
My Experience This Weekend (WAS: How to check your Internet security)

I'll now report on my experience of this weekend:

1. The Linksys DSL/Cable Modem Broadband router was a nice convenient size,
approximately 9" x 9" by 3" high, with a simple and logical LED display
("blinky lights" my ten year old daughter calls them). It was of course a
snap to install, although I already had the cabling there so that's the
biggest part of why.

2. The setup of the router is also very straightforward; you simply pull up
a web browser, and browse to http://192.168.1.1/ which is part of a chunk of
IP addresses (from 192.168.1.1 to 192.168.255.255; classically known as a
"Class B Network") that are reserved for "local addressing only" (i.e. they
will NEVER be accessible from the Internet). The setup is done in the
resulting web pages. It's almost self explanatory, although I admit I've
been doing this sort of setup long enough that it is intuitive to me.
Really, all you need is the sheet of instructions including IP addresses (if
you have static IPs), gateway IP, netmask, etc., that should have been given
you when you had your DSL or Cable Modem installation done.

3. I also set up my Win boxes to carry TCP/IP (I had this turned off
previously per the Steve Gibson instructions at http://www.grc.com/). I went
ahead and called those two computers, plus the Linux server, 192.168.1.2,
192.168.1.3 and 192.168.1.4 respectively. (I could have set the thing up for
DHCP--dynamically assigned IPs--if I'd wanted. The router can function as a
DHCP server, a really neat feature.)

4. The FIRST problem I noticed is, although I could "ping" each of my
machines from any other, and I could likewise "ping" the router, I could NOT
get out to the net! Could not even "ping" the gateway at my ISP!

5. After fiddling with it until late Friday night, I finally went to bed
with my network hidden from the Internet, and vice versa.

6. Next morning, called Linksys support. Huzzah! They have 24/7 installation
support! I did have to wait on hold almost half an hour, but I got a human
on the line. We went through several diagnostics, and he informed me that HE
could "ping" my router from the 'net, so I knew that the hookup to my DSL
modem was okay. After scratching our heads, he suggested that I use the
router's INTERNAL IP address (i.e. the one it presents to the LAN,
192.168.1.1) as the gateway address in the Windows (and Linux) TCP/IP setup.
VOILA! That worked! Ergo, the router serves as a gateway from my LAN to the
WAN (my ISP's network), and my ISP is the gateway to the greater, wider
world of the Internet. Makes sense in retrospect!

7. After that, I fiddled with the "advanced options". Ostensibly, NO ONE can
initiate a connection to ANY TCP or UDP port FROM the Internet to your
network when the router is in place. It simply refuses them. BUT since I'm
running an email and web server from my Linux machine, I DO want people to
be able to connect to it. You have the option of a "DMZ" which exposes ONE
internal IP address directly to the 'net. You would simply assign that
machine an "Internet eligible" static IP, and traffic "passes through" the
router to that one machine transparently.

However, I want more security than that, so I set up the advanced option
called "port forwarding". This lets a connection from the Internet be
accepted by the router and sent directly to the corresponding port on an
internal machine. It just looks to the Internet side as if you are
connecting with a single computer, router notwithstanding. The good thing
about it is that you can select the ports you want (I am forwarding ftp,
pop, smtp, and http, and nothing else) and all OTHER connections are
refused! So you've essentially gone from the 65,000+ ports available to (in
my case) four! No way for a trojan horse to get in there.

And it WORKED! Email and ftp, etc., continue to be accessible.

8. I left my BlackICE Defender installations running on the two other (Win)
PCs, just to see the difference. Of course it's only been one weekend, but I
am usually scanned at least ONCE a day, and as often as five or six times a
day. The last three days BlackICE shows NO SCANS AT ALL! I must assume that
the scan attempts are continuing, but NO WAY can they get through the
router! This is really great.

9. Also previously my Linux box had attempted connections made to it a few
times per day on average. This weekend, in all of the three days there were
only TWO attempts to connect to the FTP port, which of course failed.

10. One last thing I'm gonna do is forward port 22, which is for SSH (Secure
Shell) to the Linux machine. I've installed SSH1 which uses various
encryption methods on the Linux box, and I can then allow those who I'm
permitting to do so, access to the Linux machine from outside the
firewall/router over an encrypted connection. Lastly, I'm gonna finish
setting up LDAP for authentication, and my LAN should be secure for now.

In summary: While I've been assured by others I could've done all this with
Linux, buying additional cards, cabling, etc., I think all that plus the
pain of setting up filtering rules with Linux's IPCHAINS, etc., would have
taken more time (and ultimately money) than the $170 Linksys router took.
I'm very happy with the purchase and would recommend it to anyone with a
similar need to mine.
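
The inbound behaviours described in items 7 and 8 (default refusal, DMZ, port forwarding, and replies to LAN-initiated connections), as a small Python model. This is an added example, not part of the original post and not Linksys firmware; the class and function names and the 198.51.100.7 remote address are constructed, while the forwarded services and the 192.168.1.x hosts come from the post.

```python
from dataclasses import dataclass, field
from typing import Optional

LINUX_SERVER = "192.168.1.4"          # internal mail/web server named in the post
SCANNER = ("198.51.100.7", 50000)     # constructed outside host (documentation range)


@dataclass
class NatRouter:
    forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None                # optional catch-all internal host
    sessions: dict = field(default_factory=dict)  # (proto, wan_port, remote) -> (lan_ip, lan_port)
    next_port: int = 40000                        # next WAN-side port for outbound translation

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection; the router records a translation entry."""
        wan_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, wan_port, (remote_ip, remote_port))] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, proto, remote_ip, remote_port, wan_port):
        """Return the (lan_ip, lan_port) a packet is delivered to, or None if refused."""
        key = (proto, wan_port, (remote_ip, remote_port))
        if key in self.sessions:                  # reply to a LAN-initiated connection
            return self.sessions[key]
        if (proto, wan_port) in self.forwards:    # explicit port forward
            return self.forwards[(proto, wan_port)]
        if self.dmz_host:                         # DMZ: everything else reaches one host
            return (self.dmz_host, wan_port)
        return None                               # default: unsolicited traffic refused


def post_config():
    """Router configured as in the post: ftp, smtp, http and pop forwarded."""
    router = NatRouter()
    for port in (21, 25, 80, 110):
        router.forwards[("tcp", port)] = (LINUX_SERVER, port)
    return router


def exposed_ports(router, ports=range(1, 65536)):
    """TCP ports on which an unsolicited outside connection reaches a LAN host."""
    return [p for p in ports if router.inbound("tcp", *SCANNER, p)]


if __name__ == "__main__":
    print("reachable from outside:", exposed_ports(post_config()))
```

Setting `dmz_host` on the same router makes every port reach that one machine, which is the difference between the two options weighed in item 7.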