ipx/spx on home network?


kidhavoc765
09-23-2003, 05:33 AM
Could someone offer me some good advice with easily followed steps or a link to a guide or tutorial for helping me set up IPX/SPX as the protocol used by my home network so that I can use TCP/IP to still access the internet but be able to set TCP/IP up so that it cannot be used to browse the computers on my home network and only IPX/SPX can be used for browsing between the existing systems. On my home network at present I have 3 PCs and a shared network printer. Two of the PCs are running Windows XP Professional and 1 is running Windows 98 Second Edition. They are networked together via a NAT capable Linksys EtherFast cable/DSL router and access the internet via an ADSL connection with a static IP address. Also, I've read that the NAT in my router is a fairly capable firewall to keep my home network safe from the internet, is that so? If that is the case then as that my router is the model BEFSR41 Linksys EtherFast router with the newest firmware, are there any special settings I can use on the router itself to enhance security on my network as well? I also ran into a recent problem while setting up my network. If I just have TCP/IP installed, set up to obtain an IP address automatically from the router and no other protocols, I am for some reason unable to browse my home network or even see the other computers on the network, this being after I have shared resources, made sure they are all using the same workgroup name, and made sure that user accounts needed exist on each system. If anyone could help me address that issue as well it would be greatly appreciated. Thanks very much for any help anyone can offer.

erikw
09-25-2003, 06:22 PM
I'm doing what you describe, but Windows 2000 and XP make it difficult to set up.

The first thing you need to know is IPX/SPX configuration doesn't work anything like the friendly TCP/IP configuration.

Here's how to use IPX/SPX with Windows 2000 / XP.

Open "Network and Dial-up Connections" from the control panel or start menu. You should see a connection for your LAN (Local Area Network). Click the right mouse button to get a menu, then click the left mouse button on "Properties".

The first thing is to add the protocols. Click "Install", then click on "Protocol" in the list, and click "Add". You want to add "NWLink IPX/SPX/NetBIOS Compatible Transport Protocol".
Enter an internal network number, like "12322221"; it doesn't really matter what number you choose. Set the frame type to "Auto Detect".

Click "Install" again, then click on "Protocol" in the list, and click "Add". You want to add "NWLink NetBIOS". There are no options to set for this protocol.

Now, make sure ALL the protocols are checked in the list for your LAN, including "Client For Microsoft Networks", and "File and Printer Sharing for Microsoft Networks".

The next problem is how to disable NetBIOS over TCP/IP, while leaving "NWLink NetBIOS" enabled. This is very well hidden. In the "Network and Dial-up Connections" folder menu, click "Advanced". Then click "Advanced Settings...". Click on your "Local Area Connection" in the list of connections. You should see a number of things listed with check boxes.

Under "Client For Microsoft Networks", make sure "NWLink IPX/SPX/NetBIOS Compatible Transport Protocol" is checked, and make sure "Internet Protocol (TCP/IP)" is not checked. "Client For Microsoft Networks" should also have a check mark.

Under "File and Printer Sharing for Microsoft Networks", make sure "NWLink IPX/SPX/NetBIOS Compatible Transport Protocol" is checked, and make sure "Internet Protocol (TCP/IP)" is not checked. "File and Printer Sharing for Microsoft Networks" should also have a check mark.

Now, you will want to change the protocol ordering so that the NWLink protocols come first. Under "Client For Microsoft Networks", click on the line that says "NWLink IPX/SPX/NetBIOS Compatible Transport Protocol" (not the check box). If this line does not appear first, under "Client For Microsoft Networks", click the up arrow to the right of the window, to move the line up.

Under "File and Printer Sharing for Microsoft Networks", click on the line that says "NWLink IPX/SPX/NetBIOS Compatible Transport Protocol" (not the check box). If this line does not appear first, under "File and Printer Sharing for Microsoft Networks", click the up arrow to the right of the window, to move the line up.

Now click "OK" to save your changes.

If you go back and look at your "Local Area Connection", you will see something unusual. Click the right mouse button on "Local Area Connection", and then click the left mouse button on "Properties". You should see that "Client For Microsoft Networks" and "File and Printer Sharing for Microsoft Networks" both have a gray check marked box. That means they are only bound to some (not all) of the protocols, which is what you want.

If you do not want TCP/IP protocol available at all on your LAN, you can un-check the "Internet Protocol (TCP/IP)" listed in your "Local Area Connection" properties. You won't be able to ping, use FTP or anything else if you totally disable TCP/IP. Be careful if you re-enable TCP/IP because you may have to go back and un-check the settings in "Advanced Settings..." again. Microsoft assumes you want Microsoft Networking for ALL protocols you enable!

It may take a while for your network to recognize that other computers are there, because IPX/SPX uses broadcasting to detect other machines.

WARNING: When you create dial-up connections, do not check the "NWLink IPX/SPX/NetBIOS Compatible Transport Protocol". That will allow IPX/SPX access to your computer files. Unchecking "File and Printer Sharing for Microsoft Networks" and "Client For Microsoft Networks" disables those ONLY for TCP/IP (not for NWLink protocol). Probably your ISP doesn't support NWLink protocol anyway, but it's better to be safe.

When you create dialup connections, you should ONLY have a check mark next to "Internet Protocol (TCP/IP)". You might also see something called "QoS Packet Scheduler" which is OK to enable with a check mark.

If you do want to dial in to an IPX/SPX (Novell Netware) network, then you should check ONLY the "NWLink IPX/SPX/NetBIOS Compatible Transport Protocol" for that dialup connection. You don't have to check anything else, and it still magically (strangely?) gives you the Microsoft Networking protocols. I do this for work, since our company still uses IPX/SPX.

=========================================

Windows 95 and Windows 98 computers handle IPX/SPX differently. If you want them to be visible on the network, you need to check the "Enable NetBIOS over IPX/SPX" option when you install the "NWLink IPX/SPX" protocol. For those operating systems, you need to look at the bindings for every entry listed in the protocols. You can find the list by clicking "Network" in the control panel.

What the heck is a binding? It's basically a connection from one protocol to another protocol. The bindings list for a protocol shows all the protocols that are above it (using it). Windows 95/98 shows the protocol bindings in the "Network" settings from left to right. The protocols on the left are using the protocols on the right.

For example:
File and Printer Sharing -> TCP/IP -> Your Lan Card

That shows that "File and Printer Sharing" uses "TCP/IP" and that "TCP/IP" uses "Your Lan Card". If you only have one thing being used by TCP/IP, unfortunately you don't get the nice list of bindings. It just shows "TCP/IP" all by itself.

If you want to unbind "File and Printer Sharing" from "TCP/IP" you have to right click on "TCP/IP" and then click "Properties". On the bindings page, uncheck the "File and Printer Sharing" binding.

For ALL entries that say "TCP/IP", uncheck the bindings to the "Client For Microsoft Networks" and "File and Printer Sharing for Microsoft Networks". You can also uncheck the bindings of those two protocols to "IPX/SPX Transport Protocol". You want to leave those two protocols enabled in the bindings for "NetBios over IPX/SPX" for the local area network card ONLY. You also need to leave the "NetBios IPX/SPX" binding checked for the "IPX/SPX Transport Protocol". You should uncheck the "IPX/SPX Transport Protocol" binding for the dialup adapter if you don't want to dial up to an IPX/SPX network.

The only thing that should be bound to dialup should be the TCP/IP protocol. The only things that should be bound to the network card should be IPX/SPX protocol, and TCP/IP protocol (if you want it).

The key thing here is what has the "Client For Microsoft Networks" and "File and Printer Sharing for Microsoft Networks" bindings checked. Those protocols will allow access to your computer files. Any protocols underneath (to the right of) those protocols will also allow access to your files.

When you create dialup connections in Windows 95/98, you will see that you can choose up to three protocols for the dialup connection. They are "TCP/IP", "IPX/SPX", and "NETBEUI". Normally you ONLY want to check "TCP/IP".

If you want a dialup connection to an IPX/SPX network, then ONLY check "IPX/SPX" in the dialup connection.

If you're confused about Windows 95/98 I can post more detailed information.

erikw
09-25-2003, 06:59 PM
I noticed you had another question. Why can't you see the other computers on the network?

To see other computers on the network you have to have all of the following set up.

- Network card
- Transport protocol (TCP/IP or IPX/SPX)
- NetBIOS (for TCP/IP or for IPX/SPX)
- Client for Microsoft Networks
- File and Printer Sharing for Microsoft Networks
- Bindings (connections) between the protocols

If you didn't install "Client for Microsoft Networks", "File and Printer Sharing for Microsoft Networks", and make sure that they are bound to "TCP/IP" then you would not be able to see other computers on the network.

If you just install TCP/IP for example, you will not see other computers in Network Neighborhood.

Client for Microsoft Networks allows your computer to see other computers (get files from other computers).

File and Printer Sharing for Microsoft Networks allows your computer to share files so that other computers can see the files.

A transport protocol is just a way for the information to travel on the network. It can be TCP/IP, IPX/SPX, or NETBEUI. Microsoft is abandoning NETBEUI.

NetBIOS is how Microsoft Networking talks to some transport protocols. This is very confusing, because NetBIOS is automatically included with TCP/IP protocol (and not even shown separately). You may see this referred to as NETBT (NetBIOS over TCP/IP).

For IPX/SPX, NetBIOS is NOT included, and is shown separately.

Windows 95/98 also defaults to an old way of using IPX/SPX, which doesn't use NetBIOS at all. So there are really two ways to use IPX/SPX transport protocol (with or without NetBIOS).

Windows 95/98 doesn't use NetBIOS with IPX/SPX unless you enable it. Windows 2000/XP always uses NetBIOS with IPX/SPX.

So, a 2000/XP system won't see Windows 95/98 on the network unless you enable "NetBIOS over IPX/SPX" on the Windows 95/98 computers.

Here are the possibilities (remember NETBT is hidden):

File & Printer Sharing --> NETBT --> TCP/IP --> LAN Card
Client For MS Networks

File & Printer Sharing --> NetBIOS IPX --> IPX/SPX --> LAN Card
Client For MS Networks

File & Printer Sharing --> IPX/SPX --> LAN Card
Client For MS Networks

For dialup you can have the same things:

File & Printer Sharing --> NETBT --> TCP/IP --> Dialup
Client For MS Networks

File & Printer Sharing --> NetBIOS IPX --> IPX/SPX --> Dialup
Client For MS Networks

File & Printer Sharing --> IPX/SPX --> Dialup
Client For MS Networks

For better dialup security you really want this.

(nothing) NETBT --> TCP/IP --> Dialup

Since "NETBT" is hidden you can't unbind it from TCP/IP. Not only that, but some other things like Microsoft DCOM (Distributed Component Object Model) always use NETBT. There is a program on the Gibson Research Site at http://grc.com/ that will allow you to disable DCOM. The program is called "DCOMbobulator".

Now you're probably wondering, where does my web browser fit into all this?

Basically it works like this.

Web Browser --> TCP/IP --> LAN Card
Web Browser --> TCP/IP --> Dialup

As you can see, your web browser works perfectly well without Microsoft Networking. All it needs is the TCP/IP transport protocol, and a network card or dialup link.
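
The binding chains drawn in the post above can be checked mechanically. The following is an added example, not part of the original posts: it models bindings as a graph and lists every chain that lets a sharing service reach an adapter. The function names, the "[LAN]"/"[Dialup]" tags and both sample configurations are constructed for illustration.

```python
# Added example: binding chains as a directed graph (upper component -> lower).
# Component names follow the post; the "[LAN]" / "[Dialup]" tags and both
# sample configurations are constructed for illustration.
SHARING = ("File & Printer Sharing", "Client For MS Networks")
ADAPTERS = ("LAN Card", "Dialup")

# Sharing bound to TCP/IP (through the hidden NETBT) on both adapters.
TCPIP_SHARING = {
    "File & Printer Sharing": ["NETBT [LAN]", "NETBT [Dialup]"],
    "Client For MS Networks": ["NETBT [LAN]", "NETBT [Dialup]"],
    "Web Browser": ["TCP/IP [LAN]", "TCP/IP [Dialup]"],
    "NETBT [LAN]": ["TCP/IP [LAN]"],
    "NETBT [Dialup]": ["TCP/IP [Dialup]"],
    "TCP/IP [LAN]": ["LAN Card"],
    "TCP/IP [Dialup]": ["Dialup"],
}

# The layout the thread aims for: sharing only over NetBIOS IPX on the LAN,
# TCP/IP left in place for the browser with nothing bound above NETBT.
IPX_ONLY_SHARING = {
    "File & Printer Sharing": ["NetBIOS IPX [LAN]"],
    "Client For MS Networks": ["NetBIOS IPX [LAN]"],
    "Web Browser": ["TCP/IP [LAN]", "TCP/IP [Dialup]"],
    "NetBIOS IPX [LAN]": ["IPX/SPX [LAN]"],
    "IPX/SPX [LAN]": ["LAN Card"],
    "NETBT [LAN]": ["TCP/IP [LAN]"],
    "NETBT [Dialup]": ["TCP/IP [Dialup]"],
    "TCP/IP [LAN]": ["LAN Card"],
    "TCP/IP [Dialup]": ["Dialup"],
}


def chains(bindings, start):
    """Yield every binding chain from `start` down to an adapter."""
    stack = [[start]]
    while stack:
        path = stack.pop()
        node = path[-1]
        if node in ADAPTERS:
            yield path
            continue
        for lower in bindings.get(node, ()):
            if lower not in path:  # ignore cycles in malformed input
                stack.append(path + [lower])


def audit(bindings):
    """Return sorted (adapter, chain) pairs for the file-sharing services."""
    found = []
    for service in SHARING:
        for path in chains(bindings, service):
            found.append((path[-1], " --> ".join(path)))
    return sorted(found)


def dialup_exposed(bindings):
    """Chains that make file sharing reachable over the dialup link."""
    return [chain for adapter, chain in audit(bindings) if adapter == "Dialup"]


def shares_over_tcpip(bindings):
    """True if any sharing chain runs through a TCP/IP entry."""
    return any("TCP/IP" in chain for _, chain in audit(bindings))


if __name__ == "__main__":
    for name, cfg in (("TCP/IP sharing", TCPIP_SHARING),
                      ("IPX-only sharing", IPX_ONLY_SHARING)):
        print(name)
        for adapter, chain in audit(cfg):
            print("  ", chain)
        print("   dialup exposed:", bool(dialup_exposed(cfg)))
```
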

kidhavoc765
09-25-2003, 08:51 PM
Ok, after reading a few various other posts as well as replies to this one, here is my current setup. So far this is working for the PCs on the network to be able to see one another and communicate to share files; incidentally, the speed of the network for browsing shared folders has gone up greatly since I stopped using TCP/IP for my LAN. In my current setup I have 3 PCs, 2 of which are running Windows XP Professional with SP1 and all updates from Microsoft installed, one of which is running Windows 98SE with all updates from Microsoft installed. They are connected to each other via Cat5e or Cat6 Ethernet cabling and 10/100 network cards going to the Linksys cable/DSL NAT router which connects directly to our ADSL "modem" for internet access. In my current setup I have TCP/IP installed on each system and configured so that it is not bound in the bindings to Client for Microsoft Networks or to File and Printer Sharing for Microsoft Networks. I have IPX/SPX with NetBIOS installed and configured on each system for LAN communication. At present I have the Windows XP software firewall disabled and have disabled any additional software firewalls on the network. Things seem to be running fast, smooth, and efficient. I am also figuring that since the LAN is not using TCP/IP for communication with each other that the network is fairly secure. However, I am curious, will the NAT built into the router provide sufficient security for protecting each PC that is networked through it to the internet connection or should I keep a software firewall like ZoneAlarm installed? Likewise, is there anything else I can do to help increase the security of my home network and help protect user privacy on the internet?

erikw
09-25-2003, 10:57 PM
I recommend visiting the Gibson Research site.
http://grc.com/
Click on "Shields Up" to run a test of how secure your router actually is.
You can also run security tests from DSL Reports.
http://www.dslreports.com

A well designed NAT router works like a firewall, since it blocks incoming TCP/IP connections, and UDP packets. Not all NAT routers block everything. A NAT router with a built in firewall is usually better at blocking unwanted communication.

Should you run firewall software on your computers? Probably not, unless you will be using dialup frequently. You certainly should configure your dialup connections to be as secure as possible. Packet filtering in the newer Windows operating systems will do that.

If you need to open a lot of ports on your NAT router for gaming, or other reasons, then you may want to put firewall software on your computers. Keep one PC for gaming, and don't put any personal or sensitive information on it.

Don't use AOL (sorry all you AOL lovers). There are too many ways to hack into AOL. Don't leave instant messenger programs running all the time (do you really chat all day long?).

Communication is not the only PC security issue.

- Communication security
- Denial Of Service (DOS) attacks
- Web pages with script viruses or other exploits
- Email with script viruses or other exploits
- Shareware or Freeware with hidden advertising trojans
- Plug-Ins for your web browser that may be malicious
- Files from people
- Hacked software

OK, some of what follows may be obvious, but you'd still be surprised at how many people forget about it.

Communication security is mostly handled by your NAT router. You should also disable unnecessary remotely accessible services on your computers (like DCOM). The Gibson Research site has a utility to disable that. Using IPX/SPX for your Microsoft Networking is a great idea, since it closes that remote service for TCP/IP.

Hopefully your NAT router will block most Denial Of Service (DOS) attacks. If they exploit some bug in the operating system, the NAT router should be immune. Some DOS attacks simply try to flood your network with packets. That might cause your NAT router to stop communicating, but your computers should still continue running. DO NOT enable remote administration for your router. DO NOT enable remote ping from the WAN for your router.

Web pages are a difficult problem to deal with. Set the security in the web browser to disable as many things as you can, or at least ask you before executing scripts on web pages. Be wary of personal web sites, and web sites offering great deals or free things. If you are asked about downloading something to view a web page, think about the web page first. If you're not sure the web page is probably safe, don't download and install things.

People are often misinformed about "certificates" that pop up when you download something. All the certificate verifies is that it came from a specific company or author, and has not been modified. There is really not much to stop someone from getting a certificate for software containing a virus (either intentionally, or accidentally). Read the certificate before you install the software. If you're not sure what it installs, click no. Some companies are legitimately asking you if you want to install advertising software on your computer. If you click yes, you just agreed to install it.

Email is another problem area. My first suggestion is don't use Outlook Express or Microsoft Outlook. Those are probably the first Email programs that a hacker is going to consider attacking. There are plenty of other Email programs like Eudora from Qualcomm, that work as well (or better). You will probably have to spend some money to buy an Email client that has the features you want. Turn off any automatic preview functions, and you may even want to turn off HTML displaying for Email messages.

Here are some email security measures you probably haven't thought about.

Don't use your internet/DSL account name as your email address. Create an additional mailbox, screen name, or email alias, and use that. Otherwise you are telling the world your login account name every time you send an email message.

If you have to post your email address somewhere, create a graphic image of the email address, and then post the graphic. Programs that harvest email addresses can't see it. If you have to use text, put extra characters in your email address, like "jsmithNO@SPAMbellsouth.com". Then tell people to take out the "NO" and "SPAM" when they reply.

Don't click the links in an email, even to remove yourself from the mailing list. Hover the mouse cursor over the link, and look at it carefully. Is it a recognizable web site? Does it refer to files on your hard disk "//C:/Documents And Settings/..."? Does it run a script on a web page? If you're not sure about an email removal link, you should be able to go to the web site, and find some way to remove yourself from the email list. If you're not even sure about the web site, then just totally ignore the email.

Most email removal links are just a way for a spammer to verify that your address exists, and you read the email. Replying to the email may also give a spammer more information about you.

Nobody will email software updates to you. Your bank will not email you to say that you must go do something on their web site. Basically any email instructing you to go do something on your computer, or a web site should be considered suspect. Be careful. Sometimes email can use subtle wording to cause you to react and go do something.

Shareware or Freeware sometimes also has advertising software built in to it. Usually the license agreement will mention it, if you read the whole thing. Check the "Program Files" folder before and after you install new programs. Also check "Add/Remove Programs" in the Control Panel. If anything unexpected shows up, then it's time to be suspicious. Take a look at what programs are normally running on your computer. Do that once in a while, and print out the screen, or write down the names. If something new shows up, investigate it. There are programs you can use to scan for adware on your computer.

Plug-Ins to look at web pages, videos, play audio, games, etc. can have malicious code hidden in them. Again, think about where you're browsing, and if it's worth the risk to install the plug-in.

Never assume that a file you get from anyone is safe. That includes when the person says "I already virus scanned this file and it's OK". Your friends may not have up to date virus scanning software, or they may have a virus that modifies the file after they scan it.

Probably the most important thing is to have a virus scanning program that actively checks email, files, and scripts for viruses. Keep the virus list up to date. Check the web for new viruses and take any special precautions to detect or prevent the viruses.

Another suggestion I have is don't install new programs or even updates unless you need them. That will not only expose you to fewer security risks, it may keep your applications from crashing as much. I generally don't automatically install updates. Periodically I take a look at what's on the Microsoft site, and elsewhere, and then I decide if I need the update. Microsoft Security updates can sometimes add as much security risk as they remove.

Most people don't know that you can order update CDs from Microsoft for just the shipping (usually $10 to $12). That's how I get my updates for Internet Explorer and my operating system. That way I can reinstall exactly the same things again (from CD). Microsoft is notorious for having different versions of something, and not saying that the March version of Service Pack 1 is slightly different than the April version of Service Pack 1.

If you're going to update something, download the update to a folder before you install it. Sometimes it's difficult to figure out how to do that, but it's worth doing. Keep a folder with all of your installed updates, so you can reinstall them. Burn a CD with the updates once in a while.

Don't use hacked or unlocked versions of software. Some hackers like to add viruses to the hacked software they give out for free. Always try to download programs from the web site of the company that wrote or sells the program. You're less likely to get a virus with the software, and you're also more likely to get an up to date, working version.