General security advice

Posted on 2006-06-01
Last Modified: 2013-11-16
The other day on a different question, r-k said that he wouldn't use ZoneAlarm.   That got me thinking that I should review what I'm doing.   Here's my network layout:

- A DSL modem connects me in bridge mode to my ISP.
- I run a cable for the DSL modem to a WRT45G broadband router's Internet port (router1).
- From router1, some physical cables go to computers and
- From router1, one physical cable goes to another WRT45G router (router2)
  - router2 connects via WiFi to two laptops and several PDAs
- From router1, several PDAs attach via WiFi

- Router1 has its firewall enabled
  - the only ports allowed through are 25 and 110 (I run a mail server)
- All my systems (non-PDA) behind the router1 firewall run ZoneAlarm
  - Firewall is enabled
  - AntiVirus is enabled
  - Incoming and outgoing E-mail protections are enabled
- All my systems (non-PDA) behind the router1 firewall run Microsoft's AntiSpyware

I'd like a critique and some clean advice on how I might best arrange this for
- minimum fuss
- least money
- best security

and some explanations why you suggest what you do.

Many thanks in advance.
Question by:gallymon

    Author Comment

    Let me add that I should have said 'rearrange' not arrange.   I have no objections to changing s/w and/or h/w if the reasons are compelling.

    Expert Comment

    Nothing wrong with Zone Alarm...You seem to have things under control.

    Author Comment

    Well, I'm not too confident of your answer as I forgot to mention how I secure my WiFi and that should have been part of any comment.

    With the WiFi, I do the following:

    - I use 40 bit WEP
    - I have a table of MACs and only those which are mine can pass into the network.
    - I do broadcast my SSID though I know it is better not to.

    If there's something better than ZoneAlarm, I'd like to know and I'd like to know what the best anti-virus and spyware solutions are currently.

    Expert Comment

    I should maybe clarify what I may have said about ZoneAlarm. There is nothing much wrong with it, and in general it is a better firewall than most others that I have tried (e.g. I think it is better than Kerio). The reasons I don't use it myself are four (1) It is more obtrusive than the XP firewall, i.e. puts up many pop-ups asking whether you want to allow this or that (2) It installs many drivers and services that are bound to suck up memory and cpu, though not quite as bad as Norton  (3) It can interfere with certain updates and other software installs, though infrequently, and (4) The free version is more like nagware, it keeps trying to trick you into signing up for the paid version.

    Against these we have to balance the main advantage of ZoneAlarm - It can block outgoing traffic, and this would seem like a major advantage, since the XP firewall blocks no outgoing traffic. What if we were to acquire a trojan, would it not be best to have a window pop-up and tell us about it?

    For a certain class of users, ZoneAlarm is indeed the best firewall. I would classify them as users who are advanced enough to understand pop-ups, but still engaging in risky habits so they might acquire some malware. (perhaps such users might frequent sites like this one...).

    However, my experience has been that the vast majority of users do not fall in this group. The problem is that just about all but a very few users will click on "Allow" when presented with a pop-up they don't understand but which appears routinely. This may be compared to the dreaded EULA's that we all love to read when installing software. I can't remember how many I've read, but it is sure a lot less than the number of times I clicked on "I Agree". Such is the case with ZoneAlarm pop-ups - there are too many of them, and most people can't tell which one to allow and which one to block. Many a time I've had to clean up an infected machine with ZoneAlarm installed, and the owner had been happily clicking on "Allow" without knowing why.

    Therefore, the main advantage of ZoneAlarm is not a real advantage for most people, and we are left with the nuisance factor. That is why I use the XP firewall. OTOH, if you are happy with ZoneAlarm and don't mind the extra bother, it is just as effective as the XP firewall, and there is no reason to change.

    Assisted Solution

    To address your real question:

    I recommend (on each user PC):

    (1) a software firewall, either ZoneAlarm or XP Firewall
    (2) Any one AV program that you can keep updated.
    (3) Windows Defender (new name for MS anti-spyware)

    Real protection still depends on the users not clicking on untrustworthy links and attachments, keeping in mind that the malware writers are getting ever more clever, not to mention making fewer grammatical errors.

    I am wondering why you have router-2 at all. Is that to extend the range of the wireless network?

    If WEP is working well for you it's probably OK, but WPA is both easier to use and more secure. But it depends, if you are dealing with sensitive (e.g. financial) information then definitely go WPA and stop broadcasting the SSID. But if it's more of a routine office environment then what you have should be fine.

    Last but not least, there is no security like having nightly and/or weekly backups, with preferably an off-site copy.

    Good luck.


    Accepted Solution

    Hi gallymon

    I would second r-k on the ZoneAlarm point - there is nothing intrinsically wrong with it and it does offer controls over outgoing traffic (which is the main negative point regarding the built-in XP SP2 firewall) - but if you are using an edge firewall then this can be used to provide outgoing traffic control. Personally I find ZoneAlarm to be a pain for the reasons stated - users do not want to have to deal with pop-ups asking them if X or Y should be permitted.

    One thing I would add - the main weakness around WEP is that it is possible to crack the keys if you capture enough packets, so in addition to the above advice I would suggest regularly changing your WEP passwords.




    Author Comment

    r-k and kevin,

    Thanks for your responses. I believe I have what I wanted. I'm glad to know/believe that my setup is reasonable. I have been using ZoneAlarm for several years and with it and careful habits, it has been a very long time since a nasty has gotten into my systems.

    r-k, the reason I use the router on the edge is because I used to use my main system, a quad CPU server2003 machine, to do the routing function and that meant that I had to leave it running all the time for others on my network to have Internet access. With the WRT45G router, I can now shut down my local machines if I want and the two college students here can still use the Internet. The second router is at a distance from the first and its main purpose is to help spread the WiFi cloud smoothly through my house.
