Subject: Re: [OM] [OT] Firewalls and other (mostly Linux related) network security questions
From: Chuck Norcutt <chucknorcutt@xxxxxxxxxxxxxxxx>
Date: Fri, 17 Jan 2014 22:24:20 -0500
Thanks, Scott.  I'll cogitate on this one for a while too (actually 
probably a double or triple while), since I don't understand half of it.

Chuck Norcutt

On 1/17/2014 7:59 PM, Scott Gomez wrote:
> This has been an interesting thread. A couple of observations I might add,
> without reference to the specific questions:
>
> My experience, so far, with open sourced (i.e. Linux) and closed source
> products (Windows and Mac) has been that known security vulnerabilities are
> often fixed within hours of being found, as opposed to weeks (Microsoft) or
> months (Apple). Certainly not always true, but definitely more often true,
> in my experience.
>
> You can't save modifications to a Live CD version after creation of the CD.
>
> One of my reasons for choosing Fedora over Ubuntu as my personal flavor of
> Linux OS is the presence of SELinux. Left on (which many people do not, as
> they believe it interferes with "ease of installation" of software later)
> it provides an added layer of security against unauthorized changes. So
> far, since much earlier versions than current, I've not had any issues in
> installing anything I need from Fedora's repositories when using Fedora
> with SELinux fully enabled.
>
> There is a tendency among more novice users of Linux who have come from the
> Windows world to turn off many built-in protections in order to make Linux
> work "more like Windows". This is a seriously bad idea. Better to invest
> some time reading to learn *why* Linux is telling you you can't/shouldn't
> do something, then do it correctly.
>
> There have been a few articles lately about many, many versions from many
> manufacturers of "home routers" being quite easily compromised, as the out
> of the box configuration is insecure. Learn the router.
>
> Inexpensive switches may provide decent port-to-port isolation, but they're
> still all on the same LAN. An inexpensive mid-grade switch or a refurbed or
> used high-end switch provides much better control, and can allow you to
> create your internal network with VLANs to keep routine traffic and
> financial traffic separated. Additionally, many newer switches support
> creation of ACLs (Access Control Lists) that prevent unwanted traffic
> between systems even on the same VLAN.
>
> $0 for a pfSense download plus an old otherwise useless PC with two
> ethernet ports will provide you the ability to handle much better
> firewalling than you can get from a "home router". After installing and
> verifying operation on the default configuration, start by closing nearly
> all ports outbound, and only open what you need. It's very easy to not only
> open the ports you need, but also to restrict different types of traffic to
> only being able to contact specific IPs on the outside. The same is true
> for inbound traffic.
>
> But mostly, I happen to think that simply switching from Windows to
> Linux--and not screwing with the Linux install--will more than handle most
> issues regarding financial transactions online for most folks. Password
> compromise on the site due to lousy passwords or reused passwords is a far
> more likely occurrence. Password length, for example, provides far better
> password security than complexity of short passwords.
>
> ---
> Scott
>
>
> On Fri, Jan 17, 2014 at 2:48 PM, Sandy Harris <sandyinchina@xxxxxxxxx> wrote:
>
>> On Fri, Jan 17, 2014 at 10:18 AM, Chuck Norcutt
>> <chucknorcutt@xxxxxxxxxxxxxxxx> wrote:
>>
>>> Moose's last post about building a new fire-breathing computer and
>>> equipping it with the Zone Alarm firewall causes me to ask a question
>>> that has been on my mind the last couple of weeks.
>>>
>>> Independent of OS and real/perceived vulnerabilities do we really need
>>> software firewalls if our machines are talking to the internet through a
>>> router?  One of the functions of a router is to hide our real IP
>>> addresses from the outside world.
>>>
>>> (1) Assuming we haven't deliberately established ports for peer-to-peer
>>> connections (?) are we not safe from outside probing given that we're
>>> hidden behind the router?
>>
>> Yes, but with exceptions.
>>
>> First, there might be an attack on the router. Among the things Snowden
>> revealed were a number of those from NSA's TAO (Tailored Access)
>> group. The ones I've read about were for high-end routers used in
>> corporate & gov't networks, but there may be some for lesser routers
>> as well.
>>
>>> (2) If not, what function does the software firewall provide that the
>>> router doesn't?
>>
>> It is basically the other way round; a router or other hardware
>> firewall can do things that software cannot. Still, defense-in-depth
>> or belt-and-suspenders are good ideas; using both is OK.
>>
>>> (3) Is the distinction even important now that most security breaches
>>> are passing through our browsers?  (maybe Apple guys should pay
>>> attention?).
>>
>> Yes.
>>
>>> Now some other security related questions having to do with Linux
>>> because, after following "Krebs on Security" recently
>>> <http://krebsonsecurity.com/> , I've become paranoid about doing banking
>>> and financial transactions on Windows.  According to Krebs and others
>>> the most secure way to operate is by using a Linux distribution on Live
>>> CD.  Since the CD is not writeable the OS cannot be modified.
>>
>> The downside of that is that neither OS nor browser can get updates,
>> including security upgrades.
>>
>>> My wife's
>>> old Dell laptop is still running XP and needs to be replaced with
>>> something more modern.  My thought was to repurpose the old laptop as a
>>> dedicated Linux machine whose only purpose is financial transactions and
>>> the only websites it ever visits are those of the financial institutions.
>>
>> I'm a Linux user and trust it more than I would Windows. Here's an old
>> post of mine on a foreigners-in-China forum on the differences:
>> http://raoulschinasaloon.com/index.php?topic=2460.0
>>
>> The key here, I think, is having a dedicated financial machine.
>>
>> However, given that, I'm not entirely certain a Linux system is going to
>> be noticeably more secure than a carefully managed Windows system,
>> starting by wiping it, re-installing Windows fresh and doing all of
>> Microsoft's updates.
>>
>>> But I have a few questions about such a configuration.
>>> (4) Since a Live CD is not writeable how is configuration data saved
>>> (such as URL favorites for the browser and other stuff)?  Does that not
>>> require at least some other small storage device?  How is it selected?
>>> (5) That question doesn't arise if Linux is installed on a USB memory
>>> stick or flash card on USB adapter.  That should also improve boot time
>>> but seems to undo the security of the unwriteable Live CD.
>>
>> Yes. It would be possible to build a file with the required bookmarks
>> and include it on the CD, but I doubt that would work well over the
>> long term.
>>
>>> I had
>>> thought that maybe an SD card could be used with its write protect
>>> switch set to prevent writing but my understanding of that is that it's
>>> not really a hardware prevention but a software convention providing no
>>> real security.  Anyone know for sure?
>>
>> My understanding is that it is hardware, but I could be wrong.
>>
>>> (6) If the Linux machine is residing on a (mostly) Windows LAN is the
>>> Linux machine still vulnerable through the LAN?
>>
>> Some attacks, like getting other machines to monitor what the
>> Linux box does or sabotage it with bogus network traffic, are
>> possible, at least in theory. They don't even need Windows;
>> a Postscript printer is capable of running them. That said, they
>> do not look likely unless your opponents are both professional
>> and determined.
>>
>> If it is a wireless LAN there are other problems. Avoid that if possible.
>>
>>> If so, is it possible
>>> to isolate the Linux machine by installing it behind a second router?
>>
>> Yes, or just on a different router port.
>>
>>> If so, how are two routers installed behind a single cable modem?  Can
>>> one simply install a switch and plug both routers into the switch?
>>
>> The more usual setup would be one router with a switch either
>> built into it or placed behind it. Most switches manage the traffic
>> so one client cannot see things sent to another client. Check
>> the switch manual and try a web search to see if there are
>> attacks on the switch, but in most cases a switch should give
>> adequate isolation.
>>
>>> (7) Am I overly paranoid?
>>
>> No.
>> --
>> _________________________________________________________________
>> Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
>> Archives: http://lists.thomasclausen.net/mailman/private/olympus/
>> Themed Olympus Photo Exhibition: http://www.tope.nl/
>>
>>
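Scott's pfSense policy (default-deny outbound, open only what is needed, and pin selected traffic to specific outside addresses) written out as a pf ruleset. This is an added example, not from the thread or from pfSense's own generated configuration; the interface names, the addresses and the bank allow-list file are assumptions.

```pf
# Constructed example of the policy described in the thread: block everything,
# then allow only the traffic the LAN actually needs. Interface names,
# addresses and the allow-list file are assumptions, not values from the thread.
ext_if    = "em0"                      # WAN port facing the cable modem
lan_if    = "em1"                      # LAN port facing the switch
fin_host  = "192.168.10.20"            # dedicated banking machine (assumed address)
resolvers = "{ 9.9.9.9, 149.112.112.112 }"   # the only DNS servers permitted

# Outside addresses of the financial institutions, one per line in the file.
table <bank_sites> persist file "/etc/pf.bank_sites"

set skip on lo0
set block-policy drop
set state-policy floating   # a state made on $lan_if also matches on $ext_if

# Hide the LAN behind the single public address
nat on $ext_if inet from $lan_if:network to any -> ($ext_if)

# Default deny in both directions; logging shows what is being dropped
block log all

# The firewall itself may resolve names and sync time
pass out quick on $ext_if inet proto udp from ($ext_if) to $resolvers port 53
pass out quick on $ext_if inet proto udp from ($ext_if) to any port 123

# LAN hosts may only use the chosen resolvers, not arbitrary DNS servers
pass in quick on $lan_if inet proto { tcp udp } from $lan_if:network \
    to $resolvers port 53

# The banking machine reaches HTTPS on allow-listed addresses and nothing else
pass in quick on $lan_if inet proto tcp from $fin_host to <bank_sites> \
    port 443 flags S/SA modulate state
# Anything else from the banking machine stops here; "quick" means no later
# rule (including the general LAN rule below) is consulted for it
block in log quick on $lan_if from $fin_host

# Everyone else on the LAN gets web and IMAPS; no other outbound ports
pass in quick on $lan_if inet proto tcp from $lan_if:network \
    to any port { 80 443 993 }

# Inbound from the internet is never passed: there are no port forwards, so
# unsolicited probes hit "block log all" above.
```

Adding an address to /etc/pf.bank_sites and reloading the table (pfctl -t bank_sites -T replace -f /etc/pf.bank_sites) is the only change needed when a bank moves or adds a site.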
