Wired Routers for Win98

61 replies to this topic

#1
JorgeA

Hello,

I have two Windows 98 and two Vista computers to take care of in my office, and I'm thinking of buying a wired router to help protect them when they go on the Internet.

Currently the computers are each connected to a switch, and otherwise they all fend for themselves with their own software firewalls. The router would be to add a hardware firewall layer to my defenses.

As currently configured, all the computers pass every one of Gibson Research's ShieldsUP!! vulnerability inspections, except for the Ping Reply test.

I have two questions:

1. Can you recommend any wired routers that work well on both Vista and Windows 98FE, or does it not really matter to the router what kind of computers are hooked up to it?

2. Considering that Win98 systems are involved (an FE tower and an SE laptop), are there any special issues I’ll need to keep in mind when setting up the wired router for the first time?

I’m not looking (necessarily) into setting up a network to enable the computers to talk to each other. I’m mainly interested in replicating the star configuration that I now have, where each computer connects to the switch and then the switch connects to the DSL modem. The only difference would be that I’d be using a wired router instead of a switch, or maybe in addition to the switch.

Any guidance you can provide will be welcome. I apologize if I chose the wrong forum section to post this on!

--JorgeA

Edited by JorgeA, 04 June 2010 - 11:11 AM.




#2
Mijzelf

Any router will do, they just 'talk Ethernet', and any OS which supports Ethernet will just work.

I *think* there is already a router in your modem, else you should have 4 public IP addresses. That is not impossible, but only rare.



#3
JorgeA


Any router will do, they just 'talk Ethernet', and any OS which supports Ethernet will just work.

I *think* there is already a router in your modem, else you should have 4 public IP addresses. That is not impossible, but only rare.

Mijzelf,

Thanks, that's what I thought -- that nothing special needs to be done. But I'm new at this, so I wanted to make sure!

I checked two of my PCs on the Gibson Research site, and they have the same IP address. But then the DSL modem from the phone company is billed as just a modem. They do sell other devices that they call routers, so I figure that my modem is just a modem. And it has only one connection for a PC. Does any of this make a difference as to whether the "modem" could actually work as a router?

--JorgeA

#4
cluberti


Thanks, that's what I thought -- that nothing special needs to be done. But I'm new at this, so I wanted to make sure!

I checked two of my PCs on the Gibson Research site, and they have the same IP address. But then the DSL modem from the phone company is billed as just a modem. They do sell other devices that they call routers, so I figure that my modem is just a modem. And it has only one connection for a PC. Does any of this make a difference as to whether the "modem" could actually work as a router?

--JorgeA

If they're selling routers, it's highly unlikely the modem is a router. The fact it only has one ethernet port is another clue - even today's cheap wired routers usually have more than one internal (LAN) port, to hook up multiple wired PCs internally. I'd guess you need an actual consumer-grade router to connect to the DSL modem's ethernet port, and then you'd connect your PCs to the router's LAN ports.

#5
JorgeA

Thanks, cluberti -- I'm glad that you roam around these forums!

Would I be right to assume that you agree with me and Mijzelf (sorry everyone, couldn't resist saying that), that no particular router model or special setting is needed to get Win98 and Vista PCs working off the same router?

--JorgeA

#6
Mijzelf

It's quite easy to find out if your modem is actually a router. When the IP address which shows up on Gibson's site (or on www.whatismyip.com) is a different one than what shows up in winipcfg (98) or ipconfig (Vista), then it's a router.

What type of modem do you have?



#7
Guest_wsxedcrfv_*


I have two Windows 98 and two Vista computers to take care of in my office, and I'm thinking of buying a wired router to help protect them when they go on the Internet. Currently the computers are each connected to a switch, and otherwise they all fend for themselves with their own software firewalls. The router would be to add a hardware firewall layer to my defenses.

There's something I don't understand here. Do you have or own a small IP-subnet, or do you connect to the internet via a single IP (either dynamic or static) ?

If you connect to the net or are otherwise assigned a single IP address, and if all computers have simultaneous internet access, then you must have NAT functionality somewhere in your network - most likely in the modem.

The network I manage is exactly like that. A DSL modem that has NAT functionality is connected to a 24-port giga-bit hub / switch. All our machines (including the win-98 machines we have) all have 1000 mb cards and our local lan runs at giga-bit speed.

It's been like this since late 2005. Between 2000 and 2005, we had an ISDN connection to the internet, but we had a 32-address subnet assigned to us, so each of our machines was directly facing the internet. Our win-98 machines had no problems with that - they had no firewall, but win-98 is not really vulnerable to network worms like NT-based OS's were. We used Netbeui for file sharing (which is secure on a lan that is exposed directly to the internet).

Running firewall software on a win-98 system is, in my opinion, complete garbage and a waste of time and resources. There is nothing to be gained by it, especially if you are already behind a nat-router.

#8
JorgeA


It's quite easy to find out if your modem is actually a router. When the IP address which shows up on Gibson's site (or on www.whatismyip.com) is a different one than what shows up in winipcfg (98) or ipconfig (Vista), then it's a router.

What type of modem do you have?

Mijzelf,

The IP address on those two sites is in fact different from the one that shows up in ipconfig. I guess that suggests that it's a router?

In case it makes a difference, the three computers are each connected to a switch, which is then connected to that DSL device.

The device is a Westell F90-610015-06. After a Web search I couldn't really settle in my mind the question of whether it's a modem or a router, but I still suspect it's a modem.

After seeing this info, what does it sound like it is to you?

Thanks!

--JorgeA

#9
JorgeA

wsxedcrfv,

No, my setup right now is really simple. I'm slowly poking my toes into this ocean.

The PCs are not networked, at least not with each other. (File sharing is turned off on all of them.) That's not to say that I won't set up an actual network at some point, but for the time being I'm avoiding that level of complexity.

So I guess that the answer would be that the PCs connect via the same IP address, but no local network is set up (nor can any of my PCs detect one).

Here's my progression. Up till December 2008 I had a single Win98 PC connected to the Internet via dial-up. When the computer developed major problems (which seem to have been fixed), I bought a Vista system and moved up to DSL service. Once I got used to that, and the old PC seemed to get better, I decided to experiment with putting both computers on the 'Net, so I bought a switch and both of them can surf the Web at the same time, but with no networking between the two of them. Then I added a Win98SE notebook, and it surfs great at the same time, too. My Vista laptop can jump in as well, no problem.

And now that I have a handle on that, the next level is to set up a router so that these PCs can enjoy its hardware firewall. Maybe later on I'll try to network them, but right now that's beyond my pay grade....

Steve Gibson's tests indicate that my PCs are fairly well cloaked, except for the Ping Test. I'm not sure if that protection comes from the DSL modem (there's some question as to whether it's actually a router), or from my ISP, or from the computers' individual firewalls. I'm willing to learn.

Hope this helps to make my situation clear!

--JorgeA

#10
Guest_wsxedcrfv_*


The PCs are not networked, at least not with each other. (File sharing is turned off on all of them.)

Whether or not the PC's are configured as a peering network, or a domain-controlled network, or neither, is not important, and has no impact or influence on your network hardware.

So I guess that the answer would be that the PCs connect via the same IP address, (...)
Steve Gibson's tests indicate that my PCs are fairly well cloaked, except for the Ping Test. I'm not sure if that protection comes from the DSL modem (there's some question as to whether it's actually a router), or from my ISP, or from the computers' individual firewalls. I'm willing to learn.

Your modem is performing NAT (network address translation) which is a form of routing. The IP address that you are assigned by your ISP is being used by your modem on its WAN side. On the LAN side of the modem, you are most likely using 192.168.x.x or 10.x.x.x or 172.x.x.x for the IP addresses for your individual computers. Your Gibson ShieldsUP test will not show anything of any value in this case because if your modem is configured for default operation, it will be blocking all unsolicited in-bound packets. Running a firewall on your windows 98 machines in this situation is of very little value because your modem is operating as an in-bound firewall. This is what most broad-band modems do these days. Maybe 5+ years ago some of them didn't do that.

You are failing the ping test because your modem is responding to ICMP packets. If you turn that off, or if you route ICMP packets to an unused LAN ip address, then you will pass the ping test. There is not much value in doing that, and sometimes for diagnostic or speed-testing reasons you want your modem to respond to pings.

You can connect any router or hub or switch to your modem without worrying about security or firewall issues.
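
An added example, not part of any post in this thread: the check described in posts #6 and #10 (compare the address shown by `ipconfig` with the address an external site reports) written as a small Python script. The sample `ipconfig` output and the external address 203.0.113.7 are constructed; the script also covers carrier-grade NAT and self-assigned addresses, which go beyond the cases mentioned in the thread, and it uses the exact RFC 1918 range 172.16.0.0/12 rather than all of 172.x.x.x.

```python
import ipaddress
import re

# Private ranges from RFC 1918. The 172 block is only 172.16.0.0/12
# (172.16.x.x through 172.31.x.x), not every 172.x.x.x address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598: NAT done by the ISP
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned, no DHCP lease

# Matches "IP Address. . . : a.b.c.d" (Win98) and "IPv4 Address. . . : a.b.c.d" (Vista).
ADDR_LINE = re.compile(
    r"^\s*IP(?:v4)? Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})", re.MULTILINE)

# Constructed sample output, shaped like what the two Windows versions print.
WIN98_SAMPLE = """
Windows 98 IP Configuration

0 Ethernet adapter :

    IP Address. . . . . . . . . : 192.168.1.46
    Subnet Mask . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . : 192.168.1.1

1 Ethernet adapter :

    IP Address. . . . . . . . . : 0.0.0.0
"""

VISTA_SAMPLE = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.47
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""


def local_addresses(ipconfig_text):
    """Return the usable IPv4 addresses listed in ipconfig output."""
    found = []
    for match in ADDR_LINE.finditer(ipconfig_text):
        try:
            addr = ipaddress.IPv4Address(match.group(1))
        except ipaddress.AddressValueError:
            continue  # digits that do not form a valid address
        # Skip unused adapters (0.0.0.0) and loopback entries.
        if not (addr.is_unspecified or addr.is_loopback):
            found.append(addr)
    return found


def classify(local, external):
    """Compare a PC's own address with the one an outside site sees."""
    local = ipaddress.IPv4Address(local)
    external = ipaddress.IPv4Address(external)
    if local in LINK_LOCAL:
        return "no-lease"        # adapter never got an address from DHCP
    if local == external:
        return "direct"          # PC holds the public address: no NAT in front
    if any(local in net for net in RFC1918):
        return "nat"             # private LAN address: the "modem" is routing
    if local in CGNAT:
        return "carrier-nat"     # translation happens inside the ISP network
    return "translated-or-proxied"  # public address, but the site sees another


def check(ipconfig_text, external):
    """Classify every address found in one machine's ipconfig output."""
    return [(str(addr), classify(addr, external))
            for addr in local_addresses(ipconfig_text)]


if __name__ == "__main__":
    seen_by_site = "203.0.113.7"  # constructed value (documentation range)
    for name, text in (("Win98", WIN98_SAMPLE), ("Vista", VISTA_SAMPLE)):
        for addr, verdict in check(text, seen_by_site):
            print(f"{name}: {addr} -> {verdict}")
```

A "direct" verdict is the case where the PC's own firewall is the only in-bound filter; "nat" means unsolicited in-bound packets stop at the device holding the public address.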

#11
JorgeA


Your modem is performing NAT (network address translation) which is a form of routing. The IP address that you are assigned by your ISP is being used by your modem on its WAN side. On the LAN side of the modem, you are most likely using 192.168.x.x or 10.x.x.x or 172.x.x.x for the IP addresses for your individual computers. Your Gibson ShieldsUP test will not show anything of any value in this case because if your modem is configured for default operation, it will be blocking all unsolicited in-bound packets. Running a firewall on your windows 98 machines in this situation is of very little value because your modem is operating as an in-bound firewall. This is what most broad-band modems do these days. Maybe 5+ years ago some of them didn't do that.

wsxedcrfv,

Fascinating! Looks like I'll be reading up on NAT and subnets sooner than I'd thought.

You can connect any router or hub or switch to your modem without worrying about security or firewall issues.

Cool. The firewalls DO eat up some resources, so this is a tempting idea. It's too bad that there doesn't seem to be any official documentation anywhere that's specific to my particular modem (Westell F90-610015-06), so that we could explore and tinker with the settings, and maybe see what the manufacturer has to say about their product's features.

I did find the following webpage where this issue is addressed. (See "Solution #2.")

One question about dispensing with the software firewall. My understanding is that a hardware firewall stops unwanted inbound traffic, but not outbound. Wouldn't there be a use then for the software firewall, in case one of my PCs got turned into a zombie?

It's an interesting concept that you suggest, going without a software firewall. I'll look into it deeper. For now, it's starting to look like I already have the capabilities that I was looking for, so I don't need a router.

--JorgeA

#12
Mijzelf


It's too bad that there doesn't seem to be any official documentation anywhere that's specific to my particular modem (Westell F90-610015-06),

According to this your modem is a 6100F. So maybe you can find a manual here

#13
Guest_wsxedcrfv_*


Cool. The firewalls DO eat up some resources, so this is a tempting idea. It's too bad that there doesn't seem to be any official documentation anywhere that's specific to my particular modem (Westell F90-610015-06), so that we could explore and tinker with the settings, and maybe see what the manufacturer has to say about their product's features.

Mijzelf posted a link to the PDF manual. The default LAN network for your modem is 192.168.1.0. To bring up the configuration page for your modem, open a web browser and enter 192.168.1.1 into the location bar. It will ask for user name and password. User name is "admin" and password is "password".

Your manual can be directly downloaded from here:

http://www.dslreport...aft1_041007.pdf

One question about dispensing with the software firewall. My understanding is that a hardware firewall stops unwanted inbound traffic, but not outbound. Wouldn't there be a use then for the software firewall, in case one of my PCs got turned into a zombie?

A software firewall that is operating on a PC can examine and block data packets in both directions (in-bound into the computer, and out-bound out of the computer). A NAT-router can only perform in-bound filtering.

The software firewall, because it's running on the PC, will know which apps or processes are trying to send data out of the PC, and can follow and apply rules as to which are allowed to send data out of the PC.

If your PC is infected with a trojan or back-door that is trying to send data out of the PC, it's highly likely that the trojan will try to disable your firewall software before it makes the attempt. Or it will use another method to send data out of the PC that the firewall will not block. See here for an example:

http://www.symantec....-local-firewall

It's my general impression that there are very few malware agents in current circulation that are able to operate on Windows 9x/me in any way that is useful for organized botnet operators or information thieves. Just look at your own experience with running a firewall on your windows 98 system(s) and ask yourself how many times the firewall alerted you to a genuine instance of malware trying to communicate with the outside world.

Whenever I have these discussions about software firewalls with people that believe in them and use them, it usually happens that they eventually say that they want more control over their computer and the various programs they run and how those programs behave, and the firewall allows them to do that. So it usually boils down to control more than security.

I think it's useful, or absolutely necessary, for NT-based PC's to be running an in-bound firewall, especially if it's a portable laptop, but that need goes away when it's a stationary desktop PC behind a NAT-router. I place very little value on out-bound firewalling as an anti-malware tactic on NT-based systems, and even less value on win-9x/me systems.

The only time you might (or should) be running an out-bound firewall is if you download certain application programs (like hacks, cracks, or keygens) and you want to contain the behavior of those programs if they turn out to be rogue or malicious (which is usually the case).

#14
JorgeA


It's too bad that there doesn't seem to be any official documentation anywhere that's specific to my particular modem (Westell F90-610015-06),

According to this your modem is a 6100F. So maybe you can find a manual here

Mijzelf,

You know, as I looked for info on my modem last night I did see that exact DSLR forum thread that you linked to, but in the process of visually scanning I did not see the sequence of characters that my eyes were looking for (F90-610015-06), so I ended up skipping it. The key, of course, was in knowing that a "6100F" is the same as an F90-610015. My Web search didn't turn up the other link you provided, and which puts the two sets of numbers together.

I continue to be amazed by the level of expertise shown by the folks who participate in the MSFN Forums, and most of all by their (your) willingness to help.

Many thanks! :thumbup

--JorgeA

P.S. Now that it's daytime, I can see clearly that my modem says, in little white letters on the front, "Model 6100F." Duh!! And here I thought I was being so sophisticated by going straight to the product label on the bottom... :blushing:

#15
JorgeA


If your PC is infected with a trojan or back-door that is trying to send data out of the PC, it's highly likely that the trojan will try to disable your firewall software before it makes the attempt. Or it will use another method to send data out of the PC that the firewall will not block. See here for an example:

http://www.symantec....-local-firewall

wsxedcrfv,

Thanks for the link. Pretty nasty technique, there.

Would you say that there's generally just too much focus on (or trust in) software firewalls?

It's my general impression that there are very few malware agents in current circulation that are able to operate on Windows 9x/me in any way that is useful for organized botnet operators or information thieves. Just look at your own experience with running a firewall on your windows 98 system(s) and ask yourself how many times the firewall alerted you to a genuine instance of malware trying to communicate with the outside world.

I've never had a case where the Norton firewall alerted me to an unknown program trying to go out on the 'Net. But there have been times where it's told me that it blocked an outside attempt to invade my Win98 PC. However, that was when the PC was on dial-up. I don't remember it happening again since I got DSL.

I think it's useful, or absolutely necessary, for NT-based PC's to be running an in-bound firewall, especially if it's a portable laptop, but that need goes away when it's a stationary desktop PC behind a NAT-router.

Let me make sure I have this right. So I can actually set up a LAN behind this Westell device, enabling file sharing and the like, while dispensing with the various PCs' individual software firewalls, and they will still have as much protection from intruders as before?

BTW, there's no chance of me going into the Internet underworld, so I should be O.K. on that score.

Thanks again!

--JorgeA

#16
Guest_wsxedcrfv_*


Would you say that there's generally just too much focus on (or trust in) software firewalls?

There are a lot of die-hard win-98 users that are still running ie6, have never tried another browser, who access the internet on dial-up, and who are paranoid about security and are getting ulcers over the end of fire-wall and antivirus support for win-98. No matter how many times you tell them that win-98 is not and never has been vulnerable to any network worm, they just don't listen or understand. And those of them on broadband, with their computer behind a NAT-router, have zero to worry about.

Firewalls were useful back during the early days of commercial and residential broad-band (1998 - 2002) and back then Windows NT, 2K and XP-SP0 desperately needed to have a firewall app running on it. Lots of those machines became infected with stuff that turned them into someone's private file server (usually hidden in the recycler directory).

NT-based OS's are simply not designed well enough to be trusted to sit even on a local lan without having their own in-bound firewall. Windows 9x/me, either by dumb luck or good design, is simply far less vulnerable to network intrusion and remote control. But the popular press and technology writers have always focused way more on the NT-based os's, so when they write about Windows needing a firewall, they mean NT, 2K, XP, etc.

I've never had a case where the Norton firewall alerted me to an unknown program trying to go out on the 'Net. But there have been times where it's told me that it blocked an outside attempt to invade my Win98 PC. However, that was when the PC was on dial-up. I don't remember it happening again since I got DSL.

Any attempt to "invade" your PC would not have worked - even without your firewall if you're running win-98. Those attempts are still happening, but are being blocked by your modem now.

Let me make sure I have this right. So I can actually set up a LAN behind this Westell device, enabling file sharing and the like, while dispensing with the various PCs' individual software firewalls, and they will still have as much protection from intruders as before?

Your windows-98 systems will not and do not need to be running firewall software. Period.

Your NT-based PC's can infect each other on the local lan (they won't be able to infect your win-98 systems - unless you share the c:\windows directory on your win-98 machines).

Your NT-based PC's will not be directly infected by any sort of worm or packet-based intrusion from the internet, but if they get infected due to you downloading and running an infected file, clicking on a viral e-mail attachment, or triggering a browser-based exploit while web surfing, then the resulting infection could spread to your other NT-based machines unless they are running their own local in-bound firewall.

Your local lan is protected / hidden from the internet as far as file-sharing goes, and even more so if you bind your file-sharing to the NetBEUI protocol instead of TCP/IP.

#17
rilef

Some DSL and cable modems are actually combo devices, combining a router and modem in the same enclosure. But your DSL modem appears to be only a simple DSL modem, designed for use only with Verizon (see http://www.westell.c...10015-06-2.html ). Google "F90-610015-06" for lots of other information on this modem.

Apparently, your dsl modem configuration can be viewed, but not adjusted, using Internet Explorer or other browser (for a "how to" see http://text.broadban...1001506-Success . Note that the Linksys router's default WEB address (http://192.168.1.1/) is the same as your Westell DSL modem's WEB address and will have to be changed prior to use. Similarly, other routers may also use http://192.168.1.1/ as their default WEB addresses, and thus their WEB addresses also would have to be changed).

I currently use an old Linksys router, which I purchased used for less than $10, then modernized or updated the firmware from the Linksys website. Linksys routers are well documented and supported on the Linksys website and easily configurable (e.g. pings and port 113 were disabled by opening the router configuration menus in my browser and checking the appropriate checkbox). But other leading brand browsers may also do the job. Also, the router does not have to be the newest or high-speed (1000 mb), unless all other devices on the network are high-speed.

The GRC Shields Up "Ping Test" is important because, although your firewall may or may not block "all unsolicited in-bound packets", the better security is to remain invisible on the Internet to all unsolicited and potentially malicious probes. If your computer responds to an unsolicited probe with a ping, the prober now knows you're there and your IP address.

Some software firewalls use more resources than other software firewalls, so resource use may have to be considered on older computers. But, for example, I've used Sygate firewall software on an old 286 Mhz computer, with no observable degradation in performance. And, if you're running a peer-to-peer or home network, the software firewall can be configured to allow certain traffic on the home network (such as printer or file sharing), while restricting traffic, on the same physical network, to/from the Internet. Also, software firewalls are important to prevent unwanted outgoing traffic from your computer, particularly from newly installed software, whose initial behavior after installation may or may not be welcome (such as, calling home or opening up a WEB page after installation, or attempting to update the software to a newer version, or downloading and installing additional software). Some software attempts to open a WEB page in Internet Explorer, even though IE is not my default browser. A software firewall can block IE from being used by such software.

#18
Guest_wsxedcrfv_*


Some DSL and cable modems are actually combo devices, combining a router and modem in the same enclosure. But your DSL modem appears to be only a simple DSL modem, designed for use only with Verizon (see http://www.westell.c...10015-06-2.html ). Google "F90-610015-06" for lots of other information on this modem.

If his modem is a Proline 6100, as described by the PDF I posted earlier, then it does NAT by default, unless you put it into a bridge mode.

Having only one RJ-45 ethernet jack for the LAN connection does not necessarily mean the device does not perform internal NAT. (Naturally, any modem that has more than one LAN jack must also be a NAT router).

The GRC Shields Up "Ping Test" is important because, although your firewall may or may not block "all unsolicited in-bound packets", the better security is to remain invisible on the Internet to all unsolicited and potentially malicious probes. If your computer responds to an unsolicited probe with a ping, the prober now knows you're there and your IP address.

It's no big deal if your modem responds to pings or not. Any automated port-scanner that's operating on your IP is just as likely to simply try all the usual ports (netbios, etc) and not waste time with a two-stage port scan.

Some software firewalls use more resources than other software firewalls, so resource use may have to be considered on older computers. But, for example, I've used Sygate firewall software on an old 286 Mhz computer, with no observable degradation in performance. And, if you're running a peer-to-peer or home network, the software firewall can be configured to allow certain traffic on the home network (such as printer or file sharing), while restricting traffic, on the same physical network, to/from the Internet.

The decision to use a software firewall should be based first and foremost on the absolute necessity that it will perform a useful function - not necessarily the resources it will use. Experience tells us that Windows 98 is not a vulnerable OS when it comes to unsolicited in-bound packets. Putting any PC behind a NAT-router automatically negates the need in the vast majority of situations to also run a firewall on the PC regardless what OS it's running.

Configuring firewall rules is usually a painful process, completely worthless in my opinion. There are better ways to establish rules or restrictions on resource use on a local lan.

Also, software firewalls are important to prevent unwanted outgoing traffic from your computer, particularly from newly installed software, whose initial behavior after installation may or may not be welcome (such as, calling home or opening up a WEB page after installation, or attempting to update the software to a newer version, or downloading and installing additional software). Some software attempts to open a WEB page in Internet Explorer, even though IE is not my default browser. A software firewall can block IE from being used by such software.


As I predicted, firewall advocates ultimately fall back to the idea that firewalls are useful (perhaps more useful) for control vs security. Usually there is little to be gained by exerting this control, in the long run, vs the time wasted and the performance hit just by having it.

If I don't want a newly-installed app to phone home, then I'll unplug my ethernet cable before I run it for the first time. How's that for an out-bound firewall?

#19
JorgeA

rilef,

Thanks for jumping in.

I sense a flame war erupting here, or maybe my question has rekindled an old argument. Hopefully what I report below will help to stop things from getting to that point.

Prompted by your post, I went into my Westell's configuration. Had to set a new password and all. I'm too new at the networking game to dare to actually change any settings in there, but it sure does look like I can change them. I even clicked a few settings on and off, but left everything unchanged in the end. (I didn't hit the "Apply" button.) Every button that I tried seemed to respond as one would expect. Maybe this will help to settle the question of whether this box is a simple modem, or a router (maybe a modem with extra features? or a combo device as you think might be possible).

If you go to page 70 of the 6100's guide, you'll find a screenshot of the general firewall settings. It matches exactly the screen that I got when I clicked on the Westell menu to access the firewall settings. I was surprised to see that the default (and current) value is "No Security," because all of my PC's did well on the Gibson tests (except for the ping test). Could that be the computers' software firewalls in action?

Thanks again!

--JorgeA

#20
JorgeA

wsxedcrfv,

See my reply to rilef.

It looks like the Westell 6100F that I have may be in fact some kind of combo device, as I can go into the settings and (apparently) change them, including firewall and port rules. (Please excuse my noobness if I'm getting the terminology wrong.)

Check out page 70 of the PDF to the manual. The general firewall settings menu is just like the one I saw when I went into my box's configuration application. Now, you'll see that the default setting is "No Security." Yet, as I said before, my PC's did pretty well on the Gibson tests. Two questions: Could that be thanks to the software firewalls -- and, if I were to uninstall them, then which of those security settings would I choose to emulate the level of protection that the current firewalls are providing?

On the other hand, since the software firewalls are already in place, one could say that there's very little additional time and effort involved in keeping them running. So isn't it possible that the question boils down to whether you want to dedicate resources on a Win98 machine to a firewall?

One last thing (for now, anyway). I assume that none of this affects the wisdom of running antivirus/antimalware applications, as opposed to a firewall?

I appreciate all the information you've been passing along -- thank you!

--JorgeA

#21
Mijzelf


If you go to page 70 of the 6100's guide, you'll find a screenshot of the general firewall settings. It matches exactly the screen that I got when I clicked on the Westell menu to access the firewall settings. I was surprised to see that the default (and current) value is "No Security," because all of my PC's did well on the Gibson tests (except for the ping test). Could that be the computers' software firewalls in action?


No, it's the nature of a NAT router. An open port is a port where some service is running, to which one can connect. The router doesn't run any services on the outside, so all ports are closed. And because it costs less CPU power to ignore the 'knocking on the door' than yelling 'nobody home', the closed ports are stealth too.

When you want an open port, you'll have to forward it manually in the router's setup (or use UPnP, but that's another story), to point to a service which is running on one of your computers.

Because the NAT router already blocks all incoming traffic by nature, the purpose of a firewall on a NAT router is limited. The following options could be implemented:

- Detect a portscan and close all open ports temporarily

- Block outgoing traffic to certain IP addresses/URLs

- Block ingoing traffic to open ports from certain IP addresses

- Deep packet inspection to filter ActiveX components and stuff like that

- ...




On the other hand, since the software firewalls are already in place, one could say that there's very little additional time and effort involved in keeping them running. So isn't it possible that the question boils down to whether you want to dedicate resources on a Win98 machine to a firewall?


A good firewall hardly uses any resources (as long as it doesn't do deep packet inspections) compared to antivirus software, and can provide you a lot of information about which processes are talking to whom. So it can be useful to keep a software firewall running.

One last thing (for now, anyway). I assume that none of this affects the wisdom of running antivirus/antimalware applications, as opposed to a firewall?


Indeed. They are unrelated areas.
 


Edited by Mijzelf, 06 June 2010 - 06:01 AM.
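The behaviour described in the post above, as an added example that is not part of the original post and is not Westell firmware: a toy NAT translation table in Python showing why unsolicited inbound packets have nowhere to go unless a port forward exists. The addresses, port numbers, class and method names are all constructed for illustration, and the model assumes the router only accepts replies from the exact remote address and port the LAN host contacted.

```python
# Toy model of a NAT router's translation table (constructed example).
from dataclasses import dataclass, field

WAN_IP = "203.0.113.10"  # constructed public address (documentation range)


@dataclass
class NatRouter:
    upnp_enabled: bool = False
    forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    sessions: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: allocate a WAN port and remember the flow."""
        wan_port = self.next_port
        self.next_port += 1
        self.sessions[wan_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return WAN_IP, wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Decide where a packet arriving on the WAN side is delivered, if anywhere."""
        sess = self.sessions.get(wan_port)
        # Assumption: replies are accepted only from the remote endpoint that was contacted.
        if sess and sess[2:] == (remote_ip, remote_port):
            return ("reply", sess[0], sess[1])
        if wan_port in self.forwards:
            return ("forwarded",) + self.forwards[wan_port]
        # No session and no forward: there is no LAN address to hand the packet to.
        return ("dropped", None, None)

    def upnp_request(self, lan_ip, wan_port, lan_port):
        """A LAN program asks for a forward; honoured only when UPnP is switched on."""
        if not self.upnp_enabled:
            return False
        self.forwards[wan_port] = (lan_ip, lan_port)
        return True


def demo():
    r = NatRouter()
    _, wan_port = r.outbound("192.168.1.20", 1050, "198.51.100.7", 80)
    results = {
        "reply": r.inbound("198.51.100.7", 80, wan_port),
        "unsolicited": r.inbound("192.0.2.99", 4444, 139),
        "stranger_on_mapped_port": r.inbound("192.0.2.99", 4444, wan_port),
    }
    r.forwards[8080] = ("192.168.1.20", 80)  # manual port forward set by the admin
    results["forwarded"] = r.inbound("192.0.2.99", 4444, 8080)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} -> {outcome}")
```

With `upnp_enabled=True`, `upnp_request` lets any program on the LAN create a forward without the administrator touching the router, which is the reason later posts recommend turning UPnP off.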


#22
Guest_wsxedcrfv_*


Check out page 70 of the PDF to the manual. The general firewall settings menu is just like the one I saw when I went into my box's configuration application. Now, you'll see that the default setting is "No Security." Yet, as I said before, my PC's did pretty well on the Gibson tests. Two questions: Could that be thanks to the software firewalls -- and, if I were to uninstall them, then which of those security settings would I choose to emulate the level of protection that the current firewalls are providing?

The Security settings on the modem (as described on page 70) really make no sense. For example, the default: "No Security (None) is ProLine’s factory default security setting. Firewall is disabled. (All traffic is passed)"

That doesn't make sense. If all traffic is passed, then where exactly will it pass unsolicited inbound traffic to? To which local LAN ip will it pass any unsolicited packets? Without configuring any port-forwarding rules, I don't see how it can pass any unsolicited inbound packets at all. If someone else has an explanation for the security settings on this modem, please explain.

On the other hand, since the software firewalls are already in place, one could say that there's very little additional time and effort involved in keeping them running. So isn't it possible that the question boils down to whether you want to dedicate resources on a Win98 machine to a firewall?

If you had a direct connection to the internet (which you would have had on dial-up) then it's your call as to whether or not you run a firewall on a win-98 system. But once you're behind a NAT-router, the use of a software firewall on a win-98 system is a complete waste of system resources if your usage is purely for security. If your intent is for program control (ie - to prevent certain apps from "calling home") or you frequently test new programs for undesirable out-bound transmission behavior, then the use of a software firewall in that instance is useful to you. If it were me, I would simply modify the program's settings so it does not "call home" instead of using a firewall.

I ran a small network of about a dozen win-98 machines (and a few NT and win-2K machines) from mid-2000 to the end of 2005 (about 5.5 years straight) and all machines had their own direct internet IP address (no NAT router). That was arguably the most vulnerable period in the life span of windows 98 to have a machine directly exposed to the internet. The win-98 systems experienced no intrusion. We had a few instances of our NT and 2K machines becoming infected with something - but I don't know if it was the result of not having a firewall on those systems, or because of user-facilitated activity (web surfing, e-mail, etc).

One last thing (for now, anyway). I assume that none of this affects the wisdom of running antivirus/antimalware applications, as opposed to a firewall?

I believe that Anti-virus apps are far less useful today, on win-98 systems, than they were, say, during 2002 - 2006.

Since 2006, many viral / trojan threats are polymorphic and AV software has a very poor record of detecting them during the first week or month of their existence. We get a lot of spam on certain e-mail addresses (about 50 - 75 spams per day) and usually get 1 to 2 spams per day that contain a viral attachment. I submit those viral files to virustotal.com and they are scanned by 40 AV apps (all the major AV programs plus lots you've never heard of). The detection rate is usually about 5%. If I scan the same file a month later, the detection rate will be 50 - 75%.

So you've got the following to consider:

1) Relatively poor initial AV detection rates for new malware
2) Most or all new exploits are written for NT-based OS's and simply don't function on win-98
3) Many exploits can successfully deactivate your AV software just like they can deactivate your firewall (assuming the exploits even run on a win-98 system in the first place)

Combine all three, and you come to the conclusion that running an AV app on a win-98 system has only marginal benefit.

If you want to secure your machine against malware, do the following:

1) obtain and use a hosts file. Look at MVPS.org.
2) perform Spybot SD browser inoculation.
3) uninstall ALL versions of JAVA JRE and either (a) don't run the java JRE or (b) only keep the most recent version installed on your system (see below for more instructions about Java)
4) disable .PDF file handling by your browser. Set your browser's pdf file handling option to "save as file" instead of "launch with adobe acrobat".
5) consider replacing adobe acrobat with another pdf viewing program. Regardless of which pdf program you use, disable its JavaScript option.
6) run a real-time registry monitoring program. Spybot's TeaTimer option, for example.
7) put a NAT-router between your PC and your cable or DSL modem (or turn on your modem's NAT functionality). If the IP address of your PC begins with 192.168.x.x then you already have a NAT-router somewhere in your network.
8) consider running a browser-protection program called NoScript. It might make your web-surfing a bit of a pain, but it will provide a moderate amount of protection against rogue scripts found in web content.
9) obtain and run some registry files or hand-alter some of your registry keys to absolutely disable the "auto-run" feature on all drives and removable media.
10) disable all unnecessary services running on your system (if you're running XP or Vista). Disable the IPC$ network share and all administrative shares while you're at it.
11) if your modem or router has UPnP function, disable it. Consider disabling the UPnP service if it's running on your machine.

------

Windows 98 came with an old version of java that can be (or should be) uninstalled. Do this first before you install any newer version from Sun (now known as Oracle):

To get rid of the version of java that came with Windows 98, do this:

- Click Start, Run and enter this:
- RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall

You may (or will) see a message saying "If this component is uninstalled, Microsoft Internet Explorer will not be able to download files from the World Wide Web. Do you want to uninstall the Microsoft VM?"

- Click Yes to confirm the uninstall, and restart your system when it's complete.

- Delete the following folders if they are still present:
c:\windows\java
c:\windows\inf\java.pnf
c:\windows\system32\jview.exe
c:\windows\system32\wjview.exe

- Click Start, Run and enter regedit to start the Registry Editor. Browse to the following keys, highlight and delete them:

HKEY_LOCAL_MACHINE\Software\Microsoft\Java VM
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet_Explorer\AdvancedOptions\JAVA_VM

- Now go to your Add/Remove programs and look for any instance of "Java Runtime" or "J2SE Runtime" and uninstall them. All of them - except if one of them is version 5.0 Update 22 (keep that one if you have it).

- If you've deleted all Java Runtime versions, and if you don't have version 5 Update 22, then download and install that version using this link:

http://cds-esd.sun.c...dows-i586-p.exe

#23
herbalist

Hardware and software firewalls serve different but overlapping purposes. Hardware firewalls block inbound from the entire network behind them. They block or allow traffic on a per PC basis. Being separate from the PC, they're not vulnerable to infections of that PC (as long as UPnP is disabled). But as a result of being separate, hardware firewalls are not application aware. They can't tell if it's your browser or a trojan that's connecting out.

Software firewalls control traffic in and out of individual PCs. On networks with more than one PC behind a router or hardware firewall, a software firewall can prevent one compromised PC from infecting another on the same network. Software firewalls are application aware and can block or restrict traffic from one application while allowing another to connect out freely. That makes a software firewall useful as a parental or employee control tool. Kerio 2 for instance lets you make time-sensitive rules, such as blocking the browser's access after 11:00PM while allowing updaters to work normally. I've done that for a few clients. Now their kids won't talk to me! That same software firewall stopped their P2P program from working. An installed software firewall gives you flexibility not possible with hardware firewalls.

As I predicted, firewall advocates ultimately fall back to the idea that firewalls are useful (perhaps more useful) for control vs security.

I have to disagree with that statement. Control and security are directly connected. A secure system is one you control. A compromised system is one someone else controls. That's the goal of most malware, to take partial or full control of your system. A software firewall controls the communication channel the malware would have to use. Only a small percentage of PCs are compromised by unsolicited inbound traffic. Most are compromised by the users, willingly or otherwise. It doesn't matter how good or careful you are. Unless you have 100% control over all who use that PC, friends, family, kids, and can guarantee that all of them will use the same level of care, things will happen.

Other factors also need to be considered.
  • AV support is all but done for 9X systems. We no longer have a semi-reliable way to detect malicious code in real time, not that they were very good at it to begin with. The conventional approach to security is not available to 9X users any more. This gives us 2 choices, default-deny, or trusting that 9X isn't popular enough to be targeted. IMO, the 2nd is not an option. It's trusting in blind luck.
  • Kernel EX is making it possible to run more "modern" software on 9X systems. It's also likely that it is also making it possible for more malicious code to work as well. By making 9X more functional, we may be making it more vulnerable. This is uncharted territory for 9X that needs to be explored, or at the very least, to remain aware of the possibility.
  • Legitimate sites get hacked and serve up malware. Financial institutions, facebook ads, etc. You don't have to go looking for it. The internet is much more dangerous than it ever has been before. Even the DNS system has proven to be vulnerable. There's no guarantee that where you want to go is where you'll end up. IMO, all of the web has to be treated as untrusted and potentially hostile. The common sense approach of "don't visit dangerous sites" isn't sufficient.
  • The "enemy" has changed. It's not script kiddies any more. It's professional coders and thieves. Their agendas have changed. Instead of recognition or glory, it's profit and control. In today's political climate, it can even be your own government or authorities or those of another nation. It's not just your data or your desktop they want anymore. Often it's your PC to be used as a pawn in someone else's war.
  • 98 itself might not be directly targeted as much as it used to be, but the applications running on it are, starting with PDFs and flash. If I remember correctly, Flash was used as the vector to target routers from the PC. Yes, it was fixed, but will you bet on it being a one time occurrence? Malware isn't strictly for 9X systems or NT systems. Much of it works on both. It's no different than any other user applications. I've got malware obtained from members here and elsewhere that behaves very much like a rootkit on a 9X system. It's one thing to claim that today's malware is written for NT systems. Who is even checking how much of it works on 9X, or with Kernel EX? Is anyone looking at all? IMO, that's an unverified assumption.

I'll never understand why some dismiss apps or a system "calling home" as a problem. Most trojans do this. Would you allow people you barely know to use your phone whenever they want to without asking you? How is this different, especially when you consider the personal info the app calling home has access to and the fact that you don't know what it's sending?

Resource usage is not an issue with a good software firewall. Even my old HP with a 366MHz Celeron experienced no slowdown with Kerio 2.1.5 and SSM. Yes, the combined security suites were resource hogs, but they were never designed for 9X systems to begin with. 9X compatibility was an afterthought. NIS for instance added over 90 seconds to the boot time of my old HP and reduced its usable time to half of what it was without it. AVs are the real resource hogs, not firewalls.

Configuring firewall rules is usually a painful process, completely worthless in my opinion.

Can't agree. There is something of a learning curve involved but that same knowledge gained will also help with configuring hardware firewalls, setting up home networks, etc. Once the basics are learned, it's not that hard. We're working with an unsupported OS, which means we have to provide our own support. To one degree or another, all of it is a bit of a pain, whether it's fixing compatibility issues or testing newly found vulnerabilities. Learning the basics of the internet we want to use these 9X systems on should be part of that process. With firewall rules, when they're done, it's over. Unless you change your system, they don't change. Until recently, we've always had 2 options, pay someone to take care of our systems and security (system and AV updates) or do it ourselves. We now have one choice if we want to use 9X. If this place has proven anything, it's that we can make 9X better and safer than MS or any AV vendor ever has.

I agree with many of the suggestions, but not necessarily with the way they're implemented. Getting rid of the old software is important. I'd add IE6 to that list if your setup allows it. It's always been the biggest weakness in 9X. Instead of NoScript, I'd use Proxomitron which works with all browsers and is much more powerful (and has a much steeper learning curve). I suggest a security policy based on default-deny and enforced with the system policy editor or SSM, free version. For registry protection, no need for real time protection. A batch file running at bootup can give you a clean, optimized registry at each reboot. The link in my signature explains how to write your own.

The hosts file doesn't help much with protecting your system. It's not possible for them to keep up with malicious sites. They change way too fast. It is useful as a junk remover, such as the common ad sites, a lot of Google garbage, etc. It can also be useful for its intended purpose, a real address book for sites you need to be sure of, instead of relying on a potentially vulnerable DNS system.
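The two uses of a hosts file discussed above (sinking junk hostnames, and pinning addresses for sites you need to be sure of) can be audited with a short script. This is an added example, not part of the original post: it separates sink entries from pinned ones and flags any hostname mapped to an address you did not expect. The sample hosts content, hostnames, addresses and function names are constructed.

```python
# Audit a hosts file: sink entries, expected pins, and unexpected redirects.
import ipaddress

SINKS = {"0.0.0.0", "127.0.0.1", "::1"}  # addresses used to blackhole a hostname

# Constructed sample content (documentation-range addresses, example domains).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
0.0.0.0     ads.example.net        # ad server
0.0.0.0     tracker.example.net banner.example.net
192.0.2.25  Bank.Example.com
198.51.100.66 mail.example.org
not-an-ip   junk.example
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; skip comments, blanks and malformed lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:  # one line may list several hostnames
            yield addr, name.lower().rstrip(".")


def audit_hosts(text, expected_pins):
    """Classify every entry; expected_pins maps hostname -> address you trust."""
    report = {"blocked": [], "pinned_ok": [], "unexpected": []}
    for addr, name in parse_hosts(text):
        if name == "localhost" and addr in ("127.0.0.1", "::1"):
            continue  # the standard loopback entry
        if addr in SINKS:
            report["blocked"].append(name)
        elif expected_pins.get(name) == addr:
            report["pinned_ok"].append(name)
        else:
            # A name pointed at an address nobody vouched for: review it.
            report["unexpected"].append((name, addr))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS, {"bank.example.com": "192.0.2.25"})
    for category, entries in result.items():
        print(category, entries)
```

An entry in the `unexpected` list is worth reviewing because a hosts file that something else has rewritten will send the browser to the listed address without any DNS lookup.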

#24
Tripredacus


As noted, the Westell 6100F does not come with any firewall settings turned on. I am using this modem as well. I currently have it configured in Bridge Mode (like the old DSL Modems) and it is connected to a wireless router. No DHCP enabled (but WPA2) on either side, using static IPs and DNS Servers.

If you switch it to bridge mode, the light pattern will be different. You won't see an orange light anymore if you lose the network connection. Also, you will need to configure your router (or PC) to connect with the PPPoE settings in the modem. If you lose these you can get the numbers from support.

Basically what they did was make it so the modem could start the PPPoE handshake on its own instead of relying on a single computer to do it.

As far as OS requirements on networking hardware, with exception to IPv6 or other OS dependent technologies, the requirements are bound to two things only:
1. The software that comes with the product
2. The OSes that the technical support department will help you with.

#25
Guest_wsxedcrfv_*


As noted, the Westell 6100F does not come with any firewall settings turned on. I am using this modem as well. I currently have it configured in Bridge Mode.

Please explain how that modem, when used in its default configuration, will not be acting or performing as a NAT-router, and as such will be blocking all unsolicited in-bound packets, and therefore will be operating as a 100% effective in-bound firewall.



