Re: Internet connection sharing on a LAN
- From: Chuck <none@xxxxxxxxxxx>
- Date: 14 Apr 2005 11:10:03 -0500
On Wed, 13 Apr 2005 23:10:54 -0600, "Steve Winograd [MVP]" <winograd@xxxxxxxxx>
wrote:
>In article <acmq51dj4l4pm881k3n6dpklusk6aue035@xxxxxxx>, Chuck
><none@xxxxxxxxxxx> wrote:
>>>I agree with you that a [home broadband] router is a better solution
>>>than ICS for most users. However, a typical router won't work with
>>>cable modems or DSL modems that only have USB outputs.
>>>
>>>Why do you say that "a router is the responsible solution" and "All
>>>computers will be safer"?
>>>
>>>If you're implying that using ICS is irresponsible and unsafe, I
>>>disagree. In my opinion, a network with an ICS host computer using
>>>Windows XP's built-in firewall or a third-party firewall program is
>>>just as "responsible" (whatever that means) and just as safe as a
>>>network with a router.
>>>
>>>I also disagree that "All computers will run better" with a router.
>>>Client computers work exactly the same whether they connect to the
>>>Internet through an ICS host computer or through a router.
>>
>>Steve,
>>
>>You make a point about the USB issue. I personally do not recommend USB
>>broadband modems for 3 reasons:
>>1) Support for Ethernet is built into Windows, but support for a USB networked
>>modem frequently means installing another driver.
>>2) I prefer to devote my USB bus to non-networked applications. The Ethernet
>>controller is for networking.
>>3) Using a USB broadband modem prevents you from using a NAT router.
>>
>>IMO, a NAT router is something that should be used between every computer and
>>the internet.
>>
>>In principle, I agree with you about the personal firewall issue. A personal
>>firewall (preferably a certified ICSA firewall, not ICF / WF) provides almost as
>>much protection as a NAT router. This discussion goes on periodically in forums
>>like comp.security.firewalls.
>>
>>There are two reasons why I prefer a NAT router over (in addition to) a personal
>>firewall, even a certified one.
>>1) The personal firewall, running on your computer, runs under the operating
>>system. The personal firewall is endangered, like any other portion of the
>>operating system (and any applications), by your internet activity. Any
>>malware, which you might import as data (thru the NAT router or personal
>>firewall), can interfere with the effectiveness of a personal firewall, just as
>>it can with the operating system or any application.
>>2) The personal firewall, running on your computer, contributes to the CPU
>>load, and to the instability of the computer, and the applications. If
>>improperly configured, a personal firewall can also contribute to confusion by
>>the owner. Just Google for reports by folks who write that Zone Alarm (or other
>>firewall) is using 100% of CPU, and who discover that it's set to report all
>>"intrusion attempts", and it's spending time analysing probe attempts by
>>infected computers near the subject computer, and logging each "intrusion". A
>>NAT router blocks (drops) such probes, so the personal firewall can concentrate
>>on reporting real security problems.
>>
>>In principle, I agree with you about the ICS issue too. ICS does not place an
>>appreciable amount of load upon, nor cause noticeable instability in, the
>>computer it runs on. By turning your computer into a software router, and using
>>an extra network connection (either a modem, or an Ethernet connection), it does
>>cause just a small amount of setup complexity, CPU load, and instability,
>>factors which I prefer to avoid. To say nothing of its insistence on forcing IP
>>address 192.168.0.1 upon the network interface.
>>
>>I've worked with ICS both here and in person, and I will say repeatedly that the
>>price of a NAT router is far exceeded by the cost of the annoyance and time
>>spent dealing with ICS.
>>
>>With NAT routers costing $100 and up, as they did just a few years ago, ICS was
>>a good idea. Nowadays, with NAT routers costing $40 (at Walmart no less), using
>>ICS, except in very limited circumstances, just isn't worth it.
>>
>>Subtracting $10 for an extra (unbranded) network card, from $40 for a name brand
>>NAT router, gives you $30. How much of your time can you get for $30?
>
>Chuck, thanks for your detailed response to my questions. You've
>obviously given a lot of thought to the subject, and you've given me
>some new things to think about.
>
>I also recommend Ethernet, not USB, for broadband modems, whenever
>possible.
>
>I hadn't thought about the possibility that malware could attack and
>disable a firewall.
>
>Yes, the news groups are full of messages from people who can't get
>file and printer sharing to work with firewalls. I've had cases where
>nothing that I could do (short of un-installing it) would get Norton
>Internet Security to allow sharing. Fortunately, it's easy to set up
>XP's Internet Connection Firewall or Windows Firewall to block access
>by other Internet users while allowing file sharing on the LAN.
>
>ICS's insistence on using 192.168.0.1 is truly annoying. I was a
>systems programmer for many years, and I can't think of any technical
>justification for such inflexibility.
>
>I've installed routers for clients who have a cable modem and a single
>Win98 computer. It's easier, less expensive, and just as effective as
>having them pay me to install a software firewall.
YW, Steve. It's good to occasionally question, and enumerate, the details
behind the recommendations.
--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.