home network behind NAT and firewall ?

I have a few PCs (with WinXP OS) connected to a hub, and the hub is connected to a cable modem. All PCs have different IP addresses such as 10.0.1.x (provided by ISP), though the ISP network is behind NAT. Everything works fine when I disable the firewall on my XPs. When I enable firewalling my PCs don't see each other. What shall I do to make my network fully functional, and to protect the PCs with a firewall? Is there a firewall program which you can recommend to me? Or can I configure the WinXP firewall to let my PCs communicate? Thanks.
Reply to
bobjan

"bobjan" wrote in news:1108724377.731351.209410@g14g2000cwa.googlegroups.com:

You can get yourself a cheap NAT router and make it the gateway device for the WAN and LAN and let it be the ICS device for the machines on the LAN. You can take the hub and plug into one of the LAN ports on the router to extend the LAN if need be and let the router with its DHCP server issue IP(s) to your machines.

By using a NAT router, which is a plug-it-up-and-go device with little or no configuration on your part, you can disable the XP FW on the machines and they will be able to see each other. The NAT router will provide the same protection as the XP FW, which is only stopping inbound threats, but the NAT router does it for the entire network and is better protection too. You only need one IP from the ISP if using a router.

Duane :)

Reply to
Duane Arnold

Gerald Vogt wrote in news:4215de44$0$972$ snipped-for-privacy@news2.asahi-net.or.jp:

The NAT router is no worse than using that XP FW - it's better. I could have said go get a low-end WatchGuard like I use, but not everyone wants to fork up that kind of cash. I was hoping a Hotbrick would be a viable solution for this kind of situation but I have my doubts about the support and its longevity. Anyway, the router provides the protection that the XP FW is doing plus it gives the OP the ICS and he can dump the XP FW, since he is having so much trouble trying to configure it on the machines for networking. One could supplement the NAT router with IPsec that's on the Win2k, XP, and Win 2K3 O/S(s) with the AnalogX rules implementation that will allow networking on the LAN and protect the machines.

Duane :)

Reply to
Duane Arnold

I got news for you, but NAT doesn't make anything harder and is stronger than a user-maintained personal firewall application running on the user's machine. Any firewall running on a user's machine can be compromised by the user and other malicious scripts when the user doesn't understand, completely, the security issues.

NAT routers give more protection than Windows XP SP2 firewall service, by taking control of exploits out of the hands of the user and Windows.

Many ISPs have moved to blocking the MS file sharing ports, so using the ISP to share files may not work in some locations. Also, having open file shares exposed to the internet makes you a larger target - not to mention a perfect target for the next undocumented exploit.

A NAT router is cheap, protects the computers even without a firewall application, lets people get online without being compromised as soon as they connect, and gives users a chance.

Reply to
Leythos

Gerald Vogt wrote in news:421601f6$0$975$ snipped-for-privacy@news2.asahi-net.or.jp:

All I am saying here is that the router provides the plumbing automatically or the (ICS) without implementing ICS on the computer's NIC.

I have used IPsec to protect the LAN behind the Linksys router in the example of the Analogx implementation of using IPsec. It's not implemented as a VPN LAN situation but more as a FW like solution on the machine with traffic allowed on the LAN networking ports and closing or opening other service related ports and protocols.

The site seems to be down. But it's another example of using IPsec like a FW.

I got to get back to studying these last 50 Transcender practice test questions before I take the first out of 4 MSCD tests for .Net at 12:00 pm today, a damn 3-hour test -- pray for me as I'll need it. ;-)

Later!

Duane :)

Reply to
Duane Arnold

I haven't encountered a home NAT router yet that didn't have an option to block incoming traffic. Did someone actually make one that doesn't do anything but NAT?

Reply to
Renegade

First, let's get one thing clear, a ROUTER that provides NAT and implements SPI is not a firewall. It has some firewall-like features, but is not a true firewall.

Actually, SP2 and personal firewall applications running on their personal computer are very subject to compromise and misconfiguration in addition to any undiscovered flaws in the OS.

A NAT router, even without SPI, does not expose the user to anywhere near the level of threat that running without one would/does.

While there have been exploits for CISCO and also the cheap routers with NAT, they have been fixed and require certain configurations to exploit. The typical user's software firewall, including SP2, is very subject to being disabled by a virus/trojan or even spyware, and that's just for what is known currently.

There are two directions of protection we need to get clear:

1) Inbound, unauthorized, traffic - a router with NAT will better protect the user's computer(s) than a personal firewall will for this type of threat.

2) Outbound, unauthorized - a personal firewall is capable of stopping this type of threat, but only if the user is smart enough to not compromise the firewall themselves. In many cases users will permit outbound without understanding what they are allowing. This represents a serious threat to users and their information.

In all cases, for a typical home user, NAT is the first and primary method that should be implemented, there is very little that NAT interferes with that home users are impacted by. File sharing is one, but most home users are not permitted to run file sharing services in their ISP's acceptable use policy.

I would never set up a home user without a NAT router device with NAT enabled; users are basically ignorant by choice and that means they are very vulnerable.

You should reconsider your position on NAT for home/small users, even single computer users.

Reply to
Leythos

What does that mean? What do you want to do? I would assume you mean "file sharing" but you are unclear about it. What exactly do you want to do?

Yes, the XP SP2 firewall can be configured for that. Just enable the file sharing communication in the firewall. The SP2 firewall should offer you the necessary exceptions for that.

But either way, I do not recommend the configuration you have. Any access you allow between your computers is open in the whole network, i.e. anyone else using your ISP can also access your computer! So basically, whatever you can do someone else might be able to do, too. Even if you use authorization it is absolutely unreasonable to offer a service (file sharing) to the internet or in your case at least to anyone using your ISP.

Replace the hub with a proper hardware firewall. Then the firewall protects your little network with your computers and you don't even need the firewalls on the computers depending on what you do with your computers...

Bottom line: don't do what you want to do but do it right and get a hardware firewall. Anything else is just unreasonable.

Gerald

Reply to
Gerald Vogt

I would not recommend that. Why buy a NAT router that weakens the security when you can do it properly: use a firewall (or get a router that can be configured as a real "firewall"). You don't need NAT and it only makes things harder. Get a firewall that blocks the incoming traffic to the network and leaves the internal traffic regarding file-sharing etc. in the internal one. As the ISP does provide more than one IP address you don't need NAT.

Gerald

Reply to
Gerald Vogt

Sorry. As you were talking about hardware, I was, too. It was unclear of me. I meant: use a hardware firewall. Neither the XP FW nor any other software firewall on the computers itself can protect the network sufficiently.

You don't need the ICS. Each computer can have its own connection. If you can avoid NAT it is always better. NAT can never work 100% correct. This is due to the mapping and cannot be avoided.

Well, you could as well create a virtual private network on top of the existing network. Again, no NAT necessary. I am not sure, though, if a group of XPs can be configured that way without a domain server. I don't know the AnalogX. If it does properly set up IPSec that way, it would certainly be good.

Anyway, all I was saying: you don't need NAT and I would avoid it if possible.

Gerald

Reply to
Gerald Vogt

As for NAT (I never implement ICS), because it's the easiest way to protect users that don't understand security of systems.

Reply to
Leythos

That is what I am writing about in other threads all the time. As we were talking about routers and I assume in my answer a 'real' firewall, ie a hardware device. The other ones are software firewalls.

Compromises of the software firewall are a completely different issue. They exist but are unfortunately often forgotten. But, anyway, I would not call a misconfiguration of a firewall by the user a "compromise". The compromise is what happens after that. That's a minor thing. Sorry for my unclear formulation before.

This is incorrect. First of all, I assume here that you do not mean a NAT router but a router/firewall with SPI and NAT translation. Without the firewall it is not really worth much anyway. Second, as with everything it depends on the scenario at hand that defines security issues and the quality of the solutions. Third, I doubt a NAT firewall with a single computer behind it would necessarily improve security of this single computer directly connected with only the SP2 firewall. The NAT firewall does offer a different attack surface but is vulnerable as well (as Cisco demonstrated a couple of times). Hardware firewalls have not too often been targets of attacks. But if you take some of the Netgear or Linksys routers that are very popular and that run Linux on it, you can easily think what this could mean. So for an exact comparison it would mean to find out about the quality of either implementation...

It presumably does work in the given situation. (Assuming "seeing" is file sharing)

What I said.

A hardware firewall does protect the network. The first NAT implementations were very bad. Nowadays they are better. But still the concept of NAT on top of a firewall always does decrease the security you could have without NAT due to its concept. In general, NAT is however the only possibility to connect their LAN to the internet, because they only have one internet IP at their disposal. In the given scenario, this is not necessary and thus the NAT would be the first thing I would deactivate on the firewall/router I would get.

Gerald

Reply to
Gerald Vogt

Gerald, I have 10 IP on my home service, and I run 4 subnets behind a real Firewall appliance with more than 20 systems at any given time. My firewall provides for the ability to assign both public (not nat) and natted segments, but I use NAT since there is no benefit in running a public IP on any of the systems.

My situation is different than most; I install firewalls for the networks I design, I do this for medical centers, nursing homes, government groups, commercial businesses, and for the occasional small shop.

The given scenario is a perfect example of why the op should have been using a NAT solution - it would keep all the traffic related to their LAN inside their network and it would never have to reach the ISP's device. It would also protect the internal network from malicious external traffic.

Well.... I considered your position and based on the information I had and with the other post, I still suggest that you reconsider NAT for base installations, even those with one IP and one computer. Use of a personal firewall application, whether it's ZoneAlarm, Sygate, SP2 FW, etc... is just an accident waiting to happen for any place that doesn't have a security/firewall person on hand to monitor/set it up and maintain it.

Based on the OP's need to share files between two computers, a NAT ROUTER solution is the perfect and optimal method. Anything that puts the two computers on the public network is a security risk when File/Printer sharing is enabled.

Even if you want to share files between two computers across the net, not on the same ISP, file sharing using MS file sharing methods is still the wrong path to take. The proper path would be to enable PPTP Passthrough on the router and then configure the two remote machines to VPN to each other through the routers (one would require port forwarding for PPTP).

I hate to sound like I'm about to, but none of us that do this for a living, and those of us that have never had a compromised network/system, would suggest running a Windows PC directly on the Internet with any type of personal firewall as the only means of protection, at least not any of us that get paid for solutions.

Reply to
Leythos

Gerald Vogt wrote in news:42168112$0$974$ snipped-for-privacy@news2.asahi-net.or.jp:

What's NAT got to do with taking a router, hooking it up and plugging some computers into the LAN ports (wired NICs) or using (wireless NICs) and having those machines wired to wired, wireless to wireless, or wired to wireless share resources because the router is providing the resource sharing between machines? Maybe my use of the acronym ICS is off and it should be just CS (connection sharing) or RS (resource sharing), but that's what I mean about the plumbing automatically produced by the use of the NAT router for the machines and the LAN.

Duane :)

Reply to
Duane Arnold

All I was saying is that this is not necessary here. Why do plumbing when you don't have to? Why use ICS or NAT anywhere when you don't have to?

Gerald

Reply to
Gerald Vogt

Yes and Yes. That is what I was saying.

Again you have to differentiate between flaws of the firewall itself which make the system vulnerable and the OS flaws. The OS flaws are there one way or the other. Therefore they are irrelevant for this very issue.

SP2, PFWs and any hardware firewall as well is subject to compromise and misconfiguration. (side-note: I guess 50% of the hardware firewall/routers with wireless are actually wide open because completely unconfigured, thus statistically it may even be that more firewall/router are extremely vulnerable than others.)

Irrelevant. We never compared any solution against running nothing. We were comparing software and hardware firewalls.

Note: A hardware firewall/router may as well be reconfigured from the inside. If I think that so many wireless routers are in default configuration, I would assume that there are as many or even more routers without wireless in default configuration. It should be extremely easy for an intruder in many cases to just configure the HW FW to open a port forward...

And I never said anything against that. Nowhere. Read it again. I may just have written "firewall" the first time but I told you I meant a real hardware thing, not the software thing.

A hardware firewall without NAT protects your system better than a NAT router/firewall better than SP2 FW better than PFW. (O.K. It's incorrect, too, because the NAT router/firewall is not really a router but a gateway...)

Something like that is what I am telling people all the time. And still you are wrong. A PFW is only capable of stopping some of these threats. This is easy to circumvent just by tunneling through IE for example. Only applications that nicely cooperate with the PFW will be detected. But people unfortunately believe it works always and everywhere...

You change the subject and mix various different scenarios which you never define. It does not make much sense to reply with solutions for the typical home user without defining it (although we probably have about the same idea of him) to an answer in a specific scenario that is given here... (For the typical home user that has a NAT device it does not matter if ISPs block file sharing or not, or allow it or not. It never crosses the device.)

You usually don't have a choice. Here you have.

You should really read what you are answering to. The given scenario allows you to avoid NAT, so you should. Most people don't have the option and have to use NAT because they only have one IP address available. If you can have more, don't use NAT. NAT is a way to make holes into your firewall to allow responses to outgoing requests. Why do you want to do that if you are not required to?

Anyway, taking my answering for a specific scenario and telling me to reconsider my position for home/small users is, well, ...

Gerald

Reply to
Gerald Vogt

Well, if there is no benefit you are free to do whatever you want to do. I pointed out that NAT has been often problematic in the past. It is more stable now but you don't really know about the quality of the implementations. NAT is vulnerable as a protection mechanism. Even the perfect implementation of NAT is vulnerable. That is due to the design as a mapping mechanism of one IP address to many IP addresses which never can be perfect. A properly crafted UDP packet sent to the right port of your NAT device with the right timing will go through and may infect the receiving computer behind the device. I don't have the numbers on what the chances for an attacker are, but you cannot avoid it.

If you use a hardware firewall without NAT you get the same plus you are not vulnerable to any problems due to NAT...

I agree with PFWs. I don't so much agree with SP2 FW if you set it to "On", "No Exceptions", and you do not use the Administrator account but only a limited user account instead. Someone, who does not do that will screw up the hardware router as well. If you turn off the SP2 FW (which you can do only as admin) at times, you will put your computer into a DMZ. If you allow exceptions you most likely will do that with your HW router as well. If you work as Administrator, my guess would be that you don't change the default password of your HW router either.

I don't have numbers at hand on this subject, though. These are just a couple of thoughts why I doubt you can simply say, HW router is always better. I believe that there is no clear advantage on either side. If used properly both work the same. If not used properly, neither one will do.

Again, no. That is the purpose of a dedicated firewall. It is not a security risk if it is properly set up. NAT does not hide or protect a computer from the public network. It is on the network the very same way as it is without NAT. The firewall on your NAT router does provide the protection. NAT only makes the holes into the firewall to let the traffic through. That way it weakens the security a firewall can provide. If one of your computers on the inside does contact a file sharing service outside of your network, NAT will open the firewall for responses back.

A dedicated firewall is set up to block ports you don't want traffic to go through. If you don't want file sharing you just block it specifically. There will never ever be any file sharing traffic going through then. No NAT can temporarily open a door there. It's just blocked. With a little bit more effort you can also set up a fairly good outgoing block as well and only allow the necessary outgoing traffic to ports that you really want to use...

We are not sharing files across the net. Sharing files across the net is a bad idea and requires something else. We are sharing files on a LAN here. That's not ideal, but fairly common and not the total security nightmare. If you are afraid of that, put IPSec underneath.

I feel you are a little bit worried if you don't have NAT because of the missing added "security". It seems scary in the beginning to know that the IP address of your computer in the LAN is actually an internet IP and that browsing for example works just like normal as if it was connected directly. I understand the fear that you may think, if it has an internet IP address and it has an open MS filesharing service it may happen that your firewall may fail or whatever... It seems safer to have a different IP address; then you think nothing is going through directly. The mistake here is that the NAT algorithm in between is non-deterministic. The whole mapping problem is. Most of the time it looks good and it works and gives you the feeling of security because of the different IP addresses. In reality you are as directly connected as with NAT and the difference lies in the firewall. If you set it up properly the dedicated firewall does the same as your NAT firewall but is not vulnerable to risks due to NAT as I pointed out before with my example. Most bigger companies use firewalls and they work fine. If they are using a private network they go through proxies, not through NAT.

Gerald

Reply to
Gerald Vogt

NAT appliances, for the last 5 years, have not been problematic, at least not in the NAT part.

In the last few years the only issues I've seen with routers that provide nat has been a couple exploits that required the user to have it set in the default mode and then to visit a site with a specially crafted string that would reset the router and allow remote control - it was noted quickly and patched.

You keep talking about any problems with NAT, but the simple fact is that NAT is not really problematic for the 99% of home users that would implement it.

A hardware firewall without NAT is nothing like a being live on the Net, in fact, you can be as well protected without NAT as long as you use a real firewall, not some personal software or a router claiming to be a firewall. The point is that there is no reason to subject the personal computer to the traffic that being directly connected to the Net would have them subjected too.

Well, you have two problems with the above - 99% of Windows home/SOHO users are running as Administrator level accounts on their machines and they don't know a thing about Exceptions.

If those same users were to purchase a Linksys BEFSR41 unit, or a D-Link 604 unit, and just drop it in place, they would have to make no changes in most cases and they would eliminate about 80% of the threats to their systems.

I don't have numbers either, but I have designs and clients that can back my statements - using a NAT solution for networks as a first layer means to protect them is a much superior method than having them on public IP's with any personal firewall running on their computers.

The key point is that NAT protects, even in the default mode of most of the cheap devices, far better than a personal firewall for most cases, and it's not something that the users have to, or need to, configure.

Completely wrong - NAT does not expose the computers directly to the Internet in any way. The NAT device handles the routing of all traffic in/out of the network to/from the computers and the Internet, the traffic between the computers inside the network never reaches the public side of the router.

Yes, almost - the router will allow the internal machine to get back data from any machine the internal machine contacts FIRST. The external machines can not share data with the internal machines UNLESS the internal machines first contact the external machines, and then it's only good for the session that was started; it does not allow communications once the session is dropped.

The next point is that a NAT device is not a firewall, you need to stop thinking of it as a firewall, NAT has nothing to do with the firewalling. The fact that Marketing types decided to call it a Firewall after a couple years of marketing does not make it a Firewall.

And many of the NAT devices also allow port blocking to outbound destination ports - in fact I always block outbound to ports 135 through 139, 445, 1433/1434, 1026/1027 in those cheap routers. File sharing across the net should not be done using Windows file sharing methods, that's the wrong way to do it and it exposes the computer to many thousands of attackers.

If you have the ports exposed to the net then you run a direct risk of someone reaching them and getting into your computer. Sharing files on work/personal computers inside the home using a public IP is just plain silly in today's cheap router/NAT world; there is just no reason to subject yourself and your data to the risks that you know about and the risks that you don't know about.

No, I have no disillusions about your network, I do this type of stuff for a living and see networks like yours all the time. We get calls from compromised businesses that are set up like you have your systems and they are calling because they've been compromised.

You are completely wrong - you are not "as directly connected as with NAT". I can show you the logs from a typical NAT device to prove it, in fact, if you had ever used a NAT Router (like a D-Link or Linksys or NetGear) you would already know this.

Proxy or NAT, most companies use a PRIVATE address scheme in their offices and networks. Sure, you can proxy, but the proxy has two NIC's and one is inside and one is outside the local network. You would never see a secure company running with all of their computers on the public network.

A firewall and a NAT router are different devices, they are not even close in functionality.

As I've said before, any network running with public IP's is not secure, I don't care how you look at it, a public IP on a company or personal network is not secure. Sure, there can be exceptions, I'm sure I could set up a Windows 2000 or 2003 server to be secure while on a public network (and have), but I'm not about to do it for a secure solution for a business or personal network.

Most of the people that have home computers, I would guess over 90% of them, that are connected via cable/dsl directly to the internet would directly benefit from a NAT device and would have little if any trouble. Additionally, they would be more secure, have to purchase less software (personal firewall software) and see a performance boost in their computers from not having to constantly block the thousands of probes daily. Oh, and they would not be subject to drive-by hacking attempts either.

Reply to
Leythos
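The posts above argue over three concrete behaviours of a consumer NAT box: return traffic is only admitted for sessions an inside host opened first and only while that session lives (Leythos), LAN-to-LAN file sharing never reaches the WAN side and outbound SMB/MS-SQL/RPC destination ports can be blocked on the device (Leythos), and a mapping that is still open can admit a packet from a host the inside machine never contacted (Gerald's UDP remark). The following toy connection-tracking gateway is an added example written for this page, not code from any poster or router vendor. The LAN 10.0.1.0/24 and Leythos's port list come from the thread; the public IP 192.0.2.1 and the outside hosts 203.0.113.10 and 198.51.100.7 are constructed from documentation ranges, and the two `filtering` modes are my own labels for endpoint-independent (full-cone) versus address/port-restricted filtering of inbound packets.

```python
# Added example: toy stateful NAT gateway modelling the behaviours debated in
# the thread. Not code from the thread or any vendor. Addresses are constructed:
# 10.0.1.0/24 is the LAN from the original post, the rest are documentation
# ranges (RFC 5737). Mode names "address_port"/"endpoint_independent" are mine.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Outbound destination ports Leythos says he blocks on cheap routers.
BLOCKED_OUTBOUND = frozenset({135, 136, 137, 138, 139, 445, 1433, 1434, 1026, 1027})


class NatGateway:
    """One public IP in front of a private LAN, with a connection table."""

    def __init__(self, lan_net, public_ip, filtering="address_port",
                 block_outbound=BLOCKED_OUTBOUND):
        self.lan = ipaddress.ip_network(lan_net)
        self.public_ip = public_ip
        self.filtering = filtering      # "address_port" or "endpoint_independent"
        self.block_outbound = block_outbound
        self.next_port = 40000          # next public source port to hand out
        self.mappings = {}              # (proto, lan_ip, lan_port) -> public port
        self.reverse = {}               # (proto, public port) -> (lan_ip, lan_port)
        self.sessions = set()           # (proto, public port, remote_ip, remote_port)
        self.log = []

    def _is_lan(self, ip):
        return ipaddress.ip_address(ip) in self.lan

    def send(self, pkt):
        """Packet entering from the LAN side. Returns ("lan", pkt) for local
        delivery, ("wan", translated) for the internet, or None if dropped."""
        if self._is_lan(pkt.src) and self._is_lan(pkt.dst):
            return ("lan", pkt)         # never translated, never seen on the WAN
        if pkt.dport in self.block_outbound:
            self.log.append(f"DROP outbound {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.mappings:    # first packet of a flow creates the mapping
            self.mappings[key] = self.next_port
            self.reverse[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        pub = self.mappings[key]
        self.sessions.add((pkt.proto, pub, pkt.dst, pkt.dport))
        return ("wan", Packet(pkt.proto, self.public_ip, pub, pkt.dst, pkt.dport))

    def receive(self, pkt):
        """Packet arriving on the WAN side. Returns the packet as delivered to
        the LAN host, or None if dropped."""
        inner = self.reverse.get((pkt.proto, pkt.dport))
        if inner is None:               # no mapping: unsolicited, dropped
            self.log.append(f"DROP unsolicited {pkt.src}:{pkt.sport} -> :{pkt.dport}")
            return None
        if (self.filtering == "address_port"
                and (pkt.proto, pkt.dport, pkt.src, pkt.sport) not in self.sessions):
            self.log.append(f"DROP non-session {pkt.src}:{pkt.sport} -> :{pkt.dport}")
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, inner[0], inner[1])

    def close(self, proto, lan_ip, lan_port):
        """Session ended: forget the mapping so later packets count as unsolicited."""
        pub = self.mappings.pop((proto, lan_ip, lan_port), None)
        if pub is not None:
            del self.reverse[(proto, pub)]
            self.sessions = {s for s in self.sessions if s[:2] != (proto, pub)}


def demo(filtering="address_port"):
    """Walk through the thread's scenarios; returns a dict of observed results."""
    gw = NatGateway("10.0.1.0/24", "192.0.2.1", filtering=filtering)
    out = {}
    # 1. Unsolicited SMB probe at the public IP: no mapping, dropped.
    out["probe"] = gw.receive(Packet("tcp", "198.51.100.7", 50000, "192.0.2.1", 445))
    # 2. LAN host sends a UDP query; its source is rewritten to the public IP.
    _, wire = gw.send(Packet("udp", "10.0.1.2", 3000, "203.0.113.10", 53))
    out["wire_src"] = (wire.src, wire.sport)
    # 3. The reply from the contacted server is mapped back to 10.0.1.2:3000.
    reply = gw.receive(Packet("udp", "203.0.113.10", 53, "192.0.2.1", wire.sport))
    out["reply_to"] = (reply.dst, reply.dport)
    # 4. Another host aims at the open mapping: admitted only if filtering is weak.
    stranger = gw.receive(Packet("udp", "198.51.100.7", 53, "192.0.2.1", wire.sport))
    out["stranger_gets_in"] = stranger is not None
    # 5. Outbound SMB to the internet is refused by the port block list.
    out["smb_out"] = gw.send(Packet("tcp", "10.0.1.2", 3001, "203.0.113.10", 445))
    # 6. File sharing between two LAN hosts stays on the LAN side (checked before the block list).
    out["lan_share"] = gw.send(Packet("tcp", "10.0.1.2", 3002, "10.0.1.3", 445))[0]
    # 7. Once the session is closed, even the contacted server can no longer reach in.
    gw.close("udp", "10.0.1.2", 3000)
    out["after_close"] = gw.receive(Packet("udp", "203.0.113.10", 53, "192.0.2.1", wire.sport))
    return out


if __name__ == "__main__":
    for mode in ("address_port", "endpoint_independent"):
        print(mode, demo(mode))
```

Running `demo()` in both modes makes the disagreement concrete: with address/port-restricted filtering the stranger's packet is dropped and only the contacted server gets back in, while an endpoint-independent mapping admits any outside host that hits the public port before the mapping expires, which is the exposure Gerald describes. Either way the LAN-to-LAN share and the outbound port block behave as Leythos says, so the practical mitigation is a device whose inbound filtering is address/port-restricted and whose UDP mappings time out quickly.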

Not entirely, many use a Private address for EVERYTHING in their network, many companies use 10.0.0.0/8 for their offices and branches. Many others use a group of 192.168.0.0/24 with each office getting the next 192.168.X.0/24 network and then they build dedicated VPN's between offices. Other offices used 192.168.0.0/24 for a LAN and then 192.168.1.0/24 for the DMZ.

Actually, most businesses don't want a Class A/B/C network, since they don't need them and since they are already behind a firewall with NAT'ed networks there is little need for them. Sure, they might have a /27 network and use a couple of public IPs from behind a firewall that's also doing NAT, but most companies will not risk using public IP's on their networks.

Actually, NAT when used with a firewall appliance does not mean that any computer can get out. In fact, in most cases, even when the HTTP Proxy is used in a firewall where the internal network is NAT'd, you still have to create a rule that permits X IP or X subnet access to that HTTP service outbound.

Now, there are two different things here, and we need to define them in simple terms:

1) NAT as provided by Linksys/DLink/Netgear and other simple NAT routers. These devices generally allow all outbound by default and block all inbound unsolicited by default. They may or may not include SPI as a feature. They are not firewalls, but they do protect the internal network from intrusion. Some NAT devices can block outbound port traffic as well as specific IP's inside the network from accessing the external network.

2) Firewalls - appliances that also provide NAT and Proxy services - these are things like Sonic/WatchGuard/PIX/Netscreen/Others. These devices also block inbound, may block all outbound by default, and generally require rule additions in order to even resolve public DNS for web browsing. They often have base rule sets that the administrator can add/remove and allow for custom rules. A rule does not necessarily imply inbound or outbound and may be used with both or one direction. Appliances can also (many times) detect an attack of various types and block the source for X minutes (or permanently). These devices can also use Proxy services built into the units to filter SMTP/HTTP/FTP and other types of traffic for malicious content (such as removing bad attachments from inbound SMTP traffic).

3) Personal Firewalls - these are applications that run on a computer used by a person, typically a workstation. These are very configurable and are often misconfigured as the typical level of the user is very limited in knowledge. Personal firewalls block both in and outbound and often have nice features that track applications in addition to ports being used. The drawback to a PFW is that it is very subject to user misconfiguration, OS exploits, other user based exploits, and can be very confusing to most users. These are also going to utilize CPU cycles to function and may impact system performance to a noticeable degree that the user is not happy with. These applications are not to be used as a first line of defense on any network/system.

4) Computers running/working as Firewalls that are not used by users - like a CheckPoint firewall - see Firewall Appliance above. These are not subject to the problems that Personal Firewalls are.

If you follow these ideas/thoughts then you can build secure networks and secure systems.

Reply to
Leythos

Gerald, the problem is that while you and I understand NAT and other routing methods and security, many people don't and can't afford to buy quality routers or even know the difference.

In most cases, where we talk about these things in this group, it's about small businesses or home users that are on a budget and need some form of protection. In those cases I would never suggest a personal firewall, and I would never suggest a PFW for a server or system on a public network that was just NAT'd.

I think we're on the same page, but I'm not 100% sure.

In my mind there is no acceptable reason to expose a server or workstation (or any device other than a router/switch/firewall) directly to the internet. There is also no reason to consume public IP's for business services for every computer in the company.

I'll stick to suggesting a NAT solution as found in the available devices for SOHO/home users as the first layer. I'll also stick with suggesting firewall appliances for business/commercial/public systems.

Reply to
Leythos
