Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Sincere1]

I'm an intermediate level computer user, but completely new to NAS, don't know a thing about Linux, and am dangerously under educated about home networking security.  I have read all the basic stuff, but network communications and security layers gets pretty deep very quickly.

I have a DNS-232 running FW 1.07, behind a D-Link 2640B wireless router/DSL modem.  Setting options in the 2640B reminds me of reading MOBO instructions: 1000 options, zero guidance.

How secure is my NAS sitting behind the default 2640B firewall?  I should add that also behind the firewall are my wireless laptop using WPA2, my desktop machine (wired), and my son's desktop (wired) that is a viper's nest of malware, adware, trojans, etc.

Thank you!

[gunrunnerjohn]

Well, your son's machine seems to be the issue here.  

If you want real security, I think I'd get a firewall between him and the rest of your network. 

[Sincere1]

Can you steer me to some education on dividing a home network up?  I have to share the internet connection, but I don't have to share the network - only I'm not sure how to set up my "mini-network" to exclude him from it.  All machines are using Win XP.

Also, I'm curious about how secure the NAS is from the outside world.  I get the general idea that the firewall using NAT pretty much hides my NAS from the internet.  Is there anything that weakens that security?  Or is there anything I should do to strengthen the default security?

Thank you

[gunrunnerjohn]

Any port forwarding through the router will weaken your security.

If you want to be secure, here's my recipe.

Buy a second router and connect it's WAN port to one of the LAN ports on the primary router.  Connect all the "insecure" machines (like your son's) to the first router.  Connect all the network devices you wish to have protected from him and the Internet on the secondary router.

[P01arBear]

Instead of having 2 routers, you could also snap on an "AlphaShield" external firewall, it's cheap and...Has been proven to be unhackable up to know. There was a 2M$ contest to hack it, no one won. The only thing is, this firewall is so safe...It can be hell with some softwares such as msn.

You see, this alphashield doesn't let data in unless you have "asked" for it. Let's say you're on msn, people won't be able to write to you unless you have started the conversation. Your computer becomes a vault on the inbound side, but this doesn't affect the outbound. It just makes you unreachable from outside, but if you let a virus in your network (downloads), then the firewall isn't going to be much help. The alphashield is good if you want to totaly secure your PC because you have confidential data and don't use it for gaming or chating, but only for surfing websites.

If this is what you want, I suggest you get it by ebay, usualy around 60-80$.

On the other hand, for something less intrusive I recommend using a GOOD anti-virus with a firewall also on each computer. I swear by Eset's Nod-32. You can get their SmartSecurity kit wich includes an anti-virus and firewall, or just the anti-virus wich a separate free firewall such as PC tools, wich is free and well rated for windows XP (on Vista it wasn't rated as well). There are other good firewalls like Outpost and Online Armor also, and anti-viruses such as Kapersky and Bitdefender wich are all very respected.

Usualy mixing a router (better if you have one with SPI firewall) plus a GOOD RATED anti-virus and firewall on each computer, then you're pretty much as protected as can be. Of course, there could be some other small tweaks that could help, but for what it's worth, the solutions above should do the trick.

Like said above, every port open is a breach.

[gunrunnerjohn]

The two routers are cheaper, easy to install, and require no fooling around with the software or allowing each package access.  As long as you don't forward any ports, you are quite safe behind almost any SOHO router, SPI is pretty standard nowadays.  Remember, he already has one router. 

[fordem]

You see, this alphashield doesn't let data in unless you have "asked" for it. Let's say you're on msn, people won't be able to write to you unless you have started the conversation. Your computer becomes a vault on the inbound side, but this doesn't affect the outbound. It just makes you unreachable from outside, but if you let a virus in your network (downloads), then the firewall isn't going to be much help. The alphashield is good if you want to totaly secure your PC because you have confidential data and don't use it for gaming or chating, but only for surfing websites.

You could apply this description equally well to any NAT router even my old Linksys BEFSR11 which had NO firewall - you see, that is exactly how NAT works - NAT allows all outgoing connections and keeps track of where (which host) they came from and uses that information to direct the incoming response - however - if the incoming data does not match an existing outgoing request, the NAT router has no clue where to send it and simply discards it.

So what you have is nothing more than some slick advertising copy.

More to the point - gunrunnerjohn's solution is really the only inexpensive way to deal with his particular problem, which quite simply is that he already has a compromised host on the inside of his perimeter firewall, so, what a cracker would do is take control of the compromised host and use it to attack the other "unprotected" targets on the LAN.

[Sincere1]

Yes, I see what you mean.  Here I had been thinking I could somehow create my own private XP home network and exclude my son.  I hadn't thought about the fact that once they're past the NAT firewall, my best defense is gone.

Too bad I didn't think to ask these questions before I shelled out good money for my 2640B, because I intentionally bought it as an "all-in-one".  I'll now have to start pricing another wireless G router since the expensive first router converts my DSL.

Can I split the DSL line and just stick him on his own router?  I'd still have to spend for a DSL/router combo, but I could keep the modern features and wireless of my 2640B.  Or does my ISP provide only one IP address at a time, so nixing the "two dsl modems" idea?

Thank you

[gunrunnerjohn]

You can't use two modems, one modem to a DSL line.

You just need a secondary router to do what I suggested.  What's so special about the D-Link 2640B, looks like a pretty standard DSL gateway to me.

[Sincere1]

The 2640B has modern wireless features like WPA2.  It also allows specific port forwarding which I understand not all routers do (but most?), and I believe UPnP.  I'm not interested in the last two but my son is.

I suppose I'm undereducated on this subject also, but when I was shopping for the current router, it seemed like router/DSL modem combos were harder to find.

If I'm going to keep my secure wireless, I'll need to place the 2640B second in line.  So is it hard to find a modem/router with port forwarding capability to place first in line?

Thank you

[gunrunnerjohn]

Actually, WPA2, uPnP, and port forwarding are standard features of almost any current generation router.  Since you already have that router in place and your son's connecting through it, my previous suggestion seems made to order for you.  I can't think of a new router that doesn't offer WPA2.  I'd suggest the D-Link DNS-615, it's available regularly for $40 or even less, and it's a decent 802.11n router.  I have one here, and it's worked well for some time.

[fordem]

Under NO circumstances should you give your son access to uPnP unless you figure out a way to get a firewall between his system and the rest of your network.

uPnP provides a mechanism where the software on his computer can automatically configure the router permitting all sorts of mayhem to be achieved.  Personally I would disable uPnP.

[gunrunnerjohn]

With the secondary router, all uPnP is going to do is allow him to nuke himself faster on the Internet.   Obviously, you don't enable uPnP on the secondary router! 

[fordem]

With the secondary router, all uPnP is going to do is allow him to nuke himself faster on the Internet.   Obviously, you don't enable uPnP on the secondary router! 

That would qualify as the "firewall between his system and the rest of your network" that I am advocating.

[gunrunnerjohn]

That would qualify as the "firewall between his system and the rest of your network" that I am advocating.

100% correct, it's the cheapest way I know to totally isolate yourself from such a situation.  I have a similar arrangement here for the wireless network.  I actually have two wireless networks, the "public" one that I really don't care what happens on, and my private one that is restricted to my connections.