safe to disable firewall?

Discussion in 'other firewalls' started by kcvale, May 4, 2005.

Thread Status:
Not open for further replies.
  1. kcvale

    kcvale Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    28
    Hello,
    I'm having trouble with getting True Image to work on my system so I've been advised to disable my firewall to see if there's a conflict. Here's my question: We have an unknown computer riding our network. I thought we got rid of them but they're back. If this person is on our network (shows up on the DHCP Client List) just how easy is it for them to access our computer info with the firewall down-- for that matter, how hard is it for them to access our computer info when the firewall is up?
    Thanks,
    kc
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Could you tell us a bit more about the configuration of the PC's and the network?

    Why the focus on the firewall as the potentially offending application? Some bits of indirect evidence or a guess at this stage?

    Any other security/monitoring software installed?

    Blue
     
  3. kcvale

    kcvale Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    28
    Hi Blue,
    I was using Norton Internet Security (firewall and antivirus) on a WinMe Compaq laptop that I want to create a backup image of and save to a desktop over a network connection. The network is comprised of a Belkin 54g wireless router, 2 notebooks, and a desktop (all Belkin 54g stuff).
    When I was unable to get True Image to work, tech support's original suggestion was to uninstall but I didn't want to do that because I didn't want my computer completely unprotected and, frankly, Norton can be a bear to uninstall. They then advised disabling. Here is what they said:

    "there may be settings in these programs that makes them recognize Acronis software as virus or a danger of any other sort even though Acronis True Image doesn't perform any destructive actions. Also there may be a problem with driver installation that can be interrupted with Symantec Antivirus."

    I know that Norton can be snarky sometimes but I didn't want to be completely without a firewall so I turned Norton's firewall off from startup and installed ZoneAlarm. The computers are in the firewall's trusted zones and, for the backup procedure, I've reduced the security level to 'no firewall' in attempts to get things working. It still didn't work.
    I'm trying to do what tech support advised but I'd like to know just how vulnerable I am if I completely disable my firewall-- especially with the return of our network lurker.
    As for the antivirus software, I turned that off and tried again before I contacted tech support the second time.

    So, how vulnerable am I if I turn off the firewall for several hours?

    thanks,

    kc
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Was anything showing up in the NIS or NAV logs?

    If they were wanting you to uninstall/disable the firewall to troubleshoot why add another one into the mix?

    I take it this lurker is someone who has tapped into your wireless network? Do you have it configured properly/securely?

    Edit: Is your home wireless network vulnerable? Tips to help keep others from hijacking your system

    If you have an unwanted/unknown computer connecting to your wireless network you should deal with that first.

    Regards,

    CrazyM
     
    Last edited: May 5, 2005
  5. kcvale

    kcvale Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    28
     
  6. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    kcvale,

    Strange. Well, the fact that you are not seeing any messages from within Norton suggests that the initial Acronis explanation is wrong - that is, it is very unlikely that the firewall/AV is ascribing malware-like intentions to TI. That doesn't mean there is not a compatibility issue, only that it seems incorrect to point to active interaction between Norton and TI.

    If someone is hopping on your wireless LAN, obviously some tightening is in order, it's a question of where are you now in the overall possible sets of configurations and where you need to be to eliminate the visitor. What security measures are now active on your wireless branch? I assume some level of encrypted access (WEP, WPA?; number of bits?), broadcast SSID (yes/no?), MAC level filtering? Before making any specific changes here, let's get a sense of how you're configured now. Assuming the lurker really wants to get on your wireless, you should be able to set things up so that your network is secure for the test at least.

    Alternatively, test the machine in question off the network, then it is immaterial whether the lurker is present or not, although I'd personally deal with the lurker first - as you've already seemed to decide.

    Aside from TI not working, any other obvious symptoms or is it just hanging at some point?

    Blue
     
  7. kcvale

    kcvale Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    28
     
  8. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    What you can and cannot reasonably do depends on what you have. At the minimum, it is clear that you need to encrypt to some level. Take some time to read up on wireless security, here is a decent starting point. It gives you some idea why simply changing and/or disabling the SSID broadcast doesn't really work except for transient casual intrusions. You do need to encrypt.

    Personally, if you could do it, in one step I'd:
    • Change the SSID again (this is just to add one more block - if you do nothing else, the situation won't change)
    • Change the router admin login password
    • Go to static IP addresses and shrink the available address pool to equal the number of PC's that need to be supported. Details here are router dependent, I assume you can do it with your equipment
    • Encrypt with WPA-PSK and have a nice long complex key
    Seems like a few steps, but no need to go through this again.

    Blue
     
  9. Grumble

    Grumble Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    185
    Location:
    the sunshine state
  10. kcvale

    kcvale Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    28
    Ok, I've changed the SSID and added encryption. My lurker disappeared. I ran into trouble trying to figure out how to change to a static IP address. I have a cable modem with a dynamic IP address. Is it possible (and if so, how) to make this stable?
    I also downloaded AirSnare. And am checking out LucidLink.
    I feel much better about my network's security. But I still wonder about the wisdom of turning off my firewall to troubleshoot True Image. Now that I'm a little better protected, is this safe to do?

    Thanks so much for all of your help.

    kc
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    That is good to hear.

    I believe Blue was referring to assigning static IP's to the LAN systems, not the router itself. Some routers allow you to define the size of the DHCP pool (number/range of IP's the built in DHCP server will hand out) or disable the DHCP server altogether. If you use static IP's on the PC's, MAC filtering and disable the DHCP server, it is another way to set limits on how many systems can connect to the network.

    With the lurker gone and if you trust the remaining systems on the network you should be fine disabling the firewall to troubleshoot True Image. The router will protect the LAN system(s) from unsolicited traffic from the Internet.

    Regards,

    CrazyM
     
  12. kcvale

    kcvale Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    28
    Thanks for your help. I guess I'm off to troubleshoot TI.
    kc
     
  13. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    CrazyM,

    That's precisely where I was heading with that and the logic behind it.

    The other reason I suggested this - if you found yourself unable to log onto the LAN, that would be an immediate flag that the lurker may have returned. The advantage is that you wouldn't have needed to continually check for the lurker's presence.

    Blue
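
Added example, not part of the original thread or any poster's own code: a small Python check of a router's DHCP client list against the machines you own, including the pool-exhaustion tripwire discussed in the posts above. The MAC addresses, the `IP  hostname  MAC` row layout and the 192.168.2.x addresses are constructed assumptions; adapt them to what your router actually shows.

```python
import re

# Assumption: MAC addresses of the three machines you own (constructed values).
KNOWN_MACS = {
    "02:00:00:00:00:01": "notebook-1",
    "02:00:00:00:00:02": "notebook-2",
    "02:00:00:00:00:03": "desktop",
}
POOL_SIZE = 3  # DHCP pool shrunk to the number of PCs, as suggested in the thread

# Constructed sample: "IP  hostname  MAC" rows copied from a router's DHCP client list.
SAMPLE_CLIENT_LIST = """\
192.168.2.2   NOTEBOOK1   02-00-00-00-00-01
192.168.2.3   DESKTOP     02-00-00-00-00-03
192.168.2.4   unknown     02-00-00-00-00-99
"""

ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})$"
)

def parse_clients(text):
    """Return one dict per well-formed row; MACs normalised to lower-case aa:bb:..."""
    clients = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, host, mac = m.groups()
            clients.append({"ip": ip, "host": host, "mac": mac.lower().replace("-", ":")})
    return clients

def audit(text, known=KNOWN_MACS, pool_size=POOL_SIZE):
    """Flag leases held by unlisted MACs and owned machines that hold no lease."""
    clients = parse_clients(text)
    seen = {c["mac"] for c in clients}
    unknown = [c for c in clients if c["mac"] not in known]
    missing = sorted(name for mac, name in known.items() if mac not in seen)
    # Tripwire from the thread: with a pool sized to your PCs, a stranger's lease
    # leaves one of your own machines unable to get an address.
    tripwire = len(clients) >= pool_size and bool(unknown) and bool(missing)
    return {"unknown": unknown, "missing": missing, "tripwire": tripwire}

if __name__ == "__main__":
    report = audit(SAMPLE_CLIENT_LIST)
    for c in report["unknown"]:
        print(f"unlisted client {c['mac']} holds {c['ip']} ({c['host']})")
    print("owned machines without a lease:", report["missing"])
    print("pool-exhaustion tripwire:", report["tripwire"])
```

A MAC address is only a label the client reports, so a clean result is a consistency check rather than proof; the WPA-PSK key is what keeps strangers off the network.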
     