What is more secure?

Discussion in 'other firewalls' started by FireDancer, Jul 10, 2004.

Thread Status:
Not open for further replies.
  1. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    When networking home computers, what protocol is more secure: TCP/IP, IPX/SPX, or NetBeui? I ask because I am wanting to set up a home network with 2 XP Home machines and 1 Win98SE machine. First off, let's talk about bindings. If I am thinking correctly, bindings are what is used to control the protocols' communication in a certain manner, and if I have several protocols installed but only want to use one certain one for my network, then I need to remove the bindings on the other protocols so that they will not try to interfere with the network. Am I correct? TCP/IP is what I need strictly to access the internet and nothing else. I have IPX as well as NetBeui installed.

    As explained to me earlier, NetBeui is not recognized by a firewall (if I understood correctly) and thus this would enable me to leave my present firewall rules in place concerning NetBios 137-139 DENY all traffic UDP/TCP IN/OUT any application any port. Am I correct in assuming this?

    But I use a cable modem and DHCP broadcasting, which also leads me to believe that I would need to add certain rules within my firewall for Microsoft Networking and the trusted address group.

    I want a network that is secure from outside attacks, but I also need to let my firewall control the network protocols locally so that communication is not hindered. The last time I tried to set bindings I lost the internet connection on the Win98SE machine and am afraid of doing this again. Any advice/links/tutorials would be greatly appreciated. I have searched the net on how to accomplish this and found nothing that meets my needs/concerns.

    Best Regards,
    FireDancer
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas

    If you're using a hardware router, you don't need to do anything further. If you're using a software NAT-based router like ICS or Sygate, as long as you unbind Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks from the copy of TCP/IP that is bound to the network adapter that connects you to the Internet, you're secure. In both these cases, you don't really need to use NetBEUI for File and Printer sharing unless you like a "belt and suspenders" approach.


    This is a good site to learn networking.

    Practically Networked
     
  3. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    RonJor,

    Thanks for the link and the reply. The biggest problem I am having is getting to the bindings in Win XP (Home). I have got NetBeui installed on it but cannot find where to bind/unbind for the proper protocols. The link you gave was good. If I understand correctly, running NetBeui for my network should allow me to leave my current firewall settings for NetBios 137-139 DENY IN/OUT ANY PORT/APP.

    Regards,
    FireDancer
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    I don't believe you need netbeui if you are behind a router as explained in the previous post.


    netbeui
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    I am not networked. My machine is behind a router. This is the way my setup looks.

    As long as you unbind Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks from the copy of TCP/IP that is bound to the network adapter that connects you to the Internet, you're secure.
     

    Attached Files:

  6. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Hello FireDancer

    Even though you are using XP on two machines please have a look at this page. It pertains to Windows 9x and it has an excellent explanation of TCP/IP vs. NetBEUI vs. IPX/SPX. It is very informing!

    Let us know what you think of it!

    Be seeing you.
     
  7. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    RonJor and Qsection,

    Thanks so much for the help, and the link you posted, Q, was excellent!!!! My network is up and running smoothly and the best thing is that it is in no way in danger of accessing the net. I went ahead with NetBeui even though I didn't need to, but as it was explained to me earlier in another post elsewhere that NetBeui, and I quote:

    " I suggest you install NetBEUI on all three machines and use that for your internal sharing. It cannot see and is not seen by a firewall so you won't have issues there. It cannot see or be seen across a router unless you have a fancy one and do some really serious tweaking so basically your NetBEUI traffic is completely invisible from the internet."

    Once I got it set up and understood what I was doing and wanted, that was the choice for me. I like the fact that my firewall doesn't acknowledge 135-139; now they're not even listening :) I still have to learn more about the bindings in Win XP Home and make a few adjustments, but I feel better now about the setup I have and will refine it tomorrow... Q, thanks for the link, it was great, as well as easy to understand. Both machines see each other and neither failed a full test at Shields Up in all aspects. True Stealth all the way around... thanks again, both of you.

    Regards,
    FireDancer :p
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi FireDancer

    For the sake of discussion as you seem happy with NetBeui ...

    Your current rules in Kerio could be left as is if you used TCP/IP. Kerio has a networking section where you can allow file sharing for a trusted network (your LAN) and still use your existing rules for everything else.

    With Kerio (or any other rule based firewall), you also have the option of defining specific rules for LAN systems and file/printer sharing instead of using the global networking option if you want further control and the ability to monitor this traffic.

    As ronjor noted, with your router in place, your internal network and shares are already safe from the outside. If you want to have control over network protocols and file/printer sharing, you will not likely be able to do this using something like NetBeui as most software firewalls are not capable of seeing/restricting this traffic. Using TCP/IP you would be able to control/monitor this traffic.

    Your router will be responsible for these results.

    Regards,

    CrazyM
     
  9. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hello CrazyM,

    It is always a pleasure to hear from you. Well, let's see... first off, I am happy with NetBeui due to the fact that I got it to work!!! LOL. Second, I am networking 2 XP (Home) machines to my Win98 machine and could not, or more was not sure how to, set them up properly with TCP/IP and the Trusted Addresses. Every time I tried I would have another problem I wasn't sure how to handle.

    As far as Kerio goes, I am not too sure of how the Trusted Addresses work, or for that matter I am no brain when it comes to networking. I don't know if I need to use a network/mask or network/range for the IPs. To be honest, I am afraid of making a severe mistake with TCP/IP and getting into trouble.

    I am more comfortable with Win98 than XP, and XP scares me when it comes to handling the protocols as well as managing the firewalls and certain services that might access the net. Bottom line here is that my systems were standalones, and even with that in mind I am still not too sure about controlling services within the firewall on the XP machines. I would like to be able to set up my network with TCP/IP but am just not too confident right now. Another quick question for you: do the machines need to ping each other on a local network?

    Here are a few captures of my current rules that I am concerned with. Hope this might help you understand my fears a little bit better if I wasn't clear in my post. I want to learn, but anyone who helps needs patience :) Thanks for your reply.

    Very best regards,
    FireDancer
     

    Attached Files:

    • Bios.jpg (File size: 11.4 KB)
  10. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Sorry I could not seem to get all the attachments into one post
    FD
     

    Attached Files:

    • ICMP.jpg (File size: 13.4 KB)
  11. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    :) :) :) :) :)
     

    Attached Files:

  12. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    It is always nice when things work ;)

    Was it configuring the proper firewall rules causing the problem?

    If you are using the Microsoft Networking tab in Kerio it depends on whether you want to allow specific LAN IP's, a range of IP's or the entire LAN subnet. Any of these should be OK, just a matter of how much you want to restrict this LAN traffic. If all systems are hard wired to the router and you are not concerned about physical access to the network, the easiest is to allow the subnet (192.168.1.0/255.255.255.0). Your screenshot shows a range, which is fine, although if your router is in default configuration, those IP's are dynamic - not likely to change, but could. You might want to consider going with fixed IP's for the LAN systems. Makes custom firewall rules a little easier, and some router configurations may be easier with fixed IP's. If you use wireless at all, then you would want to consider a fairly strict rule set along with other configuration considerations.

    If NetBios is enabled on all systems, and you use the Microsoft Networking tab in Kerio, that should cover your firewall configuration. I am not sure if this option allows you to monitor this traffic if required. For that you would probably have to configure LAN specific rules for your rule set.

    They would function without allowing it, but you can safely allow it for the LAN systems. Sample ICMP rules from a rule set of mine including LAN systems.

    ICMP rules:
    Rule #20: 'Allow Echo Request'
    Allow My Address [8] <-> All Addresses [0] (F)
    Rule #21: 'Allow Echo Reply LAN'
    Allow My Address [0] <-> 192.168.5.1-192.168.5.5 [8] (F)
    Rule #22: 'Allow Dest Unreachable'
    Allow My Address <-- All Addresses [3] (F)
    Rule #23: 'Allow Dest Unreachable LAN'
    Allow My Address [3] --> 192.168.5.1-192.168.5.5
    Rule #24: 'Allow Dest Unreachable DNS Servers'
    Allow My Address [3] --> [DNS Servers]
    Rule #25: 'Allow Time Exceeded'
    Allow My Address <-- All Addresses [11] (F)

    Regards,

    CrazyM
     
    Last edited: Jul 12, 2004
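
Added example, not part of the thread and not an export of any poster's firewall: a small Python model of the ICMP rules listed in the last post, showing how a trusted-address range differs from a network/mask definition. Reading a bracketed ICMP type as "sent by that side", the default-deny fallback, and the DNS server address are assumptions.

```python
import ipaddress

def ip_range(first, last):
    """Trusted-address group given as an inclusive range of IPs."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lambda addr: lo <= ipaddress.ip_address(addr) <= hi

def subnet(network, mask):
    """Trusted-address group given as network/mask."""
    net = ipaddress.ip_network(f"{network}/{mask}")
    return lambda addr: ipaddress.ip_address(addr) in net

ANY = lambda addr: True
LAN = ip_range("192.168.5.1", "192.168.5.5")   # range used in rules 21 and 23
DNS = lambda addr: addr in {"203.0.113.53"}    # constructed placeholder address

# (rule number, direction seen from "My Address", ICMP type, remote matcher)
# Assumption: a bracketed type next to an endpoint is the type that endpoint sends.
RULES = [
    (20, "out", 8, ANY), (20, "in", 0, ANY),   # my pings out, replies back in
    (21, "in", 8, LAN), (21, "out", 0, LAN),   # LAN may ping me, I reply
    (22, "in", 3, ANY),                        # destination unreachable, inbound
    (23, "out", 3, LAN),
    (24, "out", 3, DNS),
    (25, "in", 11, ANY),                       # time exceeded, inbound
]

def decide(direction, icmp_type, remote):
    """Return the first matching allow rule number, or None (assumed default deny)."""
    for number, rule_dir, rule_type, matches in RULES:
        if (rule_dir, rule_type) == (direction, icmp_type) and matches(remote):
            return number
    return None

if __name__ == "__main__":
    # Constructed sample packets: (direction, ICMP type, remote address)
    for pkt in [("in", 8, "192.168.5.3"), ("in", 8, "198.51.100.7"),
                ("in", 8, "192.168.5.6"), ("out", 8, "198.51.100.7")]:
        print(pkt, "->", decide(*pkt) or "deny")
```

A LAN host that picks up 192.168.5.6 from the router's DHCP pool falls outside the range but inside the 255.255.255.0 subnet, which is why the post suggests fixed IPs when rules are written against a range.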