How Are You Protecting Your Computers?

Cliff posted more than 8 years ago | from the what-steps-are-you-taking dept.

Security 193

b0m8ad1l asks: "I'm wondering what AV, software/hardware firewalls Slashdot readers are using these days. I remember another Ask Slashdot a long time ago, but I'm curious as to how everyone is keeping up with the times. I'm using Kaspersky AV, Sygate Personal Firewall Pro, behind a Netgear RP114 router."

193 comments

If I told you... (5, Funny)

Tim_F (12524) | more than 8 years ago | (#10411676)

The slashdot editors would have all the information they'd need to hack me...

I'm using (3, Insightful)

Trikenstein (571493) | more than 8 years ago | (#10411690)

D-Lonk DI-604 router, Zone Alarm personal, Norton AV 2K2. When I install XP, I disconnect the computer from the network, install XP, and SP1, Zone Alarm, Norton AV, then reconnect to network and patch up.

Re:I'm using (1)

Trikenstein (571493) | more than 8 years ago | (#10411699)

err, D-Link

gotta remember to preview, (mutter, mutter, mutter)

Re:I'm using (0)

Anonymous Coward | more than 8 years ago | (#10411741)

Goddamn. The things people do to run Windows...

It makes me glad I use Linux.

Ok, fine, I'll bite... (5, Insightful)

MachDelta (704883) | more than 8 years ago | (#10411884)

Goddamn. The things people do to run Windows... It makes me glad I use Linux.

Oh come on, let's not be hypocritical here. I seriously doubt anyone can say they've done a fresh install of *distro-of-choice* and not spent some time tweaking things to get their system into a fully usable state.

Everyone does it, and just because one person has to install a firewall and another person has to hunt down drivers doesn't make either person superior to the other. Yeah I know, this is slashdot, where "Windows sux and Linux rulez", but if we're going to be asking serious questions we might as well be giving serious answers.

Myself, I use KPF [kerio.com] and AVG [grisoft.com], with AdAware [lavasoftusa.com] on the side. Fortunately, these three programs don't have much to do, thanks to Firefox [mozilla.org] and my cheap yet trusty DI-604 [dlink.com] router. I'm actually going to be putting together a box for my parents this weekend too, so I've been busy loading up my USB flash drive with some of the aforementioned programs, and other first boot goodies. And if I'm lucky, my parents will turn over custody of their old computer (an aging P3-500) to me, which I hope to turn into my very first Linux box to muck around on. Then I'll get to experience the numerous pains-in-the-ass of both worlds! Should be fun. :)

Re:Ok, fine, I'll bite... (0)

Anonymous Coward | more than 8 years ago | (#10411997)

First:
Yeah I know, this is slashdot, where "Windows sux and Linux rulez", but if we're going to be asking serious questions we might as well be giving serious answers.

Then later:

if I'm lucky, my parents will turn over custody of their old computer (an aging P3-500) to me, which I hope to turn into my very first Linux box to muck around on.

Nothing to see here folks, that says everything we need to know.

Re:Ok, fine, I'll bite... (1)

cs02rm0 (654673) | more than 8 years ago | (#10412002)

KPF, AVG and AdAware are going to suck a lot more system resources than the handful of IPTables rules I've got setup.

No, that doesn't make either person superior to the other, I'd say it does make the OS superior though.

Re:Ok, fine, I'll bite... (1)

karnal (22275) | more than 8 years ago | (#10413681)

But those handful of IPTables rules won't keep someone on the inside from making your machine useless.

Of course, from a home user perspective, I used to not even keep AV software on my local machine. Always could have another machine scan it in case of an issue, and a clean wipe would follow if something was found.

Nowadays, I keep AVG on my machine, because I'm hooked up to two other houses via a VPN. It's not that I don't trust the other guys, however I don't have any clue as to what they could be plugging in (or their roommates etc)....

Personal firewalls do seem a bit overkill for me, however. Again, that might be because I can get my machine back into a "gaming state" within 2 hours..... it's a loss of time, but I've never had to do it because of outside forces.

OpenBSD (2, Interesting)

missing000 (602285) | more than 8 years ago | (#10412696)

While no OS is good enough to ignore security issues on, OpenBSD [openbsd.org] comes damn close. You couple it with a good firewall policy and the chance of someone getting inside the default install is virtually nil.

If you're loading up a USB flash drive... (2, Informative)

Exocet (3998) | more than 8 years ago | (#10413285)

Check out what I've got on my flash drive: http://exocet.ca/phpwiki/BradsTools

It's not a lot of drivers and such. More oriented to useful utils that can come in handy in a pinch. It's stuff that I tend to use fairly frequently and don't like to be without.

Re:Ok, fine, I'll bite... (1)

bhtooefr (649901) | more than 8 years ago | (#10413572)

Avast for me (it seems to work better than AVG), and I used SPF for a while. I might try KPF, but I won't use ZoneAlarm again, that's for sure. SPF isn't TOO bad, but it REALLY didn't like having two versions of Opera, and SP2 didn't like it too much. I'm running WF right now, but I don't trust it much.

Re:Ok, fine, I'll bite... (2, Interesting)

Penis_Envy (62993) | more than 8 years ago | (#10413585)

I have to respond. The parent was correct. It's amazing seeing what people do to run windows, and what I've had to do in the past.

You say you seriously doubt anyone has done a fresh install of distro-of-choice and not spent time tweaking things to get the system fully usable. Then you go on to say you're hoping to build your first linux box.

I think you'll be pleasantly surprised, depending on what distro you choose. Someone below mentioned OpenBSD [openbsd.org], and that's a good recommendation. I think you'll find that a fair amount of the unix-y environments start you off at a solid base, and allow you to build up. This is in contrast to whenever I have the (in my opinion, of course) displeasure of dealing with a windows install, where I have to tear down and build up.

No, not all distros are the same. Sometimes they have annoying services listening on all interfaces, like cups or lprd. That's one of the reasons why OpenBSD is nice. It starts you off with a good base from which to build up. I have recently switched to the excellent ubuntu [ubuntu.org] distribution from debian sarge. I am pleasantly surprised by the fact that very few services are listening by default, so there's really not all that much to do to "secure" the box (at least from a basic point of view). In fact, when I installed ubuntu over debian, I kept my old home directory, so there was no tweaking to get my desktop how I want it. I guess you could do the same with windows, but it's a pain to mess around with the registry to point to a different location/drive for user's home folders. All I have to do is mount the old volume as /home and it works fine.

Not only that, but the installation of new software is tremendously easier for the unix-y domain, at least debian, where apt-get is very good at solving your problems. No cds to look for, no keys to look for, makes it all very easy. So I think you're making a kind of incorrect blanket statement based on your experience with windows (it seems).

That said, I prefer the old tiny [tinysoftware.com] personal firewall, but only the old version (2 or 3?) as the new one doesn't have as nice an interface. It seems to barf a fair amount when installed on XP, so I'm actually shying away from that these days. You didn't say which version of windows you're using. I've been using the virus scanner from etrust, free to valid microsoft users: ezarmor [my-etrust.com] . It seems to work okay, and it's free. It also includes a firewall of sorts, but I don't recall being very impressed, so I installed tpf again. AV gets rather expensive, rather quickly. I purchased the symantec AV/Firewall suite for something like $50. As always, there's a linux NAT box protecting it all, allowing easy port forwarding. I've also used the linksys [linksys.com] wrt54g [linksys.com] and it seems to work okay. It's available pretty cheaply now, and allowed me to reduce the number of crud that clutters up the gf's apartment.

Anyway, I wish you luck with your new linux box, and I think (once you get used to it) you'll find it pleasantly surprising.

The obvious... (2, Insightful)

zyche (784345) | more than 8 years ago | (#10411692)

OpenBSD/pf.

Re:The obvious... (2, Insightful)

hdw (564237) | more than 8 years ago | (#10412133)

Amen to that.
Two junkboxes, an SS10/30 that happened to have a quad-ethernet and a P200 with 4 cheap PCI NICs.
Both with OpenBSD with pf, pfsync and carp.
Wlan AP connected to DMZ allowing only IpSec traffic.
Internal server with samba/nfs, Clamd and Squid.
All internal boxes get their virus scanned mail from the server, all http access thru squid (with filtering for annoying ads and crap).
All MS boxes also have updated Norton Antivirus and of course Firefox/Thunderbird.

And Daddy gets a good night's sleep, every night :)
// hdw

Re:The obvious... (1)

l0rd (52169) | more than 8 years ago | (#10412368)

Amen. Why protect yourself with a woven quilt when you can cocoon yourself in a fortress.

OpenBSD/pf as firewall with mcafee/firefox loaded on all clients. Also mcafee antivirus on all windows boxes. All mail on freebsd box, through SpamAssassin and delivered to clients via imap.

All outward connections via encrypted protocols wherever possible, mail fetched via ssh tunnel.

Like I always like to say : More crypto, more crypto, more crypto ;)

Re:The obvious... (1)

Triumph The Insult C (586706) | more than 8 years ago | (#10414882)

move your mx to openbsd and then you can join those of us using the built-in spamd(8) =)

greylisting. mmmm!

vmlinuz (1)

node 3 (115640) | more than 8 years ago | (#10411697)

And when not that, Mac OS X.

You didn't specify it, but I assume you are referring to Windows. A question worth asking is whether whatever it is that has you running Windows is worth the hassle of worrying about virii/worms/etc.

Re:vmlinuz (1)

NanoGator (522640) | more than 8 years ago | (#10411840)

"A question worth asking is whether whatever it is that has you running Windows is worth the hassle of worrying about virii/worms/etc."

Seeing as how Linux has its share of it too, it's not all that clear that hassle would suddenly disappear. Add, on top of that, jumping through all the hoops of setting up Linux and finding alternative software that does what he needs, assuming such software exists. (note: I don't mean for that to sound like an attack on Linux, but not everybody can just suddenly switch without losing something. I can't because of a particular app I use daily.)

Re:vmlinuz (1)

node 3 (115640) | more than 8 years ago | (#10411946)

it's not all that clear that hassle would suddenly disappear

I don't know what you mean by "suddenly disappear" (it certainly wasn't in reference to anything I stated in my post). If you mean all systems have the potential for being cracked, then sure. But that doesn't tell anything near the whole story. If you run Linux (or OS X, which you left out in your reply), your odds of being cracked/spywared drop low enough that it's not really worth fretting over--even if you don't turn on the built-in firewalls (which are infinitely superior to the Windows built-in firewall).

So while you may be playing the pedant card and using language that is "technically correct", you have added more confusion than clarification to the issue. I hope you don't mean that Windows, Linux, and Mac OS X are all equally crackable. If you aren't careful, you can end up with a cracked XP system during the install process, what a joke!

Re:vmlinuz (3, Interesting)

NanoGator (522640) | more than 8 years ago | (#10412025)

"I don't know what you mean by "suddenly disappear" (it certainly wasn't in reference to anything I stated in my post)."

I apologize if I have misinterpreted your meaning, but your post does read that way.

"If you run Linux (or OS X, which you left out in your reply), your odds of being cracked/spywared drop low enough that it's not really worth fretting over--even if you don't turn on the built-in firewalls (which are infinitely superior to the Windows built-in firewall)."

I left out OSX only because he cannot install OSX on a Windows machine.

As for the odds being low, that doesn't really help, does it? You still have to regularly install updates to Linux and the apps you run on top of it, Mozilla for example. I found this out myself. Buying all of Slashdot's hype that Linux is secure, I built a Linux webserver for my company. 2 weeks later it was rooted. Our newly hired Linux expert had to rebuild it 'securely'. Thankfully for them, they had him on hand to clean up the mess caused by my incompetence.

"So while you may be playing the pedant card and using language that is "technically correct", you have added more confusion than clarification to the issue. I hope you don't mean that Windows, Linux, and Mac OS X are all equally crackable. If you aren't careful, you can end up with a cracked XP system during the install process, what a joke!"

My only real point is that you have to be vigilant either way. It's a question of whether or not it's 'worth the fuss'. Interestingly enough, Windows' highly publicized insecurity has led to some interesting developments such as auto-updating virus protection and Windows Update itself. If Linux doesn't have these, it needs them, especially when it reaches enough users for worms etc to really be an issue.

I'll put it another way: I'm a Windows user. I have several machines I have to take care of. I don't have problems with exploits trojans or spyware. Once in a great while something will come along. I take care of it, bfd. I spent more time building the ill-fated Linux/Apache server than I have in a year of maintaining exploit-related Windows problems.

Re:vmlinuz (1, Funny)

Anonymous Coward | more than 8 years ago | (#10412033)

Buying all of Slashdot's hype that Linux is secure, I built a Linux webserver for my company. 2 weeks later it was rooted. Our newly hired Linux expert had to rebuild it 'securely'. Thankfully for them, they had him on hand to clean up the mess caused by my incompetence.

Bwahahahaha! This information will be used against you in a future troll.

Re:vmlinuz (1)

NanoGator (522640) | more than 8 years ago | (#10412088)

"Bwahahahaha! This information will be used against you in a future troll."

Hehe. Look forward to it.

Re:vmlinuz (3, Informative)

node 3 (115640) | more than 8 years ago | (#10412244)

I apologize if I have misinterpreted your meaning, but your post does read that way.

No problem. If you re-read my original post you'll see it's more of how you read it than how I said it (I imagine you read it through slashdot-colored glasses, as it were).

I left out OSX only because he cannot install OSX on a Windows machine.

But presumably it is an option available to him. Cost is an issue he'll have to weigh for himself if he deems it worthwhile. I was just offering two options that work for me.

Buying all of Slashdot's hype that Linux is secure, I built a Linux webserver for my company. 2 weeks later it was rooted.

The guy doesn't sound like he's interested in running a web server. There are plenty of ways to make an apache install insecure. Again, to make a fair comparison, it's easier to crack IIS than it is Apache. That you got 0wn3d doesn't detract from my point. I never said Linux was uncrackable, I said it's more secure (by a large margin).

My only real point is that you have to be vigilant either way.

This is the "what do you mean by that realm". 'Vigilant' is a term that is subjective. Under Debian, 'vigilant' means running apt/aptitude/dselect (whichever is your choice) and telling it to update your system. Under Mac OS X, 'vigilant' means clicking "install" when Software Update pops up. Under Windows, 'vigilant' is far more involved.

Subjectively you can say both require 'vigilance', but they are not equal. You are repeating the confusion of a Windows apologist. When a Linux advocate (yeah, sometimes they are rabid too), claims that Windows is less secure, the Windows apologist will say Linux has security holes too. But when you look closely, you'll see a world of difference. Both a glass of water, and a handful of rattlesnakes can kill you, but one is far safer than the other.

It's far easier to crack a Windows computer than a Linux computer by a wide margin.

It's a question of whether or not it's 'worth the fuss'.

Which is what I said in my original post.

I'll put it another way: I'm a Windows user. I have several machines I have to take care of. I don't have problems with exploits trojans or spyware. Once in a great while something will come along. I take care of it, bfd. I spent more time building the ill-fated Linux/Apache server than I have in a year of maintaining exploit-related Windows problems.

Then Linux isn't for you. I never said it was for everyone. I suggested he consider it (maybe he has, maybe he hasn't, I have no way to know, but both Linux and Mac OS X are viable alternatives and worth considering).

Re:vmlinuz (1)

SirTalon42 (751509) | more than 8 years ago | (#10413602)

Don't forget that APT runs on RPM based distros too (like my FC 2 box), also FC 2 (1 too?) has a yum service setup by default that will auto update the system (if you enable it that is)

Also there is RedHat Up2date for redhat based distros... so my 1 computer has THREE brain dead easy ways of updating all installed software... how easy!

Re:vmlinuz (1)

Spoing (152917) | more than 8 years ago | (#10413892)

I'll put it another way: I'm a Windows user. I have several machines I have to take care of. I don't have problems with exploits trojans or spyware. Once in a great while something will come along. I take care of it, bfd. I spent more time building the ill-fated Linux/Apache server than I have in a year of maintaining exploit-related Windows problems.

I agree and understand what you say including this part -- My only real point is that you have to be vigilant either way. Whatever system I set up -- Windows or any *nix variety -- the rules are basically the same; keep it simple (remove everything that is not necessary) and check your work (nessus and nmap for external scans...other tools for the less important local scans). Automate what you can.

As a comparison, it took me 3 days solid to figure out Windows XP gaps and holes and plug them -- even after having experience with all versions of Windows in the past and securing everything from W98 through the NT/2000 line. Now I can secure a system in about a day with no tools. I spent weeks learning Linux security, though I can secure Linux in a matter of a couple hours with no tools.

I've found that Windows is as difficult to secure completely as any *nix system; by default more moles are poking up on the Windows systems and need to be whacked down.

Re:vmlinuz (0)

Anonymous Coward | more than 8 years ago | (#10414870)

"Buying all of Slashdot's hype that Linux is secure, I built a Linux webserver for my company. 2 weeks later it was rooted. Our newly hired Linux expert had to rebuild it 'securely'. Thankfully for them, they had him on hand to clean up the mess caused by my incompetence."

No offense, but then you are a fool who should not touch any sort of computer as an administrator, ever.

It is people like you who are the cause for all the ill we have on the Internet - worms, viruses, and spam. It is YOUR fault.

I hope the company deducted the damage you caused from your salary.

Locked-down OS/X does it for me. (1)

Mordant (138460) | more than 8 years ago | (#10411701)

No, nothing's perfect - but OS/X on my AlBook is pretty damn close. ;>

Not doing dumb things... (4, Insightful)

Spoing (152917) | more than 8 years ago | (#10411703)

...keeping my systems as simple as possible (from apps to services) and following my own advice on firewalls (see signature).

If you add complexity to deal with complexity you are introducing additional vectors for even more security problems. (One example: trusting that a virus detector is working because it says 'everything is fine'...only to find out later that the last virus through disabled the virus detector so it would always report 'everything is fine'.)

Not much. (1, Interesting)

Anonymous Coward | more than 8 years ago | (#10411721)

I don't bother with a software firewall. They're pretty pointless, as long as you have a hardware firewall.

All of my machines are behind a Linksys WRT54G. The windows machines have Spybot, Adaware and Norton installed on them.

Never had a problem. Ever.

Re:Not much. (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#10411762)

Never had a problem. Ever.

Sorry, that's because I could never figure out you were running a WRT54G.

It all makes sense now...

Re:Not much. (2, Insightful)

WhiteBandit (185659) | more than 8 years ago | (#10411794)

Software firewalls do a good job of monitoring outgoing connections, especially when it comes to setting permissions on what programs can access the internet.

Hardware firewalls are slightly more cumbersome when trying to set this up, as most only allow you to filter outgoing connections by ports.

Re:Not much. (1, Insightful)

Anonymous Coward | more than 8 years ago | (#10412074)

But why do I care to monitor outgoing connections? The hardware firewall prevents unwanted incoming requests. I don't care about outgoing requests unless they're initiated by spyware. By keeping spyware and viruses off of my system, I don't have to worry about that.

Besides, most software firewalls do not thoroughly prevent unwanted outgoing connections. It's simple to slip something by the stack.

Re:Not much. (1)

Hast (24833) | more than 8 years ago | (#10412442)

I guess it depends a lot on if you begin by hardening a system and then consider it "clean". While it is true that a secure system shouldn't have any programs "dialing home" I'm not sure I would trust it in the long run.

If we're talking your own box, sure. Because I know that if I fuck up that badly then I can deal with it. When people ask me for advice I ensure that their connection is locked on both ways. It saves me troubles down the road.

It's quite true that personal firewalls (which I think is a better term than software firewalls) which run on the computer they are supposed to protect have severe limitations. Their main function as I see it is to protect the users from their own stupidity and script kiddies. Not for determined hackers.

Re:Not much. (1)

Penis_Envy (62993) | more than 8 years ago | (#10413625)

This is one reason why I liked tiny personal firewall (the older, simpler version), which allowed/allows you to specify what was allowed to get out of your box, per application. It kept hashes of the exe's, so you would know when the exe was modified, and could react appropriately depending on whether you'd recently upgraded or not.

I would imagine it depends on how you want to do the job, and/or how secure you want to be. I don't trust windows boxes much, or rather, I don't trust users much, and managing outgoing traffic allows better control of what users are doing with machines.
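
The per-application, hash-pinned outbound rule described in the comment above can be modelled as follows. This is an added example, not part of the thread and not code from any firewall product; it covers only the decision logic, the names (`OutboundPolicy`, `decide`, `approve`) are hypothetical, and SHA-256 is an assumption since the comment does not say which hash was used.

```python
"""Per-application outbound rules pinned to the hash of the executable.

Added example: decision logic only, no packet filtering. All names are
hypothetical and the sample "executables" are constructed byte strings.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

ALLOW, DENY, ASK_NEW, ASK_CHANGED = "allow", "deny", "ask-new", "ask-changed"


def file_sha256(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Rule:
    sha256: str   # hash of the binary at the moment the user approved it
    action: str   # ALLOW or DENY


@dataclass
class OutboundPolicy:
    rules: dict = field(default_factory=dict)  # resolved path -> Rule

    def approve(self, path: str, action: str = ALLOW) -> None:
        """Record the user's decision together with the current file hash."""
        real = os.path.realpath(path)
        self.rules[real] = Rule(file_sha256(real), action)

    def decide(self, path: str) -> str:
        """Decide what to do when `path` attempts an outbound connection."""
        real = os.path.realpath(path)
        rule = self.rules.get(real)
        if rule is None:
            return ASK_NEW              # never seen: ask the user
        try:
            current = file_sha256(real)
        except OSError:
            return DENY                 # vanished or unreadable: fail closed
        if current != rule.sha256:
            return ASK_CHANGED          # upgrade or tampering: old rule is void
        return rule.action


def _write(path: str, data: bytes, mode: str = "wb") -> None:
    with open(path, mode) as fh:
        fh.write(data)


def demo() -> list:
    """Walk one constructed binary through its lifecycle; return the decisions."""
    decisions = []
    with tempfile.TemporaryDirectory() as tmp:
        browser = os.path.join(tmp, "browser.exe")
        _write(browser, b"constructed build 1.0")
        policy = OutboundPolicy()
        decisions.append(policy.decide(browser))   # first connection attempt
        policy.approve(browser)
        decisions.append(policy.decide(browser))   # approved, unchanged
        _write(browser, b" + extra bytes", "ab")   # file modified on disk
        decisions.append(policy.decide(browser))
        policy.approve(browser)                    # user confirms an upgrade
        decisions.append(policy.decide(browser))
        os.remove(browser)
        decisions.append(policy.decide(browser))   # rule exists, file gone
    return decisions


if __name__ == "__main__":
    print(demo())
```

A changed hash invalidates the old rule rather than silently inheriting it, which is what lets the user tell an expected upgrade from an unexpected modification.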

Re:Not much. (1)

0x0d0a (568518) | more than 8 years ago | (#10412400)

*Personal* firewalls are pointless as security against remote attacks (the ones where you run one program to "protect" one computer). They're sold by the same scaremongers that sell AV software, and have traditionally opened more holes (via non-robust analysis code) than they've solved. If you're using something like that, you're blowing CPU cycles and RAM without gaining much. Tighten up a computer by removing broken and insecure daemons and properly configuring the remaining ones, not by adding in more software into the mix that purports to "secure" your computer.

Firewall/NAT for net enabled installs (1)

venomkid (624425) | more than 8 years ago | (#10411768)

I use Norton's flavor of the year with Zonealarm and the good sense not to open every email attachment.

And I always have a computer between me and the Internet with a firewall or NAT so that I can install new boxen in peace.

You forgot the web browser (Firefox) (1)

venomkid (624425) | more than 8 years ago | (#10411777)

As browsing itself gets more and more perilous, a sound web browser is becoming as important as firewalls/AV software.

I use and recommend Firefox.

Re:You forgot the web browser (Firefox) (3, Insightful)

going_the_2Rpi_way (818355) | more than 8 years ago | (#10411819)

Hmmm... I don't know about this. You either want to run scripts or not. You either want to use plug-ins and accept cookies or you don't. Any browser that's configured to do those things will be somewhat insecure. You probably make yourself less of a target by using relatively eccentric browsers, but, if subjected to the same scrutiny as the more popular ones, are they any more secure? The real question is where does the lack of functionality outweigh the lack of security/privacy? Do we all go back to Lynx?

Re:You forgot the web browser (Firefox) (3, Interesting)

venomkid (624425) | more than 8 years ago | (#10411833)

Well, you could go so far as to say (correctly) that by inviting any data into your computer, you're less secure. Even by plugging in a network cable and letting it sit there you're less secure.

"Scripts or not" doesn't help when something like the recent GDI debacle occurs.

The trick is in finding a balance that keeps you safe enough from attack but open enough to do what you want to do.

So far, considering how fast they put out updates and how many exploits the leading browser has, I think Firefox does a pretty good job of this.

Re: black or white (1)

nusratt (751548) | more than 8 years ago | (#10412966)

"You either want to run scripts or not. You either want to use plug-ins and accept cookies or you don't."

Not true for me, depends a lot on the site.
Fortunately, Agnitum.com "Outpost" fw lets me control ALL those things on a per-site basis.

a la carte (4, Informative)

Down8 (223459) | more than 8 years ago | (#10411786)

AVG AntiVirus. (Free)

Windows Firewall (XP Pro). (~Free)

Aerielink (Soyo) router. (~$60, incl. USB-WiFi used by other computer)

Before the router I ran Tiny Personal Firewall (now Kerio PF), and loved it (free and better than Zonealarm or BlackICE, for my needs). Also had Norton AV for a while, but it was just 'eh', and isn't free.

-bZj

Home setup (5, Interesting)

consolidatedbord (689996) | more than 8 years ago | (#10411793)

Yes, it's a bit of damn overkill for a home setup, but you can never be too safe. :)

-cable modem->linux 2.4 kernel router running iptables
-norton antivirus corporate edition
-Microsoft Software Update Services for the Windows boxes
-iptables for the Linux boxes
-ntop and snort for traffic monitoring
-I have a WRT54G that I don't use for routing anymore, just as a bridge. Anything that I use over wireless is done over ssh. Host connection, bank account checking, email, vpn to work, etc.
-various other utilities to monitor tcp/ip traffic
-good old fashioned obsessive tailing of logfiles along with vgrep
:)

Re:Home setup (2, Interesting)

LordDartan (8373) | more than 8 years ago | (#10412909)

Concerning using tail on log files. I read at one time that it's possible (maybe even easy??) to put an exploit in a log file (you know what gets logged with httpd, so it's easy to get what you want in a log file) that causes an overflow and for the exploit to run. I don't remember where I read that, but ever since, I just use less and hit > to go to the end of the file.

Re:Home setup (2, Interesting)

Kronovohr (145646) | more than 8 years ago | (#10413672)

I think what you're referring to is the return of the ANSI bomb -- there have been several patches to programs such as less and vim to prevent this from occurring, but your recollection is correct; you can place certain control sequences in output messages (I'd imagine a wide-open syslog would be relatively simple) that, when displayed via certain terminals and/or certain programs, could cause command execution with the privileges of the user.

Here [linux.org] is the result of some quick googling on the subject.
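
For the log-viewing concern raised in the two comments above, one defensive approach is to make control sequences visible before a log line ever reaches the terminal. The following is an added example, not part of the thread and not code from less, vim or any other tool mentioned; `scan_log`, `neutralize` and the sample access-log lines are constructed for illustration.

```python
"""Make terminal control sequences in log lines visible before viewing them.

Added example; the log lines below are constructed for illustration.
"""
import re

# Everything a terminal would act on instead of displaying:
UNSAFE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI: ESC [ params final byte
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"   # OSC: ESC ] ... BEL or ESC \
    r"|\x1b[@-_]?"                           # other or truncated ESC sequence
    r"|[\x00-\x08\x0a-\x1f\x7f-\x9f]"        # bare C0/C1 controls, DEL (TAB kept)
)


def kind(seq: str) -> str:
    """Classify a matched sequence for the report."""
    if seq.startswith("\x1b["):
        return "CSI"
    if seq.startswith("\x1b]"):
        return "OSC"
    if seq.startswith("\x1b"):
        return "ESC"
    return "control"


def visible(seq: str) -> str:
    """Render control characters as literal \\xNN text; keep printable ones."""
    return "".join(
        f"\\x{ord(c):02x}" if ord(c) < 0x20 or 0x7F <= ord(c) <= 0x9F else c
        for c in seq
    )


def neutralize(line: str):
    """Return (safe_line, findings) where findings is [(kind, shown), ...]."""
    findings = []

    def repl(match):
        shown = visible(match.group())
        findings.append((kind(match.group()), shown))
        return shown

    return UNSAFE.sub(repl, line), findings


def scan_log(raw: bytes):
    """Sanitize a whole log. Returns (safe_lines, [(line_no, kind, shown)])."""
    lines = raw.split(b"\n")        # split on LF only, so a CR stays in its line
    if lines and lines[-1] == b"":
        lines.pop()
    safe_lines, report = [], []
    for number, raw_line in enumerate(lines, 1):
        # Invalid UTF-8 becomes literal \xNN text instead of raising.
        text = raw_line.decode("utf-8", errors="backslashreplace")
        safe, found = neutralize(text)
        safe_lines.append(safe)
        report.extend((number, k, shown) for k, shown in found)
    return safe_lines, report


# Constructed sample: request paths carrying a title-set, a screen clear plus
# cursor-home, and a carriage return that would overwrite the line on screen.
SAMPLE_LOG = (
    b'192.0.2.10 - - [04/Oct/2004:10:12:01 +0000] "GET /index.html HTTP/1.0" 200 1043\n'
    b'192.0.2.77 - - [04/Oct/2004:10:12:09 +0000] "GET /\x1b]0;title text\x07 HTTP/1.0" 404 210\n'
    b'192.0.2.77 - - [04/Oct/2004:10:12:11 +0000] "GET /a\x1b[2J\x1b[1;1Hb HTTP/1.0" 404 210\n'
    b'192.0.2.77 - - [04/Oct/2004:10:12:15 +0000] "GET /x\rfake line HTTP/1.0" 404 210\n'
    b'198.51.100.3 - - [04/Oct/2004:10:13:00 +0000] "GET /caf\xc3\xa9 HTTP/1.0" 200 88\n'
)

if __name__ == "__main__":
    safe, report = scan_log(SAMPLE_LOG)
    print("\n".join(safe))
    for line_no, k, shown in report:
        print(f"line {line_no}: {k} {shown}")
```

Decoding before matching keeps legitimate UTF-8 (the last sample line) intact while still catching C1 controls, which would be indistinguishable from continuation bytes if the pattern ran on raw bytes.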

Not much (2, Interesting)

dtfinch (661405) | more than 8 years ago | (#10411799)

I have a 5 port d-link router set up as a NAT, the cheapest I could find. After purchase I set the password and upgraded the firmware. That's the extent of my firewalling.

Most of my email and browsing is done in Mozilla. Never got infected through Internet Explorer or Outlook Express though. I have a Linux PC and a Windows XP PC running side by side. I don't use antivirus software and I don't get viruses or spyware.

Re:Not much (4, Insightful)

skinfitz (564041) | more than 8 years ago | (#10411866)

...Never got infected through Internet Explorer or Outlook Express though. I don't use antivirus software and I don't get viruses or spyware.

Forgive me for pointing out the obvious, but how do you know?

Absolutely nothing you have there would prevent the latest GDI exploit from running code of attacker's choice on your Windows box by you doing nothing more complicated than viewing an image.

Windows Update? (0)

Anonymous Coward | more than 8 years ago | (#10412213)

Absolutely nothing you have there would prevent the latest GDI exploit from running code of attacker's choice on your Windows box by you doing nothing more complicated than viewing an image.


Keeping software updated is probably the most important thing anyone can do.

Re:Not much (2, Informative)

strikethree (811449) | more than 8 years ago | (#10412377)

"Forgive me for pointing out the obvious, but how do you know?"

People are always asking this question but I have never seen anyone answer... so I will.

If a virus/worm/whatever is going to be doing anything interesting, it MUST use resources. If you are always monitoring your resource usage, you WILL (eventually anyways) notice the new/different/extreme resource usage. Blinking lights (hard drive, router, etc), sounds, resource meters, firewalls that report activity, are all things that can alert you to malicious code. Antivirus software can be useful, but it is not the only way to detect a virus.

strike

Re:Not much (1)

WhatAmIDoingHere (742870) | more than 8 years ago | (#10414046)

I do the same thing as that guy, and I know I've never had a virus because I hit a free online scanner once a month or so.

The setup... (2, Informative)

BrynM (217883) | more than 8 years ago | (#10411815)

Smoothwall [smoothwall.org] firewall installed on an old AMD 333 system, DHCP running on an internal box (also running other services), internal DNS and some network trickery. AVG [grisoft.com], Sygate [sygate.com] Personal Firewall and strict Active Directory/Group Policy [microsoft.com] (or at least as much as possible using non-M$ methodology) control on every Win32 box. Various brands, but the same ingredients for the two Linux boxen. SSH [openssh.org] and VNC [tightvnc.com] on everything. Lots of dirty looks, nagging and ever increasing restrictions for more... mischievous users.

I don't have a chance to dig up links for these, but diagnostic tools are a must if you really want to lock stuff down. First, generate and read logfiles whenever possible. Check things out with nmap, tcpdump, ActivePorts, Look@Lan, Kiwi syslog Daemon, Portlistener XP, Bazooka Spyware Utility, Spybot Search and Destroy, Socketlock ... the list goes on. Generally try any tool you can and you'll get a feel for what is actually to your tastes and useful.

Why TightVNC? Other questions. (3, Interesting)

Futurepower(R) (558542) | more than 8 years ago | (#10412551)


Many questions:

Why did you choose TightVNC? Why not RealVNC [realvnc.com], UltraVNC [sourceforge.net], or TridiaVNC [tridiavnc.com]?

Is it better to pay for VNC software, like Tridia VNC Pro [tridiavncpro.com] or Radmin [radmin.com]? Which software has video resolution scaling of the remote desktop?

What security is best? Is it good to use a VPN for secure access, or is SSH better? What Windows SSH server do you use?

What VPN hardware is best? We bought a NetGear FVS318 hardware firewall/router/VPN for a customer, and discovered that the remote administration password is openly transmitted. We found that logging out in the remote administration menu didn't always actually log out. We found Javascript errors. With the 2.4 firmware, more than one client can be logged in at the same time. That situation, two clients at the same time, would give an error message with the 2.3 firmware, so things seem to be going backward in some ways, in firmware that is already shaky. Our experience with Netgear technical support is that it is very limited. On the telephone we got someone in Tamil Nadu, India, who was allowed to practice for a short time with Netgear equipment, but who doesn't any longer have access to actual equipment. The online tech support just gave error messages. Not only that, but Fry's and Netgear arranged a rebate trick. They have a very long rebate receipt, and ask you to enter your address both at the top and at the bottom. If you don't enter it at the bottom, they deny your rebate.

K.I.S.S. - always been and always will be best (4, Insightful)

mabu (178417) | more than 8 years ago | (#10411830)

It's amusing that people focus on the latest-and-greatest security software, which IMO is more counterproductive than it is productive.

You get a whiz-bang anti-virus/firewall system set up and what does it do? Give you a false sense of security so you can feel more confident about engaging in irresponsible computer use. The problem is almost every piece of security software out there has at one point or another been vulnerable, so you're flirting with disaster.

I think no matter how many advances we have in this area, the basic rules of security will always apply:

1. Limit Accessibility.

99% of security issues are inside jobs. Limit physical access to your resources. Don't put any sensitive data on a machine that anyone else has access to that you don't want public. Use encryption, multi-wipe free space and turn off your machine when you're not using it.

Some people don't want to hear this but it needs to be said: DON'T USE WIRELESS if you're worried about security. No matter what precautions you're taking, by going Wireless you dramatically lower the integrity of your personal security PERIOD. It's one thing to use wireless on the road, but you should limit the sensitive information on your laptop in the first place because it's mobile, but it's really just plain lazy and irresponsible to run wireless in a permanent installation like your home if there is any practical way to avoid doing so.

I can't stress this enough: *unconditionally* WIRELESS IS MUCH LESS SECURE. It doesn't matter what protocol/encryption you're using, by going wireless you introduce additional ways your system/data can be accessed.

Remember the first commandment: True security is more dependent upon reducing access points than it is implementing protection of access points.

2. Disable ALL non-critical services. Don't run anything except what you need on your PC. Close all unused ports; remove all services and extra features and plug-ins that aren't needed. The fewer systems, the fewer points of vulnerability.

3. Keep all software fully-patched and up to date.

4. If possible, never use the "industry standard" software if it's not the most secure solution available. Dump IE and Outlook and switch to Firefox and Eudora.

5. TEXT ONLY E-MAIL... This, after #1 is IMO the biggest threat of them all. The added superficial benefit of html-email is not worth the security liabilities that come along with it. If you want to use html e-mail, I'd recommend a second, sandboxed account for that.

6. Never put a machine on public-addressable IP space unless it's a public server. Use a DSL/cable switch and put your systems on a VPN on the other side of a hardware firewall that filters out all non-essential traffic.

7. After you've taken care of 1-6, then and only then should you consider anti-virus/spyware and related software to be a useful addition.

Re:K.I.S.S. - always been and always will be best (2, Insightful)

dasunt (249686) | more than 8 years ago | (#10411912)

I can't stress this enough: *unconditionally* WIRELESS IS MUCH LESS SECURE. It doesn't matter what protocol/encryption you're using, by going wireless you introduce additional ways your system/data can be accessed.

Explain to me how a properly configured IPSEC setup is less secure than a wired setup.

[ As for the original question, I'm protecting my computers through iptables on the server (running debian stable), and the samba shares are scanned with f-prot weekly. Each desktop machine runs their own antivirus, and I don't use IE or Outlook/OE. Updates are applied very often. ]

Re:K.I.S.S. - always been and always will be best (3, Interesting)

CaptainCheese (724779) | more than 8 years ago | (#10412222)

IPSEC can be brute-forced and/or dictionary attacked, just like anything can... and IPtables are the same, if the cracker can assume any necessary IP address and remain addressable. Whereas a net based attack must come from a correctly addressed (even if it's a compromised 3rd party) machine, or the packets will simply never return to the attacker.

You are comparatively safe with IPsec, however this is just because five people down the block don't know what it is, making them a softer target.

Anyone who really wants in to a cable based LAN has to find a place to jack in, and you're fitting a metaphorical socket to your front door.

Of course, any external networking connections are inherently insecure compared to none - physical security is the best security layer, but I doubt many /. readers are using that policy.

Re:K.I.S.S. - always been and always will be best (2, Insightful)

dasunt (249686) | more than 8 years ago | (#10412297)

IPSEC can be brute-forced and/or dictionary attacked, just like anything can... and IPtables are the same, if the cracker can assume any necessary IP address and remain addressable. Whereas a net based attack must come from a correctly addressed (even if it's a compromised 3rd party) machine, or the packets will simply never return to the attacker.

Er, almost anything can be dictionary-attacked or brute-force attacked. Given enough time, the ability to ignore the death of the universe, and a ton of processing power, the attack may even be successful. It took distributed.net only 1,757 days to crack a 64-bit RSA key, using the resources of an estimated one-third of a million people. At their peak rate, they could have found a solution by 790 days (with a 50% chance of it being found in 395 days). That was using the computing power equivalent to over 45 thousand Athlon 2GHz machines.

That was with a 64-bit key. A 128 bit key would be 18446744073709551616 times harder to crack. ( Of course, IPSEC uses different cyphers, with different-bit lengths, which means that the time would probably vary to break an IPSEC key. )

It's possible to set up IPSEC to encrypt a VPN between two machines, and deny any machine not using IPSEC from connecting.

Such a wireless setup is going to be pretty damn secure. If an organization is going to take the time to crack you, the IPSEC VPN is not the place they are going to start.

Just my $.02

PS: Perhaps you were thinking of WEP...

Re:K.I.S.S. - always been and always will be best (1)

CaptainCheese (724779) | more than 8 years ago | (#10412347)

just pointing out security by obscurity (and that's all an RSA key is; those ridiculously long time-to-crack estimates are getting smaller every day...if a more efficient prime factoring method turns up it'll all be useless) is not as good as when it's combined with physical security.

kinda the difference between storing treasure in a safe and storing it safe in your private estate replete with motivated guys in machine gun nests...

Re:K.I.S.S. - always been and always will be best (4, Insightful)

Hast (24833) | more than 8 years ago | (#10412663)

No, the statement that RSA is somehow "security through obscurity" is just plain incorrect.

STO is when you use unpublished methods and rely on the attacker not bothering to try to reverse-engineer your system as a method of protection. Examples are using XOR and similar cyphers in obfuscated ways to hide the details.

So far RSA has not been compromised. Until such a time using RSA in open and peer reviewed protocols (remember that RSA etc are only a small part of the big security system) is in no way "Security Through Obscurity", it is in fact Best Practices (tm) and that is pretty fucking far from STO! And if a really good way to factor into primes comes up then you CHANGE the encryption scheme!

Most people have a grasp of just how many combinations there exist in a 2^1024 key. As far as we know the number of atoms in the universe (including dark matter and such) is on the order of 2^200. Now in RSA and other asymmetrical systems not all keys can be used, but still I'm willing to guesstimate that a typical 2^1024 key has way more than 2^1000 valid keys (I can't be bothered to do a real estimate, and that's probably way too small).

Now consider that the Universe is Pretty Damned Big, yet the number of valid keys completely dwarfs that. It is hard to put into words just how completely unlikely you are to brute-force an RSA key (or any other key for that matter). Just imagine all the absurd unlikely events EVER happening to you in the same microsecond. Then multiply that by about 50 billion times and you'll still be ways off, but you'll get the idea.

In short, you are not going to brute force a key which is even 2^256, it's just not happening.

If you are that worried about someone tapping into your wireless systems do you also ensure that all your electronics are protected from people snooping on your electric signals? Or do you wear sunglasses and gloves all the time to protect you from someone trying to get a copy of your iris/retina or finger prints? That's a lot more likely than someone breaking your encrypted wireless communication.

Besides I'd rather have my precious data under my desk in encrypted form than in some bunker with a bunch of morons with explosives. No way to be sure what they end up shooting at when they are drunk and bored.

RSA is far less obscure than physical security (0)

Anonymous Coward | more than 8 years ago | (#10414169)

just pointing out security by obscurity (and that's all an RSA key is; those ridiculously long time-to-crack estimates are getting smaller every day...if a more efficient prime factoring method turns up it'll all be useless) is not as good as when it's combined with physical security.

You've actually got it backwards. RSA is an extremely high profile and well understood target that's survived twenty years worth of attacks from hundreds of the brightest security researchers in the world. Your physical security by comparison is an infinitesimally obscure target that would crumble in an instant if subjected to the same intensity of attack from the same group of people.

You can call RSA whatever else you want, but the last thing in the world that applies to RSA is "obscurity." When it comes to network security, I feel more confident trusting the cryptographic security of RSA than the physical security of network cables. After all, only one of the two has withstood the best efforts of hundreds of top security researchers for twenty years, and it ain't the one you think.

Re:K.I.S.S. - always been and always will be best (0)

Anonymous Coward | more than 8 years ago | (#10412329)


"...physical security is the best security layer, but I doubt many /. readers are using that policy."

1 Yale and two 5-lever mortice locks on the steel-reinforced front door, inlay bolts and three high security hinges. Double glazing with two locks, smash sensors linked to main building alarm. Pressure pads, passive IR, + laser and audio protecting human sized entryways. Fibre optic cabling for all network connections except EAL4+ firewall connecting to my internet connection. Covert CCTV providing full exterior coverage (AXIS Network cameras) - all images timestamped and copied real-time to offsite storage over encrypted link. Exterior of property surrounded by prickly bushes.

Plus one German Shepherd, ex-RAF guard dog.

Re:K.I.S.S. - always been and always will be best (1)

dasunt (249686) | more than 8 years ago | (#10412335)

IPSEC can be brute-forced and/or dictionary attacked, just like anything can... and IPtables are the same, if the cracker can assume any necessary IP address and remain addressable. Whereas a net based attack must come from a correctly addressed (even if it's a compromised 3rd party) machine, or the packets will simply never return to the attacker.

Er, almost anything can be dictionary-attacked or brute-force attacked. Given enough time, the ability to ignore the death of the universe, and a ton of processing power, the attack may even be successful. It took distributed.net only 1,757 days to crack a 64-bit RSA key, using the resources of an estimated one-third of a million people. At their peak rate, they could have found a solution by 790 days (with a 50% chance of it being found in 395 days). That was using the computing power equivalent to over 45 thousand Athlon XP 2GHz machines.

That was with a 64-bit key. A 128 bit key would be 18446744073709551616 times harder to crack. ( Of course, IPSEC uses different cyphers, with different-bit lengths, which means that the time would probably vary to break an IPSEC key. )

It's possible to set up IPSEC to encrypt a VPN between two machines, and deny any machine not using IPSEC from connecting.

Such a wireless setup is going to be pretty damn secure. If an organization is going to take the time to crack you, the IPSEC VPN is not the place they are going to start.

Just my $.02

PS: Perhaps you were thinking of WEP...

Re:K.I.S.S. - always been and always will be best (1)

lynk (85290) | more than 8 years ago | (#10414159)

The way I treat wireless everywhere I've deployed it is that it's as secure as the internet, therefore you only get access to the VPN server.

In one way it's safer than the internet as people would have to be physically close (and places are usually covered by CCTV) but in another it's more dangerous as they'd have more bandwidth wirelessly and be less likely to be noticed downloading vast amounts of data.

Come to think of it as we only give access to the VPN server via wireless it's in fact more "secure" as via the internet you have access to our SMTP, HTTP, HTTPS, DNS etc...

Re:K.I.S.S. - always been and always will be best (1)

jilles (20976) | more than 8 years ago | (#10412954)

This is not my idea of KISS and I don't agree with most of your points.

Point 5 is downright idiotic. HTML is not executable by itself and unless you use a very old version of outlook (in which case you are asking for trouble), any javascript, vbscript or whatever will not be executed. Most virus mails are formatted as plaintext btw. The virus is almost always an attachment.

Wireless is not very secure out of the box but you can lock it down pretty effectively. I'd say the whole point of wireless is to 'introduce additional ways your system/data can be accessed'.

Point 2 is nice for performance but a good firewall takes care of security equally well.

Point 3 is a no brainer.

Point 4 is what everybody seems to be saying these days. If you keep your software up to date you are reasonably safe however.

Point 6 is not necessary as long as you use a firewall.

I tackle security in a more pragmatic fashion. I don't like removing features for security reasons. The key is to be conscious of what is running on your PC and to keep that under control. I ran without a firewall (not even NAT) & virusscanners throughout all the major virus and worms outbreaks over the past few years. None of them affected me because I knew how to configure outlook, shutdown services, etc. It's really that simple.

These days I use thunderbird (because I like its features) and I find that the winxp sp2 firewall is unobtrusive enough that I can tolerate it running in the background. I still don't have a virusscanner for performance reasons. This is a small but calculated risk. I'm aware of several open ports on my machine but that's because I installed software which needs those ports to function. Again this is a calculated risk, the bottom line is that those ports are open because I want them open.

I can afford to do this because I know what I'm doing. Ordinary users should rely on firewalls, virusscanners and spyware checkers to stay safe.

Re:K.I.S.S. - always been and always will be best (1)

Spoing (152917) | more than 8 years ago | (#10414036)

While I agree with your comments, there is one that I think you should strongly reconsider.

6. Never put a machine on public-addressable IP space unless it's a public server. Use a DSL/cable switch and put your systems on a VPN on the other side of a hardware firewall that filters out all non-essential traffic.

Point 6 is not necessary as long as you use a firewall.

#6 is actually the most important one; it's part of perimeter defense and LAN design (router/VLAN level not server level).

The job of a firewall isn't to block ports -- hell, unplug the cable if you want to block ports -- the job of a firewall is to allow access.

If the systems don't absolutely require access to the internet or any other bubble (VLAN primarily) not allowing access by default is a much simpler solution and can lower the load on your firewall (if firewalls are even needed where they are currently deployed).

Re:K.I.S.S. - always been and always will be best (5, Informative)

bushidocoder (550265) | more than 8 years ago | (#10413064)

Gonna have to call you out on wireless networks. Wireless networks are bad iff you don't know how to configure them right. 802.11g with WPA with preshared public keys is pretty safe. Can it be cracked? Yes. But then again, so can SSL, SSH, PGP and every other encrypted data you throw out there in due time.

The key to proper wireless setup is to associate different levels of trust between the wired and unwired components. Require WPA. Most household wireless routers allow you to specify a physical address list for visiting assets - do not allow unregistered MAC addresses to join your network. Have the wired network use a different subnet than your wireless network, so that the IPSecurity policies on your wired boxes can be set to prohibit access to the wireless agents on your house. Also, some routers let you set firewall rules between your wired and wireless subnets.

Audit everything. Everything. Disk space is cheap.

Also, run a packet sniffer on your wireless network. I once had a Netgear wireless router that would broadcast packets wired computers had sent it to route to the public internet across the wireless network - it had no concept of how to route correctly. If that's happening, throw that PoS away and get a real router.

Can this be compromised? Yes, but it requires breaking through various levels of real, cryptographically enforced security. Remember that only one part of information security is denying access to intruders because at the end of the day, the most locked down boxes plugged into a network can still be hacked. You must be constantly vigilant to detect intruders as they attempt access, you must have a recovery plan if you are compromised (everyone needs AV software and an individual firewall on each computer behind the NAT firewall), and must be sufficiently audited that you can trace access attempts back to the source. Watch your wireless traffic - with this type of security, in the very very remote chance you are compromised, it's going to take a long while. Is someone trying a variety of network attacks on your wireless network? If so, I've got good news - rule out that it's not someone in a car outside, and you can pinpoint it pretty quick down to a neighbor. Talk to them if you think it's their 16 year old punk teen, call the police, leave a note on their door with a picture of Sauron's eye saying they need to be more sneaky, whatever.

Re:K.I.S.S. - always been and always will be best (1)

Spoing (152917) | more than 8 years ago | (#10413656)

Great list. I agree with everything except '99% of security issues are inside jobs'.

All the reports I've read have pegged it at a 50/50 split...though I'd guess it is more like 80 inside / 20 outside (corporate) and 20 inside / 80 outside (home use). Not that we're making up statistics, though!

i use (0, Offtopic)

00420 (706558) | more than 8 years ago | (#10411834)

ipkungfu

m0n0wall for perimeter (1)

kayen_telva (676872) | more than 8 years ago | (#10411835)

m0n0wall
kerio pf4
nod32
adawareSE

My List (1)

maop (309499) | more than 8 years ago | (#10411854)

I haven't really customized my firewalls. All the software I use is free.

Win2k: AVG [grisoft.com], Ad-Aware [download.com], SpyBot - Search and Destroy [safer-networking.org], Spyware Blaster [javacoolsoftware.com]

Linux: nada

Tin Foil and DuctTape (5, Funny)

Sean Johnson (66456) | more than 8 years ago | (#10411903)

I completely covered my PC with it. There's no airflow, but at least it's safe. I also sprinkled some holy water on it for good measure. Those Nazis will never get to my PC now.

simple: (1, Insightful)

Anonymous Coward | more than 8 years ago | (#10411908)

GNU/Linux

openbsd/pf (1)

Triumph The Insult C (586706) | more than 8 years ago | (#10411909)

on a soekris [soekris.com] net4801 + vpn1401, and an 802.11b mini-pci from netgate [netgate.com]

pf does ingress and egress filtering

all wireless is accomplished via ipsec. after packets are decrypted, they too are filtered

My setup (1)

kagaku (774787) | more than 8 years ago | (#10412007)

My network consists of a windows machine and two linux boxen, all behind a FreeBSD router. The windows box (my main machine) has absolutely no firewall, antivirus, or spyware protection. I use this little known thing called common sense. Using common sense, and other software such as Firefox, Thunderbird, and other assorted non-Microsoft/vulnerable stuff, I have remained virus free for as long as I can remember.

Common sense saves money, and computer resources. It's a shame more people don't know how to use it.

Re:My setup (1)

Chess_the_cat (653159) | more than 8 years ago | (#10413372)

I guarantee if you were to run Ad-Aware right now it wouldn't come up empty handed.

my complete rig (1)

golgotha007 (62687) | more than 8 years ago | (#10412034)

First of all, I'm in Linux about 95% of the time. So I have no need of AV. I use a simple iptables firewall script for network protection.

The other 5% of my time is spent playing games. My machine dual boots into WinXP. I don't use WinXP for checking mail, and I use Firefox if I do any browsing. I don't download executables from questionable sites, therefore have no need for AV.
I use the internal WinXP firewall for network protection.

Hmm (5, Funny)

Vokbain (657712) | more than 8 years ago | (#10412043)

I bought a Macintosh ^_^

Linux. (1)

jotaeleemeese (303437) | more than 8 years ago | (#10412050)

No, honest.

A bit of iptables, a superior and safer web browser, intelligent email clients.

I stopped worrying about viruses and being owned some time ago.

None! (1)

jgartin (177959) | more than 8 years ago | (#10412075)

I'm running WinME, and I'm not running any AV or firewall software. It sucks up too many resources. You just have to be careful about what you download. Using Firefox instead of IE helps, too.

Re: WinME (0)

Anonymous Coward | more than 8 years ago | (#10412282)

wtf @ WinME? seriously....wtf?

Old PC running Devil-Linux boot CD-ROM .. (4, Interesting)

torpor (458) | more than 8 years ago | (#10412079)

.. which also doubles as my Squid proxy/cache and DNS machine ..

Gotta say, I love the bootCD firewall solutions. Pretty darn hard to beat ...

home office setup (0)

Anonymous Coward | more than 8 years ago | (#10412125)

Here's my setup:

Soekris small-form-factor communications computer running FreeBSD from a read-only CF card. Ethernet #1 goes to the internet. Ethernet #2 goes via a crossover cable to a mini-itx server running Gentoo (bastion host). Ethernet #3 goes to my LAN (2 Macs and another Gentoo, plus yet another soekris which is a firewall for an Airport base station which serves 2 more macs.. lots of paranoid firewalling on that one).

The soekris has NO ports open to the outside except SSH (which only allows connections from certain hosts) However, it forwards web and mail to the bastion host.

The bastion host is firewalled at the Soekris so it cannot make any outgoing connections except to outside SMTP ports. So if a hacker breaks into it, he can't do much. Tripwire runs nightly on there as well. It does the gentoo sync, etc., from the inside Linux box which gets the data off the internet.

I've never used any anti-virus program since I first started using computers (Unix, then Mac) in the 80's. I've never used Windows except briefly in college.

I read my email in Mutt and browse with OmniWeb (I don't use Mozilla or Firefox, etc., because I don't think they are any more secure than IE).

So, that is a little intense for a home LAN, but I get paid to set stuff up like this so I tend to "practice" there.

Procedure, Not Programs (1)

NewStarRising (580196) | more than 8 years ago | (#10412185)

The title of the question gets it right ... but then the summary does not.

Security is not Programs. Security is a procedure.
Part of this procedure can utilise programs , but these will be of no use if your procedure is not adequate.

Set up your box securely, configure access-rights, etc and use AV/firewall programs where appropriate for your situation.

Relying upon programs to be your security is not effective.

I took the ethernet card out (1)

Andy_R (114137) | more than 8 years ago | (#10412278)

I don't do much work that I consider to be sensitive, but when I do, I use a machine with no connections. If anything goes onto or comes off that machine, it does it via the CD writer.

Apart from that, I do my web browsing on a Mac running OS9 - security through obsolescence is greatly underrated!

Re:I took the ethernet card out (2, Funny)

base3 (539820) | more than 8 years ago | (#10412555)

I don't know if you're talking about sensitive as in "biological weapons plans" or sensitive as in "personal finance data," but there's a solution that would allow you to keep the convenience of networking but not expose it to the Internet. (This assumes you're running Windows.)

Install IPX/SPX or NetBEUI on both machines. Keep TCP/IP on the non-sensitive machine, but have no TCP/IP stack installed on the sensitive machine, and use IPX/SPX or NetBEUI for networking betwixt them.

For added obscurity points, you could use something like Banyan Vines or LANtastic.

Firewall, Firefox, Fire MS (1)

angrykeyboarder (791722) | more than 8 years ago | (#10412323)

(well "Fire" MS Internet Explorer and Outlook, that is).

We've got a router with a built in firewall. On top of that we have ZoneAlarm on both computers on the network.

As stated previously, we run Firefox (not IE). Oh and Norton AntiVirus which hasn't found any virus/Trojan activity in ages (thanks in part to ridding myself of IE and Outlook). I have it set to auto-update AV definitions.

That and I'm careful and just don't get that much "junk" (i.e. infected emails).

I only download from reputable sites.

Re:Firewall, Firefox, Fire MS (0)

Anonymous Coward | more than 8 years ago | (#10412896)

I only download from reputable sites.

Because the hackers leave them alone, right? *cough savannah compromise* *cough debian*

Works for me . . . (1)

Thompsy (761687) | more than 8 years ago | (#10412337)

I have a hardware firewall built into my switch/router (Linksys BEFDSR41W)

On my 2 windows boxes there is Zonealarm (the free one) and
AVG Antivirus (also free) and of course I use firefox as my browser of choice.

On my linux boxes I have iptables for network protection.
I also run a few things like tripwire and snort along with chkrootkit just to be sure

---
Andrew T

UPS (1)

TheLink (130905) | more than 8 years ago | (#10412357)

I use a UPS to protect my computers + network.

One of which runs FreeBSD and is set up as a firewall. Since FreeBSD is already "dying" perhaps the hackers won't bother to get too familiar with it ;).

I use AVG, but it's more to prevent accidents (e.g. oops slipped and clicked the wrong thing) than anything.

By Refusing to install windows (0)

Anonymous Coward | more than 8 years ago | (#10412425)

By Refusing to install windows

watch your process list. (1)

Leonig Mig (695104) | more than 8 years ago | (#10412503)

if you click on CPU under process list it orders the processes by CPU usage. if you have a virus or a worm it will always float on the top

apart from firefox and the latest windows patches that method does the job of a firewall for me, and without throwing all my system resources and cash at x amount of commercial security apps.
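The checks strikethree and Leonig Mig describe above (watching for new or unusual resource use, sorting the process list by CPU) can be automated as a comparison against a known-good baseline. The following is an added example, not part of either comment; the process names, ports, CPU figures and thresholds are constructed sample data and assumptions.

```python
from collections import namedtuple

# One row of a process snapshot: name, CPU percent, TCP ports it listens on.
Proc = namedtuple("Proc", "name cpu ports")

# Constructed sample data: snapshots taken while the machine was known to be clean.
BASELINE_SNAPSHOTS = [
    [Proc("explorer.exe", 3.0, ()), Proc("firefox.exe", 35.0, ()),
     Proc("sshd.exe", 0.5, (22,)), Proc("svchost.exe", 2.0, (135,))],
    [Proc("explorer.exe", 5.0, ()), Proc("firefox.exe", 60.0, ()),
     Proc("sshd.exe", 0.2, (22,)), Proc("svchost.exe", 4.0, (135,))],
]

# Constructed sample data: three later snapshots to review.
SAMPLES = [
    [Proc("explorer.exe", 4.0, ()), Proc("firefox.exe", 40.0, ()),
     Proc("sshd.exe", 0.3, (22,)), Proc("svchost.exe", 3.0, (135,)),
     Proc("updater32.exe", 0.4, (4444,))],
    [Proc("explorer.exe", 4.0, ()), Proc("firefox.exe", 55.0, ()),
     Proc("sshd.exe", 0.3, (22,)), Proc("svchost.exe", 45.0, (135,)),
     Proc("updater32.exe", 0.3, (4444,))],
    [Proc("explorer.exe", 90.0, ()), Proc("firefox.exe", 50.0, ()),
     Proc("sshd.exe", 0.2, (22,)), Proc("svchost.exe", 50.0, (135, 8080)),
     Proc("updater32.exe", 0.2, (4444,))],
]


def top_by_cpu(snapshot, n=3):
    """The manual check: the process list sorted by CPU, highest first."""
    return sorted(snapshot, key=lambda p: p.cpu, reverse=True)[:n]


def build_baseline(snapshots):
    """Per process name, record the highest CPU seen and every listening port."""
    baseline = {}
    for snap in snapshots:
        for p in snap:
            entry = baseline.setdefault(p.name, {"max_cpu": 0.0, "ports": set()})
            entry["max_cpu"] = max(entry["max_cpu"], p.cpu)
            entry["ports"].update(p.ports)
    return baseline


def review(baseline, samples, cpu_margin=20.0, sustained=2):
    """Return sorted (kind, subject) findings for the later snapshots.

    new-process   : a name never seen in the baseline
    new-listener  : a listening port the process did not have in the baseline
    sustained-cpu : CPU above baseline max + cpu_margin in `sustained`
                    consecutive snapshots (a single spike is ignored)
    """
    findings = set()
    streak = {}  # name -> consecutive snapshots above its CPU threshold
    for snap in samples:
        seen = set()
        for p in snap:
            seen.add(p.name)
            known = baseline.get(p.name)
            if known is None:
                findings.add(("new-process", p.name))
                known = {"max_cpu": 0.0, "ports": set()}
            for port in sorted(set(p.ports) - known["ports"]):
                findings.add(("new-listener", f"{p.name}:{port}"))
            if p.cpu > known["max_cpu"] + cpu_margin:
                streak[p.name] = streak.get(p.name, 0) + 1
                if streak[p.name] >= sustained:
                    findings.add(("sustained-cpu", p.name))
            else:
                streak[p.name] = 0
        for name in streak:  # a process absent from this snapshot breaks its streak
            if name not in seen:
                streak[name] = 0
    return sorted(findings)


if __name__ == "__main__":
    print("Top by CPU:", [p.name for p in top_by_cpu(SAMPLES[0])])
    for kind, subject in review(build_baseline(BASELINE_SNAPSHOTS), SAMPLES):
        print(f"{kind:14} {subject}")
```

In the constructed data, the process with the new listener never uses more than 0.4% CPU, so it is reported only by the baseline comparison and not by the CPU-sorted view.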

I don't use too much. (1)

Blackknight (25168) | more than 8 years ago | (#10412654)

I have a D-link 707P router and use Debian for my desktop, so I'm not too worried about viruses.

The only traffic allowed past the router is incoming port 22.

Protection. (1)

saintlupus (227599) | more than 8 years ago | (#10412721)

For software protection, I run OpenBSD on the only machine accessible through my router.

For physical protection, that OpenBSD box is an elderly PPro that's wedged behind a desk in my attic. On the off chance that someone breaks into my house, I doubt they'll bother moving furniture to steal an old beater machine; since I keep all of my important data on there, I could easily replace everything that's more obvious without too much trouble.

--saint

I use Linux. :D (1)

kosmosik (654958) | more than 8 years ago | (#10412768)

Well you assumed that computer == Windows?

I use Linux only but here you also do things to protect. But things you mentioned (FW, AV) are the basis. You have lots of other issues with security. I personally (despite keeping patched and well configured systems) use only secure protocols (with encryption), use proactive security like patched kernels (MAC, stack control etc.), intrusion detection system, honeypots and so on...

For my friends with Windows I usually install:

ADAware PE (free)
AVAst HE (free)
Windows built in FW
Set Automatic Updates on

It usually helps to keep the system running.

Lock the doors ... (1)

scruffy (29773) | more than 8 years ago | (#10412878)

... and hide the key!

truly wonderful firewall (4, Interesting)

nusratt (751548) | more than 8 years ago | (#10412898)

-- Agnitum.com's "Outpost" firewall, with all kinds of free plug-ins which let me control -- on a PER-DOMAIN basis -- things like scripts, activeX, java, referrers, etc. Also controls those things separately for http vs mail vs news.
Tried it on trial, liked it so much I paid for it. :o

-- McAfee VirusScan, because I got it free (corporate) and it seems to work ok.

-- on another system, english.mks.com.pl "mks_vir", which has recently been favorably reviewed for its dynamic adaptability to not-yet-signatured new threats.

-- SpyBot, AdAware

Minimal security (1)

Txiasaeia (581598) | more than 8 years ago | (#10413091)

Believe it or not, up till a few months ago, nothing. No firewall, no AV, nothing. I turned off HTML viewing in Outlook as well as the preview pane & used Opera instead of IE. Three months ago I got a wireless router (WRT54G Linksys, for my laptop), which apparently adds a level of security, but I really don't think it's necessary.

For the people who think that windows isn't secured: I've run WinXP since its inception unprotected and haven't caught *anything* (I run adaware and a free online virus checker once every couple of months).

Cheap NAT (2, Insightful)

lkaos (187507) | more than 8 years ago | (#10413525)

I have a Linksys wireless switch behind my cable modem. My main Linux server is set up as a DMZ host. This server was built via Gentoo and the only services running that are exposed are ssh and Apache2.

I've not had an issue in the 2 years I've had this setup. I don't have problems with email worms and such because well all my machines run Linux :-)

I've got a similar setup for my parents and they've had minimal problems running all Windows. They've had some spyware issues lately because of some bad downloading but what can you do.

Common-sense (1)

X3J11 (791922) | more than 8 years ago | (#10413542)

My best firewall/AV is common-sense. If it looks suspicious, and even if it doesn't, avoid it.

I haven't (knock on wood) had a virus for 12 years now. Not since DOS 6.2, and even then it was just one of those annoying ones that would write itself to the MBR and floppy boot sectors, eating up RAM until it overwrote something important to DOS and the machine would lock.

I use a router (MN-100, Microsoft =[) as a firewall, with everything but for a tiny selection of ports blocked. All programs I use that are configurable wrt what ports they use are fed through what's forwarded to my machine. I don't bother with XP's built-in firewall, and ZoneAlarm had a nasty habit of hard-locking my machine whenever I tried to run any games online (it would lock before giving me the option to allow the game access to the 'net).

On the software side, I have AVG (free'ish), and a2 Free for "Malware", but I rarely run either as it's just not necessary.

What troubles me is the number of machines hitting my computer trying to exploit IIS. Way back I was running Apache, watching my logfile expand at an alarming rate as people tried to gain access to CMD.EXE for whatever nefarious purposes.
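An added example, not part of the comment above or of any project named in this thread: one way to measure the probe traffic it describes is to count, per source address, the requests whose decoded path ends in cmd.exe, and to flag any that the server did not reject. The log lines are constructed samples in Apache common log format; the function names and the one-entry watch list are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Oct/2004:10:01:02 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 290
192.0.2.10 - - [04/Oct/2004:10:01:03 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 290
198.51.100.7 - - [04/Oct/2004:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [04/Oct/2004:10:03:44 +0000] "GET /scripts/CMD%2eEXE HTTP/1.0" 404 289
198.51.100.7 - - [04/Oct/2004:10:04:00 +0000] "GET /docs/cmd.exe.html HTTP/1.1" 200 812
this line is not a log entry
"""

# host ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
PROBE_NAMES = {"cmd.exe"}  # assumed watch list; extend for your own logs


def is_probe(target):
    """True when the requested file name, after decoding, is on the watch list."""
    path = target.split("?", 1)[0]
    # Decode twice so single and double percent-encoding both normalise,
    # treat backslashes as separators, and compare case-insensitively.
    path = unquote(unquote(path)).replace("\\", "/").lower()
    return path.rsplit("/", 1)[-1] in PROBE_NAMES


def summarize(log_text):
    """Return (probes per source, probes not rejected, unparsable line count)."""
    per_source = Counter()
    answered = []
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        ip, _method, target, status = m.groups()
        if is_probe(target):
            per_source[ip] += 1
            if int(status) < 400:  # a 2xx/3xx answer to a probe needs a look
                answered.append((ip, target, int(status)))
    return per_source, answered, skipped


if __name__ == "__main__":
    counts, answered, skipped = summarize(SAMPLE_LOG)
    print(counts.most_common(), answered, skipped)
```

On an Apache host these requests should all come back as errors, so a non-empty second result is the part worth investigating; the per-source counts mostly show how much of the log is noise.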

My setup... (1)

John_Booty (149925) | more than 8 years ago | (#10414050)

I see some crazy setups here on this thread. Really, NAT, AV software, and regular software updates are all you need. If you're not on Windows, you could probably even drop the AV stuff. Hell, you can probably drop the AV stuff even if you're ON Windows, as long as you're not installing shady software.

* 8-port Linksys Router/Firewall

Only a few incoming ports are opened - basically the ports needed for Soulseek and Bittorrent. If you're NAT'd behind a hardware firewall/router that blocks incoming connection requests before they even hit your PCs.... not a lot can happen to you aside from installing viruses yourself.

* Norton AV on each Windows PC

This is probably unnecessary, as long as you're not downloading shady warezs and shit, but... why not be safe, right?

* Firefox/Thunderbird

I know there have been a few security advisories for these, but if you stick to these and don't download shady executable software that comes with Gator-type stuff, your spyware worries are basically nil. I do periodically do a scan with Spybot or Ad-Aware but.... thanks to Firefox they never return anything.

FBI notice in MOTD (0)

Anonymous Coward | more than 8 years ago | (#10414127)

If you would be so kind as to mod this up, that would kick ass.

One thing that hasn't been mentioned here is a good MOTD.

I have a MOTD informing law enforcement that my system contains privileged attorney-client information, which it does.

In theory, my MOTD puts them on notice that if they are picking through the contents of my hard drive, they should be doing it with my attorney present, deciding what can and cannot be read.

IANAL. I don't know if the theory holds water. It does give me a higher expectation of privacy than I would otherwise have, and I know courts have regarded the expectation of privacy as a deciding factor in some cases.

Mostly with Common Sense (1)

rts008 (812749) | more than 8 years ago | (#10414252)

NAT on router, Avast (free!) AV, AdAware and SpyBot S&D, Tiny Personal Firewall, and Firefox on boxes. I had many problems before switching to Firefox, but since then almost none. Don't use Outlook (never have).