  rosco Lumbergh Premium join:2003-11-10 Catskill, NY edit: January 14th, @04:03PM
| Good enough for me
My NAT router along with a free software firewall backup has never failed me. |
|
  johnsea66 Cool Down Premium join:2003-01-26 Canada | But it most probably is possible to crack. Any machine is. |
|
  rosco Lumbergh Premium join:2003-11-10 Catskill, NY
| I'm sure it is remotely possible, but very very difficult especially considering that no one would try that hard to get my mp3's and pictures.
I'll give you my IP and I'd love to see you get in
But really, I feel that for my needs, my solution gives me the best cost/performance ratio. It cost me about 40 bucks for the NAT router. And the firewall software is free. And I've never been hacked, and never had any of these worms affect me. |
|
  DracoFelis Premium join:2003-06-15
| reply to rosco I personally found this article very misleading, to the point of "crying wolf" (and having just plain FALSE info). While I agree that you don't just put in a "consumer firewall" and expect you are protected from everything out there, they can be a very effective form of defense.
Consider:
1) My SMC Barricade+ (SMC7004FW) does have "stateful packet inspection", as do a number of other "home firewalls". Yet the article claims that this feature is only in "business firewalls".
2) The article claims that "home firewalls" only provide "security through obscurity", but won't actually stop any attacks once someone knows about you. Yet my "home firewall" has protected me from some very serious worms, until I got a chance to patch the Windows box behind it! And I've even tested the firewall by having the "computer security officer" (at my office) "port scan" my box! Sure enough, the ports were blocked from the internet (and the "security officer" has taken classes in "hacking techniques" to better know how to protect against them, so he knows how to check for vulnerable computer systems)!
3) The article claims that home firewalls generally allow "outbound connections" (true), and for "maximum protection" you should start with disallowing everything and only "open up ports" if/when needed (also true). But then the article goes on to say you need a "business firewall" for this protection, which is clearly false! With many "home firewalls" you have the option (if you think the extra security is worth the extra hassle setting things up) to block outbound connections as well! For example, I have my "home firewall" set up to block outbound attempts to use the Microsoft "filesharing ports", as a way to protect myself against rogue web sites stealing the username and "password hash" for my logged in account! The article seems to claim this isn't possible with a "home firewall"!
4) The article claims that "dial-up users" are reasonably safe from attack (without protection), yet I've seen several cases of dial-up users getting hit by internet worms, often within a few minutes of being connected (especially if/when a virulent worm is currently "on the loose"). While dial-up is slower, and not always on, they are still very vulnerable while they are connected unless they are "protected"! OTOH: My "always on" DSL connection is sitting a lot safer behind its "home firewall" than any dial-up user!
5) The article mentions that if someone is just using one of these "home firewalls", they are still vulnerable to attacks. I agree with this. One easy example is email based viruses (which will go right past any firewall). But this is also true of "corporate grade" firewalls too! In both cases, anti-virus scanning of your emails is a good idea (and yet the article doesn't make this distinction, and just implies that this is a problem with "home firewalls", vs an inherent limitation of all firewalls)!
All things considered, I have to wonder about the "security experts" that wrote that article! IMHO they either "don't have a clue", or are deliberately "misleading the public" to sell their own "solutions". Either way, I plan to never do business with these turkeys.... |
|
  azndude Zen Master Premium join:2001-07-13 AL
| reply to rosco How do you know for sure? Do you frequently audit your system to detect any security breaches? If so, what method did you utilize? If not, you should. Your information is always at risk, if you have an always-on broadband connection. Remember that. -- The truth is packed in a cloud of lies... |
|
  rosco Lumbergh Premium join:2003-11-10 Catskill, NY | I check logs and port-scan myself from work fairly often. |
|
  rogue_ I Have A Secret Window Premium join:2001-10-17 Lake Hiawatha, NJ
| reply to johnsea66 said by johnsea66 : But it most probably is possible to crack. Any machine is.
Most probably?
Of course it is, and with ease for the right person. The $100 router and Freebie ZA pale in comparison to the technology used in keeping some high profile gov't sites secure. They get hacked though  -- Bozone (n.): The substance surrounding stupid people that stops bright ideas from penetrating. The bozone layer, unfortunately, shows little sign of breaking down in the near future. |
|
  DracoFelis Premium join:2003-06-15
| reply to azndude There is no such thing as perfect security.
said by azndude : How do you know for sure? Do you frequently audit your system to detect any security breaches? If so, what method did you utilize?
Actually yes. While there is always "more that can be done", I have taken the following steps to check out the protection from my "home firewall":
1) I had the "security officer" at work try connecting to my LAN (from the office), and see if he was able to. As expected, all the TCP/UDP ports were "closed" (blocked at the firewall), except for the couple I opened to allow "PC-Anywhere" to work from the office.
2) I have anti-virus scans every night, and the virus signatures are also updated nightly. There has been no reported "virus attack" on my Windows machine at home.
3) After turning on the outbound "file sharing" port blocks, I attempted to do just that (send data out those ports). Guess what? It didn't arrive at its destination (just as it should not)!
4) After several of the more virulent of the worm attacks (including at least one where I didn't patch until a few days after the outbreak, by which time virtually 100% of the "unprotected machines" on the internet were infected), I looked for the "signs of infection" that the anti-virus companies released (to tell if you had been "hacked"). Guess what? The telltale signs of infection were not present!
5) I keep an eye on the traffic lights, on the ethernet switches in my house. If there was a sudden upsurge in traffic (which would likely occur if I had a machine infected with an internet worm) I would see it. Yet the traffic on my LAN is pretty much what would be expected for our family's use (including being totally "dead" sometimes when we are doing next to nothing on the LAN).
said by azndude : If not, you should.
Being aware of what is "normal behavior" for your computers, and therefore being able to detect something "wrong" is always a "good idea". However, it may be a little much to expect from a "joe sixpack" computer user.
And, when all is said and done, such diligence (to "watching what is going on") mostly just lets you know "after the fact" if/when your "defenses" have failed. If the defenses are good to begin with, they will still be good when you don't monitor them. OTOH since no defense is "perfect", it never hurts to "pay attention", just in case someone happens to "get past your defenses".
said by azndude : Your information is always at risk, if you have an always-on broadband connection. Remember that.
Your information is always at risk, period!
Unless you disconnect totally from the outside world (no "dial-up", no using floppies for "sharing data", no nothing), there is always some way that someone could "hack" your computer! You may be able to make it "harder" (by installing security software and/or hardware), and you may also be able to make it easier to detect when someone does succeed (firewall logs, anti-virus, "trip-wire", etc), but there is always risk.
In the end, it's simply a matter of "weighing risks", and taking reasonable actions to mitigate those risks. The "average home user" neither needs, nor can they afford, the "top level" of security on the market. What they need, is "reasonable security", at an affordable price. As someone who has actually looked into computer security issues (and has also done some professional work securing computer systems), I am actually much more comfortable with an "always on" connection protected by a "home firewall", than a "dial up" connection not protected by anything!
In the case of the "always on connection"/"firewall" setup, you are vulnerable to someone finding a way to break and/or bypass your firewall. This can be done, but it's very very difficult (and beyond your average "script kiddie" on the net)! In most cases, the "internet worm" will just "bounce off your firewall", only slightly annoying you (as the attack will still use up some of your internet bandwidth, before it's stopped by your firewall).
OTOH the lowly "dial up" user (without a firewall), is a "sitting duck" every time they connect to the internet. Yet how many times have you heard the (IMHO false) claim that someone is "safe" because they only use "dial-up"? This is not just theory either, as I've known multiple people who have been "hacked" just this way (when they thought they were "safe" because they were "just a dial-up user"). In fact, I once put a firewall in for my dad (who is still on dial-up), and (while testing the setup) noticed an attempt to hack his machine less than 1/2 hour after I installed the system! |
|
 jester121
join:2003-08-09 Lake Zurich, IL
| Oh... you have ports open for PCAnywhere! Excellent. We'll start working on the PCA listener with known vulnerabilities first.
You did restrict inbound access to only your work IP address, right?  |
|
  DracoFelis Premium join:2003-06-15
| said by jester121 : You did restrict inbound access to only your work IP address, right?
Of course! That was one of the first things I changed when I opened the PC-Anywhere hole in my firewall! I want to allow me (from the office) to get in, not give anyone on the internet a chance to "knock at my door".
I also have the PC-Anywhere "patched up" (using their "Live Update"), and PC-Anywhere is also set up to require strong encryption and a username/password. And once that is entered, a "hacker" would probably still need to know my desktop password (which isn't easy to guess) to unlock my Win2K desktop (just connecting with PC-Anywhere doesn't give you many rights, until the desktop is also "unlocked"). I'm sure this isn't "fool proof" (given a sophisticated enough "hacker"), but it should stop your average "script kiddie" in their tracks.... |
|
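Added example, not part of any post in this thread: a small Python audit of a router rule list against the posture DracoFelis describes above (inbound default-deny, the PC-Anywhere forward limited to one source address, outbound file-sharing ports blocked). The rule model, first-match semantics, the 256-address threshold, the port numbers and the 203.0.113.10 address are assumptions made for illustration, not taken from the thread or from any router's firmware.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Well-known port numbers, not taken from the thread:
# NetBIOS/SMB file sharing (137-139, 445); pcAnywhere (5631/tcp, 5632/udp).
FILE_SHARING_PORTS = (137, 138, 139, 445)
MAX_SOURCE_ADDRS = 256  # assumed threshold for "restricted to a known peer"

@dataclass(frozen=True)
class Rule:
    direction: str              # "in" or "out"
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    ports: range                # destination ports covered
    source: str = "0.0.0.0/0"   # inbound only: who may connect

def egress_verdict(rules, default_out, proto, port):
    """First matching outbound rule wins (assumed semantics), else the default."""
    for r in rules:
        if r.direction == "out" and r.proto in (proto, "any") and port in r.ports:
            return r.action
    return default_out

def audit(rules, default_in="deny", default_out="allow"):
    """Return a list of (code, detail) findings; an empty list means no findings."""
    findings = []
    if default_in != "deny":
        findings.append(("INBOUND_DEFAULT_ALLOW", None))
    for r in rules:
        # An inbound hole open to a large source range exposes the listener to everyone.
        if (r.direction == "in" and r.action == "allow"
                and ip_network(r.source).num_addresses > MAX_SOURCE_ADDRS):
            findings.append(("UNRESTRICTED_FORWARD", (r.proto, r.ports.start, r.source)))
    leaks = [(p, port) for port in FILE_SHARING_PORTS for p in ("tcp", "udp")
             if egress_verdict(rules, default_out, p, port) == "allow"]
    if leaks:
        findings.append(("FILE_SHARING_EGRESS", leaks))
    return findings

WORK_IP = "203.0.113.10/32"  # constructed value from the documentation address range
HARDENED = [  # constructed rule set matching the configuration described in the thread
    Rule("in", "allow", "tcp", range(5631, 5632), WORK_IP),
    Rule("in", "allow", "udp", range(5632, 5633), WORK_IP),
    Rule("out", "deny", "any", range(137, 140)),
    Rule("out", "deny", "any", range(445, 446)),
]
LOOSE = [     # constructed rule set: forward open to any source, partial egress block
    Rule("in", "allow", "tcp", range(5631, 5632)),
    Rule("out", "deny", "tcp", range(445, 446)),
]

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("loose", LOOSE)):
        print(name, audit(cfg))
```
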
  RazorPacket
@verizon.n | reply to DracoFelis Re: Good enough for me
Your SMC will reset with SPI when more than 40IPS hit it with syn/udp. |
|