Subj : Re: For Trouble re Home Network Security
To : alt.tv.farscape
From : Nick
Date : Thu Sep 08 2005 20:04:45

From Newsgroup: alt.tv.farscape

TNW7Z7Z7Z12345 wrote:
> Trouble wrote:
>>
>> TNW7Z7Z7Z12345 wrote:
>>
>>> Cut/altered a little from my original post --
>>
>>> My router is the Airport Extreme Base Station. I have the
>>> wireless network closed, encrypted (only WEP though, not WPA)
>>> plus have the OSX software firewall on in my laptop. So I
>>> assume my laptop is relatively safe.
>>
>> Sounds like it's as safe as the ABS can make it.
>>
>>> However, I also have an older Mac desktop (OS9 so no software
>>> firewall) connected to the router via ethernet cable. That's
>>> the one I wonder about.
>>
>> Well if you don't have Port Mapping open, you should be
>> relatively safe from direct attack. The main concern would be to
>> watch what you download from that machine. A good anti-virus
>> package is a typical recommendation for that.
>>
>>> The router configuration options mostly seem to be for the
>>> wireless network. The only settings that I guess cover both the
>>> wireless network and the ethernet connection to the desktop are
>>> "WAN privacy" settings.
>>
>> WAN Privacy? Hmmm, do you know what version of the setup you
>> have?
>
> The link you gave me below (instructions) is excellent! Thank you
> for that. If you go to that page
> , scroll
> down, and then click on: "Airport Tab (start here)", on the page
> that takes you to, look at the 4th bullet. That explains the "WAN
> Privacy."
>
> Now I'm very bummed; it says: "...enabling any of them allows
> people connected to the upstream network to connect to your AEBS
> and potentially change its settings. For example, this could be
> anyone attached to the cable or DSL network."
>
> That means I should turn off "remote printer access," but when I
> do that, wireless printing gets very funky (I have to go through a
> several minute process of deleting and re-selecting the printer).
> I will probably upgrade the OS in the next few months (and then
> upgrade my airport software); maybe that will allow wireless
> printing with that option "off."
>
>
>>> (although I'm not sure about that). Out of paranoia, I shut
>>> off SNMP access, remote configuration, and default host,
>>> although I haven't a clue what they are. The only thing I'm
>>> allowing is remote printer access, as there seems to be a glitch
>>> with wireless printing when that is off.
>>
>> These shouldn't hurt anything.
>>
>>> If I go to the Symantec website and do one of those free
>>> security probes, they tell me (and I have no idea what any of
>>> this means) that ICMP ping is open, all other ports are closed,
>>> but that the only port that is actually stealth or hidden is
>>> HTTP Port 80.
>>
>> ICMP ping helps your ISP troubleshoot your connection.
>>
>>> I assume the scan is reading the router, not my computer, so
>>> that's the router firewall that is all closed up.
>>
>> Yes, the computer has one IP address, probably in a private IP
>> range, and the router has the real world IP address given to you
>> by your ISP. Checks of the port security go against the Router
>> unless you've opened ports up through the router to allow direct
>> computer access. Sounds like you haven't.
>>
>>> But I had hoped that my WAN settings would make the router
>>> "stealth" or hidden, which obviously they don't.
>>
>> A determined attacker would find Stealth and hidden anyway, there
>> is a whole art out there of analyzing port closed, and no
>> response messages.
>>
>> Standard behavior for the router would be to keep all these ports
>> closed until you access the internet, or send a request for a
>> webpage, email, or file, at that point any web, mail, or file
>> response from the requested site is considered legitimate and
>> allowed in through the router, when that session is over the
>> router closes up.
>>
>>> Would you consider my setup safe? I don't worry too much as
>>> nothing out there targets Macs, but I wonder about it when I
>>> turn on filesharing.
>>
>> By turn on Filesharing you mean just open the program? Anti-Virus
>> would help more here to protect you than anything else. If you
>> have to open a port through the router to get your filesharing to
>> work, then you've opened a door to attackers, and a software
>> firewall wouldn't hurt.
>
> By "Filesharing" I mean creating a little network between my
> laptop and desktop to pass files back and forth. To do this I
> have to specifically turn on "Sharing" on at least one machine.
> There seem to be two ways to share - via AppleTalk (older and
> probably safer protocol) which I can't always get to work. And
> the other involves sharing over the internet or via TCP/IP or
> something (I can't see the exact name right now, as they are on my
> OS9 Desktop, and I'm on the OSX laptop).
>
> Anyway, now I am guessing that sharing must open one of the ports
> in the router. (I just found this web page from 2002, which has
> info. for exactly my set up:
> http://wcts.whitman.edu/whit.bits/october2002/MacFileSharing.html).
> A long time ago I had a fantasy of keeping sharing on all the
> time so I could zap files back and forth. But now, out of fear, I
> turn it on only for a few minutes at a time. And that website
> seems to confirm that caution.
>
> But I'm still confused. Would sharing between my two computers not
> work if my cable connection went dead? Or does via "internet" or
> "TCP/IP" simply mean using the router? And how is it that
> businesses have internet access and internally share files all the
> time without making themselves vulnerable? Do they use different
> routers - one for internet access and one for file sharing?

File sharing inside your network won't require the opening of any
ports since it is all happening on the internal side of the router.
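
The router behaviour discussed in this thread (ports closed until a LAN machine starts a session, replies let back in, LAN-to-LAN sharing never crossing the WAN side, a port mapping as the one standing exception) as a simplified model. This is an added example, not part of the original posts; the 10.0.1.0/24 LAN range, the documentation-range addresses and the use of port 548 (AFP over TCP) are assumptions.

```python
import ipaddress

LAN = ipaddress.ip_network("10.0.1.0/24")  # assumed private LAN range

class Router:
    """Toy NAT router: inbound traffic passes only if it matches a live
    outbound session or an explicit port mapping."""

    def __init__(self, port_map=None):
        self.port_map = dict(port_map or {})  # WAN port -> (LAN ip, LAN port)
        self.sessions = {}  # (remote ip, remote port, WAN port) -> (LAN ip, LAN port)
        self.next_port = 40000

    def outbound(self, src, sport, dst, dport):
        """A LAN host opens a connection outward; returns the WAN port used."""
        wan_port = self.next_port
        self.next_port += 1
        self.sessions[(dst, dport, wan_port)] = (src, sport)
        return wan_port

    def close(self, dst, dport, wan_port):
        """Session over: the router forgets it and the port is closed again."""
        self.sessions.pop((dst, dport, wan_port), None)

    def inbound(self, src, sport, wan_port):
        """Packet arriving on the WAN side.
        Returns the LAN endpoint it is forwarded to, or None if dropped."""
        hit = self.sessions.get((src, sport, wan_port))
        return hit if hit is not None else self.port_map.get(wan_port)

def crosses_router(src, dst):
    """True only when exactly one endpoint is on the LAN, i.e. the traffic
    has to pass through the router's WAN side."""
    return (ipaddress.ip_address(src) in LAN) != (ipaddress.ip_address(dst) in LAN)

if __name__ == "__main__":
    r = Router()
    # Constructed sample traffic (addresses from documentation ranges).
    print("unsolicited probe of 548:", r.inbound("198.51.100.9", 5000, 548))
    p = r.outbound("10.0.1.2", 51000, "198.51.100.80", 80)
    print("reply to web request:    ", r.inbound("198.51.100.80", 80, p))
    r.close("198.51.100.80", 80, p)
    print("same packet after close: ", r.inbound("198.51.100.80", 80, p))
    print("laptop <-> desktop crosses WAN:", crosses_router("10.0.1.2", "10.0.1.3"))
    mapped = Router(port_map={548: ("10.0.1.3", 548)})
    print("probe with port mapping: ", mapped.inbound("198.51.100.9", 5000, 548))
```

Real routers differ in how strictly they match replies to sessions; the model uses the strictest matching (same remote address and port).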