• Firewall – Trusted vs. Internet

    #430296

    I am using eTrust Personal Firewall which seems to be set up a lot like ZA. So my question is – What is the difference between zones – Trusted vs. the Internet?

    I have an entry in Firewall/Zones for my 192.168.1.0/255.255.255.0 network connection, which gives me access to the internet through my router/cable modem. And it is in the Trusted zone. When I set up the firewall, it automatically put this entry there for me so I didn’t have to decide about it.

    What else would I ever add to this panel and when would I use the Internet zone? Guess that is more than one question!

    • #1004328

      Do you have other computers on your local network?
      If so they are blocked, if they are NOT listed.

      DaveA I am so far behind, I think I am First
      Genealogy....confusing the dead and annoying the living

      • #1004333

        I have two computers – connected via the router/cable modem. They are my PC, (via RJ45) and my Mac (which connects wirelessly). Both are able to connect and receive email okay. Both have 192.168.x.x numbers. Do I need to add them? To the Trusted zone?

        • #1004338

          Yes, add them, by specifying their IP addresses.

          Ian

          • #1004343

            I do have my settings set the same way as you show in your post 562,889 so at least we have one thing in agreement! grin And I will add my two IP numbers as well.

            > The internet zone is just everything else that you don’t include in the trusted zone.

            Okay now I’ll show my complete ignorance – what do you mean by your statement – which is in italics above?

            More questions – Why do they give the option of Internet zone? What is it used for? When would I put something in that zone? Now I am on a roll – lots of questions!

            thankyou

            • #1004346

              > The internet zone is just everything else that you don’t include in the trusted zone.

              I just mean that the two other computers on your home network are the trusted zone. The rest of the world is the internet zone.

              > Why do they give the option of Internet zone? What is it used for? When would I put something in that zone?

              They give the option so that you can apply stricter security to the rest of the world – I don’t want you (no offence – nor anyone else outside my household either!) getting access to the files on my hard disk. That’s why I use a firewall. You don’t put anything in the internet zone. It is where every computer in the world is, apart from those you have put in your trusted zone.

              Ian

            • #1004356

              Thanks for your reply and no offense taken. smile I wouldn’t want anyone snooping through my stuff either! laugh I think I have my firewall set up pretty much the way I want it now and feel better about it – at least until I think up more questions! grin And after doing some more reading of the posted information in the Lounge, I think I’ll add back in my DNS and DHCP IPs to the trusted zone as well – based on this post 543,867 of Rebel’s. These two entries were puzzling me too because I didn’t know which way they needed to be – “Trusted or Internet” but it looks like “Trusted” is where they should be placed. thumbup

              Thanks again for clearing up some of my questions! yep

            • #1004364

              Trusting all PCs in your private address range is okay unless you have a wireless access point. Then you might want to be less trusting because of the possibility that a stranger could connect into your private address range. Using WPA (Pre-shared Key) and a strong password on your wireless access point should limit the risk of that. And using a password on any shared folders also is a good idea. Finally, closing off any ports that locals don’t need to access also is a good idea. I don’t know how you do that in ZA/eTrust, but another user probably could tell you.

            • #1004405

              I do have my wireless protected with a password so I feel fairly comfortable about it, never complacent though! And I decided to give both computers a Shields Up test. They passed – all stealth. And at last, I am finally able to see both the PC and the MAC. The only other thing I need to figure out is how to password protect shared folders. The sharing and permissions dialog box is a lot different than what I was used to on the Windows NT box (I’m using XP Pro now) I’m wondering if that is because I need to look into the Local Security Settings and change something in there? Anyway, I am further along than I was!
              thankyou

            • #1004421

              > I do have my wireless protected with a password so I feel fairly comfortable about it,

              There are a number of different ways to protect a wireless network with a password. Some of these are fairly secure, others are fairly easy to crack. If you are using WEP then a hacker simply needs to log packets for a few hours to be able to find your password. Depending on where your network is, and how many hackers are likely to be interested, this may be an acceptable level of risk.

              StuartR

            • #1004457

              Hi StuartR – We live on a fairly busy state highway with the nearest neighbor being about a quarter of a mile away so I don’t “think” I’ll have any problems with someone hacking in. Of course I realize that nothing is impossible anymore.

              While looking at my router settings, I see there is a place where I can limit access by requiring the MAC address of that computer, and then the computer must also have the correct SSID and WEP settings to be able to access my wireless connection. At least this is what I understand about it as I read through the descriptive information?

              There is also an area where I can turn off SSID Broadcasting, which I have done. And lastly I guess I could hard wire this computer instead of using the wireless feature since it is a desktop and sits quite close to the router. I was experimenting with the features of wireless and how it actually works! Plus it is nice to eliminate at least one cable from the mess. smile

            • #1004463

              It is worth turning off the SSID broadcast, as this will prevent people running standard Windows software from seeing your network. The SSID would still be available to anyone running a linux system with a wireless “sniffer”.

              It really isn’t worth enabling MAC address filtering. Even standard Windows systems allow people to transmit a fake MAC address, and it is easy to pick these up with the same “sniffer”.

              The best change you could make, if your Network Access Point supports it, is to enable WPA encryption instead of WEP.

              regards,

              StuartR

            • #1004471

              > …is to enable WPA encryption instead of WEP.

              It does support this feature and I could make this change. It has a box that limits the key lifetime. The description of this feature says: This setting determines how often the encryption key is changed. Shorter periods provide greater security, but adversely affect performance. If desired, you can change the default value (which is currently 60 minutes). That isn’t much time? I realize that if they made the time unlimited, it would no longer be as secure as it was meant to be but I am not sure I want to worry about changing this password key very often. Maybe if I lived in the middle of a densely populated area, it would concern me more. If it were something that could be done maybe every three months instead of every hour, it would be more feasible…based on the same principle of the length of time given to users before they have to change their passwords. That wouldn’t be quite so demanding. If I did my math correctly, the router program won’t let me enter 907,200 minutes. grin

              thankyou

            • #1004480

              WPA key changes happen automatically in the background, that is why catching a few hours worth of packets won’t crack them. The only reason for making the key change more frequent is if you are moving many Megabytes of data so that too many packets would be exposed in one hour.

              If you can configure your switch and your network cards for WPA-PSK then you give them a PreSharedKey (PSK), which is only used for the very first few packets, whilst they negotiate a key. They then negotiate new keys every hour (or whatever you have set) so that the key cannot be cracked by someone collecting packets.

              StuartR

            • #1004481

              So this is done automatically by the program with no further intervention by me?

            • #1004482

              Yes, you just set the initial key at each end. This initial Pre Shared Key is used each time the devices connect, and then the key negotiation is completely invisible to you.

              StuartR
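              The key handling StuartR describes, as an added illustration that is not part of the thread: both ends derive the same master key from the shared passphrase and the SSID (that derivation, PBKDF2-HMAC-SHA1 with 4096 iterations, is the real WPA-PSK one), the passphrase itself is never transmitted, and the keys actually used on the air are mixed with fresh nonces per connection and rotated on the router's key-lifetime timer. The per-session and rekey steps below are simplified HMAC stand-ins for the 802.11i handshake, not its wire format; the passphrases, SSID and nonces are constructed sample values.

```python
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
    This is the standard IEEE 802.11i derivation, done independently by the
    access point and by each client; the SSID acts as the salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def session_key(pmk: bytes, ap_nonce: bytes, client_nonce: bytes) -> bytes:
    """Simplified stand-in for the 4-way handshake's pairwise key derivation:
    the master key never goes on the air, only the two random nonces do, and
    each connection therefore gets a different traffic key. (The real PRF also
    mixes in both MAC addresses; this HMAC only illustrates the idea.)"""
    return hmac.new(pmk, b"pairwise" + ap_nonce + client_nonce, hashlib.sha256).digest()


def handshake(ap_passphrase: str, client_passphrase: str, ssid: str) -> bool:
    """Both sides derive their own PMK and session key; they agree only if the
    passphrases match. Nonces are fresh random values for every connection."""
    ap_nonce, client_nonce = os.urandom(32), os.urandom(32)
    k_ap = session_key(pmk_from_passphrase(ap_passphrase, ssid), ap_nonce, client_nonce)
    k_client = session_key(pmk_from_passphrase(client_passphrase, ssid), ap_nonce, client_nonce)
    return hmac.compare_digest(k_ap, k_client)


def rekey_schedule(start_key: bytes, lifetime_minutes: int, window_minutes: int) -> list:
    """Keys in use during a capture window of the given length, with the router
    rotating every `lifetime_minutes` (60 by default in the thread). Each new key
    is derived from the previous one here; in a real WPA network the access point
    pushes a fresh group key instead. The point is the same: a capture spanning
    the window sees only window//lifetime + 1 keys' worth of traffic each."""
    keys = [start_key]
    for epoch in range(window_minutes // lifetime_minutes):
        keys.append(hmac.new(keys[-1], b"rekey" + epoch.to_bytes(4, "big"),
                             hashlib.sha256).digest())
    return keys


if __name__ == "__main__":
    # Constructed sample values; not anyone's real network settings.
    SSID, GOOD, BAD = "HomeNet-example", "correct horse battery staple", "password1"
    print("client with right passphrase joins:", handshake(GOOD, GOOD, SSID))
    print("client with wrong passphrase joins:", handshake(GOOD, BAD, SSID))
    first = session_key(pmk_from_passphrase(GOOD, SSID), os.urandom(32), os.urandom(32))
    print("distinct keys in a 5-hour capture at the 60-minute default:",
          len(set(rekey_schedule(first, 60, 300))))
```

The `pmk_from_passphrase` output can be checked against the published 802.11i test vector (passphrase `password`, SSID `IEEE`), which is why the SSID matters: the same passphrase on two networks with different names yields different master keys.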

            • #1004484

              StuartR – Thank you! I appreciate the explanation and patience – I shall give it a go to see how it works. grin

            • #1004984

              An update! I was able to accomplish the more secure connection but I kept having trouble being disconnected after around 2 hours. Since this is a MAC that I am working on for wireless, it isn’t as simple for me to figure out yet, how to refresh connectivity, etc. So I have gone back to being hardwired to the router. It’s more secure anyway and I won’t have to fuss with disconnections. I have disabled the wireless in the router dialog page and can always enable it if the kids show up with their wireless laptops! Thanks for all the help. I definitely understand that router a bit more. Maybe one of these days I will graduate from the beginner network level! grin

            • #1005088

              Hi Skitterbug,
              > If desired, you can change the default value (which is currently 60 minutes)

              Just as a test for the Mac connectivity, you could set this value to 0 (ie. the key wouldn’t change) and see if this makes a difference.

    • #1004335

      Obviously your router needs to be able to communicate with your computer. As Dave A has said, if you have other computers in your network, they need to be in the trusted zone to be able to communicate with your computer. The internet zone is just everything else that you don’t include in the trusted zone. This simply enables you to give a higher level of access to your local network than you would to the big bad world the other side of your router. You don’t need to add anything to the internet zone, you just set the security setting at an appropriate level.

      It seems to me that eTrust Personal Firewall is more than just set up a lot like ZoneAlarm – as far as I can see it is ZoneAlarm rebadged.

      I’ve shown below an example of settings in ZA showing the difference between security in the two zones. Set like this, the other two computers in my house can see my files, and print to my printer.

      Ian
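      The zone model Ian describes, as an added example rather than anything from the thread or from ZoneAlarm/eTrust: an address is in the Trusted zone if it matches any listed network or host, everything else is the Internet zone, and each zone gets its own policy for services such as file sharing, printing and ping. The LAN entry is the 192.168.1.0/255.255.255.0 one from the thread; the host addresses, ISP server addresses and the inbound connection attempts are constructed placeholders from documentation ranges. It also shows the choice raised later in the thread: trusting the whole private range versus listing individual machines, which matters once a wireless access point is in play.

```python
from ipaddress import ip_address, ip_network

# Constructed sample configuration. The LAN is the entry from the thread;
# the remaining addresses are placeholders, not anyone's real hosts.
HOME_LAN = ip_network("192.168.1.0/255.255.255.0")
LAN_HOSTS = ["192.168.1.10", "192.168.1.11"]        # the PC and the Mac
ISP_SERVERS = ["203.0.113.53", "203.0.113.67"]      # ISP DNS and DHCP servers

# Standard ports mapped to the service they carry; 0 stands in for ICMP echo.
PORT_SERVICE = {445: "file_sharing", 139: "file_sharing", 9100: "printing", 0: "ping"}

# Per-zone policy: the Trusted zone can reach shares and the printer and gets
# a ping reply; the Internet zone is refused everything (the "stealth" result
# a Shields Up test reports).
POLICY = {
    "trusted":  {"file_sharing": True,  "printing": True,  "ping": True},
    "internet": {"file_sharing": False, "printing": False, "ping": False},
}


def trusted_networks(trust_whole_lan: bool) -> list:
    """Build the Trusted list. Trusting the whole /24 is convenient on a wired
    LAN; listing individual hosts is the safer choice when a wireless access
    point could let an unknown device onto the same private range."""
    nets = [ip_network(host + "/32") for host in LAN_HOSTS + ISP_SERVERS]
    if trust_whole_lan:
        nets.append(HOME_LAN)
    return nets


def zone_for(src: str, trusted: list) -> str:
    """Internet zone is simply 'not in any Trusted entry'."""
    ip = ip_address(src)
    return "trusted" if any(ip in net for net in trusted) else "internet"


def decide(src: str, port: int, trusted: list) -> str:
    service = PORT_SERVICE.get(port)
    if service is None:
        return "block"                      # unknown service: refuse in every zone
    return "allow" if POLICY[zone_for(src, trusted)][service] else "block"


# Constructed inbound connection attempts (source address, destination port).
SAMPLE_EVENTS = [
    ("192.168.1.11", 445),   # the Mac opening a share on the PC
    ("192.168.1.77", 445),   # unlisted device on the LAN, e.g. a wireless guest
    ("198.51.100.9", 445),   # Internet host probing SMB
    ("203.0.113.53", 0),     # ISP DNS server pinging to see if the host is up
    ("198.51.100.9", 0),     # Internet host pinging: stays stealth
]


def run(trust_whole_lan: bool) -> list:
    trusted = trusted_networks(trust_whole_lan)
    return [(src, port, decide(src, port, trusted)) for src, port in SAMPLE_EVENTS]


if __name__ == "__main__":
    for mode in (True, False):
        print("whole LAN trusted:" if mode else "listed hosts only:")
        for src, port, verdict in run(mode):
            print(f"  {src:>14}  port {port:<5} {verdict}")
```

Run it and compare the two modes: the only verdict that changes is the unlisted 192.168.1.77, which is allowed when the whole subnet is trusted and blocked when only named hosts are. That single line is the difference between "trust my private address range" and "trust my two computers".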

    • #1004438

      When I was ready to ‘come back’ to the free ZA product I read someplace on their web pages that as part of the installation you should make sure that your LAN is entered as trusted. Not sure where I found it and this is the best I can do right now: Zone Labs: Service & Support. I also had to add the two DNS IP addresses of my cable ISP to stop ZA from giving me warnings. I guess my cable guy (ISP) is polling my machine to see if I’m still here. I never checked it out any further, so I don’t know if I made a boo-boo or not.

      • #1004459

        Hi Al,

        Thanks for the clarification about Trusted versus Internet. I really didn’t understand the difference between the two selections or what the benefit of one over the other would be. But I think, “I’ve got it” now. This whole business of router and firewall protection and proper set up can be complicated and confusing. Thankfully, I have an excellent place to come and ask questions and I always appreciate the super help that is given! thumbup
