Community Forums > General Computing and Internet
#1  Sandeep, 11-04-2005, 07:30 PM
Networking and firewalls

Hi, I am new to networking in general and have some questions:
1) When I connect up two computers to my router through 100Mbps LAN connections and then try to copy a file from one to another, I get Sygate Personal Firewall showing a max outgoing transfer rate of about 1.8MB/s. Is this normal, because I would have expected something closer to 12.5MB/s from the apparent connection speeds?
2) Similarly, when I have a 54Mbps wireless connection to the router and send a file to a computer connected to the router by a 100Mbps LAN connection the max outgoing data transfer shows up as about 900KB/s. While this is consistent with the speed I got for the dual 100Mbps connection, this also seems correspondingly low considering the bandwidth numbers on their own. Is this normal?
3) I've tried to set up file and printer sharing on all the computers in my network. They can do this successfully, but only when I set an 'Advanced Rule' in Sygate Personal Firewall for each computer allowing the range of internal IP addresses my router assigns for the network complete access through the firewall. Is this a security risk of some sort? I can imagine one of the computers may accidentally have the 'defence' breached, and once this happens couldn't it easily pass into all the other computers in my network since the firewall allows this full access? If I don't have this 'Advanced Rule' though, then the computers fail to see the shared folders and can't reach the shared printer. Is there some way for me to tighten up the rule, perhaps with specific ports to allow file and printer sharing but not anything else? This would seem best because I don't need anything else from the network, since each computer has access to the router itself.

Sorry for all the simple questions, but everyone has to start somewhere.
#2  Ralph Bacon, 18-04-2005, 07:26 PM
1) Get a really large file of known size (eg 100Mbytes). Time the transfer. Work out bytes per second. Is it still only 1.8Mbytes/sec, which is certainly slow?

2) Ditto. Also, download NetMeter which is free for personal use and will show you exactly what speed you are really getting. I wouldn't rely on Sygate for monitoring your network speed.

3) In order to share files your firewall must, of course, allow those computers through (in both directions). However, as long as your network is NATted (eg your home network is 10.247.x.x, or 192.168.x.x) then there is no extra security risk as such.

Of course, if one of your computers got a virus it could be passed to other computers in your network if you allowed them full access (which the firewall on each PC almost definitely won't; it will allow communication just for file sharing). But of course you're running both firewall and anti-virus on each PC in your network, aren't you? (And probably a spyware detector too, these days - try the Microsoft beta version, I've heard good reports about it).

Hope this helps a bit...
__________________
f2s wires-only 2048k 2Gb capped, 50:1, average d/l speed 1850kb/s
ASUS AAM6000EV modem, Belkin 5 port switched hub
Windows XP Professional, MySQL, PHP, Lotus Notes 6.5
My Website
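The measurement Ralph describes above (known size, wall-clock time, bytes per second), as an added example that is not part of the thread and is not NetMeter's code. It pushes a fixed number of bytes over a plain TCP stream and reports the rate, together with the bits-to-bytes conversion behind the 12.5MB/s figure in the first post. Both ends run on 127.0.0.1 so it is self-contained; to measure a real link, run the receiving side on one PC and point the sender at that machine's address.

```python
import socket
import threading
import time

# Added example: time a transfer of known size and work out bytes per second.
# Loopback only as written; the host argument is where a second PC would go.

CHUNK = 64 * 1024


def link_capacity_mbytes_per_sec(link_mbps: float) -> float:
    """Advertised link speed in megabits/s -> megabytes/s (100 Mbps -> 12.5 MB/s)."""
    return link_mbps / 8.0


def _receive_exactly(listener: socket.socket, nbytes: int, result: dict) -> None:
    """Accept one connection and read until nbytes have arrived or the peer closes."""
    conn, _ = listener.accept()
    with conn:
        got = 0
        while got < nbytes:
            buf = conn.recv(CHUNK)
            if not buf:
                break
            got += len(buf)
    result["received"] = got


def measure_throughput(nbytes: int = 16 * 1024 * 1024, host: str = "127.0.0.1") -> dict:
    """Send nbytes over TCP and return bytes received, elapsed seconds and MB/s."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result: dict = {}
    worker = threading.Thread(target=_receive_exactly, args=(listener, nbytes, result))
    worker.start()

    payload = b"\x5a" * CHUNK  # fixed pattern; the content does not affect timing
    start = time.perf_counter()
    with socket.create_connection((host, port)) as sender:
        sent = 0
        while sent < nbytes:
            n = min(CHUNK, nbytes - sent)
            sender.sendall(payload[:n])
            sent += n
    worker.join()  # returns once the receiver has drained everything
    elapsed = time.perf_counter() - start
    listener.close()

    received = result.get("received", 0)
    rate = received / elapsed / (1024 * 1024) if elapsed > 0 else float("inf")
    return {"received": received, "seconds": elapsed, "mbytes_per_sec": rate}


def share_of_link(mbytes_per_sec: float, link_mbps: float) -> float:
    """Fraction of the nominal link capacity actually achieved (1.8 MB/s on 100 Mbps -> 0.144)."""
    return mbytes_per_sec / link_capacity_mbytes_per_sec(link_mbps)


if __name__ == "__main__":
    r = measure_throughput()
    print(f"{r['received']} bytes in {r['seconds']:.3f} s = {r['mbytes_per_sec']:.1f} MB/s")
    for link in (100, 54):
        print(f"{link} Mbps link: nominal {link_capacity_mbytes_per_sec(link):.2f} MB/s, "
              f"1.8 MB/s is {share_of_link(1.8, link):.0%} of it")
```

On loopback the number is meaningless as a LAN figure (it measures the kernel, not the wire); the point is the method: a known byte count divided by measured seconds, compared against link speed in the same units.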
#3  Sandeep, 18-04-2005, 11:27 PM
Thanks for the hint about NetMeter. It confirms what Sygate was giving a rough indicator of, but there are some complications.

One way transfer is running at about 5.2Mbyte/s. Is this normal throughput for a wired 100Mbps connection?

Transfer between the same computers but in the opposite direction is limited to about 1.9Mbyte/s. This is with a file transfer from my newish laptop to the 4-year old desktop. The PC has about 15% hard disk space free, is running Windows Millennium and has 256MB RAM, while the laptop is much higher spec. Do you think there is something on the desktop which is limiting its ability to write to the hard disk at greater than 2Mbyte/s so the transfer speed is being limited to just that?

I haven't tested out the wireless side, and I have another laptop that I can connect to further investigate the wired LAN issue, but all that will have to wait till tomorrow (later today really).

Is the ~5Mbyte/s fast enough or does it still seem low? Should I be aiming for that between all the wired LAN connections?

As for the firewall side of things.....I am running the firewall on each computer (along with anti-virus, anti-spyware, etc) but if my 'Advanced Rule' is on the firewall on all the computers (since they don't communicate otherwise) then wouldn't that allow any program on any port from one computer to access another in the network? Here's what the rule I have set is explained as in Sygate:
Quote:
Rule Summary:
This rule will allow both incoming and outgoing traffic from/to IP address(es) 192.168.0.1-192.168.0.9 on all ports and protocols. This rule will be applied to all network interface cards.
This seems a little bit too open for my liking. Is there some way to tighten up the rule without disrupting file and printer sharing in my network?

Thanks for your help.

Last edited by Sandeep; 19-04-2005 at 10:10 PM.
#4  Ralph Bacon, 19-04-2005, 04:11 PM
Yes, NetMeter is good, isn't it?

On a very quick PC-2-PC test on my 100Mbit network I got between 6 and 7 Mbytes/sec on a single 50Mbyte file transfer. So your 5Mbyte is probably not that far off the norm. Perhaps it depends on the speed of your PC, your hard disk speed, the make of network card etc at the end of the day.

The other way, I got only 5Mbytes/sec but the receiving computer was a much lower spec (500Mhz VIA Eden) so I'm not that surprised.

Regarding file sharing, you most certainly don't need all the ports and protocols open. In fact I would say the opposite. Shut all ports EXCEPT those used for file and print sharing (eg port 445 on Windows XP).

In fact, here's a very good article explaining it all: File and Printer Sharing. As I don't know what OS you're running this tells you how they differ too in terms of file and print sharing etc. Have a good read. And lock down your PCs!
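The difference between the "all ports and protocols" rule quoted in post #3 and the tightened rule Ralph recommends in post #4, as an added example that is not part of the thread and is not Sygate's rule engine. It is a small default-deny model of a host firewall, evaluated against a handful of constructed inbound connection attempts. The port list is the standard one for Windows file and printer sharing: UDP 137 and 138 and TCP 139 for NetBIOS over TCP/IP (the only transport Windows 9x/ME have), plus TCP 445 for SMB hosted directly on TCP (Windows 2000/XP and later). The 192.168.0.1-192.168.0.9 range is the router's pool from the thread; the sample remote addresses are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Added example (not from the thread, not Sygate's code): default-deny model of
# a host firewall to compare an open LAN rule with a file/print-only rule.

# Ports used by Windows file and printer sharing.
FILE_PRINT_PORTS: FrozenSet[Tuple[str, int]] = frozenset({
    ("udp", 137),  # NetBIOS name service (turns \\MEDEVIL into an IP address)
    ("udp", 138),  # NetBIOS datagram service (browse list / Network Neighbourhood)
    ("tcp", 139),  # NetBIOS session service (SMB over NetBIOS; all Windows 9x/ME use this)
    ("tcp", 445),  # SMB directly over TCP (Windows 2000/XP and later)
})

# The router's DHCP pool quoted in the thread.
LAN_RANGE = (ipaddress.IPv4Address("192.168.0.1"), ipaddress.IPv4Address("192.168.0.9"))


@dataclass(frozen=True)
class Rule:
    name: str
    remote_range: Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]  # inclusive
    allowed: Optional[FrozenSet[Tuple[str, int]]]  # None means any port and protocol

    def matches(self, remote_ip: str, proto: str, local_port: int) -> bool:
        ip = ipaddress.IPv4Address(remote_ip)
        low, high = self.remote_range
        if not (low <= ip <= high):
            return False
        return self.allowed is None or (proto.lower(), local_port) in self.allowed


# The rule as Sygate summarised it in post #3.
OPEN_RULE = Rule("allow LAN, all ports and protocols", LAN_RANGE, None)
# The tightened alternative from post #4.
TIGHT_RULE = Rule("allow LAN, file and printer sharing only", LAN_RANGE, FILE_PRINT_PORTS)


def decide(rule: Rule, remote_ip: str, proto: str, local_port: int) -> str:
    """Default deny: anything the rule does not explicitly allow is blocked."""
    return "allow" if rule.matches(remote_ip, proto, local_port) else "block"


# Constructed inbound attempts: (remote IP, protocol, local port, description).
ATTEMPTS = [
    ("192.168.0.4", "tcp", 139, "SMB from another LAN PC"),
    ("192.168.0.4", "udp", 137, "NetBIOS name query from a LAN PC"),
    ("192.168.0.4", "tcp", 3389, "Remote Desktop from a compromised LAN PC"),
    ("192.168.0.4", "tcp", 135, "RPC endpoint mapper from a compromised LAN PC"),
    ("192.168.0.20", "tcp", 139, "SMB from an address outside the DHCP pool"),
    ("203.0.113.7", "tcp", 445, "SMB from the internet"),
]


def compare(attempts=ATTEMPTS):
    """(description, decision under OPEN_RULE, decision under TIGHT_RULE) for each attempt."""
    return [
        (what, decide(OPEN_RULE, ip, proto, port), decide(TIGHT_RULE, ip, proto, port))
        for ip, proto, port, what in attempts
    ]


if __name__ == "__main__":
    for what, open_decision, tight_decision in compare():
        print(f"{what:48s} open: {open_decision:5s} tight: {tight_decision}")
```

The two rules agree on every file-sharing packet and on everything from outside the pool; they differ only on the third and fourth rows, which is exactly the lateral-movement case raised in post #1: with the open rule a single infected PC can reach every listening service on its neighbours, with the tight rule it can reach only the sharing ports.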
#5  Sandeep, 19-04-2005, 10:08 PM
Very useful article.

I've now got a rule like this:
Quote:
Rule Summary:
This rule will allow both incoming and outgoing traffic from/to IP address(es) 192.168.0.1-192.168.0.9 on TCP local port(s) 139. This rule will be applied to all network interface cards.
The connection between a Windows XP laptop and my Windows Millennium desktop seems fine for file and printer sharing. I'm not going to pretend I took all the information in though - I'm not sure how port 139 alone allows for full functionality considering they said SMB was important but that runs via port 138. Anyway, I think if I can set up an advanced rule to allow complete access via just one port and it still allows me to do everything I want in my network, then that's secure enough.

Any further opinions or advice Ralph? Like I said I'm a beginner to home networking, and I can use any tips you may have.
#6  Ralph Bacon, 20-04-2005, 05:36 PM
Well, you can always test your network to see how "secure" it is using Steve Gibson's website. It will "probe" your network (mmm...) and let you know how secure he thinks it is.

As that article states, however, he does tend to sensationalise things a bit (that's not to denigrate his excellent work in making network security issues public, however).

His site is https://grc.com/x/ne.dll?bh0bkyd2 (actually this is a direct link to his "Shields Up" page). Well worth a look.

Regarding your use of a single port (139), this is indeed the "File Sharing" port. What I'd be interested in though, is whether you can now still "ping <machine name>" where <machine name> is the name you have given your laptop (and from there to PC) because I think to do that you need port 137 open. It may also be used to populate the Network Neighbourhood names. How do you map a drive to another machine, by name or IP address? Or perhaps you map a specific share, as in \\machine name\<share name>?
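What actually travels over port 137 when you "ping <machine name>" or open \\MEDEVIL\MYSHARE, as an added example that is not part of the thread and is not Windows' own code: a NetBIOS Name Service query (RFC 1001/1002) is broadcast to UDP 137 and the machine owning the name answers with its IP address. The block builds such a query, decodes it again, and can broadcast it. MEDEVIL is the placeholder name from the post above, not a real host, and the 192.168.0.255 broadcast address is an assumption matching the 192.168.0.x pool from the thread.

```python
import socket
import struct
from typing import Optional, Tuple

# Added example (not from the thread): NetBIOS Name Service query for UDP port 137.

NBNS_PORT = 137
FLAGS_BROADCAST_QUERY = 0x0110  # opcode QUERY, RD (recursion desired), B (broadcast)
QTYPE_NB = 0x0020               # NetBIOS general name service resource record
QCLASS_IN = 0x0001
SUFFIX_WORKSTATION = 0x00       # <name><00>: workstation service
SUFFIX_FILE_SERVER = 0x20       # <name><20>: file server service, what \\NAME\share needs


def encode_name(name: str, suffix: int = SUFFIX_FILE_SERVER) -> str:
    """First-level encoding: 15-char space-padded name plus suffix byte; each byte
    is split into two nibbles and each nibble written as a letter A..P."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix & 0xFF])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_name(encoded: str) -> Tuple[str, int]:
    """Inverse of encode_name; returns (name without padding, suffix byte)."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_query(name: str, suffix: int = SUFFIX_FILE_SERVER, txid: int = 0x1234) -> bytes:
    """NAME QUERY REQUEST: 12-byte header (QDCOUNT=1), one question, nothing else."""
    header = struct.pack("!HHHHHH", txid, FLAGS_BROADCAST_QUERY, 1, 0, 0, 0)
    question_name = bytes([32]) + encode_name(name, suffix).encode("ascii") + b"\x00"
    return header + question_name + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def parse_query(pkt: bytes) -> dict:
    """Decode a query built as above or captured off the wire; raises on malformed input."""
    if len(pkt) < 50:
        raise ValueError("packet too short for an NBNS name query")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1 or pkt[12] != 32 or pkt[45] != 0:
        raise ValueError("unexpected question section")
    name, suffix = decode_name(pkt[13:45].decode("ascii"))
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    return {"txid": txid, "flags": flags, "name": name, "suffix": suffix,
            "qtype": qtype, "qclass": qclass, "is_response": bool(flags & 0x8000)}


def send_query(name: str, broadcast: str = "192.168.0.255", timeout: float = 1.0) -> Optional[bytes]:
    """Broadcast the query on the LAN and return the first raw reply, or None on timeout.
    Needs a real NetBIOS host on the segment; not exercised by the offline part."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_query(name), (broadcast, NBNS_PORT))
        try:
            reply, _ = s.recvfrom(1024)
            return reply
        except socket.timeout:
            return None


if __name__ == "__main__":
    pkt = build_query("MEDEVIL")
    print(len(pkt), "bytes:", pkt.hex())
    print(parse_query(pkt))
```

A firewall rule that allows only TCP 139 lets an already-resolved session through but blocks this query, which is why the name stops resolving and the router's device list shows "unknown"; the query is a broadcast, so a per-IP rule still has to permit UDP 137 from the LAN range for the reply to be sent at all.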
#7  Sandeep, 20-04-2005, 06:12 PM
Actually I've always passed that particular test with full stealth - I think this is because it is testing my router, and that configuration hasn't been changed from the default with all inbound communication being blocked.

Now that you've brought it up, this is no doubt the reason that on my 'Attached Devices' page in the router setup where it has previously given the machine name, it now says unknown even though the devices are attached and working properly - I thought it was just some random thing, but it must be because I'm blocking the other ports. I can ping my router (by the assigned network IP address) but can't ping from one computer to another.

You ask some interesting questions about the 'Network Neighbourhood' setup. When I said I was a beginner I meant it! I first set up the network using the Windows XP Networking Wizard on my laptop, and used a floppy disk to transfer the settings to my other computers. I had no idea if it would work out but it did (once I realised that turning off the firewall on each computer was needed in order for them to communicate). I then proceeded to set up the advanced rule already discussed and things were working but seemed insecure, which is what led me to start this thread.

I have no idea how 'mapping the drive' works. I've seen the option in the 'Tools' menu but never used it. On each computer I simply have a single shared folder (is this the 'mapping a specific share' you speak of), and have added the printer connected to my desktop which allows printer sharing.

I guess I could allow port 137 if it will allow me to ping within the network. I do have one remaining problem though, in that another laptop with Windows 2000 seems to 'see' the shared folder on the Windows Millennium desktop (and can share the printer attached to it) but doesn't show the two Windows XP laptops' shared folders on the Network Neighbourhood. This has been a problem even when I had my previous advanced rule allowing traffic on all ports, so it's unrelated to the changes I've made since. When I go to 'Add a new network place' and explore a bit around there, only the desktop seems to exist, with neither of the Win XP laptops available to create a connection. Any idea what may be happening? It's not a big problem since I only really need it communicating with the desktop, but I would like to see what I am doing wrong which prevents it from networking with these other laptops.
#8  Ralph Bacon, 20-04-2005, 06:39 PM
You're right in saying that your router is being checked, not your PCs. That alone, though, should give you restful nights because your router is a pretty good first line of defense. My router reports "closed" not "stealthed" but it doesn't worry me, despite Steve Gibson's site displaying the alarming "FAILED" warning on my results page!

So you're using Network Neighborhood to "map" to your shared drives? I've found it notoriously unreliable, as it requires NETBIOS communication to get it working properly over a lengthy time frame; as you have now blocked most ports it's even less likely to work properly between your XP laptops and your ME desktop!

From one of your XP laptops, try using Tools, Map Network Drive. In the pop-up box, enter the "name" you have given your ME (or other) machine preceded by two backslashes to indicate it is a machine name (eg \\MEDEVIL) followed by the name of the shared directory. The full thing will look like this: \\MEDEVIL\MYSHARE and press OK. If it says something like "unable to connect to MEDEVIL" then it does not know how to convert MEDEVIL to its IP Address. We can deal with that if and when the error occurs.

If it works then you will see a new "Drive" letter in your Windows Explorer list that is "mapped" to the share on whichever other computer you are connected to.

Let me know what happens! FYI I used to have all the problems you are describing but over the years I've learned to resolve them (and, of course, upgrading everything to XP makes life sooo much simpler!).
#9  Sandeep, 20-04-2005, 08:10 PM
Well the network connections between the two XP laptops and the ME desktop have been stable (I only keep them running during the day, so the longest they have had to run is about 20 hours). Still, I gave your suggestion a go and was able to connect the Win 2000 laptop to the XP laptops. However, it can't be connected through the desktop. This asks for a password but then doesn't recognise it, probably because it hasn't given me the option of entering the Win 2000 laptop's username like the Win XP laptops had.

Are there settings to allow a different username to log in to the laptop via the Windows ME desktop?
All times are GMT.