Run Roadrunner through USB or network card? (1 Viewer)

[MikeyWeitz]

PS--their is no saftey difference between a SB connect and a PCI ethernet. Thier is without a doubt a speed increas with PCI over ethernet, wether it be trnasfer speed or a general computer speed issue.

 

[John Stone]

IMHO, anyone who has broadband but doesn't have a broadband router (or at the very least a separate *NIX-based system to act as a firewall) deserves to be hacked.

That's a ridiculous thing to say. Those words may come back to haunt you one day. What about someone who simply doesn't know better, do they deserve to be hacked? Let's say you've done the best you can to secure your network. What if I find a security hole that *you* don't know about on one of your boxes, do I have the right to hack it just because I have more knowledge than you? No, of course I don't.

Oh, and a number of non-"*NIX" Operating Systems are quite capable of acting as a firewall/gateway.

 

[John_Berger]

Quote:

You don't have the right to hack me whether I'm protected by a firewall or not!
But the simple fact of the matter is that hackers ARE out there even though they have no right to do what they do. And if you think that installing a piece of software on the box that is being protected will provide "more than enough" security, you need to start reading the various professional security magazines and web sites that are available.
And considering that single-port broadband routers with NAT and packet dropping can be found for less than $50, it's a small price to pay to piss off would-be hackers.

 

[Armando Zamora]

And considering that single-port broadband routers with NAT and packet dropping can be found for less than $50, it's a small price to pay to piss off would-be hackers.

While I'm not running a network and only have a stand alone workstation using my broadband connection, all this talk about hacking is giving me the heebee geebees. I'm running a software firewall and now this issue has me thinking that I'm short on protection. What NAT router would be recommended for my purposes?

 

[John Stone]

Quote:

Don't forget to mention the many security problems in some hardware firewalls (search your Bugtraq archive). Unlike software firewalls, many of which can patch themselves automatically, the chances of your average user finding out about and updating the operating system on their hardware firewall are not very good.

 

[John_Berger]

What NAT router would be recommended for my purposes?

There are plenty out there made by various companies. LinkSys is the one that I use, but I believe that NetGear, D-Link, and other make them. They're inexpensive dollar-wise, but they're value can really be seen by having them log all incoming attempts.

I get no less than 100 attacks per day on mine. Now, most of them are undoubtedly self-replicating trojans/viruses that are trying to propagate themselves on exposed systems and not real "attacks", but at least once a week someone does a port scan and several times a week someone tries multiple, systematic methods.

I once had a multihomed, Linux firewall on a separate box, a firewall software called ipchains which rejected all incoming connections, NAT software -- everything that a broadband connection needed for a home network. I still got whacked. That was when I decided enough was enough and bought a LinkSys broadband router. No problems since, although many have tried.

 

[John_Berger]

Unlike software firewalls, many of which can patch themselves automatically, the chances of your average user finding out about and updating the operating system on their hardware firewall are not very good.

Well, I have no sympathy for people who don't keep their hardware or software up to date anyway. It takes two minutes to hop onto the company's web site to see if an upgrade is available, and the vast majority of upgrades are incredibly easy to do.
I categorize the people who don't keep up-to-date drivers with those who refuse to make back-ups of their data (the "It Will Never Happen To Me" syndrome) and then scream when their hard drive dies or gets damaged resulting in lost data, aka Steven Thrasher.

 

[Armando Zamora]

John and John, thank you for all the info. Let me first say that I respect both your views on this issue. As a common user with no in-depth knowledge of network security, the info and "debate" that you've presented serves as a learning tool to help me assess and ultimately decide what's best for my situation.
With that in mind, I've chosen to try to make my setup as secure as possible. Overkill..maybe. Paranoid...definitely. Don't want some shmuck to hack into my system and get all my cheater codes for my video games.
Now I just have to decide on what router to purchase. I'm leaning towards a Linksys, but there are too many trimlines to choose from. I can't discern the difference among them. It's between the:
Linksys Model BFSR11;
Linksys Model BFSR41; or
Linksys BFSR81.
Decisions, decisions!!!

 

[John Stone]

Well, I have no sympathy for people who don't keep their hardware or software up to date anyway. It takes two minutes to hop onto the company's web site to see if an upgrade is available, and the vast majority of upgrades are incredibly easy to do.

You're not living in the real world. The average user doesn't know how to do this. Even those who do know better often neglect to update their software on a timely basis. It's easy for people like us to expect other people keep up with all that stuff, but the average user is not thinking about network security and patches, they just want to surf the web and recalculate their spreadsheets.

 

[John_Berger]

I can't discern the difference among them.

There is no functional difference between the three of them.
The BFSR11 has one network port (not including the one for the broadband connection itself). Unless you connect to a separate hub or switch, you will not be able to share your connection to more than one PC.
(Actually, you can still share that connection, but not without a hell of a lot of headaches if you're not familiar with multihoming and other issues that I need not rehash. I absolutely had to make this clarification, you understand.)
The BFSR41 has four network ports so that you can connect four PCs to the router. That way you don't need to connect a separate hub/switch if you have four or fewer PCs.
The BFSR81, as you can surmise, has eight ports, so you can connect up to eight PCs without a separate hub or switch.
They're all the same and use the same base firmware, so the best one for you is solely dependent on how many ports you'll need. Get what you need or what you think you'll need. If you need to expand further in the future, you'll only need to buy a separate hub/switch.

 

[John_Berger]

The average user doesn't know how to do this.

You and I were average users once, too. Even if they don't know, it's in their best interests to learn. We did. They don't even need to get close to the level of knowledge that we have - just enough to keep themselves out of trouble. "Once a month, check for an update. Put it on the calendar if need be." If that's too much to ask of them, then we might as well just tell them to hook their PC up to their broadband connection and have fun without any concerns.
**sigh** So how much longer before we finally admit that we're never going to see eye to eye in this issue? :rolleyes

 

[Brad_V]

May as well ask this... how good do you think the various website security tests are? I'm sure a hacker out there somewhere has the knowledge to do anything he wants if he wanted, but it's like any other kind of thief -- the good ones will steal it no matter what, but most aren't smart enough.

I've been using Tiny Personal Firewall for maybe a year now, and now that I have cable I really see the hits coming. Mostly minor stuff, probably not even a threat or a real hack, but a couple clicks sets a rule and takes care of all of that type. Very easy, surprisingly. Every online scan test I've done tells me my protection is fantastic, etc. Do those tests have merit?

 

[John Stone]

**sigh** So how much longer before we finally admit that we're never going to see eye to eye in this issue?

Yeah, we both have better things to do. Our points have been made. We admins sure can go at it, huh? Most of my co-workers would love to see this thread. My security policies at work have been described as "evil", "over-bearing", "stifling" and "draconian". I'm known as John "Security and convenience are rarely seen holding hands" Stone. They would never believe that the same person making their lives a living hell would ever take the "liberal" side of a computer security argument. John, I think we see eye-to-eye more than we let on when it comes to network security, but time and experience has taught me that what is theoretically the best situation does not always perform as expected in practice, especially when you throw someone who knows little to nothing about computers (let alone security and patches) into the mix. I know this is where our philosophies start to part ways, so on that note I agree that we should agree to disagree.

 

[John_Berger]

May as well ask this... how good do you think the various website security tests are?

If you're thinking of the sites that I think you're thinking of (say that three times quickly), they're a place to start and nothing more. All that they really do is a port scan to see if anything responds. Even then, they only do the common ports. Considering that there are 65,000+ ports available and maybe a few dozen or hundred get scanned, I would not consider those web security tests to be anything more than a starting point -- but they're at least pretty good starting points!

However, all that is takes is some kind of back door on a non-standard port for someone to get to your system. That's why something like a broadband router which drops (by default) ALL incoming connections is a probably the best first-defense for broadband users.

Now, IIRC some of those web sites do offer a complete port analysis, but I believe that some or most of those sites charge for those scans and they take quite a long time to complete. I'll admit that it's been a while since I've visited one of those sites, so they might have changed by now.

 

[John_Berger]

so on that note I agree that we should agree to disagree.

Done.
HEY! What was that?
Was that a collective sigh of relief that I just heard from the HTF admins?

 

[John_Berger]

I will say this, however...
For anyone who thinks that I'm against installing Zone Alarm, I'm most certainly not. Zone Alarm not only provides inbound security, but it also provides outbound security as well.
For example, if some piece of spyware is on your machine (which is what you get for installing Kazaa, you naughty person!) and tries to communicate to the Mother SpyWare Ship server without you knowing it, Zone Alarm will most likely catch that and alert you to it.
So, installing Zone Alarm is not a bad thing even if you have a broadband router. Of course, being more selective on what you install would do the same thing.

 

[Brad_V]

I'll ask that guy I mentioned who hacked through Zone Alarm (four different ways I was told) and quote here what he says about it. He and others then went to Black Ice at the time, I think, but reading up on grc.com .... Steve Gibson apparently thinks Black Ice is complete garbage.

Anyway, for those in this thread who think firewalls are unimportant, read at grc.com about the 13-year-old hacker who attacked the grc servers multiple times and shut them down, read about Windows XP plug-and-play security and XP security/firewalls in general, and then if you're not freaked out enough, do the shields-up, probe scan, and leak tests. My computer using Tiny Personal Firewall had everything come up "stealth" and no leaks and all that, so it passed those tests at least. Anyone who thinks a firewall of at least some kind isn't important, take the tests and let us know how it goes.

And on mine, I made sure to have a couple file-sharing programs open while I did it. The tests still came up with nada.

 

[John_Berger]

I'll ask that guy I mentioned who hacked through Zone Alarm (four different ways I was told) and quote here what he says about it.

Give him John Stone's IP address.
I'M KIDDING!!!

 

[Brad_V]

Maybe you guys have already heard of the trick... I'm not a computer tech, so maybe it's not big deal. Beats me. He said as long as you can ping the server, you have a good chance of getting past Zone Alarm (depending on what security measures have been set) by using Windows Explorer or Internet Explorer to drop you right onto the person's C: drive.

If someone wants to give me an ip address and permission to try, let me know.

 

[John Stone]

He said as long as you can ping the server, you have a good chance of getting past Zone Alarm (depending on what security measures have been set) by using Windows Explorer or Internet Explorer to drop you right onto the person's C: drive.

So that's the extent of his "4 ways to hack Zone Alarm"? It sounds to me like he's talking about nothing more than accessing open NetBIOS shares via TCP/IP, which has nothing to do with any weaknesses in Zone Alarm. There's nothing new or technical about exploiting open shares, I could teach my mom how to look for and "exploit" them in less than 2 minutes. Besides, that sort of thing A) Is old_hat B) Lame C) Zone Alarm blocks by default and D) I use a non-routable protocol for NetBIOS stuff on my LAN.
Feel free to give him my IP address. Please ask him if I can share his "whitepaper" (and my firewall logs of his thrashing around in vain) with my friends over a few beers. Thanks.