Set up simple network and ensure security

[balm]

thank you golden,

im just trying to "understand", why i shouldnt disable some of the outbounds, and why is netbios the only disabled (outbound/inbound)?

thanks (as you can see im new to this)

 

[wilywombat]

Hi, been out of town for a couple of days. Personally I would disable any of the outbound that I wouldnt be using eg If you don't use telnet or IRC then disable these and any others from your list that you dont use. Make sure you don't disable HTTPS or HTTP though!! (You need HTTPS to carry out any secure comms such as bank accounting, Paypal etc. )

 

[balm]

welcome back , thank you.
so if i use basic home applications, ms office, windows live mail, gmail, IE8, & home network, i will basically keep ONLY https, http, smtp, imap, pop, enabled

 

[wilywombat]

Thats correct, go ahead and fill your boots!!!

 

[balm]

Whats going on,

all of sudden i cant connect to windows live mail gmail account on the laptop and cannot SEND emails.

It says cannot connect to IMAP server xxx.xxx.x.x:143 (routers IP address), error 10061...configuration IMAP...Port 143...code 800ccc0f...etc

ive tried everything, including disabling avast antivirus, rebuild email account, restart router, all settings are identical on both the desktop and laptop, (i think).

the desktop email works no problem.

the only things that changed since this problem started is i reset windows firewall to default rules (inbound blocks all except corenetworking / outbound all is allowed)...

any idea whats blocked my sent gmail WLM emails from my wirelss laptop only???

The isp Bell sympatico could not solve it!

thanks


edit: after redoing the account here is the latest message:

An unknown error has occurred.
Subject 'weeee'
Server Error: 421
Server Response: 421 Cannot connect to SMTP server 74.125.157.109 (74.125.157.109:25), connect error 10060
Server: 'smtp.gmail.com'
Windows Live Mail Error ID: 0x800CCC67
Protocol: SMTP
Port: 25
Secure(SSL): No

 

[wilywombat]

Suggest you retrace your steps and do a sytem restore to before you disabled any of the windows firewall settings as it appears that you have stopped something essential from getting through the firewall. Personally, I use Comodo Firewall Pro which is free rather than the windows firewall, its easy to setup and there is plenty of reporting what is going through your firewall. The only thing about Comodo is that it works so well that sometimes you may feel nagged when it asks you if you want to allow such and such program to change your settings. But hey, at least your sure its doing its job and it does get very high ratings for security.

 

[balm]

willy, thank you....


1. can you take another look at my post #17, because you had mentionned to change the IP range to 5+- numbers, whats best for security purposes i can do on my router...?

2. re. my windows firewall, i understand some people just block all outbound traffic also (even behind a NAT router), so if i do this, i assume i need to open exceptions for web, email, etc...etc...otherwise ill end end up with problems, correct?

3. also configuring windows defender, in options, default actions, i left all items as "recommended action based on definition", then i did NOT enable "apply recommended actions"...is this ok as is...(BTW, i have never received any message warnings, even though avast picks up on issues) ?


thanks

 

[wilywombat]

Hi Balm,

thank you,

my router/modem:


in "edit advanced home network settings" tab,

Sets the IP address range used by the home network. You can choose from three standard configuration options (the default is 192.168.1.0/255.255.255.0), or configure the network settings manually.


"settings - private network" section, Sets the IP address range used by the home network. You can choose from three standard configuration options (the default is 192.168.1.0/255.255.255.0), or configure the network settings manually.

"configure manually" radio button is on, "enable dhcp" is checked (and shows 1st and last dhcp address), also has "default dhcp pool" radio button on,

...in "current settings - device list" section, it shows the two computers with the 1st, & 2nd addresses from the dhcp range

in "edit adress allocation", "settings", "Specify Device Addressing and Public/WAN IP Address Mapping",
it shows each computer with "current address"m (1st, & 2nd address), and under "address assignment" there is drop down list with first item "private from pool: xxx.xxx.x.x" and all sequencial "private fixed: xxx.xxx.x.x" adresses (in dhcp range) following....


1. does the router use dhcp to assign static ips...?

2. if wanting more security what defaults need to be changed and to what?

3. if these addresses arent static, is it better to assign static addresses to the computers and if so how?

thank you

In answer to your latest q's:-

1. The bestyou can do for security is to set the number of available i/ps in you DHCP pool to the number of computers on your network + 1 i.e. using the default setting you have (192.168.1.0/255.255.255.0), assuming you have 2 computers on the network, you would set the highest available i/p to 192.168.1.2. This gives 3 addresses available from 192.168.1.0 to 192.168.1.2. The first, 192.168.0.1 is used as the i/p for the router and the other 2 are used for the networked computers. The router allocates the available pool of addresses to computers as they log onto the network and will only use the available range that you set up previously. Using the example settings, this means that if you have 2 computers that have logged in, then a friend comes to visit, they cannot use your network as there is no available DHCP address available until one of the 2 computers leaves the network. This is why I suggested having a spare address or 2 to allow for visitors, smartphones or ipods to connect to the network. As long as you setup to use WPA2 security, having the extra addresses available should not increase your security risk.

2. Yes that is correct, but if you are unfamiliar with setting up firewalls it could be better to get a well known commercial firewall such as Zonealarm or Comodo as these are easier to setup. If you do go this way, you should disable your windows firewall as the 2 firewall (windows and the one you install) may clash and cause you problems...look at it like 2 siblings trying to agree!!

3. Yes, its OK but you will get any alerts notified to you and be asked for a response. Again, personaly I use Microsoft Security Essentials(free) as my anti-virus and Malwarebytes Anti-Malware instead of Windows Defender. Im not saying that this would be best for you but both are worth investigating as they are the ones most recommended here in the forums...

 

[balm]

thanks wily, youve been very generous, i appreciate your input....

1. so reducing the pool to the number of computers, removes the "room" for the bad guys, but doesnt this increase the odds of them spoofing the addresses used (is that even doable)? - im just trying to really wrap my head around this....


2. doing this, is it essentially the same as assigning a static IP to the computers, since it will only ever be one of two usable addresses?

3. i read a security tip is to also change the routers default ip address....?


thanks

 

[wilywombat]

Hi Balm,

Its been my pleasure to help you...Knowledge is a luxury best shared!!

In answer:-

1. You are correct in your description re the"room" for bad guys, but don't forget that the addresses are "inside" your router. I guess the best analogy for a router is a doorway with a signpost inside the door that points the way. If you use the inbuilt hardware firewall then this is like having a security guard on the door. Remember the signpost I mentioned? well that contains the addresses in your DHCP pool, so you need to have been allowed "inside" the door to read the signpost!

2. DHCP or Dynamic Host Control Protocol is a means where your router assigns the pool of addresses as and when needed. Remember the signpost earlier? DHCP is the bit that says on the sign this way to get to this ip address and there you will find computer "x". The greater the number of pool adressses you have, the greater the number of blank signpost pointers available. Also, when you shutdown your computer, the router clears the connection of ip address to computer "x" on the signpost and makes the address available to somebody else that is allowed to pass through the door.

3. Yes, changing the routers default ip address is good. Just remember to keep the address recorded somewhere safe such as on a piece of paper stuck to the bottom of the router. This is advised as it is all too easy to forget the ip address and lock yourself out of the router. (This can be overcome but you would have to reset your router and put all your settings back in)

 

[balm]

thank you wily, hopefully other beginners might benefit from the basic discussion here...


1. i noticed in the MAC address filtering, my network computer is addressed by its name, is that the same as its numbered (physical) mac address?

2. if i use the automatically connect to wireless network, is there any risk of connecting first to someoneelses nearby unprotected/open wireless network- iassume no since by default my network would be "preferred"...?


3. i just noticed in the wireless network properties a setting named "enable WLAN connection settings", should this be enabled, and what is it (so far i never enabled it)?

 

[wilywombat]

Hi Balm,

1. Your network computer name is setup when your OS was installed or if you change it subsequently. The numbered (physical) mac address is a unique number that is assigned to your network adaptor when it is manufactured. If you use mac address filtering, you will add a further layer of security but it depends on how paranoid you want to be!!

2. You will normally connect to your preferred network first but any network whether open or protected will show up as a detected network if the signal is sufficient. Its just that you would not be able to connect to the protected network as you wouldn't have the WPA2 password key(assuming WPA2 security). Do not set up your network with WEP security as this is as good as an open book to a drive by hacker as it is easy to crack with the correct tools.

3. The simple answer to this is, how did you set your wireless connection up and is it working? If you used the manufacturers setup disk or it came ready setup on your system and it is unchecked, leave it alone as it is not needed!

 

[balm]

thank you.

1. so lets say im a bit obsessed, to enable MAC filtering I need to enter the following addresses (from ipconfig /all) :

a) wlan adapter - physical (6 pairs of 2 digits, separated with hyphen) - would be wireless laptop device;

AND

b) ethernet adapter - physical (6 pairs of 2 digits, separated with hyphen) - would be ethernet cabled desktop device


Note: i can ignore router "access point" settings MAC address (i assume this is the MAC of the router itself)

also i noticed the "hardware address" in router settings for the ethernet connected desktop does NOT match the physical address seen in ipconfig /all for the same device?


2. Re. open networks vs my own, so the automatically connect option i enabled can only ever do an automatic connection ONLY to my own network, as opposed to automatically connecting to a nearby fully open network ...correct?

can you comment these?

 

[wilywombat]

1. MAC filtering only applies to wireless networking ( after all, if you are connected to the router via ethernet you areconnected physically via wires!!)

2. If you have selected your network as the one to connect to then the system will try to connect to this first. If you select a different open network subsequently, then when you reboot, it will try and connect to that open network first.

 

[balm]

Gotchya, thanks!

 

[wilywombat]

Pleasure!!

 

[balm]

1. i understand i can change the router default private ip address to another custom one thru the router config, do i also have to reset in cmd windows?

2. my isp told me to assign private static ip address to each computer i can leave all DHCP settings as is in the router config (enabled DHCP), and just assign the ones i want on the computer itself....is this all thats required?

3. in your opinion is any of this REALLY necessary security wise, given a small home network, and the WPA2 encryption...

thanks

 

[wilywombat]

Hi Balm,
You still have some doubts Eh?!!!

1. Re changing the router default address, this issue was dealt with in #30 above.

2. Your ISP needs to read #28 and #30 above to see how DHCP works! If you leave DHCP enabled (best option), the DHCP server takes care of the ip address allocation and you DO NOT need to set any of this up in your computers.

3. Remember your question earlier in #33 about MAC filtering? The same answer is also true for WPA2 encryption ie. it only applies to wireless networking. The advice for reducing the range of DHCP addresses applies whether you have all wireless or mixed wireless/ethernet networking as this does leave less addresses for a hacker to guess. The main arsenal on your side is the routers inbuilt firewall and DHCP to make ip allocation easier.

Remember...they are not all out to get you...just a few scumbags!!!

 

[balm]

thanks, hope i didnt ware you down yet....im trying to get up to speed after ZERO knowledge about networks/routers....im getting there now!


i know a few scums can really cause havoc though...i learned the hard way...

re. 2. i think i didnt express properly, its because i asked them how to set "static" adresses in the computer....but i get your point....BTW...my ISP tech support is VERY scary....maybe i know more than some of them now, thanks to being here!


Until the next time...thanks again!

 

[wilywombat]

Hey Balm, my pleasure. If you have any other probs, come back to the forums and ask and someone will always help!!