How Are You Protecting Your Computers? 193
b0m8ad1l asks: "I'm wondering what AV, software/hardware firewalls Slashdot readers are using these days. I remember another Ask Slashdot a long time ago, but i'm curious as to how everyone is keeping up with the times. I'm using Kaspersky AV, Sygate Personal Firewall Pro, behind a Netgear RP114 router"
If I told you... (Score:5, Funny)
I'm using (Score:3, Insightful)
Ok, fine, I'll bite... (Score:5, Insightful)
Everyone does it, and just because one person has to install a firewall and another person has to hunt down drivers doesn't make either person superior to the other. Yeah I know, this is slashdot, where "Windows sux and Linux rulez", but if we're going to be asking serious questions we might as well be giving serious answers.
Myself, I use KPF [kerio.com] and AVG [grisoft.com], with AdAware [lavasoftusa.com] on the side. Fortunatly, these three programs don't have much to do, thanks to Firefox [mozilla.org] and my cheap yet trusty DI-604 [dlink.com] router. I'm actually going to be putting together a box for my parents this weekend too, so i've been busy loading up my USB flash drive with some of the aforementioned programs, and other first boot goodies. And if i'm lucky, my parents will turn over custody of their old computer (an aging P3-500) to me, which I hope to turn into my very first Linux box to muck around on. Then i'll get to experience the numerous pains-in-the-ass of both worlds! Should be fun.
Re:Ok, fine, I'll bite... (Score:2)
No, that doesn't make either person superior to the other, I'd say it does make the OS superior though.
Re:Ok, fine, I'll bite... (Score:2)
Of course, from a home user perspective, I used to not even keep AV software on my local machine. Always could have another machine scan it in case of an issue, and a clean wipe would follow if something was found.
Nowadays, I keep AVG on my machine, because I'm hooked up to two other houses via a VPN. It's not that I don't trust the other guys, however I don't have any clue as to what they could be plug
Re:Ok, fine, I'll bite... (Score:2)
How did you have another machine scan it?
Re:Ok, fine, I'll bite... (Score:2)
OpenBSD (Score:3, Interesting)
If you're loading up a USB flash drive... (Score:3, Informative)
It's not a lot of drivers and such. More oriented to useful utils that can come in handy in a pinch. It's stuff that I tend to use fairly frequently and don't like to be without.
Re:Ok, fine, I'll bite... (Score:2)
Re:Ok, fine, I'll bite... (Score:2, Interesting)
You say you seriously doubt anyone has done a fresh install of distro-of-choice and not spent time tweaking things to get the system fully usable. Then you go on to say you're hoping to build your first linux box.
I think you'll be pleasantly surprised, depending on what distro you choose. Someone below mentioned OpenBSD [openbsd.org], and that's a good recommendation. I think you'll fin
compromised in seconds (Score:2)
Yes, but generally once you've done an fresh install of *distro-of-choice* you at least have the chance to get it on the network before it is hacked to death. Windows XP's basic install has gotten so far out in terms of security that a fresh XP install is generally compromised within *seconds* o
The obvious... (Score:2, Insightful)
Re:The obvious... (Score:3, Insightful)
Two junkboxes, an SS10/30 that happened to have a quad-ethernet and a P200 with 4 cheap PCI NICs.
Both with OpenBSD with pf, pfsync and carp.
Wlan AP connected to DMZ allowing only IpSec traffic.
Internal server with samba/nfs, Clamd and Squid.
All internal boxes get their virus scanned mail from the server, all http access thru squid (with filtering for annoying ads and crap).
All MS boxes also have updated Norton Antivirus and of course Firefox/Thunderbird.
And Daddy gets a good nights slee
vmlinuz (Score:2)
You didn't specify it, but I assume you are referring to Windows. A question worth asking is whether whatever it is that has you running Windows is worth the hassle of worrying about virii/worms/etc.
Re:vmlinuz (Score:2)
Seeing as how Linux has its share of it too, it's not all that clear that hassle would suddenly disappear. Add, on top of that, jumping through all the hoops of setting up Linux and finding alternative software that does what he needs, assuming such software exists. (note: I don't mean for that to sound like an attack on Linux, but not everybody can just suddenly switch
Re:vmlinuz (Score:2)
I don't know what you mean by "suddenly disappear" (it certainly wasn't in reference to anything I stated in my post). If you mean all systems have the potential for being cracked, then sure. But that doesn't tell anything near the whole story. If you run Linux (or OS X, which you left out in your reply), your odds of being cracked/spywared drop low enough that it's not really worth fretting over--even if you don't turn on the built-in firewalls
Re:vmlinuz (Score:4, Interesting)
I apologize if I have misinterpreted your meaning, but your post does read that way.
"If you run Linux (or OS X, which you left out in your reply), your odds of being cracked/spywared drop low enough that it's not really worth fretting over--even if you don't turn on the built-in firewalls (which are infinitely superior to the Windows built-in firewall)."
I left out OSX only because he cannot install OSX on a Windows machine.
As for the odds being low, that doesn't really help, does it? You still have to regularly install updates to Linux and the apps you run on top of it, Mozilla for example. I found this out myself. Buying all of Slashdot's hype that Linux is secure, I built a Linux webserver for my company. 2 weeks later it was rooted. Our newly hired Linux expert had to rebuild it 'securely'. Thankfully for them, they had him on hand to clean up the mess caused by my incompetance.
"So while you may be playing the pedant card and using language that is "technically correct", you have added more confusion than clarification to the issue. I hope you don't mean that Windows, Linux, and Mac OS X are all equally crackable. If you aren't careful, you can end up with a cracked XP system during the install process, what a joke!"
My only real point is that you have to be vigilant either way. It's a question of whether or not it's 'worth the fuss'. Interestingly enough, Windows' highly publicized insecurity has lead to some interesting developments such as auto-updating virus protection and Windows Update itself. If Linux doesn't have these, it needs them, especially when it reaches enough users for worms etc to really be an issue.
I'll put it another way: I'm a Windows user. I have several machines I have to take care of. I don't have problems with exploits trojans or spyware. Once in a great while something will come along. I take care of it, bfd. I spent more time building the ill-fated Linux/Apache server than I have in a year of maintaining exploit-related Windows problems.
Re:vmlinuz (Score:4, Informative)
No problem. If you re-read my original post you'll see it's more of how you read it than how I said it (I imagine you read it through slashdot-colored glasses, as it were).
I left out OSX only because he cannot install OSX on a Windows machine.
But presumably it is an option available to him. Cost is an issue he'll have to weigh for himself if he deems it worthwhile. I was just offering two options that work for me.
Buying all of Slashdot's hype that Linux is secure, I built a Linux webserver for my company. 2 weeks later it was rooted.
The guy doesn't sound like he's interested in running a web server. There are plenty of ways to make an apache install insecure. Again, to make a fair comparison, it's easier to crack IIS than it is Apache. That you got 0wn3d doesn't detract from my point. I never said Linux was uncrackable, I said it's more secure (by a large margin).
My only real point is that you have to be vigilant either way.
This is the "what do you mean by that realm". 'Vigilant' is a term that is subjective. Under Debian, 'vigilant' means running apt/aptitude/dselect (whichever is your choice) and telling it to update your system. Under Mac OS X, 'vigilant' means clicking "install" when Software Update pops up. Under Windows, 'vigilant' is far more involved.
Subjectively you can say both require 'vigilance', but they are not equal. You are repeating the confusion of a Windows apologist. When a Linux advocate (yeah, sometimes they are rabid too), claims that Windows is less secure, the Windows apologist will say Linux has security holes too. But when you look closely, you'll see a world of difference. Both a glass of water, and a handfull of rattle snakes can kill you, but one is far safer than the other.
It's far easier to crack a Windows computer than a Linux computer by a wide margin.
It's a question of whether or not it's 'worth the fuss'.
Which is what I said in my original post.
I'll put it another way: I'm a Windows user. I have several machines I have to take care of. I don't have problems with exploits trojans or spyware. Once in a great while something will come along. I take care of it, bfd. I spent more time building the ill-fated Linux/Apache server than I have in a year of maintaining exploit-related Windows problems.
Then Linux isn't for you. I never said it was for everyone. I suggested he consider it (maybe he has, maybe he hasn't, I have no way to know, but both Linux and Mac OS X are viable alternatives and worth considering).
Re:vmlinuz (Score:2)
I agree and understand what you say including this part -- My only real point is that you have to be vigilant either way. Whatever system I set up -- Windows
Linux / BSD box + IRC network = hacked (Score:2)
The attack and compromise was almost immediately noticed via the display I have on my firewall and lo
Re:vmlinuz (Score:2)
Hardly a scientific deduction. My Windows server lasted 2 years without any exploits/intrusions etc.
"It is people like you who are the cause for all the ill we have on the Internet - worms, virusses, and spam. It is YOUR fault."
Really? So who's second place then? The guy who wrote a defect into Linux, or the guy who wrote the worm?
"I hope the company deducted the damage you caused from your s
Locked-down OS/X does it for me. (Score:2)
Not doing dumb things... (Score:5, Insightful)
If you add complexity to deal with complexity you are introducing additional vectors for even more security problems. (One example: trusting that a virus detector is working because it says 'everything is fine'...only to find out later that the last virus through disabled the virus detector so it would always report 'everything is fine'.)
Re:Not doing dumb things... (Score:2)
Yep. That's about the atitude I take with my home PC too. Actually I admit it was your signature that contributed a bit.
FC1. Firestarter to cover the basics of firewalling. But anything not needed is turned off where possible. Don't even have sshd running at the moment as I don't need to access remotely, so why bother giving anyone else a chance. Same with Samba. When the laptop ain't on the LAN the main PC doesn't run Samba. Browsing via Firefox - usual safety settings. E-mail via Thunderbird - read sett
a la carte (Score:4, Informative)
Windows Firewall (XP Pro). (~Free)
Aerielink (Soyo) router. (~$60, incl. USB-WiFi used by other computer)
Before the router I ran Tiny Personal Firewall (now Kerio PF), and loved it (free and better than Zonealarm or BlackICE, for my needs). Also had Norton AV for a while, but it was just 'eh', and isn't free.
-bZj
Home setup (Score:5, Interesting)
-cable modem->linux 2.4 kernel router running iptables
-norton antivirus corporate edition
-Microsoft Software Update Services for the Windows boxes
-iptables for the Linux boxes
-ntop and snort for traffic monitoring
-I have a WRT54G that I don't use for routing anymore, just as a bridge. Anything that I use over wireless is done over ssh. Host connection, bank account checking, email, vpn to work, etc.
-various other utilities to monitor tcp/ip traffic
-good old fashioned obsessive tailing of logfiles along with vgrep
Re:Home setup (Score:3, Interesting)
Re:Home setup (Score:3, Interesting)
I think what you're referring to is the return of the ANSI bomb -- there have been several patches to programs such as less and vim to prevent this from occurring, but your recollection is correct; you can place certain control sequences in output messages (I'd imagine a wide-open syslog would be relatively simple) that, when displayed via certain terminals and/or certain programs, could cause command execution with the privileges of the user.
Here [linux.org] is the result of some quick googling on the subject.
Re:Home setup (Score:3, Informative)
Using strings ...
... should elimin
Re:Home setup (Score:2)
Not much (Score:3, Interesting)
Most of my email and browsing is done in Mozilla. Never got infected through Internet Explorer or Outlook Express though. I have a Linux PC and a Windows XP PC running side by side. I don't use antivirus software and I don't get viruses or spyware.
Re:Not much (Score:5, Insightful)
Forgive me for pointing out the obvious, but how do you know?
Absolutely nothing you have there would prevent the latest GDI exploit from running code of attackers choice on your Windows box by you doing nothing more complicated than viewing an image.
Re:Not much (Score:2, Informative)
People are always asking this question but I have never seen anyone answer... so I will.
If a virus/worm/whatever is going to be doing anything interesting, it MUST use resources. If you are always monitoring your resource usage, you WILL (eventually anyways) notice the new/different/extreme resource usage. Blinking lights (hard drive, router, etc), sounds, resource meters, firewalls that report activity, are all things that can alert you to ma
Re:Not much (Score:2)
Re:Not much (Score:2)
Re:Not much (Score:2)
If you keep a close watch on your system it would be obvious when a new process shows up on the list*. I keep task manager running at all times and like to monitor memory usage, total processes, CPU usage, etc. Other good tools are Process Explorer and TCPView (sysinternals.com). I use Privoxy and so all web activity is shown in the console, as well as the tray icon animation.
But besides that I hit up the trend micro virus scan every 3 to 6 mont
The setup... (Score:3, Informative)
I don't have a chance to dig up links for these, but diagnostic tools are a must if you really want to lock stuff down. First, generate and read logfiles whenever possible. Check things out with nmap, tcpdump, ActivePorts, Look@Lan, Kiwi syslog Daemon, Portlistener XP, Bazooka Spyware Utility, Spybot Search and Destroy, Socketlock ... the list goes on. Generally try any tool you can and you'll get a feel for what is actually to your tastes and useful.
Why TightVNC? Other questions. (Score:4, Interesting)
Many questions:
Why did you choose TightVNC? Why not RealVNC [realvnc.com], UltraVNC [sourceforge.net], or TridiaVNC [tridiavnc.com]?
Is it better to pay for VNC software, like Tridia VNC Pro [tridiavncpro.com] or Radmin [radmin.com]? Which software has video resolution scaling of the remote desktop?
What security is best? Is it good to use a VPN for secure access, or is SSH better? What Windows SSH server do you use?
What VPN hardware is best? We bought a NetGear FVS318 hardware firewall/router/VPN for a customer, and discovered that the remote administration password is openly transmitted. We found that logging out in the remote administration menu didn't always actually log out. We found Javascript errors. With the 2.4 firmware, more than one client can be logged in at the same time. That situation, two clients at the same time, would give an error message with the 2.3 firmware, so things seem to be going backward in some ways, in firmware that is already shaky. Our experience with Netgear technical support is that it is very limited. On the telephone we got someone in Tamil Nadu, India, who was allowed to practice for a short time with Netgear equipment, but who doesn't any longer have access to actual equipment. The online tech support just gave error messages. Not only that, but Fry's and Netgear arranged a rebate trick. They have a very long rebate receipt, and ask you to enter your address both at the top and at the bottom. If you don't enter it at the bottom, they deny your rebate.
K.I.S.S. - always been and always will be best (Score:5, Insightful)
You get a whiz-bang anti-virus/firewall system set up and what does it do? Give you a false sense of security so you can feel more confident about engaging in irresponsible computer use. The problem is almost every piece of security software out there has at one point or another been vulnerable, so you're flirting with disaster.
I think no matter how many advances we have in this area, the basic rules of security will always apply:
1. Limit Accessibility.
99% of security issues are inside jobs. Limit physical access to your resources. Don't put any sensitive data on a machine that anyone else has access to that you don't want public. Use encryption, multi-wipe free space and turn off your machine when you're not using it.
Some people don't want to hear this but it needs to be said: DON'T USE WIRELESS if you're worried about security. No matter what precautions you're taking, by going Wireless you dramatically lower the integrity of your personal security PERIOD. It's one thing to use wireless on the road, but you should limit the sensitive information on your laptop in the first place because it's mobile, but it's really just plain lazy and irresponsible to run wireless in a permanent installation like your home if there is any practical way to avoid doing so.
I can't stress this enough: *unconditionally* WIRELESS IS MUCH LESS SECURE. It doesn't matter what protocol/encryption you're using, by going wireless you introduce additional ways your system/data can be accessed.
Remember the first commandment: True security is more dependent upon reducing access points than it is implementing protection of access points.
2. Disable ALL non-critical services. Don't run anything except what you need on your PC. Close all unused ports; remove all services and extra features and plug-ins that aren't needed. The fewer systems, the fewer points of vulnerability.
3. Keep all software fully-patched and up to date.
4. If possible, never use the "industry standard" software if it's not the most secure solution available. Dump IE and Outlook and switch to Firefox and Eudora.
5. TEXT ONLY E-MAIL... This, after #1 is IMO the biggest threat of them all. The added superficial benefit of html-email is not worth the security liabilities that come along with it. If you want to use html e-mail, I'd recommend a second, sandboxed account for that.
6. Never put a machine on public-addressable IP space unless it's a public server. Use a DSL/cable switch and put your systems on a VPN on the other side of a hardware firewall that filters out all non-essential traffic.
7. After you've taken care of 1-6, then and only then should you consider anti-virus/spyware and related software to be a useful addition.
Re:K.I.S.S. - always been and always will be best (Score:3, Insightful)
I can't stress this enough: *unconditionally* WIRELESS IS MUCH LESS SECURE. It doesn't matter what protocol/encryption you're using, by going wireless you introduce additional ways your system/data can be accessed.
Explain to me how a properly configured IPSEC setup is less secure then a wired setup.
[ As for the original question, I'm protecting my computers through iptables on the server (running debian stable), and the samba shares are scanned with f-prot weekly. Each desktop machine runs their o
Re:K.I.S.S. - always been and always will be best (Score:4, Interesting)
You are comparatively safe with IPsec, however this is just because five people down the block don't know what it is, making them a softer target.
Anyone who really wants in to a cable based LAN has to find a place to jack in, and you're fitting a metaphorical socket to your front door.
Of course, any external networking connections are inherently insecure compared to none - physical security is the best security layer, But I doubt many
Re:K.I.S.S. - always been and always will be best (Score:3, Insightful)
IPSEC can be brute brute-forced and/or dictionary attacked, just like anything can... and IPtables are the same, if the cracker can assume any neccessary IP address and remain adressable. Whereas a net based attack must come from a correctly addressed (even if it's a compromised 3rd party) machine, or the packets will simply never return to the attacker.
Er, almost anything can be dictionary-attacked or brute-forced attacked. Given enough time, the ability to ignore the death of the universe, and a to
Re:K.I.S.S. - always been and always will be best (Score:2)
kinda the diffenence between storing treasure in a safe and storing it safe in your private estate replete with motivated guys in machine gun nests...
Re:K.I.S.S. - always been and always will be best (Score:5, Insightful)
STO is when you use unpublished methods and rely on the attacker not bothering to try to reverse-engineer your system as a method of protection. Examples are using XOR and similar cyphers in obfucated ways to hide the details.
So far RSA has not been compromised. Until such a time using RSA in open and peer reviewed protocols (remember that RSA etc are only a small part of the big security system) is in no way "Security Through Obscurity", it is in fact Best Practices (tm) and that is pretty fucking far from STO! And if a really good way to factor into primes comes up then you CHANGE the encryption scheme!
Most people have a grasp of just how many combinations there exist in a 2^1024 key. As far as we know the number of atoms in the universe (including dark matter and such) is on the order of 2^200. Now in RSA and other asymmetrical systems not all keys can be used, but still I'm willing to guestimate that a typical 2^1024 key has way more than 2^1000 valid keys (I can't be bothered to do a real estimate, and that's probably way to small).
Now consider that the Universe is Pretty Damned Big, yet the number of valid keys completely dwarfs that. It is hard to put into words just how completely unlikely you are to brute-force an RSA key (or any other key for that matter). Just imagine all the absurd unlikely events EVER happening to you in the same microsecond. Then multiply that by about 50 billion times and you'll still be ways off, but you'll get the idea.
In short, you are not going to brute force a key which is even 2^256, it's just not happening.
If you are that worried about someone tapping into your wireless systems do you also ensure that all your electronics is protected from people snooping on your electric signals? Or do you wear sunglasses and gloves all the time to protect you from someone trying to get a copy of your iris/retina or finger prints? That's a lot more likely than someone breaking your encrypted wireless communication.
Besides I'd rather have my precious data under my desk in encrypted form than in some bunker with a bunch of morons with explosives. No way to be sure what they end up shooting at when they are drunk and bored.
Re:K.I.S.S. - always been and always will be best (Score:2)
That's an assumption, of course. However, if a way to compromise it ever leaked out in public, I doubt you or I would have to worry about Joe Hacker giving us a hard time, given the number of far more juicy targets that also use RSA...
Re:K.I.S.S. - always been and always will be best (Score:2)
Your straw man is interesting, but attacking my throwaway "buried treasure" metaphor instead of my actual point that it's better to deny any external point of access at all is pretty darn lazy.
Re:K.I.S.S. - always been and always will be best (Score:2)
Really, read up on cryptography (I bet there are some articles on Wikipedia, if not I may have to write some just for you) and get back to me when you can have a relevant conversation.
Re:K.I.S.S. - always been and always will be best (Score:2)
You really have no idea how public key encryption systems work, do you?
Why, yes I do. I even understand the mathematical principals behind it. If you'd read my other posts you'd know it. In fact you [slashdot.org] even seem to think XOR style bit rotation is less secure than RSA. You do not seem to know that One-time Pad [wikipedia.org] is the undisputed king of cryptography and is unbreakable if executed correctly. Who's the guy who doesn't know his stuff about cryptography here?
Or are you trying to be cl
By definition... (Score:2)
Re:By definition... (Score:2)
Re:RSA is far less obscure than physical security (Score:2)
Yes, the mechanism by which RSA works is very well known. It is based on integers calculated using extremely high primes.
But you miss the point.
If the two particular high primes become known, factoring your public and private keys becomes very fast and easy. the obscurity is in those primes and your keys not the encryption and decryption algorithms. Incidentally it's physical security that protects those keys.
I repeat security
Re:RSA is far less obscure than physical security (Score:4, Insightful)
Cryptography is obfuscation
Yes, but "security through obscurity" is a technical term of art. It's either ignorant or disingenuous to use English-language definitions to define a technical term when that term is clearly used in context. Yes, the private key in an RSA implementation must be "obscure" in the English sense for the system to be at all secure.
But, as wikipedia puts it (you can read more there):
"In cryptography, the reverse of security by obscurity is Kerckhoffs' principle from the late 1880s, which states that system designers should assume that the entire design of a security system is known to all attackers, with the exception of the cryptographic key"
This is supported by how this term is used in practice by experts in the field.
The key principle of systems described by "security through obscurity" is that the _design_ of the system (algorithms, etc) is hidden.
The key to non-security-by-obscurity systems is that the design of the system is public so that it can be publically audited and the assertion that "it's secure when used with any key that satisfies condition X" is well-vetted (X is usually: "Product of 2 large primes", in some algorithms it may be "Never reused" or "not a Weak Key" for some rigorous definition of weak key, in some algorithms other ). It's also usually key that there is a good objective test for condition X, such that implementors have a high degree of confidence that not only is their crypto implementation basically sound but that the keys they implement are believed to be secure as well.
More generally, in non-keyed systems it's not considered reliant on "security through obscurity" if the system architecture as a whole is well-vetted and the conditions that are prerequisites to security are documented and objectively testable via some well-vetted method.
Of course, you probably already new that and were trying to change the accepted definition by arguing against the OP based on an idiosyncratic (within the context) definition.
(Of course, whether or not a system relies on security through obscurity is kind of a spectrum; very few systems are completely non-STO and very few are completely STO.)
I congratulate you. (Score:3)
I will admit that I have taken "security by obscurity" to it's logical literal extreme here, which is indeed an ideosyncracy of mine. It's not that I'm particularly trolling - It was originally because someone disagreed with my assertion that RSA was not secure in an absolute sense, which I (still) believe is utter tripe.
In fact it
Re:RSA is far less obscure than physical security (Score:2)
I'm not. Are you, Mr Anonymous Coward?
This ridiculous challenge has nothing to do with wireless security and you know it.
That's correct. It is entirely to do with your assertion that RSA has no obscure elements. It has, so deal with it.
I challenge you to provide all the above information for your wired network.
No, because I don't assert that there are no obscure elements to RSA.
Re:K.I.S.S. - always been and always will be best (Score:2)
IPSEC can be brute brute-forced and/or dictionary attacked, just like anything can... and IPtables are the same, if the cracker can assume any neccessary IP address and remain adressable. Whereas a net based attack must come from a correctly addressed (even if it's a compromised 3rd party) machine, or the packets will simply never return to the attacker.
Er, almost anything can be dictionary-attacked or brute-forced attacked. Given enough time, the ability to ignore the death of the universe, and a to
Re:K.I.S.S. - always been and always will be best (Score:2)
You need three. One dog can be despatched (eg sleeping pills wrapped in bacon), two dogs maybe, but three is too hard to deal with.
Re:K.I.S.S. - always been and always will be best (Score:2)
Point 5 is downright idiotic. HTML is not executable by it self and unless you use a very old version of outlook (in which case you are asking for trouble), any javascript, vbscript or whatever will not be executed. Most virus mails are formatted as plaintext btw. The virus is almost always an attachment.
Wireless is not very secure out of the box but you can lock it down pretty effectively. I'd say the whole point of wireless is to 'in
Re:K.I.S.S. - always been and always will be best (Score:2)
#6 is actually the most important one; it's part of paramiter defense and lan design (router/VLAN level not server level).
The job of a
Re:K.I.S.S. - always been and always will be best (Score:2)
On a security level, html-email is LESS SECURE. That is a fact. I'm not talking specifically about executable issues, but actually, you're wrong about that too, with the recent vulnerability discovered
Re:K.I.S.S. - always been and always will be best (Score:5, Informative)
The key to proper wireless setup is to associate different levels of trust between the wired and unwired components. Require WPA. Most household wireless routers allow you to specify a physical address list for visiting assets - do not allow unregistered MAC addresses to join your network. Have the wired network use a different subnet than your wireless network, so that the IPSecurity policies on your wired boxes can be set to prohibit access to the wireless agents on your house. Also, some routers let you set firewall rules between your wired and wireless subnets.
Audit everything. Everything. Disk space is cheap.
Also, run a packet sniffer on your wireless network. I once had a Netgear wireless router that would broadcast packets wired computers had sent it to route to the public internet across the wireless network - it had no concept of how to route correctly. If that's happening, throw that PoS away and get a real router.
Can this be compromised? Yes, but it requires breaking through various levels of real, cryptographically enforced security. Remember that only one part of information security is denying access to intruders because at the end of the day, the most locked down boxes plugged into a network can still be hacked. You must be constantly vigilant to detect intruders as they attempt access, you must have a recovery plan if you are compromised (everyone needs AV software and an individual firewall on each computer behind the NAT firewall), and must be sufficiently auditted that you can trace access attempts back to the source. Watch your wireless traffic - with this type of security, in the very very remote chance you are compromised, its going to take a long while. Is someone trying a variety of network attacks on your wireless network? If so, I've got good news - rule out that its not someone in a car outside, and you can pinpoint it pretty quick down to a neighbor. Talk to them if you think its their 16 year old punk teen, call the police, leave a note on their door with a picture of Sauron's eye saying they need to be more sneaky, whatever.
Re:K.I.S.S. - always been and always will be best (Score:2)
All the reports I've read have pegged it at a 50/50 split...though I'd guess it is more like 80 inside / 20 outside (corporate) and 20 inside / 80 outside (home use). Not that we're making up statistics, though!
Re:K.I.S.S. - always been and always will be best (Score:2)
Re:K.I.S.S. - always been and always will be best (Score:2)
Keep in mind that this isn't a 'use NAT'/'do not use NAT' issue. The issue is LAN design and security hardening at the router level. If using public and private addresses makes sense -- and NAT is only an example of this public/private split -- you should use public and private addresses. Otherwise, don't.
That said, using public/private address schemes can be quite handy is that you can rely on other software and hardware to be partially configured before yo
Re:K.I.S.S. - always been and always will be best (Score:2)
Re:K.I.S.S. - always been and always will be best (Score:2)
Not at all! I consider both sides to be hostile. Having only public addresses complicates things unnecessarily; the network should be highly segmented at the routers anyway. Splitting the local lan using private addresses keeps things a slight bit simpler.
m0n0wall for perimeter (Score:2)
kerio pf4
nod32
adawareSE
Tin Foil and DuctTape (Score:5, Funny)
my complete rig (Score:2)
The other 5% of my time is spent playing games. My machine duel boots into WinXP. I don't use WinXP for checking mail, and I use Firefox if I do any browsing. I don't download executables from questionable sites, therefore have no need for AV.
I use the internal WinXP firewall for network protection.
Hmm (Score:5, Funny)
Re:Hmm (Score:2)
"What security software do you use?"
"It's this great product from Apple."
"Apple? Really? What's it called?"
"Mac OS X."
Seriously, OS X with all the security options turned on (almost all of which, I note, are on by default out of the box) is more secure than any reasonable install of Windows with all the latest'n'greatest third-party stuff. If you must use x86 hardware, then any decent Linux distro may take a little longer to configure for security than OS X does
Linux. (Score:2)
A bit of iptables, a superior and safer web browser, intelligent email clients.
I stopped worrying about viruses and being owned some time ago.
Old PC running Devil-Linux boot CD-ROM .. (Score:4, Interesting)
Gotta say, I love the bootCD firewall solutions. Pretty darn hard to beat
I took the ethernet card out (Score:2)
Apart from that, I do my web browsing on a Mac running OS9 - security through obsolesence is greatly underrated!
Re:I took the ethernet card out (Score:3, Funny)
Install IPX/SPX or NetBEUI on both machines. Keep TCP/IP on the non-sensitive machine, but have no TCP/IP stack installed on the sensitive machine, and use IPX/SPX or NetBEUI for networking betwixt them.
For added obscurity points, yo
UPS (Score:2)
One of which runs FreeBSD and is set up as a firewall. Since FreeBSD is already "dying" perhaps the hackers won't bother to get too familiar with it
I use AVG, but it's more to prevent accidents (e.g. oops slipped and clicked the wrong thing) than anything.
I don't use too much. (Score:2)
The only traffic allowed past the router is incoming port 22.
Lock the doors ... (Score:2)
truly wonderful firewall (Score:5, Interesting)
Tried it on trial, liked it so much I paid for it.
-- McAfee VirusScan, because I got it free (corporate) and it seems to work ok.
-- on another system, english.mks.com.pl "mks_vir", which has recently been favorably reviewed for its dynamic adaptablility to not-yet-signatured new threats.
-- SpyBot, AdAware
Re:truly wonderful firewall (Score:2)
well, that's the difference between "seems" and "does".
Wouldn't have been my first choice if not free.
What else has your experience/research shown?
Alternatives?
Minimal security (Score:2)
For the people who think that windows isn't secured: I've ran WinXP since its inception unprotected and haven't caught *anything* (I run adaware and a free online virus c
Re:Minimal security (Score:2)
OTOH, antivirus software and ad-aware is mostly useless. You *can* prevent virii from being installed (don't install them, stupid!) and you can prevent adware from being installed (again, don't install them, stupid!). There's r
Re:Minimal security (Score:2)
But, that depends on what "that" is. If you say "Doctor, it hurts when I hit my hand with a hammer", it is reasonable to say, "Well, don't do that".
Or, "Doctor, I get sick when I eat spoiled food." "Well, don't do that."
Cheap NAT (Score:3, Insightful)
I've not had an issue in the 2 years I've had this setup. I don't have problems with email worms and such because well all my machines run Linux
I've got a similiar setup for my parents and they've had minimal problems running all Windows. They've had some spyware issues lately because of some bad downloading but what can you do.
My setup... (Score:2)
* 8-port Linksys Router/Firewall
Only a few incoming ports are opened - basically the ports needed for Soulseek and Bittorrent. If you're NAT'd behind a hardware firewall/router that blocks incoming conne
Layers (Score:2)
It doesn't have to be perfec
pfft, PUH-LEEZE! (Score:2)
No antivirus software - it's a waste of valuable resources. If you have half a brain you won't get infected (stop downloading and running everything just because a window popped up in your browser saying to).
If a machine DOES get infected the ONLY solution I accept is to wipe the damn thing out and start over from an empty disk -- No sense taking the chance that some other vi
Keep it simple and secure (Score:2)
I have a medium to large sized home network of 6 computers. Most of them are Mandrake Linux 10.0 only. One is dual boot (W2K and Mandrake Linux) and one is W2K only.
I use Netgear router and set it up to block everything form outside, except the ports I need (www, ftp, ssh). It also does not respond to pings.
On Windows, I use only Open Source or Free software. FireFox for browsing, Thunderbird for email, OpenOffice, Grisoft AVG for antivirus, and Adaware. I also use Yahoo and MSN messengers (not using
Debian all the way :-) (Score:2)
My work rigs (Public Access Labs) (Score:2)
Squid & Dansguardian
Norton Corp AV 8
All automatic updates engaged (of couse I still need to visit each machine to click of on the EULA for SP2)
System policies limiting installations and setting changes
File permissions set to prevent the public from Writing and Executing in the same place.
About 60 public access machines at 8 different recreation centers on DSL internet.
Almost perfect...
SD
My list (Score:2)
I run Spybot & AdAware about once/week, an
Simple... (Score:2)
FC2: Update regularly, no services available outside of LAN except testing webserver that is on port 8000 to bypass school's incoming traffic filter, test server only known fo a select few.
I don't use anti-virus. (Score:2)
I don't have any anti-virus software. I have some simple procmail rules that delete messages with all but the most innocuous attachments, and the Win98 box isn't used for mail or web browsing (just some a few old Win apps and testing my own web sites on IE), so the only impact viruses have on my systems is that the mail-borne ones
Re:Not much. (Score:3, Insightful)
Hardware firewalls are slightly more cumbersome when trying to set this up, as most only allow you to filter outgoing connections by ports.
Re:Not much. (Score:2)
Re:You forgot the web browser (Firefox) (Score:3, Insightful)
Re:You forgot the web browser (Firefox) (Score:3, Interesting)
"Scripts or not" doesn't help when something like the recent GDI debacle occurs.
The trick is in finding a balance that keeps you safe enough from attack but open enough to do what you want to do.
So far, considering how fast they put out updates and how many exploits the leading browser has, I think Firefox does a
Re: black or white (Score:2)
Not true for me, depends a lot on the site.
Fortunately, Agnitum.com "Outpost" fw lets me control ALL those things on a per-site basis.
Re:My setup (Score:2)
ZoneAlarm, ADSL, hardware firewalls question (Score:2)
Like many others here it seems, I run AVG, ZoneAlarm, Ad-Aware and Spybot on my WinXP box, and use Firefox and Thunderbird. However, I recently hooked up ADSL through my ISP-supplied Binatone 4-port ADSL modem/router, and now I have concerns. My system used to be invisible c/o ZoneAlarm, but now I've got a fixed IP and this wonderful connection hardware that advertises its existence to anyone who cares to ask, and even leaves the FTP port open to the outside world!
Of course I've changed the password on th