Re: Internet connection sharing on a LAN


In article <acmq51dj4l4pm881k3n6dpklusk6aue035@xxxxxxx>, Chuck
<none@xxxxxxxxxxx> wrote:
>>I agree with you that a [home broadband] router is a better solution
>>than ICS for most users. However, a typical router won't work with
>>cable modems or DSL modems that only have USB outputs.
>>
>>Why do you say that "a router is the responsible solution" and "All
>>computers will be safer"?
>>
>>If you're implying that using ICS is irresponsible and unsafe, I
>>disagree. In my opinion, a network with an ICS host computer using
>>Windows XP's built-in firewall or a third-party firewall program is
>>just as "responsible" (whatever that means) and just as safe as a
>>network with a router.
>>
>>I also disagree that "All computers will run better" with a router.
>>Client computers work exactly the same whether they connect to the
>>Internet through an ICS host computer or through a router.
>
>Steve,
>
>You make a point about the USB issue. I personally do not recommend USB
>broadband modems for 3 reasons:
>1) Support for Ethernet is built into Windows, but support for a USB networked
>modem frequently means installing another driver.
>2) I prefer to devote my USB bus to non-networked applications. The Ethernet
>controller is for networking.
>3) Using a USB broadband modem prevents you from using a NAT router.
>
>IMO, a NAT router is something that should be used between every computer and
>the internet.
>
>In principle, I agree with you about the personal firewall issue. A personal
>firewall (preferably a certified ICSA firewall, not ICF / WF) provides almost as
>much protection as a NAT router. This discussion goes on periodically in forums
>like comp.security.firewalls.
>
>There are two reasons why I prefer a NAT router over (in addition to) a personal
>firewall, even a certified one.
>1) The personal firewall, running on your computer, runs under the operating
>system. The personal firewall is endangered, like any other portion of the
>operating system (and any applications), by your internet activity. Any
>malware, which you might import as data (thru the NAT router or personal
>firewall), can interfere with the effectiveness of a personal firewall, just as
>it can with the operating system or any application.
>2) The personal firewall, running on your computer, contributes to the CPU
>load, and to the instability of the computer, and the applications. If
>improperly configured, a personal firewall can also contribute to confusion by
>the owner. Just Google for reports by folks who write that Zone Alarm (or other
>firewall) is using 100% of CPU, and who discover that it's set to report all
>"intrusion attempts", and it's spending time analysing probe attempts by
>infected computers near the subject computer, and logging each "intrusion". A
>NAT router blocks (drops) such probes, so the personal firewall can concentrate
>on reporting real security problems.
>
>In principle, I agree with you about the ICS issue too. ICS does not place an
>appreciable amount of load upon, nor cause noticeable instability in, the
>computer it runs on. By turning your computer into a software router, and using
>an extra network connection (either a modem, or an Ethernet connection), it does
>cause just a small amount of setup complexity, CPU load, and instability,
>factors which I prefer to avoid. To say nothing of its insistence on forcing IP
>address 192.168.0.1 upon the network interface.
>
>I've worked with ICS both here and in person, and I will say repeatedly that the
>price of a NAT router is far exceeded by the cost of the annoyance and time
>spent dealing with ICS.
>
>With NAT routers costing $100 and up, as they did just a few years ago, ICS was
>a good idea. Nowadays, with NAT routers costing $40 (at Walmart no less), using
>ICS, except in very limited circumstances, just isn't worth it.
>
>Subtracting $10 for an extra (unbranded) network card, from $40 for a name brand
>NAT router, gives you $30. How much of your time can you get for $30?

Chuck, thanks for your detailed response to my questions. You've
obviously given a lot of thought to the subject, and you've given me
some new things to think about.

I also recommend Ethernet, not USB, for broadband modems, whenever
possible.

I hadn't thought about the possibility that malware could attack and
disable a firewall.

Yes, the news groups are full of messages from people who can't get
file and printer sharing to work with firewalls. I've had cases where
nothing that I could do (short of un-installing it) would get Norton
Internet Security to allow sharing. Fortunately, it's easy to set up
XP's Internet Connection Firewall or Windows Firewall to block access
by other Internet users while allowing file sharing on the LAN.

ICS's insistence on using 192.168.0.1 is truly annoying. I was a
systems programmer for many years, and I can't think of any technical
justification for such inflexibility.

I've installed routers for clients who have a cable modem and a single
Win98 computer. It's easier, less expensive, and just as effective as
having them pay me to install a software firewall.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com