Community


All times are UTC - 5 hours




Post new topic Reply to topic  [ 4 posts ] 
Author Message
 Post subject: a few questions and suggestions (best read with coffee)
PostPosted: Sun Sep 11, 2011 11:40 pm 
Offline

Joined: Sun Sep 11, 2011 10:06 pm
Posts: 2
Hi...

I've been playing around a little with your software (the Free version of Neorouter), and it works like a charm on my Windows 7 x64 Machines...

But i've got a few questions/suggestions....

1) Does the Neorouter client use UPnP to penetrate standard (NAT)Router-firewalls ?

Most Routers i've seen running in the wild all have UPnP support (and most software nowadays also make use of it (uTorrent for instance)). Having the Client to use UPnP would ease NAT/Firewall penetration on home routers.

Off course, this could be a little messy if Bridged Mode is active, since some people want to use UPnP within the virtual network (also a future request by looking at the forums here ;) )...

But that could be solved if the DHCP range of the Virtual Network is filtered out from the UPnP Broadcasts on the Local Network and the Virtual Network UPnP broadcasts are redirected to a build-in UPnP server within Neorouter Server.

Or basicly blocking ports 1900 and 2869 TCP (The Standard UPnP Ports) between the Local LAN and the Virtual LAN and having a Local UPnP server (which is in the Home Router) and a Virtual UPnP server (within Neorouter Server)

Optionally, Neorouter could relay UPnP Broadcasts within the Virtual Lan by using the Built-in Virtual UPnP server to communicate with the Local UPnP server when using Bridged mode. A Bit of a Master-slave UPnP server-idea in the way DNS servers do it...



2) I've Noticed that once the Neorouter Client has logged in, the connection becomes permanent (the computer is fully connected even if you don't sign in at the Network Explorer and have the store password/automatic sign-in options disabled)...

Even if you reboot, the connection is made, no User/Password needed... This is a bit of a security risk, isn't it ?

I've worked this around a bit by setting the "Neorouter Client service"-service to Manual startup, and remember to "Disconnect & Quit" instead of just quitting the Neorouter Network Explorer.

But basicly, if the service is started out of the blue, even with the startup option on "Manual", the connection would be fully up immediately...

It would be better if the connection at the Client-side would be initiated AFTER you Signed in at the Network Explorer, and if Network Explorer is closed, the connection will be closed too.... So not a seperate "Quit" and a "Disconnect & Quit" option, but just "Disconnect & Quit"...

And off course at the server side, that it needs a Login/Password from the Client at every Initial connection. The Neorouter Server should not recognize a client computer (and User) by signature/certificate Only.

Neorouter server should use Signatures for Location-awareness (to know where the client user is logging in) and for a list of trusted client-computers only, and an additional Username/Password for Initial connection from a client to the server ...



Anyways... those were my 2 cents ;)

(i guess your Coffee's gone cold now... :P )

Grtz,

Shadowguy


Top
 Profile  
 
 Post subject: Re: a few questions and suggestions (best read with coffee)
PostPosted: Mon Sep 12, 2011 8:21 am 
Offline

Joined: Mon Dec 22, 2008 10:19 pm
Posts: 436
hi Shadowguy,

Thank you for trying NeoRouter and appreciate the feedback.
1) For P2P connections we support NAT traversal methods like STUN and STUNT, and the success rate has been very high, especially with home or business routers.

UPnP is a neat solution too, but I do not share your view on its popularity :). Although most routers supports it, the feature is usually turned off by default.

As for the future, we are watching the leading manufactures as they debate the role of NAT in the IPv6 world. Some of them believe NAT still can provide extra protection against Internet traffic, but others believe the OS firewall should be sufficient. No matter what they decide, you can count on NeoRouter to bridge the gaps.

2) NR Pro and Mesh editions support the Access Control feature that allows admins to disable access for anonymous user and grant/deny a user access to certain computers. Please see User's Manual "4.4 Access Control List".
For NR Free users, please invite only trusted users to join your virtual network. If you need to invite untrusted users, please control permissions on each computer. For example, require password to access a shared folder.

Thanks again for the feedback. we hope you enjoy NeoRouter as much as we do.

Thanks,
Luke

_________________
Luke - NeoRouter Team


Top
 Profile  
 
 Post subject: Re: a few questions and suggestions (best read with coffee)
PostPosted: Mon Sep 12, 2011 5:47 pm 
Offline

Joined: Sun Sep 11, 2011 10:06 pm
Posts: 2
Thanks for the Info Luke....

1) But (yeah, i'm butting ;) ) I used to work for several ISPs, and installed many many(and then some) triple play installations (TV, Internet and Telephone) at consumer homes here in Holland, so "I've been around the block" and i don't agree with that UPnP is turned off by default by most manufacturers...

Sure, STUN and STUNT NAT traversal works okay too... My own D-Link DIR-655 (which also had UPnP on by default) happily supports it ;) But in some scenario's (especially with cheap routers like Sitecom or Sweex) UPnP is better supported...

the most popular routers here are Linksys, Sitecom, Sweex, Netgear, ICIDU, D-Link, Draytek and Asus.... and for what i've seen... all had UPnP ON by default....

I Guess that's Because Mediaplayers like the Xtreamer, HD Playon! etc. are becoming very popular here, and most LCD TV's here are beginning to support DLNA too... and DLNA works best with UPnP enabled ;)

This is also why there are requests of implementing UPnP support here in the forums, since they want to acces their media files through neorouter (Point-to-site mostly) so they can play them at their friend's place....

Anyways.... IPv6 talk is "Hot" at the moment (since there are no free IPv4 addresses left ;) )... but implementation's slow ;) especially when manufacturers are bugging about using NAT or not ;) (gheheh... NAT or Not ;) )

Next to the fact that a lot of home routers have to be replaced in order to cope with IPv6.... So the whole thing, It's gonna take a while, so where stuck with IPv4 and NAT for now ;)


2) Invite trusted computers into the network.... Well, that's the main idea anyway ;)

But what if one of the trusted computers is stolen when using the Free version ? My Girlfriend for instance has a Laptop only, and we use Neorouter to play LAN games with others, and she also carries it around as she goes ;)

Setting ACL's on shared folders per computer works indeed (With User Groups setup, NTFS permissions set etc.. (Doing your MSCA/MSCE thing the way Microsoft likes it)), but i guess you know too how fast Usernames and passwords are found if you would bruteforce a seperate Windows "Sitting duck" machine... (Firewall-settings are easy to disable when a thief has his hands on a computer and he's using something like Bart Lagerweij's BartPE and it's implemented remote registry editor for instance)

Building a domain system with Kerberos, certificates and SSL/NTLMv2 encryption etc. is a solution off course... But that's a little bit overkill for "mere Mortals", isn't it ? (Next to the fact that my (and other people's) mediaplayer and DLNA-using TV doesn't support Domain logon properly ;) )

But ok, quickly changing the password on fileservers and NAS-es works for most users... but still.... the virtual network still can be accessed and sniffed since initiating the VPN-connection doesn't require user/password....

So basicly: changing the neorouter domain name each time is the only way to ensure "safety", and this means that all users have to change too, which is quite the hassle, changing all instead of just one... If the professional (payed) version of Neorouter works in the same way as the free version in terms of initial connections (Fully connecting to the virtual network with no user/password needed at startup)... This would be a reason for a business (and it's Administrator) to NOT implement Neorouter....

So i'm gonna do some competition-talk (sorry for that ;) )... Logmein's Hamachi (including the Free version in both managed mode and standalone mode) does need a User/password for initial connection after starting up their Network Explorer-like client, and disconnects immediately after shutting down their Network Explorer-like client... Most (free) VPN-implementations with the same purpose as Neorouter and Hamachi work like this...

Also performance-wise, a client only connecting to the Neorouter server computer when needed instead of allways constantly being connected at the moment the "Neorouter Client service"-service is started on the client computer, is much better.... So the Neorouter server can just worry about the actual active users instead of both active AND inactive users and their connections...

So I guess that's something to think about Luke ;)

Nevertheless... Neorouter is more stable and faster than Hamachi for what i've seen and i prefer Neorouter because of that.... But in terms of security, i prefer Hamachi..... So, do you see my Dilemma ? ;)

Grtz,

Shadowguy


Top
 Profile  
 
 Post subject: Re: a few questions and suggestions (best read with coffee)
PostPosted: Tue Sep 13, 2011 8:38 am 
Offline

Joined: Mon Dec 22, 2008 10:19 pm
Posts: 436
hi Shadowguy,

The Access Control feature of NeoRouter Pro and Mesh is a unique feature that allows the admin of an NR domain to manage the firewalls on all the computers in one central place. Admin can specify which user has access to which computer:port. Then nrservice on the target computer inspects incoming connections/packets in the virtual network and determine whether they are allowed or denied.

Thank you for bringing up the Hamachi comparison, because it is a topic we discuss quite a bit at NeoRouter.
1) One of your arguments for Hamachi is that it requires network password to establish connection while NeoRouter only checks computer signature.
Hamachi remembers the network password on the computer and will not prompt user for password again. For both solutions, once a computer is added to the virtual network, it can always connect. So if you lose a laptop, both solutions allow you to blacklist it.
2) One of your argument is that the connection lifetime for Hamachi is tied to the GUI app, but NeoRouter's connection is always on.
The connection lifetime is actually managed by user. If a Hamachi user has an unattended server, he/she can configure Hamachi to be always on. If a NeoRouter user wants to disconnect, he/she can choose "Disconnect and Quit" from the system tray icon. The connection lifetime does not change the level of security of your network.

In conclusion, NeoRouter Free has the same level of security as Hamachi. If you invite untrusted users to your domain, please setup firewall on each computer to prevent these users from accessing sensitive data/services. Adding a user to the virtual network is as if this user plugs in his computer to your router.

NeoRouter Pro/Mesh provides better security with the unique Access Control feature (User's Manual 4.4 Access Control List). The ACL of a host specifies which users are granted or denied access to the host and which specific services or ports are allowed. Administrators can use ACL to manage a NeoRouter domain that has users with different trust levels.

Thanks,
Luke

_________________
Luke - NeoRouter Team


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: Google [Bot] and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron