Subj : Re: For Trouble re Home Network Security
To   : alt.tv.farscape
From : TNW7Z7Z7Z12345
Date : Thu Sep 08 2005 03:58:10

From Newsgroup: alt.tv.farscape

Trouble wrote:
>
> TNW7Z7Z7Z12345 wrote:
>
> > Cut/altered a little from my original post --
>
> > My router is the Airport Extreme Base Station. I have the wireless
> > network closed, encrypted (only WEP though, not WPA) plus have the OSX
> > software firewall on in my laptop. So I assume my laptop is relatively
> > safe.
>
> Sounds like it's as safe as the ABS can make it.
>
> > However, I also have an older Mac desktop (OS9 so no software firewall)
> > connected to the router via ethernet cable. That's the one I wonder
> > about.
>
> Well if you don't have Port Mapping open, you should be relatively safe
> from direct attack. The main concern would be to watch what you download
> from that machine. A good anti-virus package is a typical recommendation
> for that.
>
> > The router configuration options mostly seem to be for the wireless
> > network. The only settings that I guess cover both the wireless
> > network and the ethernet connection to the desktop are "WAN privacy"
> > settings.
>
> WAN Privacy? Hmmm, do you know what version of the setup you have?

The link you gave me below (instructions) is excellent! Thank you for
that. If you go to that page, scroll down, and then click on: "Airport
Tab (start here)", on the page that takes you to, look at the 4th
bullet. That explains the "WAN Privacy."

Now I'm very bummed; it says: "...enabling any of them allows people
connected to the upstream network to connect to your AEBS and
potentially change its settings. For example, this could be anyone
attached to the cable or DSL network."

That means I should turn off "remote printer access," but when I do
that, wireless printing gets very funky (I have to go through a several
minute process of deleting and re-selecting the printer).
I will probably upgrade the OS in the next few months (and then upgrade
my airport software); maybe that will allow wireless printing with that
option "off."

> > (although I'm not sure about that). Out of paranoia, I shut
> > off SNMP access, remote configuration, and default host, although I
> > haven't a clue what they are. The only thing I'm allowing is remote
> > printer access, as there seems to be a glitch with wireless printing
> > when that is off.
>
> These shouldn't hurt anything.
>
> > If I go to the Symantec website and do one of those free security
> > probes, they tell me (and I have no idea what any of this means) that
> > ICMP ping is open, all other ports are closed, but that the only port
> > that is actually stealth or hidden is HTTP Port 80.
>
> ICMP ping helps your ISP troubleshoot your connection.
>
> > I assume the scan is reading the router, not my computer, so that's the
> > router firewall that is all closed up.
>
> Yes, the computer has one IP address, probably in a private IP range, and
> the router has the real world IP address given to you by your ISP. Checks
> of the port security go against the Router unless you've opened ports up
> through the router to allow direct computer access. Sounds like you
> haven't.
>
> > But I had hoped that my WAN settings would make the router "stealth" or
> > hidden, which obviously they don't.
>
> A determined attacker would find Stealth and hidden anyway, there is a
> whole art out there of analyzing port closed, and no response messages.
>
> Standard behavior for the router would be to keep all these ports closed
> until you access the internet, or send a request for a webpage, email, or
> file, at that point any web, mail, or file response from the requested
> site is considered legitimate and allowed in through the router, when
> that session is over the router closes up.
>
> > Would you consider my setup safe?
> > I don't worry too much as nothing
> > out there targets Macs, but I wonder about it when I turn on
> > filesharing.
>
> By turn on Filesharing you mean just open the program? Anti-Virus would
> help more here to protect you than anything else. If you have to open a
> port through the router to get your filesharing to work, then you've
> opened a door to attackers, and a software firewall wouldn't hurt.

By "Filesharing" I mean creating a little network between my laptop and
desktop to pass files back and forth. To do this I have to specifically
turn on "Sharing" on at least one machine. There seem to be two ways to
share - via AppleTalk (older and probably safer protocol) which I can't
always get to work. And the other involves sharing over the internet or
via TCP/IP or something (I can't see the exact name right now, as they
are on my OS9 Desktop, and I'm on the OSX laptop).

Anyway, now I am guessing that sharing must open one of the ports in the
router. (I just found this web page from 2002, which has info. for
exactly my set up:
http://wcts.whitman.edu/whit.bits/october2002/MacFileSharing.html).

A long time ago I had a fantasy of keeping sharing on all the time so I
could zap files back and forth. But now, out of fear, I turn it on only
for a few minutes at a time. And that website seems to confirm that
caution.

But I'm still confused. Would sharing between my two computers not work
if my cable connection went dead? Or does via "internet" or "TCP/IP"
simply mean using the router? And how is it that businesses have
internet access and internally share files all the time without making
themselves vulnerable? Do they use different routers - one for internet
access and one for file sharing?

> > What I would give for an old fashioned manual that attempted to explain
> > this to a lay person...
>
> Ahem... For ABS with the 4.0 Setup utility
> http://www.vonwentzel.net/ABS/Configuration/OSXExtreme/
>
> Does that look familiar at all?
>
> I read the manual from Apple, but it's great for installation, not helpful
> for troubleshooting. If your setup screens looked anything like the ones
> from the link above, I can easily walk/talk you through any of them.
>
> Sounds like you're reasonably well off... with the three standard
> caveats;
>
> 1. Keep the System up to date
> 2. Keep any Anti-Virus up to date (if you're worried about filesharing)
> 3. A software firewall will help if you open ports in the router direct
> to the internet (some P2P apps require open ports for better performance)

Again, thank you so much for your time!

- TNW
[To e-mail me, remove 12345 from my address.]