eBlue, Sacra Blue Online Magazine
Number 212 — March 2000
Questions and Answers

SPCUG Answer Guys

Here are highlights from recent Q&A sessions. Questions and responses have been edited for clarity and correctness.


INTERNET FIREWALLS
Q: Can I use ZONE ALARM to lock up my network?
A: Yes. You can choose the security level you want on your network as well as across the Internet. It's free for personal use, but the company charges for business use. You can download ZONE ALARM from Zonelabs.com. One thing you might want to do before you install it is go to www.grc.com, the Gibson Research Corporation site. This is the company that made SPINRITE, the first defragger program (disk defragmenter) for the PC. Now the founder, Steve Gibson, is into the Internet. He's written a program that will try to probe your system the way hackers do and will tell you what it was able to find. On an unprotected system, others can see your computer name, your drives and all kinds of things. When you run ZONE ALARM, your system is completely in "stealth mode". GRC's tool can't even see your ports! It doesn't know that you're there.
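The answer above describes three outcomes a probe like GRC's can report for a port: a service answers, the host answers "nothing here", or nothing comes back at all ("stealth"). The following Python self-check is an added example, not code from the session or from GRC or Zone Labs; it classifies a TCP port into those three states and, by default, looks only at the file-and-print-sharing ports of your own machine on loopback (port numbers and the `self_test` helper are assumptions for this illustration).

```python
import socket
from typing import Dict

# NetBIOS/SMB ports used by Windows file-and-print sharing (constructed list for this example).
SHARING_PORTS = {139: "NetBIOS session", 445: "SMB over TCP"}


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port the way the GRC-style test reports it:
    'open'    - something accepted the connection,
    'closed'  - the host answered with a reset (visible, but nothing listens),
    'stealth' - no answer at all (a firewall dropped the probe, or the host
                is unreachable; both look the same from outside)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout and "host unreachable"
        return "stealth"
    finally:
        s.close()


def check_sharing_exposure(host: str = "127.0.0.1") -> Dict[int, str]:
    """Probe the sharing ports on your own machine (loopback by default)."""
    return {port: probe(host, port) for port in SHARING_PORTS}


def self_test() -> Dict[str, str]:
    """Offline demonstration of the 'open' and 'closed' outcomes: bind a
    throwaway listener on loopback, probe it, then probe the same port
    after the listener is gone. 'stealth' needs a real firewall in the path."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_listening = probe("127.0.0.1", port)
    finally:
        listener.close()
    after_close = probe("127.0.0.1", port)  # nothing listens now -> reset
    return {"listening": while_listening, "nothing_listening": after_close}


if __name__ == "__main__":
    print(self_test())
    for p, name in SHARING_PORTS.items():
        print(f"{p} ({name}): {probe('127.0.0.1', p)}")
```

On a machine where sharing is on and no firewall drops the probe, 139 or 445 come back "open"; with Zone Alarm in stealth mode an outside probe of the same ports should come back "stealth".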

Q: Would you install this after you got your DSL line hooked up?
A: Using my laptop with a modem, I get hit about every twenty minutes. Somebody's poking at me. I was really astonished. I didn't know that much was happening. That doesn't mean anyone is messing up anything, just that someone's tapping on my door to see if I have any vulnerabilities.
A: I'll give you an example. I had a second telephone line installed today and it wasn't up for even twenty minutes when I got one of those automated, "You win a thousand dollars," spiels! It's amazing that someone found that number so fast. So, if they can find you on a phone line, they can find you on the Internet.

Q: Would you recommend this firewall for the first computer in a sequence?
A: Yes. If you have more than one computer hooked up in a network, the one that actually talks to the Internet is where it makes the most sense. I don't know that it does any harm to have a firewall elsewhere as well, but it's certainly worth putting on the first Internet-connected PC.
A: But, if you've got five IP addresses coming in, you're going to need five copies of it running.
A: That's what these pieces of software we're discussing are for. They're designed to run on a personal PC that has a vulnerable IP address. Now, if you have a server that's fanning IP addresses out, and you have a firewall there, that's a different thing. That's a different way to approach the firewall scenario.

Q: So, if you have a home network, do you just put it on the PC that's Internet-connected?
A: On the static IP, yes. In a scenario where you have a proxy server, where you have one static IP and may have 20 or 30 machines behind the proxy, there's no way they can get to the other machines through the proxy because the proxy only goes one way. It doesn't go back in.
A: In my opinion, the ultimate in firewall protection is a hardware firewall. If you have valuable information, like financial information, you probably want to go with a hardware firewall like the one BeadleNet showed us here some months back. I wouldn't risk financial information with a software firewall, but I'm a bit of a neophyte as far as firewalls go.

Q: If you were going to use DSL and have a network of two computers, could you use a hardware firewall? Where would it go?
A: The DSL line comes into your office and is connected to the DSL modem or router. A link from that modem/router goes to your firewall. Then, typically, an ethernet link goes from the firewall to your network hub.

Q: What if you have an internal DSL modem? Is that a problem? Most of the DSL modems that come with the PacBell offer are internal.
A: Then they've changed because mine is external.
A: They're using a combination DSL modem and NIC (Network Interface Card) on one card.
A: If you have a full-time DSL line and don't put some kind of firewall on it, then it's possible you could have one of those denial-of-service programs put on your machine without your knowledge.

Q: I have a question regarding JPS. It used to set up an IP address, now it doesn't. Does that mean others can't get to you?
A: JPS went to a dynamic IP address assignment system rather than assigning fixed IP addresses.
A: Now, each time you dial up, you may have a different IP address than the last time you dialed up.
A: With a dynamic IP address assignment, they can still get to you, but they can't put you on a list that says, "This is the right machine and we can come back to it three days later," because that address may or may not be there.
A: Let me specify something. If you don't have file-and-print sharing activated and you're just browsing the Web, they can't get to you anyway. That's an important point to understand. If you have a small network of PCs and file-and-print sharing activated, then you're open.
A: If you have an internal modem, you could put it in an older PC and run the firewall software there. It wouldn't have to be a very fast PC.
A: You could even turn it into a router.
A: For those who would like DSL but are too far from a switch, you can actually get it today. It's called IDSL, what Pacific Bell calls its Long Reach DSL. They charge $109 a month for one static IP address, but there are other companies out there that give you more than that. I went with one of these other companies, got the IDSL, five static IP addresses, and changed my whole domain! It's available today. PacBell's idea is to put these little repeaters out in the field and give DSL to everyone within two years. It's a huge investment for them, but it'll give you the speed you want. If you can't wait, however, you can go with Long Reach DSL. If you want Web hosting, that's an extra $24 per month, but that's still much faster than a modem or ISDN.
A: I was talking with PacBell today. Essentially, I can get DSL for $15 a month: I can eliminate one phone line, which is $15 a month, and my current ISP subscription, which is $12 a month, and it's $39.95 a month for the connection and the ISP subscription.
A: Roseville Telephone has some pretty good deals, too.

Q: You were saying something about Comcast?
A: Let me tell you what happened with that. Comcast was trying to install cable modems quickly before the buyout. So, they got an ISP and slated this little test program to get this thing up and running. Then they went to the cable commission and said, "We're ready to go." The cable commission denied the permit because Comcast's plan would have forced users to go with one ISP instead of allowing a choice. That's why we're not in that program right now. I think Comcast is going to pull the plug anyway because of the large investment and they're being bought out.
A: I heard they are ready to go.
A: They say they're ready to go with Zones 1, 2 and 3. Elk Grove is out of luck. I talked to Citizen's Utilities yesterday; what a joke. It will be six months or a year for that system.
A: I picked up a rumor that if you're in a neighborhood where many households get on the Net, that can slow down your speed. [Ed. This is in reference to cable modems.]
A: Sure, because the whole neighborhood is a subnet and that subnet can get crowded.
A: There's only one pipe. There are too many variables to predict, but it's gotta beat the heck out of a modem.
A: I went to a Comcast demonstration, and I went to some pages I knew wouldn't be in their cache. We started downloading some big images that I'd downloaded pretty fast over DSL. Comcast's link just wasn't as fast. That was my experience. It does beat ISDN, though.

Q: I've heard that if PacBell finds out you're hosting more than one machine, it'll terminate you.
A: I don't think so, but you should approach PacBell directly and ask.
A: If you buy the "personal service" for cable or DSL, the IP address you get is dynamic, not static. A lot of cable companies, when they started out, left some ports unblocked. Then they found people were running multiple systems and now you have to buy an enhanced version to do that. If they catch people doing it, they usually block that port. If you are on a DSL or a cable modem, you need to find out what ports their server allows you to filter through. A program, available at www.portdetective.com, lets you do that. It makes a distinction between the personal and the hosting services.
This page prepared by: Brian Smither

Copyright © 2000 Sacramento PC Users Group, Inc. All rights reserved.