
Ports for emule?

Old 22 December 2005, 11:51 PM
  #1  
Nick

I changed a friend's Internet access from USB modem to a router/firewall (Vigor 2600VG). Now it seems that his son can't use emule because the firewall is blocking the ports. My friend uses his pc for business & the pc must be secure. The 2 computers (father + son) are in the same IP address range, but are not using network sharing.

If I open a load of ports for emule on the router (4661, 4662, 4665, 4672, 4711) what does this mean security-wise for the business computer?
Old 23 December 2005, 08:43 AM
  #2  
JackClark

It increases the risk. Your friend should look at what his son is using emule for, then decide if it's worth the risk to his business.
Old 23 December 2005, 09:14 AM
  #3  
EXSCOOBY

plus he will be damning himself to the fiery pit for all of eternity...
(or something eh jack tell em!!)
Old 23 December 2005, 09:15 AM
  #4  
JackClark

Well done my son, your training is nearly complete.
Old 23 December 2005, 10:04 AM
  #5  
Nick

Thanks Jack

What can actually happen to the accounts computer? Could it get hacked through the open ports, or would he have to be running emule to be hacked? (He is using XP Pro SP2 & integral SP2 firewall + McAfee VirusScan 2006 - just the anti-virus version).

If I opened the ports & forwarded them to his son's internal IP address, would that then risk the accounts computer?
Old 23 December 2005, 10:11 AM
  #6  
JackClark

Whichever way you look at it, they share a network. Ask the administrators of networks on here if they allow some machines access to the ports used for emule. Even the slightest risk is still a risk that most wouldn't take.
Old 23 December 2005, 10:58 AM
  #7  
Kieran_Burns

The golden rule for access is: None.

You restrict ALL ports by default and then open up the ones you want. ONLY the ones you want.

If you run a local firewall on each p.c. in the scenario above - and restrict the emule ports on the father's machine - it will give SOME protection.

However, if the son's p.c. IS compromised then this is the backdoor to the father's - unless the two machines are restricted from each other.
Old 23 December 2005, 11:48 AM
  #8  
Nick

Thanks guys

My preference is to not open the ports, but it's a request from an old friend & I need to be sure if I say "no".

The father's pc is on the same IP range (192.168.1.x), but is not sharing anything, also the workgroups are not the same name.

Maybe I can suggest it's ok, but the accounts computer would need ZoneAlarm?
Old 23 December 2005, 11:50 AM
  #9  
Nick

Originally Posted by Kieran_Burns
However, if the son's p.c. IS compromised then this is the backdoor to the father's - unless the two machines are restricted from each other.
Assume that the son's computer is constantly compromised (it's a typical student computer... in a mess). How do I restrict them from each other?
Old 23 December 2005, 06:49 PM
  #10  
mike1210

Originally Posted by Nick
Assume that the son's computer is constantly compromised (it's a typical student computer... in a mess). How do I restrict them from each other?
The Vigor acts as a perimeter firewall but provides no internal protection from machine to machine unless you have set up rules. Enabling the Windows Firewall on the business machine would be a good move. It gives internal protection from the other machine. Ensure no exceptions are on the wall, especially file and print sharing. These are the main ports: 137, 138, 139 and 445.

Also edited to add: McAfee will help with the virus trapping side of things.

Edited to add again (doh): the Vigor has an option to set separate VLANs on the 4 ports. On my 2600G it's in the VLAN/Rate Control menu. Enable it and tick the boxes to put them on separate networks; this should as good as isolate the PCs from each other.

Last edited by mike1210; 23 December 2005 at 10:36 PM.
Old 23 December 2005, 10:50 PM
  #11  
Nick

Originally Posted by mike1210
Edited to add again (doh): the Vigor has an option to set separate VLANs on the 4 ports. On my 2600G it's in the VLAN/Rate Control menu. Enable it and tick the boxes to put them on separate networks; this should as good as isolate the PCs from each other.
That's great - thanks very much! The SP2 Firewall is already enabled on the business computer. So I can open the relevant ports, put the 2 pcs on separate VLANs; do I suggest that the business pc also has ZoneAlarm installed to protect the open emule ports?
Old 23 December 2005, 11:25 PM
  #12  
mike1210

Originally Posted by Nick
That's great - thanks very much! The SP2 Firewall is already enabled on the business computer. So I can open the relevant ports, put the 2 pcs on separate VLANs; do I suggest that the business pc also has ZoneAlarm installed to protect the open emule ports?
The open emule ports are only open on the other computer. From the outside world, the Draytek is re-directing those ports to the son's computer. On the business computer, those ports are not accessible from the outside world, as traffic coming in will be re-directed to the son's computer. In a typical setup you have 1 public IP address, so ports can only be redirected to 1 computer on your network. To re-direct the same ports to more than one computer you would need more than one public IP address. The private IP addresses are generated to allow computers to communicate on your network (192.168.xxx.xxx); however, whatever computer you use, as soon as it leaves the router it will have the same public IP address.

Putting the PCs on separate VLANs really is a brick wall defence. The son's computer could not access the other computer in any way, so you are safe there.

ZoneAlarm? It's up to you; what I do is use the Firewall packet filter on the router to only allow certain ports out onto the net. By default on the Draytek routers, all traffic leaving the network is allowed, which isn't good if a virus gets on to your machine.

If you're interested, what I do is bind IPs to MACs and set up outgoing rules for each machine on the network. The first rules are "block if no further match" rules for both TCP and UDP traffic. Then create rules so certain IPs can go out on certain ports, for example:

UDP port 53 DNS lookups (would be needed for the net)
Port 80 HTTP - General Internet
Port 443 HTTPS - Secure Internet

PM me if you want to do it this way; it's a bit fiddly but works really well. The FAQs on the Draytek site have great info in them (www.draytek.co.uk).

One + for ZoneAlarm is that it can restrict outgoing traffic by application (i.e. it will tell you when something is trying to go out from the PC). Routers do this to some extent, but you need to know what protocol and ports the application uses.
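
The setup this thread arrives at, modelled as an added example that is not part of any poster's message: it audits what can reach each PC with the emule ports forwarded on a flat LAN, then with the separate VLANs, empty firewall exception list and outbound allowlist described in posts #10 and #12. The host addresses, the `Setup` class, the single 445 exception in the flat case and the TCP protocol for ports 80 and 443 are assumptions made for the illustration.

```python
# Added example: a toy model of the router/PC settings discussed in this thread.
from dataclasses import dataclass

EMULE_PORTS = (4661, 4662, 4665, 4672, 4711)    # ports listed in post #1
SMB_PORTS = {137, 138, 139, 445}                # file and print sharing, post #10
BUSINESS, SON = "192.168.1.10", "192.168.1.20"  # assumed addresses in 192.168.1.x

@dataclass
class Setup:
    forwards: dict  # WAN port -> the one internal host it is redirected to
    vlan: dict      # host -> VLAN id; hosts with the same id can talk directly
    fw_open: dict   # host -> inbound ports its own firewall has exceptions for
    egress: dict    # host -> allowed outbound (proto, port) set; missing = allow all

def audit(s, host):
    """Return the ways `host` is reachable, or can send traffic out unchecked."""
    findings = []
    for port in sorted(p for p, target in s.forwards.items() if target == host):
        findings.append(f"WAN port {port} is forwarded to this host")
    for peer in sorted(h for h in s.vlan if h != host and s.vlan[h] == s.vlan[host]):
        exposed = sorted(SMB_PORTS & s.fw_open.get(host, set()))
        findings.append(f"{peer} is on the same VLAN; sharing ports open to it: {exposed}")
    if s.egress.get(host) is None:
        findings.append("no outbound rules: all traffic may leave")
    return findings

forwards = {p: SON for p in EMULE_PORTS}  # one public IP, so one target per port

# Ports forwarded, but both PCs on one VLAN, a sharing exception, default egress
flat = Setup(forwards, {BUSINESS: 0, SON: 0}, {BUSINESS: {445}}, {})

# Posts #10 and #12: separate VLANs, no firewall exceptions, default-block egress
# on the business PC (the son's outbound rules are left open in this model)
allowed_out = {("udp", 53), ("tcp", 80), ("tcp", 443)}
hardened = Setup(forwards, {BUSINESS: 1, SON: 2}, {BUSINESS: set()},
                 {BUSINESS: allowed_out})

if __name__ == "__main__":
    for name, setup in (("flat", flat), ("hardened", hardened)):
        for host in (BUSINESS, SON):
            print(name, host, audit(setup, host) or "no findings")
```

In the flat case the business PC has no forwarded ports but is still reachable from the son's PC; in the hardened case the only findings left are on the son's PC.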