Internet Firewalls Discussion - Page 4 - Canadian TV, Computing and Home Theatre Forums
post #46 of 93 (permalink) Old 2007-01-21, 02:05 PM
OTA Forum Moderator
 
Join Date: Jan 2005
Posts: 24,878
Quote:
Nice analogy Stampeder, thanks for that, is that your own description?
Ya, I wrote that on another forum to a nice guy who was getting hopelessly mixed up on the terminology and thought he was well protected by just his anti-virus software - I've seen my post pop up in other places too, which is okay by me.



stampeder is offline  
post #47 of 93 (permalink) Old 2007-01-22, 10:54 PM
 
Join Date: Feb 2004
Location: montreal
Posts: 333
Using static IP's and firewalls

I've done a search on this topic but didn't find anything. If anyone can point me to any resource I'd appreciate it very much.

I'm pretty much knowledgeable when it comes to wireless setups but am still unsure of the proper settings for maximizing security using static IP addresses and firewalls.

First off I have a D-Link DI-624 router set up with WPA security. I'd use WPA2 but the wireless card on another laptop my daughter uses doesn't support it.

I also assigned two static IP addresses for both laptops and blocked off the remaining range. This was done to accommodate my torrent client and add an extra layer of security by blocking off unneeded IPs.

My problem is this. I tried to connect to the router without setting up a static IP address and it connected leading me to believe that my router is still assigning IP addresses dynamically. My DHCP server shows as enabled and my static DHCP as disabled. Is this normal? When I try to disable the server it grays out the static DHCP options. However, the Static DHCP Client List does show the two laptop addresses I assigned.

My other problem is the firewall settings. Is there anywhere I can go to read up on proper firewall settings, particularly with the DI-624?

Any suggestions?
dynot is offline  
post #48 of 93 (permalink) Old 2007-01-23, 12:00 AM
 
Join Date: Jan 2003
Location: London, ON
Posts: 6,296
Quote:
Originally Posted by dynot
I'm pretty much knowledgeable when it comes to wireless setups but am still unsure of the proper settings for maximizing security using static IP addresses and firewalls.
I don't think that what you are doing provides any extra security. All it does is provide fixed TCP/IP addresses for certain MAC addresses. Disabling DHCP does not provide extra security either. I suggest you leave DHCP enabled as you have it and do the following:

1. Select Advanced -> Filter.
2. Select Mac Filters.
3. Select "Only allow computers with MAC address listed below to access the network".
4. Then select the DHCP clients from the drop-down lists. (Or type in the MAC addresses of your computers.)

My router is a DI-704 but the DI-624 should be very similar. The router manual should be available for download from the support section of the D-Link site.
I_Want_My_HDTV is offline  
 
post #49 of 93 (permalink) Old 2007-01-23, 12:18 AM
 
Join Date: Oct 2005
Location: Ajax, ON
Posts: 299
D-Link has a very good support site that provides FAQs for all their products and even emulators to walk through the config.

http://support.dlink.ca/products/vie...uctid=DI%2D624
(Not sure which revision of 624 you have, I just picked the rev. A)

1. I would suggest using WPA-PSK and use a passphrase that is complex (includes #, special characters, upper and lower case).

2. Use MAC filtering as was suggested by I_Want_My_HDTV, and don't disable the DHCP Server.

3. I would enable DHCP Server and Static DHCP if you want to make sure that when you turn your PCs on and off you don't get any IP conflicts on bootup with an already booted-up PC. The DHCP Server must be running for the Static DHCP to work from what I can see; that is only logical as well.

http://support.dlink.com/emulators/di624/h_dhcp.html

Sony KDL46HX800, BDPS470|Pio 1020|PS3 80G|Athena AS-F1s, C1|Energy VMinis, V10|Moto VIP1232|HOne|APC UPS
MediaRoomManiac is offline  
post #50 of 93 (permalink) Old 2007-01-23, 01:12 AM
Veteran
 
Join Date: Feb 2003
Location: Victoria, BC
Posts: 1,768
MAC filtering is very weak security and easily subverted.

The best wireless security is simply using a long and complex WPA-PSK passphrase (as suggested above). If you do that, the chances of anyone else getting on your wireless network are virtually nil.

Here's one of many sites that can generate good strong random keys for PSK:
http://www.kurtm.net/wpa-pskgen/

Mike / technut
technut is offline  
post #51 of 93 (permalink) Old 2007-01-23, 10:10 AM
 
Join Date: Feb 2004
Location: montreal
Posts: 333
Thanks for the replies guys...

I do use WPA-PSK with a long passphrase including numbers & letters.

I read somewhere that blocking off unused IPs is a good idea if you're not going to use them. It would prevent someone on the outside from connecting to your network, which makes sense to me if there's no address to connect to. Whether this is true or not, it doesn't hurt since I don't need any other addresses.

As for MAC address filtering, whenever I try to use it I cannot connect. I know I'm using the right adapter MAC (checked it with ipconfig /all) but I don't get a connection at all. When I disable it, it connects right away.

What about firewalls? I read on another site that the best starting point is to deny all traffic and then set up those apps that need access. But how do I know which apps need access?
dynot is offline  
post #52 of 93 (permalink) Old 2007-01-23, 03:38 PM
 
Join Date: Dec 2005
Location: Toronto
Posts: 662
To test the security of your firewall/network such as to verify if you have any common ports which are open to the outside world, file shares that are visible, and so on, check out this site: GRC Shields UP.

Just like the site linked to above, GRC also has a page that generates long random passwords that could be used for wireless security: High Security Password Generator.

As others pointed out the best defense is to use a layered approach. That includes using a router that has SPI and updated with the latest firmware. For wireless, it should be secured by WPA (minimum, WPA2 with AES preferred) using the long passwords as prescribed above. It also helps to disable SSID wireless broadcast, enable MAC address filtering, disable DHCP, and disable UPnP relying instead on manually forwarded ports that are used by applications that you know you are using.

For the PC/Workstation, it helps to have a combination of software firewall, anti-virus, anti-spyware software running.

On the software side of things, an added layer of defense would be to use Firefox with extensions such as NoScript, Adblock with Filterset.Update, etc. This should block those 3rd-party sites that can potentially carry or link to payloads that can install nasties on your computer. Of course the PC OS AND the software running on it (such as Office, etc.) should be up to date with patches. For example, Microsoft just released patches for Excel and Outlook (from versions 2000 onwards) last week... You can update your Office by visiting Microsoft's Office Update Site and selecting the Office Update link (upper right-hand corner, 3rd link).

Securing your PC has become almost a full-time job nowadays...

Last edited by cyclo; 2007-01-23 at 03:52 PM.
cyclo is offline  
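technut and cyclo both point to sites that generate a long random WPA-PSK passphrase. The following is an added example, not code from anyone in this thread: it generates such a passphrase locally with a CSPRNG, estimates its guessing entropy, and derives the 256-bit pre-shared key the way WPA/WPA2 does (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), which is why the passphrase, not the SSID, is the only real secret. The alphabet and the class-based entropy estimate are my assumptions.

```python
import hashlib
import math
import secrets
import string

# WPA-PSK passphrases are 8..63 printable ASCII characters (assumed alphabet here).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def generate_passphrase(length: int = 63) -> str:
    """Random passphrase from the OS CSPRNG, like the generator sites but offline."""
    if not 8 <= length <= 63:
        raise ValueError("WPA-PSK passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(passphrase: str) -> float:
    """Upper bound on guessing entropy: len * log2(size of the character
    classes actually present). A human-chosen phrase is weaker than this."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK derivation: PBKDF2-HMAC-SHA1, salt = SSID,
    4096 iterations, 32-byte output. The SSID is public, so the router
    does no more work per guess than an attacker with a captured handshake."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


if __name__ == "__main__":
    strong = generate_passphrase()
    print(f"{strong}\n~{entropy_bits(strong):.0f} bits of entropy")
    print(f"'password' on SSID 'IEEE' -> ~{entropy_bits('password'):.0f} bits, "
          f"PSK {derive_psk('password', 'IEEE').hex()}")
```

The "password"/"IEEE" pair is the test vector from the 802.11i standard; its ~38 bits is within reach of offline guessing, while a 63-character random passphrase gives over 400 bits.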
post #53 of 93 (permalink) Old 2007-01-23, 04:58 PM
OTA Forum Moderator
 
Join Date: Jan 2005
Posts: 24,878
That's a very good site for home users to test their systems - thanks for the new bookmark.



stampeder is offline  
post #54 of 93 (permalink) Old 2007-02-11, 04:06 PM
 
Join Date: Oct 2005
Posts: 7
Hey stampeder. If I want to set up a linux firewall pc where is a good place to start to get myself up to speed?

I have most of an old p3 sitting around doing nothing and have been thinking about this project for a little while.

I am not a techie, but am pretty good at picking up what I need to know. I am familiar with unix systems in a general sense, but have never installed and configured a linux system.

Fred
fredf is offline  
post #55 of 93 (permalink) Old 2007-02-11, 07:03 PM
OTA Forum Moderator
 
Join Date: Jan 2005
Posts: 24,878
Hi Fred, much of what I've done with my firewall/gateway has been a work in progress over the years so I haven't sat down and documented it, but I checked out some bookmarks I had and came across this link to one of the most complete and thorough HOWTOs I've seen on the topic:

http://www.howtoforge.com/ubuntu6.06_firewall_gateway

It does a bit more than mine, so about the only thing I would add to theirs is the Squid Caching Proxy server, which you can find a tutorial about here:

http://www.squid-cache.org/



stampeder is offline  
post #56 of 93 (permalink) Old 2007-02-11, 11:43 PM
 
Join Date: Oct 2005
Posts: 7
Thanks stampeder. That's more of a head-first, full-speed-ahead link. Not sure I want to do a roll-your-own on my first try.

I did some more searching and found a few good links. I need to understand what my options are, and there seem to be quite a few.

Fred
fredf is offline  
post #57 of 93 (permalink) Old 2007-07-10, 03:08 PM
 
Join Date: Jun 2007
Posts: 68
Firewall issue with 360

I want to play online with my 360 (I do have a gold account). I recently reset my firewall for McAfee and now I am having trouble with the ports that I need to open:

UDP 88, UDP 3704 & TCP 3704

The thing is... I don't know where to find these ports, and whether I need to open them through MS firewall, my wireless router firewall, or through McAfee firewall.

Any assistance would greatly be appreciated...

Thanks...
bleach is offline  
post #58 of 93 (permalink) Old 2007-07-10, 03:21 PM
Veteran
 
Join Date: Jan 2006
Location: GTA IV
Posts: 1,768
If the McAfee firewall is on your PC, then neither it nor the MS firewall should affect the 360. The only settings I think you should have to change would be on the wireless router - unless your McAfee is somehow tied in to your wireless router. If that's the case ignore the rest of this.

Normally the 360 would be initiating the connection from behind your firewall, so the ports would be opened in the expectation of a response from the Live servers. If you needed to open those ports you would have to map them to the IP address the 360 is using on your LAN. If you do that, you should probably assign the 360 a static IP address.

Or you could put the 360 on the router's DMZ. That should bypass the firewall completely. I haven't heard of any DOS attacks or hacks that attack 360s on the Internet?
Dioneo is offline  
post #59 of 93 (permalink) Old 2007-07-10, 03:37 PM
 
Join Date: Jun 2007
Posts: 68
I appreciate your help greatly; I am not too savvy with this and would like to inquire as to how I would put the 360 on the router's DMZ.

Also, what exactly is a DMZ?

Thanks...
bleach is offline  
post #60 of 93 (permalink) Old 2007-07-10, 03:49 PM
Veteran
 
Join Date: Dec 2001
Location: Brampton, Ontario
Posts: 10,415
DMZ is a "borrowed" military term that stands for "De-Militarized Zone". As applied to routers, it's a physical port on the router that bypasses the hardware firewall.

I don't know McAfee at all, but software can indeed control the ports on your router through UPnP. Otherwise, the data doesn't flow through your PC at all, so the software firewall has no effect on the 360. Really, for most home installations, the hardware firewall in your router is sufficient protection and software firewalls on your PC are overkill. It all depends on you though, and how worried about security you are.

What brand/model router do you have? I can probably look up the manual on-line and instruct you on how to make the necessary changes.
JohnnyG is offline  
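Dioneo and JohnnyG describe three ways inbound traffic reaches the 360 behind a home router: as a reply to a flow the console started, through a forwarded port mapped to its LAN address, or through the DMZ that bypasses the firewall entirely. The following added model (my own illustration, not any router's or McAfee's code) makes those three cases explicit for the ports bleach listed; the LAN and WAN addresses are constructed, and it ignores port translation so replies come back on the same port.

```python
from dataclasses import dataclass
from typing import Optional

# Ports from bleach's post; a constructed LAN address stands in for the 360.
XBOX_PORTS = {("udp", 88), ("udp", 3704), ("tcp", 3704)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class HomeGateway:
    """Default-deny stateful NAT router. Inbound packets are dropped unless
    they answer a flow a LAN host opened, hit a port forward, or a DMZ host
    is set (which then receives every unsolicited port)."""

    def __init__(self) -> None:
        self.flows: set = set()          # (proto, lan_host, lan_port, remote, rport)
        self.forwards: dict = {}         # (proto, port) -> lan_host
        self.dmz_host: Optional[str] = None

    def outbound(self, pkt: Packet) -> None:
        # The console initiates, so the router remembers the flow; no
        # inbound rule is needed for the Live servers to answer.
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def forward(self, proto: str, port: int, lan_host: str) -> None:
        self.forwards[(proto, port)] = lan_host

    def inbound(self, pkt: Packet) -> Optional[str]:
        """LAN host that receives an inbound WAN packet, or None if dropped."""
        for proto, host, port, remote, rport in self.flows:
            if (proto, remote, rport, port) == (pkt.proto, pkt.src, pkt.sport, pkt.dport):
                return host                        # reply to an established flow
        target = self.forwards.get((pkt.proto, pkt.dport))
        if target is not None:
            return target                          # explicit port forward
        return self.dmz_host                       # DMZ catches everything else


def forward_xbox(gw: HomeGateway, lan_host: str) -> None:
    """Narrow alternative to the DMZ: map only the listed ports to one host."""
    for proto, port in XBOX_PORTS:
        gw.forward(proto, port, lan_host)
```

With only forwards configured, a stray connection to, say, TCP 22 on the WAN side is still dropped; with the DMZ set, that same packet lands on the console.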