Thread: Configuration question

  1. #1
    ccannard Guest

    Configuration question

    I am running the Security Suite after just installing it. The computer has a Gig E connection that is physically connected to my network and a Wireless connection through a Wireless Bridge. I do not trust the wireless network and would like to completely segregate ALL traffic from the Wireless network. What I wish to accomplish is to protect my LAN should the wireless network become hacked.
    So to sum things up, I do not want anything on the Wireless network to be able to use the PC to cross into the LAN.
    Is this possible, and if so, how do I configure it.
    Thanks.

    Operating System:Windows XP Pro
    Software Version:7.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,292

    Re: Configuration question

    Hi!
    not an expert on networking... but you can simply set the wireless connection as 'Internet' in the ZA firewall --> Zones (if it is listed there). This way wireless will be treated external to your LAN.

    Cheers,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    ccannard Guest

    Re: Configuration question

    Sorry for the delay in getting back to you. I was out on vacation.
    I have already set the Wireless network as an Internet Zone. My understanding of your response is that by placing the Wireless network into the Internet Zone that it will only allow traffic to the server but not through the server.
    Is this correct?
    Thanks.

  4. #4
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,292

    Re: Configuration question

    Hi!
    yes and no. It will allow connection if they are originating from you (your system) while dropping any other attempt to connect to you.

    Cheers,
    Fax


  5. #5
    ccannard Guest

    Re: Configuration question

    So if a user were to hack into the computer via the wireless network and gain control of the server remotely, then they would still be able to access everything on the LAN side of the server.
    What I am looking for is a solution that basically prevents anything from the wireless network (even if the computer becomes compromised) from traversing the computer into the wired LAN.
    Is this possible with Zone Alarms or not?
    Thanks.

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Configuration question

    They could not "hack" into your computer unless you allow them to do so.
    The ZA in the default configurations will prevent this.

    They could only gain control of any server aspect of the router/gateway IF they could log into the router using your secret login name and password (you did change the default login/password, did you not?).
    They could not log in to anything on the local area network or open ports of these devices unless they are able to login remotely (you did set up login accounts on your PCs?).

    Basically you are protected by the ZA from wireless war drivers or wireless hackers, if you use the proper encryptions (wep or wep2), have correctly mac'd in all of the computers to the routers and statically assigned IPs for the computers according to the router's route tables.

    IF you are still overly concerned about intruding war drivers, then I would suggest to use a strict double nat approach. This is not related to the ZA nor is it really required. But that is the correct answer to your question.
    The route table of the wireless would exist below and out of the higher route table of the wired router. No overlapping would be used or even considered.
    Thus a computer (ie 192.169.1.2) in the route table of the wireless (ie 192.169.1.1-192.169.1.254) would be out of the wired computer (ie 192.169.2.2) of the wired routers route table (ie 192.169.2.1-192.169.2.254).
    Any computer of the higher route table will be able to connect to any device of the lower route table (that of the wireless router), but no computers of the lower route table would be able to connect to any of the computers of the higher route table (that of the wired router).

    I will save you work and point you to a good start at understanding how double nat/routers work:

    http://www.grc.com/nat/nat.htm

    http://www.grc.com/nat/nats.htm

    The rest is up to you.
    I have no desire on helping any user online how to do a double nat arrangement.
    It is easy once it is done after the first time and is very easy after that first time, but the first time for double nat set ups just confuses many people (who have little understanding of route tables or routers or local area networking).

    Oldsod.

    Message Edited by Oldsod on 06-23-2008 03:29 PM
    Best regards.
    oldsod
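
The double-NAT behaviour described in post #6, as an added example that is not part of the original thread: a toy stateful NAT in Python showing why the wired ("higher") side can open connections to the wireless ("lower") side but unsolicited traffic the other way is dropped, and how a port forward reopens that path. Subnets are the ones given in the post; the router WAN address `192.169.1.254`, the class `InnerNat` and all port numbers are assumptions.

```python
import ipaddress

# Subnets as written in the post above; everything else is assumed for illustration.
WIRED_NET = ipaddress.ip_network("192.169.2.0/24")   # inner ("higher") LAN
INNER_WAN_IP = "192.169.1.254"  # wired router's port on the wireless segment (assumed)


class InnerNat:
    """Toy stateful source NAT between the wired LAN and the wireless segment."""

    def __init__(self, wan_ip, forwards=None):
        self.wan_ip = wan_ip
        self.next_port = 40000
        self.table = {}                 # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.forwards = forwards or {}  # wan_port -> (lan_ip, lan_port), explicit port forwards

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A wired host opens a connection: rewrite the source, record the mapping."""
        if ipaddress.ip_address(lan_ip) not in WIRED_NET:
            raise ValueError("outbound() is only for hosts on the wired LAN")
        wan_port = self.next_port
        self.next_port += 1
        self.table[wan_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return (self.wan_ip, wan_port)

    def inbound(self, remote_ip, remote_port, wan_port):
        """Packet arrives on the WAN side: return the wired (ip, port) reached, or None."""
        entry = self.table.get(wan_port)
        if entry and entry[2:] == (remote_ip, remote_port):
            return entry[:2]                 # reply to a connection a wired host started
        if wan_port in self.forwards:
            return self.forwards[wan_port]   # a forward lets any wireless host in
        return None                          # unsolicited: no mapping, dropped


def demo():
    nat = InnerNat(INNER_WAN_IP)
    src = nat.outbound("192.169.2.2", 51000, "192.169.1.2", 80)   # wired -> wireless
    reply = nat.inbound("192.169.1.2", 80, src[1])                # matching reply
    probe = nat.inbound("192.169.1.2", 3333, 80)                  # unsolicited probe
    other = nat.inbound("192.169.1.3", 80, src[1])                # wrong peer, same port
    fwd = InnerNat(INNER_WAN_IP, forwards={8080: ("192.169.2.2", 80)})
    forwarded = fwd.inbound("192.169.1.2", 3333, 8080)            # forward exposes the LAN host
    return src, reply, probe, other, forwarded


if __name__ == "__main__":
    print(demo())
```

The last case is the one that matters for a host that must keep ports open for an application: each forward is a path from the untrusted segment to the wired LAN that the NAT no longer blocks.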

  7. #7
    ccannard Guest

    Re: Configuration question

    Yes, I do have the highest level of encryption available to me configured, mac addresses locked down, authentication required on the computer using LONG complex passwords, and using static IPs. I do not allow wireless in the network because of how easy it is to hack through even the strongest encryptions out there right now. That is my concern. I actually have a hardware firewall between this computer and my network so I am blocking things there also, but some ports have to be open to allow the application running on the box to work. I just wanted to make sure that I had as much protection working against any future hackers as possible.
    I was not aware that Zone Alarms prevented the typical war driving / wireless hacking techniques. That is good to know.
    Thanks for your input.


  8. #8
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Configuration question

    The IP's of the wireless connected computers can be blocked off in the wired computer's ZA Zones (of the firewall).

    Wireless protection in the Zone Alarm was introduced long ago, when the ZA Pro and the ZA Plus and the ZA Wireless versions were still available. Only the ZA Pro survived, since it evolved into a combination of all three. The ZA suite, ZA antivirus and ZA antispyware versions are all offspring of the now combined/finalized ZA Pro.

    Open the ZA | Firewall | Advanced and set the ZA for optimal security.
    Set the wireless connections to Internet or unTrusted (Automatically put new unprotected wireless networks (WEP or WPA) in the Internet Zone).
    And set it up for the correct connection (This is a client of an ICS/NAT gateway running ZoneAlarm ...)

    The actual MAC of the gateway/router can be blocked or allowed in the Expert of the Firewall. It is found in the Gateway option. You could lay in rules and block the MAC along with the IP of the wireless and allow the MAC along with the IP of the wired router/gateway. Along with the appropriate DHCP (bootps) and DHCP Client (bootpc) ports that are always needed. Plus you could use the MAC and IP in the Expert to block the unwanted wireless computers from the wired desktop or control the ports and the connections.

    I have just helped another ZA user with using rules for the DHCP with the correct MACs in this post:

    http://forum.zonelabs.org/zonelabs/b...ssage.id=52448

    If you wish to do the same only adapted for your own situation, I will assist you or answer your questions.

    You could still do both the double nat and do the extra Expert rules in the ZA.
    Not only would the network be tabled for maximum security, but the firewalls would be correctly setup for maximum security at the same time ( as far as the local area network is concerned).
    On the other hand, the ZA will see the network MACs and work silently with the information and appropriately for the best security. Without any user intervention or use of Expert rules.

    Oldsod.

    Message Edited by Oldsod on 06-23-2008 05:31 PM
    Best regards.
    oldsod
