[Ham-Computers] RE: Why is DSL/Wideband more "hackable"?
Hsu, Aaron (NBC Universal)
aaron.hsu at nbcuni.com
Mon Sep 19 14:05:32 EDT 2005

Hi Phil (et al),

I think most have answered your questions already - yes, broadband
connections are more of a target due to their "always-on" nature. They are
also "preferred" by hackers as they are "broadband" and won't get the
response latency from dial-up users.

I do question your decision to purchase ZoneAlarm vs a router. A router
will offer you a first line of defense against hackers by providing a NAT
firewall (Network Address Translation). NAT firewalls are simple, but
effective. By positioning itself between your computer(s) and the Internet,
it takes the brunt of hacking attempts. In fact, you'll probably notice
that ZA will no longer report incoming intrusion attempts as the router is
effectively "blocking" all of them.

Most of the newer SOHO routers today also include an SPI firewall (Stateful
Packet Inspection). This ensures that the only traffic allowed into your
network is traffic that was requested from within your network - all other
packets are dropped.

Yes, this still leaves computers on your network vulnerable to trojans, but
the free version of ZA and a good AV program should handle these. Careful
surfing should take care of the rest.

Now, your purchase decision may actually rest on what type of DSL
modem/router SBC sends you. The 5100b, which I got last December, is itself
a NAT firewall by default. However, it only supports one computer on the
"inside", meaning it only accepts traffic from one IP address on your
network. This would preclude you from connecting both your computers to the
Internet without a router (or Windows ICS, which I don't recommend). With
the 5100b AND a router, you'll effectively have dual NAT firewalls - this is
how I have my network set up at home - DSL line to the 5100b, 5100b to a Linksys
router, and all my systems attached to the router (wired and wireless via
WPA). I use BlackICE (vs ZA) and the only reports I get are usually
malformed HTTP headers, icons, or trojans/virii in e-mail. The malformed
headers and icons are blocked by BI (or ignored by Firefox) and the
trojans/virii are handled by NAV. In the 6 years I had ISDN and now with
DSL, I have not had any virii, trojans, or successful hacking attempts
(knock wood <g>).

I haven't used ZA for many years (since its infancy when it had a tendency
to completely hose your system if you un-installed it - been there, done
that), but it shouldn't prevent you from networking your computers together.
There are a lot of nuances in networking a "mixed" Windows environment (9x
with NT/2K/XP), so you might be seeing a Windows networking interaction.
You also need to make sure that ZA is configured to leave the Windows
Networking ports open so another system can connect to yours. If you have
ZA "cranked all the way up", then Windows Networking will most likely not
work, even with the "Pro" version of ZA. Basically, I believe you've
reached a stage that requires a bit of planning and configuration to get
everything working. It took me a while to trust the router's firewall
enough to "turn down" BlackICE so that I could do Windows networking, but it
works once you do. I'm sure ZA will also work the same way.

So, for your situation, my personal (and professional) recommendation is to
spend your $$$ on a good router *FIRST*. Then consider ZA if you have any
funds left over. A Linksys WRT54G can be had for about $60 on sale, and
they'll often also come with a mail-in rebate for another $20 or $30. The
retail is $79. Oh, and the WRT54G has wireless. The BEFSR41, the basic
non-wireless router retails for about $59 and rarely is on sale or has
rebates. Can you spot the cost effective way to go here? I believe you're
in the SF Bay area, so check the Thursday edition of your local paper for
Fry's Electronics ads. There's a router on sale w/rebates every weekend.
Fry's isn't the greatest place (don't get me started!), but if you know what
you want and don't deal with the sales scum, it's worth the trip.

If you need any help with the setup, send me an e-mail and I'll help step
you through. If I have the time, I can even give you a call. If you have
HF capabilities and the bands cooperate, we can sked a contact.

Oh, and *please* don't install the SBC start-up software!

73,
- Aaron, NN6O
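
Added example, not part of the original message: a toy Python model of the NAT and SPI behaviour the post describes, showing which inbound packets a router forwards and why a trojan on the LAN still gets through. The class, the addresses and the 300-second idle timeout are constructed for illustration and do not represent any particular router's firmware.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class NatSpiRouter:
    idle_timeout: float = 300.0  # assumed value; real routers vary
    # public_port -> (inside_ip, inside_port, remote_ip, remote_port, last_seen)
    flows: dict = field(default_factory=dict)
    _ports: count = field(default_factory=lambda: count(40000))

    def outbound(self, inside, remote, now=0.0):
        """LAN host opens a flow: allocate a public port and record state."""
        for port, flow in self.flows.items():
            if flow[:4] == (*inside, *remote):
                self.flows[port] = (*inside, *remote, now)  # refresh timer
                return port
        port = next(self._ports)
        self.flows[port] = (*inside, *remote, now)
        return port

    def inbound(self, remote, public_port, now=0.0):
        """WAN packet: forward only if it matches a live flow, else drop."""
        flow = self.flows.get(public_port)
        if flow is None:
            return None  # unsolicited: NAT has no mapping for this port
        i_ip, i_port, r_ip, r_port, seen = flow
        if now - seen > self.idle_timeout:
            del self.flows[public_port]  # state expired
            return None
        if (r_ip, r_port) != tuple(remote):
            return None  # mapped port but wrong peer: SPI drops it
        self.flows[public_port] = (i_ip, i_port, r_ip, r_port, now)
        return (i_ip, i_port)


def demo():
    """Constructed addresses (RFC 5737 / RFC 1918), not from the post."""
    r = NatSpiRouter()
    pc, web = ("192.168.1.20", 51000), ("198.51.100.7", 80)
    outsider = ("192.0.2.99", 4444)
    port = r.outbound(pc, web)
    return {
        "reply": r.inbound(web, port, now=1.0),
        "unsolicited": r.inbound(outsider, 445),
        "wrong_peer": r.inbound(outsider, port, now=2.0),
        "stale": r.inbound(web, port, now=1000.0),
        # Caveat from the post: a trojan on the LAN dials out, so its peer is let back in.
        "trojan": r.inbound(outsider, r.outbound(("192.168.1.20", 51001), outsider)),
    }
```

Only the "reply" and "trojan" cases are forwarded to a LAN host, which is why a host firewall and AV still matter behind the router.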