WiFi roaming for laptops

Here’s what seems to be a fundamental security issue with the CIS Firewall:

I have it installed on a laptop that connects to my home LAN via WiFi; it gets a private IP 192.168.1.x, which is typical for default router configurations. Now, using the stealth port wizard, I set my Home LAN to be trusted, which added 2 global firewall rules to allow both in and out connections from this home LAN.

Now I’m taking the same laptop to a public hotspot that also assigns IP addresses in the 192.168.1.x subnet. My laptop will still consider this LAN as trusted which in fact it no longer is.

I think Comodo should be smart and define a network based on more than a subnet, but maybe also include the gateway MAC address and/or the WiFi SSID and adjust accordingly when the network changes.

Meanwhile, what is the solution? What should I do when I go to a public hotspot? Remember to re-run the stealth port wizard and block all incoming connections?

I would rather change the configuration of your router and set the DHCP Server to assign IP addresses from a less typical scope (for example 192.168.200.0/24 or 192.168.252.0/24).

The other option would be to edit the current Network Zone in CF and replace the network address with MAC addresses corresponding to all computers in your LAN and to the router.

Or the 10.10.1.x range. I had my computers all set to fixed IPs in this range from a previous router, so it was easier to change the router.
Dennis

Yes, I’m using a less common subnet already and also /27 instead of /24, it was the first idea that came to mind, but it still doesn’t guarantee that some hotspot isn’t using the same subnet …

Using the MAC address of the LAN devices is such a pain :(

I didn’t say that this solution would guarantee safety, but it definitely was a workaround that increased it.
If you choose a really random and atypical network address for your LAN, then it is very unlikely that some hotspot would have the same addressing. If I were you, I would go with MAC addresses or maybe some other solution, like TrustConnect, which is basically a VPN.

I guess the other thing I could do is create a more paranoid CIS configuration, save it and select it when at a hotspot. Hopefully I will remember to do so before it’s too late. But using a more unusual subnet for the home LAN is still a good idea in case I forget to select the “paranoid” configuration.

I think Comodo should come up with a clever solution to this problem, maybe an easy switch mode to block all incoming connections, regardless of any rules.
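
The idea raised earlier in the thread, matching a trusted zone on gateway MAC and SSID as well as subnet, sketched as an added example; it is not part of any post and not Comodo's code. The `TrustedZone` type, the `classify` function and all addresses and SSIDs are constructed for illustration, and the observed values are assumed to come from the OS network stack.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TrustedZone:          # hypothetical zone definition, not a CIS structure
    name: str
    subnet: str
    gateway_mac: str
    ssid: str

def normalize_mac(mac: str) -> str:
    """Lower-case hex without separators, so 02-00-.. and 02:00:.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def classify(zone: TrustedZone, ip: str, gateway_mac: str, ssid: str):
    """Return (trusted, reasons); any mismatch means the zone's allow rules must not apply."""
    reasons = []
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(zone.subnet):
        reasons.append("address outside zone subnet")
    try:
        if normalize_mac(gateway_mac) != normalize_mac(zone.gateway_mac):
            reasons.append("gateway MAC differs")
    except ValueError:
        reasons.append("gateway MAC unreadable")
    if ssid != zone.ssid:
        reasons.append("SSID differs")
    return (not reasons, reasons)

# Constructed sample zone: the home LAN from the first post, with made-up MAC and SSID.
HOME = TrustedZone("Home LAN", "192.168.1.0/24", "02-00-00-AA-BB-CC", "home-wifi")

if __name__ == "__main__":
    # Constructed observations: same subnet at home and at a public hotspot.
    observations = [
        ("home", "192.168.1.23", "02:00:00:aa:bb:cc", "home-wifi"),
        ("hotspot", "192.168.1.57", "02:00:00:11:22:33", "CoffeeShop-Free"),
    ]
    for label, ip, mac, ssid in observations:
        trusted, reasons = classify(HOME, ip, mac, ssid)
        print(label, "TRUSTED" if trusted else "UNTRUSTED", reasons)
```

Gateway MAC and SSID are not authenticated values, so this narrows the match but does not prove the network is the home LAN.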