Firewall for broadband connection

Dear fellow-subscribers of this NG,

I have a question about the following. For a while now my father (he's retired and has a lot of spare time) has had a broadband connection, on just one computer, without doing anything special, only surfing, emailing and adjusting his favorite toy, the Beatnik atomic clock. I have installed ZA on his computer, which blocks a lot of attacks, as he spends a lot of time surfing the web (he is crazy about it now that he has his broadband connection ;-)). I have considered buying a hardware firewall for him. I know there have been very lengthy discussions about whether router-firewalls are really firewalls or not, and I do not understand everything said in those discussions. Of course he has an anti-virus program installed (AVG from Grisoft), and I have managed to get a very strict "no opening of email attachments" policy into his head. He is also very strict about checking the automatic update process, so threats from inside his computer are probably less likely to be important.

I have found the following device I considered of interest:

formatting link
My questions are (supposing I would buy & install this device) (and please bear in mind that I am not a network expert at all, I am a newbie to this):

  1. Would the protection given by this be better or worse than that given by Zone Alarm?
  2. Can the system function safely without Zone Alarm installed, or would it still be needed (and in that case, would it add anything or just be useless)? And does my father, in his very simple "setting" or "environment", miss much from the more expensive devices, or are they only needed when e.g. running some sort of server?
  3. Is configuring a device like that difficult?
  4. How does the device update itself? Automatically, without my father having to care about it? (I may be a newbie, but he is even more ignorant, and I can't visit him every minute of the day.)
  5. Is it possible (well, it will be possible, but will it be possible for me after doing some reading and researching on the web? I am a newbie but am a quick learner and am a bit above the average computer user, though not an expert) to install a program which allows me to control his computer when using such a device? (My father is an expert at messing things up, so it would be VERY handy if I could fix some things from my place.) I suppose this question is closely related to question 3. BTW, if there is some sort of program that You would specifically recommend for doing this, Your input would be very much appreciated (I realise this is OT).
  6. Are there other devices, let's say below 200 euros (suppose that can be more or less compared to 200 US$, it's just an indication), that You would recommend above this one? If so, which one(s)? Wireless is not needed as his computer is only 4 m away from the access point.
  7. Any other suggestions?

The following is on behalf of my father as well: First of all, thank You already for reading my long (boring) posting! Second: Thank You very much in advance for any replies! Third: English is not my mother tongue, so please be so kind as to forgive me my errors...

Yours sincerely, Rene

Reply to
René

Anything NOT running on his computer is better - reasoning being that he can make a mistake and let something through with ZA, and with the router/firewall appliance he won't be able to configure it.

Yes, without ZA, the system would still be protected, but with ZA, the system could detect a problem if he compromises his own system. The dual layered approach is favorable for people that are likely to be infected.

I reviewed this last night and thought it was a nice SOHO unit. It does not appear to be drop-in ready, but seems like it would be simple to install for my mother-in-law. The manual is very nicely laid out and seems easy to understand. I'm ordering one to test with.

No, it clearly needs user intervention to apply updates. In most cases, appliances only need updates for enhancing features, most of the updates are not to further harden the device. (most of the ones I work with are very hardened and only add features through updates, but there are some security updates). With this device, since there is little talk of it in the groups, it would be hard to say how often they issue updates.

Yes, you could do a remote connection many ways - you could buy the VPN version that permits you to make a direct connection to the unit itself, which would let you access his computer. You could also install VNC on his computer, set it to run on a non-standard port (like 34912), then connect across the internet to VNC on 34912, and make sure that it's passworded (with a strong password). If you get one of the remote control programs that doesn't show an icon on the task bar he would not know it's there - so he wouldn't have an opportunity to mess with it :)

In his case, as well as many home users, it would appear that all he needs is a simple NAT device, most run about $50 US. If you were to install a cheap Linksys BEFSR41 unit, keep ZA on his computer, and get something like Norton Antivirus 2005 for him, he should be safe. I use AVG, but install NAV for home users that can afford to purchase a license. AVG is good, but I trust NAV more.

One other thing - get him a copy of the free SpyBot Search & Destroy at

formatting link
and a copy of the AdAware SE (free) from lavasoft.

Reply to
Leythos

"René" wrote in news:419204f6$0$44063$ snipped-for-privacy@dreader2.news.tiscali.nl:

MAKE YOUR COMPUTER FIREWALL SECURE !!! It is very likely that the software you are using to protect your computer isn't doing a complete job. All your "information" on your computer could be exposed !!!"

***You can guard your PRIVACY with our software !!! *** This program has proven effective in years of trials on thousands of computers !!

Take this challenge -- go to our website at: myinvisusdirect.com/spotty3443 Explore the website and take the free computer scan. Find out for yourself how much dangerous material is deposited on your computer. Search for viruses, spyware, adware, trojan horses, and hacker tools. Investigate the firewall provided by the software.

THIS SOFTWARE IS THE REAL THING !!!! And the best part is that it can be FREE !!! E-mail me if you have any questions. Paul snipped-for-privacy@yahoo.com

Reply to
SECURTYfirewall

As Leythos said, a hardware solution would be a more secure and easier way to block your father's system from the internet. Any type of DSL/cable modem router will pretty much be plug in, power up and minimal configuration for you to get it going. Plus, nothing comes in unless you specifically configure it to. But everything will go out just fine for him. As for a secure way for you to access his system remotely, that would depend on what OS you and your father have. If you have Windows 2000 or XP, there is a terminal server that you could use. However, this would require you to open up a hole in whatever type of firewall you used. And, for security reasons: using the default access, the port it uses is a well-known port and would be scanned to see if it was open. The best approach for using this would be to change the port that the terminal server uses. This is not a simple thing to do, so you probably wouldn't want to consider this option. The most secure way for you to help out your father if he has problems is to go there and help him out.

Good luck.

Jeff

Reply to
Jeff Lord

Dear Jeff,

Thank You very much for Your reply. I have some more questions, and have put them in a posting as a reply to Leythos' reply. I would be very grateful if You would be willing to look at them as well.

Thanks!

Sincerely, Rene

Reply to
René

Dear Leythos and Jeff,

Thank You very much for replying. I have added some questions in Your posting below. I hope You will be willing to have a look at them:

"Leythos" schreef in bericht news: snipped-for-privacy@news-server.columbus.rr.com...

You mean that suppose e.g. a trojan horse gets on his computer, ZA will notice the outgoing data, and the external firewall wouldn't?

Wouldn't she be willing to do some configuring at my father's place ;-) ?

When do You expect to get it? I hope that You will post Your findings about the machine here. I am already quite sure I want to get one but maybe You'll have more info soon...

What I was wondering about: when someone discovers some new sort of weak spot in Windows and the owner of the computer has not updated his OS immediately, and there is an update of e.g. ZA, will the firewall, in this case ZA, also help protect the user from attacks that aim at this weak spot? And if the answer is "Yes", is there a difference in this kind of protection between a firewall like ZA and an external firewall? I do not fully understand why many firewall applications like ZA get updates very often while an external firewall does not need security updates that often, like You stated (You might read this line as "I don't believe You", but that is not correct, I actually don't understand why one firewall needs "adjusting of its hardening" more often than the other one).

Yes, but the VPN version is much more expensive (iirc 350 $ vs. 100$) and quite soon I am going to get a broadband connection as well, so I would like to buy two of those firewalls (note at the same time, first one to see if I like it). I presume VNC is an application that does the same thing but from within his computer?

I think this is what Jeff mentions in his reply. I agree with him that the safest thing to do would be to visit my father, but maybe there is a way in which he can enable the software after we have spoken to each other on the phone and disable it after the problem has been fixed. Then again, I guess this would imply having to re-configure the FW every time, which would perhaps be too difficult for him. What I have been wondering about is whether a VPN connection can be used when one doesn't have a fixed IP address (we don't) (and we are happy about that). How does one computer manage to find the other one? Or do You need to get the address from one computer and tell it to the program on the other one? And what about a program like PC Anywhere? Would something like that be useful in our situation? Suppose I had a VPN. What would that look like on the computer? Is it just an extra computer in "My Network Places"? Or would it be possible to actually make my computer show everything from his computer? I mean, would I see his desktop and be able to use the applications on his system just as if I was working on his computer in his living room?

You highly underestimate the messing capabilities of my father... ;-).

Is there any such program that You would especially recommend? (Preferably open source or freeware of course, but the quality is the most important.) I might already do some reading if You'd have some names for me.

Yes, but if the extra 50$ gets the "real" firewall from HotBrick, and this does add something to the protection quality, my father will be more than happy to spend it. Apart from that, it gets paid for by the union my father does some volunteer work for on his computer (only small, with not much very private data, mostly only names and addresses). Another question that came to my mind is the following. HotBrick has many firewalls, and many are very expensive. Is there also a difference in the specific "firewalling" capabilities between those, or is it just the other specs that differ, like managing many users and providing VPN services?

Sorry, forgot to mention this in my first posting, but he already has those programs.

If You would allow me to just ask one more question that is a bit OT in this NG, I would be very grateful (I ask it because we are talking about networking already and the two of You seem to know what You're talking about). I would very much like to learn to fully configure a network WITHOUT using wizards, because after having used a wizard, I still haven't got the faintest idea what I have actually done. I am reading the book "TCP/IP Unleashed", which is very good (and thick), but not everything I want to know is in there. Usually when You buy a book about networking, it starts by telling about all the kinds of cables there are and such. I am not interested in that. Many tutorials/books also explain how to use those wizards (I think they are clear enough themselves). Worst are the books that first start talking about the wiring and then tell You how to configure the network with the wizards. I have not been able to find a tutorial with Google that thoroughly explains the real configuring of a network without using the wizard. I don't know which words to use in Google. If You say "-wizard", You will also "lose" the pages that say "Have You ever wanted to configure Your network without wizards? Then this is the page for You!", which would be exactly what I want. So my question is: Do any of You know of a good tutorial on the web, or a book, that will show me how to fully install and configure a network without using those stupid wizards that hide everything from You?

Again I thank You very much for Your replies, and also I thank You in advance for reading this posting.

Enjoy Your Sunday!

Sincerely, Rene

Reply to
René

A router/NAT device will not notice anything going in/out, it just passes connections based on something your computer initiates. This means that if you request a web page, it will let the site send you the web page. If your computer gets infected with a virus that wants to contact the [formatting link] web site, the computer will make the connection and the router will permit it to reach the site, and the router will also permit the site to return the data requested.

A personal firewall application that runs on your computer will often be good enough to see that it's not asked you if you want "myvirus" to be able to contact the internet and will block it until you say "No/Yes" to the "allow access to internet" question for that application.

Look at a router/NAT as a big door with a knob only on the inside - anything that can turn the knob (only on the inside) can get out without any problem. Things on the outside can't get inside unless something opens the door from the inside.

The good thing is that unless you open the door, nothing comes in that you didn't want in. This means that all of your neighbors' infected computers will hammer the router and not your computer.

I'm setting up a couple exchange servers for a large group, it may be a couple weeks before I have any time to 'play' with one since my plate is quite full.

Ah, levels of protection. In the case of ZA or other Firewalls, the updates are sometimes to add enhanced features and not to fix bugs, other times it's to fix bugs. In the case of the ones I use, most of the fixes have been for enhancements, adding to the existing filter property, or just stability, only a few have been for security type updates. The reason that one may need updates and not another is that they are all different applications, made by different groups, at different times, with different ideas of how to best detect and stop threats.

If you have a router or firewall appliance in front of your computer, even without patches and updates you can safely install Windows (unpatched) on the computer without fear that it will be compromised (as long as you don't browse the web to anywhere but Microsoft to get updates) while you are building it and patching it.

There are ways to install a new windows system, from scratch, and get it on-line and updates without it being compromised, but you have to know what to disable and when it's safe to connect the network cable.

VPN is more expensive because it takes more to implement it, but it is the proper method to use.

If you just want to support a single computer, as long as you know his IP address, then VNC (free version, latest rev) is a simple way to do it. The catch is that everyone and his brother (and his mother) knows what ports to scan looking for exposed remote control applications. When I install VNC, even in a protected network, I always change the port number that it listens on. You could FORWARD PORT 31234 to his computer from the internet (through a router) or create a exception for it in Zone Alarm, and then install VNC on his computer with an ICON on the desktop so that he can start it when needed. This would allow him to start VNC when he needs your help and you to access his systems as though you were sitting there - your keyboard and mouse work control his system and you can see anything on his screen on your screen.

VNC is not a VPN type solution, it's just a remote control application.

No, just put a START and STOP Icon on the desktop for VNC, use a strong password, and configure it to use a different port, above 30000, and you don't have to touch anything in the firewall/router/ZA.

There are a couple of methods, and since the firewall appliance will be the object getting the public IP, it's the only thing that will know it. If you get into the firewall you can see what your public IP is, and ZA will tell you if you use it directly connected to the public, but with an appliance you have to access it to determine what your IP is. You could also visit a web site that checks your computer and tells you what your IP is:

formatting link
The link above will tell you what your assigned Internet Address is, at least in the typical home user (single dynamic IP) not running through a proxy.

PCAW is expensive, VNC is free.

VPN is a network connection between two networks or systems, it has nothing to do with seeing his computer/desktop. Imagine a VPN as being a very long cable that stretches directly between your computer and his computer with no one having access to it anywhere along the way. That's all it is - a network connection that only allows the two ends to read data from each other. You would use VNC once you got the VPN working, but you would not connect to his PUBLIC internet address, you would connect from your protected (inside the firewall device network) address through the VPN, using VNC, to his private address which is inside his firewall.

For inside companies, where we don't want to make it obvious, but people can still see it in the task bar, we use an old product called Remote Administrator, much like VNC, but you can hide the ICON and password protect all settings and connections, and it will even let you use NT authentication. We have clients that have VNC installed, in default port, with a single password, on hundreds of computers in their network (not our idea) and they don't have problems with it - the users leave it alone.

You might do well to send them an email and tell them what you want to do and ask them to suggest the proper device for your needs. In your case, while a VPN device is nice to have, a simple router with NAT may be all you really need. If you were to combine a NAT box with SPI, and then run ZA on his computer, exposing the VNC port/application, even if you left it running all the time, you might find that he's just as not-exposed as if he were running the brick.

It doesn't sound like he has the router/NAT box - if you put that in the solution then you've got all he really needs. If you add in blocking of outbound ports at the router of 135,136,137,138,139,445 then you make it harder for his computer to spread infections should it be compromised.

Not off the top of my head, and networking is a wide subject. The first thing is to understand the cables, the types of cables, and how to make them, then to understand the difference between a switch and hub, then managed and unmanaged, then VLANS, then routers, then NAT, then routes, then firewalls.

Hope all of this helps somehow.

Reply to
Leythos
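The following is an added example, not code from the thread or from any of the posters, that models the router/NAT behaviour Leythos describes above (the "door with the knob on the inside") together with the two tweaks he suggests: forwarding a single non-standard port to the inside PC for VNC, and blocking outbound 135-139 and 445 so a compromised PC can't spread. It is a toy connection tracker, not a real firewall; all addresses, ports and scenario labels are made up for illustration. It also shows the limit Leythos points out: a NAT box alone lets an infected PC call out over port 80 exactly as it lets a browser do.

```python
"""Toy stateful NAT/firewall, added example (not from the thread).

Policy modelled:
  * Outbound flows from the LAN host are tracked and allowed, except to the
    NetBIOS/SMB ports 135-139 and 445 (egress block suggested in the thread).
  * Inbound packets are allowed only as replies to a tracked outbound flow,
    or when they hit the single forwarded VNC port (hypothetical 31234).
  * Everything else from the outside is dropped.
All hosts and ports below are constructed for the example.
"""
from dataclasses import dataclass

LAN_HOST = "192.168.1.10"        # the father's PC (assumed private address)
PUBLIC_IP = "203.0.113.5"        # router WAN address (documentation range, assumed)
VNC_FORWARD_PORT = 31234         # hypothetical non-standard VNC port to forward
BLOCKED_EGRESS = {135, 136, 137, 138, 139, 445}

# Outside hosts used in the scenario (all made up)
WEB_SERVER = "198.51.100.20"
EVIL_SITE = "198.51.100.50"
NEIGHBOR = "203.0.113.77"
SCANNER = "198.51.100.99"
HELPER = "198.51.100.9"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" = LAN -> internet, "in" = internet -> router
    syn: bool = False   # True when the packet opens a new connection


class StatefulNat:
    """Tracks outbound flows so only their replies are let back in."""

    def __init__(self):
        # Each tracked flow is keyed (remote_ip, remote_port, lan_port)
        self.flows = set()
        self.log = []

    def _decide(self, pkt):
        if pkt.direction == "out":
            if pkt.dport in BLOCKED_EGRESS:
                return "DROP egress SMB/NetBIOS"
            # Any outbound connection "turns the knob from the inside"
            self.flows.add((pkt.dst, pkt.dport, pkt.sport))
            return "ALLOW"
        # Inbound: is this a reply to something the LAN host started?
        if (pkt.src, pkt.sport, pkt.dport) in self.flows:
            return "ALLOW reply"
        # The one hole deliberately opened for remote support
        if pkt.dport == VNC_FORWARD_PORT and pkt.syn:
            return f"FORWARD to {LAN_HOST}:{VNC_FORWARD_PORT}"
        return "DROP unsolicited"

    def handle(self, pkt):
        verdict = self._decide(pkt)
        self.log.append((pkt, verdict))
        return verdict


def run_scenario():
    """Run a constructed packet sequence and return {label: verdict}."""
    nat = StatefulNat()
    packets = [
        ("web request out", Packet(LAN_HOST, 51000, WEB_SERVER, 80, "out", syn=True)),
        ("web reply in", Packet(WEB_SERVER, 80, PUBLIC_IP, 51000, "in")),
        ("worm probes port 445 from outside", Packet(NEIGHBOR, 4444, PUBLIC_IP, 445, "in", syn=True)),
        ("infected PC tries SMB out", Packet(LAN_HOST, 1025, NEIGHBOR, 445, "out", syn=True)),
        ("trojan phones home over HTTP", Packet(LAN_HOST, 51001, EVIL_SITE, 80, "out", syn=True)),
        ("scanner hits default VNC port 5900", Packet(SCANNER, 40000, PUBLIC_IP, 5900, "in", syn=True)),
        ("helper connects to forwarded VNC port", Packet(HELPER, 40001, PUBLIC_IP, VNC_FORWARD_PORT, "in", syn=True)),
    ]
    return {label: nat.handle(pkt) for label, pkt in packets}


if __name__ == "__main__":
    for label, verdict in run_scenario().items():
        print(f"{label:40s} -> {verdict}")
```

Two things to take from the scenario: the worm probe and the scan of the default VNC port both die at the router without the PC ever seeing them, which is the whole value of the NAT box; but the trojan's outbound HTTP call is allowed just like the browser's, which is the gap a host firewall such as ZA (not modelled here) is there to catch.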

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.