeuser may want to
> set up a LAN or WLAN and connect all computers to the Internet without
> having to pay a full broadband subscription service to their ISP for each
> computer on the network.
That's part of it, but a router also provides protection for a machine
or machines from unsolicited scans and attacks from the Internet, as it sits
in front of the computer to stop them.
There is nothing wrong with a single machine sitting behind a router --
none -- and it is a better solution than just connecting the computer directly
to the modem, which is a direct connection to the Internet with no border device
in between the modem and the computer like a router.
You would be getting a NAT router.
http://www.homenethelp.com/web/explain/about-NAT.asp
>
> Since I am a single pc user, I was wondering if it is really necessary to
> install this router.
>
You don't, but some do try to do the right thing to provide better
protection. You do know that anything like a 3rd party PFW/packet filter or
even Windows XP's FW/packet filter can be taken out if malware hits the
computer and is executed, since it runs with the O/S, and the O/S can be
attacked too and taken out, leaving the computer wide open to the Internet.
It's kind of hard to take down the router, since it's a standalone device
and is not running with the O/S.
> Could I not just go to Network Connections | Network Tasks | Create a new
> connection and use the New Connection Wizard to Set up my connection
> manually?
> (Though my ISP refers to this type of connection as PPPoE LLC and not
> PPPoE).
>
Sure you can.
> Also, the Trouble Shooting list of the Quick Installation Guide points out
> that the TCP/IP setting in network adapter of my pc should be set to
> obtain an IP address and DNS.
> Currently, the Service TCP/IP NetBIOS Helper is Disabled as are SMB and
> RPC over TCP/IP.
Why not? The machine even on a dial-up connection is set to obtain an IP and
DNS, so why can't a NIC do it too? The computer's NIC can be set to not
network too, which you should have been doing on the dial-up as well. So
where is the problem?
>
> Must these services be re-instated to achieve ADSL connection?
Just remove the Client for MS Networks and MS File & Printer Sharing from
the NIC and tell the NIC to obtain an IP automatically, and you're good to
go.
IMHO, you need to do the right things like get the router, along with doing
some other things if the O/S will allow it.
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
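The border-device behaviour described in the post above (unsolicited inbound traffic dropped at the WAN side, solicited return traffic passed back to the PC), together with the point raised later in the thread that a bot on the PC is routed out just like the user's own traffic, shown as an added example that is not part of the thread and not code from any router vendor: a toy Python model of the connection-tracking NAT a home ADSL router performs. The NatRouter class, the addresses and the ports are constructed for illustration; real firmware adds state timeouts, port-forwarding rules and protocol helpers that this omits.

```python
"""Toy connection-tracking NAT, the mechanism a home ADSL router uses to
pass solicited return traffic while dropping unsolicited inbound packets.
Added example; addresses and ports are constructed, not taken from the thread."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Two interfaces: 'lan' (trusted) and 'wan' (untrusted). Outbound flows
    create state; inbound packets are forwarded only if they match it."""

    def __init__(self, wan_ip: str, first_port: int = 40000) -> None:
        self.wan_ip = wan_ip
        self.next_port = first_port
        # (proto, lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.out_table: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.in_table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.log: List[str] = []

    def handle(self, pkt: Packet, arrived_on: str) -> Optional[Packet]:
        """Return the translated packet to forward, or None if dropped."""
        if arrived_on == "lan":
            return self._outbound(pkt)
        if arrived_on == "wan":
            return self._inbound(pkt)
        raise ValueError(f"unknown interface {arrived_on!r}")

    def _outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        wan_port = self.out_table.get(key)
        if wan_port is None:
            # First packet of a new flow: allocate a WAN port and record state
            # so that replies from exactly this peer can find their way back.
            wan_port = self.next_port
            self.next_port += 1
            self.out_table[key] = wan_port
            self.in_table[(pkt.proto, wan_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        self.log.append(f"FORWARD out {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
                        f" as {self.wan_ip}:{wan_port}")
        # The router has no way to tell whether a user or a bot sent this.
        return replace(pkt, src=self.wan_ip, sport=wan_port)

    def _inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = None
        if pkt.dst == self.wan_ip:
            entry = self.in_table.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            # No LAN host asked for this: an unsolicited scan or attack.
            self.log.append(f"DROP in {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
                            " (no matching state)")
            return None
        lan_ip, lan_port = entry
        self.log.append(f"FORWARD in {pkt.src}:{pkt.sport} -> {lan_ip}:{lan_port}")
        return replace(pkt, dst=lan_ip, dport=lan_port)


def demo() -> Dict[str, int]:
    """Run a constructed traffic mix through the router; return counts."""
    pc, wan, web, scanner, mailhost = ("192.168.1.10", "198.51.100.7",
                                       "203.0.113.80", "203.0.113.66", "203.0.113.25")
    r = NatRouter(wan)
    counts = {"forwarded_out": 0, "forwarded_in": 0, "dropped_in": 0}

    def run(pkt: Packet, iface: str) -> Optional[Packet]:
        res = r.handle(pkt, iface)
        if iface == "lan":
            counts["forwarded_out"] += 1
        elif res is None:
            counts["dropped_in"] += 1
        else:
            counts["forwarded_in"] += 1
        return res

    # 1. The user browses to a web server: new state is created.
    out = run(Packet("tcp", pc, 51000, web, 80), "lan")
    # 2. The server's reply matches that state and is translated back to the PC.
    run(Packet("tcp", web, 80, wan, out.sport), "wan")
    # 3. Unsolicited scans of the WAN address (SMB, RDP) match nothing: dropped.
    run(Packet("tcp", scanner, 4444, wan, 445), "wan")
    run(Packet("tcp", scanner, 4445, wan, 3389), "wan")
    # 4. A bot on the PC sending mail: indistinguishable from user traffic, forwarded.
    run(Packet("tcp", pc, 51001, mailhost, 25), "lan")
    return counts


if __name__ == "__main__":
    print(demo())
```

The log the model keeps is the thing to look at: the two scan packets are dropped with no PC involvement at all, which is the "border device" argument, while the bot's outbound SMTP connection is forwarded exactly like the browser's, which is why the router on its own says nothing about whether the machine behind it is clean.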
Re: Router Issue.
on 16.10.2007 14:52:20 by Burkhard Ott
On Tue, 16 Oct 2007 06:35:15 -0400, Mr. Arnold wrote:
> "Cornelia Parsley" wrote in message
> news:ff1pjt$ndp$1@aioe.org...
>> Do I really need a router?
>> I am presently on a dial-up 56K connection, an average homeuser with a
>> desktop computer. My OS is WinXP SP2. I work with LUA, use the built-in
>> firewall and Seconfig XP.
>
> That's dial-up. But back a few years ago, they did have routers for dial-up,
> and if I was solely using dial-up for a single machine, that router would be
> sitting there to protect the machine from the Internet, even on a dial-up.
... or opening the backdoor; there are some funny devices out there, the last
I remember was a Linksys, and if you sent a special string to a special
port you got administrative access plus the WEP keys.
> Why not? You do know that the router is a border device, and it acts
> more like a FW solution than XP's FW/packet filter does or any other 3rd
> party PFW/packet filter will do? The router has two interfaces. One
> interface faces the WAN/Internet, the untrusted zone, and the other
> interface faces the LAN, the trusted zone. One of the definitions of a
> FW is that it has at least two interfaces.
Nope, it depends on the firmware; anything is possible, so the trusted
zone tells you that you trust it, but you never know.
Otherwise, and that's my solution, use an open-source OS and build your own
router; that should be the safest way in my opinion.
> The router sits in front of the machine and stops unsolicited scans and
depends on the configuration
> attacks from reaching the computer so that a personal FW/packet filter
> along with the O/S, which the PFW/packet filter must run with the O/S,
> don't react to them slowing the computer down from doing other things as
> they react to the scans and attacks.
the packet flow is still on the WAN line, so a slowdown might be
possible, but I've never seen somebody scanning so stupidly
>> According to Wikipedia, a router would be needed if a homeuser may want
>> to set up a LAN or WLAN and connect all computers to the Internet
>> without having to pay a full broadband subscription service to their
>> ISP for each computer on the network.
the little flash box is a computer with a small embedded OS which acts as a
router and filter (depends on the configuration)
> That's part of it, but a router also provides protection too for a
> machine or machines from unsolicited scans and attacks from the Internet,
> as it sits in front of the computer to stop them.
Nope, if you open with your browser a site which contains a PoC for your
browser you'll be infected; if you get an email with the super winner
chance and click that you'll be infected.
There is no chance for the router to detect that.
> There is nothing wrong with a single machine sitting behind a router --
> none -- and is a better solution than just connecting the computer
> directly to the modem, which is a direct connection to the Internet no
> border device in between the modem and the computer like a router
>I am going to subscribe to a high-speed internet service and the ISP will
>also supply a 'Hatary HW-AA 101 wireless ADSL2+ router'.
She wants to switch, doesn't she?
> You don't, but some do try to do the right thing to provide better
> protection. You do know that anything like a 3rd PFW/packet filter or
> even Window's XP FW/packet filter can be taken out if malware can hit
Doesn't matter; you could also place a bot on this computer (via
email, browser attacks or whatever), so the router will route all the traffic
which comes from this computer. Think about all the spam which comes from
dynamic dial-up addresses; those are mostly not spammers.
>
> IMHO, you need to do the right things like get the router. along with
> doing some other things if the O/S will allow it.
There is nothing wrong with a router, only the sentence "you're more
protected..".
"Security is a process not a product" (Bruce Schneier)
cheers
Re: Router Issue.
on 17.10.2007 00:58:13 by goarilla
Burkhard Ott wrote:
> "Security is a process not a product" (Bruce Schneier)
I think it is: security is a process, not a state.
And one has to strive, test, experiment, implement new ideas (e.g.
port knocking, WEP chaffing, ...) regarding security.
But we can say, however, that in general if you have a router in front of
your box you're more protected than you would be without (e.g. a direct
connection), but you're NOT secure.
Re: Router Issue.
on 17.10.2007 02:02:11 by Mr. Arnold
"Burkhard Ott" wrote in message
news:ff2c64$s3t$1@el-srv04-CHE.srvnet.eastlink.de...
> On Tue, 16 Oct 2007 06:35:15 -0400, Mr. Arnold wrote:
>
>> "Cornelia Parsley" wrote in message
>> news:ff1pjt$ndp$1@aioe.org...
>>> Do I really need a router?
>>> I am presently on a dial-up 56K connection, an average homeuser with a
>>> desktop computer. My OS is WinXP SP2. I work with LUA, use the built-in
>>> firewall and Seconfig XP.
>>
>> That's dial-up. But back a few years ago, they did have routers for
>> dial-up, and if I was solely using dial-up for a single machine, that
>> router would be sitting there to protect the machine from the Internet,
>> even on a dial-up.
>
> ... or opening the backdoor; there are some funny devices out there, the last
> I remember was a Linksys, and if you sent a special string to a special
> port you got administrative access plus the WEP keys.
>
>
That's wireless and that's Linksys. One egg doesn't apply to all solutions.
>> Why not? You do know that the router is a border device, and it acts
>> more like a FW solution than XP's FW/packet filter does or any other 3rd
>> party PFW/packet filter will do? The router has the two interfaces. One
>> interface faces the WAN/Internet the untrusted zone, and the other
>> interface faces the LAN the trusted zone. One of the definitions for a
>> FW is it at least two interfaces.
>
> Nope, it depends on the firmware; anything is possible, so the trusted
> zone tells you that you trust it, but you never know.
> Otherwise, and that's my solution, use an open-source OS and build your own
> router; that should be the safest way in my opinion.
I sit behind a WatchGuard when at home, if you know what that is about. When
I am on the road contracting, then I am using something like the Vista FW on
dial-up and wireless connections in a hotel or elsewhere.
The solution that you're talking about requires two things. 1) That one
knows the FW solution very well to use it and configure it properly. 2) That
one knows the O/S or platform. Both are learning curves that the average
home user CANNOT accomplish.
A router, a packet filter FW router or FW appliance is a plug it up and go
device that provides instant protection from the Internet and most need very
little configuration on the end-users part. Granted, some of these solutions
are more complicated than that. But the fact remains that for the most part,
one can take one of these devices out of the box and go with it.
>
>> The router sits in front of the machine and stops unsolicited scans and
>
> depends on the configuration
Yes. Some are stupid enough to connect the router to a computer acting as a
gateway with the router sitting behind it, when it should be the other way
around. But some have no choice but to do that. But most are going to do the
right thing and let the router act as the gateway device with what
protection it can provide from the Internet from unsolicited inbound
traffic.
>
>> attacks from reaching the computer so that a personal FW/packet filter
>> along with the O/S, which the PFW/packet filter must run with the O/S,
>> don't react to them slowing the computer down from doing other things as
>> they react to the scans and attacks.
>
> the packet flow is still on the WAN line, so a slowdown might be
> possible, but I've never seen somebody scanning so stupidly
What are you talking about?????? The router is going to stop unsolicited
scans and attacks from the Internet at the border. Let's clarify here. We
are talking about a home user sitting there with one machine, or maybe the
home user has two machines or more on a home network. We're not talking
about a business class solution, and the home user is really small potatoes in
the long run, unless they start opening ports for something like a Web server
that they have no business doing in the first place, because they don't
know how to protect the Web server nor the O/S or anything else.
>
>>> According to Wikipedia, a router would be needed if a homeuser may want
>>> to set up a LAN or WLAN and connect all computers to the Internet
>>> without having to pay a full broadband subscription service to their
>>> ISP for each computer on the network.
>
> the little flash box is a computer with a small embedded OS which acts as a
> router and filter (depends on the configuration)
>
>> That's part of it, but a router also provides protection too for a
>> machine or machines from unsolicited scans and attacks from the Internet,
>> as it sits in front of the computer to stop them.
>
> Nope, if you open with your browser a site which contains a PoC for your
> browser you'll be infected; if you get an email with the super winner
> chance and click that you'll be infected.
> There is no chance for the router to detect that.
Look man, the router's job is to stop unsolicited inbound traffic from
reaching the computer. That's the router's job. What you're talking about is
solicited traffic. Nothing can stop the user sitting behind the mouse doing
the pointing and clicking with the mouse or typing at the keyboard, doing
the solicitation for traffic. And no software running on the computer is
going to do it either, protect them from him or herself. Most PFW solutions
have snake-oil in them with the impression that it's some kind of security
blanket that's going to do just that. They can't do it.
>
>> There is nothing wrong with a single machine sitting behind a router --
>> none -- and is a better solution than just connecting the computer
>> directly to the modem, which is a direct connection to the Internet no
>> border device in between the modem and the computer like a router
>
>>I am going to subscribe to a high-speed internet service and the ISP will
>>also supply a 'Hatary HW-AA 101 wireless ADSL2+ router'.
>
> She wants to switch, doesn't she?
>
>> You don't, but some do try to do the right thing to provide better
>> protection. You do know that anything like a 3rd PFW/packet filter or
>> even Window's XP FW/packet filter can be taken out if malware can hit
>
> Doesn't matter; you could also place a bot on this computer (via
> email, browser attacks or whatever), so the router will route all the traffic
> which comes from this computer. Think about all the spam which comes from
> dynamic dial-up addresses; those are mostly not spammers.
If it's going to happen, then it's better that something is there that is
not going to be taken down as easily as something running on the computer
with the O/S that has a direct connection to the Internet. That's not the
case with a standalone border device. Its software is not running on the
computer, as opposed to the software running on the computer with the O/S
when it's knocked out. At least with the border device, the machine is not
left wide open to attack while connected to the Internet. Or maybe you
can't understand this, and you cannot think outside the box.
The other thing is one has to know that the computer has been compromised,
and no junk in PFW(s) is going to help to do that.
One has to use the right tools to make the discovery and most don't know
how to do it.
And if they do discover something, then most won't do the right thing either
and just wipe the machine out. One doesn't know what else can be there, but
they think they have gotten it when most likely they didn't get all of it.
>
>>
>> IMHO, you need to do the right things like get the router, along with
>> doing some other things if the O/S will allow it.
>
> There is nothing wrong with a router, only the sentence "you're more
> protected..".
Where did I say that? You point it out. All I said is that the machine is
better protected with the use of a border device such as a router, which can
be used in combination with other solutions. The router is NOT a stop all
and end all solution. The router's job is to stop unsolicited inbound scans
and attacks from the Internet from reaching the computer.
The router's job is NOT to protect the user from him or herself, and no
software running on the computer can do it either. The job of a PFW/packet
filter should be to filter inbound or outbound packets. Its job is not to be
trying to do all this other BS trying to protect the user from him or
herself that it cannot do.
>
> "Security is a process not a product" (Bruce Schneier)
>
I have been in this NG since year 2000. I have heard it all, seen it all,
and I have learned from the best. And I wouldn't connect to the Internet if
I have the control of it without a border device such as a packet filtering
FW router, FW appliance or gateway computer using a network FW solution
running on the machine with the machine/OS properly locked down to face the
Internet, which I don't include PFW(s)/personal packet filters running at
the machine level as they are NOT FW solutions. I don't care if it's a MS,
Linux, Apple or anything else solution.
And about the process thing, the buck stops with the end-user what he or she
is doing, not doing, knows how to do and what not to do.
And they can start here.
http://www.claymania.com/safe-hex.html
And then they can start here. You have already seen this.
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
And I want to make this clear. I am not in a debate with you about this. If
you start going in that direction, then I am going to drop you like a hot
potato. I don't think you can do it, as it doesn't seem that you could mind
your own business in the first place -- nothing against you personally. ;-)
Re: Router Issue.
on 17.10.2007 02:36:10 by Cornelia Parsley
Thanks for detailed explanation and links. I am going to install this
router :)
Best wishes...
Re: Router Issue.
on 17.10.2007 02:38:30 by Cornelia Parsley
Hi Burkhard,
Your response and clarification was very much appreciated. I am going to
install this router.
Best wishes...
"Burkhard Ott" wrote in message
news:ff2c64$s3t$1@el-srv04-CHE.srvnet.eastlink.de...
> Am Tue, 16 Oct 2007 06:35:15 -0400 schrieb Mr. Arnold:
>
>> "Cornelia Parsley" wrote in message
>> news:ff1pjt$ndp$1@aioe.org...
>>> Do I really need a router?
>>> I am presently on a dial-up 56K connection, an average homeuser with a
>>> desktop computer. My OS is WinXP SP2. I work with LUA, use the in-build
>>> firewall and Seconfig XP.
>>
>> That's dia-up. But back a few years ago, they did have routers for
>> dial-up,
>> and if I was soley using dial-up for a single machine, that router would
>> be
>> sitting there to protect the machine from the Internet, even on a
>> dial-up.
>
> .. or opening the backdoor, there are some funny devices out the, the last
> I remember was a Linksys and if you send an special string to a special
> port you got the administartive access plus the WEP Keys.
>
>> Why not? You do know that the router is a border device, and it acts
>> more like a FW solution than XP's FW/packet filter does or any other 3rd
>> party PFW/packet filter will do? The router has the two interfaces. One
>> interface faces the WAN/Internet the untrusted zone, and the other
>> interface faces the LAN the trusted zone. One of the definitions for a
>> FW is it at least two interfaces.
>
> Nope, depends on the firmware ther is everything possible, so the trusted
> zone tells you that you trust but you never know.
> Otherwise and thats my solution use an opensource os and build you own
> router, should be the safest way in my opinion.
>
>> The router sits in front of the machine and stops unsolicted scans and
>
> depends on the configuration
>
>> attacks from reaching the computer so that a psersonal FW/packet filter
>> along with the O/S, which the PFW/packet filter must run with the O/S,
>> don't react to them slowing the computer down from doing other things as
>> they react to the scans and attacks.
>
> the packset flow is still on the wan line, so a slow down might be
> possible, but I've never seen somebody who is scanning so stupid
>
>>> According to Wikipedia, a router would be needed if a homeuser may want
>>> to set up a LAN or WLAN and connect all computers to the Internet
>>> without having to pay a full broadband subscription service to their
>>> ISP for each computer on the network.
>
> the little flashbox is a coputer with a small embeded OS which acts as an
> router an filter (depends on the configuration)
>
>> That's part of it, but a router also provides protection too for a
>> machine or machines from unsolicited scans and attacks from the Internet,
>> as it sits in front of the computer to stop them.
>
> Nope, if you open with your browser a site which contains a PoC for your
> browser you'll be infected; if you get an email with the super winner
> chance and click that, you'll be infected.
> There is no chance for the router to detect that.
>
>> There is nothing wrong with a single machine sitting behind a router --
>> none -- and is a better solution than just connecting the computer
>> directly to the modem, which is a direct connection to the Internet, no
>> border device in between the modem and the computer like a router
>
>>I am going to subscribe to a high-speed internet service and the ISP will
>>also supply a 'Hatary HW-AA 101 wireless ADSL2+ router'.
>
> She wants to switch, doesn't she?
>
>> You don't, but some do try to do the right thing to provide better
>> protection. You do know that anything like a 3rd PFW/packet filter or
>> even Window's XP FW/packet filter can be taken out if malware can hit
>
> Doesn't matter, you also could place a bot on this computer (via
> email, browser attacks or whatever), so the router will route every traffic
> which comes from this computer; think about all the spam which comes from
> dynamic dial-up addresses, there are mostly no spammers
>
>>
>> IMHO, you need to do the right things like get the router, along with
>> doing some other things if the O/S will allow it.
>
> There is nothing wrong with a router, only the sentence "you're more
> protected..".
>
> "Security is a process not a product" (Bruce Schneier)
>
> cheers
Re: Router Issue.
on 17.10.2007 04:45:38 by MR. Arnold
You are welcome.
Here are two other links that will help with FW technology understanding. A
PFW/personal packet filter is NOT FW technology, and neither is NAT. NAT is
mapping technology.
http://www.vicomsoft.com/knowledge/reference/firewalls1.html
http://www.more.net/technical/netserv/tcpip/firewalls/
"Cornelia Parsley" wrote in message
news:ff3laj$3fc$1@aioe.org...
> Thanks for the detailed explanation and links. I am going to install this
> router :)
>
> Best wishes...
>
> "Mr. Arnold" wrote in message
> news:13h94vf2d03qfcc@corp.supernews.com...
>>
>> "Cornelia Parsley" wrote in message
>> news:ff1pjt$ndp$1@aioe.org...
>>> Do I really need a router?
>>> I am presently on a dial-up 56K connection, an average homeuser with a
>>> desktop computer. My OS is WinXP SP2. I work with LUA, use the in-build
>>> firewall and Seconfig XP.
>>
>> That's dial-up. But back a few years ago, they did have routers for
>> dial-up, and if I was solely using dial-up for a single machine, that
>> router would be sitting there to protect the machine from the Internet,
>> even on a dial-up.
>>
>>>
>>> I am going to subscribe to a high-speed internet service and the ISP
>>> will also supply a 'Hatary HW-AA 101 wireless ADSL2+ router'. The
>>> router comes with a Quick Installation Guide and a Starter Kit CD-ROM.
>>> ISP connection number, username and initial password will be provided by
>>> the ISP which have to be added during installation. The program will
>>> then setup the ADSL2+ router and make connection to the Internet
>>> automatically.
>>
>> Why not? You do know that the router is a border device, and it acts more
>> like a FW solution than XP's FW/packet filter does or any other 3rd party
>> PFW/packet filter will do? The router has the two interfaces. One
>> interface faces the WAN/Internet, the untrusted zone, and the other
>> interface faces the LAN, the trusted zone. One of the definitions for a FW
>> is that it has at least two interfaces.
>>
>> The router sits in front of the machine and stops unsolicited scans and
>> attacks from reaching the computer so that a personal FW/packet filter
>> along with the O/S, which the PFW/packet filter must run with the O/S,
>> don't react to them slowing the computer down from doing other things as
>> they react to the scans and attacks.
>>
>>>
>>> According to Wikipedia, a router would be needed if a homeuser may want
>>> to set up a LAN or WLAN and connect all computers to the Internet
>>> without having to pay a full broadband subscription service to their ISP
>>> for each computer on the network.
>>
>> That's part of it, but a router also provides protection too for a
>> machine or machines from unsolicited scans and attacks from the Internet,
>> as it sits in front of the computer to stop them.
>>
>> There is nothing wrong with a single machine sitting behind a router --
>> none -- and is a better solution than just connecting the computer
>> directly to the modem, which is a direct connection to the Internet, no
>> border device in between the modem and the computer like a router
>>
>> You would be getting a NAT router.
>>
>> http://www.homenethelp.com/web/explain/about-NAT.asp
>>
>>>
>>> Since I am a single pc user, I was wondering if it is really necessary
>>> to install this router.
>>>
>>
>> You don't, but some do try to do the right thing to provide better
>> protection. You do know that anything like a 3rd PFW/packet filter or
>> even Windows XP FW/packet filter can be taken out if malware can hit the
>> computer and is executed, since it runs with the O/S, and the O/S can be
>> attacked too and taken out leaving the computer wide open to the
>> Internet. It's kind of hard to take down the router, since it's a
>> standalone device and is not running with the O/S.
>>
>>> Could I not just go to Network Connections | Network Tasks | Create a
>>> new connection and use the New Connection Wizard to Set up my connection
>>> manually?
>>
>>> (Though my ISP refers to this type of connection as PPPoE LLC and not
>>> PPPoE).
>>>
>> Sure you can.
>>
>>> Also, the Trouble Shooting list of the Quick Installation Guide points
>>> out that the TCP/IP setting in network adapter of my pc should be set to
>>> obtain and IP address and DNS.
>>> Currently, the Service TCP/IP NetBIOS Helper is Disabled as are SMB and
>>> RPC over TCP/IP.
>>
>> Why not, the machine even on a dial-up connection is set to obtain an IP
>> and DNS so why can't a NIC do to it too? The computer's NIC can be set
>> to not network too, which you should have been doing on the dial-up as
>> well. So where is the problem?
>>
>>>
>>> Must these services be re-instated to achieve ADSL connection?
>>
>> Just remove the Client for MS Networks and MS File & Printer Sharing off
>> of the NIC and tell the NIC to Obtain an IP automatically, and you're
>> good to go.
>>
>>
>> IMHO, you need to do the right things like get the router, along with
>> doing some other things if the O/S will allow it.
>>
>> http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
>
Re: Router Issue.
on 17.10.2007 10:28:43 by Burkhard Ott
On Tue, 16 Oct 2007 20:02:11 -0400, Mr. Arnold wrote:
> That's wireless and that's Linksys. One egg doesn't apply to all solutions.
Do you have the firmware source code?
I read about several others, but mostly DoS issues.
> The solution that you're talking about requires two things. 1) That one
> knows the FW solution very well to use it and configure it properly. 2) That
> one knows the O/S or platform. Both are learning curves that the average
> home user CANNOT accomplish.
Nope, the scenario is pretty easy: track down a TCP fingerprint (most
devices also send you the firmware version), most devices support only
one RFC1918 network (NAT), so you can read the manual because most users
leave these IPs untouched, even DHCP. The rest is just using your brain and
hoping the target is a little stupid.
> A router, a packet filter FW router or FW appliance is a plug it up and
> go device that provides instant protection from the Internet and most
No, all devices I've seen have NAT from LAN to WAN from port 1 to 65535 on;
the goal is to place a piece of software on the client computer (not the
router), this software can connect from inside to outside, that's the way
you can do what you want.
Think about bot networks and especially why they exists.
As you write that wouldn't be possible, because your router protects you;
that's not true.
A router has usually only one sense: it's the point where your network 'asks'
for other networks (public IPs, all which are not in the broadcast); the
router itself only knows a way to these networks and forwards these packets,
nothing else.
The firewall on these cheap routers watches only src-ip to dst-ip, maybe
they track the connection (SYN, ESTABLISHED, RELATED etc.).
Think about the described scenario above: the piece of software, let's say,
is a keylogger and logs for user:pass in all TCP packets to port 110 etc.,
or better SSH connections, then you can maybe successfully enter a server.
After a while, if he has something nice, it sends an email, or transfers
the information via IRC, HTTP, whatever.
Your router will accept that traffic and I got what I want.
Now think about that without a router, you would have the same steps.
> need very little configuration on the end-users part. Granted, some of
> these solutions are more complicated than that. But the fact remains
> that for the most part, one can take one of these devices out of the box
> and go with it.
That's the point, if you click "block all evil" do you know all evil is now
outside? Have you disabled ActiveX in IE and some of these can still run?
I guess you understand what I mean.
> Yes. some are stupid enough to connect the router to a computer acting
> as a gateway with the router sitting behind it, when it should be the
> other way around. But some have no choice but to do that. But most are
> going to do the right thing and let the router act as the gateway device
> with what protection it can provide from the Internet from unsolicited
> inbound traffic.
read above
> What are you talking about?????? The router is going to stop unsolicited
> scans and attacks from the Internet at the border. Let's clarify here.
> We are talking about a home user sitting there with one machine or maybe
> the home user has two machines or more on a home network. We're not
> talking about business class solution, and the home user is really small
> potatoes in the long run, unless they start opening ports for something
> like a Web server that they have any business doing in the first place,
> because they don't know how to protect the Web server nor the O/S or
> anything else.
read above
>>> That's part of it, but a router also provides protection too for a
>>> machine or machines from unsolicited scans and attacks from the
>>> Internet, as it sits in front of the computer to stop them.
a router is designed to route packets; some can also act as a simple firewall
> Look man, the router's job is to stop unsolicited inbound traffic from
> reaching the computer. That's the router's job. What you're talking
> about is solicited traffic. Nothing can stop the user sitting behind the
> mouse doing the pointing and clicking with the mouse or typing at the
> keyboard, doing the solicitation for traffic. And no software running on
> the computer is going to do it either, protect them from him or herself.
> Most PFW solutions have snake-oil in them with the impression that it's
> some kind of security blanket that's going to do just that. They can't
> do it.
I only say you are not safer with a router, that's it.
> If it's going to happen, then it's better that something is there that
> is not going to be taken down so easily as something running on the
> computer with the O/S that has a direct connection to the Internet.
> That's not the case with a standalone border device. Its software is
> not running on the computer as opposed to the software running on the
> computer with the O/S when it's knocked out. At least with the border
Yes and no, when did you do your last firmware update on your WatchGuard?
> Or maybe, you can't understand this, and you cannot think
> out side the box.
Sure, there is no need to discuss like an a....
> The other thing is one has to know that the computer has been
> compromised, and no junk in PFW(s) are going to help to do that.
read above
> One have to use the right tools to make the discovery and most don't
> know how to do it.
Sure, because all are stupid.
>
That's absolutely the best site to get security information, all that's
written there is absolutely true.
BTW: They still haven't patched the URI hole in Outlook and IE.
>> There is nothing wrong with a router, only the sentence "you're more
>> protected..".
>
> Where did I say that? You point it out. All I said is that the machine
> is better protected with the use of a border device such as a router,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You told it again.
> a stop all and ends all solution. The router's job is to stop
> unsolicited inbound scans and attacks from the Internet from reaching
> the computer.
read above, a router routes packets.
> I have been in this NG since year 2000. I have heard it all, seen it
> all, and I have learned from the best. And I wouldn't connect to the
> Internet if I have the control of it without a border device such as a
> packet filtering FW router, FW appliance or gateway computer using a
> network FW solution running on the machine with the machine/OS properly
> locked down to face the Internet, which I don't include PFW(s)/personal
> packet filters running at the machine level as they are NOT FW
> solutions. I don't care if it's a MS, Linux, Apple or anything else
> solution.
Again, there is nothing wrong with that but you also could save the money
for the router.
> And about the process thing, the buck stops with the end-user what he or
> she is doing, not doing, knows how to do and what not to do.
Yep, that's the point, the result is you are not better protected with a
router.
> And they can start here.
>
> http://www.claymania.com/safe-hex.html
Sure, but Secunia, zone-h, SecurityFocus etc. are a little better, depends
on the person itself.
> And I want to make this clear. I am not in a debate with you about this.
> If you start going in that direction, then I am going to drop you like a
> hot potato. I don't think you can do it, as it doesn't seem that you
> could mind your own business in the first place -- nothing against you
> personally. ;-)
All I say is: You are not more secure if you use one of these
routers, no debate no stress.
Everybody can and should do what he wants.
cheers
Re: Router Issue.
on 17.10.2007 12:31:20 by MR. Arnold
"Burkhard Ott" wrote in message
news:ff4h3r$mla$1@el-srv04-CHE.srvnet.eastlink.de...
> On Tue, 16 Oct 2007 20:02:11 -0400, Mr. Arnold wrote:
>
>> That's wireless and that's Linksys. One egg doesn't apply to all
>> solutions.
>
> Do you have the firmware source code?
> I read about several others, but mostly DoS issues.
Does anyone have the source code? You have to know that this is a moot
point.
>
>
>> The solution that you're talking about requires two things. 1) That one
>> knows the FW solution very well to use it and configure it properly. 2)
>> That
>> one knows the O/S or platform. Both are learning curves that the average
>> home user CANNOT accomplish.
>
> Nope, the scenario is pretty easy: track down a TCP fingerprint (most
> devices also send you the firmware version), most devices support only
> one RFC1918 network (NAT), so you can read the manual because most users
> leave these IPs untouched, even DHCP. The rest is just using your brain and
> hoping the target is a little stupid.
>
The average home user knows nothing about this. So, this is a moot point as
well.
>> A router, a packet filter FW router or FW appliance is a plug it up and
>> go device that provides instant protection from the Internet and most
>
> No, all devices I've seen have NAT from LAN to WAN from port 1 to 65535 on;
> the goal is to place a piece of software on the client computer (not the
> router), this software can connect from inside to outside, that's the way
> you can do what you want.
This has nothing to do with it. A computer that has software that has
compromised the machine and is making solicitations to a remote IP is not
going to be stopped in this situation. I don't care what solution such as a
router, packet filtering FW router, FW appliance, PFW, packet filter or
whatever is being used. It's not going to be stopped. So what is your point?
> Think about bot networks and especially why they exists.
> As you write that wouldn't be possible, because your router protects you;
> that's not true.
Nothing is going to protect in this situation. What is your point?
> A router has usually only one sense: it's the point where your network 'asks'
> for other networks (public IPs, all which are not in the broadcast); the
> router itself only knows a way to these networks and forwards these packets,
> nothing else.
So what about a router that's using SPI? What about a router that's a
packet filtering FW router working with the OSI model to filter packets? You
know they do exist.
> The firewall on these cheap routers watches only src-ip to dst-ip, maybe
> they track the connection (SYN, ESTABLISHED, RELATED etc.).
> Think about the described scenario above: the piece of software, let's say,
> is a keylogger and logs for user:pass in all TCP packets to port 110 etc.,
> or better SSH connections, then you can maybe successfully enter a server.
> After a while, if he has something nice, it sends an email, or transfers
> the information via IRC, HTTP, whatever.
> Your router will accept that traffic and I got what I want.
> Now think about that without a router, you would have the same steps.
Once again, if the computer is compromised and software is doing this
running on the computer, it's not the router, FW appliance, gateway
computer running FW software or anything else's responsibility to stop it.
It's over and it's moot. I don't care if the solution cost $10,000 that's
sitting there.
>
>> need very little configuration on the end-users part. Granted, some of
>> these solutions are more complicated than that. But the fact remains
>> that for the most part, one can take one of these devices out of the box
>> and go with it.
>
> That's the point, if you click "block all evil" do you know all evil is now
> outside? Have you disabled ActiveX in IE and some of these can still run?
> I guess you understand what I mean.
Once again, this is a software situation/issue running on the computer, with
the O/S. It's whoever is sitting behind the mouse doing the pointing,
clicking and using the keyboard responsibility. One has to know what one
has, and what one is doing with any program, application or technology.
How is this the fault of the router? How is this the responsibility of the
router?
BTW, I am a programmer by profession, for Windows Web, desktop and client
server solutions, and I have been doing it since 1980. I do know what
you're talking about. You can take it to the bank too that I understand and
know what you're talking about.
>
>
>> Yes. some are stupid enough to connect the router to a computer acting
>> as a gateway with the router sitting behind it, when it should be the
>> other way around. But some have no choice but to do that. But most are
>> going to do the right thing and let the router act as the gateway device
>> with what protection it can provide from the Internet from unsolicited
>> inbound traffic.
>
> read above
And if you click block all with anything what does it mean. Your point is
moot.
>
>> What are you talking about?????? The router is going to stop unsolicited
>> scans and attacks from the Internet at the border. Let's clarify here.
>> We are talking about a home user sitting there with one machine or maybe
>> the home user has two machines or more on a home network. We're not
>> talking about business class solution, and the home user is really small
>> potatoes in the long run, unless they start opening ports for something
>> like a Web server that they have any business doing in the first place,
>> because they don't know how to protect the Web server nor the O/S or
>> anything else.
>
> read above
Sorry, I have no need to do it.
>
>>>> That's part of it, but a router also provides protection too for a
>>>> machine or machines from unsolicited scans and attacks from the
>>>> Internet, as it sits in front of the computer to stop them.
>
> a router is designed to route packets; some can also act as a simple firewall
Some can and are more than a simple FW. They cost considerably more than
$50-$70, a typical price for a router for home usage, and they are using
NAT too, which NAT is not FW technology.
>
>
>> Look man, the router's job is to stop unsolicited inbound traffic from
>> reaching the computer. That's the router's job. What you're talking
>> about is solicited traffic. Nothing can stop the user sitting behind the
>> mouse doing the pointing and clicking with the mouse or typing at the
>> keyboard, doing the solicitation for traffic. And no software running on
>> the computer is going to do it either, protect them from him or herself.
>> Most PFW solutions have snake-oil in them with the impression that it's
>> some kind of security blanket that's going to do just that. They can't
>> do it.
>
> I only say you are not safer with a router, that's it.
I disagree.
>
>> If it's going to happen, then it's better that something is there that
>> is not going to be taken down so easily as something running on the
>> computer with the O/S that has a direct connection to the Internet.
>> That's not the case with a standalone border device. Its software is
>> not running on the computer as opposed to the software running on the
>> computer with the O/S when it's knocked out. At least with the border
>
> Yes and no, when did you do your last firmware update on your WatchGuard?
I only update a firmware when there is a need to update the firmware due to
some functionality that I may need or a security related issue, just like
what you are doing with your Open Source solution you talked about. Just
because a vendor comes out with an update, does one need to go to an update?
In other words, if it's not broke, then you don't fix it in some cases and not
all cases.
>
>
>> Or maybe, you can't understand this, and you cannot think
>> out side the box.
>
> Sure, there is no need to discuss like an a....
To be honest, I don't think you can do it. I think you have a one track
mind.
>
>> The other thing is one has to know that the computer has been
>> compromised, and no junk in PFW(s) are going to help to do that.
>
> read above
You're not talking about anything I don't already know.
>
>> One have to use the right tools to make the discovery and most don't
>> know how to do it.
>
> Sure, because all are stupid.
That is, most are ignorant. It doesn't mean that they are stupid. You do know
the difference don't you, just like you were ignorant at one point?
>
>>
>
> That's absolutely the best site to get security information, all that's
> written there is absolutely true.
> BTW: They still haven't patched the URI hole in Outlook and IE.
So? I use them both and none of the machines I use have been compromised due
to it. Again, it all depends upon who is sitting behind the wheel and is
doing the driving.
>
>>> There is nothing wrong with a router, only the sentence "you're more
>>> protected..".
>>
>> Where did I say that? You point it out. All I said is that the machine
>> is better protected with the use of a border device such as a router,
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> You told it again.
I think it's in your mind, and you're reading into it what you want to read
into it.
>
>
>> a stop all and ends all solution. The router's job is to stop
>> unsolicited inbound scans and attacks from the Internet from reaching
>> the computer.
>
> read above, a router routes packets.
I guess you don't know what a packet filtering FW router is about. There are
FW routers that are more than some solution for home usage.
>
>> I have been in this NG since year 2000. I have heard it all, seen it
>> all, and I have learned from the best. And I wouldn't connect to the
>> Internet if I have the control of it without a border device such as a
>> packet filtering FW router, FW appliance or gateway computer using a
>> network FW solution running on the machine with the machine/OS properly
>> locked down to face the Internet, which I don't include PFW(s)/personal
>> packet filters running at the machine level as they are NOT FW
>> solutions. I don't care if it's a MS, Linux, Apple or anything else
>> solution.
>
> Again, there is nothing wrong with that but you also could save the money
> for the router.
There are a whole lot things that one can do or not do. The point is moot.
>
>> And about the process thing, the buck stops with the end-user what he or
>> she is doing, not doing, knows how to do and what not to do.
>
> Yep, that's the point, the result is you are not better protected with a
> router.
The router is a better solution in the overall protection from the Internet
for the home user than having a computer that is directly connected to the
modem, and therefore, it has a direct connection to the Internet, and
you're not going to convince me otherwise.
>
>> And they can start here.
>>
>> http://www.claymania.com/safe-hex.html
>
> Sure, but Secunia, zone-h, SecurityFocus etc. are a little better, depends
> on the person itself.
The point, the bottom line, is the buck stops with the O/S. It doesn't stop
anywhere else, and one's ability to run in a secure situation is based upon
knowledge.
>
>> And I want to make this clear. I am not in a debate with you about this.
>> If you start going in that direction, then I am going to drop you like a
>> hot potato. I don't think you can do it, as it doesn't seem that you
>> could mind your own business in the first place -- nothing against you
>> personally. ;-)
>
> All I say is: You are not more secure if you use one of these
> routers, no debate no stress.
You're not secure using a whole lot of things, if one doesn't know what he
or she is doing with the technology in the first place.
> Everybody can and should do what he wants.
That's the point. And did the OP listen to you, and not go with the router
based upon what you were and are saying? All I saw was he complemented his
security by including the router, a wise decision. ;-)
As the Rock would say, *IT DOESN'T MATTER!*
>
> cheers
I want to make this very clear. I have nothing against you personally. :)
Bye
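The two positions argued above (Burkhard Ott's point that a home router forwards whatever a program on the PC sends out, and Mr. Arnold's point that a NAT router with connection tracking drops unsolicited inbound scans at the border, and that NAT by itself is only address mapping) can be seen side by side in one toy model. This is an added illustration, not code from the thread or from any router vendor; the `HomeRouter` and `Packet` names, the LAN PC address, the scanner, web server and remote host addresses (taken from the RFC 5737 documentation ranges) and the `egress_allow` policy knob are all constructed for the example.

```python
"""Toy model of a home NAT router with stateful connection tracking.

Added illustration, not code from the thread. Addresses are constructed from
the RFC 5737 documentation ranges; the LAN uses an RFC 1918 prefix.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for the segment that opens a TCP connection


@dataclass
class HomeRouter:
    lan_prefix: str = "192.168.1."          # RFC 1918 LAN (constructed)
    wan_ip: str = "203.0.113.10"            # stands in for the ISP-assigned address
    # None = forward every outbound destination port, the usual home-router default.
    egress_allow: Optional[Set[int]] = None
    # Outbound 4-tuple -> WAN source port chosen by NAT (the "mapping" part).
    nat_out: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)
    # (WAN port, remote ip, remote port) -> (LAN ip, LAN port): the conntrack table.
    nat_in: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 40000
    log: List[str] = field(default_factory=list)

    def _is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the router, or None if it was dropped."""
        if self._is_lan(pkt.src_ip) and not self._is_lan(pkt.dst_ip):
            return self._outbound(pkt)
        if pkt.dst_ip == self.wan_ip:
            return self._inbound(pkt)
        self.log.append(f"DROP no route for {pkt.src_ip} -> {pkt.dst_ip}")
        return None

    def _outbound(self, pkt: Packet) -> Optional[Packet]:
        # Egress policy is the one knob that would catch a compromised LAN host;
        # with the default (None) the router forwards anything the host sends.
        if self.egress_allow is not None and pkt.dst_port not in self.egress_allow:
            self.log.append(f"DROP egress policy {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.nat_out:
            wan_port = self.next_port
            self.next_port += 1
            self.nat_out[key] = wan_port
            self.nat_in[(wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        wan_port = self.nat_out[key]
        self.log.append(f"NAT {pkt.src_ip}:{pkt.src_port} -> {self.wan_ip}:{wan_port} to {pkt.dst_ip}:{pkt.dst_port}")
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.syn)

    def _inbound(self, pkt: Packet) -> Optional[Packet]:
        # Accept only what a LAN host already solicited; anything else is dropped.
        entry = self.nat_in.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            self.log.append(f"DROP unsolicited {pkt.src_ip}:{pkt.src_port} -> {self.wan_ip}:{pkt.dst_port}")
            return None
        lan_ip, lan_port = entry
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.syn)


LAN_PC = "192.168.1.20"        # the single home PC behind the router (constructed)
SCANNER = "198.51.100.7"       # an Internet host probing the WAN address (constructed)
WEB_SERVER = "198.51.100.80"   # a site the user browses to (constructed)
REMOTE_HOST = "198.51.100.9"   # where software on the PC would phone home (constructed)


def unsolicited_scan(router: Optional[HomeRouter] = None) -> List[Optional[Packet]]:
    """Probes at ports never opened from inside: no conntrack entry, so all are dropped."""
    r = router or HomeRouter()
    return [r.forward(Packet(SCANNER, 4444, r.wan_ip, port, syn=True)) for port in (22, 135, 445, 3389)]


def browsing_round_trip() -> Optional[Packet]:
    """PC opens a connection to a web server; the server's reply is mapped back to the PC."""
    r = HomeRouter()
    out = r.forward(Packet(LAN_PC, 51000, WEB_SERVER, 80, syn=True))
    assert out is not None
    reply = Packet(WEB_SERVER, 80, out.src_ip, out.src_port)
    return r.forward(reply)


def compromised_host_dials_out(egress_allow: Optional[Set[int]] = None) -> bool:
    """A program already running on the PC opens an outbound connection; True if forwarded."""
    r = HomeRouter(egress_allow=egress_allow)
    return r.forward(Packet(LAN_PC, 52000, REMOTE_HOST, 6667, syn=True)) is not None


if __name__ == "__main__":
    print("unsolicited probes forwarded:", [p for p in unsolicited_scan() if p])
    print("web reply delivered to:", browsing_round_trip())
    print("outbound from compromised PC, default policy:", compromised_host_dials_out())
    print("same, with egress limited to 53/80/443:", compromised_host_dials_out({53, 80, 443}))
```

The model makes both posters' claims concrete: the four probes at the WAN address are dropped because nothing in the LAN solicited them (the conntrack lookup, not the address rewriting, is what drops them), the browsing reply is delivered because the PC opened that flow, and the connection opened by software already running on the PC passes with the default policy exactly as Burkhard Ott describes. The only part of the router that changes the last outcome is an outbound (egress) allow-list, which most home units ship without; that is the configuration to look for if the outbound case matters to you.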
Re: Router Issue.
on 17.10.2007 13:20:43 by Burkhard Ott
On Wed, 17 Oct 2007 06:31:20 -0400, Mr. Arnold wrote:
> "Burkhard Ott" wrote in message
> news:ff4h3r$mla$1@el-srv04-CHE.srvnet.eastlink.de...
>> On Tue, 16 Oct 2007 20:02:11 -0400, Mr. Arnold wrote:
>>
>>> That's wireless and that's Linksys. One egg doesn't apply to all
>>> solutions.
>>
>> Do you have the firmware source code?
>> I read about several others, but mostly DoS issues.
>
> Does anyone have the source code? You have to know that this is a moot
> point.
The point is you are not more secure with one of these routers; you
shouldn't suggest it to others.
> The average home user knows nothing about this. So, this is a moot point
> as well.
read above
> Nothing is going to protect in this situation. What is your point?
r.a.
> So what about a router that's using SPI? What about a router that's a
> packet filtering FW router working with the OSI model to filter packets? You
> know they do exist.
Have you ever seen a network device which supports TCP/IP and does not
work with the OSI model?
So every existing device which supports the TCP/IP stack has to work with it.
> Once again, if the computer is compromised and software is doing this
> running on the computer, it's not the router, FW appliance, gateway
> computer running FW software or anything else's responsibility to stop it.
> It's over and it's moot. I don't care if the solution cost $10,000 that's
> sitting there.
> Once again, this is a software situation/issue running on the computer,
> with the O/S. It's whoever is sitting behind the mouse doing the
> pointing, clicking and using the keyboard responsibility. One has to
> know what one has, and what one is doing with any program, application
> or technology. How is this the fault of the router? How is this the
> responsibility of the router?
It doesn't depend on the price; there are a lot of models which
could be compromised by buffer overflows (the filter inside the router is
mostly the problem), also the firmware is mostly pretty old etc., you name
it.
> BTW, I am a programmer by profession, for Windows Web, desktop and
> client server solutions, and I have been doing it since 1980. I do
> know what you're talking about. You can take it to the bank too that I
> understand and know what you're talking about.
And..? I am a system programmer under Unix/Linux, it has nothing to say.
> Some can and are more than a simple FW. They cost more than $50-$70
> considerably more than $50-$70, a typical price for a router for home
> usage, and they are using NAT too, which NAT is not FW technology.
has nothing to do with the price
>> I only say you are not safer with a router, that's it.
>
> I disagree.
Sure, accepted.
> I only update a firmware when there is a need to update the firmware due
> to some functionality that I may need or a security related issue, just
> like what you are doing with your Open Source solution you talked about.
> Just because a vendor comes out with an update, does one need to go to an
> update? In other words, if it's not broke, then you don't fix it in some
> cases and not all cases.
What I try to tell you is, it is never impossible to break in and no
device can protect you 100%.
> To be honest, I don't think you can do it. I think you have a one track
> mind.
No you're totally wrong.
> So? I use them both and none of the machines I use have been compromised
> due to it. Again, it all depends upon who is sitting behind the wheel
> and is doing the driving.
Absolutely right, read above and you find that you told others a router
makes it more secure; I said that's not true.
> I guess you don't know what a packet filtering FW router is about. There
> are FW routers that are more than some solution for home usage.
Ok, big guru, tell me what is the difference between a packet filter and the
filter in those routers.
Most devices run an embedded Linux/BSD with iptables or pf or similar.
Filters on the application layer look (mostly) only for the protocol code.
Now I am really curious what I can learn from you.
> That's the point. And did the OP listen to you, and not go with the
> router based upon what you were and are saying? All I saw was he
> complemented his security by including the router, a wise decision. ;-)
I understand and I disagree and wrote my points to that stuff.
> I want to make very clear. I have nothing against you personally. :)
Ok, I understood, I repeat it if necessary: you are not more secure with a
router.
cheers
Re: Router Issue.
on 17.10.2007 13:26:26 by goarilla
Mr. Arnold wrote:
>
> "Burkhard Ott" wrote in message
> news:ff4h3r$mla$1@el-srv04-CHE.srvnet.eastlink.de...
>> On Tue, 16 Oct 2007 20:02:11 -0400, Mr. Arnold wrote:
>>
>>> That's wireless and that's Linksys. One egg doesn't apply to all
>>> solutions.
>>
>> Do you have the firmware source code?
>> I read about several others, but mostly DoS issues.
>
> Does anyone have the source code? You have to know that this is a moot
> point.
>>
>>
>>> The solution that you're talking about requires two things. 1) That one
>>> knows the FW solution very well to use it and configure it properly.
>>> 2) That
>>> one knows the O/S or platform. Both are learning curves that the average
>>> home user CANNOT accomplish.
>>
>> Nope, the scenario is pretty easy: track down a TCP fingerprint (most
>> devices also send you the firmware version), most devices support only
>> one RFC1918 network (NAT), so you can read the manual because most users
>> leave these IPs untouched, even DHCP. The rest is just using your brain and
>> hoping the target is a little stupid.
>>
>
> The average home user knows nothing about this. So, this is a moot
> point as well.
>
>>> A router, a packet filter FW router or FW appliance is a plug it up and
>>> go device that provides instant protection from the Internet and most
>>
>> No, all devices I've seen have NAT from LAN to WAN from port 1 to 65535
>> on,
>> the goal is to place a piece of software on the client computer (not the
>> router), this software can connect from inside to outside, that's the way
>> you can do what you want.
>
> This has nothing to do with it. A computer that has software that has
> compromised the machine and is making solicitations to a remote IP is
> not going to be stopped in this situation. I don't care what solution
> such as a router, packet filtering FW router, FW appliance, PFW, packet
> filter or whatever is being used. It's not going to be stopped. So what
> is your point?
>
>> Think about bot networks and especially why they exist.
>> As you write that wouldn't be possible, because your router protects you,
>> that's not true.
>
> Nothing is going to protect in this situation. What is your point?
>
>> A router usually has only one sense, it's the point where your network 'asks'
>> for other networks (public IPs, all which are not in the broadcast), the
>> router itself only knows a way to these networks and forwards these
>> packets,
>> nothing else.
>
> So what about a router that's using SPI? What about a router that's a
> packet filtering FW router working with the OSI model to filter packets?
> You know they do exist.
>
>> The firewall on these cheap routers watches only src-ip to dst-ip, maybe
>> they track the connection (SYN, ESTABLISHED, RELATED etc.).
>> Think about the described scenario above, the piece of software let's say
>> is a keylogger and logs for user:pass in all TCP packets to port 110
>> etc.
>> or better an SSH connection, then you can successfully enter a server maybe.
>> After a while, if he has something nice, it sends an email, or transfers
>> the information via IRC, HTTP, whatever.
>> Your router will accept that traffic and I got what I want.
>> Now think about that without a router, you would have the same steps.
>
> Once again, if the computer is compromised and software is doing this
> running on the computer, it's not the router, FW appliance, gateway
> computer running FW software or anything else's responsibility to stop
> it. It's over and it's moot. I don't care if the solution cost $10,000
> that's sitting there.
>
>>
>>> need very little configuration on the end-users part. Granted, some of
>>> these solutions are more complicated than that. But the fact remains
>>> that for the most part, one can take one of these devices out of the box
>>> and go with it.
>>
>> That's the point, if you click "block all evil" do you know all evil is
>> now
>> outside? Have you disabled ActiveX in IE and some of these can still run?
>> I guess you understand what I mean.
>
> Once again, this is a software situation/issue running on the computer,
> with the O/S. It's whoever is sitting behind the mouse doing the
> pointing, clicking and using the keyboard responsibility. One has to
> know what one has, and what one is doing with any program,
> application or technology. How is this the fault of the router? How is
> this the responsibility of the router?
>
> BTW, I am a programmer by profession, for Windows Web, desktop and
> client server solutions, and I have been doing it since 1980. I do
> know what you're talking about. You can take it to the bank too that I
> understand and know what you're talking about.
>>
>>
>>> Yes, some are stupid enough to connect the router to a computer acting
>>> as a gateway with the router sitting behind it, when it should be the
>>> other way around. But some have no choice but to do that. But most are
>>> going to do the right thing and let the router act as the gateway device
>>> with what protection it can provide from the Internet from unsolicited
>>> inbound traffic.
>>
>> read above
>
> And if you click block all with anything what does it mean. Your point
> is moot.
>
>>
>>> What are you talking about?????? The router is going to stop unsolicited
>>> scans and attacks from the Internet at the border. Let's clarify here.
>>> We are talking about a home user sitting there with one machine or maybe
>>> the home user has two machines or more on a home network. We're not
>>> talking about business class solutions, and the home user is really small
>>> potatoes in the long run, unless they start opening ports for something
>>> like a Web server that they have any business doing in the first place,
>>> because they don't know how to protect the Web server nor the O/S or
>>> anything else.
>>
>> read above
>
> Sorry, I have no need to do it.
>
>>
>>>>> That's part of it, but a router also provides protection too for a
>>>>> machine or machines from unsolicited scans and attacks from the
>>>>> Internet, as it sits in front of the computer to stop them.
>>
>> a router is designed to route packets, some can also act as a simple firewall
>
> Some can and are more than a simple FW. They cost considerably more
> than $50-$70, a typical price for a router for home usage, and they
> are using NAT too, which NAT is not FW technology.
>
>>
>>
>>> Look man, the router's job is to stop unsolicited inbound traffic from
>>> reaching the computer. That's the router's job. What you're talking
>>> about is solicited traffic. Nothing can stop the user sitting behind the
>>> mouse doing the pointing and clicking with the mouse or typing at the
>>> keyboard, doing the solicitation for traffic. And no software running on
>>> the computer is going to do it either, protect them from him or herself.
>>> Most PFW solutions have snake-oil in them with the impression that it's
>>> some kind of security blanket that's going to do just that. They can't
>>> do it.
>>
>> I only say you are not safer with a router, that's it.
>
> I disagree.
>
>>
>>> If it's going to happen, then it's better that something is there that
>>> is not going to be taken down so easily. as something running on the
>>> computer with the O/S that has a direct connection to the Internet.
>>> That's not the case with a standalone border device. Its software is
>>> not running on the computer as opposed to the software running on the
>>> computer with the O/S when it's knocked out. At least with the border
>>
>> Yes and no, when did you do your last firmware update on your Watchguard?
>
> I only update a firmware when there is a need to update the firmware due
> to some functionality that I may need or a security related issue, just
> like what you are doing with your Open Source solution you talked about.
> Just because a vendor comes out with an update, does one need to go to an
> update? In other words, if it's not broke, then you don't fix it in some
> cases and not all cases.
>
>>
>>
>>> Or maybe, you can't understand this, and you cannot think
>>> out side the box.
>>
>> Sure, there is no need to discuss like an a....
>
> To be honest, I don't think you can do it. I think you have a one track
> mind.
>>
>>> The other thing is one has to know that the computer has been
>>> compromised, and no junk in PFW(s) is going to help to do that.
>>
>> read above
>
> You're not talking about anything I don't already know.
>
>>
>>> One have to use the right tools to make the discovery and most don't
>>> know how to do it.
>>
>> Sure, because all are stupid.
>
> That is, most are ignorant. It doesn't mean that they are stupid. You do
> know the difference, don't you, just like you were ignorant at one point?
>
>>
>>>
>>>
>>
>> That's absolutely the best site to get security information, all that is
>> written there is absolutely true.
>> BTW: They still haven't patched the URI hole in Outlook and IE.
>
> So? I use them both and none of the machines I use have been compromised
> due to it. Again, it all depends upon who is sitting behind the wheel
> and is doing the driving.
>
>
>>
>>>> There is nothing wrong with a router, only the sentence "you're more
>>>> protected..".
>>>
>>> Where did I say that? You point it out. All I said is that the machine
>>> is better protected with the use of a border device such as a router,
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> You told it again.
>
> I think it's in your mind, and you're reading into it what you want to
> read into it.
>
>>
>>
>>> a stop all and ends all solution. The router's job is to stop
>>> unsolicited inbound scans and attacks from the Internet from reaching
>>> the computer.
>>
>> read above, a router routes packets.
>
> I guess you don't know what a packet filtering FW router is about. There
> are FW routers that are more than some solution for home usage.
>
>>
>>> I have been in this NG since year 2000. I have heard it all, seen it
>>> all, and I have learned from the best. And I wouldn't connect to the
>>> Internet if I have the control of it without a border device such as a
>>> packet filtering FW router, FW appliance or gateway computer using a
>>> network FW solution running on the machine with the machine/OS properly
>>> locked down to face the Internet, which I don't include PFW(s)/personal
>>> packet filters running at the machine level as they are NOT FW
>>> solutions. I don't care if it's a MS, Linux, Apple or anything else
>>> solution.
>>
>> Again, there is nothing wrong with that but you also could save the money
>> for the router.
>
> There are a whole lot things that one can do or not do. The point is moot.
>>
>>> And about the process thing, the buck stops with the end-user what he or
>>> she is doing, not doing, knows how to do and what not to do.
>>
>> Yep, that's the point, the result is you are not better protected with a
>> router.
>
> The router is a better solution in the overall protection from the
> Internet for the home user than having a computer that is directly
> connected to the modem, and therefore, it has a direct connection to
> the Internet, and you're not going to convince me otherwise.
>>
>>> And they can start here.
>>>
>>> http://www.claymania.com/safe-hex.html
>>
>> Sure, but Secunia, zone-h, SecurityFocus etc. are a little better,
>> depends
>> on the person itself.
>
> The point, the bottom line, is the buck stops with the O/S. It doesn't
> stop anywhere else, and one's ability to run in a secure situation is based
> upon knowledge.
>
>>
>>> And I want to make this clear. I am not in a debate with you about this.
>>> If you start going in that direction, then I am going to drop you like a
>>> hot potato. I don't think you can do it, as it doesn't seem that you
>>> could mind your own business in the first place -- nothing against you
>>> personally. ;-)
>>
>> All I say is: You are not more secure if you're using one of these
>> routers, no debate, no stress.
>
> You're not secure using a whole lot of things, if one doesn't know what
> he or she is doing with the technology in the first place.
>
>> Everybody can and should do what he want.
>
> That's the point. And did the OP listen to you, and not go with the
> router based upon what you were and are saying? All I saw was he
> complemented his security by including the router, a wise decision. ;-)
>
> As the Rock would say, *IT DOESN'T MATTER!*
>
>>
>> cheers
>
> I want to make this very clear. I have nothing against you personally. :)
>
> Bye
>
I'm sorry to reply to this post but I was just reading it while I was
eager to ask this:
you are clearly against personal firewalls on workstations, but what
about dedicated machines with personal firewalls, e.g. a shorewall,
monowall or OpenBSD firewall for instance? Or is your opinion just that
all of them are simply snake oil and the only way to go for security
appliances is dedicated hardware solutions (e.g. the code is firmware)?
Because I do use personal firewalls on my workstations since I don't
have a dedicated firewall sitting between my NAT router and switch. Now,
in your opinion, should I just flush all my iptables, remove inetd,
remove Comodo on Windows machines and just buy one hw firewall appliance?
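The quoted exchange turns on what the stateful filter in a consumer NAT router does and does not do. The following is an added example, not code from the thread or from any router vendor: a toy connection-tracking filter (the addresses, port numbers and egress allow-list are all constructed) that drops unsolicited inbound SYNs, as Mr. Arnold says, but by default passes any flow the LAN side opens first, including the callback of software already running inside, as Burkhard says; an optional egress allow-list shows the one setting that would at least log such a callback.

```python
"""Toy model of a home NAT router's stateful packet filter (constructed example)."""
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."   # RFC1918 LAN side, constructed


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulFilter:
    """LAN->WAN is allowed (optionally restricted by an egress allow-list);
    WAN->LAN is accepted only if it belongs to a flow the LAN side opened."""

    def __init__(self, egress_ports=None):
        self.conntrack = set()          # flows keyed from the LAN side's view
        self.egress_ports = egress_ports  # None = allow all outbound (router default)
        self.log = []                    # what a defender could actually see

    @staticmethod
    def _is_lan(ip):
        return ip.startswith(LAN_PREFIX)

    def process(self, p):
        outbound = self._is_lan(p.src_ip) and not self._is_lan(p.dst_ip)
        inbound = self._is_lan(p.dst_ip) and not self._is_lan(p.src_ip)
        if outbound:
            key = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
            if key in self.conntrack:
                return "ACCEPT ESTABLISHED"
            if self.egress_ports is not None and p.dst_port not in self.egress_ports:
                self.log.append(f"egress-deny {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
                return "DROP EGRESS"
            self.conntrack.add(key)      # a new flow the LAN asked for
            return "ACCEPT NEW"
        if inbound:
            key = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
            if key in self.conntrack:    # reply to a flow we opened
                return "ACCEPT ESTABLISHED"
            self.log.append(f"unsolicited {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
            return "DROP UNSOLICITED"
        return "DROP"                    # neither direction matches: not routed


def demo():
    """Run the thread's scenarios through the filter; returns the verdicts."""
    pc, scanner, web, irc = "192.168.1.10", "203.0.113.5", "198.51.100.7", "198.51.100.9"
    router = StatefulFilter()                       # typical consumer default
    strict = StatefulFilter(egress_ports={80, 443, 110})  # constructed allow-list
    out = {}
    # 1. Inbound scan of the PC's SSH port: no LAN-side flow, so dropped.
    out["unsolicited_ssh"] = router.process(Packet(scanner, 40000, pc, 22))
    # 2. Browsing: the PC opens HTTPS, the reply matches the tracked flow.
    out["https_new"] = router.process(Packet(pc, 50000, web, 443))
    out["https_reply"] = router.process(Packet(web, 443, pc, 50000))
    # 3. An implant on the PC calls out to IRC: the default router passes it.
    out["irc_callback_default"] = router.process(Packet(pc, 50001, irc, 6667))
    # 4. The same callback against an egress allow-list is dropped and logged.
    out["irc_callback_egress"] = strict.process(Packet(pc, 50001, irc, 6667))
    out["egress_log"] = strict.log[-1]
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```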
Re: Router Issue.
on 17.10.2007 13:36:06 by Ansgar -59cobalt- Wiechers
goarilla <"kevin DOT paulus AT skynet DOT be"> wrote:
> I'm sorry to reply to this post but I was just reading it while I was
> eager to ask this:
> you are clearly against personal firewalls on workstations, but what
> about dedicated machines with personal firewalls, e.g. a shorewall,
> monowall or OpenBSD firewall for instance?
Those are not personal firewalls.
Aside from that: trim your quotes.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: Router Issue.
on 17.10.2007 15:25:24 by MR. Arnold
> I'm sorry to reply to this post but I was just reading it while I was
> eager to ask this:
> you are clearly against personal firewalls on workstations, but what about
> dedicated machines
> with personal firewalls, e.g. a shorewall, monowall or OpenBSD firewall for
> instance?
> Or is your opinion just that all of them are simply snake oil and the only
> way to go for security
> appliances is dedicated hardware solutions (e.g. the code is firmware)?
No I didn't say that, I got nothing against packet filters as long as they
are acting as packet filters. If a personal FW or personal packet filter
starts going beyond that with application control and things of that
nature, then I have a problem with that. It's snake-oil those features in
the packet filter, trying to protect the end-user from his or herself that
the features cannot do. I will disable those features.
I use the Vista packet filter on the laptop computer while away from my
Watchguard FW appliance. When I am at home, then I have no need for any
packet filter running on the Windows or Linux machines. I want to make a
point that this is my situation. It may not fit your situation, depending
upon who else is on your LAN that you may need to protect the machine from,
using a personal packet filter on the machine.
>
> Because I do use personal firewalls on my workstations since I don't have
> a dedicated firewall sitting
I have been in shops that not only had a $10,000 FW solution protecting from
the Internet, but all the machines had the XP pro FW enabled too.
> between my NAT router and switch. Now, in your opinion, should I just flush
> all my iptables, remove inetd, remove Comodo on
> Windows machines and just buy one hw firewall appliance?
I would say to get a FW router or a low-end FW appliance to better protect
the LAN and the machines on the LAN from the Internet. What other protection
you may need to provide beyond that you'll need to make that determination.
May I suggest that you read the two links that I gave with my last post to
the OP. You should understand *What is a FW* and *What does the FW do?* in
the first link. If the solutions you're talking about don't use two or more
NIC(s) facing the WAN/Internet and use one or more NIC(s) facing the LAN,
then it's not a FW solution and is just a machine level packet filter.
I'll paste it here. I have to get a little sleep before I have this
phone interview at 2:30 pm.
Bye
What is a firewall?
A firewall protects networked computers from intentional hostile intrusion
that could compromise confidentiality or result in data corruption or denial
of service. It may be a hardware device (see Figure 1) or a software program
(see Figure 2) running on a secure host computer. In either case, it must
have at least two network interfaces, one for the network it is intended to
protect, and one for the network it is exposed to.
A firewall sits at the junction point or gateway between the two networks,
usually a private network and a public network such as the Internet. The
earliest firewalls were simply routers. The term firewall comes from the
fact that by segmenting a network into different physical subnetworks, they
limited the damage that could spread from one subnet to another just like
firedoors or firewalls.
Figure 1: Hardware Firewall (hardware firewall providing protection to a
local network)
Re: Router Issue.
on 17.10.2007 15:29:12 by MR. Arnold
There is nothing else to discuss with you as you have missed the point
entirely.
Bye
Re: Router Issue.
on 17.10.2007 16:08:42 by Sebastian Gottschalk
Mr. Arnold wrote:
>
>
>> I'm sorry to reply to this post but I was just reading it while I was
>> eager to ask this:
>> you are clearly against personal firewalls on workstations, but what about
>> dedicated machines
>> with personal firewalls, e.g. a shorewall, monowall or OpenBSD firewall for
>> instance?
>> Or is your opinion just that all of them are simply snake oil and the only
>> way to go for security
>> appliances is dedicated hardware solutions (e.g. the code is firmware)?
>
> No I didn't say that, I got nothing against packet filters as long as they
> are acting as packet filters. If a personal FW or personal packet filter
Ah, at first a PFW should even get so far as to become a usable packet filter
at all. That means:
- not being vulnerable to decade-old attacks (IP fragment reassembly...)
- not being vulnerable to trivial DoS conditions (SYN/FIN/ICMP/UDP flooding)
- providing access to TCP flags, packet filter states and Layer 7 states (if
it interprets such protocols) in the rules
- scriptability
> starts going beyond that with application control and things of that
> nature, then I have a problem with that. It's snake-oil those features in
> the packet filter, trying to protect the end-user from his or herself that
> the features cannot do. I will disable those features.
You typically can't. It will still hook functions and still be vulnerable to
DoS and validation problems (typically leading to privilege escalation).
Re: Router Issue.
on 17.10.2007 22:59:19 by goarilla
Sebastian G. wrote:
> Mr. Arnold wrote:
>
>>
>>
>>> I'm sorry to reply to this post but I was just reading it while I was
>>> eager to ask this:
>>> you are clearly against personal firewalls on workstations, but what
>>> about
>>> dedicated machines
>>> with personal firewalls, e.g. a shorewall, monowall or OpenBSD firewall for
>>> instance?
>>> Or is your opinion just that all of them are simply snake oil and the
>>> only
>>> way to go for security
>>> appliances is dedicated hardware solutions (e.g. the code is firmware)?
>>
>> No I didn't say that, I got nothing against packet filters as long as
>> they
>> are acting as packet filters. If a personal FW or personal packet filter
>
>
> Ah, at first a PFW should even get so far as to become a usable packet
> filter at all. That means:
>
> - not being vulnerable to decade-old attacks (IP fragment reassembly...)
> - not being vulnerable to trivial DoS conditions (SYN/FIN/ICMP/UDP
> flooding)
> - providing access to TCP flags, packet filter states and Layer 7 states
> (if it interprets such protocols) in the rules
> - scriptability
>
Ok, iptables doesn't allow filtering on application headers,
but you can however only allow certain apps.
>> starts going beyond that with application control and things of that
>> nature, then I have a problem with that. It's snake-oil those features in
>> the packet filter, trying to protect the end-user from his or herself
>> that
>> the features cannot do. I will disable those features.
>
>
> You typically can't. It will still hook functions and still be
> vulnerable to DoS and validation problems (typically leading to
> privilege escalation).
Re: Router Issue.
on 18.10.2007 00:15:23 by Sebastian Gottschalk
goarilla wrote:
> Ok, iptables doesn't allow filtering on application headers,
> but you can however only allow certain apps.
iptables/netfilter doesn't filter by applications/PIDs/whatever, only by
e(U|G)ID at best, and even that just for management issues. Anything beyond
is the scope of SELinux, and even there it's just for completeness, not for
actually providing any hard security boundary.
Re: Router Issue.
on 18.10.2007 00:45:34 by goarilla
Sebastian G. wrote:
> goarilla wrote:
>
>
>> Ok, iptables doesn't allow filtering on application headers,
>> but you can however only allow certain apps.
>
>
> iptables/netfilter doesn't filter by applications/PIDs/whatever, only by
> e(U|G)ID at best, and even that just for management issues. Anything
> beyond is the scope of SELinux, and even there it's just for
> completeness, not for actually providing any hard security boundary.
From the man page:

    --cmd-owner name
        Matches if the packet was created by a process with the given
        command name. (this option is present only if iptables was
        compiled under a kernel supporting this feature)

Of course this is only for outbound traffic,
and if you rename a cmd to an allowed command all bets are off.
Re: Router Issue.
on 23.10.2007 03:09:56 by unknown
Post removed (X-No-Archive: yes)
Re: Router Issue.
on 23.10.2007 03:26:28 by Sebastian Gottschalk
WaIIy wrote:
> I use Zone Alarm Pro and have no troubles.
That's an obvious contradiction.
Re: Router Issue.
on 25.10.2007 22:40:03 by goarilla
Sebastian G. wrote:
> WaIIy wrote:
>
>> I use Zone Alarm Pro and have no troubles.
>
>
> That's an obvious contradiction.
You really hate ZA, don't you? :D
Re: Router Issue.
on 26.10.2007 02:31:52 by Sebastian Gottschalk
goarilla wrote:
> Sebastian G. wrote:
>> WaIIy wrote:
>>
>>> I use Zone Alarm Pro and have no troubles.
>>
>> That's an obvious contradiction.
> You really hate ZA, don't you? :D
Not actually. I just know how to recognize malicious software, being
malicious either by intent or by total incompetence. And I'm not afraid to
tell this honestly to others.