Question:

I have a Linksys WRT54GS. I'd like to set up port forwarding to be able to use NetMeeting. I went to the MS web site and it lists a whole bunch of ports to be opened when using a firewall and it is very confusing. Can somebody tell me if there is an easy way to accomplish this?

STOSELECT
Answer:

> I went to the ms web site and it lists a whole bunch of ports to be
> opened when using a firewall and it is very confusing.
> Can somebody tell me if there is an easy way to accomplish this?

NetMeeting's Remote Desktop Sharing will work through a Linksys router using port forwarding. If you are wanting to do all that video stuff with NetMeeting, then the router has to be H.323 compliant. There are H.323 compliant routers.

Other than that, if the router is not H.323 compliant, put the machine into the DMZ of the router and have a personal firewall solution that can deal with H.323 to protect it.

I don't seriously expect the GUM (Great Unwashed Mess) to ever understand even the basics of encryption and security. Even the ones that do run into absurdities such as creative ASCII to hex conversions, cryptic settings, creative protocols, and stupid security ideas such as broadcasting NULLs for the SSID.

The user should be presented with a selection template on installation. There should be a choice of common applications with presets for each such as Corporate Network, Hot Spot, Open Access, VPN Gateway, and of course, custom settings. Expecting the user to know about access point isolation, VPN pass-through, and ACLs is a bit like requiring the automobile buyer to learn auto mechanics before being allowed to drive. Such templates are common in Cisco IOS based routers, where the complexity of the initial setup is often well beyond the abilities of even experienced users.
> 1) By knowing how to use the PFW solution properly as machine level
> protection (can't call it a FW as it's not). And not depending on things
> such as App Control or the rest of the stuff within them that is
> snake-oil.

I'm not a big fan of Steve Gibson, and calling anyone that has never attended a security conference or appears on a security mailing list a security expert is ludicrous. However, he does have a point with his snake oil security tests. I read his stuff, extract what I can, and ignore his alarmist conclusions and warnings. There's value in there somewhere.

The same applies to others that have found individual flaws, potential security holes, and exploits. I once found a real security hole in a commercial Unix OS, but was ignored by the manufacturer. Only when someone else wrote an exploit tool was the problem addressed and fixed. Careful what you call snake oil.

I have a problem with personal firewall software (Zone Alarm, Windoze XP SP2 firewall, etc). They are "user decision based" firewalls. In other words, they only work if the user makes the correct decision when the popup appears demanding a decision. My experience with inspecting ZoneAlarm, Norton, McAfee and WFW configurations is that users constantly make the wrong decisions. I've found numerous machines with active trojan horses running, where the user simply clicked "accept" because he got tired of having the popup warning appear. This is ludicrous, stupid, worthless, and dangerous. As I previously ranted, a personal firewall is a great tool in the hands of an experienced and conscientious user. However, with the commonly inexperienced member of the GUM, it's of limited value.
> 2) If one has a Windows O/S where it has security and it has been hardened
> to attack or secured by disabling *shares*,

Trick question: How does a member of the GUM disable shares or even see them? Perhaps they are swift enough to know about the NET VIEW \\your_IP (or NETBIOS machine name) trick that will show the visible shares. But what about the hidden C$ administrative share and XP's default shared folder? I have a hell of a time just finding which directory is being shared. I constantly see machines that use Briefcase to replicate files have the entire C: drive shared just to get the stupid Briefcase to work. I also find XP boxes with proper user login pwords assigned, but a blank pword for administrator. I would normally just disable all sharing, but crippled XP Home doesn't allow disabling simple file sharing. I have to kill the shares one by one. Of course every user login is an administrator by default, which is convenient, but ensures that a mistake is universally destructive. I won't even go into what can be done to XP with physical access.

This is hardened security?
This is an excellent list. I can tell whoever wrote it has had some experience. Securing the backup tapes and CD-ROMs is not often included in such a list. Were I interested in attacking a specific machine, it's much easier to steal the backups than to attack the machine directly. Now, getting the backup vendors to use real encryption is another story. I have friends in the business and they claim it's not a useful requirement and will ruin their data integrity checking.
> The buck stops with the O/S and it doesn't stop anywhere else, if you
> have an O/S where security can be implemented.

Does informing you of defects make an automobile safe? There's some argumentation over the principle, but the consensus seems to be that manufacturers are responsible for delivering safe products. Methinks that extends to data security and safety, but your EULA may say otherwise.
> There are other links besides the one above that will clue in the
> clueless.

The clueless don't read such links or they wouldn't be clueless. Even if they do read the recommendations, many of the tweaks are undone almost immediately after a hardware reset, operating system upgrade, or manufacturer's "system restore" ceremony. Is eternal vigilance also the cost of security?
> If the machine has been compromised and the malware executed, it has been
> compromised and no snake oil solution that has been spawned by Gibson is
> going to stop it. If the machine has been compromised, a PFW, host
> based network FW, router or FW appliance solution is not going to stop malware
> and its outbound traffic initially.

Make up your mind. Is the personal firewall like a lock and key barrier to access, or is it a burglar alarm that informs the user that they've been screwed? With user decision based PFW solutions, methinks the burglar alarm is the proper application. It doesn't really prevent access, but does inform the user that someone is trying to drill through the door. I have yet to see a PFW that does both adequately.
> The key is to not allow the malware to reach the machine and practice
> safe hex. The other key is to recognize dubious activities once the
> machine has been compromised by using the proper tools and one looks
> around for themselves from time to time and not depend solely on
> solutions that can be circumvented and defeated.

I get far too few calls from customers asking for clarification of some of the pop-up messages delivered by ZoneAlarm, MS Anti-Spyware beta 1, and other impediments to computing. Even I have to decode the cryptic mumbo-jumbo that some of these deliver in my face. Self-respawning spyware will create the same warning over and over until the user selects "accept" just to make the messages go away. Recovering from the wrong decision is also a common exercise on behalf of my customers.
> I do use the tools in the link from time to time like Active Ports and
> Process Explorer and look for myself and what is happening on the
> machine.

Nice article. One problem. The user would be expected to know and recognize the difference between normal and bogus processes and drivers. I can barely keep up on the myriad of driver names and would never expect a member of the GUM to be able to do the same.
> No NAT router for home usage is running *true* FW software. It may be
> using NAT and some other FW like features like SPI but it's not running FW
> software in the traditional sense.

All stateful packet inspection does is offer the router a way to determine which side of the firewall a packet is coming from in order to prevent a WAN side attacker from spoofing an inside IP address. This is an important feature and very useful, but does not mean that firewalls that lack SPI are garbage. The same thing can be done with packet filters.
The endless discussions on what features constitute a "true" firewall have wasted considerable time in the various networking newsgroups and mailing lists. There are some that suggest that anything that does not pass the ICSA Labs certification tests is worthless. I don't know (or care). I have very few problems dealing with attacks originating from the internet with common cheap NAT routers. Well, I do have some problems from the internet with users that do considerable port forwarding that points to flawed or insecure inside services. I just had the web server on my weather station successfully compromised by an attack from the internet because I was one version behind on updates and fixes. Anyway, I consider the typical NAT firewall to be good enough, even without SPI, ACLs, and certification. However, setting up a DMZ defeats all the protection and relies totally on the user decision based personal firewall, which I have almost no confidence in staying alive or secure.
> Of course you have some high-end NAT routers that come close to being a
> FW appliance but they are not running true FW software. And you can use a
> NAT router as a border device considered to be a total FW solution
> designed to protect a network.

I'll resist the temptation to ask what features are missing in a cheap NAT router that are required for a "true" firewall. I can list a considerable number of protocols and features that a typical Cisco router supports, but how many of those features are useful for the average home user, and how many of them are comprehensible by the user or even the installer? Adding features does not necessarily equate to better security.

I guess I cheat. Our neighborhood LAN uses a Cisco 2514 router (with the fan ripped out so I don't have to listen to the noise). My local ISP's free wireless
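The answer above makes three points about a cheap NAT router that are easy to conflate: a port forward exposes exactly one inside service, a DMZ host receives every unsolicited packet, and the "side the packet arrived on" check is what stops a WAN-side attacker using an inside address. The following toy model, added here as an illustration and not code from the thread, any router vendor, or Microsoft, walks through all three with constructed addresses (203.0.113.x and 198.51.100.x are documentation ranges) and a fictitious NetMeeting PC at 192.168.1.20. TCP 1720 is the real H.323 call-setup port; the model deliberately handles only static forwards, which is exactly why the answer says video needs an H.323-aware router, since the media ports are negotiated inside the call and cannot be forwarded in advance.

```python
# Added example, not from the original thread: a toy model of a home NAT
# router's inbound decisions (state table, static port forwards, DMZ host,
# interface-based anti-spoofing). All addresses/ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "wan" or "lan"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class HomeRouter:
    """Minimal NAT router: outbound state table, port forwards, optional DMZ."""

    def __init__(self, wan_ip="203.0.113.10", lan_prefix="192.168.1."):
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix
        self.forwards = {}        # (proto, wan_port) -> (inside_ip, inside_port)
        self.dmz_host = None
        # (proto, remote_ip, remote_port, wan_port) -> (inside_ip, inside_port)
        self.state = {}

    def add_forward(self, proto, wan_port, inside_ip, inside_port):
        self.forwards[(proto, wan_port)] = (inside_ip, inside_port)

    def set_dmz(self, inside_ip):
        self.dmz_host = inside_ip

    def is_inside(self, ip):
        return ip.startswith(self.lan_prefix)

    def handle(self, pkt):
        """Return (verdict, detail): verdict is "accept" or "drop"; for an
        accepted inbound packet, detail is the inside (ip, port) it goes to."""
        return self._outbound(pkt) if pkt.iface == "lan" else self._inbound(pkt)

    def _outbound(self, pkt):
        if not self.is_inside(pkt.src_ip):
            return ("drop", "anti-spoof: non-LAN source address arrived on LAN side")
        # This toy NAT keeps the inside port as the WAN port; record the flow
        # so the reply can be matched and routed back to the right host.
        self.state[(pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_port)] = (pkt.src_ip, pkt.src_port)
        return ("accept", (self.wan_ip, pkt.src_port))

    def _inbound(self, pkt):
        # The interface a packet came in on is something the router actually
        # knows; an inside address seen on the WAN side cannot be legitimate.
        if self.is_inside(pkt.src_ip):
            return ("drop", "anti-spoof: LAN address arrived on WAN side")
        if pkt.dst_ip != self.wan_ip:
            return ("drop", "not addressed to this router")
        # 1. Reply to a flow an inside host started (the state table).
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.state:
            return ("accept", self.state[key])
        # 2. Explicit port forward: exposes one service only.
        fwd = self.forwards.get((pkt.proto, pkt.dst_port))
        if fwd:
            return ("accept", fwd)
        # 3. DMZ host gets everything else, whatever the destination port.
        if self.dmz_host:
            return ("accept", (self.dmz_host, pkt.dst_port))
        return ("drop", "unsolicited inbound: no state, no forward, no DMZ")


def demo():
    """Walk through the cases discussed in the thread; returns the verdicts."""
    r = HomeRouter()
    results = {}
    # Inside PC opens a connection out; the reply is let back in by state.
    r.handle(Packet("lan", "192.168.1.20", 40000, "198.51.100.5", 80))
    results["reply"] = r.handle(Packet("wan", "198.51.100.5", 80, r.wan_ip, 40000))
    # Unsolicited connection to the H.323 call-setup port, nothing forwarded.
    results["unsolicited"] = r.handle(Packet("wan", "198.51.100.7", 5555, r.wan_ip, 1720))
    # Forward only that one port to the NetMeeting PC.
    r.add_forward("tcp", 1720, "192.168.1.20", 1720)
    results["forwarded"] = r.handle(Packet("wan", "198.51.100.7", 5555, r.wan_ip, 1720))
    results["other_port"] = r.handle(Packet("wan", "198.51.100.7", 5556, r.wan_ip, 445))
    # Spoofed inside address arriving from the WAN side.
    results["spoof"] = r.handle(Packet("wan", "192.168.1.20", 5000, r.wan_ip, 445))
    # Put the PC in the DMZ: every unsolicited port now reaches it.
    r.set_dmz("192.168.1.20")
    results["dmz"] = r.handle(Packet("wan", "198.51.100.7", 5556, r.wan_ip, 445))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Running `demo()` shows the forwarded packet reaching only port 1720 on the inside host while port 445 is still dropped; once the DMZ is set, the same port 445 probe is delivered, which is the "DMZ defeats all the protection" point. The anti-spoof drop needs no state table at all, only knowledge of the arrival interface, which is why the answer says a plain packet filter can do the same job as SPI for that case.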