Author Topic: More at risk, or the same?
Jim Lindbloom
Member
Member # 2496

I realize my setup has not been optimum for security but rather more as a convenience for me. Since 2004 I've had a Dynamic IP on my HN7000S and I have simply run a Cat5 Cable from the modem to an 8 Port Switch, and then branched out to my other computers from there. No routers involved, other than the Hughes. I've always had the MS Firewall on, and about half the time running Avira Anti-virus.

Ok ... a few days ago I upgraded to the Pro Plus Plan with a Static IP. Now... IF I run the same cabling setup that I had, I'm thinking the security risk is greater than before ... since my new IP appears to be more accessible from the outside. I do NOT know if my system can be compromised by just sitting idle ... or is it compromised only when I click on something, or download something that has a virus embedded?

I can add a Linksys Router ... but if I could get by without making my hardware more complex ... that would be nice.

Since 2004 I've been infected a couple of times and have been able to clean it up easily. My User Names and Passwords are in KeePass and encrypted .. but how safe that really is, I don't know. I do online banking .... but it's all automated. Any unusual charges they call me ... and have even issued a new CC when something suspicious comes up. I only get online to reconcile. I access my IRAs online, but they have all kinds of safeguards before I can even log on, and they call me if any transactions change. But getting a Static IP may throw a new wrinkle in my security, so I'm trying to evaluate if I need to make changes.

Any insight or thoughts will be greatly appreciated.

Jim

--------------------
Jim
------------------
F1 DataStorm | D2 | HN7000S | 89W | 1170 MHz | SL3 HD
LinkSys WAP | SFF PC & LCD | SandPiper TT | Located

Posts: 322 | Registered: Jul 2005
thomasinnv
Member
Member # 7615

You certainly could be compromised just sitting idle with a static IP, especially with open ports. With a router you might be slightly more protected because you can choose to only open the ports you are using through port forwarding. I said "might" because I am certainly not the most knowledgeable in this area. I would think if you were running a firewalled router and had firewalls with some anti-virus software (try AVG Free) on your PC you should be good to go. Might be overkill, might not. I'd rather go overboard and be protected.

--------------------
1977 MCI Bus Conversion

Real Men Love Jesus!
A little about me...Faith Ministries
At the moment, we are Here
F1 Datastorm|D3|HN7000S|83W 1390|Linksys WRT54G w/DD-WRT Firmware|2 wireless laptops|Netgear SPH200W WiFi Skype Phone

Posts: 494 | From: CONUS | Registered: Jun 2008
DonB
Administrator
Member # 1

If you have a good firewall, you are fairly well protected. If you have no firewall it is generally accepted that an open computer will be infected in a matter of minutes when exposed to the internet. Thomas said "with a router you might be slightly more protected" but how that should have read is "with a router you will be greatly protected."

Your dynamic 7000S was a router with all ports closed.

It is now a router with all ports open.

If you add a router between the modem and your switch you will be back to where you were, except that you can choose to open/forward ports where you want to run a service. That can be a pain to configure, but doing it that way is far and away the most secure.

--------------------
Don Bradner
2004 Blue Bird M380
See our current location

Posts: 11207 | From: Eureka, CA | Registered: May 2003
Jim Lindbloom
Member
Member # 2496

Ok .... I appreciate the advice and it looks like I may need the router, and do the configuring.

Jim

--------------------
Jim
------------------
F1 DataStorm | D2 | HN7000S | 89W | 1170 MHz | SL3 HD
LinkSys WAP | SFF PC & LCD | SandPiper TT | Located

Posts: 322 | Registered: Jul 2005
No Alternative
Member
Member # 5069

Jim - to give a slightly different opinion...

There is nothing a firewall on a router will do, that you can not do with firewall software on your computer. If you only have one machine, using firewall software is simpler and cheaper.

ZoneAlarm is an example of free software that's been around forever and works well, and there are several others. Even the Windows firewall will give you pretty good protection - it's just a pain to configure it exactly the way you want it.

--------------------
Terrestrial Wireless (finally found an alternative!)

Posts: 233 | Registered: May 2007
Bill Adams
Member
Member # 24

Since few people ever configure anything in any firewall, something like Zone Alarm is overkill for almost everyone, especially those using a Hughes modem. With a static IP you are going to have to have a router in place to take advantage of this address and then the Windows firewall will be the second line of defense (likely unnecessary as well, but I'm not going to turn it off). If you install ZA you have to turn off Windows firewall. While there is a free version of ZA, I am not sure how ZA can be any cheaper than the free Windows firewall or the free firewall in your router.

--------------------
Bill Adams
Winegard Company

Posts: 15688 | From: Traveling the Western US | Registered: May 2003
DonB
Administrator
Member # 1

It is also generally much more difficult to configure the exceptions necessary in a firewall to run services than it is to port forward from a router.

Lots of other issues. Example: If you have any file sharing going on between local computers you have to have holes in your firewall for the file-sharing ports. Those are normally opened automatically when you enable file sharing. If there is no upstream firewall (i.e. a router), the file sharing ports are open to the internet.

I haven't checked in a while, but the last time I looked the prizes available for someone to actually hack through a router with no ports open were still unclaimed.

Essentially a router is a perfect inbound firewall. It will not protect against something going out.

--------------------
Don Bradner
2004 Blue Bird M380
See our current location

Posts: 11207 | From: Eureka, CA | Registered: May 2003
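
A local check for the exposure described in the post above, added here as an example and not written by anyone in this thread: with no upstream router, every listener not bound to loopback depends on the host firewall alone. The sketch parses Windows `netstat -an` output; the sample output, its addresses and the `INTENDED` allow-list (the FSHost ports TCP 80 and UDP 23456 mentioned in the thread) are constructed assumptions.

```python
import re

# Constructed sample of Windows `netstat -an` output; 203.0.113.11 stands in
# for the PC's public static address (documentation range, not a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    203.0.113.11:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.11:1045      198.51.100.7:443       ESTABLISHED
  UDP    0.0.0.0:23456          *:*
  UDP    203.0.113.11:137       *:*
  UDP    203.0.113.11:138       *:*
"""

# NetBIOS/SMB ports used by Windows file and printer sharing.
FILE_SHARING = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}
# Assumed allow-list: the FSHost ports named in the thread.
INTENDED = {("TCP", 80), ("UDP", 23456)}

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def exposed_listeners(netstat_text):
    """Return {(proto, port)} for sockets accepting traffic on a non-loopback address."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only sockets are not reachable from outside
        found.add((proto, int(port)))
    return found

def audit(netstat_text, intended=INTENDED):
    """Sort exposed listeners into intended, file-sharing and unexpected."""
    report = {"intended": [], "file_sharing": [], "unexpected": []}
    for sock in sorted(exposed_listeners(netstat_text)):
        key = ("file_sharing" if sock in FILE_SHARING
               else "intended" if sock in intended else "unexpected")
        report[key].append(sock)
    return report
```

`netstat` lists listeners whether or not the host firewall filters them, so the `file_sharing` and `unexpected` groups show what the firewall alone is holding back; an external port test then shows whether it actually does.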
Jim Lindbloom
Member
Member # 2496

Ok ... I think I'm starting to see the picture. My HN7000S has all ports open since I have a Static IP, and my Windows XP only has the ports opened that I've configured in Exceptions, plus the ones that certain programs have opened themselves. I have Avira running as my Anti-virus program. Since I move files back and forth a lot, all my computers have printer and file sharing turned on. Do I understand it correctly that a hacker can burrow through ANY open ports and retrieve information and/or install malicious software ... or only under certain circumstances? For instance FSHost needs UDP Port 23456 open and TCP Port 80 open, plus I needed to open about a dozen other ports. What about the "required" ports for just average use? Are they accessible too? Thanks all for your input .... it helps in understanding a lot.

Jim

--------------------
Jim
------------------
F1 DataStorm | D2 | HN7000S | 89W | 1170 MHz | SL3 HD
LinkSys WAP | SFF PC & LCD | SandPiper TT | Located

Posts: 322 | Registered: Jul 2005
DonB
Administrator
Member # 1

If you haven't done so, go to www.grc.com and run ShieldsUP! to get a report on what ports are open, and what vulnerabilities they leave you open to.

For anyone reading this that has a dynamic IP, note that it doesn't apply - all ports will be seen as open, when in fact all ports are closed. Static IPs DO have all ports open through the modem.

--------------------
Don Bradner
2004 Blue Bird M380
See our current location

Posts: 11207 | From: Eureka, CA | Registered: May 2003
Jim Lindbloom
Member
Member # 2496

It's been a while since I've been there and it was a refresher for things I'd forgotten about ... like Network Print Sharing via Port 139. So I turned it off both in the Network Icon "Properties" and in the Firewall Exceptions. Oddly enough ... it still indicates "open" even after I've rebooted. It would appear to me that the port is always open through the Hughes Static assignment for me .... and is probably closed in my computer system that I configured to be one number above that. So I don't see a way to test the actual computer I'm using that I configured 1 # above my Static IP. In conclusion, it appears that whenever I test for an open port they will always indicate open ... because the Hughes Static IP blocks no ports, but I really can't test this computer? I tried another .... UDP 2300 ... not checked in Exception ... but open when I probe. I used www.grc.com and www.canyouseeme.org.

It also seems weird that if I go to www.whatismyip.com it shows an entirely different # .... maybe an intermediate server?!?

Anyway ... back to the books and Google.

--------------------
Jim
------------------
F1 DataStorm | D2 | HN7000S | 89W | 1170 MHz | SL3 HD
LinkSys WAP | SFF PC & LCD | SandPiper TT | Located

Posts: 322 | Registered: Jul 2005
DonB
Administrator
Member # 1

When you go to whatismyip.com you go by http, which is proxied and shows the proxy server at Hughes.

When you go to ShieldsUP! it is https, which is not proxied. What IP is used will depend on how you are getting there.

If you are using a computer with a dynamic IP (192.168.0.x) it will show the modem's IP. If you are using a computer with a static IP set, it will show that IP. If it does not, your configuration is wrong in some way. The modem would show all open, but the computer should only show open if they are, in fact, open.

If you have a router, normally the router has the static IP on its WAN, and all computers have dynamic IPs (typically 192.168.1.x). Then the only ports that should show as open would be ones forwarded in that router.

--------------------
Don Bradner
2004 Blue Bird M380
See our current location

Posts: 11207 | From: Eureka, CA | Registered: May 2003
Jim Lindbloom
Member
Member # 2496

Wow .... so much to learn, so little time, especially at 72!

I do not at this point have a router. I DO show the correct Static IP with a probe from grc.com for my personally configured computer. But ... when I do the port testing does that mean that a probe coming from www.grc.com is probing my modem, or probing my computer that has the Static IP that I configured (one number higher)? The reason I asked follows.

For example: In the Firewall Exceptions Window, I had a UDP Port 2350. As a test I deleted it and rebooted my computer. Using grc.com to test, it still shows open ... so I'm wondering if Windows Firewall is really working ... or if grc.com does not check my actual computer but only the Hughes Modem?

Sorry to be such a bother .... I have been "cutting and pasting" and am really trying to understand and learn this. I DO appreciate the guidance and advice.

--------------------
Jim
------------------
F1 DataStorm | D2 | HN7000S | 89W | 1170 MHz | SL3 HD
LinkSys WAP | SFF PC & LCD | SandPiper TT | Located

Posts: 322 | Registered: Jul 2005
DonB
Administrator
Member # 1

Routers are cheap and rather easy to configure (Real easy if you don't need ports open, just a little harder when you need to forward ports).

Windows firewall is very hard to keep properly configured, partly because so many programs are able to manipulate it.

Given the two above, it makes no sense to put a public-IP computer on the internet.

--------------------
Don Bradner
2004 Blue Bird M380
See our current location

Posts: 11207 | From: Eureka, CA | Registered: May 2003
John Watson
Member
Member # 11

If you think www.grc.com is scary, think about the hackers using powerful tools like NMAP to probe your system. They have ways of using SYN/ACK protocol components to see open ports and some very stealthy tricks with random numbers to fool primitive firewalls. When I put a server on the internet, I depend on stronger tools than an M/S built-in firewall and I check it with NMAP. The enemy is upon us and we need to learn to use his tools!

John

--------------------
XF3 iDirect, TEK-2715 SpecAn, MultiTech MVP & Cisco 7960 VoIP, Allegro Bus

Posts: 971 | From: full-timer | Registered: May 2003
Jim Lindbloom
Member
Member # 2496

Ok .... Sounds like what I REALLY should do and should have done all along. I do have a WRT54GL Wireless G Router I bought last summer ..... There wouldn't be any disadvantage to using this particular model that also has wireless capability, would there?

--------------------
Jim
------------------
F1 DataStorm | D2 | HN7000S | 89W | 1170 MHz | SL3 HD
LinkSys WAP | SFF PC & LCD | SandPiper TT | Located

Posts: 322 | Registered: Jul 2005