broadband security


Jeff

The possibility of broadband has finally arrived to the residential area I
live in and I will soon be set up with Cox for broadband. So I am
considering security implications.

The PC that will be connected to the cable modem is part of a 4 PC home
wireless network. All 4 PCs in the wireless network have Zone Alarm (as
well as virus and spyware defenses) but are linked to each other in Peer to
Peer connections without a wireless router.

I am assuming that the cable modem will have a built in hardware firewall
(but maybe not). I am wondering how much of the data in the other PCs
connecting to the PC with the cable modem might be at risk through the
broadband. Is that a concern? What should I do to protect the data on the
other PCs linked by wireless since some of the folders are obviously shared
on the wireless network.

Thanks for any advice and help.
 
Most cable modems do not have a built in firewall. Get a wireless router and
hook the modem up to it. Routers with a built in firewall can be had for
less than $100.00.

Kerry
 
Here's what you can do to enhance the security on your PC
http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx

Internet firewalls: Frequently asked questions
http://www.microsoft.com/athome/security/protect/firewall.mspx

Antivirus software: Frequently asked questions
http://www.microsoft.com/athome/security/protect/antivirus.mspx

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

 
kerry@kdbNOSPAMsys- said:
Most cable modems do not have a built in firewall. Get a wireless router and
hook the modem up to it. Routers with a built in firewall can be had for
less than $100.00.

I agree with getting a NAT Router as a barrier device between the
DSL/Cable modem and the computer/network, it's a no-brainer and should
be done by all ISP's when the person subscribes.

The only disagreement is in the "firewall" term. Most of the sub-$100
devices are not firewalls, they are just NAT Routers that appear to have
Firewall-Like features and actually only provide their base protection
by means of NAT, not by true firewall methods.
 
To add to the security of any SOHO Router I suggest going into the Router and blocking both TCP
and UDP ports 135 ~ 139 and 445. This will help keep hackers and Internet worms out and MS
Networking information from leaking out.

You also have to take all measures to secure your wireless access point. You have to make
sure that no one can drive up in front of your house with a wireless notebook and get a
connection. Such practices are common and are known as "war driving". That person might
steal personal information from you or do something nefarious and you would be responsible
for that person's actions. That is why it would be imperative to secure the Wireless
Internet connectivity. Such measures are using Wireless Encryption Protocol (WEP) and only
allowing specified MAC addresses access to the wireless network. You must also realize that
even if you have a router with a "true" FireWall and block the ports I indicated, if you
don't secure the wireless network then a miscreant will access your network and will be
behind the FireWall (Aka, being within the enclave).
 
Sorry for top posting, but if I understand what you are saying (I am a total
novice at this) is that rather than connect the wireless network as I now
have it (simple peer to peer) I should modify it by purchasing a wireless
router which, if I understand you correctly, I should then interpose between
the cable modem and all the PCs that connect through it. Did I understand
correctly?

Does this mean I then need to disable the peer to peer wireless setup I now
have (it took me forever to get it working <grin>) and replace it with the
other type of wireless (not peer to peer)? On my present home wireless
network I have changed the standard SSID and use WEP. The adapters do not
have WPA capability.

I already own an unused Dlink DI 514 wireless router. Is that adequate as
the router to interpose between the cable modem and the network? If not what
should I be getting? This is a 2.4 GHz network and I am not in the market
to replace all the adapters.

Thank you for the help. (I'll have to look up the difference between NAT and
true firewall).
 
David said:
To add to the security of any SOHO Router I suggest going into the
Router and blocking both TCP and UDP ports 135 ~ 139 and 445. This will
help keep hackers and Internet worms out and MS Networking
information from leaking out.

You also have to take all measures to secure your wireless access
point. You have to make sure that no one can drive up in front of
your house with a wireless notebook and get a connection. Such
practices are common and are known as "war driving". That person might
steal personal information from you or do something nefarious and you
would be responsible for that person's actions. That is why it would
be imperative to secure the Wireless Internet connectivity. Such
measures are using Wireless Encryption Protocol (WEP) and only
allowing specified MAC addresses access to the wireless network. You
must also realize that even if you have a router with a "true"
FireWall and block the ports I indicated, if you don't secure the
wireless network then a miscreant will access your network and will
be behind the FireWall (Aka, being within the enclave).

I already have changed the SSID to a weird one and use WEP (these adapters
are 2.4 and do not have WPA capability). Is that OK?

Thanks for all the advice. I will try to follow it.
 
From: "Jeff" <[email protected]>


|
| I already have changed the SSID to a weird one and use WEP (these adapters
| are 2.4 and do not have WPA capability). Is that OK?
|
| Thanks for all the advice. I will try to follow it.
|
| --
|
| Jeff
| (e-mail address removed)
|

It's a good start. Read up on the subject and the manual and do what you can.
 
I don't think I saw the post where you mentioned having a Wireless
router and I was replying to another reply about it.

With a DI514 wireless router, if that's what it's called, and I didn't
look it up, you should see the following:

1) Cable/DSL connection from ISP hardware to your DI-514
2) Inside the DI-514 there is something that relates to DHCP and your
internal LAN subnet (like 192.168.1.x or 192.168.0.x....)
3) If you check the IP on your laptop (or wireless client) and it's
something like 192.168.x.y then you are using NAT built into the
wireless device (DI-514).

If you have an IP like 24.95.x.y or 64.y.d.s or something other than
192.168.x.y or 10.x.y.z then you may be in Bridge mode and have a full
open public connection, and anyone can get directly to your laptop.

Changing the SSID, disable its broadcasting, enabling WPA or WEP if you
can't do WPA, etc... all the minimum needed.
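
The address check described in this post, as an added example that is not part of the original thread: it reads `ipconfig` output and reports, per adapter, whether the address is a private one (NAT in front of the PC) or a public one (possible bridge mode). The function names and the sample output are constructed for illustration, and the check also covers the 172.16.0.0/12 private range and self-assigned 169.254.x.y addresses, which the post does not mention.

```python
import ipaddress
import re

# RFC 1918 ranges: an address in one of these means a NAT device is in front of the PC.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")   # self-assigned: no DHCP answer
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
# XP labels the line "IP Address"; later Windows versions use "IPv4 Address".
ADDR_RE = re.compile(r"^\s+(?:IP|IPv4) Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")

VERDICTS = {
    "nat": "private address, behind NAT",
    "public": "public address, no NAT in front of this PC (bridge mode?)",
    "apipa": "self-assigned address, no DHCP lease from the router",
    "loopback": "loopback, not a network path",
    "invalid": "not a valid IPv4 address",
}

def classify(addr):
    """Map one dotted-quad string to a key of VERDICTS."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return "invalid"
    if ip in LOOPBACK:
        return "loopback"
    if ip in APIPA:
        return "apipa"
    if any(ip in net for net in RFC1918):
        return "nat"
    return "public"

def audit_ipconfig(text):
    """Return [(adapter, address, verdict)] for each IPv4 address in ipconfig output."""
    results, adapter = [], "(no adapter header)"
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            adapter = header.group(1)
            continue
        found = ADDR_RE.match(line)
        if found:
            results.append((adapter, found.group(1), classify(found.group(1))))
    return results

# Constructed sample in the layout XP's ipconfig prints; 203.0.113.7 is a
# documentation address standing in for an ISP-assigned public one.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 203.0.113.7
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Wireless Network Connection:

        IP Address. . . . . . . . . . . . : 192.168.0.101
        Default Gateway . . . . . . . . . : 192.168.0.1
"""

if __name__ == "__main__":
    for adapter, addr, verdict in audit_ipconfig(SAMPLE):
        print(f"{adapter}: {addr} -> {VERDICTS[verdict]}")
```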
 
David H. Lipman wrote:

Yep. Why bother to hack via the 'net if you can tune in as a member
of your LAN, and bypass all Internet-facing defences entirely?

| I already have changed the SSID to a weird one and use WEP (these adapters
| are 2.4 and do not have WPA capability). Is that OK?

Not very - WEP is breakable. Personally, I'd rather have to plug in
bits of wire than trust WiFi "security", but that's just me.

Also, you prolly have hidden admin shares exposing the whole of all
HDs to writes, so an attacker can easily drop code into (say) a
Startup group and be up and running after you restart Windows.

XP Home is said not to expose these hidden admin shares.
XP Pro is said not to expose them if the account password is blank.
XP Pro will expose them if you have an account password.
XP Tasks won't run if account password is blank.

See where this is leading to? Users are likely to use a trivial
account password in order to get Tasks to run (the only way, in
pre-SP2 XP) and then hide the need to use the password via TweakUI
Autologin etc. and then forget about it -> rape via admin shares.


------------ ----- ---- --- -- - - - -
The most accurate diagnostic instrument
in medicine is the Retrospectoscope
 
cquirke (MVP Windows shell/user) said:
Also, you prolly have hidden admin shares exposing the whole of all
HDs to writes, so an attacker can easily drop code into (say) a
Startup group and be up and running after you restart Windows.

XP Home is said not to expose these hidden admin shares.
XP Pro is said not to expose them if the account password is blank.
XP Pro will expose them if you have an account password.
XP Tasks won't run if account password is blank.

See where this is leading to? Users are likely to use a trivial
account password in order to get Tasks to run (the only way, in
pre-SP2 XP) and then hide the need to use the password via TweakUI
Autologin etc. and then forget about it -> rape via admin shares.

Now that is very worrisome. I'm on XP Home SP-2. How do I find out about my
hidden admin shares (whatever they are) and how do I make them secure?

Thanks.

Jeff
 
| Now that is very worrisome. I'm on XP Home SP-2. How do I find out about my
| hidden admin shares (whatever they are)

XP Home is said to be safe where admin shares are concerned, but I
apply registry settings to kill them anyway.

The main admin shares are:
- IPC$, used by RPC. Can be killed only for remainder of runtime
- c$, d$, e$... which expose the entire volume, \ onwards

There are others, e.g. as used for printer driver sharing, but I
haven't chased them up. Here's the .reg:

<paste>
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000

</paste>

Note: Some malware enters via these shares, and having entered,
applies this setting to kill the shares. Then, when the av cleans up
the malware, it reverses this setting so that the shares are open
again, thus attackable again.

So if you apply this protection, and have cleaned up active malware,
you should re-check (or re-apply) the setting.

| ...and how do I make them secure?

If you don't need admin shares, then in addition to "making them
secure", kill them altogether. Non-existence trumps "restricted
access", so I like to do both.

If you do need admin shares, then you have to do what you can to
"secure" them and leave it at that.

Firstly, XP Home is said not to expose admin shares.

Next, admin shares go wherever File and Print Sharing (F&PS) goes.
For all network adapters that do not need F&PS, unbind it from that
adapter's network stack. For example, let's say you have a LAN over
which you do file sharing, dial-up networking to access Internet, and
WiFi and FireWire that you do not use at all. You want this:

LAN card: [X] F&PS
Dial-up networking: [_] F&PS
WiFi adapter: [_] F&PS
FireWire adapter: [_] F&PS

You can also suppress F&PS at the firewall level, though that is not
as easy. SP2 makes it easier to block F&PS through the firewall, but
if you go into the per-adapter detail (needed if you want to block
F&PS on some devices, but allow on others) you don't see anything that
looks remotely like F&PS in the list of what you can do.

That's for XP's built-in firewall. With add-on firewalls, YMMV.


Then you can apply a password band-aid to restrict access further
(though frankly, if someone gets close enough to guess passwords, I'd
say they'd been too close for comfort for a while).

A null password is said to preclude access to admin shares completely,
but http://cquirke.mvps.org/pwdssuck.htm applies; no password means no
barrier to setting any password. In that sense, passwords are not
"optional" in that one can remove the facility altogether.

The other approach is to set a strong, guess-resistant password, and
take the risk of being locked out if you ever forget it.


The difficulty is where you are forced to use the same network adapter
for both LAN access (including file sharing) and Internet access.
This is common where you share a single Internet access point, such as
a broadband connection, across multiple PCs.

With Win9x, it was really easy; you'd use TCP/IP for Internet traffic,
and some other protocol (i.e. NetBEUI or IPX) for LAN traffic. Then
you could keep F&PS off TCP/IP, slam up the firewall as hard as you
like, and conduct your F&PS via the other protocol.

But XP's networking is, in my experience, too broken to do this; I
could not get a mix of XP and Win9x to "see each other" if I used
any protocol other than TCP/IP - including the hidden NetBEUI.

So now you're forced to have F&PS exposed to the Internet, which is
really, really stupid. That's why I'd insist on using a NAT router
for the broadband, and not some half-assed "modem" that is bound into
a particular PC, which then shares it via Internet Connection Sharing.


As for wireless networking; it's OK between your Internet device and
the rest of the world (as that's public anyway), but I would not use
it within your LAN. It's too non-impossible to tap into your LAN
directly (bypassing NAT etc.) via WiFi, IMO.

-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
 

Thank you very much for all that detailed help. I greatly appreciate it.

Jeff
 
Tinkerer said:
Open a command prompt and type in "net share" without the quotes.

Thanks Tinkerer. I did as you said on my laptop and got:
...............................
Share name: IPC$
Resource: (The column is blank)
Remark: Remote IPC

The Command completed successfully.
................................

Not sure what that means, good or bad? <grin>

Jeff
 
Sorry I missed this before Jeff. I assume cquirke has answered your
questions...:-)

--

Cheers,
Tinkerer
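
The `net share` check and the AutoShare registry setting discussed in this thread, combined into one re-check, as an added example that is not part of the original posts: it parses `net share` output, flags drive-letter and `ADMIN$` shares, and confirms both registry values are still 0, which is the re-check advised after a malware clean-up. The function names and all sample text are constructed; `ADMIN$` is a standard Windows admin share not named in the thread, and the .reg export is assumed to be already decoded to text.

```python
import re

REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters"
AUTOSHARE_VALUES = ("AutoShareServer", "AutoShareWks")

def parse_net_share(text):
    """Return {share name: resource} from the table `net share` prints."""
    lines = text.splitlines()
    head = next((l for l in lines if l.startswith("Share name")), None)
    if head is None:
        return {}
    res_col, rem_col = head.index("Resource"), head.index("Remark")
    shares = {}
    for line in lines[lines.index(head) + 1:]:
        if line.lower().startswith("the command completed"):
            break
        name = line[:res_col].strip()
        if name and set(name) != {"-"}:      # skip blanks and the dashed rule
            shares[name] = line[res_col:rem_col].strip()
    return shares

def classify_share(name):
    # ipc / admin (ADMIN$ and drive letters) / hidden (other names ending in $) / user
    n = name.upper()
    if n == "IPC$":
        return "ipc"
    if n == "ADMIN$" or re.fullmatch(r"[A-Z]\$", n):
        return "admin"
    return "hidden" if n.endswith("$") else "user"

def parse_autoshare(reg_text):
    """Return {value name: int} for the AutoShare* dwords in a decoded .reg export."""
    values, in_key = {}, False
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("["):
            in_key = line.strip("[]").lower() == REG_KEY.lower()
        elif in_key:
            m = re.fullmatch(r'"(\w+)"=dword:([0-9a-fA-F]{8})', line)
            if m and m.group(1) in AUTOSHARE_VALUES:
                values[m.group(1)] = int(m.group(2), 16)
    return values

def audit(net_share_text, reg_text):
    """List what needs attention; an empty list means nothing to fix."""
    reg = parse_autoshare(reg_text)
    not_zero = [v for v in AUTOSHARE_VALUES if reg.get(v) != 0]  # missing counts too
    names = parse_net_share(net_share_text)
    admin = sorted(n for n in names if classify_share(n) == "admin")
    findings = []
    if not_zero:
        findings.append("re-apply .reg: " + ", ".join(not_zero) + " not set to 0")
    if admin:
        findings.append("admin shares present: " + ", ".join(admin))
    return findings

def _table(rows):  # constructed sample laid out in the columns `net share` uses
    fmt = "%-13s%-32s%s"
    return "\n".join(["", fmt % ("Share name", "Resource", "Remark"), "", "-" * 79]
                     + [fmt % r for r in rows]
                     + ["The command completed successfully.", ""])

ONLY_IPC = _table([("IPC$", "", "Remote IPC")])   # matches the laptop result above
EXPOSED = _table([("IPC$", "", "Remote IPC"), ("C$", "C:\\", "Default share"),
                  ("ADMIN$", "C:\\WINDOWS", "Remote Admin"), ("Photos", "C:\\Photos", "")])
REG_APPLIED = ("Windows Registry Editor Version 5.00\n\n[" + REG_KEY + "]\n"
               '"AutoShareServer"=dword:00000000\n"AutoShareWks"=dword:00000000\n')
REG_REVERTED = REG_APPLIED.replace("dword:00000000", "dword:00000001")

if __name__ == "__main__":
    print(audit(ONLY_IPC, REG_APPLIED), audit(EXPOSED, REG_REVERTED))
```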

