Re: XP Pro does not map Computer Names to Network IP addresses Why?



On Mon, 30 May 2005 16:25:44 GMT, Dennis@xxxxxxxxxx wrote:

>Chuck <none@xxxxxxxxxxx> wrote:
>
>>Dennis,
>>
>>The Trusted Zone, if for the subnet, is controlled by the 255.255.255.0 yes.
>>Meaning that's 255 addresses you would trust. If you only have say a dozen
>>computers, that would include 240+ addresses open to abuse.
>>
>>If you have a wireless LAN (i.e. can't control the physical media like with a
>>wired LAN), you ought to permit access thru the firewall on each computer only
>>to known computers that YOU own. If an intruder associated with your WAP, and
>>you were Trusting your subnet, he would be half in already. If you trust only
>>individual ip addresses, assigned by you, he would have a harder time getting
>>thru your personal firewalls. And if you manually assign ip addresses, he would
>>have to figure out your subnet before he could assign himself an address.
>>
>>Do you understand how incredibly stupid Walter Nowakowski (the wardriver
>>mentioned in the first link from my webpage) was? Yet he was surfing away.
>>Imagine how smart the smart wardrivers are. If you're going to have a WLAN, you
>>better not make it easily available. The folks that provided service that
>>Walter hijacked were so lucky that he got caught, and they probably don't even
>>know that they were providing his service.
>
>I'm a little confused on what a subnet is. My router network ip is xxx.xxx.1.0
>and its subnet is 255.255.255.0. The gateway is xxx.xxx.1.1. Let's suppose that
>I've restricted all my computers in the router to be on xxx.xxx.1.200 to
>xxx.xxx.1.255. Let's further suppose that I have 4 computers on the network.
>What would be the subnet addresses I would put into ZAP's firewall zones?
>
>Thanks again for all your help!

Dennis,

If you have 4 computers, plus the router, on the LAN, with a subnet mask of
255.255.255.0, that leaves 250 possible addresses to be hijacked by a wardriver.

The only secure setup in the ZAP Trusted Zone would be individual entries - the
router, plus the 4 computers, one entry at a time.

The router subnet setting determines your subnet. If the router LAN IP address
is xxx.xxx.1.1, and the subnet mask is 255.255.255.0, the subnet will be
xxx.xxx.1.0/24 (another way of saying xxx.xxx.1.1 / 255.255.255.0). This gives
you a subnet with 255 possible host addresses (0 - 254) (you can't use address
255 - it's for broadcasts).

Now, how did you restrict the computers? Would that be the DHCP scope? If so,
that only says that the DHCP server will assign addresses xxx.xxx.1.200 -
xxx.xxx.1.254. But even though the DHCP scope covers only 200 - 254, any
computer can assign itself a fixed ip address of anywhere in 0 - 254 (less of
course the address used by the router LAN address, generally but not always 1).

If the subnet permits 255 addresses, the scope of the DHCP server only restricts
DHCP assignments. It doesn't restrict addresses that can be used. If you
restrict your DHCP scope to whatever, a wardriver can still assign himself any
address inside or outside that range, but on the subnet.

The only valid way to restrict by subnet is to set up a subnet mask properly.
This means that YOUR computer population has to be conveniently numbered at
exactly a power of 2 less 1. Simplest example - if you have 255 computers, a
subnet mask 255.255.255.0 would work. If you have 127 computers, use
255.255.255.128. If 63 computers, use 255.255.255.192. Do you see the
mathematical sequence here?

If you have 4 computers plus a router, you have 5 addresses. You could use
255.255.255.248, which would give 7 possible addresses. This would leave 2
addresses for use by any wardriver that associates with the WAP, and DHCP will
happily assign one if requested.

For any subnet, restricting purely by subnet is a dodgy procedure.

--
Cheers,
Chuck
http://nitecruzr.blogspot.com/
Paranoia is not a problem - it's a normal response from experience.
My email is AT DOT
actual address pchuck sonic net.
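
Added example, not part of Chuck's post: a Python sketch comparing a Trusted Zone that holds the whole subnet with one that holds one entry per device, for a self-assigned address outside the DHCP scope. The 192.168.1.x addresses are constructed stand-ins for the masked xxx.xxx.1.x values, and host counts follow Python's ipaddress module, which excludes the network and broadcast addresses.

```python
import ipaddress

# Constructed sample LAN: the post masks its addresses as xxx.xxx.1.x,
# so 192.168.1.x is an assumed stand-in.
ROUTER = "192.168.1.1"
COMPUTERS = ["192.168.1.200", "192.168.1.201", "192.168.1.202", "192.168.1.203"]
SUBNET_RULE = ["192.168.1.0/24"]      # Trusted Zone = whole subnet
HOST_RULES = [ROUTER] + COMPUTERS     # Trusted Zone = one entry per device
INTRUDER = "192.168.1.50"             # self-assigned, outside DHCP scope 200-254


def is_trusted(src, entries):
    """True if src matches any trusted entry (single host or subnet)."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(e) for e in entries)


def unowned_trusted(trusted_net, owned):
    """Usable host addresses in a trusted subnet that belong to no device of yours."""
    owned_set = {ipaddress.ip_address(a) for a in owned}
    return [h for h in ipaddress.ip_network(trusted_net).hosts() if h not in owned_set]


def smallest_mask_for(device_count):
    """Tightest netmask whose usable host range still holds device_count devices."""
    for prefix in range(30, 0, -1):
        usable = 2 ** (32 - prefix) - 2   # minus network and broadcast addresses
        if usable >= device_count:
            return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask), usable
    raise ValueError("too many devices for one IPv4 subnet")


if __name__ == "__main__":
    print("subnet rule trusts intruder:", is_trusted(INTRUDER, SUBNET_RULE))
    print("host rules trust intruder:  ", is_trusted(INTRUDER, HOST_RULES))
    print("unowned trusted addresses:  ", len(unowned_trusted(SUBNET_RULE[0], HOST_RULES)))
    mask, usable = smallest_mask_for(len(HOST_RULES))
    print("tightest mask:", mask, "usable:", usable, "spare:", usable - len(HOST_RULES))
```

Per-device entries shrink the trusted set to the listed addresses; they do not authenticate whoever currently holds one of those addresses.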