Olympus-OM

Subject: Re: [OM] [OT] Firewalls and other (mostly Linux related) network security questions
From: Sandy Harris <sandyinchina@xxxxxxxxx>
Date: Fri, 17 Jan 2014 17:48:57 -0500
On Fri, Jan 17, 2014 at 10:18 AM, Chuck Norcutt
<chucknorcutt@xxxxxxxxxxxxxxxx> wrote:

> Moose's last post about building a new fire-breathing computer and
> equipping it with the Zone Alarm firewall causes me to ask a question
> that has been on my mind the last couple of weeks.
>
> Independent of OS and real/perceived vulnerabilities do we really need
> software firewalls if our machines are talking to the internet through a
> router?  One of the functions of a router is to hide our real IP
> addresses from the outside world.
>
> (1) Assuming we haven't deliberately established ports for peer-to-peer
> connections (?) are we not safe from outside probing given that we're
> hidden behind the router?

Yes, but with exceptions.

First, there might be an attack on the router. Among the things Snowden
revealed were a number of those from NSA's TAO (Tailored Access)
group. The ones I've read about were for high-end routers used in
corporate & gov't networks, but there may be some for lesser routers
as well.

> (2) If not, what function does the software firewall provide that the
> router doesn't?

It is basically the other way round; a router or other hardware
firewall can do things that software cannot. Still, defense-in-depth
or belt-and-suspenders are good ideas; using both is OK.

> (3) Is the distinction even important now that most security breaches
> are passing through our browsers?  (maybe Apple guys should pay attention?).

Yes.

> Now some other security related questions having to do with Linux
> because, after following "Krebs on Security" recently
> <http://krebsonsecurity.com/> , I've become paranoid about doing banking
> and financial transactions on Windows.  According to Krebs and others
> the most secure way to operate is by using a Linux distribution on Live
> CD.  Since the CD is not writeable the OS cannot be modified.

The downside of that is that neither OS nor browser can get updates,
including security upgrades.

> My wife's
> old Dell laptop is still running XP and needs to be replaced with
> something more modern.  My thought was to repurpose the old laptop as a
> dedicated Linux machine whose only purpose is financial transactions and
> the only websites it ever visits are those of the financial institutions.

I'm a Linux user and trust it more than I would Windows. Here's an old
post of mine on a foreigners-in-China forum on the differences:
http://raoulschinasaloon.com/index.php?topic=2460.0

The key here, I think, is having a dedicated financial machine.

However, given that, I'm not entirely certain a Linux system is going to
be noticeably more secure than a carefully managed Windows system,
starting by wiping it, re-installing Windows fresh and doing all of
Microsoft's updates.

> But I have a few questions about such a configuration.
> (4) Since a Live CD is not writeable how is configuration data saved
> (such as URL favorites for the browser and other stuff)?  Does that not
> require at least some other small storage device?  How is it selected?
> (5) That question doesn't arise if Linux is installed on a USB memory
> stick or flash card on USB adapter.  That should also improve boot time
> but seems to undo the security of the unwriteable Live CD.

Yes. It would be possible to build a file with the required bookmarks
and include it on the CD, but I doubt that would work well over the
long term.

>  I had
> thought that maybe an SD card could be used with its write protect
> switch set to prevent writing but my understanding of that is that it's
> not really a hardware prevention but a software convention providing no
> real security.  Anyone know for sure?

My understanding is that is hardware, but I could be wrong.

> (6) If the Linux machine is residing on a (mostly) Windows LAN is the
> Linux machine still vulnerable through the LAN?

Some attacks, like getting other machines to monitor what the
Linux box does or sabotage it with bogus network traffic, are
possible, at least in theory. They don't even need Windows;
a Postscript printer is capable of running them. That said, they
do not look likely unless your opponents are both professional
and determined.

If it is a wireless LAN there are other problems. Avoid that if possible.

>  If so, is it possible
> to isolate the Linux machine by installing it behind a second router?

Yes, or just on a different router port.

> If so, how are two routers installed behind a single cable modem?  Can
> one simply install a switch and plug both routers into the switch?

The more usual setup would be one router with a switch either
built into it or placed behind it. Most switches manage the traffic
so one client cannot see things sent to another client. Check
the switch manual and try a web search to see if there are
attacks on the switch, but in most cases a switch should give
adequate isolation.

> (7) Am I overly paranoid?

No.
-- 
_________________________________________________________________
Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
Archives: http://lists.thomasclausen.net/mailman/private/olympus/
Themed Olympus Photo Exhibition: http://www.tope.nl/
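The reply above says a host firewall is worth keeping even behind a NAT router ("defense-in-depth"), and later that a Linux box on a mostly-Windows LAN can still be reached by its neighbours. The following script is an added example, not code from the thread or from any poster: it generates (and can apply) a minimal nftables ruleset for a dedicated banking laptop that drops every unsolicited inbound connection, including those from other machines on the same LAN, which the router's NAT does nothing about, and restricts outbound traffic to what a browser needs. It assumes nftables is installed (the `nft` binary), that the wired interface name is passed as the first argument (`eth0` is a made-up default), and that applying the ruleset is done as root; the DHCP allowances exist so the laptop can still get an address from the router.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a host firewall for a
# dedicated Linux "banking" machine that sits behind a NAT router on a mixed LAN.
# Assumptions: nftables is installed, $1 is the wired interface (default eth0
# is a placeholder), and "apply" is run as root.

set -eu

# Print the ruleset to stdout. Kept as a function so the text can be inspected
# (or checked by a test) without touching the live firewall.
gen_ruleset() {
    ifname="${1:-eth0}"   # wired NIC; the reply above advises against wireless
    cat <<EOF
flush ruleset
table inet banking {
    chain input {
        # default-deny: anything not explicitly allowed below is dropped,
        # including unsolicited connections from other hosts on the LAN
        type filter hook input priority 0; policy drop;

        # local processes talking to themselves (stub resolver, browser helpers)
        iif "lo" accept

        # replies to connections this host opened (the browser's HTTPS sessions)
        ct state established,related accept

        # DHCP lease replies from the router; broadcast offers are not tracked by conntrack
        iif "$ifname" udp sport 67 udp dport 68 accept

        # drop malformed/untracked packets explicitly
        ct state invalid drop
    }
    chain forward {
        # this is an endpoint, never a router: forward nothing
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        # only what a banking browser needs: DNS, HTTPS, NTP (TLS needs a sane clock)
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        oif "$ifname" udp dport 53 accept
        oif "$ifname" tcp dport 53 accept
        oif "$ifname" tcp dport 443 accept
        oif "$ifname" udp dport 123 accept
        # DHCP requests to the router
        oif "$ifname" udp sport 68 udp dport 67 accept
    }
}
EOF
}

# Count the 'accept' rules in the input chain. For this endpoint that should be
# exactly three (loopback, established/related, DHCP replies); anything more
# means a listening service has been exposed to the LAN.
count_inbound_accepts() {
    gen_ruleset "$1" | sed -n '/chain input/,/}/p' | grep -c 'accept'
}

case "${2:-show}" in
    show)  gen_ruleset "${1:-eth0}" ;;
    apply) gen_ruleset "${1:-eth0}" | nft -f - ;;   # requires root and nftables
    *)     echo "usage: $0 <interface> [show|apply]" >&2; exit 2 ;;
esac
```

Run it as `sh banking-fw.sh eth0 show` to review the generated rules, and `sudo sh banking-fw.sh eth0 apply` to load them; `nft list ruleset` afterwards confirms what is active. The default-drop input chain is the part NAT does not give you: a Windows box on the same switch that starts scanning or spraying traffic gets no answer from this host at all.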