yongsua 16 Posted March 16, 2015 Share Posted March 16, 2015 (edited) Hi, I actually just want to authenticate my router or gateway to communicate with my computer. I have a virtual box therefore I would like to allow only two authenticated zone(exclude discussion for default 127.0.0.1 as Trusted zone). The first zone should only include gateway and my computer. The second zone should include only gateway and my computer, virtual box LAN IP and virtual box public IP. I really do not want any other local host to communicate with me within LAN. It seems that ESET does good job at blocking ARP requests within LAN but is it really independent from firewall? For me, the authenticated zone is only for firewall but will not affect IDS to continue to inspect the whole LAN network. ESET IDS seems like a NIDS over the whole LAN network and I think only one computer should be allowed to use IDS feature if ESS is installed on other hosts system to avoid conflict or should I enable the IDS feature on all host system. Besides, ESET keeps asking me to authenticate 192.168.1.1/255.255.255.0 with the DNS IP 192.168.1.1 but I really do not want to authenticate as I have mentioned that I do not want other hosts to communicate with me. ESET keeps asking me to define the network location and if I select "Home", it will be set as a automatically authenticated zone which has a name i.e. DnsIP 192.168.1.0/255.255.255.0 (Differs from DNS server in zone editor, do not get confused). One question from me is the Zone feature affects IDS or just firewall? Edited March 16, 2015 by yongsua Link to comment Share on other sites More sharing options...
yongsua 16 Posted March 16, 2015 Author Share Posted March 16, 2015 To make my statements understandable, I would explain briefly on what I want. 1) I do not want any other hosts to communicate with my computer except my gateway within the LAN 2) If the 1) is successfully implemented with Zone editor, would the IDS still able to inspect the whole LAN? 3) ESET keeps requesting me to respond to the network location of automatically generated authenticated zone every time I boot my computer. This automatically generated authenticated zone by ESET is also the zone that I don't want since it contradicts with my need as stated at 1). This zone is given with a name i.e. DnsIp...blah..blah... blah... Link to comment Share on other sites More sharing options...
yongsua 16 Posted March 16, 2015 Author Share Posted March 16, 2015 Finally I think I have understood it. The DnsIp indicates a LAN which cannot be deleted or denied to appear in Zone editor. The key of the authentication is actually the authentication type. I have modified the authentication type that only allows a specific IP which is able to view me in LAN. Now I know Trusted Zone means my computer is visible to a group of computers in LAN. Am I right? Pls verify this for me. I have also realized that the IDS would not be affected if I only add a specific IP into my trusted zone. It is still able to catch and block ARP request within the LAN. Link to comment Share on other sites More sharing options...
rugk 397 Posted March 16, 2015 Share Posted March 16, 2015 (edited) Zones are just lists of IP addresses. I think the zone you talk about is the "Trusted zone". This is only set when you select the network as "home network". This zone represents the LAN. The IDS like we name it here is a NIDS. HIPS is another thing, but similar (based on the name) and so they have both the same aim: to prevent intrusion. (about your first point) This has nothing to do with zones. Use rules if you want to allow or deny communication. But of course in this rules you can include the "zones". (e.g. "allow inbound communication for X/Y from the local zone") IDS has nothing to do with zones or the firewall. It happens independent from these components. (however it may be react differently based on the chosen network mode and whether some data comes from the local network)ARP spoofing attacks are of course always blocked. would the IDS still able to inspect the whole LAN?Of course! (about your third point) Just choose the network mode you like. If you want to "hide" your device from other hosts in the LAN just choose Public network. However - of course - you won't able to use file/printer sharing. The necessary communication from your router to you is always allowed. Edited March 16, 2015 by rugk Link to comment Share on other sites More sharing options...
yongsua 16 Posted March 16, 2015 Author Share Posted March 16, 2015 (edited) Thanks for the reply. ESS NIDS does block ARP requests within the LAN such as ARP requests from xarp (a famous ARP spoofing app). However, I am having an issue with the IGMP. ESS firewall log shows me "unusable rule" message for this IGMP. Every host in my LAN is blocked to communicate with the IGMP IP address. Since I am not using any multicasting network, I think it is safe to ignore the message but it is kinda annoying for me. Edited March 16, 2015 by yongsua Link to comment Share on other sites More sharing options...
rugk 397 Posted March 16, 2015 Share Posted March 16, 2015 This one? https://en.wikipedia.org/wiki/Internet_Group_Management_Protocol This is just a protocol. If you have problems then they must be caused by a application using this protocol. Link to comment Share on other sites More sharing options...
Recommended Posts