Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Security Software Hardware

How Are You Protecting Your Computers? 193

Posted by Cliff from the what-steps-are-you-taking dept.
b0m8ad1l asks: "I'm wondering what AV, software/hardware firewalls Slashdot readers are using these days. I remember another Ask Slashdot a long time ago, but i'm curious as to how everyone is keeping up with the times. I'm using Kaspersky AV, Sygate Personal Firewall Pro, behind a Netgear RP114 router"
This discussion has been archived. No new comments can be posted.

How Are You Protecting Your Computers? More

How Are You Protecting Your Computers?

Comments Filter:

  • If I told you... (Score:5, Funny)

    by Tim_F ( 12524 ) on Saturday October 02, 2004 @02:41AM (#10411676)
    The slashdot editors would have all the information they'd need to hack me...

  • I'm using (Score:3, Insightful)

    by Trikenstein ( 571493 ) on Saturday October 02, 2004 @02:45AM (#10411690)
    D-Lonk DI-604 router, Zone Alarm personal, Norton AV 2K2. When I install XP, I disconnect the computer from the network, install XP, and SP1, Zone Alarm, Norton AV, then reconnect to network and patch up.

  • The obvious... (Score:2, Insightful)

    by zyche ( 784345 )
    OpenBSD/pf.

    • Re:The obvious... (Score:3, Insightful)

      by hdw ( 564237 )
      Amen to that.
      Two junkboxes, an SS10/30 that happened to have a quad-ethernet and a P200 with 4 cheap PCI NICs.
      Both with OpenBSD with pf, pfsync and carp.
      Wlan AP connected to DMZ allowing only IpSec traffic.
      Internal server with samba/nfs, Clamd and Squid.
      All internal boxes get their virus scanned mail from the server, all http access thru squid (with filtering for annoying ads and crap).
      All MS boxes also have updated Norton Antivirus and of course Firefox/Thunderbird.

      And Daddy gets a good nights slee
  • And when not that, Mac OS X.

    You didn't specify it, but I assume you are referring to Windows. A question worth asking is whether whatever it is that has you running Windows is worth the hassle of worrying about virii/worms/etc.
    • "A question worth asking is whether whatever it is that has you running Windows is worth the hassle of worrying about virii/worms/etc."

      Seeing as how Linux has its share of it too, it's not all that clear that hassle would suddenly disappear. Add, on top of that, jumping through all the hoops of setting up Linux and finding alternative software that does what he needs, assuming such software exists. (note: I don't mean for that to sound like an attack on Linux, but not everybody can just suddenly switch
      • it's not all that clear that hassle would suddenly disappear

        I don't know what you mean by "suddenly disappear" (it certainly wasn't in reference to anything I stated in my post). If you mean all systems have the potential for being cracked, then sure. But that doesn't tell anything near the whole story. If you run Linux (or OS X, which you left out in your reply), your odds of being cracked/spywared drop low enough that it's not really worth fretting over--even if you don't turn on the built-in firewalls

        • Re:vmlinuz (Score:4, Interesting)

          by NanoGator ( 522640 ) on Saturday October 02, 2004 @04:40AM (#10412025) Homepage Journal
          "I don't know what you mean by "suddenly disappear" (it certainly wasn't in reference to anything I stated in my post)."

          I apologize if I have misinterpreted your meaning, but your post does read that way.

          "If you run Linux (or OS X, which you left out in your reply), your odds of being cracked/spywared drop low enough that it's not really worth fretting over--even if you don't turn on the built-in firewalls (which are infinitely superior to the Windows built-in firewall)."

          I left out OSX only because he cannot install OSX on a Windows machine.

          As for the odds being low, that doesn't really help, does it? You still have to regularly install updates to Linux and the apps you run on top of it, Mozilla for example. I found this out myself. Buying all of Slashdot's hype that Linux is secure, I built a Linux webserver for my company. 2 weeks later it was rooted. Our newly hired Linux expert had to rebuild it 'securely'. Thankfully for them, they had him on hand to clean up the mess caused by my incompetance.

          "So while you may be playing the pedant card and using language that is "technically correct", you have added more confusion than clarification to the issue. I hope you don't mean that Windows, Linux, and Mac OS X are all equally crackable. If you aren't careful, you can end up with a cracked XP system during the install process, what a joke!"

          My only real point is that you have to be vigilant either way. It's a question of whether or not it's 'worth the fuss'. Interestingly enough, Windows' highly publicized insecurity has lead to some interesting developments such as auto-updating virus protection and Windows Update itself. If Linux doesn't have these, it needs them, especially when it reaches enough users for worms etc to really be an issue.

          I'll put it another way: I'm a Windows user. I have several machines I have to take care of. I don't have problems with exploits trojans or spyware. Once in a great while something will come along. I take care of it, bfd. I spent more time building the ill-fated Linux/Apache server than I have in a year of maintaining exploit-related Windows problems.

          • Re:vmlinuz (Score:4, Informative)

            by node 3 ( 115640 ) on Saturday October 02, 2004 @06:09AM (#10412244)
            I apologize if I have misinterpreted your meaning, but your post does read that way.

            No problem. If you re-read my original post you'll see it's more of how you read it than how I said it (I imagine you read it through slashdot-colored glasses, as it were).

            I left out OSX only because he cannot install OSX on a Windows machine.

            But presumably it is an option available to him. Cost is an issue he'll have to weigh for himself if he deems it worthwhile. I was just offering two options that work for me.

            Buying all of Slashdot's hype that Linux is secure, I built a Linux webserver for my company. 2 weeks later it was rooted.

            The guy doesn't sound like he's interested in running a web server. There are plenty of ways to make an apache install insecure. Again, to make a fair comparison, it's easier to crack IIS than it is Apache. That you got 0wn3d doesn't detract from my point. I never said Linux was uncrackable, I said it's more secure (by a large margin).

            My only real point is that you have to be vigilant either way.

            This is the "what do you mean by that realm". 'Vigilant' is a term that is subjective. Under Debian, 'vigilant' means running apt/aptitude/dselect (whichever is your choice) and telling it to update your system. Under Mac OS X, 'vigilant' means clicking "install" when Software Update pops up. Under Windows, 'vigilant' is far more involved.

            Subjectively you can say both require 'vigilance', but they are not equal. You are repeating the confusion of a Windows apologist. When a Linux advocate (yeah, sometimes they are rabid too), claims that Windows is less secure, the Windows apologist will say Linux has security holes too. But when you look closely, you'll see a world of difference. Both a glass of water, and a handfull of rattle snakes can kill you, but one is far safer than the other.

            It's far easier to crack a Windows computer than a Linux computer by a wide margin.

            It's a question of whether or not it's 'worth the fuss'.

            Which is what I said in my original post.

            I'll put it another way: I'm a Windows user. I have several machines I have to take care of. I don't have problems with exploits trojans or spyware. Once in a great while something will come along. I take care of it, bfd. I spent more time building the ill-fated Linux/Apache server than I have in a year of maintaining exploit-related Windows problems.

            Then Linux isn't for you. I never said it was for everyone. I suggested he consider it (maybe he has, maybe he hasn't, I have no way to know, but both Linux and Mac OS X are viable alternatives and worth considering).
            1. I'll put it another way: I'm a Windows user. I have several machines I have to take care of. I don't have problems with exploits trojans or spyware. Once in a great while something will come along. I take care of it, bfd. I spent more time building the ill-fated Linux/Apache server than I have in a year of maintaining exploit-related Windows problems.

              I agree and understand what you say including this part -- My only real point is that you have to be vigilant either way. Whatever system I set up -- Windows

          • If you idle on any large network - and I'd gather PTP would apply here, but my experience is limited to IRC - your box will be hacked or hacking attempts will be made. I have had linux exploited and had the honor of having a previous version of OpenBSD rooted dispite being reasonably locked down, got me via the SSH bug. Since been upgraded and patched, but I don't like doing that frequently - hence OpenBSD.

            The attack and compromise was almost immediately noticed via the display I have on my firewall and lo
  • No, nothing's perfect - but OS/X on my AlBook is pretty damn close. ;>

  • Not doing dumb things... (Score:5, Insightful)

    by Spoing ( 152917 ) on Saturday October 02, 2004 @02:48AM (#10411703) Homepage
    ...keeping my systems as simple as possible (from apps to services) and following my own advice on firewalls (see signature).

    If you add complexity to deal with complexity you are introducing additional vectors for even more security problems. (One example: trusting that a virus detector is working because it says 'everything is fine'...only to find out later that the last virus through disabled the virus detector so it would always report 'everything is fine'.)

    • Yep. That's about the atitude I take with my home PC too. Actually I admit it was your signature that contributed a bit.

      FC1. Firestarter to cover the basics of firewalling. But anything not needed is turned off where possible. Don't even have sshd running at the moment as I don't need to access remotely, so why bother giving anyone else a chance. Same with Samba. When the laptop ain't on the LAN the main PC doesn't run Samba. Browsing via Firefox - usual safety settings. E-mail via Thunderbird - read sett

  • a la carte (Score:4, Informative)

    by Down8 ( 223459 ) <Down8@yahoo.COUGARcom minus cat> on Saturday October 02, 2004 @03:10AM (#10411786) Homepage
    AVG AntiVirus. (Free)

    Windows Firewall (XP Pro). (~Free)

    Aerielink (Soyo) router. (~$60, incl. USB-WiFi used by other computer)

    Before the router I ran Tiny Personal Firewall (now Kerio PF), and loved it (free and better than Zonealarm or BlackICE, for my needs). Also had Norton AV for a while, but it was just 'eh', and isn't free.

    -bZj

  • Home setup (Score:5, Interesting)

    by consolidatedbord ( 689996 ) <<brandon> <at> <ihashacks.com>> on Saturday October 02, 2004 @03:12AM (#10411793) Homepage Journal
    Yes, it's a bit of damn overkill for a home setup, but you can never be too safe. :)

    -cable modem->linux 2.4 kernel router running iptables
    -norton antivirus corporate edition
    -Microsoft Software Update Services for the Windows boxes
    -iptables for the Linux boxes
    -ntop and snort for traffic monitoring
    -I have a WRT54G that I don't use for routing anymore, just as a bridge. Anything that I use over wireless is done over ssh. Host connection, bank account checking, email, vpn to work, etc.
    -various other utilities to monitor tcp/ip traffic
    -good old fashioned obsessive tailing of logfiles along with vgrep
    :)

    • Re:Home setup (Score:3, Interesting)

      by LordDartan ( 8373 )
      Concerning using tail on log files. I read at one time that it's possible (maybe even easy??) to put an exploit in a log file (you know what gets logged with httpd, so it's easy to get what you want in a log file) that causes an overflow and for the exploit to run. I don't remember where I read that, but ever since, I just use less and hit > to go to the end of the file.

      • Re:Home setup (Score:3, Interesting)

        by Kronovohr ( 145646 )

        I think what you're referring to is the return of the ANSI bomb -- there have been several patches to programs such as less and vim to prevent this from occurring, but your recollection is correct; you can place certain control sequences in output messages (I'd imagine a wide-open syslog would be relatively simple) that, when displayed via certain terminals and/or certain programs, could cause command execution with the privileges of the user.

        Here [linux.org] is the result of some quick googling on the subject.

      • Re:Home setup (Score:3, Informative)

        by Spoing ( 152917 )
        1. Concerning using tail on log files. I read at one time that it's possible (maybe even easy??) to put an exploit in a log file (you know what gets logged with httpd, so it's easy to get what you want in a log file) that causes an overflow and for the exploit to run. I don't remember where I read that, but ever since, I just use less and hit > to go to the end of the file.

        Using strings ...

        1. tail -f /path/and/name/of/logfile | strings | less

          /usr/sbin/tcpdump eth0 | strings | less

        ... should elimin

        • Ha! I once thought of changing my user agent for my browser to some mean javascript so if someone uses a browser-based log viewer to view their httpd logs, they'll run my script. Never got around to doing it though - I'm not really that mean.

  • Not much (Score:3, Interesting)

    by dtfinch ( 661405 ) * on Saturday October 02, 2004 @03:13AM (#10411799) Journal
    I have a 5 port d-link router set up as a NAT, the cheapest I could find. After purchase I set the password and upgraded the firmware. That's the extent of my firewalling.

    Most of my email and browsing is done in Mozilla. Never got infected through Internet Explorer or Outlook Express though. I have a Linux PC and a Windows XP PC running side by side. I don't use antivirus software and I don't get viruses or spyware.

    • Re:Not much (Score:5, Insightful)

      by skinfitz ( 564041 ) on Saturday October 02, 2004 @03:41AM (#10411866) Journal
      ...Never got infected through Internet Explorer or Outlook Express though. I don't use antivirus software and I don't get viruses or spyware.

      Forgive me for pointing out the obvious, but how do you know?

      Absolutely nothing you have there would prevent the latest GDI exploit from running code of attackers choice on your Windows box by you doing nothing more complicated than viewing an image.

      • Re:Not much (Score:2, Informative)

        by strikethree ( 811449 )
        "Forgive me for pointing out the obvious, but how do you know?"

        People are always asking this question but I have never seen anyone answer... so I will.

        If a virus/worm/whatever is going to be doing anything interesting, it MUST use resources. If you are always monitoring your resource usage, you WILL (eventually anyways) notice the new/different/extreme resource usage. Blinking lights (hard drive, router, etc), sounds, resource meters, firewalls that report activity, are all things that can alert you to ma
        • spybot search and destroy is also an invaluable tool. Realize that resource utilization will let you know that you're an active spam zombie, but it won't let you know that you've got a keylogger unless you're extremely paranoid... the resource usage is too low to register above normal OS components chatting. Trojaned utilities and browser exploits will of course also fail to register with your methodology.
      • I do the same thing as that guy, and I know I've never had a virus because I hit a free online scanner once a month or so.
        • I am in the same boat as the parent and great-grandparent.

          If you keep a close watch on your system it would be obvious when a new process shows up on the list*. I keep task manager running at all times and like to monitor memory usage, total processes, CPU usage, etc. Other good tools are Process Explorer and TCPView (sysinternals.com). I use Privoxy and so all web activity is shown in the console, as well as the tray icon animation.

          But besides that I hit up the trend micro virus scan every 3 to 6 mont

  • The setup... (Score:3, Informative)

    by BrynM ( 217883 ) * on Saturday October 02, 2004 @03:18AM (#10411815) Homepage Journal
    Smoothwall [smoothwall.org] firewall installed on an old AMD 333 sysem, DHCP running on an internal box (also running other services), internal DNS and some network trickery. AVG [grisoft.com], Sygate [sygate.com] Personal Firewall and strict Active Directory/Group Policy [microsoft.com] (or at least as much as possible using non-M$ methodology) control on every Win32 box. Various brands, but the same ingredients for the two Linux boxen. SSH [openssh.org] and VNC [tightvnc.com] on everything. Lots of dirty looks, nagging and ever increasing restrictions for more... mischevious users.

    I don't have a chance to dig up links for these, but diagnostic tools are a must if you really want to lock stuff down. First, generate and read logfiles whenever possible. Check things out with nmap, tcpdump, ActivePorts, Look@Lan, Kiwi syslog Daemon, Portlistener XP, Bazooka Spyware Utility, Spybot Search and Destroy, Socketlock ... the list goes on. Generally try any tool you can and you'll get a feel for what is actually to your tastes and useful.

    • Why TightVNC? Other questions. (Score:4, Interesting)

      by Futurepower(R) ( 558542 ) on Saturday October 02, 2004 @08:41AM (#10412551) Homepage

      Many questions:

      Why did you choose TightVNC? Why not RealVNC [realvnc.com], UltraVNC [sourceforge.net], or TridiaVNC [tridiavnc.com]?

      Is it better to pay for VNC software, like Tridia VNC Pro [tridiavncpro.com] or Radmin [radmin.com]? Which software has video resolution scaling of the remote desktop?

      What security is best? Is it good to use a VPN for secure access, or is SSH better? What Windows SSH server do you use?

      What VPN hardware is best? We bought a NetGear FVS318 hardware firewall/router/VPN for a customer, and discovered that the remote administration password is openly transmitted. We found that logging out in the remote administration menu didn't always actually log out. We found Javascript errors. With the 2.4 firmware, more than one client can be logged in at the same time. That situation, two clients at the same time, would give an error message with the 2.3 firmware, so things seem to be going backward in some ways, in firmware that is already shaky. Our experience with Netgear technical support is that it is very limited. On the telephone we got someone in Tamil Nadu, India, who was allowed to practice for a short time with Netgear equipment, but who doesn't any longer have access to actual equipment. The online tech support just gave error messages. Not only that, but Fry's and Netgear arranged a rebate trick. They have a very long rebate receipt, and ask you to enter your address both at the top and at the bottom. If you don't enter it at the bottom, they deny your rebate.

  • K.I.S.S. - always been and always will be best (Score:5, Insightful)

    by mabu ( 178417 ) on Saturday October 02, 2004 @03:24AM (#10411830)
    It's amusing that people focus on the latest-and-greatest security software, which IMO is more counterproductive than it is productive.

    You get a whiz-bang anti-virus/firewall system set up and what does it do? Give you a false sense of security so you can feel more confident about engaging in irresponsible computer use. The problem is almost every piece of security software out there has at one point or another been vulnerable, so you're flirting with disaster.

    I think no matter how many advances we have in this area, the basic rules of security will always apply:

    1. Limit Accessibility.

    99% of security issues are inside jobs. Limit physical access to your resources. Don't put any sensitive data on a machine that anyone else has access to that you don't want public. Use encryption, multi-wipe free space and turn off your machine when you're not using it.

    Some people don't want to hear this but it needs to be said: DON'T USE WIRELESS if you're worried about security. No matter what precautions you're taking, by going Wireless you dramatically lower the integrity of your personal security PERIOD. It's one thing to use wireless on the road, but you should limit the sensitive information on your laptop in the first place because it's mobile, but it's really just plain lazy and irresponsible to run wireless in a permanent installation like your home if there is any practical way to avoid doing so.

    I can't stress this enough: *unconditionally* WIRELESS IS MUCH LESS SECURE. It doesn't matter what protocol/encryption you're using, by going wireless you introduce additional ways your system/data can be accessed.

    Remember the first commandment: True security is more dependent upon reducing access points than it is implementing protection of access points.

    2. Disable ALL non-critical services. Don't run anything except what you need on your PC. Close all unused ports; remove all services and extra features and plug-ins that aren't needed. The fewer systems, the fewer points of vulnerability.

    3. Keep all software fully-patched and up to date.

    4. If possible, never use the "industry standard" software if it's not the most secure solution available. Dump IE and Outlook and switch to Firefox and Eudora.

    5. TEXT ONLY E-MAIL... This, after #1 is IMO the biggest threat of them all. The added superficial benefit of html-email is not worth the security liabilities that come along with it. If you want to use html e-mail, I'd recommend a second, sandboxed account for that.

    6. Never put a machine on public-addressable IP space unless it's a public server. Use a DSL/cable switch and put your systems on a VPN on the other side of a hardware firewall that filters out all non-essential traffic.

    7. After you've taken care of 1-6, then and only then should you consider anti-virus/spyware and related software to be a useful addition.

    • I can't stress this enough: *unconditionally* WIRELESS IS MUCH LESS SECURE. It doesn't matter what protocol/encryption you're using, by going wireless you introduce additional ways your system/data can be accessed.

      Explain to me how a properly configured IPSEC setup is less secure then a wired setup.

      [ As for the original question, I'm protecting my computers through iptables on the server (running debian stable), and the samba shares are scanned with f-prot weekly. Each desktop machine runs their o

      • Re:K.I.S.S. - always been and always will be best (Score:4, Interesting)

        by CaptainCheese ( 724779 ) on Saturday October 02, 2004 @05:55AM (#10412222) Journal
        IPSEC can be brute brute-forced and/or dictionary attacked, just like anything can... and IPtables are the same, if the cracker can assume any neccessary IP address and remain adressable. Whereas a net based attack must come from a correctly addressed (even if it's a compromised 3rd party) machine, or the packets will simply never return to the attacker.

        You are comparatively safe with IPsec, however this is just because five people down the block don't know what it is, making them a softer target.

        Anyone who really wants in to a cable based LAN has to find a place to jack in, and you're fitting a metaphorical socket to your front door.

        Of course, any external networking connections are inherently insecure compared to none - physical security is the best security layer, But I doubt many /. readers are using that policy.

        • IPSEC can be brute brute-forced and/or dictionary attacked, just like anything can... and IPtables are the same, if the cracker can assume any neccessary IP address and remain adressable. Whereas a net based attack must come from a correctly addressed (even if it's a compromised 3rd party) machine, or the packets will simply never return to the attacker.

          Er, almost anything can be dictionary-attacked or brute-forced attacked. Given enough time, the ability to ignore the death of the universe, and a to

          • just pointing out security by obscurity (and that's all an RSA key is; those ridiculously long time-to-crack estimates are getting smaller every day...if a more efficient prime factoring method turns up it'll all be useless) is not as good as when it's combined physical security.

            kinda the diffenence between storing treasure in a safe and storing it safe in your private estate replete with motivated guys in machine gun nests...

            • Re:K.I.S.S. - always been and always will be best (Score:5, Insightful)

              by Hast ( 24833 ) on Saturday October 02, 2004 @09:22AM (#10412663)
              No, the statement that RSA is somehow "security through obscurity" is just plain incorrect.

              STO is when you use unpublished methods and rely on the attacker not bothering to try to reverse-engineer your system as a method of protection. Examples are using XOR and similar cyphers in obfucated ways to hide the details.

              So far RSA has not been compromised. Until such a time using RSA in open and peer reviewed protocols (remember that RSA etc are only a small part of the big security system) is in no way "Security Through Obscurity", it is in fact Best Practices (tm) and that is pretty fucking far from STO! And if a really good way to factor into primes comes up then you CHANGE the encryption scheme!

              Most people have a grasp of just how many combinations there exist in a 2^1024 key. As far as we know the number of atoms in the universe (including dark matter and such) is on the order of 2^200. Now in RSA and other asymmetrical systems not all keys can be used, but still I'm willing to guestimate that a typical 2^1024 key has way more than 2^1000 valid keys (I can't be bothered to do a real estimate, and that's probably way to small).

              Now consider that the Universe is Pretty Damned Big, yet the number of valid keys completely dwarfs that. It is hard to put into words just how completely unlikely you are to brute-force an RSA key (or any other key for that matter). Just imagine all the absurd unlikely events EVER happening to you in the same microsecond. Then multiply that by about 50 billion times and you'll still be ways off, but you'll get the idea.

              In short, you are not going to brute force a key which is even 2^256, it's just not happening.

              If you are that worried about someone tapping into your wireless systems do you also ensure that all your electronics is protected from people snooping on your electric signals? Or do you wear sunglasses and gloves all the time to protect you from someone trying to get a copy of your iris/retina or finger prints? That's a lot more likely than someone breaking your encrypted wireless communication.

              Besides I'd rather have my precious data under my desk in encrypted form than in some bunker with a bunch of morons with explosives. No way to be sure what they end up shooting at when they are drunk and bored.
              • So far RSA has not been compromised.

                That's an assumption, of course. However, if a way to compromise it ever leaked out in public, I doubt you or I would have to worry about Joe Hacker giving us a hard time, given the number of far more juicy targets that also use RSA...

              • If you're so sure relying on RSA (or indeed any private password system) is not security by obscurity, just post your machine IPs, root passwords and RSA private keys here on slashdot and we'll see how quick you get rooted. Can you spot where the security by obscurity lies?

                Your straw man is interesting, but attacking my throwaway "buried treasure" metaphor instead of my actual point that it's better to deny any external point of access at all is pretty darn lazy.
                • You really have no idea how public key encryption systems work, do you? Your desire for me to to publish my IP, root passwords and RSA keys suggest that. Or are you trying to be clever and suggesting that if I don't provide the root password and IP then I'm somehow using "security through obscurity" and thus you somehow win?

                  Really, read up on cryptography (I bet there are some articles on Wikipedia, if not I may have to write some just for you) and get back to me when you can have a relevant conversation.
                  • Okay, one piece at a time:

                    You really have no idea how public key encryption systems work, do you?

                    Why, yes I do. I even understand the mathematical principals behind it. If you'd read my other posts you'd know it. In fact you [slashdot.org] even seem to think XOR style bit rotation is less secure than RSA. You do not seem to know that One-time Pad [wikipedia.org] is the undisputed king of cryptography and is unbreakable if executed correctly. Who's the guy who doesn't know his stuff about cryptography here?

                    Or are you trying to be cl
                • ...if he gives you his root password and ip address he'll have been rooted, moron.

        • IPSEC can be brute brute-forced and/or dictionary attacked, just like anything can... and IPtables are the same, if the cracker can assume any neccessary IP address and remain adressable. Whereas a net based attack must come from a correctly addressed (even if it's a compromised 3rd party) machine, or the packets will simply never return to the attacker.

          Er, almost anything can be dictionary-attacked or brute-forced attacked. Given enough time, the ability to ignore the death of the universe, and a to

    • This is not my idea of KISS and I don't agree with most of your points.

      Point 5 is downright idiotic. HTML is not executable by it self and unless you use a very old version of outlook (in which case you are asking for trouble), any javascript, vbscript or whatever will not be executed. Most virus mails are formatted as plaintext btw. The virus is almost always an attachment.

      Wireless is not very secure out of the box but you can lock it down pretty effectively. I'd say the whole point of wireless is to 'in
      • While I agree with your comments, there is one that I think you should strongly reconsider.
        1. 6. Never put a machine on public-addressable IP space unless it's a public server. Use a DSL/cable switch and put your systems on a VPN on the other side of a hardware firewall that filters out all non-essential traffic.
        1. Point 6 is not necessary as long as you use a firewall.

        #6 is actually the most important one; it's part of paramiter defense and lan design (router/VLAN level not server level).

        The job of a

      • Point 5 is downright idiotic. HTML is not executable by it self and unless you use a very old version of outlook (in which case you are asking for trouble), any javascript, vbscript or whatever will not be executed. Most virus mails are formatted as plaintext btw. The virus is almost always an attachment.

        On a security level, html-email is LESS SECURE. That is a fact. I'm not talking specifically about executable issues, but actually, you're wrong about that too, with the recent vulnerability discovered

    • Re:K.I.S.S. - always been and always will be best (Score:5, Informative)

      by bushidocoder ( 550265 ) on Saturday October 02, 2004 @10:48AM (#10413064) Homepage
      Gonna have to call you out on wireless networks. Wireless networks are bad iff you don't know how to configure them right. 802.11g with WPA with preshared public keys is pretty safe. Can it be cracked? Yes. But then again, so can SSL, SSH, PGP and every other encrypted data you throw out there in due time.

      The key to proper wireless setup is to associate different levels of trust between the wired and unwired components. Require WPA. Most household wireless routers allow you to specify a physical address list for visiting assets - do not allow unregistered MAC addresses to join your network. Have the wired network use a different subnet than your wireless network, so that the IPSecurity policies on your wired boxes can be set to prohibit access to the wireless agents on your house. Also, some routers let you set firewall rules between your wired and wireless subnets.

      Audit everything. Everything. Disk space is cheap.

      Also, run a packet sniffer on your wireless network. I once had a Netgear wireless router that would broadcast packets wired computers had sent it to route to the public internet across the wireless network - it had no concept of how to route correctly. If that's happening, throw that PoS away and get a real router.

      Can this be compromised? Yes, but it requires breaking through various levels of real, cryptographically enforced security. Remember that only one part of information security is denying access to intruders because at the end of the day, the most locked down boxes plugged into a network can still be hacked. You must be constantly vigilant to detect intruders as they attempt access, you must have a recovery plan if you are compromised (everyone needs AV software and an individual firewall on each computer behind the NAT firewall), and must be sufficiently auditted that you can trace access attempts back to the source. Watch your wireless traffic - with this type of security, in the very very remote chance you are compromised, its going to take a long while. Is someone trying a variety of network attacks on your wireless network? If so, I've got good news - rule out that its not someone in a car outside, and you can pinpoint it pretty quick down to a neighbor. Talk to them if you think its their 16 year old punk teen, call the police, leave a note on their door with a picture of Sauron's eye saying they need to be more sneaky, whatever.
    • Great list. I agree with everything except '99% of security issues are inside jobs'.

      All the reports I've read have pegged it at a 50/50 split...though I'd guess it is more like 80 inside / 20 outside (corporate) and 20 inside / 80 outside (home use). Not that we're making up statistics, though!

    • 6. Never put a machine on public-addressable IP space unless it's a public server. Use a DSL/cable switch and put your systems on a VPN on the other side of a hardware firewall that filters out all non-essential traffic.
      Bollocks. Packet filtering *is* essential. Hiding the machine on a private IP behind a NAT isn't. NATing has nothing to do with the security matter, other than when you're on a private IP space, you're *forced* to filter packets.

      • See my related reply to someone else here. [slashdot.org]

        Keep in mind that this isn't a 'use NAT'/'do not use NAT' issue. The issue is LAN design and security hardening at the router level. If using public and private addresses makes sense -- and NAT is only an example of this public/private split -- you should use public and private addresses. Otherwise, don't.

        That said, using public/private address schemes can be quite handy is that you can rely on other software and hardware to be partially configured before yo

        • You are making the all too common confusion between packet filtering at your LAN border, and NATing private IPs behind a public one. I'll try another approach to get you thinking. If the concept of private IP did not exist, would we be less secure? Apart from the fact that a NAT box automagically introduces a default denial of access policy, I don't think we would be any less secure. Having a public IP won't introduce any kind of limitations on which traffic you want to accept.
            1. You are making the all too common confusion between packet filtering at your LAN border, and NATing private IPs behind a public one.

            Not at all! I consider both sides to be hostile. Having only public addresses complicates things unnecessarily; the network should be highly segmented at the routers anyway. Splitting the local lan using private addresses keeps things a slight bit simpler.

            1. If the concept of private IP did not exist, would we be less secure? Apart from the fact that a NAT box automagic
  • m0n0wall
    kerio pf4
    nod32
    adawareSE

  • Tin Foil and DuctTape (Score:5, Funny)

    by Sean Johnson ( 66456 ) on Saturday October 02, 2004 @03:57AM (#10411903)
    I completely covered my PC with it. There`s no airlow, but at least it`s safe. I also sprinkled some holy water on it for good measure. Those Nazis will never get to my PC now.
  • First of all, I'm in Linux about 95% of the time. So I have no need of AV. I use a simple iptables firewall script for network protection.

    The other 5% of my time is spent playing games. My machine duel boots into WinXP. I don't use WinXP for checking mail, and I use Firefox if I do any browsing. I don't download executables from questionable sites, therefore have no need for AV.
    I use the internal WinXP firewall for network protection.

  • Hmm (Score:5, Funny)

    by Vokbain ( 657712 ) * on Saturday October 02, 2004 @04:47AM (#10412043) Homepage
    I bought a Macintosh ^_^
    • Yeah, I was thinking that.

      "What security software do you use?"

      "It's this great product from Apple."

      "Apple? Really? What's it called?"

      "Mac OS X."

      Seriously, OS X with all the security options turned on (almost all of which, I note, are on by default out of the box) is more secure than any reasonable install of Windows with all the latest'n'greatest third-party stuff. If you must use x86 hardware, then any decent Linux distro may take a little longer to configure for security than OS X does ... but it
  • No, honest.

    A bit of iptables, a superior and safer web browser, intelligent email clients.

    I stopped worrying about viruses and being owned some time ago.

  • Old PC running Devil-Linux boot CD-ROM .. (Score:4, Interesting)

    by torpor ( 458 ) <ibisum AT gmail DOT com> on Saturday October 02, 2004 @05:03AM (#10412079) Homepage Journal
    .. which also doubles as my Squid proxy/cache and DNS machine ..

    Gotta say, I love the bootCD firewall solutions. Pretty darn hard to beat ...
  • I don't do much work that I consider to be sensitive, but when I do, I use a machine with no connections. If anything goes onto or comes off that machine, it does it via the CD writer.

    Apart from that, I do my web browsing on a Mac running OS9 - security through obsolesence is greatly underrated!
    • I don't know if you're talking about sensitive as in "biological weapons plans" or sensitive as in "personal finance data," but there's a solution that would allow you to keep the convenience of networking but not expose it to the Internet. (This assumesy ou're running Windows.)

      Install IPX/SPX or NetBEUI on both machines. Keep TCP/IP on the non-sensitive machine, but have no TCP/IP stack installed on the sensitive machine, and use IPX/SPX or NetBEUI for networking betwixt them.

      For added obscurity points, yo

  • UPS (Score:2)

    by TheLink ( 130905 )
    I use a UPS to protect my computers + network.

    One of which runs FreeBSD and is set up as a firewall. Since FreeBSD is already "dying" perhaps the hackers won't bother to get too familiar with it ;).

    I use AVG, but it's more to prevent accidents (e.g. oops slipped and clicked the wrong thing) than anything.
  • I have a D-link 707P router and use Debian for my desktop, so I'm not too worried about viruses.

    The only traffic allowed past the router is incoming port 22.
  • ... and hide the key!

  • truly wonderful firewall (Score:5, Interesting)

    by nusratt ( 751548 ) on Saturday October 02, 2004 @10:17AM (#10412898) Journal
    -- Agnitum.com's "Outpost" firewall, with all kinds of free plug-ins which let me control -- on a PER-DOMAIN basis -- things like scripts, activeX, java, referrers, etc. Also controls those things separately for http vs mail vs news.
    Tried it on trial, liked it so much I paid for it. :o

    -- McAfee VirusScan, because I got it free (corporate) and it seems to work ok.

    -- on another system, english.mks.com.pl "mks_vir", which has recently been favorably reviewed for its dynamic adaptablility to not-yet-signatured new threats.

    -- SpyBot, AdAware
  • Believe it or not, up till a few months ago, nothing. No firewall, no AV, nothing. I turned off HTML viewing in Outlook as well as the preview pane & used Opera instead of IE. Three months ago I got a wireless router (WRT54G Linksys, for my laptop), which apparently adds a level of security, but I really don't think it's necessary.

    For the people who think that windows isn't secured: I've ran WinXP since its inception unprotected and haven't caught *anything* (I run adaware and a free online virus c

    • er...I don't use antivirus or anything either, but I do insist on a firewall (external or otherwise) for when using Windows XP. I have gotten infected (a few minutes after a clean install), so I think the firewall is necessary, as there is not much you can do to prevent exploits.

      OTOH, antivirus software and ad-aware is mostly useless. You *can* prevent virii from being installed (don't install them, stupid!) and you can prevent adware from being installed (again, don't install them, stupid!). There's r

  • Cheap NAT (Score:3, Insightful)

    by lkaos ( 187507 ) <anthony@codemonk ... s minus math_god> on Saturday October 02, 2004 @12:12PM (#10413525) Homepage Journal
    I have a Linksys wireless switch behind my cable modem. My main Linux server is set up as a DMZ host. This server was built via Gentoo and the only services running that are exposed is ssh and Apache2.

    I've not had an issue in the 2 years I've had this setup. I don't have problems with email worms and such because well all my machines run Linux :-)

    I've got a similiar setup for my parents and they've had minimal problems running all Windows. They've had some spyware issues lately because of some bad downloading but what can you do.
  • I see some crazy setups here on this thread. Really, NAT, AV software, and regular software updates are all you need. If you're not on Windows, you could probably even drop the AV stuff. Hell, you can probably drop the AV stuff even if you're ON Windows, as long as you're not installing shady software.

    * 8-port Linksys Router/Firewall

    Only a few incoming ports are opened - basically the ports needed for Soulseek and Bittorrent. If you're NAT'd behind a hardware firewall/router that blocks incoming conne

  • Layers (Score:2)

    by a9db0 ( 31053 )
    Linksys router/firewall is the first line, with only three devices hooked to it: VoIP, web server(Linux/apache), and Linux Firewall. Inside linux firewall is dnscache/dhcp/samba server. Adservers filtered by Squid and large hosts file providing misdirection. No mail server or local mail storage - use a web based email provider. Sensitive data is stored on Novell IPX box. Workstations have resonable firewalls and AV. Only one WinXP box - wife's work laptop with AV and Zone.

    It doesn't have to be perfec
  • FreeBSD 4.10 firewall (IPFW). Soon to be upgraded to 5.3 with pf. Blocks the majority of worms and snooping skr1p7 k1dd13 h4X0rZ.

    No antivirus software - it's a waste of valuable resources. If you have half a brain you won't get infected (stop downloading and running everything just because a window popped up in your browser saying to).

    If a machine DOES get infected the ONLY solution I accept is to wipe the damn thing out and start over from an empty disk -- No sense taking the chance that some other vi

  • I have a medium to large sized home network of 6 computers. Most of them are Mandrake Linux 10.0 only. One is dual boot (W2K and Mandrake Linux) and one is W2K only.

    I use Netgear router and set it up to block everything form outside, except the ports I need (www, ftp, ssh). It also does not respond to pings.

    On Windows, I use only Open Source or Free software. FireFox for browsing, Thunderbird for email, OpenOffice, Grisoft AVG for antivirus, and Adaware. I also use Yahoo and MSN messengers (not using

  • Most of my network runs Debian, so worms and viruses aren't too much of an issue. There is a Debian firewall up and running at the network edge, and all incoming mail is filtered by the mail server running spamassassin, clamav and exim for any viruses, thus protecting any Windows machines that collect mail from it. If needed, at home, AVG provides runtime virus protection for the Windows machines, and Norton AV Corp provides it at work. One day clamwin will support on-access scanning, which means I'll proba
  • Via 800mhx ITX machine running IPCOP (customized)
    Squid & Dansguardian
    Norton Corp AV 8
    All automatic updates engaged (of couse I still need to visit each machine to click of on the EULA for SP2)
    System policies limiting installations and setting changes
    File permissions set to prevent the public from Writing and Executing in the same place.
    About 60 public access machines at 8 different recreation centers on DSL internet.

    Almost perfect...

    SD
  • Linksys router (I have all incoming ports routed to my *nix boxes, so the Win 98/XP boxes are largely secured). Symantec/Norton on various computers. Remote Help turned off. Spyware S&D and AdAware. Hid IE and Outlook, installed Firefox/Thunderbird. Unfortunately, some of the family still uses AOL for email, and that uses IE :(. So, for that reason, and in case anyone finds IE, I put it on High security (no ActiveX, no Java[Script], no cookies etc).

    I run Spybot & AdAware about once/week, an
  • WinXP Pro: AVG Free set to autoupdate and scan, Spybot S&D, also autoupdating and scanning, Windows Update set to auto download, but ask to install. SP2 Firewall turned on (I tested it and found it to be good enough that I stopped using ZoneAlarm)

    FC2: Update regularly, no services available outside of LAN except testing webserver that is on port 8000 to bypass school's incoming traffic filter, test server only known fo a select few.
  • I have an old 486 running Coyote Linux that sits as a firewall between my LAN (a mix of Linux, OS X, and Win98 boxes). SpamAssassin on the mail server handles most of the UCE.

    I don't have any anti-virus software. I have some simple procmail rules that delete messages with all but the most innocuous attachments, and the Win98 box isn't used for mail or web browsing (just some a few old Win apps and testing my own web sites on IE), so the only impact viruses have on my systems is that the mail-borne ones

Slashdot Top Deals

A morsel of genuine history is a thing so rare as to be always valuable. -- Thomas Jefferson

Close