Subject: Re: [OM] [OT] Firewalls and other (mostly Linux related) network security questions
From: David Thatcher <davidt@xxxxxxxxxxxxxxxxxxx>
Date: Sat, 18 Jan 2014 03:37:51 +1030
Chuck, et al, 

(note to other listees: again, a sour old networking guy here with lots
of boring tech bits: skip to my last paragraph to get to the general
'good advice'(TM) - likely no better than you'll get from your average
morning show!).

1: In a DHCP and RFC1918 (private address) environment, with a dynamic
'real' address from the ISP (with no 'virtual servers' configured),
inbound attacks are a very low risk. Bear in mind 3G and some types of
cable modem connections may get a 'real address' and bypass this
'safety'.

2: We need to define a 'firewall'... in the old days port filters and
access controls were fine and the function of the firewall. Nowadays,
however, there is so much malicious crap out there, that our router or
firewall needs to perform a number of functions: 
 a: protecting itself from compromise from outside attacks (one of the
    most common vulnerabilities that you never seem to hear about);
 b: scanning data streams for virus/worm/trojan signatures (see 3);
 c: looking for - and blocking - accesses from inside to malware sites;
 d: looking for - and blocking - accesses from inside to botnets (almost
    impossible because of the rate that they are added to the 'net).
Likely a home router has little smarts and a device touted as a home
firewall is very basic also, has none of these things and relies on
security by obscurity!

3: I think it is. A good firewall will be looking for malicious things
   in the data stream. Keyloggers are good, but I'd say phishing is
better!

4 & 5: Hmmm... keep the systems patched, but there is ALWAYS a risk.
The OS manufacturers are always on the back foot - making changes
reactively to discovered threats - and the AV/AS people, while much faster,
can take days to catch up also. Your recent Java warnings are exactly
the type of thing I'm talking about. The analogy I like to use when
talking to my clients is "a big dial with SECURITY at one end of the
scale and ACCESS on the other". You want security? Then unplug it from
the network. You want access? You'll have to plug it in, but you can
mitigate the worst issues with some hassle (false positives, access
problems etc.). The less hassle you want, the more risks you are going
to face (and for us people with "lesser known" OSes like UNIX, those
one-button-mouse people, or Linux, it's not a matter of 'if', but
'when'!). Note that this completely ignores the cracker you have annoyed
somehow, who can get your static IP hit with a 'distributed denial of
service' (DDoS) attack for a few cents per hour - in this case you need
a *good* relationship with your ISP. I do not know the answer re how
good the card write protect is - should be a BIOS function, but I'd bet
it isn't!

6: With updates, and not starting any services on the Linux machine,
the risks are very small, but still non-zero (again, your browser doing
what you tell it to is the biggest target)... I have done the series
firewall-router thing for a client for use at home; easy to do, even
with DHCP - if your routers have the right interfaces and have the right
config options. The "2 routers on the same switch" is less secure and
likely much harder to do with consumer-grade gear.

7: Definitely........... NOT! The malware and botware people are getting
smarter, and more clever every day. They know how to disable and bypass
software firewalls. Your AV/AS software is only as good as the current
signature set. Your firewall is only as good as the latest 'reputation
databases' supplied (our own locally managed in-house product has
thousands of IPs and domains added every week, never mind the 'big
boys').

Yeah, I know... doom and gloom and all that. Most people will never be
caught up in this mess. Many will be. Keep your OS (whatever it is),
your browser, and your AV/AS/firewall signatures up to date and you make
a big start towards minimising the risks. Make sensible decisions about
websites you visit, and how you respond to the dialog boxes you see.
Hover over the links in the e-mails and make sure the URL is what it
says it is. Don't respond to the e-mail out of the blue that says 'I
love you and want to meet you' or 'I have a million bucks for you'. Hang
up on the person calling to say you are infected (call your ISP if they
say they are them, likely they will e-mail you if it's legitimate - and
the above still applies). Be a little bit paranoid - they ARE out to get
$ from you somehow!

davidt


On Fri, Jan 17, 2014 at 10:18:43AM -0500, Chuck Norcutt wrote:
> Moose's last post about building a new fire-breathing computer and 
> equipping it with the Zone Alarm firewall causes me to ask a question 
> that has been on my mind the last couple of weeks.
> 
> Independent of OS and real/perceived vulnerabilities do we really need 
> software firewalls if our machines are talking to the internet through a 
> router?  One of the functions of a router is to hide our real IP 
> addresses from the outside world.
> 
> (1) Assuming we haven't deliberately established ports for peer-to-peer 
> connections (?) are we not safe from outside probing given that we're 
> hidden behind the router?
> (2) If not, what function does the software firewall provide that the 
> router doesn't?
> (3) Is the distinction even important now that most security breaches 
> are passing through our browsers?  (maybe Apple guys should pay attention?).
> 
> Now some other security related questions having to do with Linux 
> because, after following "Krebs on Security" recently 
> <http://krebsonsecurity.com/> , I've become paranoid about doing banking 
> and financial transactions on Windows.  According to Krebs and others 
> the most secure way to operate is by using a Linux distribution on Live 
> CD.  Since the CD is not writeable the OS cannot be modified.  My wife's 
> old Dell laptop is still running XP and needs to be replaced with 
> something more modern.  My thought was to repurpose the old laptop as a 
> dedicated Linux machine whose only purpose is financial transactions and 
> the only websites it ever visits are those of the financial institutions.
> 
> But I have a few questions about such a configuration.
> (4) Since a Live CD is not writeable how is configuration data saved 
> (such as URL favorites for the browser and other stuff)?  Does that not 
> require at least some other small storage device?  How is it selected?
> (5) That question doesn't arise if Linux is installed on a USB memory 
> stick or flash card on USB adapter.  That should also improve boot time 
> but seems to undo the security of the unwriteable Live CD.  I had 
> thought that maybe an SD card could be used with its write protect 
> switch set to prevent writing but my understanding of that is that it's 
> not really a hardware prevention but a software convention providing no 
> real security.  Anyone know for sure?
> (6) If the Linux machine is residing on a (mostly) Windows LAN is the 
> Linux machine still vulnerable through the LAN?  If so, is it possible 
> to isolate the Linux machine by installing it behind a second router? 
> If so, how are two routers installed behind a single cable modem?  Can 
> one simply install a switch and plug both routers into the switch?
> (7) Am I overly paranoid?
> 
> Thanks for any answers,
> Chuck Norcutt


-- 
_________________________________________________________________
Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
Archives: http://lists.thomasclausen.net/mailman/private/olympus/
Themed Olympus Photo Exhibition: http://www.tope.nl/
