
Firewalls on a LAN with broadband???

  • 11-05-2006 9:00pm
    #1


    I have networked two computers together on a LAN using a basic Netgear hub. I want to connect the hub to the DSL modem to enable broadband on the network. I also want to firewall the network from the internet.
    I've tried Windows Firewall and it states that if I enable file and printer sharing, internet users can view and change files etc., so I installed ZoneAlarm. This is fine as under Zones the 10/100 network card comes up as Internet and the internet works on both; however, they can't see each other on the network without putting the 10/100 Ethernet zone on Trusted, in which case I presume the firewall is non-existent.
    I have caved in and ordered a Linksys wireless ADSL modem and firewall all-in-one solution with SPI and NAT firewall features.
    Is there a solution where I can have a software firewall on a network and file share and printer share?
    Obviously I'll have the hardware one in the next day or so, but what is the solution to the problem? I have also tried Kerio and that says you need WinRoute, which has firewalled LAN capability, but I couldn't see it. In any case I wish to stick to a tested solution to the problem. Any advice?
    Also, can I lock all the ports and vulnerabilities using the Linksys with the exception of whatever port is needed for Firefox etc.?
    This is a mission-critical application in a business and I cannot let my computers be hacked or infected from the web. Thanks.


Comments

  • lomb


    I've re-enabled Windows Firewall after removing ZoneAlarm. I noted this has an option to create an exception for file and printer sharing. Also, if you double-click this it lets you create an exception only for the local subnet. ZoneAlarm didn't do this and neither did Kerio Free.
    Is this OK with this and a NAT/SPI hardware firewall?


  • _CreeD_


    To use ZoneAlarm in this config. you would indeed add the subnet for your LAN to the Trusted zone. It classifies each area by subnet, not interface... even though the 2 seem to go together in this case, it's important to remember that even though your NICs are receiving packets from the internet via the DSL router, it is a relay system based on the logical boundaries of the subnets involved. The internet is not part of your local subnet (you'll see ZA shows something like 192.168.1.1/255.255.255.0 as the address; this means this area is the IP range from 192.168.1.1 to 192.168.1.254, and anything else is not to be included in rules for this interface) and therefore packets received from it are treated differently to those generated on your own LAN. Soooo even though you are using the same physical interface to receive local and internet packets, the firewall can easily distinguish which ones are really trusted and which ones need to be intercepted.
    In short: the source IP of the packets defines the zone, not the physical interface. This would not compromise security, as the only area it makes you vulnerable to attack from is the other PC to which you are connected; the internet is still untrusted.

    Just make sure ZA is installed on BOTH PCs (just in case you haven't already).


  • lomb


    Thanks. What is the difference between Windows Firewall and ZoneAlarm?
    I didn't see any option in ZoneAlarm to allow the network to be in a subnet. The only option was under Zones, where you have an option to allow it to be Trusted or Internet. Allowing it to be Internet disables the networking; allowing it to be Trusted presumably disables the firewall?
    In any case Windows Firewall seems very good, with the exceptions clearly specifying the subnet/internet.
    Will I be 100% secure with a NAT/SPI firewall and Windows Firewall?
    Can I block all ports out/in except the one required to do basic web surfing with the hardware firewall?
    Will this guarantee that I can't be hacked?
    thanks again


  • _CreeD_


    Actually, since you have a small'ish LAN, if you want to lock it down as tight as can be it might be better to be more exclusive. We'll set up ZoneAlarm to only trust traffic from your 2 PCs. I don't know how familiar you are with IP setups, so apologies if any of this is patronising.
    I presume your PCs are using DHCP with the router acting as the DHCP server. I also presume the router is using the range 192.168.1.1/255.255.255.0, allocating anything from x.x.x.2-x.x.x.254 to your 2 PCs. Your router should then be 192.168.1.1.
    Sooooo first up, on each PC go START / RUN / CMD and run IPCONFIG. Write down the Default Gateway and verify the IP address is in the range 192.168.1.x (x isn't important, just that the addresses have those first 3 numbers). The Default Gateway is the address of your router.
    With that done you need to specify permanent addresses for each PC.
    START / SETTINGS / NETWORK CONNECTIONS, then right-click your LAN card, select Properties and double-click TCP/IP. Switch from "Obtain An IP Address Automatically" to "Use the Following...". On the first PC enter 192.168.1.100, Mask 255.255.255.0, Default Gateway = the address you wrote down earlier when you ran IPCONFIG, which should be 192.168.1.1. On the second enter the address 192.168.1.101 and the same as above for the mask and gateway. The reason I'm recommending .100/.101 instead of .2/.3 is in case you accidentally add a network device later with DHCP enabled: the router might allocate .2 or .3 and create a conflict (many routers allow you to specify a range of addresses to avoid for just this reason, but there's no need to go into that here). So, you could use .2 or .3 if you like; it's up to you, and won't make a difference to performance.
    When you have that done, reboot and make sure you can ping each PC from the other, e.g. from PC1 - START / RUN / CMD "PING 192.168.1.101"; on PC2 do the same but use 192.168.1.100. This will test connectivity and that the IPs/masks etc. are all fine. If it doesn't work, make sure the firewalls are disabled for the moment and double-check the TCP/IP settings.

    Presuming that's all working fine by now, this is how you tell ZoneAlarm to accept traffic from each.
    Open ZA's control panel and click the FIREWALL tab, then ZONES and ADD, and choose IP ADDRESS from the popup menu. Set the zone on the next tab to Trusted and add the IP address of the other PC (i.e. on PC1 you will enter 192.168.1.101, on PC2 enter 192.168.1.100).

    That's it. It may seem a bit complex depending on how familiar you are with IP settings already, but knowing how to manually enter the values can come in very handy for a number of reasons. It should take about 10 minutes or so, 20 if you're doing this all for the first time, but the end result is a firewall that ONLY trusts the IPs you just specified. Since we didn't add 192.168.1.1, anything coming into your network from the router (and therefore the internet) is NOT trusted and is correctly filtered by the firewall.
    If you add more machines later, follow the same procedures for manually entering the IP settings and then adding it to your trusted list (you can also define ranges of IPs like .100-.110 in ZA to save time if you want, but that's not necessary right now).


    EDIT:
    The other questions:
    Personally I don't trust a Microsoft freebie, though they did improve Windows Firewall in SP2. ZA is well regarded and I've never had any problems in the years I've been using it.
    The lack of being able to specify ports in ZA is a problem, but it does give you per-application control instead, which is excellent imho. I.e. you can block one app. from accessing a port but allow another to work perfectly with the same port instead; with simple port blocking it's on/off only.
    A hardware firewall is a good addition to software, but not absolutely necessary imho. You will never be 100% secure, so you are dealing with degrees of security instead of absolutes; you have to evaluate security level vs. cost. For the home user a solid software solution is usually fine. If you do add a hardware firewall, or use port blocking on a more advanced router, you can take 2 approaches. For absolute security, lock down everything and then add exclusions as you need them (e.g. 80 for HTML, 53 for DNS etc., and then any custom ports for the games/apps you use), or do some googling on the most insecure ports and block them specifically. The latter is not very secure though, as ports are easily changed; the former means you will need to do some research on the common ports you are likely to need (the example of DNS is one people often miss, and then wonder why they can't access webpages by name). It depends on how often you want to be updating your exclusion list.
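    The zone logic _CreeD_ describes (the packet's source IP decides the zone, not the interface) and the default-deny port policy from the EDIT, modelled as an added Python example that is not from the thread. The trusted ranges, sample source addresses and port numbers 80/53 follow the thread; the NetBIOS/SMB port set and the extra port 443 are assumptions I added.

```python
import ipaddress

# Constructed from the thread: (a) trust the whole LAN subnet, which ZoneAlarm
# displays as 192.168.1.1/255.255.255.0, and (b) trust only the two PCs' fixed IPs.
TRUST_SUBNET = [ipaddress.ip_network("192.168.1.0/24")]
TRUST_HOSTS_ONLY = [ipaddress.ip_network("192.168.1.100/32"),
                    ipaddress.ip_network("192.168.1.101/32")]

# Services that must only ever be reachable from the trusted zone: NetBIOS and SMB,
# i.e. Windows file and printer sharing (assumed port set, not from the thread).
LAN_ONLY_SERVICES = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Hardware-firewall exceptions, default-deny style: 80 and 53 come from the thread,
# 443 is an assumption added here because HTTPS sites need it.
ALLOWED_OUTBOUND = {("tcp", 80), ("udp", 53), ("tcp", 443)}


def zone_for(src_ip: str, trusted: list) -> str:
    """The packet's SOURCE address decides the zone, not the physical interface."""
    addr = ipaddress.ip_address(src_ip)
    return "trusted" if any(addr in net for net in trusted) else "internet"


def inbound_allowed(src_ip: str, proto: str, dport: int, trusted: list) -> bool:
    """Software firewall on a PC: sharing ports need a trusted source; all else is denied."""
    if (proto, dport) in LAN_ONLY_SERVICES:
        return zone_for(src_ip, trusted) == "trusted"
    return False  # default deny for unsolicited inbound traffic


def outbound_allowed(proto: str, dport: int) -> bool:
    """Router/hardware firewall: everything locked down except the listed exceptions."""
    return (proto, dport) in ALLOWED_OUTBOUND


if __name__ == "__main__":
    # Constructed sample sources: the other PC, the router itself, and a public address.
    for src in ("192.168.1.101", "192.168.1.1", "203.0.113.5"):
        print(f"{src:15} subnet-trust={zone_for(src, TRUST_SUBNET):8} "
              f"hosts-only={zone_for(src, TRUST_HOSTS_ONLY):8} "
              f"smb-in={inbound_allowed(src, 'tcp', 445, TRUST_HOSTS_ONLY)}")
    # Forgetting DNS (udp/53) in the exception list is the mistake the thread warns about.
    print("web ok:", outbound_allowed("tcp", 80), "dns ok:", outbound_allowed("udp", 53))
```

    The router address 192.168.1.1 is trusted under the subnet policy but not under the hosts-only policy, which is exactly why the post recommends listing the two PCs individually.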


  • lomb


    THANKS, that's a big help. I am partially familiar with allotting a specific address to a computer from the past, but that's helped a lot. Thanks again :)
    I'll also lock down the ports with the hardware firewall, I think, creating a couple of exceptions.


  • lomb


    _CreeD_ wrote:
    START / SETTINGS / NETWORK CONNECTIONS, then right-click your LAN card, select Properties and double-click TCP/IP. Switch from "Obtain An IP Address Automatically" to "Use the Following...". On the first PC enter 192.168.1.100, Mask 255.255.255.0, Default Gateway = the address you wrote down earlier when you ran IPCONFIG, which should be 192.168.1.1.

    Hi again. Can I ask, if that's what you enter in the first box, what do you enter in the box below, or do I leave it blank? After double-clicking TCP/IP, it says "Use the following DNS server address"; do I leave this blank? It goes from "Obtain DNS automatically" to this, so I presume something needs to be entered? Thanks again.


  • _CreeD_


    Follow the steps for running IPCONFIG with the system set to DHCP, but add /ALL to the end, i.e. "IPCONFIG /ALL". You will see the DNS addresses you need listed there.


  • lomb


    Thanks again :)

