question about hardware firewall

Archived from groups: comp.security.firewalls (More info?)

 

I have just installed a D-Link DI-624 wireless router. My question is:
if I leave all of the default filter and firewall settings as is, am I
adequately protected? If not, what changes do I need to make to still
be protected but still have good access to the internet and email etc.?

Thanks Ashley

"Ashley Kuehn" <ashkuehn@hotmail.com> wrote in message
news:73fdd22.0404020912.6a6fc1cb@posting.google.com...

> I have just installed a D-Link DI-624 wireless router. My question is
> if I leave all of the default filter and firewall settings as is am I
> adequately protected.

http://www.dlink.com/products/resource.asp?pid=6&rid=2

That's the specs for your NAT router.

Here is the definition of a NAT router and you'll notice that it indicates
that it is not a FW appliance but it's good enough for home usage.

http://www.homenethelp.com/web/explain/about-NAT.asp

An appliance that has a real FW will meet the specs.

http://www.firewall-software.com/f [...] ll_do.html

I just think you should know the difference. :)

> If not what changes do I need to make to still
> be protected but still have good access to the internet and email etc.
>

Some people say use your common sense and good AV behind the router is good
enough.

Others say the same thing but include a host-based FW on the machine to
provide outbound protection that the NAT router cannot provide.

You should also look into wireless security.

http://netsecurity.about.com/cs/wi [...] 112203.htm

It starts with the O/S if you have one the security can be implemented.

http://www.uksecurityonline.com/index5.php

You should also enable the router's logging and review the logs on a routine
basis.

Duane :)

On 2 Apr 2004 09:12:27 -0800, *email_address_deleted* (Ashley Kuehn) wrote:

>I have just installed a D-Link DI-624 wireless router. My question is
>if I leave all of the default filter and firewall settings as is am I
>adequately protected. If not what changes do I need to make to still
>be protected but still have good access to the internet and email etc.
>
>Thanks Ashley

Ashley,

A NAT router is good, basic protection. But don't think of it as total
protection - just as the outermost layer of protection. Also, since this is a
wireless network, there are additional precautions which you should take.

For effective protection, you need a good layered defense. Each layer is
necessary because no layer produces complete protection.

The first layer is your NAT router (hardware firewall). If you have broadband
internet, or PPP-compatible dialup internet, you can and should use a hardware
firewall.

The second layer is a software firewall, or a port monitor like Port Explorer
(free) from <http://www.diamondcs.com.au/portexplorer/index.php?page=home>. See
various discussions in comp.security.firewalls for good advice on choosing a
firewall. This layer lets you see incoming internet traffic (backs up the NAT
router), and outgoing internet traffic (backs up the antivirus and antispyware
protection).

The third layer is good software. This layer has multiple components.

AntiVirus protection. Realtime, plus a regularly scheduled virus scan.
Regularly updated.

Adware / spyware protection. Realtime, plus a regularly run adware / spyware
scan. Regularly updated.
Complete instructions, using Spybot S&D and HijackThis (both free) are here:
<http://www.spywareinfo.com/forums/index.php?showtopic=5187>.

Harden your browser. There are various websites which will check for
vulnerabilities, here are three which I use.
http://www.jasons-toolbox.com/BrowserSecurity/
http://bcheck.scanit.be/bcheck/
https://testzone.secunia.com/browser_checker/

Harden your operating system. Check at least monthly.
http://windowsupdate.microsoft.com/

Block possibly dangerous websites with a Hosts file. Three Hosts file sources I
use:
http://www.accs-net.com/hosts/get_hosts.html
http://www.mvps.org/winhelp2002/hosts.htm
(The third is included, and updated, with Spybot (see above)).

Maintain your Hosts file with:
eDexter <http://www.accs-net.com/hosts/get_hosts.html>
Hostess <http://accs-net.com/hostess/>
HostsFileReader <http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe>

Secure your operating system, and applications. Don't use, or leave activated,
any accounts with names or passwords with trivial (guessable) values. Don't use
an account with administrative authority, except when you're intentionally doing
administrative tasks.

The fourth layer is common sense. Yours. Don't install software based upon
advice from unknown sources. Don't install free software, without researching
it carefully. Don't open email unless you know who it's from, and how and why
it was sent.

The fifth layer is education. Know what the risks are. Stay informed. Read
Usenet, and various web pages that discuss security problems. Check the logs
from the other layers regularly, look for things that don't belong, and take
action when necessary.

In addition to the above precautions, which apply to any small LAN behind a NAT
router, there are specific precautions which you should take with a wireless
LAN.

Enable WEP / WPA. Use non-trivial values for each. (No "My dog has fleas".)

Enable MAC filtering.

Disable DHCP, and assign an address to each computer manually.

Change the subnet of your LAN - don't use the default.

Change the router management password, and disable remote (WAN) management.

Don't disable SSID broadcast - some configurations require the SSID broadcast.
But change the SSID itself - to something that doesn't identify you, or the
equipment.

Enable the router activity log. Examine it regularly. Know what each
connection listed represents - you? a neighbor? Take action when appropriate.

Install a software firewall on every computer connected to a wireless LAN. Put
manually assigned IP addresses in the Local (highly trusted) Zone. Open the
following ports for file sharing only in the Local Zone: TCP 139, 445; UDP 137,
138, 445.

Use non-trivial userids and passwords on every computer connected to a wireless
LAN. Disable or delete Administrator and Guest userids.

Finally, Ashley, don't contribute to the spread of email address mining viruses.
Please learn to munge your email address properly, to keep yourself a bit safer
when posting to open forums. Protect yourself and the rest of the internet -
never post your address unmunged.
http://www.mailmsg.com/SPAM_munging.htm

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
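
One way to carry out the activity-log review recommended in the reply above, as an added example that is not part of the original thread: each logged connection is checked against the manually assigned addresses and their MACs, and file-sharing ports reached from outside the LAN are flagged. The log line format, the 10.37.5.0/24 subnet, the MAC addresses and the `review` function are assumptions constructed for illustration; a real router's log format will differ.

```python
import ipaddress
import re

TRUSTED = {  # constructed inventory of manually assigned (non-DHCP) hosts
    "10.37.5.10": "00:11:22:33:44:01",   # desktop
    "10.37.5.11": "00:11:22:33:44:02",   # laptop
}
LAN = ipaddress.ip_network("10.37.5.0/24")  # assumed non-default subnet
# File-sharing ports named in the post: TCP 139, 445; UDP 137, 138, 445.
SHARE_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138), ("UDP", 445)}

# Constructed log format: "<time> <proto> src=<ip> mac=<mac> dst=<ip>:<port>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) src=(?P<src>\S+) "
    r"mac=(?P<mac>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)

def review(lines):
    """Return (line, reason) for every log entry that does not belong."""
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        try:
            src_ip = ipaddress.ip_address(m["src"]) if m else None
        except ValueError:            # matched the layout but not a valid IP
            src_ip = None
        if src_ip is None:
            findings.append((line, "unparsed line"))
            continue
        src, mac = str(src_ip), m["mac"].lower()
        key = (m["proto"], int(m["port"]))
        in_lan = src_ip in LAN
        if in_lan and src not in TRUSTED:
            findings.append((line, "unknown LAN address"))
        elif in_lan and TRUSTED[src] != mac:
            findings.append((line, "MAC does not match assigned address"))
        elif key in SHARE_PORTS and not in_lan:
            findings.append((line, "file-sharing port from outside LAN"))
    return findings

SAMPLE_LOG = [  # constructed entries
    "2004-04-02T09:12:27 TCP src=10.37.5.10 mac=00:11:22:33:44:01 dst=10.37.5.11:445",
    "2004-04-02T09:14:03 TCP src=10.37.5.57 mac=00:aa:bb:cc:dd:ee dst=10.37.5.11:139",
    "2004-04-02T09:15:40 UDP src=10.37.5.11 mac=00:aa:bb:cc:dd:ee dst=10.37.5.10:137",
    "2004-04-02T09:16:12 TCP src=203.0.113.9 mac=- dst=10.37.5.10:445",
]

if __name__ == "__main__":
    print(*(f"{reason}: {line}" for line, reason in review(SAMPLE_LOG)), sep="\n")
```

MAC addresses can be changed by the sender, so a matching MAC is only a consistency check; a mismatch or an unknown address is what deserves a closer look.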
