How to set optimum settings in ZA Pro?

Discussion in 'other firewalls' started by Escalader, Apr 23, 2007.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
As I have mentioned, my setup is a base XP setup. All base (default) XP services are enabled. From this, I have DHCP enabled, DNS client/service enabled. For a typical end user, these are base settings, even behind a router. Yes, changing Windows settings can/will change the needs of comms, but the thread is for settings within ZA, not the OS.

    At this point, I have only connected out via IE from testPC.
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
Yes, this was more for Escalader than you... sorry for the misunderstandings...

    Fax
     
  3. oldshep

    oldshep Registered Member

    Joined:
    Dec 19, 2006
    Posts:
    139
    Not sure if this is the same thing you guys are talking about but I thought I'd throw it out there anyway...

When I was using ZA Pro 7.0.377 a while back, I had my local network set to Internet and I was getting a lot of firewall log entries denying service host - even though I had it set to super in program control. Someone on the ZA forum suggested that I add the DNS and DHCP server address as trusted. By using ipconfig /all at the command prompt, I found that my router was the DNS / DHCP server. So I added my router address as trusted (along with the loopback adapter (127.0.0.1)) and the logging problem for service host went away and never came back. I don't know if this causes a security concern...

    My setup is WinXP SP2, SS 5.3, Nod32 2.7. Verizon Fios IP, Actiontec router w/ SPI and NAT.

    If this info is not germane to the present discussion, please disregard and continue with this excellent and educational thread.

    Regards,
    Oldshep
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
Yep, that would solve the problem... but they excluded adding the router to the trusted zone.... Or more simply setting the LAN to trusted.
It's more an exercise to set everything per book. Interesting indeed but practically (day to day use) unnecessary (IMO).

    Fax
     
    Last edited: Apr 29, 2007
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
Hello OldShep, I remember you! :thumb:

I also recall the loopback adapter point, so this is a question of security Stem will address when he has time.

One thing we have said is that the router is a key piece of the security layer, therefore I have it as Internet, not trusted. Stem has not said to me, as the "learner" here, to put it as trusted, so I haven't.

    I think your post is relevant but all posts are for Stem to review and then advise, then and only then do I change a setting.

    I did have to put 255.255..... in as trusted this AM to get an address.

If I really wanted to just stop the alerts and blocks I know several ways in ZA Pro I could accomplish it, but the point is to set optimum settings, not those that are.... how to say this.... workarounds or methods that get rid of messages but lower the security of my PC and by extension others reading the thread!
     
  6. oldshep

    oldshep Registered Member

    Joined:
    Dec 19, 2006
    Posts:
    139
OK, I didn't realize you guys were specifically trying to keep the router in the Internet zone. I will look forward to Stem's comments on the security ramifications of putting the router (and loopback adapters) in the trusted zone. And I will continue to read all further comments in this excellent thread.

    Oldshep
     
  7. oldshep

    oldshep Registered Member

    Joined:
    Dec 19, 2006
    Posts:
    139
    @fax,

It seemed to me at the time that adding only the router address (instead of the entire LAN) was more secure. My router has a wireless connection, so if I added the entire LAN and someone cracked the wireless encryption, they could get access to my PC (?). Cracking the wireless encryption would not be trivial, but if I wasn't a bit paranoid about stuff like that, I probably wouldn't spend so much time on these forums :D

    Oldshep
     
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
Just to avoid panic among other ZA users and users of firewalls in general: adding your router to the trusted zone will not lower your security.

If we define security as the package of measures you are using for protecting your computer from an external threat, you are absolutely safe. I bet anyone to get into your system with such a setting without direct interaction with the machine or exploiting a flaw or weak setting of the router. This has been tested before in the community.

Vectors of infection or compromised systems are 99.99% not influenced by adding your router to the trusted zone. The reason is very simple: it takes more time and resources to crack a router than to use a simple viral attack to compromise the OS.

I think the exercise here (still very valuable) is to secure your network communication and ensure complete control over it. It is a useful exercise to understand how network communication works.

    Fax
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
Yes, indeed.. that is why I have already stated before that it is more important to secure the router... i.e. change the default password (there are scripts on the net that, once loaded in your system, will check hundreds of standard passwords and IDs and, once in the router, change your DNS).

Yes, you should use WPA/WPA2 and a random password with more than 30 characters. I think they managed to brute force WPA/WPA2 simple passwords with up to 20 characters.

    Fax
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
"Just to avoid panic on other ZA users and users of firewall in general. Adding your router to the trusted zone will not lower your security."
There is no need to panic, unless the wings are on fire, and they aren't :D

"I think the exercise here (still very valuable) is to secure your network communication and ensure complete control on it. It is a useful exercise to understand how network communication works." Glad to have this thought, but the exercise here was defined in the original posts. Yes, things are being learned, but the focus is to find out "How to set optimum settings in ZA Pro?"; if others benefit, so much the better. Let's stay on track and not question or alter the purposes, they are unchanged :cool:

    Let's wait for Stem to return with his next steps....there is no rush to conclusions we are testing, learning all at the same time:thumb: .

    BTW no one asked me, but I have long ago changed the router default password. We are not dealing with wireless, but a simple Ethernet hard wired LAN.
     
  11. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
Could somebody explain to me why setting the router as Internet is safer than setting it to Trusted. I need a good explanation and some details. I am really confused about this idea.

    12fw
     
  12. gre87y

    gre87y Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    164
    LOL Yes I am also very confused by this please enlighten me.
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
The only risk I can see is that if your router gets "owned" your system will be open to attacks... but I believe if your router is "owned", setting ZA to 'Internet' will not help much... :D

    But I would also welcome a more detailed and reasonable explanation on this...

    Fax
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Maybe Stem can explain it!

    I asked everyone to wait for Stem's actual tests results. Now we see why!

    Opinions don't cut it in a learning thread....wait, don't guess. ZA Pro is a program no doubt with some issues but all I am trying to do is learn how to optimize it on my system.

For now, let's just all agree that there are different honestly held views and opinions.

    I'm not interested in learning via opinions, I like to read them but in this thread I have no intention at all of following them till proven, and verified by Stem.
     
  15. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Escalader

    "Opinions don't cut it in a learning thread....wait, don't guess. ZA Pro is a program no doubt with some issues but all I am trying to do is learn how to optimize it on my system."

    What issues are those exactly?

    12fw
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    We may know when we are done.

    There are over 90 posts now, BUT please forgive me, this thread is not an opportunity to complain about ZA or Checkpoint. That achieves zip!

    I should not have said anything about issues here, I allowed myself to become distracted by the last few posts and didn't follow my own rules set in the start. I apologize. :oops:

    If you want to start a thread on issues do so but I'm fishing in this thread now and learning and hopefully we can all just become :cool:
     
  17. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    fax

"The only risk I can see is that if your router gets "owned" your system will be open to attacks... but I believe if your router is "owned", setting ZA to 'Internet' will not help much... "

    How does a wired router get owned when there is a hardware firewall in front of it and the password and the account has been changed to higher security?

    Would the software firewall still block even if the router did get owned? Isn't that what a software firewall does anyways?

    12fw
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    My router/lan is set in the internet zone.

    What I am asking now is what if I changed ZA Pro's custom FW settings to allow DHCP on port 67 in the internet zone?

    It seems to me that that allows the address business and still keeps the router in internet? Would that still preserve optimum security and allow the address to be assigned?

    But maybe I'm wrong on the way this works.:doubt:

    See attached jpg
     
  19. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Escalader

    I thought you were talking about something from this thread. Unless you have something intended?

    12fw
     
  20. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Escalader

    Do you think having DHCP for port 67 opened to all of the internet is a wise decision?

    12fw
     
  21. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Hi!
I guess that if the PC relies on the router for DHCP and DNS (as it does in this case) and the router is owned, then you can have any firewall in front of the router, but all your calls will be re-routed... so you are basically out of any control over your connections...

    Fax
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
If you check, it is the LAN that is set as Internet. ZA does not place only the router as trusted, but the full LAN. As from the default settings for the "Trusted" zone, Windows services will be open to this zone. Most will have the default settings within "Program control" to allow these Windows services (via svchost on XP) unsolicited inbound (allow server in trusted zone). As "Escalader" has stated, there is more than one PC on the LAN, and a need not to share/connect to this, so why then trust the LAN and allow the inbound to the services?
Not all users have only one PC on the LAN, and certainly not all users are on a trusted LAN, so I cannot understand how anyone can say just to add the LAN as trusted.
     
  23. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Stem

    The full LAN was never referred to as the router or am I missing something here? When I first installed the ZA, the first reboot after installing, showed a window with the router IP and a question to set it as trusted or internet. The entire LAN was never mentioned, just the router IP itself. The other PC on the LAN is still not included as Trusted and it still should be seen as Internet, hence not Trusted. I am not too sure where I did say LAN instead of the router.

    12fw
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    12fw,

Check "Firewall -> Zones". The entry will be for the LAN, not just the router: example 192.168.0.0/255.255.255.0. This entry will be for all IPs in the range 192.168.0.0 to 192.168.0.255 (also the "entry type" will show as "Network"). So if set to trusted, you are trusting all the IPs in that range, not just the router.
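To make Stem's point concrete, here is an added example (not ZoneAlarm's code, zone file format or API) that models a zone table like the one in "Firewall -> Zones" and shows which source addresses get unsolicited inbound access to Windows services under the "allow server in trusted zone" default, comparing a trusted /24 network entry with trusting only the router host plus loopback. The router address 192.168.0.1 and a second LAN PC at 192.168.0.50 are assumed values.

```python
import ipaddress

# Constructed zone tables in the shape Stem describes. "Network" entries
# carry a mask and cover a whole range; "Host" entries match one address.
LAN_TRUSTED = [
    {"type": "Network", "addr": "192.168.0.0", "mask": "255.255.255.0", "zone": "Trusted"},
    {"type": "Host", "addr": "127.0.0.1", "zone": "Trusted"},
]
ROUTER_ONLY_TRUSTED = [
    {"type": "Host", "addr": "192.168.0.1", "zone": "Trusted"},   # assumed router IP
    {"type": "Host", "addr": "127.0.0.1", "zone": "Trusted"},     # loopback adapter
    # the LAN range itself stays in the Internet zone
    {"type": "Network", "addr": "192.168.0.0", "mask": "255.255.255.0", "zone": "Internet"},
]


def classify(src_ip, zones):
    """Return the zone of the first entry matching src_ip; anything unmatched is Internet."""
    ip = ipaddress.ip_address(src_ip)
    for entry in zones:
        if entry["type"] == "Host":
            if ip == ipaddress.ip_address(entry["addr"]):
                return entry["zone"]
        else:
            net = ipaddress.ip_network(f'{entry["addr"]}/{entry["mask"]}', strict=False)
            if ip in net:
                return entry["zone"]
    return "Internet"


def unsolicited_inbound_allowed(src_ip, zones, allow_server_trusted=True, allow_server_internet=False):
    """Model the per-program 'allow server' flags: Trusted zone open, Internet zone closed by default."""
    zone = classify(src_ip, zones)
    return allow_server_trusted if zone == "Trusted" else allow_server_internet


def compare(src_ip):
    """Show the effect of the two tables on one source address."""
    return {
        "lan_trusted": unsolicited_inbound_allowed(src_ip, LAN_TRUSTED),
        "router_only": unsolicited_inbound_allowed(src_ip, ROUTER_ONLY_TRUSTED),
    }


if __name__ == "__main__":
    for src in ("192.168.0.1", "192.168.0.50", "127.0.0.1", "203.0.113.9"):
        print(src, compare(src))
```

With the whole /24 trusted, the second LAN PC (192.168.0.50) can reach the services unsolicited; with only the router and loopback trusted it cannot, while the router still can.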
     
  25. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Thank you Stem. I see now what you mean.

So why not change this and make just the router IP Trusted and exclude the rest of the LAN? I am at a disadvantage since I am just a single-PC arrangement. Would there not be alerts about unsolicited packets and blocked routed packets regardless of the LAN being set as Trusted?

    12fw
     