Strange problem with software or hardware router.. - Firewalls


  1. Strange problem with software or hardware router..

    Hi all


    I have narrowed down a strange phenomenon I get between my Win2k
    computer network, router and NIS (Norton internet security) 2003. All
    PC's in the network have Win2k, SP5 IE6 SP1, and NIS 2003 with all of
    the updates. L2TP Cable internet is through 3Com wireless
    Officeconnect 3CRWE554G72T router.


    The problem is this: every few hours, one of the computers (any one,
    not a particular one) will have a partial failure of internet service:
    I can't browse the web but email, Skype and FTP still work. After
    10-30 minutes the problem rights itself. The other computers in the
    network don't usually experience this problem at the same time (i.e.
    they are fine except the one that doesn't work). I thought my router
    has a hardware problem but then I noticed that every time the problem
    happens, just before it my NIS 2003 reports a "portscan" of
    192.168.1.1 (domain 53).

    192.168.1.1 is, of course, the router address...
    I have tried to have the PCs configured statically (with DNS servers)
    as well as DHCP automatic config; it doesn't improve the issue.
    If I disable NIS 2003 and then immediately enable it, internet service
    resumes...
    I scanned all open ports with a web security site and it reports that
    only port 113 is closed (the rest are stealthed).

    That's as far as my networking skills go


    Thanks...!


  2. Re: Strange problem with software or hardware router..

    developmental2@walla.com wrote:

    > I have narrowed down a strange phenomenon I get between my Win2k
    > computer network, router and NIS (Norton internet security) 2003. All
    > PC's in the network have Win2k, SP5 IE6 SP1, and NIS 2003 with all of
    > the updates. L2TP Cable internet is through 3Com wireless
    > Officeconnect 3CRWE554G72T router.
    >
    > The problem is this: every few hours, one of the computers (any one,
    > not a particular one) will have a partial failure of internet service:
    > I can't browse the web but email, Skype and FTP still work. After
    > 10-30 minutes the problem rights itself. The other computers in the
    > network don't usually experience this problem at the same time (i.e.
    > they are fine except the one that doesn't work). I thought my router
    > has a hardware problem but then I noticed that every time the problem
    > happens, just before it my NIS 2003 reports a "portscan" of
    > 192.168.1.1 (domain 53).
    >
    > 192.168.1.1 is, of course, the router address...
    > I have tried to have the PCs configured statically (with DNS servers)
    > as well as DHCP automatic config; it doesn't improve the issue.
    > If I disable NIS 2003 and then immediately enable it, internet service
    > resumes...
    > I scanned all open ports with a web security site and it reports that
    > only port 113 is closed (the rest are stealthed).
    >
    > That's as far as my networking skills go
    >
    > Thanks...!


    Thanks for what? I fail to see the problem. You've intentionally installed
    a software for the purpose of randomly ****ing up your network. And now you
    can see this happening. What's strange about that?

  3. Re: Strange problem with software or hardware router..

    developmental2@walla.com wrote:
    > I have narrowed down a strange phenomenon I get between my Win2k
    > computer network, router and NIS (Norton internet security) 2003. All
    > PC's in the network have Win2k, SP5 IE6 SP1, and NIS 2003 with all of
    > the updates. L2TP Cable internet is through 3Com wireless
    > Officeconnect 3CRWE554G72T router.


    There's no SP5 for Windows 2000.

    > The problem is this: every few hours, one of the computers (any one,
    > not a particular one) will have a partial failure of internet service:
    > I can't browse the web but email, Skype and FTP still work. After
    > 10-30 minutes the problem rights itself. The other computers in the
    > network don't usually experience this problem at the same time (i.e.
    > they are fine except the one that doesn't work). I thought my router
    > has a hardware problem but then I noticed that every time the problem
    > happens, just before it my NIS 2003 reports a "portscan" of
    > 192.168.1.1 (domain 53).


    Congratulations. You just discovered why automatic network shunning
    (like e.g. the "block attacker's IP address" feature implemented by
    NoISe) is utterly braindead.

    What you're experiencing is most likely this: NoISe regards incoming
    traffic with the source IP of your router as an attack (for whatever
    reason), and subsequently blocks the IP address of your router for about
    half an hour. Bang! No Internet for this host.

    [...]
    > I scanned all open ports with a web security site and it reports that
    > only port 113 is closed (the rest are stealthed).


    "Stealth" is another braindead "feature" of NoISe. A computer is not
    invisible just because it doesn't respond to echo requests.

    Why do you need a personal firewall on your hosts anyway? Filter
    unsolicited traffic on your network borders and remove NoISe from your
    hosts.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
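
The failure mode described in the reply above, as an added example that is not part of the original thread and is not NIS's actual detection logic: a toy auto-shunning firewall (hypothetical `Shunner` class) that counts how many distinct local ports one source has hit. The threshold, window and traffic are constructed assumptions, since the reply leaves the trigger open ("for whatever reason").

```python
from collections import defaultdict

ROUTER = "192.168.1.1"    # gateway and DNS forwarder address from the thread
THRESHOLD = 5             # assumed: distinct local ports hit within WINDOW
WINDOW = 10.0             # assumed: seconds
BLOCK_SECONDS = 30 * 60   # "about half an hour", as described in the reply


class Shunner:
    """Toy host firewall that auto-blocks any source it classifies as a scanner."""

    def __init__(self, track_outbound):
        self.track_outbound = track_outbound
        self.pending = set()            # (remote_ip, remote_port, local_port)
        self.hits = defaultdict(list)   # src_ip -> [(time, local_port)]
        self.blocked_until = {}         # src_ip -> time the block expires

    def is_blocked(self, t, ip):
        return self.blocked_until.get(ip, 0.0) > t

    def outbound(self, local_port, dst_ip, dst_port):
        self.pending.add((dst_ip, dst_port, local_port))

    def inbound(self, t, src_ip, src_port, local_port):
        """Return True if the packet is delivered to the host."""
        if self.is_blocked(t, src_ip):
            return False
        if self.track_outbound and (src_ip, src_port, local_port) in self.pending:
            return True                 # solicited reply: never counted as a probe
        recent = [(ts, p) for ts, p in self.hits[src_ip] if t - ts <= WINDOW]
        recent.append((t, local_port))
        self.hits[src_ip] = recent
        if len({p for _, p in recent}) >= THRESHOLD:
            self.blocked_until[src_ip] = t + BLOCK_SECONDS
            return False
        return not self.track_outbound  # naive mode lets the packet through


def simulate(track_outbound):
    """Constructed traffic: 8 DNS lookups in 4 s, then one more a minute later."""
    fw, delivered = Shunner(track_outbound), 0
    times = [i * 0.5 for i in range(8)] + [60.0]
    for i, t in enumerate(times):
        port = 50000 + i                # each lookup uses a new ephemeral port
        fw.outbound(port, ROUTER, 53)
        delivered += fw.inbound(t + 0.02, ROUTER, 53, port)
    return delivered, fw.is_blocked(times[-1] + 1, ROUTER)

print("no state tracking:", simulate(False), "| tracks own queries:", simulate(True))
```

Without state tracking, the resolver's own replies trip the scan heuristic on the fifth lookup and the gateway stays shunned for the later lookup as well. When replies are matched to the host's outbound queries, all nine lookups succeed and nothing is blocked.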

  4. Re: Strange problem with software or hardware router..

    On Feb 17, 4:58 pm, Ansgar -59cobalt- Wiechers wrote:
    > development...@walla.com wrote:
    > > I have narrowed down a strange phenomenon I get between my Win2k
    > > computer network, router and NIS (Norton internet security) 2003. All
    > > PC's in the network have Win2k, SP5 IE6 SP1, and NIS 2003 with all of
    > > the updates. L2TP Cable internet is through 3Com wireless
    > > Officeconnect 3CRWE554G72T router.
    >
    > There's no SP5 for Windows 2000.
    >
    > > The problem is this: every few hours, one of the computers (any one,
    > > not a particular one) will have a partial failure of internet service:
    > > I can't browse the web but email, Skype and FTP still work. After
    > > 10-30 minutes the problem rights itself. The other computers in the
    > > network don't usually experience this problem at the same time (i.e.
    > > they are fine except the one that doesn't work). I thought my router
    > > has a hardware problem but then I noticed that every time the problem
    > > happens, just before it my NIS 2003 reports a "portscan" of
    > > 192.168.1.1 (domain 53).
    >
    > Congratulations. You just discovered why automatic network shunning
    > (like e.g. the "block attacker's IP address" feature implemented by
    > NoISe) is utterly braindead.
    >
    > What you're experiencing is most likely this: NoISe regards incoming
    > traffic with the source IP of your router as an attack (for whatever
    > reason), and subsequently blocks the IP address of your router for about
    > half an hour. Bang! No Internet for this host.
    >
    > [...]
    >
    > > I scanned all open ports with a web security site and it reports that
    > > only port 113 is closed (the rest are stealthed).
    >
    > "Stealth" is another braindead "feature" of NoISe. A computer is not
    > invisible just because it doesn't respond to echo requests.
    >
    > Why do you need a personal firewall on your hosts anyway? Filter
    > unsolicited traffic on your network borders and remove NoISe from your
    > hosts.
    >
    > cu
    > 59cobalt


    Thanks for that. The reason I left NIS on my pc's is because I
    figured the hardware NAT "firewall" is not the same as a real
    firewall, i.e. it can't protect against many types of security risks
    that something like NIS can (with all of its admitted flaws).
    I have also thought about opening the 192.168.1.1 ip for unlimited
    traffic on NIS (i.e. placing the gateway IP inside the NIS DMZ), but
    isn't that the same as removing NIS?

    Thanks


  5. Re: Strange problem with software or hardware router..

    developmental2@walla.com wrote:
    > On Feb 17, 4:58 pm, Ansgar -59cobalt- Wiechers wrote:
    >> development...@walla.com wrote:
    >>> The problem is this: every few hours, one of the computers (any one,
    >>> not a particular one) will have a partial failure of internet
    >>> service: I can't browse the web but email, Skype and FTP still work.
    >>> After 10-30 minutes the problem rights itself. The other computers
    >>> in the network don't usually experience this problem at the same
    >>> time (i.e. they are fine except the one that doesn't work). I
    >>> thought my router has a hardware problem but then I noticed that
    >>> every time the problem happens, just before it my NIS 2003 reports a
    >>> "portscan" of 192.168.1.1 (domain 53).
    >>
    >> Congratulations. You just discovered why automatic network shunning
    >> (like e.g. the "block attacker's IP address" feature implemented by
    >> NoISe) is utterly braindead.
    >>
    >> What you're experiencing is most likely this: NoISe regards incoming
    >> traffic with the source IP of your router as an attack (for whatever
    >> reason), and subsequently blocks the IP address of your router for
    >> about half an hour. Bang! No Internet for this host.
    >>
    >> [...]
    >>> I scanned all open ports with a web security site and it reports that
    >>> only port 113 is closed (the rest are stealthed).
    >>
    >> "Stealth" is another braindead "feature" of NoISe. A computer is not
    >> invisible just because it doesn't respond to echo requests.
    >>
    >> Why do you need a personal firewall on your hosts anyway? Filter
    >> unsolicited traffic on your network borders and remove NoISe from
    >> your hosts.
    >
    > Thanks for that. The reason I left NIS on my pc's is because I
    > figured the hardware NAT "firewall" is not the same as a real
    > firewall, i.e. it can't protect against many types of security risks
    > that something like NIS can (with all of its admitted flaws).


    If by "protect against many types of security risks" you mean
    controlling which program communicates outbound: NoISe doesn't protect
    against those risks, because the moment it detects a threat, your
    security has already been compromised.

    > I have also thought about opening the 192.168.1.1 ip for unlimited
    > traffic on NIS (i.e. placing the gateway IP inside the NIS DMZ), but
    > isn't that the same as removing NIS?


    If you must keep using NoISe (for whatever reason): just disable the IP
    blocking feature.

    cu
    59cobalt
    --
    "Personal Firewalls are crap. Throw away any personal firewall. Personal
    Firewalls are bad[tm]."
    --Malte von dem Hagen on security-basics
