NIS will not let me synchronize the PC Date/Time

It's very unlikely if his shares are configured correctly. Admitted, the NetBIOS and SMB stuff in Windows is pretty lousy, but so far you could only expect some DoS, but not remote compromise.

Besides that, hardening makes it even less problematic.

Argh! Where exactly do you think is the difference between your home computer at 192.168.0.5 connecting to your shares in your local wi-fi LAN and a malicious computer at 192.168.0.5 in a company wi-fi LAN doing the same?

It has.

Well, then why not do it correctly instead of choosing another evil?

Sebastian Gottschalk

I will repeat myself: use a NAT router _with_ _firewall_

And decrease usability, maybe some people need some of that stuff, maybe only for experiment, maybe only to learn.

alf

A user running a laptop on a client's network, such as a contractor that must furnish their own laptop, needing to print to the client's network printer.

In this case the PFW would block inbound connections and alert the contractor of all connections reaching their laptop. It would also allow the contractor to selectively allow inbound access to their laptop, let's say via FTP, from a single node in the customer's network, while blocking all others' access to it. It could also allow SQL Data (1433) access from several nodes while blocking access from all other nodes.

It would also allow the contractor to see each connection that was approved, in real time, and to monitor those connections.

Windows Firewall would not allow monitoring of the inbound connections, although the scope would meet part of the requirement, and it would not allow monitoring of other attempted connections to the contractor's computer that may indicate a compromised computer(s) on the client's network.

Leythos

Complexity -> Simple sharing off. Will the user understand the new approach? He is going to share folders; he doesn't know how to configure the connection.

The AP IP is hardly going to be the same, and ZA puts unprotected wi-fi into the internet zone no matter what the AP IP is.

Explain how; many wi-fi users will thank you. You have to configure it to put unprotected wi-fi into the protected zone and protected wi-fi into the unprotected zone, regardless of AP IP, automatically. SSIDs are different for public wi-fi and you don't know what the SSID will be.

BTW, to somebody I don't know: stop performing port scans on me; it is illegal, so please stop. I have no network services running, so it is useless; there is nothing to connect to.

alf

;-)

This scanning is very likely part of automated scanning. And that all of those scanners are reading this group is very unlikely ;-)

BTW: Scanning does not mean attacking. Therefore, I cannot see that it's illegal (in what country BTW?)

Yours, VB.

Volker Birk

Pretty good advice!

How exactly would Joe Average determine if he was safe with it or not?

So if Joe Average is not sure if windows firewall works for him, he should go search for something even more complex?

And furthermore You expect him to be able to make a good choice based on product reviews and not least their history of vulnerabilities? - Come on, we are way way ahead of "Average" already.

Oh, I need to apologize here. I'm afraid I have misunderstood the definition of a Joe Average. If Joe Average is in for experiments no firewall will protect him anyway, so in that case You are right - He can just pick anyone. My guess is he will end up with the one providing the most bells and whistles and reporting the most attacks.

Yes, and You are right, it is not always good advice. It even sometimes comes close to being rude. But in many cases it actually *is* good advice if people would just allow themselves to learn. It isn't exactly wrong, it just isn't the full picture. But if Joe Averages would just take some time to read a little back in this group, the same arguments and counter-arguments are repeated again and again.

I haven't seen anyone make that claim!

Just the basics will do.

Yep, some basics will definitely be great.

Now You are stretching the "Average" part again, aren't You? ;-)

... bye bye "Average".

True, actually. Except that for Joe Averages I would say: in many cases.

Nonsense.

And of course You also neglect the most important thing: Be willing to learn - also even though You may already be influenced by marketing hype.

B. Nice

If it's configured for filtering, usually it is as long as operating system providers like Microsoft insist on preconfiguring network services :-/

Yours, VB.

Volker Birk

Maybe, but I have many connection attempts/min: TCP 1001, TCP 1002, TCP 1003... UDP 1001, UDP 1002, UDP 1003... and so on. I think it is a port scan of somebody on me. It starts to happen after I post to this group _only_; it doesn't happen when I post to other groups or do something else. That is why I'm changing my IP, check my headers.

Well, I can always abuse, but I have to know the non-spoofed IP first. :-(

alf
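
A way to check a firewall log for the pattern described in the post above (many distinct ports probed from one source within a minute), as an added example that is not part of the original thread. The log format, addresses and thresholds are constructed assumptions, and a logged source address may be spoofed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: date time proto source dest-port).
SAMPLE_LOG = "\n".join(
    [f"2006-03-01 10:00:{i:02d} TCP 203.0.113.7 {1000 + i}" for i in range(1, 7)]
    + [f"2006-03-01 10:00:{10 + i:02d} UDP 203.0.113.7 {1000 + i}" for i in range(1, 6)]
    + ["2006-03-01 10:01:00 TCP 198.51.100.20 445",   # same port retried: not a sweep
       "2006-03-01 10:03:00 TCP 198.51.100.20 445",
       "2006-03-01 10:05:00 TCP 192.0.2.44 80",       # two ports only: below threshold
       "2006-03-01 10:05:01 TCP 192.0.2.44 443"]
)

def parse(line):
    """Split one log line into (timestamp, protocol, source, port)."""
    date, time, proto, src, port = line.split()
    return datetime.fromisoformat(f"{date} {time}"), proto, src, int(port)

def find_sweeps(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return {(source, proto): ports} for sources that hit at least
    min_ports distinct ports inside any sliding time window."""
    events_by_key = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, proto, src, port = parse(line)
            events_by_key[(src, proto)].append((ts, port))
    sweeps = {}
    for key, events in events_by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(sweeps.get(key, [])):
                sweeps[key] = sorted(ports)
    return sweeps

def is_sequential(ports):
    """True when the sorted ports form one unbroken run (1001, 1002, ...)."""
    return all(b - a == 1 for a, b in zip(ports, ports[1:]))

if __name__ == "__main__":
    for (src, proto), ports in find_sweeps(SAMPLE_LOG).items():
        kind = "sequential" if is_sequential(ports) else "scattered"
        print(f"{src} {proto}: {len(ports)} ports, {kind} ({ports[0]}-{ports[-1]})")
```
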


Ummm... IBTD. I see at least two possible scenarios:

- User must (for whatever reason) use a program that cannot be replaced and has one or more process(es) which cannot be unbound from the external interface.

- Road-Warrior has a notebook and wants an easy way to maintain different configurations for the company's LAN as well as customer networks.

However, neither of them applies to Joe Average.

cu

59cobalt
Ansgar -59cobalt- Wiechers

No.

cu

59cobalt
Ansgar -59cobalt- Wiechers

And why not the Windows-Firewall here?

And why not the Windows-Firewall here?

Yes.

Yours, VB.

Volker Birk

I said before, it is all about luck.

> In addition inform yourself about problems and additional attack vectors

If he likes gambling, why not. Maybe he will win. :-) In the case of a Joe Average, meaning a system filled with malware, network services running, software misconfigured, anything is possible.

Depends on how good a student he will be; maybe he will not need a firewall.

I made it a little dramatic.

OK, yes it is bye bye "average", but for somebody with the will to learn that would be good.

I already answered Sebastian: if you don't experiment and work with network services, how are you going to learn? It is not stupid only if you give up on learning. Another compromise.

I said that at the beginning. To the user who likes to learn.

alf

What about using (safe) passwords on shares? A trusted computer can store them as well.

man IP spoofing

man automated scanning

Eh, what? Wait a moment, just for clarification:

If you have shares on that Wi-Fi connection, you cannot put it into internet zone without breaking it.

If you don't want shares on that connection, why don't you simply bind them to the appropriate local connection? Especially NetBIOS is trivial to bind, SMB can be safely deactivated.

It has zoning options.

Hm... this is new in that discussion. ZA doesn't do so either.

The SSID has at most 88 bits of secret and can be trivially sniffed from your local secure wi-fi connection.

MUAHAHA. Now knocking on the door of your apartment is illegal as well?

Stupid bots are not intelligent enough to recognize that you're no relevant target. :-)

Sebastian Gottschalk

Hm... why do you post a NNTP-Posting-Host header line anyway? ;-)

Yeah. Do you know BR-CERT? /mail/input -> /dev/null

Sebastian Gottschalk

Volker Birk wrote:
> BTW: does Zone Alarm implement this in a secure way, or is this effectless

No, but if the IP is different, and it usually is, it will ask you to choose a zone, or you can set it up to automatically add every new network to the internet zone.

Yes, Privacy off, Program Control off, and you have firewall only.

alf

Sebastian Gottschalk wrote:
> Yeah. Do you know BR-CERT? /mail/input -> /dev/null

I will look into it.

alf

No.

You'd wish.

Heck, you cannot even send TCP-RST. You cannot refer to any states, f.e. to do something like

| checkstate
| allow tcp from $other to me 21,990 setup keep-state
| deny tcp from any to me 1-1023 setup keep-state
| reject tcp from any to setup keep-state

which makes it pretty unusable in any serious configuration scenario.

And I wonder why not even disabling it switches off the internal "f*ck up my network capabilities" rule.

Sebastian Gottschalk

This is a scenario where it's sensible to use a personal firewall. That may be the Windows Firewall if the User has Windows XP. With Windows 2000 for example he doesn't have this option, so he'll need to use something else.

Because AFAIK it allows for only two configurations, whereas the road-warrior may need more.

cu

59cobalt
Ansgar -59cobalt- Wiechers

For such a scenario the TCP/IP filtering should be sufficient for LAN adapters, for RAS you have the RAS filtering.

Sebastian Gottschalk
