If I am using 4 LAN computers with an ADSL connection and all 4 of them connect to the internet through a router (you recommend the router :), how can I best protect one LAN computer, which is very important to me regarding security, from the other 3 LAN computers, which I would not watch a lot to keep clean from viruses, Trojans, etc.? Is the threat that comes from my 3 LAN computers bigger than the internet threat?
Install a second router, connect its WAN connection to the LAN connection on the first router, then connect the important computer to the second router's LAN. This will allow the important computer to get internet access and to reach the other computers, but it won't allow the first three computers to reach the important one because NAT would block it.
Waste of money. You can properly configure your computer's firewall to block internal machines; even most routers now have firewall functionality built in.
Sorry, but you're wrong. The Windows firewall can be changed by programs running under an admin account, and the Windows firewall opens file/printer sharing by default in some setups.
A NAT Router is not going to expose those OS flaws.
$50 to protect a machine without the user having to constantly check the Windows Firewall Exceptions.... Well, it's painless and works.
Very nice idea. Maybe I should point out that the important LAN comp would not need any file sharing with the other 3. The question now is: should I do what you told me, or would what sil proposes about a soft firewall be enough?
So what about the time at boot and login, when the personal FW cannot be started first before anything else? It can be like the TCP connection is started and other machines on the LAN with malware can access the machine, because the FW was not made available before TCP was started on the machine and was available.
Routers do segregation of networks even in a home environment. The router doesn't have to be booted and started, unlike a host based solution running on a computer, which will not allow a machine to be attacked behind a router because it's never down or booted like what would happen on a host based solution.
If I want total separation of machines in a LAN situation, I would be doing it with a two router solution.
You can get a second good router on sale for about $20.
OK, great, so another router is the way to go. BTW, I don't care about spending 20-200$ if that is the best solution. What second router should I use? What is best known for good firewall and security performance?
----- Original Message ----- From: "sinisa" Newsgroups: comp.security.firewalls Sent: Saturday, October 07, 2006 9:41 AM Subject: Re: security question
I'll put it to you this way. A standalone device solution, in your case, such as a second router if you want absolute protection from the other machines on the LAN is the best solution.
The security is in the separation of the two networks, in your case, whereas the machine you're trying to protect will not receive any unsolicited inbound traffic not only from the Internet but from other machines on your LAN. The second router is going to flat-out stop that from happening.
The second router is only going to allow inbound traffic back to the machine that the machine has sent outbound traffic to, whether that outbound traffic is to a remote IP on the Internet or to another machine on the LAN. You put that second router in play and the machine will not be able to talk to other machines in a LAN situation connected to another router. Nor will the other machine connected to the other router be able to talk to the machine that has been segregated.
The router you need to make sure that it has all the bells and whistles on it you want is the gateway router that's connected to the modem and is the Internet facing router. The router that's doing network segregation behind the gateway router can be an el-cheap-o of anything you want. It doesn't make a difference.
I saw a guy in another NG post that he got a Linksys for $10 at Best Buy.
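The filtering behaviour argued over in the posts above, as an added example that is not from any of the thread's participants: a toy model of the inner router's NAT table, showing that an unsolicited packet from the outer LAN is dropped while a reply to a connection the protected PC opened is delivered. The class name, the inner address 192.168.10.50, the outer hosts and all ports are assumptions, and the model assumes the router only accepts replies from the exact remote address and port that was contacted.

```python
from itertools import count


class NatRouter:
    """Toy model of the second (inner) router's NAT connection table."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self._ports = count(40000)  # next free external port (arbitrary start)
        self.table = {}             # ext_port -> (in_ip, in_port, remote_ip, remote_port)

    def outbound(self, in_ip, in_port, remote_ip, remote_port):
        """Inside host opens a connection: record a mapping, rewrite the source."""
        ext_port = next(self._ports)
        self.table[ext_port] = (in_ip, in_port, remote_ip, remote_port)
        return (self.wan_ip, ext_port, remote_ip, remote_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arrives on the WAN side: deliver only if it matches a mapping."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None             # unsolicited: no mapping, dropped
        in_ip, in_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None             # not the peer the inside host contacted
        return (in_ip, in_port)


def run_scenario():
    # Constructed addresses: outer LAN 192.168.3.0/24, protected PC 192.168.10.50.
    inner = NatRouter(wan_ip="192.168.3.2")
    results = {}
    # An outer-LAN PC probes the inner router's WAN address on port 445.
    results["unsolicited"] = inner.inbound("192.168.3.20", 4444, 445)
    # The protected PC opens a connection to that same outer-LAN PC.
    pkt = inner.outbound("192.168.10.50", 51000, "192.168.3.20", 80)
    results["translated"] = pkt
    # The reply comes back to the mapped external port and is delivered.
    results["reply"] = inner.inbound("192.168.3.20", 80, pkt[1])
    # A different outer-LAN PC tries the same external port.
    results["third_party"] = inner.inbound("192.168.3.21", 80, pkt[1])
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:12} -> {value}")
```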
OK, so the first gateway router that is connected to the modem should be the good one. Can you recommend which one with all the bells and whistles I should buy then, because I think I have an el-cheap-o right now. My old D-Link 604 is maybe best to use for network segregation (second router).
There are two things to consider in the two solutions:
1) A hardware solution provides a fixed means of protection that can't be screwed up if you screw up your OS or soft firewall.
2) Soft-firewall will work, but, if you screw up the firewall or if there is an exploit or if any number of unknown applications punch an exception in the Windows firewall, well, you're not really protected or isolated.
So, if you want something that works, but it does cost about $50, then you use Hardware to isolate the important machine from the others and then it doesn't matter about exploits in the OS/Apps.
I have customers that have labs (where they hold classes) and each lab is separated by a NAT appliance that is connected to a DMZ network - this means that all of the labs can reach the internet, some can route traffic back to the labs from the public side (we won't go into that here), but none of the labs can reach into the other labs. While you could TRY and do that with Native Windows XP, it would be a mess and could easily be compromised.
I design secure networks and infrastructure for a living, it's what I based my company on and how I keep making a living.
Just about any NAT Router (often called a firewall by the misinformed) will do what you want. Key thing to remember, both routers MUST HAVE DIFFERENT PRIVATE NETWORK RANGES.
It would also be best if you can assign the WAN address for router 2 with a fixed IP in Router 1's LAN (like 192.168.3.2) - but this also means that you need to know your ISP's DNS numbers and such.
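A quick check of the addressing rules in the post above, as an added example that is not from the poster: it verifies that the two routers use different private ranges and that router 2's fixed WAN address sits inside router 1's LAN. Only 192.168.3.2 comes from the thread; the function name, the other addresses and the extra DHCP-pool check are assumptions.

```python
import ipaddress


def check_plan(r1_lan, r1_lan_ip, r2_wan_ip, r2_lan, r1_dhcp_pool=None):
    """Return a list of problems with a two-router plan (empty list = OK)."""
    problems = []
    outer = ipaddress.ip_network(r1_lan)   # router 1 (gateway) LAN
    inner = ipaddress.ip_network(r2_lan)   # router 2 (protected) LAN
    wan = ipaddress.ip_address(r2_wan_ip)  # fixed WAN address of router 2
    gw = ipaddress.ip_address(r1_lan_ip)   # router 1's own LAN address

    # The rule from the post: the two private ranges must differ.
    if outer.overlaps(inner):
        problems.append("router 1 and router 2 LAN ranges overlap")
    if not (outer.is_private and inner.is_private):
        problems.append("a LAN range is not private address space")

    # Router 2's WAN side is just another host on router 1's LAN.
    if wan not in outer:
        problems.append("router 2 WAN address is outside router 1's LAN")
    elif wan in (outer.network_address, outer.broadcast_address):
        problems.append("router 2 WAN address is a network/broadcast address")
    if wan == gw:
        problems.append("router 2 WAN address collides with router 1")

    # Added check (assumption): a fixed address should not sit in the DHCP
    # pool, or router 1 may lease the same address to another machine.
    if r1_dhcp_pool is not None:
        first, last = (ipaddress.ip_address(a) for a in r1_dhcp_pool)
        if first <= wan <= last:
            problems.append("router 2 WAN address is inside router 1's DHCP pool")
    return problems


if __name__ == "__main__":
    # Constructed plan: only 192.168.3.2 is taken from the thread.
    print(check_plan("192.168.3.0/24", "192.168.3.1", "192.168.3.2",
                     "192.168.10.0/24", ("192.168.3.100", "192.168.3.199")))
```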
For now I am going to copy-paste what you wrote so I can read it later (a few months later, because I didn't even buy my secure PC yet, but I will, don't worry, I didn't waste your time for nothing ;-) I know my ISP's DNS numbers, but where and how to configure what you just told me, I hope to figure that out myself, or expect me coming back later on this group to bother you again :-)
I, as well as many of the others, will still be here when you need help. Most NAT Appliances have a web interface that is easy to understand and simple to use.
I like the D-Link and Netgear lines, and have mostly given up on Linksys and NEVER buy Belkin (for residential NAT appliances).
I've found their quality and features lacking over the last couple years and that as other vendors increase quality and features, Linksys has dropped it in areas that make a difference to me.