  • Win7 “Cascaded Firewall”

    Posted on HappyElderNerd Comment on the AskWoody Lounge


    This topic contains 5 replies, has 4 voices, and was last updated by  mn– 5 months ago.

    • #1726518 Reply

      HappyElderNerd
      AskWoody Plus

      One of the potential liabilities of extending Windows 7’s useful life is that “We don’t know what we don’t know.”  Specifically, I’m concerned that various security/virus defenders may wither and no longer have updates as the cretins of the Internet discover new ways to assault users.  I’m using what I consider a reliable, supported product (Webroot Secure Anywhere; https://www.webroot.com), and (she says, with crossed fingers) I’ve not been victim of an attack (yet).

      As our systems get older, they “drift” away from the original functionality, and may–inadvertently–create problems.  One of those is local network protection from myriad threats out on the Internet–from kiddies to professionals–that could breach the WAN-to-LAN router.  So, I decided, a few years ago, to create my own “layered” defense.  I call it “cascade routers.”

      I’m using what I consider a reliable, supported product (Webroot Secure Anywhere; https://www.webroot.com), and (she says, with crossed fingers) I’ve not been victim of an attack (yet).  That’s conventional.

      But wait, there’s more!  In addition to having Webroot on all LAN systems, I have a two-tier Internet connection:  Between the incoming WAN line, and the main Internet router with all the security widgets, I have inserted a simpler router, with my assigned WAN IP address exposed to the world.  That router translates to an unconventional (aka “uncommon”) IP address on its LAN side.  The second router (from a different manufacturer) connects to the first router, and transports to/from the internal network that is, again, an unusual range of IP addresses for the home LAN.  I call this melange “cascaded routers.”  I intentionally make the configurations unconventional (for one example, non-continuous LAN-side addresses) to increase an intruder’s workload.  The “external” router is, relatively, less complicated than the “internal” router…that way, there’re fewer resources an intruder can use to reconfigure that router to be able to get through to the second router.

      Why?  Because criminals are opportunists.  Given an unlocked door adjacent to a locked door, they’d choose the former.  I’m just adding the complexity of forcing any wanna-be intruder to figure out how to reach and reconfigure the SECOND router (different vendor, more complex features, that must be configured from the LAN side), and do so reliably, before they can interfere.  Why should they bother, when there are so many unprotected victims they can more easily attack?

      What’s your view?  Am I on a fool’s errand, or do you think I can discourage threats…and, if so, how would YOU improve on it?

    • #1726806 Reply

      mn–
      AskWoody Lounger

      That’s well into the “diminishing returns” category I’d say. There are very very few things that a second firewall helps against, that a properly configured single firewall/router/NAT box doesn’t already handle. (Properly configured meaning no configuration access from the outside at all, and stateful firewall with unexpected outside-originated connections blocked…)

      Unless you have a DMZ setup with some devices in the semi-trusted intermediate network of course.

      Firewalls don’t help much with browser/email/other such malware that comes in over an encrypted connection through a believed-good server that just may be compromised… or also carries untrustworthy data as is typical with email.

      2 users thanked author for this post.
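The two criteria mn– gives for a “properly configured” single box (no configuration access from the outside at all, and a stateful default-deny for outside-originated connections) are the same ones the later replies about ISP-side logins turn on, so here is an added example, not from the thread or from any router vendor, that audits a WAN-inbound policy for exactly those properties. The policy format is a constructed first-match model (a default action plus an ordered rule list), not real iptables or nftables syntax, and the `WEAK` and `HARDENED` policies are made up to show the contrast:

```python
"""Audit a home router's WAN-inbound policy for two properties: no management
access from the WAN, and a stateful default-deny that only lets return traffic
of LAN-initiated connections back in.

Constructed model (this is NOT iptables/nftables syntax): a policy is a default
action plus an ordered list of rules; each rule is a dict of optional match keys
('proto', 'dport', 'state', 'to_router') and a required 'action'.  Evaluation
is first-match, as in most packet filters.
"""
from dataclasses import dataclass

# Ports on which consumer routers commonly expose their admin interface
# (constructed list for the audit; extend it for your own gear).
MGMT_PORTS = {22, 23, 80, 443, 8080, 8443}


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    dport: int        # destination port
    state: str        # conntrack state: "NEW" (unsolicited) or "ESTABLISHED"
    to_router: bool   # True: addressed to the router itself; False: forwarded to the LAN


def matches(rule, pkt):
    """A rule matches when every match key it specifies equals the packet's field."""
    return all(getattr(pkt, key) == value
               for key, value in rule.items() if key != "action")


def decide(policy, pkt):
    """First-match evaluation; the default action applies when no rule matches."""
    for rule in policy["rules"]:
        if matches(rule, pkt):
            return rule["action"]
    return policy["default"]


def audit(policy):
    """Probe the policy with unsolicited (NEW) packets arriving from the WAN and
    report what gets through.  Returns a dict so policies can be compared."""
    # 1. Is the router's own admin interface reachable from the outside?
    exposed_mgmt = [p for p in sorted(MGMT_PORTS)
                    if decide(policy, Packet("tcp", p, "NEW", True)) == "ACCEPT"]
    # 2. Sweep every tcp/udp port: how many unsolicited packets are forwarded
    #    into the LAN?  A stateful default-deny should give 0 (or exactly the
    #    port-forwards you set up on purpose).
    forwarded_new = sum(
        decide(policy, Packet(proto, port, "NEW", False)) == "ACCEPT"
        for proto in ("tcp", "udp") for port in range(1, 65536))
    # 3. Return traffic of a LAN-initiated connection must still be allowed,
    #    otherwise the "hardened" box simply stops working.
    return_ok = decide(policy, Packet("tcp", 443, "ESTABLISHED", False)) == "ACCEPT"
    return {
        "default_is_drop": policy["default"] == "DROP",
        "wan_mgmt_exposed": exposed_mgmt,
        "unsolicited_forwarded": forwarded_new,
        "return_traffic_allowed": return_ok,
    }


# Constructed "out of the box" policy: everything allowed except telnet.
WEAK = {"default": "ACCEPT",
        "rules": [{"proto": "tcp", "dport": 23, "action": "DROP"}]}

# Constructed hardened policy: only return traffic, nothing else from the WAN.
HARDENED = {"default": "DROP",
            "rules": [{"state": "ESTABLISHED", "action": "ACCEPT"}]}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(policy))
```

The weak policy reports every common admin port reachable from the WAN and essentially every port forwarded into the LAN, while the hardened one reports none of either yet still passes return traffic. On a real router the same two checks map to turning remote management off and leaving the default inbound policy at deny with only established/related traffic allowed, which is the single-box configuration mn– describes.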
    • #1726857 Reply

      HappyElderNerd
      AskWoody Plus

      Messages that get through the cascade are dealt with by conventional software products.  But I have had one experience of an unknown party tinkering with my LAN/WAN router configuration (6 or 7 years ago), and never had one ever again.  It works for me…so far.

    • #1727003 Reply

      BATcher
      AskWoody_MVP

      If you are that concerned about being hacked, you might want to look at a “security appliance”. The downside is that they cost £lots. Or even $lots.

      BATcher
    • #1731016 Reply

      anonymous

      I don’t think this is paranoia. According to the tech who hooked me up to my ISP, the ISP has access to settings on my modem/router. They have an external login through the WAN side. That’s a point of compromise.

      Granted, that alone wouldn’t get them onto my LAN. But if there is any exploit in the ISP-provided modem/router that hasn’t had a firmware update in nearly a decade now, I could see that being a way in. Log in, perform exploit, get on the LAN.

      A second router that you actually can control in its entirety makes sense. You can make sure it keeps the latest firmware patches and make sure it does not forward on any UPnP requests from your computer.

      All of that said, I don’t really think that’s a big concern with the Windows 7 EOL security issue. The main issue isn’t that people can get in from the outside directly. It is running software that uses exploits in Windows 7 that will have been patched in Windows 10. Too much hardware security could make us feel safer than we actually are.

      My main idea right now is to do the same thing to my web browser that I use for software from sketchy websites: run it in a sandbox. I’ll probably eventually also do that with any software that is not from some big company or is open source and heavily updated.

      But I won’t even start that until there’s actually some big exploit in the wild that affects Windows 7 but not Windows 10, and that the browsers say they can’t mitigate.

      • #1731526 Reply

        mn–
        AskWoody Lounger

        Well yeah. If you use the ISP’s provided router, they usually have access to the settings. With even a minimally competent ISP this is better than a completely unmanaged router.

        (My home ISP actually does push firmware updates for the models they manage, and has in the past sent replacement DSL modems when there was a significant problem in the older model…)

        But, if you don’t trust the ISP (for any reason), then you’ll need to have your own router/firewall the ISP doesn’t have management access to. Exactly how you’d do that, will depend on your deal with them – in some cases you’d replace the ISP-provided box, in other cases you’ll add one of your own after it.
        And either way, if you don’t trust the ISP, you don’t trust the label on their box that says “firewall”, so it doesn’t count as one.

        (That’s not going into other possible reasons to replace your edge router… you might end up doing that anyway even if you do trust the ISP.)
