Olympus-OM
Subject: Re: [OM] [OT] Firewalls and other (mostly Linux related) network security questions
From: Chuck Norcutt <chucknorcutt@xxxxxxxxxxxxxxxx>
Date: Fri, 17 Jan 2014 22:20:31 -0500
Thanks, Sandy.  I'll cogitate on this one too.

Chuck Norcutt


On 1/17/2014 5:48 PM, Sandy Harris wrote:
> On Fri, Jan 17, 2014 at 10:18 AM, Chuck Norcutt
> <chucknorcutt@xxxxxxxxxxxxxxxx> wrote:
>
>> Moose's last post about building a new fire-breathing computer and
>> equipping it with the Zone Alarm firewall causes me to ask a question
>> that has been on my mind the last couple of weeks.
>>
>> Independent of OS and real/perceived vulnerabilities do we really need
>> software firewalls if our machines are talking to the internet through a
>> router?  One of the functions of a router is to hide our real IP
>> addresses from the outside world.
>>
>> (1) Assuming we haven't deliberately established ports for peer-to-peer
>> connections (?) are we not safe from outside probing given that we're
>> hidden behind the router?
>
> Yes, but with exceptions.
>
> First, there might be an attack on the router. Among the things Snowden
> revealed were a number of those from NSA's TAO (Tailored Access)
> group. The ones I've read about were for high-end routers used in
> corporate & gov't networks, but there may be some for lesser routers
> as well.
>
>> (2) If not, what function does the software firewall provide that the
>> router doesn't?
>
> It is basically the other way round; a router or other hardware
> firewall can do things that software cannot. Still, defense-in-depth
> or belt-and-suspenders are good ideas; using both is OK.
>
>> (3) Is the distinction even important now that most security breaches
>> are passing through our browsers?  (maybe Apple guys should pay attention?).
>
> Yes.
>
>> Now some other security related questions having to do with Linux
>> because, after following "Krebs on Security" recently
>> <http://krebsonsecurity.com/> , I've become paranoid about doing banking
>> and financial transactions on Windows.  According to Krebs and others
>> the most secure way to operate is by using a Linux distribution on Live
>> CD.  Since the CD is not writeable the OS cannot be modified.
>
> The downside of that is that neither OS nor browser can get updates,
> including security upgrades.
>
>> My wife's
>> old Dell laptop is still running XP and needs to be replaced with
>> something more modern.  My thought was to repurpose the old laptop as a
>> dedicated Linux machine whose only purpose is financial transactions and
>> the only websites it ever visits are those of the financial institutions.
>
> I'm a Linux user and trust it more than I would Windows. Here's an old
> post of mine on a foreigners-in-China forum on the differences:
> http://raoulschinasaloon.com/index.php?topic=2460.0
>
> The key here, I think, is having a dedicated financial machine.
>
> However, given that, I'm not entirely certain a Linux system is going to
> be noticeably more secure than a carefully managed Windows system,
> starting by wiping it, re-installing Windows fresh and doing all of
> Microsoft's updates.
>
>> But I have a few questions about such a configuration.
>> (4) Since a Live CD is not writeable how is configuration data saved
>> (such as URL favorites for the browser and other stuff)?  Does that not
>> require at least some other small storage device?  How is it selected?
>> (5) That question doesn't arise if Linux is installed on a USB memory
>> stick or flash card on USB adapter.  That should also improve boot time
>> but seems to undo the security of the unwriteable Live CD.
>
> Yes. It would be possible to build a file with the required bookmarks
> and include it on the CD, but I doubt that would work well over the
> long term.
>
>>   I had
>> thought that maybe an SD card could be used with its write protect
>> switch set to prevent writing but my understanding of that is that it's
>> not really a hardware prevention but a software convention providing no
>> real security.  Anyone know for sure?
>
> My understanding is that is hardware, but I could be wrong.
>
>> (6) If the Linux machine is residing on a (mostly) Windows LAN is the
>> Linux machine still vulnerable through the LAN?
>
> Some attacks, like getting other machines to monitor what the
> Linux box does or sabotage it with bogus network traffic, are
> possible, at least in theory. They don't even need Windows;
> a Postscript printer is capable of running them. That said, they
> do not look likely unless your opponents are both professional
> and determined.
>
> If it is a wireless LAN there are other problems. Avoid that if possible.
>
>>   If so, is it possible
>> to isolate the Linux machine by installing it behind a second router?
>
> Yes, or just on a different router port.
>
>> If so, how are two routers installed behind a single cable modem?  Can
>> one simply install a switch and plug both routers into the switch?
>
> The more usual setup would be one router with a switch either
> built into it or placed behind it. Most switches manage the traffic
> so one client cannot see things sent to another client. Check
> the switch manual and try a web search to see if there are
> attacks on the switch, but in most cases a switch should give
> adequate isolation.
>
>> (7) Am I overly paranoid?
>
> No.
>
-- 
_________________________________________________________________
Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
Archives: http://lists.thomasclausen.net/mailman/private/olympus/
Themed Olympus Photo Exhibition: http://www.tope.nl/
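Added example, not part of the thread above and not Sandy's or Chuck's code. Sandy's answer to question (6) mentions that other machines on the LAN could monitor the Linux box or sabotage it with bogus traffic. On a switched LAN that kind of redirection usually shows up as inconsistent ARP replies, so one cheap check for the dedicated financial machine is to watch the ARP replies it sees and flag an IP whose MAC changes, or a MAC that starts answering for several IPs. The script below works over a constructed log in the shape of `tcpdump -n arp` reply lines; the addresses, the log itself and the assumption that 192.168.1.1 is the gateway are all made up for the example.

```python
"""Passive ARP-consistency check over a log of observed ARP replies.

Constructed sample data only.  The line format mimics what a passive
listener such as `tcpdump -n arp` prints for replies:
    <time> reply <ip> is-at <mac>
"""
from collections import defaultdict

# Assumption for the example: this is the LAN's default gateway.
GATEWAY_IP = "192.168.1.1"

# Constructed sample: at 10:05 the host with MAC ...:30 starts answering
# ARP for both the gateway and 192.168.1.20, which is what a host
# trying to sit in the middle of their traffic would look like.
SAMPLE_ARP_LOG = """\
10:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:03 reply 192.168.1.30 is-at 00:11:22:33:44:30
10:05:10 reply 192.168.1.1 is-at 00:11:22:33:44:30
10:05:11 reply 192.168.1.20 is-at 00:11:22:33:44:30
"""


def parse_arp_log(text):
    """Return (time, ip, mac) tuples for every ARP reply line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "reply" or parts[3] != "is-at":
            continue
        records.append((parts[0], parts[2], parts[4].lower()))
    return records


def find_arp_anomalies(records, gateway_ip=GATEWAY_IP):
    """Replay the replies in order and report two kinds of inconsistency.

    ip-mac-change : an IP that was answered by one MAC is now answered by another
                    (high severity when the IP is the gateway).
    mac-multi-ip  : a MAC that already answers for one IP begins answering for another.
    """
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # all IPs each MAC has claimed
    alerts = []
    for ts, ip, mac in records:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({
                "time": ts,
                "kind": "ip-mac-change",
                "severity": "high" if ip == gateway_ip else "medium",
                "detail": f"{ip} moved from {prev} to {mac}",
            })
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            alerts.append({
                "time": ts,
                "kind": "mac-multi-ip",
                "severity": "medium",
                "detail": f"{mac} now answers for {ip} as well as "
                          f"{', '.join(sorted(mac_to_ips[mac]))}",
            })
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    return alerts


def gateway_macs(records, gateway_ip=GATEWAY_IP):
    """Set of every MAC that has claimed the gateway IP; more than one deserves a look."""
    return {mac for _, ip, mac in records if ip == gateway_ip}


if __name__ == "__main__":
    recs = parse_arp_log(SAMPLE_ARP_LOG)
    for alert in find_arp_anomalies(recs):
        print(f"{alert['time']} [{alert['severity']}] {alert['kind']}: {alert['detail']}")
    print("MACs that claimed the gateway:", sorted(gateway_macs(recs)))
```

Both conditions have benign explanations (a replaced router, a machine running VMs or IP aliases), so treat the output as something to look into rather than proof of an attack; the point is that a gateway whose MAC changes during a banking session is exactly the event you want the dedicated machine to notice.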
