Looks like the pfSense team has put out their first release candidate for the version 2 of the open source pfSense firewall.
Looks like the pfSense team has put out their first release candidate for the version 2 of the open source pfSense firewall. This is a great firewall that will run on just about any hardware. It has as many features as commercially available firewalls and works great. I’ll be doing a few upgrades shortly and may post about it here.
Take a look at the blog post about this release on the pfSense site.
Free protection without installing any software. The solution is simple, just use the right DNS to prevent the traffic from entering your network in the first place.
If you could protect your whole network from malware, adware, porn and other web sites that should not ever be viewed by employees or children, wouldn’t you do it? What if I told you that you can, and you don’t even have to install any software anywhere in your network? I usually go by the old adage that if it sounds to good to be true, it probably is. This is one time where that’s not true.
My secret weapon is called OpenDNS. I use pfSense firewall at home and I also have installed this great freeBSD based firewall at three other customer’s sites. Although the ISP for each of these sites supply their own DNS server, I do not point the firewall to their DNS. I simply set the DNS server address on the General Setup page to point to
Using OpenDNS does not really slow things down in any way (not that anybody can truly notice anyway). Also, OpenDNS is introducing a free service to protect you from the Conficker worm. Read this post from The Register to see all of the details. Go on and create yourself an account on OpenDNS. You’ll be able to do filtering based on 27 categories. The service you get for free from these guys is top notch.
Update: Looks like has just published a very concise page about the Conficker worm and how to deal with it. Check it out at http://technet.microsoft.com/en-us/security/dd452420.aspx
Update (Feb. 10): Looks like OpenDNS official blog has more information about their new feature.
In a Windows XP network, NetBIOS is on by default. There are some misconceptions regarding whether NetBIOS is required in order to have file sharing working. In fact, that is not the case. This post will explain what I found out when investigating the impact of removing NetBIOS from our corporate network.
Do you still have NetBIOS turned on on all of your workstations and servers in your corporate LAN? This old network protocol puts you at risk and should be killed without prejudice!
There are quite a few reasons why NetBIOS is bad for your network.
- NetBIOS is an inneficient protocol. It is very chatty with lots of broadcasts.
- When used with its defaults settings, it can be used by the bad guys to gather information about your network and users. This is done through null sessions. An excellent source of information on null session can be found in the (old, but still true) page titled NetBIOS Null Sessions: The Good, The Bad, and The Ugly.
- Although it can now be routed across LANs by using NetBIOS over TCP/IP (NetBT), it was never meant to be used in a WAN environment.
- The original design of NetBIOS was actually for a LAN of about 70 users.
One of the major misconception about NetBIOS is the fact that people think that it has to be there in order for you to have a file share to serve files to your network users. That is actually not the case.
File sharing on your LAN
NetBIOS uses these ports:
- UDP 137: NetBIOS name service
- UDP 138: NetBIOS datagram service
- TCP 139: NetBIOS session service
In actual fact, a workstation that tries to connect to a file share might start by trying using those ports. Windows will automatically fall back to using SMB, which is on port TCP 445. You might have heard of SMB (Server Message Blocks) and CIFS (Common Internet File System) in the same conversation. That’s because CIFS is actually a dialect of SMB.
The downside of disabling NetBIOS
I found only two problems that you might run into if you disable NetBIOS. Another side effect is that this will affect trusts between forests. This is definitely true for domains at the Windows 2000 functional level or even a Windows NT to Windows 2003 trust. In a simpler network with only one domain in your forest, this will not be an issue.
The other negative impact that I found is the fact that you no longer browse for computer in Network Neighborhood (Windows 98) or Microsoft Windows Network (Windows XP). When NetBIOS is enabled in your network, the master browser collects information about all the computers in the network. That information is then propagated every 12 minutes to all workstations. This can be displayed in the network neighborhood or using the NET VIEW command. In effect, this is how name resolution was done, by using the list maintained by the master browser. WINS is the other name resolution method in the NetBIOS world. This method is no longer used by Microsoft OS since Windows 2000.
How to deal with NetBIOS
The best thing to do, is simply to eliminate NetBIOS. You probably won’t miss it. Most likely, if your network has more than a few computers in it, you are using DHCP. You can use DHCP to easily disable NetBIOS on your workstations. In a smaller setting, you can change the configuration on each computer in your network by doing the following (instructions for Windows XP):
- Click Start, point to Settings, and then click Network and Dial-up Connection.
- Right-click Local Area Connection, and then click Properties.
- Click Internet Protocol (TCP/IP), and then click Properties.
- Click Advanced.
- Click the WINS tab, and then click Disable NetBIOS over TCP/IP.
This method disables NetBIOS Session Service (which listens on TCP port 139). It does not disable NetBIOS completely. If you do not want to have SMB enabled, you can disable it all at once by using the following instructions:
- From the Start menu, right-click My Computer, and then click Manage.
- Expand System Tools, and then clear the Device Manager check box.
- Right-click Device Manager, point to View, and then select Show hidden devices.
- Expand Non-Plug and Play Drivers.
- Right-click NetBios over TCP/IP, and then click Disable.
This disables the SMB direct host listener on TCP/445 and UDP 445.
Before you make such an important change in your network, you need to do some serious testing. This is especially true if you have a lot of different servers and applications. I intend to post again with the result of my testing and the effect that disabling NetBIOS had on our network.