Olympus-OM
Subject: Re: [OM] [OT] Firewalls and other (mostly Linux related) network security questions
From: Chuck Norcutt <chucknorcutt@xxxxxxxxxxxxxxxx>
Date: Fri, 17 Jan 2014 13:34:39 -0500
Thanks, David.  Lots of great info there and it will take me a good bit 
of time to completely absorb it.  But you combined the answers to 4 & 5. 
  In trying to parse the answers I think the answer to 5 was that you 
weren't sure but suspected (as I stated) that the "write protect" was a 
software convention and not hardware prevention, therefore no real 
security.  But I did not see a direct answer to my question 4 about 
saving configuration data on what is nominally a read only environment. 
Or did you really answer not to worry much about the normal writeable 
environment (i.e., go ahead and use a normal disk) as long as I keep the 
Linux system current and act prudently?

On #6 you said: "I have done the series firewall-router thing for a 
client for use at home,  easy to do, even with DHCP - if your routers 
have the right interfaces and have the right config options." By "series 
firewall-router" do you mean a second router connected downstream to the 
first router?  I had thought of that first but worried it might screw up 
the addressing in some (unknown) way.  How would I know what routers 
have the right interfaces or options?  Or does it mean: if I have to ask 
that question I shouldn't mess with it. :-)

Finally, a new question #8.  What do you think of a Chromebook as a 
secure environment for financial transactions?  Supposedly the Chrome OS 
verifies at boot time that its configuration has not been altered. 
Does it do enough for me to put up with having Google even further 
embedded in my life?  :-)

Chuck Norcutt


On 1/17/2014 12:07 PM, David Thatcher wrote:
> Chuck, et al,
>
> (note to other listees: again, a sour old networking guy here with lots
> of boring tech bits: skip to my last paragraph to get to the general
> 'good advice'(TM) - likely no better than you'll get from your average
> morning show!).
>
> 1: in a DHCP and RFC1918 (private address) environment, with a dynamic
> 'real' address from the ISP (with no 'virtual servers' configured),
> inbound attacks are a very low risk. Bear in mind 3G and some types of
> cable modem connections may get a 'real address' and bypass this
> 'safety'.
>
> 2: We need to define a 'firewall'... in the old days port filters and
> access controls were fine and the function of the firewall. Nowadays,
> however, there is so much malicious crap out there, that our router or
> firewall needs to perform a number of functions:
>   a: protecting itself from compromise from outside attacks (one of the
>      most common vulnerabilities that you never seem to hear about);
>   b: scanning data streams for virus/worm/trojan signatures (see 3);
>   c: looking for -and blocking-  accesses from inside to malware sites;
>   d: looking for -and blocking-  accesses from inside to botnets (almost
>      impossible because of the rate that they are added to the 'net)
> Likely a home router has little smarts and a device touted as a home
> firewall is very basic also, has none of these things and relies on
> security by obscurity!
>
> 3: I think it is. A good firewall will be looking for malicious things
>     in the data stream. Keyloggers are good, but I'd say phishing is
> better!
>
> 4 & 5: hmmm...  keep the systems patched, but there is ALWAYS a risk.
> The OS manufacturers are always on the back foot - making changes
> reactively to discovered threats & the AV/AS people - while much faster
> - can take days to catch up also. Your recent Java warnings are exactly
> the type of thing  I'm talking about. The analogy I like to use when
> talking to my clients is "a big dial with SECURITY at one end of the
> scale and ACCESS on the other". You want security?  Then unplug it from
> the network.  You want access?  You'll have to plug it in, but you can
> mitigate the worst issues with some hassle (false positives, access
> problems etc.). The less hassle you want, the more risks you are going
> to face (and for us people with "lesser known" OSes like UNIX, those
> one-button-mouse people, or Linux, it's not a matter of 'if', but
> 'when'!). Note that this completely ignores the cracker you have annoyed
> somehow, who can get your static IP hit with a 'distributed denial of
> service' (DDOS) attack for a few cents per hour - in this case you need
> a *good* relationship with your ISP). I do not know the answer re how
> good the card write protect is - should be a BIOS function, but I'd bet
> it isn't!
>
> 6: with updates, and not starting any services on the Linux machine,
> the risks are very small, but still non-zero (again, your browser doing
> what you tell it to, is the biggest target)... I have done the series
> firewall-router thing for a client for use at home,  easy to do, even
> with DHCP - if your routers have the right interfaces and have the right
> config options. The "2 routers on the same switch" is less secure and
> likely much harder to do with consumer-grade gear.
>
> 7: Definitely........... NOT! the malware and botware people are getting
> smarter, and more clever every day. They know how to disable and bypass
> software firewalls. Your AV/AS software is only as good as the current
> signature set. Your firewall is only as good as the latest 'reputation
> databases' supplied (our own locally managed in-house product has
> thousands of IPs and domains added every week, never mind the 'big
> boys').
>
> Yeah, I know...  doom and gloom and all that. Most people will never be
> caught up in this mess. Many will be.  Keep your OS (whatever it is),
> your browser, and your AV/AS/firewall signatures up to date and you make
> a big start towards minimising the risks. Make sensible decisions about
> websites you visit, and how you respond to the dialog boxes you see.
> Hover over the links in the e-mails and make sure the URL is what it
> says it is. Don't respond to the e-mail out of the blue that says 'I
> love you and want to meet you' or 'I have a million bucks for you'. Hang
> up on the person calling to say you are infected (call your ISP if they
> say they are them, likely they will e-mail you if it's legitimate - and
> the above still applies). Be a little bit paranoid - they ARE out to get
> $ from you somehow!
>
> davidt
>
>
> On Fri, Jan 17, 2014 at 10:18:43AM -0500, Chuck Norcutt wrote:
>> Moose's last post about building a new fire-breathing computer and
>> equipping it with the Zone Alarm firewall causes me to ask a question
>> that has been on my mind the last couple of weeks.
>>
>> Independent of OS and real/perceived vulnerabilities do we really need
>> software firewalls if our machines are talking to the internet through a
>> router?  One of the functions of a router is to hide our real IP
>> addresses from the outside world.
>>
>> (1) Assuming we haven't deliberately established ports for peer-to-peer
>> connections (?) are we not safe from outside probing given that we're
>> hidden behind the router?
>> (2) If not, what function does the software firewall provide that the
>> router doesn't?
>> (3) Is the distinction even important now that most security breaches
>> are passing through our browsers?  (maybe Apple guys should pay attention?).
>>
>> Now some other security related questions having to do with Linux
>> because, after following "Krebs on Security" recently
>> <http://krebsonsecurity.com/> , I've become paranoid about doing banking
>> and financial transactions on Windows.  According to Krebs and others
>> the most secure way to operate is by using a Linux distribution on Live
>> CD.  Since the CD is not writeable the OS cannot be modified.  My wife's
>> old Dell laptop is still running XP and needs to be replaced with
>> something more modern.  My thought was to repurpose the old laptop as a
>> dedicated Linux machine whose only purpose is financial transactions and
>> the only websites it ever visits are those of the financial institutions.
>>
>> But I have a few questions about such a configuration.
>> (4) Since a Live CD is not writeable how is configuration data saved
>> (such as URL favorites for the browser and other stuff)?  Does that not
>> require at least some other small storage device?  How is it selected?
>> (5) That question doesn't arise if Linux is installed on a USB memory
>> stick or flash card on USB adapter.  That should also improve boot time
>> but seems to undo the security of the unwriteable Live CD.  I had
>> thought that maybe an SD card could be used with its write protect
>> switch set to prevent writing but my understanding of that is that it's
>> not really a hardware prevention but a software convention providing no
>> real security.  Anyone know for sure?
>> (6) If the Linux machine is residing on a (mostly) Windows LAN is the
>> Linux machine still vulnerable through the LAN?  If so, is it possible
>> to isolate the Linux machine by installing it behind a second router?
>> If so, how are two routers installed behind a single cable modem?  Can
>> one simply install a switch and plug both routers into the switch?
>> (7) Am I overly paranoid?
>>
>> Thanks for any answers,
>> Chuck Norcutt
>> --
>> _________________________________________________________________
>> Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
>> Archives: http://lists.thomasclausen.net/mailman/private/olympus/
>> Themed Olympus Photo Exhibition: http://www.tope.nl/
>>
>>
>
>
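Chuck's question (1), about being "hidden behind the router", and David's point 1 about RFC1918 addresses and 'virtual servers' both come down to how a NAT router keeps state: an inbound packet is only let through if it matches a connection a LAN host opened, or a port forward the owner configured. The Python model below is an added example for this page, not code from anyone on the list. It assumes an address-restricted NAT (real consumer routers differ in the details), uses the documentation ranges 192.168.1.0/24, 203.0.113.0/24 and 198.51.100.0/24 as constructed sample addresses, and the port numbers are arbitrary.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# RFC 1918 private space: a host here can only be reached through whatever NAT sits in front of it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip is in RFC 1918 space (is_private() is deliberately not used: it also
    counts the documentation ranges used in this example as private)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    """Toy model of a consumer NAT router (constructed for illustration).

    Outbound connections create a translation entry keyed by the WAN port that was
    handed out; inbound traffic is delivered only if it matches such an entry or a
    configured port forward ('virtual server'). Everything else is dropped.
    """
    wan_ip: str                                   # the ISP-assigned 'real' address
    lan_net: str = "192.168.1.0/24"               # RFC 1918 space behind the router
    port_forwards: dict = field(default_factory=dict)   # wan port -> (lan host, lan port)
    _table: dict = field(default_factory=dict)          # wan port -> (lan host, lan port, remote host)
    _next_port: int = 40000                       # arbitrary start of the NAT port pool

    def _is_lan(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.lan_net)

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host opens a connection: record it and rewrite the source to the WAN address."""
        if not self._is_lan(pkt.src):
            raise ValueError("outbound traffic must originate on the LAN")
        wan_port = self._next_port
        self._next_port += 1
        self._table[wan_port] = (pkt.src, pkt.sport, pkt.dst)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """A packet arrives on the WAN side. Return the LAN-side packet, or None if dropped."""
        if pkt.dst != self.wan_ip:
            return None
        entry = self._table.get(pkt.dport)
        if entry is not None:
            lan_host, lan_port, remote = entry
            if pkt.src == remote:                 # a reply to something a LAN host sent out
                return Packet(pkt.src, pkt.sport, lan_host, lan_port)
            return None                           # right port, wrong peer: dropped (address-restricted)
        if pkt.dport in self.port_forwards:       # a 'virtual server': deliberately exposed
            lan_host, lan_port = self.port_forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, lan_host, lan_port)
        return None                               # unsolicited probe: nothing to match, dropped


def demo() -> dict:
    """Walk through the cases the thread discusses and return the outcomes."""
    router = NatRouter("203.0.113.7")
    probe = Packet("198.51.100.9", 44444, "203.0.113.7", 22)
    # The browser on the LAN box fetches something; the reply is allowed back in.
    out = router.outbound(Packet("192.168.1.10", 51000, "198.51.100.20", 443))
    reply = Packet("198.51.100.20", 443, "203.0.113.7", out.sport)
    exposed = NatRouter("203.0.113.7", port_forwards={8080: ("192.168.1.20", 80)})
    return {
        "unsolicited_probe": router.inbound(probe),            # None: nothing to match
        "reply_to_browser": router.inbound(reply),             # delivered to 192.168.1.10:51000
        "spoofed_reply": router.inbound(Packet("198.51.100.9", 443, "203.0.113.7", out.sport)),
        "port_forward_probe": exposed.inbound(Packet("198.51.100.9", 44444, "203.0.113.7", 8080)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The model makes David's two caveats concrete: the browser's own outbound request is always allowed and so is whatever comes back for it, which is why the browser rather than the router is the target; and a machine whose own address is not RFC 1918 (his 3G and cable-modem case, `is_rfc1918()` returning False) has no translation table in front of it at all.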
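David's closing advice, to hover over the links in an e-mail and make sure the URL is what it says it is, can be partly automated: parse the anchors out of the message body and compare the host the browser would actually connect to with the host the visible text claims. The checker below is an added example, not code from the thread or from anyone on the list. The HTML message is constructed for the example, and the host names mybank.example and evil.example are placeholders.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible anchor text that itself looks like a URL or host name (e.g. "www.mybank.example").
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """The host a browser will really connect to for this URL (bare host names accepted)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def check_links(html: str) -> list:
    """Return [(href, [reasons])] for every link that does not look like what it claims."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        reasons = []
        if "@" in urlsplit(href).netloc:
            # http://www.mybank.example@evil.example/ connects to evil.example
            reasons.append("user info before the real host")
        try:
            ipaddress.ip_address(real)
            reasons.append("bare IP address as host")
        except ValueError:
            pass
        shown = host_of(text) if URL_LIKE.match(text) else None
        if shown and shown != real:
            reasons.append(f"text shows {shown} but link goes to {real}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message: three disguised links and one honest one.
SAMPLE_MAIL = """
<p>Dear customer, please confirm your details at
<a href="http://198.51.100.9/login">www.mybank.example</a>.</p>
<p><a href="http://www.mybank.example.evil.example/x">https://www.mybank.example/</a></p>
<p><a href="http://www.mybank.example@evil.example/">www.mybank.example</a></p>
<p><a href="https://www.mybank.example/">Click here</a> to opt out.</p>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_MAIL):
        print(href)
        for reason in reasons:
            print("   ", reason)
```

The last link is not flagged even though the text says nothing about the destination: the check only catches text that claims a host it does not deliver, which is exactly the "make sure the URL is what it says it is" test, not a reputation check of the destination (that is the firewall's 'reputation database' job David mentions).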
