In these cases, you can use Inbound Filters to limit that exposure by specifying the IP addresses of internet hosts that you trust to access your LAN through the ports that you have opened. You might, for example, only allow access to a game server on your home LAN from the computers of friends whom you have invited to play the games on that server.

Inbound Filters can be used for limiting access to a server on your network to a system or group of systems. Filter rules can be used with Virtual Server, Gaming, or Remote Administration features. Each filter can be used for several functions; for example a “Game Clan” filter might allow all of the members of a particular gaming group to play several different games for which gaming entries have been created. At the same time an “Admin” filter might only allows systems from your office network to access the WAN admin pages and an FTP server you use at home. If you add an IP address to a filter, the change is effected in all of the places where the filter is used.

Add/Edit Inbound Filter Rule

Here you can add entries to the Inbound Filter Rules List below, or edit existing entries.

Name

Enter a name for the rule that is meaningful to you.

Action

The rule can either Allow or Deny messages.

Source IP Range

Define the ranges of Internet addresses this rule applies to. For a single IP address, enter the same address in both the Start and End boxes. Up to eight ranges can be entered. The Enable checkbox allows you to turn on or off specific entries in the list of ranges.

Save
Saves the new or edited Inbound Filter Rule in the following list. When finished updating the Inbound Filter Rules List, you must still click the Save Settings button at the top of the page to make the changes effective and permanent.

Inbound Filter Rules List

The section lists the current Inbound Filter Rules. An Inbound Filter Rule can be changed by clicking the Edit icon, or deleted by clicking the Delete icon. When you click the Edit icon, the item is highlighted, and the “Edit Inbound Filter Rule” section is activated for editing.

In addition to the filters listed here, two predefined filters are available wherever inbound filters can be applied:

Allow All

Permit any WAN user to access the related capability.

Deny All

Prevent all WAN users from accessing the related capability. (LAN users are not affected by Inbound Filter Rules.)

In Windows 95, the default MTU was 1500 octets (eight-bit bytes), partly because this is the Ethernet standard MTU. The Internet de facto standard MTU is 576, but ISPs often suggest using 1500. If you frequently access Web sites that encounter routers with an MTU size of 576, you may want to change to that size. (Apparently some users find that changing the setting to 576 improves performance and others do not find any improvement.) The minimum value that an MTU can be set to is 68.

For more recent Windows systems, the operating system is able to sense whether your connection should use 1500 or 576 and select the appropriate MTU for the connection.

The original design of the Domain Name System (DNS) did not include security; instead it was designed to be a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempts to add security, while maintaining backwards compatibility. RFC 3833 attempts to document some of the known threats to the DNS and how DNSSEC responds to those threats.

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in CERT records in the DNS. RFC 4398 describes how to distribute these certificates, including those for email, making it possible to use DNSSEC as a worldwide public key infrastructure for email.

What is the vulnerability in the DNS?

The efficient work of storing a response that functions as a mid-way point between an end user’s computer and an authoritative server is performed by a caching name server, usually operated by an ISP (Internet Service Provider). The DNS was designed to allow this caching server to accept the first response it receives. It is possible, without the verification provided by DNSSEC authentication, for a malicious user to flood this caching name server with a spoofed response that is, most often, intended to dupe the end user into providing personal and or financial information to what appears to be his or her intended destination.

How does DNSSEC work?

DNSSEC works through a system of keys. At each stage in supplying a DNS query response through the chain that takes it back to the initiator’s machine, a known key and a private key must be matched. In this way, the response to the query is authenticated and the response validated.

Ethernet networks are packet-based and have no concept of a connection or circuit and also lack basic security features to protect against IP and MAC conflicts and rogue DHCP servers. By using PPPoE, users can virtually “dial” from one machine to another over an Ethernet network, establish a point to point connection between them and then securely transport data packets over the connection. It is mainly used by telephone companies, since PPPoE is easily integrated with the current dial-up AAA systems and fits perfectly into the current ATM backbones. The protocol also permits very easy unbundling of DSLAMs where required by regulators, since the user would simply use a different login into PPP, then the ATM circuit would be routed to the user’s ISP. Also pre-paid traffic bucket business models can be created with PPPoE more easily than with DHCP or multiplexing multiple users with different speed tiers or QoS through 1 DSL modem or by creating a different login for each static IP purchased by customers.

ZipIt is a Macintosh program that compresses and uncompresses files in the “zip format”. The zip format is popular on the IBM and on other platforms, such as Unix. You can tell if a file is in zip format simply by examining its name: if it ends in ‘.zip’, it is a zip file. (Note that if it ends in ‘.Z’ or ‘.gz’, it is NOT a zip file. The former belongs to a program called Compress, and the latter to a program called GZip.)

The zip format is most useful when compressing files destined for another computer platform, such as the IBM, or for uncompressing zip files received from other platforms. ZipIt can create zip archives intended solely for the Macintosh, but the zip format is not a standard compression format on the Mac.

MAC filter can filter each computer through MAC address in LAN; can also bind one MAC address with a static IP address. Following shows a [MAC Filter Config] dialog:

MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While the restriction of network access through the use of lists is straightforward, an individual person is not identified by a MAC address, rather a device only, so an authorized person will need to have a whitelist entry for each device that he or she would use to access the network.

While giving a wireless network some additional protection, MAC Filtering can be circumvented by scanning a valid MAC (via airodump-ng) and then changing the own MAC into a validated one. This can be done in the Windows Registry or by using commandline tools on a Linux platform.

While electronic mail servers and other mail transfer agents use SMTP to send and receive mail messages, user-level client mail applications typically only use SMTP for sending messages to a mail server for relaying. For receiving messages, client applications usually use either the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP) or a proprietary system (such as Microsoft Exchange or Lotus Notes/Domino) to access their mail box accounts on a mail server.

SMTP usually is implemented to operate over Internet port 25. An alternative to SMTP that is widely used in Europe is X.400. Many mail servers now support Extended Simple Mail Transfer Protocol (ESMTP), which allows multimedia files to be delivered as e-mail.

Step 2: Click View network status and task under Network and Internet.

Step 3: Click Connect to a network.

Step 4: Select your wireless network name, check the box for Connect automatically, and click Connect.

Step 5: Type the network security or pre-share key for the network and click OK.

There are two basic forms of WPA:

• WPA Enterprise (requires a Radius server)
• WPA Personal (also known as WPA-PSK)

Either can use TKIP or AES for encryption. Not all WPA hardware supports AES.

WPA-PSK is basically an authentication mechanism in which users provide some form of credentials to verify that they should be allowed access to a network. This requires a single password entered into each WLAN node (Access Points, Wireless Routers, client adapters, bridges). As long as the passwords match, a client will be granted access to a WLAN.

Encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is in WPA-PSK, authentication is reduced to a simple common password, instead of user-specific credentials.

The Pre-Shared Key (PSK) mode of WPA is considered vulnerable to the same risks as any other shared password system – dictionary attacks for example. Another issue may be key management difficulties such as removing a user once access has been granted where the key is shared among multiple users, not likely in a home environment.

Other vendors have marketed Super G products as 108G Technology, 108Mbit/s 802.11g, and Xtreme G. Manufacturers that have licensed Super G technology from Atheros include Airlink 101, Clipsal, D-Link, Intelbras, Netgear, Nortel Networks, Planex, SMC, Sony, TRENDnet, SparkLAN, Toshiba and ZyXEL. In general, Super G products from different vendors are all interoperable in Super G mode.

Non-standard channel bonding extensions to 802.11g, such as Super G, have been criticized for creating interference on all Wi-Fi channels, potentially causing issues with other wireless devices in the band such as neighboring wireless networks, cordless telephones, baby monitors, and Bluetooth devices. However, Atheros claims that in real-world scenarios with physical separation and walls, closely located networks will not experience any interference from a Super G network.

Super G is one of several competing proprietary approaches that were developed to increase performance of 802.11g wireless devices, such as 125 High Speed Mode from Broadcom, MIMO-based extensions from Airgo Networks, and Nitro from Conexant.