Olympus-OM

Subject: Re: [OM] [OT] Firewalls and other (mostly Linux related) network security questions
From: Chuck Norcutt <chucknorcutt@xxxxxxxxxxxxxxxx>
Date: Sat, 18 Jan 2014 11:59:36 -0500
And just when I thought I was maybe beginning to understand... :-)

Chuck Norcutt


On 1/18/2014 10:26 AM, Piers Hemy wrote:
> Not understanding half of it is neither unusual, nor a problem. What *is* a
> problem is getting each half mixed up, such that the bit you actually don't
> understand is in fact the bit you thought you did understand.
>
> In my experience.
>
> :-)
>
> Piers
>
> -----Original Message-----
> From: Chuck Norcutt [mailto:chucknorcutt@xxxxxxxxxxxxxxxx]
> Sent: 18 January 2014 03:24
> To: Olympus Camera Discussion
> Subject: Re: [OM] [OT] Firewalls and other (mostly Linux related) network
> security questions
>
> Thanks, Scott.  I'll cogitate on this one for a while too.  (actually
> probably a double or triple while) since I don't understand half of it.
>
> Chuck Norcutt
>
> On 1/17/2014 7:59 PM, Scott Gomez wrote:
>> This  has been an interesting thread. A couple of observations I might
>> add, without reference to the specific questions:
>>
>> My experience, so far, with open sourced (i.e. Linux) and closed
>> source products (Windows and Mac) has been that known security
>> vulnerabilities are often fixed within hours of being found, as
>> opposed to weeks (Microsoft) or months (Apple). Certainly not always
>> true, but definitely more often true, in my experience.
>>
>> You can't save modifications to a Live CD version after creation of the
>> CD.
>>
>> One of my reasons for choosing Fedora over Ubuntu as my personal
>> flavor of Linux OS is the presence of SELinux. Left on (which many
>> people do not, as they believe it interferes with "ease of
>> installation" of software later) it provides an added layer of
>> security against unauthorized changes. So far, since much earlier
>> versions than current, I've not had any issues in installing anything
>> I need from Fedora's repositories when using Fedora with SELinux fully
>> enabled.
>>
>> There is a tendency among more novice users of Linux who have come
>> from the Windows world to turn off many built-in protections in order
>> to make Linux work "more like Windows". This is a seriously bad idea.
>> Better to invest some time reading to learn *why* Linux is telling you
>> you can't/shouldn't do something, then do it correctly.
>>
>> There have been a few articles lately about many, many versions from
>> many manufacturers of "home routers" being quite easily compromised,
>> as the out of the box configuration is insecure. Learn the router.
>>
>> Inexpensive switches may provide decent port-to-port isolation, but
>> they're still all on the same LAN. An inexpensive mid-grade switch or
>> a refurbed or used high-end switch provides much better control, and
>> can allow you to create your internal network with VLANs to keep
>> routine traffic and financial traffic separated. Additionally, many
>> newer switches support creation of ACLs (Access Control Lists) that
>> prevent unwanted traffic between systems even on the same VLAN.
>>
>> $0 for a pfSense download plus an old otherwise useless PC with two
>> ethernet ports will provide you the ability to handle much better
>> firewalling than you can get from a "home router". After installing
>> and verifying operation on the default configuration, start by closing
>> nearly all ports outbound, and only open what you need. It's very easy
>> to not only open the ports you need, but also to restrict different
>> types of traffic to only being able to contact specific IPs on the
>> outside. The same is true for inbound traffic.
>>
>> But mostly, I happen to think that simply switching from Windows to
>> Linux--and not screwing with the Linux install--will more than handle
>> most issues regarding financial transactions on line for most folks.
>> Password compromise on the site due to lousy passwords or reused
>> passwords is a far more likely occurrence. Password length, for
>> example, provides far better password security than complexity of short
>> passwords.
>>
>> ---
>> Scott
>>
>>
>> On Fri, Jan 17, 2014 at 2:48 PM, Sandy Harris
>> <sandyinchina@xxxxxxxxx> wrote:
>>
>>> On Fri, Jan 17, 2014 at 10:18 AM, Chuck Norcutt
>>> <chucknorcutt@xxxxxxxxxxxxxxxx> wrote:
>>>
>>>> Moose's last post about building a new fire-breathing computer and
>>>> equipping it with the Zone Alarm firewall causes me to ask a
>>>> question that has been on my mind the last couple of weeks.
>>>>
>>>> Independent of OS and real/perceived vulnerabilities do we really
>>>> need software firewalls if our machines are talking to the internet
>>>> through a router?  One of the functions of a router is to hide our
>>>> real IP addresses from the outside world.
>>>>
>>>> (1) Assuming we haven't deliberately established ports for
>>>> peer-to-peer connections (?) are we not safe from outside probing
>>>> given that we're hidden behind the router?
>>>
>>> Yes, but with exceptions.
>>>
>>> First, there might be an attack on the router. Among the things
>>> Snowden revealed were a number of those from NSA's TAO (Tailored
>>> Access) group. The ones I've read about were for high-end routers
>>> used in corporate & gov't networks, but there may be some for lesser
>>> routers as well.
>>>
>>>> (2) If not, what function does the software firewall provide that
>>>> the router doesn't?
>>>
>>> It is basically the other way round; a router or other hardware
>>> firewall can do things that software cannot. Still, defense-in-depth
>>> or belt-and-suspenders are good ideas; using both is OK.
>>>
>>>> (3) Is the distinction even important now that most security
>>>> breaches are passing through our browsers?  (maybe Apple guys should
>>>> pay attention?).
>>>
>>> Yes.
>>>
>>>> Now some other security related questions having to do with Linux
>>>> because, after following "Krebs on Security" recently
>>>> <http://krebsonsecurity.com/> , I've become paranoid about doing
>>>> banking and financial transactions on Windows.  According to Krebs
>>>> and others the most secure way to operate is by using a Linux
>>>> distribution on Live CD.  Since the CD is not writeable the OS cannot be
>>>> modified.
>>>
>>> The downside of that is that neither OS nor browser can get updates,
>>> including security upgrades.
>>>
>>>> My wife's
>>>> old Dell laptop is still running XP and needs to be replaced with
>>>> something more modern.  My thought was to repurpose the old laptop
>>>> as a dedicated Linux machine whose only purpose is financial
>>>> transactions and the only websites it ever visits is those of the
>>>> financial institutions.
>>>
>>> I'm a Linux user and trust it more than I would Windows. Here's an
>>> old post of mine on a foreigners-in-China forum on the differences:
>>> http://raoulschinasaloon.com/index.php?topic=2460.0
>>>
>>> The key here, I think, is having a dedicated financial machine.
>>>
>>> However, given that, I'm not entirely certain a Linux system is going
>>> to be noticeably more secure than a carefully managed Windows system,
>>> starting by wiping it, re-installing Windows fresh and doing all of
>>> Microsoft's updates.
>>>
>>>> But I have a few questions about such a configuration.
>>>> (4) Since a Live CD is not writeable how is configuration data saved
>>>> (such as URL favorites for the browser and other stuff)?  Does that
>>>> not require at least some other small storage device?  How is it
>>>> selected?
>>>> (5) That question doesn't arise if Linux is installed on a USB
>>>> memory stick or flash card on USB adapter.  That should also improve
>>>> boot time but seems to undo the security of the unwriteable Live CD.
>>>
>>> Yes. It would be possible to build a file with the required bookmarks
>>> and include it on the CD, but I doubt that would work well over the
>>> long term.
>>>
>>>>    I had
>>>> thought that maybe an SD card could be used with its write protect
>>>> switch set to prevent writing but my understanding of that is that
>>>> it's not really a hardware prevention but a software convention
>>>> providing no real security.  Anyone know for sure?
>>>
>>> My understanding is that is hardware, but I could be wrong.
>>>
>>>> (6) If the Linux machine is residing on a (mostly) Windows LAN is
>>>> the Linux machine still vulnerable through the LAN?
>>>
>>> Some attacks, like getting other machines to monitor what the Linux
>>> box does or sabotage it with bogus network traffic, are possible, at
>>> least in theory. They don't even need Windows; a Postscript printer
>>> is capable of running them. That said, they do not look likely unless
>>> your opponents are both professional and determined.
>>>
>>> If it is a wireless LAN there are other problems. Avoid that if possible.
>>>
>>>>    If so, is it possible
>>>> to isolate the Linux machine by installing it behind a second router?
>>>
>>> Yes, or just on a different router port.
>>>
>>>> If so, how are two routers installed behind a single cable modem?
>>>> Can one simply install a switch and plug both routers into the switch?
>>>
>>> The more usual setup would be one router with a switch either built
>>> into it or placed behind it. Most switches manage the traffic so one
>>> client cannot see things sent to another client. Check the switch
>>> manual and try a web search to see if there are attacks on the
>>> switch, but in most cases a switch should give adequate isolation.
>>>
>>>> (7) Am I overly paranoid?
>>>
>>> No.
>>> --
>>> _________________________________________________________________
>>> Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
>>> Archives: http://lists.thomasclausen.net/mailman/private/olympus/
>>> Themed Olympus Photo Exhibition: http://www.tope.nl/
>>>
>>>
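Scott's firewall advice in the quoted message (on a pfSense box, close nearly everything outbound, open only what the dedicated banking machine needs, pin each kind of traffic to specific outside addresses, and treat inbound the same way) amounts to a default-deny allow-list. The Python below is an added example written for this page; it is not pfSense code and not anything posted in the thread. The `Packet`/`Rule` types, the rule labels, the "out"/"in" direction convention and every address (the banking machine at 10.0.0.5, a resolver and NTP server in 192.0.2.0/24, two banks in 198.51.100.0/24 and 203.0.113.0/24, all documentation ranges) are constructed for the demonstration.

```python
"""Default-deny, allow-list firewall policy model.

Added example for this thread, not pfSense code. It models the policy
Scott describes: block everything outbound by default, open only the
few services the dedicated banking machine needs, pin each one to
specific outside addresses, and leave inbound fully closed. All
addresses are constructed from the RFC 5737 documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN -> internet, "in" = internet -> LAN
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    label: str
    direction: str
    proto: str
    dst_nets: Tuple[str, ...]   # CIDR strings the destination must fall in
    dports: frozenset           # destination ports this rule covers
    action: str = "pass"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and pkt.proto == self.proto
                and pkt.dport in self.dports
                and any(ip_address(pkt.dst) in ip_network(n)
                        for n in self.dst_nets))


# The whole outbound allow-list for the banking box. No inbound rules
# exist at all, so every unsolicited inbound packet hits the default deny.
POLICY: List[Rule] = [
    Rule("dns-to-approved-resolver", "out", "udp", ("192.0.2.53/32",), frozenset({53})),
    Rule("ntp-to-approved-server", "out", "udp", ("192.0.2.123/32",), frozenset({123})),
    Rule("https-to-bank-a", "out", "tcp", ("198.51.100.0/24",), frozenset({443})),
    Rule("https-to-bank-b", "out", "tcp", ("203.0.113.10/32",), frozenset({443})),
]


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides; no match at all means block (default deny)."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.label
    return "block", "default-deny"


# Constructed sample traffic: 10.0.0.5 is the dedicated banking machine.
SAMPLE_PACKETS = [
    ("bank A over HTTPS", Packet("out", "tcp", "10.0.0.5", "198.51.100.20", 443)),
    ("bank B over HTTPS", Packet("out", "tcp", "10.0.0.5", "203.0.113.10", 443)),
    ("some other HTTPS site", Packet("out", "tcp", "10.0.0.5", "203.0.113.99", 443)),
    ("bank A over plain HTTP", Packet("out", "tcp", "10.0.0.5", "198.51.100.20", 80)),
    ("DNS to approved resolver", Packet("out", "udp", "10.0.0.5", "192.0.2.53", 53)),
    ("DNS to some other resolver", Packet("out", "udp", "10.0.0.5", "192.0.2.99", 53)),
    ("inbound SSH probe", Packet("in", "tcp", "203.0.113.99", "10.0.0.5", 22)),
    ("inbound HTTPS probe", Packet("in", "tcp", "203.0.113.99", "10.0.0.5", 443)),
]


def audit(policy: List[Rule], samples) -> List[Tuple[str, str, str]]:
    """Run every sample through the policy; returns (description, action, rule)."""
    return [(desc, *evaluate(policy, pkt)) for desc, pkt in samples]


if __name__ == "__main__":
    for desc, action, label in audit(POLICY, SAMPLE_PACKETS):
        print(f"{action:5}  {desc:28}  ({label})")
```

The point the sample run makes is the one in Scott's message: only the two banks over HTTPS and the one approved resolver get through, while plain HTTP to a bank, HTTPS to any other site, DNS to any other resolver and every inbound probe fall through to the default deny without needing a rule of their own. Rule order matters in a first-match evaluator like this, so a later broad "pass" rule would silently widen the policy; keeping the list short makes that easy to review.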
