
Networking and Zone Alarm

Discussion in 'Security and Privacy' started by beamuse, 2003/12/21.

Thread Status:
Not open for further replies.
  1. 2003/12/21
    beamuse

    beamuse Inactive Thread Starter

    Joined:
    2002/08/16
    Messages:
    63
    Likes Received:
    0
    I have a wireless D-link network card in a 98 'puter and on the Xp 'puter D-link modem running through a D-link router also wireless. As I was attempting to set everything up it became clear that Zone Alarm was interfering so I shut it down. Still problems so I uninstalled.

    After all this I find that Zone Alarm leaves registry entries and dlls in your computer that further interfere with your connections .....thus, all indications tell me the 98 is connected, the Xp 'puter can see the '98 but 98 cannot send or receive. ( It cannot connect to the net or see the XP).

    I went to the ZoneAlarm site and sure enough, other people with the problem. I got detailed instructions on starting in 'safe mode' what files and registry entry to delete.

    My problem however is that the registry entry that I was told to delete is not exactly the same in name as the one that I believe I should delete.

    ZoneAlm says go to regedit - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VXD\VSDATA95 (instead of vsdata95, I have vsd), and inside the file is:
    default - value not set
    start - 00
    static VXD - "VSD "

    Anyone gone in here before?

    Thanx Beamuse
     
  2. 2003/12/22
    beamuse

    beamuse Inactive Thread Starter

    Joined:
    2002/08/16
    Messages:
    63
    Likes Received:
    0
    Update: to be fair to Zone Alarm, the latest version installed on the XP computer uninstalled clean. However, the older version on the 98, I had to go into the registry and get rid of 5 keys and 8 dlls. A careful project for sure.

    I am now up and running, after returning a faulty router, doing the zone alarm clean out and being on the phone with D-link for some time.

    Beamuse
     

  4. 2003/12/23
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    You still need a good firewall of some sort running.
     
    Newt,
    #3
  5. 2003/12/23
    beamuse

    beamuse Inactive Thread Starter

    Joined:
    2002/08/16
    Messages:
    63
    Likes Received:
    0
    I was told by D-link that the router will be a sufficient fire wall as I am now connected behind the router.

    Could you explain why I would need a firewall?

    Thanx Newt
     
  6. 2003/12/24
    beamuse

    beamuse Inactive Thread Starter

    Joined:
    2002/08/16
    Messages:
    63
    Likes Received:
    0
    Anyway, I reinstalled Zone Alarm and have it all configured now. I sure don't want to leave any room for vulnerability.
     
  7. 2003/12/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    beamuse - I tried to find a thread /w a good explanation of NAT and why it is, sorta, kinda, not really a firewall but nothing turned up so here goes. Hopefully enough info to let you (and others) make a decision.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NAT = Network Address Translation.

    NAT is a really great idea someone had to allow multiple users on a LAN (local area network) to share a single real/leased/registered/public IP address. It works as follows (and is the same if you use ICS (internet connection sharing) that Microsoft provides):

    Say you have 4 PCs at home and something that will do NAT for you. The NAT device assigns itself the real (as provided by your ISP) IP address and it's the only device that can be directly seen from the internet. NAT, in turn and using DHCP usually, assigns all your local PCs an IP address in one of the private (never assigned for real) address groups. 192.168.x.x is most common. These addresses cannot cross a router and get to another network or to the internet.

    When one of your PCs wants to connect to an internet address, it sends the request packet via the 'gateway' address it has and that will be the internal IP address of the NAT device. NAT traps the packet, stores info about it in a database, changes the 'From' IP from yours to the public address it has, and sends the packet out to the internet.

    Any response will come back to the NAT device because that's the address it's replying to. NAT will check the packet against its database to decide if it's a response and if so, which PC should get it. The packet is then changed and the public IP address is changed to the proper internal address and you get your response. Lots of housekeeping but hardware can do this stuff really fast.

    However, if a packet comes to the NAT device that doesn't match with any request from your LAN, the packet is discarded and you never see it. So an internet probe of the public IP address never gets in. In this respect, it certainly does protect you from outside attack - and is basically doing the job of a firewall.

    It provides no protection whatever if one of your PCs started the conversation though. You get spyware on your PC when you surf the web. AV software doesn't stop spyware since it isn't a virus/trojan/worm. When the spyware 'calls home' it has started the conversation from your PC so your NAT device treats the packet as legit, sends it, and passes along any response it gets right back to you. This is nothing you could notice either unless you have a real firewall installed that looks at inbound and outbound traffic. Unless your browser and similar settings are lots tighter than most of us are willing to use, the spyware could also send out a request for something that would damage your PC and that something would slip right in to you.

    Firewalls

    First a quick bit about IP addresses and IP Ports since you can't understand what firewalls do without knowing a little of this stuff.

    Any PC using TCP/IP (and all internet traffic requires that) will have one IP address in the form of xxx.xxx.xxx.xxx and that address will be unique like a house address or a phone number. At least, unique within the network where it lives and if that includes the internet, completely unique.

    With any internet pipe (connection) there is an added piece that you never really see. Applications that communicate over networks use a specific port. There are around 64,000 of them available so at this point, every type of network traffic has a port it will use. The first 1000 are considered 'well known' or standard so that HTTP packets from your browser will always try to use port 80. FTP uses 20 & 21. SMTP (outbound email) uses 25 and POP3 (inbound email) uses 110. And so on. So if your PC is 192.168.0.10 an outbound HTTP packet will be from 192.168.0.10:80 and the entire address including port number is necessary.

    Firewalls operate only on ports. There are two basic types.

    The simplest (like the one that ships /w XP) only deals with inbound traffic and only has the option to set a port as open or closed. Close port 80 and your browser will not function. Open port 80 and any packet trying to use that port will succeed.

    Better firewalls can be set to monitor both in and outbound packets and deal with them on a port by port basis as you have things set up. Good in case of a trojan or spyware app trying to 'call home' since they will normally use a strange port number and if that one is blocked for outbound traffic, they call but no one answers.

    Still better firewalls have some logic built in. Where the firewall types above are sort of like a fenced in pasture with gates that are either open or closed, a stateful firewall places a gate guard on any open gate to check any who try to enter/leave thru that gate. If they look strange, you will be notified and asked for a decision. So that, for instance, a trojan packet trying to use FTP to send stuff to its owner or to get stuff from its owner might try to spoof your firewall by putting port 80 on as the address while the system at the other end knows about this and will auto-transfer any port 80 packets to port 20/21. A normal in/out firewall won't notice. A stateful firewall will see port 80 traffic that looks like FTP and will block it and ask you.

    Routers

    The earlier home/small office routers would have been way too expensive if a good firewall had been built in so the SOHO router folks said to users that NAT was adequate protection - but they worded it so they told the truth but in a misleading way. There is a large enough market for SOHO router/switches these days that they've improved things and you can now buy a reasonably priced router/switch that has a hardware/firmware firewall built in. But not all of them include this as of right now so you have to check the specs carefully to see exactly what you have.

    The other option is to run a software firewall on each PC but that's not nearly as good an option for two reasons. First, speed is affected. Way too much work for the firewall to do so software just can't compete with hardware for speed. Second, a software firewall can be disabled by a really clever piece of malware. Hardware firewalls are much tougher to defeat so only really high-end hacks will even try and they are concentrating on richer targets than SOHO networks.
     
    Newt,
    #6
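
The NAT behaviour described in the post above, as an added example that is not part of the original thread: a toy translation table showing that an unsolicited probe is dropped, a reply to a LAN-initiated request is forwarded, and a "call home" passes unless outbound ports are also filtered. All addresses and ports are constructed sample values, and matching replies on remote address and port is an assumption of this model.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.5"  # constructed: the single ISP-assigned address

@dataclass
class Nat:
    blocked_out_ports: set = field(default_factory=set)  # optional outbound filter
    table: dict = field(default_factory=dict)  # public port -> (lan ip, lan port, remote ip, remote port)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """A LAN host starts a conversation: rewrite the source, remember the mapping."""
        if dst_port in self.blocked_out_ports:
            return None  # outbound rule: dropped before it leaves the LAN
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (lan_ip, lan_port, dst_ip, dst_port)
        return (PUBLIC_IP, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, pub_port):
        """A packet reaches the public address: forward it only if it answers a request."""
        entry = self.table.get(pub_port)
        if entry is None or entry[2:] != (src_ip, src_port):
            return None  # no matching request in the table: discarded
        return entry[:2]  # (lan ip, lan port) that gets the reply

def demo():
    results = {}
    nat = Nat()
    # 1. Internet probe of the public address with no prior request.
    results["probe"] = nat.inbound("198.51.100.7", 4444, 40000)
    # 2. Browser on a LAN PC requests a web page, server replies.
    pkt = nat.outbound("192.168.0.10", 1025, "198.51.100.20", 80)
    results["web_reply"] = nat.inbound("198.51.100.20", 80, pkt[1])
    # 3. Unwanted software on a LAN PC starts the conversation: NAT treats it as legit.
    pkt = nat.outbound("192.168.0.11", 1030, "198.51.100.99", 31337)
    results["callhome_nat_only"] = nat.inbound("198.51.100.99", 31337, pkt[1])
    # 4. Same traffic when the unusual outbound port is blocked.
    filtered = Nat(blocked_out_ports={31337})
    results["callhome_filtered"] = filtered.outbound(
        "192.168.0.11", 1030, "198.51.100.99", 31337)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} -> {outcome}")
```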
  8. 2003/12/24
    beamuse

    beamuse Inactive Thread Starter

    Joined:
    2002/08/16
    Messages:
    63
    Likes Received:
    0
    Thanx Newt - that gave me good insight into just how it all works. Very clear. So, I looked at my specs on my router and I have Advanced Firewall Features:
    NAT with VPN Passthrough
    MAC Filtering
    IP Filtering
    URL Filtering
    Domain Blocking
    Scheduling
    64/128 bit encryption.

    I set my encryption key to 64 bit.
    The router is a D-Link DI-624

    So, after all that it looks like I have a pretty good firewall - am I missing something? If this was your system, what would you do?


    Have a good one
    Beamuse
     
    Last edited: 2003/12/24
  9. 2003/12/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Good system. Wish I had it. I'd use the router's firewall.

    I have an older Linksys that I got when a 4 port router/switch was around $100 (this one was) and to get a firewalled one was more like $250.

    I'm getting a new router/switch just to have the firewall feature although mine is operating perfectly.
     
    Newt,
    #8
  10. 2003/12/24
    beamuse

    beamuse Inactive Thread Starter

    Joined:
    2002/08/16
    Messages:
    63
    Likes Received:
    0
    Thanks for everything Newt. I have saved a copy of your explanation for routers and firewalls so I can refer back if I get to wondering again.

    :) Beamuse
     
  11. 2003/12/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Glad it helped.

    I used to get mad at salesmen who said things like, "Well, NAT is (just like, just as good as, the same as) a firewall." Then I figured out they thought they were telling the truth and didn't know any better.
     
  12. 2003/12/24
    beamuse

    beamuse Inactive Thread Starter

    Joined:
    2002/08/16
    Messages:
    63
    Likes Received:
    0
    I am sure they probably did...
    I have another problem that I would like to run by you...

    Ok, to say this so it is clear.....When I boot up the 98 computer, I am on the net but cannot see my other computer in network neighbourhood. If I log off and then log on again, it brings up a log-on box asking for name and password for the network. I log on and presto, there the computers are in the Network folder.

    I also had used TweakUI to bypass the sign-in screen at start up and I can't seem to get it to return. I was thinking that maybe if I saw the sign-in screen that would let me go directly to my lan.

    I have changed the settings in TweakUi so my start up log-on should appear but it doesn't...

    Everything else is running smoothly, just this little bug. Would appreciate any help you can give.

    Beamuse
     
    Last edited: 2003/12/24
  13. 2003/12/25
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Happy to help out but this needs to be a new thread and in the networking section.
     
  14. 2003/12/26
    beamuse

    beamuse Inactive Thread Starter

    Joined:
    2002/08/16
    Messages:
    63
    Likes Received:
    0
    Thanks for all the input Newt it was appreciated!
    Beamuse
     
  15. 2004/01/02
    wildswing

    wildswing Inactive

    Joined:
    2003/08/28
    Messages:
    21
    Likes Received:
    0
    Hi beamuse,

    Do I understand correctly? You have reinstalled Zone Alarm and your Win98 <> WinXP works? You also said that your latest version of ZA uninstalled cleanly. What version was that? Could you also provide some links to the info you read at the Zone Alarm web site please.
     
    Last edited: 2004/01/02
  16. 2004/01/02
    beamuse

    beamuse Inactive Thread Starter

    Joined:
    2002/08/16
    Messages:
    63
    Likes Received:
    0
    Hi Wildswing...

    Before I had the DI624 router, Zonealarm successfully protected my system for around 3 years. As you have read previously in this thread, I uninstalled the program believing that with the router, I no longer needed an additional firewall.

    There was some confusion as to whether a router had a firewall or not so I did reinstall Zonealarm and had the program set up and working on both the XP and 98 until I realized that my router came with an advanced firewall. This being so, I uninstalled it again from both computers.

    Running both the router and Zonealarm slowed the computers down considerably ......Note: one does not need nor is it advised to have two firewalls.

    The latest version of Zonealarm ( the one that uninstalled cleanly) is found at the following link -

    http://www.zonealarm.com/store/content/company/zap_za_grid.jsp

    There you will see both the free and the pro version. I had the free firewall.

    I hope this is not too confusing:rolleyes:

    If it is feel free to post again and I will clarify...

    Beamuse
     
  17. 2004/01/02
    wildswing

    wildswing Inactive

    Joined:
    2003/08/28
    Messages:
    21
    Likes Received:
    0
    Thanks for the clarification!
     