'Real' Security? Pointing at consumer firewalls and laughing (old news - 04:00PM Wednesday Jan 14 2004) tags: security

"You're never really secure enough" is the message sent by many security vendors, one of the many industries that often rely on FUD to sell products. According to CyberGuard's VP Paul Henry, consumers shouldn't trust entry-level firewall hardware and software because they provide a "false sense of security". "Router/NAT boxes only have security by obscurity," says Henry in this TechNewsWorld report. "They provide only a one-way block. NAT boxes show closed ports, but they don't prevent outbound connections through ports 80 or 25." Henry argues a real firewall should deny outbound access attempts unless explicitly allowed. His and other executive assertions from the article are picked apart and deconstructed by members of our security forum. No matter what your protection of choice, security's natural enemy is and always has been cluelessness first and foremost. The article unsurprisingly notes that forgetting to change default router passwords remains one of the most common mistakes made by casual users trying to secure their home networks.
rosco: Good enough for me
My NAT router along with a free software firewall backup has never failed me.
johnsea66: Re: Good enough for me
But it most probably is possible to crack. Any machine is.
rosco: Re: Good enough for me
I'm sure it is remotely possible, but very very difficult, especially considering that no one would try that hard to get my mp3s and pictures.
I'll give you my IP and I'd love to see you get in.
But really, I feel that for my needs, my solution gives me the best cost/performance ratio. It cost me about 40 bucks for the NAT router. And the firewall software is free. And I've never been hacked, and never had any of these worms affect me.
DracoFelis:
I personally found this article very misleading, to the point of "crying wolf" (and having just plain FALSE info). While I agree that you don't just put in a "consumer firewall" and expect you are protected from everything out there, they can be a very effective form of defense.
Consider:
1) My SMC Barricade+ (SMC7004FW) does have "stateful packet inspection", as do a number of other "home firewalls". Yet the article claims that this feature is only in "business firewalls".
2) The article claims that "home firewalls" only provide "security through obscurity", but won't actually stop any attacks once someone knows about you. Yet my "home firewall" has protected me from some very serious worms, until I got a chance to patch the Windows box behind it! And I've even tested the firewall by having the "computer security officer" (at my office) "port scan" my box! Sure enough, the ports were blocked from the internet (and the "security officer" has taken classes in "hacking techniques" to better know how to protect against them, so he knows how to check for vulnerable computer systems)!
3) The article claims that home firewalls generally allow "outbound connections" (true), and for "maximum protection" you should start with disallowing everything and only "open up ports" if/when needed (also true). But then the article goes on to say you need a "business firewall" for this protection, which is clearly false! With many "home firewalls" you have the option (if you think the extra security is worth the extra hassle setting things up) to block outbound connections as well! For example, I have my "home firewall" set up to block outbound attempts to use the Microsoft "file sharing ports", as a way to protect myself against rogue web sites stealing the username and "password hash" for my logged-in account! The article seems to claim this isn't possible with a "home firewall"!
4) The article claims that "dial-up users" are reasonably safe from attack (without protection), yet I've seen several cases of dial-up users getting hit by internet worms, often within a few minutes of being connected (especially if/when a virulent worm is currently "on the loose"). While dial-up is slower, and not always on, they are still very vulnerable while they are connected unless they are "protected"! OTOH: My "always on" DSL connection is sitting a lot safer behind its "home firewall" than any dial-up user!
5) The article mentions that if someone is just using one of these "home firewalls", they are still vulnerable to attacks. I agree with this. One easy example is email-based viruses (which will go right past any firewall). But this is also true of "corporate grade" firewalls too! In both cases, anti-virus scanning of your emails is a good idea (and yet the article doesn't make this distinction, and just implies that this is a problem with "home firewalls", vs an inherent limitation of all firewalls)!
All things considered, I have to wonder about the "security experts" that wrote that article! IMHO they either "don't have a clue", or are deliberately "misleading the public" to sell their own "solutions". Either way, I plan to never do business with these turkeys....
RazorPacket: Re: Good enough for me
Your SMC will reset with SPI when more than 40 IPs hit it with SYN/UDP.
azndude: How do you know for sure?
Do you frequently audit your system to detect any security breaches? If so, what method did you utilize? If not, you should. Your information is always at risk, if you have an always-on broadband connection. Remember that.
rosco: Re: Good enough for me
I check logs and port-scan myself from work fairly often.
DracoFelis: There is no such thing as perfect security.
said by azndude: How do you know for sure? Do you frequently audit your system to detect any security breaches? If so, what method did you utilize?
Actually yes. While there is always "more that can be done", I have taken the following steps to check out the protection from my "home firewall":
1) I had the "security officer" at work try connecting to my LAN (from the office), and see if he was able to. As expected, all the TCP/UDP ports were "closed" (blocked at the firewall), except for the couple I opened to allow "PC-Anywhere" to work from the office.
2) I have anti-virus scans every night, and the virus signatures are also updated nightly. There has been no reported "virus attack" on my Windows machine at home.
3) After turning on the outbound "file sharing" port blocks, I attempted to do just that (send data out those ports). Guess what? It didn't arrive at its destination (just as it should not)!
4) After several of the more virulent of the worm attacks (including at least one where I didn't patch until a few days after the outbreak, by which time virtually 100% of the "unprotected machines" on the internet were infected), I looked for the "signs of infection" that the anti-virus companies released (to tell if you had been "hacked"). Guess what? The telltale signs of infection were not present!
5) I keep an eye on the traffic lights on the ethernet switches in my house. If there was a sudden upsurge in traffic (which would likely occur if I had a machine infected with an internet worm) I would see it. Yet the traffic on my LAN is pretty much what would be expected for our family's use (including being totally "dead" sometimes when we are doing next to nothing on the LAN).
said by azndude: If not, you should.
Being aware of what is "normal behavior" for your computers, and therefore being able to detect something "wrong", is always a "good idea". However, it may be a little much to expect from a "joe sixpack" computer user.
And, when all is said and done, such diligence (to "watching what is going on") mostly just lets you know "after the fact" if/when your "defenses" have failed. If the defenses are good to begin with, they will still be good when you don't monitor them. OTOH since no defense is "perfect", it never hurts to "pay attention", just in case someone happens to "get past your defenses".
said by azndude: Your information is always at risk, if you have an always-on broadband connection. Remember that.
Your information is always at risk, period!
Unless you disconnect totally from the outside world (no "dial-up", no using floppies for "sharing data", no nothing), there is always some way that someone could "hack" your computer! You may be able to make it "harder" (by installing security software and/or hardware), and you may also be able to make it easier to detect when someone does succeed (firewall logs, anti-virus, "trip-wire", etc), but there is always risk.
In the end, it's simply a matter of "weighing risks", and taking reasonable actions to mitigate those risks. The "average home user" neither needs, nor can they afford, the "top level" of security on the market. What they need is "reasonable security", at an affordable price. As someone who has actually looked into computer security issues (and has also done some professional work securing computer systems), I am actually much more comfortable with an "always on" connection protected by a "home firewall" than a "dial up" connection not protected by anything!
In the case of the "always on connection"/"firewall" setup, you are vulnerable to someone finding a way to break and/or bypass your firewall. This can be done, but it's very very difficult (and beyond your average "script kiddie" on the net)! In most cases, the "internet worm" will just "bounce off your firewall", only slightly annoying you (as the attack will still use up some of your internet bandwidth, before it's stopped by your firewall).
OTOH the lowly "dial up" user (without a firewall) is a "sitting duck" every time they connect to the internet. Yet how many times have you heard the (IMHO false) claim that someone is "safe" because they only use "dial-up"? This is not just theory either, as I've known multiple people who have been "hacked" just this way (when they thought they were "safe" because they were "just a dial-up user"). In fact, I once put a firewall in for my dad (who is still on dial-up), and (while testing the setup) noticed an attempt to hack his machine less than 1/2 hour after I installed the system!
jester121: Re: There is no such thing as perfect security.
Oh... you have ports open for PCAnywhere! Excellent. We'll start working on the PCA listener with known vulnerabilities first.
You did restrict inbound access to only your work IP address, right?
DracoFelis: Re: There is no such thing as perfect security.
said by jester121: You did restrict inbound access to only your work IP address, right?
Of course! That was one of the first things I changed when I opened the PC-Anywhere hole in my firewall! I want to allow me (from the office) to get in, not give anyone on the internet a chance to "knock at my door".
I also have the PC-Anywhere "patched up" (using their "Live Update"), and PC-Anywhere is also set up to require strong encryption and a username/password. And once that is entered, a "hacker" would probably still need to know my desktop password (which isn't easy to guess) to unlock my Win2K desktop (just connecting with PC-Anywhere doesn't give you many rights, until the desktop is also "unlocked"). I'm sure this isn't "fool proof" (given a sophisticated enough "hacker"), but it should stop your average "script kiddie" in their tracks....
major marco: Re: A day late and a dollar short, bud
said by g0nepostal: A company vice president should not use FUD to sell their products and instead point out the advantages of using it either in place of or in addition to other security methods such as NAT.
In most instances for most products, FUD is ultimately the entire sales pitch because it works better than any other sales tactic.
TheChosenOne: Scare Tactics and Marketing Ploys
Um... blocking OUTBOUND port 80? Wouldn't that basically render the NAT box useless for most people who don't know what they're doing? CyberGuard is just trying to sell more of their own firewalls. It's nothing but a scare tactic and a marketing ploy all rolled into one.
Transmaster: Hmmmm
If you are running in stealth mode with invisible ports, who is going to find you if they can't ping anything? If you can't be found the hacker is going to look for an easier target, and there sure are enough of them.
preskool69: Re: Hmmmm
What are you talking about, running in stealth mode with invisible ports on what kind of magical router? Too bad there wasn't such a thing; it would make us network techs' work a lot easier.
wtansill: Re: Hmmmm
I run an SMC Barricade NAT box/router along with a software firewall and anti-virus software. I regularly visit Gibson Research, as well as DSL Reports, and have my machine scanned. Periodically I visit other sites that offer scanning services as well. To date every one of them has essentially told me that if I hadn't provided an initial IP address for them to test, they would never have found me: all of my ports are identified as "Stealth mode", non-pingable, and invisible to port-scanning bad guys...
Transmaster: Re: Hmmmm
said by wtansill: I run an SMC Barricade NAT box/router along with a software firewall and anti-virus software. I regularly visit Gibson Research, as well as DSL Reports, and have my machine scanned. Periodically I visit other sites that offer scanning services as well. To date every one of them has essentially told me that if I hadn't provided an initial IP address for them to test, they would never have found me: all of my ports are identified as "Stealth mode", non-pingable, and invisible to port-scanning bad guys...
This is exactly what I was referring to.
bear73: Re: Hmmmm
Actually, a short while back there was a pretty heated debate in the Security Forum on whether "to Stealth or not to Stealth"... The argument for was exactly as you are saying: if you don't see me then you can't find me. But the other camp insists that if they are looking at you then they already know you are there. In which case, what are you hiding? Perhaps I should look to see if there's anything useful. Whereas if all the doors are locked (closed) then there is nothing special for a random port scan. If you are specifically targeted, then they will get through eventually. And think on this: if you use the internet, then you do have at least A FEW ports that are not stealthed. Like 39, 80, 119. And forget it if you run any servers, like gaming for example.
mod bait: How original...
Someone selling security products is telling us that we're not secure enough. Gee whiz, that's never happened before.
Better get underneath a bridge; the sky is falling. I hope I don't break my jaw by yawning too vigorously.
GenBlood: Re: How original...
I read the information and there is some truth to it. Devices like Linksys and Dlink that do NAT and act like switches might be a weak link. There are a lot of good products out now that can protect your home network. You can set up a Linux box with two NICs and configure a firewall with iptables and rules. You can download a GPL app like Smoothwall or IPCop and set up a firewall with an older PC and a few old NIC cards hanging around. If you have a friend who knows about Linux and firewalls, you can have him configure it for you and install it. If it is set up correctly he can monitor it and have it email you and himself if something happens...
What I'm saying is people need to take more interest in it and learn what firewalls are and how to properly use them.
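The two-NIC Linux gateway GenBlood describes, written out as an iptables-restore ruleset that applies the policy the article and DracoFelis argue over: default deny in every direction, outbound allow-listed per port, and the Windows file-sharing ports (135, 137-139, 445) explicitly blocked on the way out so a rogue web site cannot collect a password hash. It also goes one step beyond the thread by showing DracoFelis's PC-Anywhere hole done the way jester121 asks about, open from one office address only. This is an added example, not code from the thread, from Smoothwall or from IPCop; the interface names, subnet, ISP relay, office address and pcAnywhere host are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Smoothwall/IPCop: an
# iptables-restore ruleset for a two-NIC Linux home gateway.
# Every value below is an assumption made for the demo.
WAN=eth0                    # assumed: faces the DSL/cable modem
LAN=eth1                    # assumed: faces the home switch
LAN_NET=192.168.1.0/24      # assumed home subnet
SMTP_RELAY=198.51.100.25    # assumed: the ISP's outbound mail relay
OFFICE_IP=203.0.113.40      # assumed: the one address allowed to use pcAnywhere
PCA_HOST=192.168.1.10       # assumed: LAN box running pcAnywhere (TCP 5631 / UDP 5632)

# Emit the ruleset. Default policy is DROP on every chain, so anything not
# explicitly allowed below is logged (rate-limited) and then dropped.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# log, then drop; the prefix is what the log-triage step greps for
-A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
# the gateway itself: loopback, replies to its own connections, LAN-side ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOGDROP
# the gateway may only start DNS, NTP and HTTP(S) itself
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN -p udp -m multiport --dports 53,123 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -j LOGDROP
# LAN -> Internet: stateful, and NEW connections are allow-listed, not open
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# never let SMB/NetBIOS leave the house (rogue web site grabbing a password hash)
-A FORWARD -i $LAN -o $WAN -p tcp -m multiport --dports 135,137,138,139,445 -j LOGDROP
-A FORWARD -i $LAN -o $WAN -p udp -m multiport --dports 135,137,138,139,445 -j LOGDROP
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp -m multiport --dports 53,80,443,110,143,993,995 -m state --state NEW -j ACCEPT
# mail goes only to the ISP relay, so a worm cannot spam directly on port 25
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp -d $SMTP_RELAY --dport 25 -m state --state NEW -j ACCEPT
# the one inbound hole: pcAnywhere, from the office address only
-A FORWARD -i $WAN -o $LAN -s $OFFICE_IP -d $PCA_HOST -p tcp --dport 5631 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -o $LAN -s $OFFICE_IP -d $PCA_HOST -p udp --dport 5632 -j ACCEPT
# everything else, including all other unsolicited inbound, is logged and dropped
-A FORWARD -j LOGDROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -s $OFFICE_IP -p tcp --dport 5631 -j DNAT --to-destination $PCA_HOST
-A PREROUTING -i $WAN -s $OFFICE_IP -p udp --dport 5632 -j DNAT --to-destination $PCA_HOST
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Usage: sh gateway-fw.sh apply   (as root; needs iptables-restore and ip_forward=1)
if [ "$1" = "apply" ]; then
    gen_rules | iptables-restore
fi
```

Run it without `apply` to print the ruleset and read it before loading; the order matters, since the SMB drop rules sit before the outbound allows and the stateful ESTABLISHED,RELATED rule sits first so replies to allowed connections are never re-evaluated. Anything you did not allow-list, port 80 included, shows up in syslog with the FW-DROP prefix, which is how you find out what a new application needs before opening it.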
mod bait: Re: How original...
Security is never "good enough". Funny how what I've been doing for years has continued to work though.
Plenty of inexpensive, consumer-grade routers feature SPI. And the article fails to elaborate on why software firewalls are so (supposedly) useless.
Big on claims, short on content.
bear73: Re: How original...
FYI, I have a Linksys and it does do SPI. It also will block all ports unless I specifically un-block them. I'm not saying it's the best, but it's not half bad. And a lot better than someone running just straight NAT as I did for a while. AND, it doesn't require a degree in LINUX or an UberGeek friend that does do Linux. And while we're on it, I hope you trust your friend that set up your Linux router. My recommendation to anyone is to know what your machine can do and how to operate it. That much I wholeheartedly agree with you on. But Linux is not newbie friendly.
mod bait: Re: How original...
Yeah, my D-Link DI-714P+ and Netgear FM114P both use SPI. I understand them. I don't understand Linux. I'll stick with my routers.
iashkenes:
"I have a Linksys and it does do SPI. It also will block all ports unless I specifically un-block them".....
Windoze 2K does the exact same thing.....
mod bait: Re: How original...
Good point (WinXP has it, too). That's not SPI though.
wentlanc:
said by GenBlood: I read the information and there is some truth to it. Devices like Linksys and Dlink that do NAT and act like switches might be a weak link. There are a lot of good products out now that can protect your home network. You can set up a Linux box with two NICs and configure a firewall with iptables and rules. You can download a GPL app like Smoothwall or IPCop and set up a firewall with an older PC and a few old NIC cards hanging around. If you have a friend who knows about Linux and firewalls, you can have him configure it for you and install it. If it is set up correctly he can monitor it and have it email you and himself if something happens...
What I'm saying is people need to take more interest in it and learn what firewalls are and how to properly use them.
There is absolutely no truth to it at all. I sure hope that your firewall, which operates at Layer 4, does not work the same as your switch, which operates at Layer 2. Home firewalls / gateways will filter at Layer 4 no differently from commercial firewalls. The big difference is when you get into header filtering, custom protocol filtering, and other advanced options that high-end firewalls offer. Most of which is useless to the home user.
Setting up a Linux box explicitly as a firewall is a waste of money anymore. Back in 1996, it definitely had its place.
JohnInSJ: "You're never really secure enough"
"but 99.44% of home users aren't secure at all"
Rather than attempt to "scare" people who have actually bothered to install some kind of firewall, how about making basic software firewalls integral to every home system, and enabled out of the box?
If 99% of the boxes on the net were at this "false sense of security" level, we'd not have nearly as much worm traffic, would we?
72276539: Re: "You're never really secure enough"
said by JohnInSJ: "but 99.44% of home users aren't secure at all"
Rather than attempt to "scare" people who have actually bothered to install some kind of firewall, how about making basic software firewalls integral to every home system, and enabled out of the box?
If 99% of the boxes on the net were at this "false sense of security" level, we'd not have nearly as much worm traffic, would we?
Ummm, this has been tried already and Microsoft got ripped a new arsehole about it.... so why should anyone bother putting a firewall on a system people will just disable?
Worm traffic would not be bad if people didn't open Outlook messages with dangerous attachments and kept their systems updated.
wtansill: Re: "You're never really secure enough"
said by 72276539: Ummm, this has been tried already and Microsoft got ripped a new arsehole about it.... so why should anyone bother putting a firewall on a system people will just disable?
Worm traffic would not be bad if people didn't open Outlook messages with dangerous attachments and kept their systems updated.
I must not have gotten the memo. Could you please point to any info on M$ being ripped a new one for including firewall software?
boogi man: Re: "You're never really secure enough"
I take it you don't remember the release of XP. M$ enabled the firewall out of the box and was all kinda torn up about it due to the configuration; if I remember correctly it wouldn't allow any traffic at all, so they switched it off.
72276539:
I ain't gonna search these forums.... but there are plenty of people who have ripped MS for including a firewall that wasn't enough or didn't work right or whatever.
Jeremy341: Re: "You're never really secure enough"
People bitched because Microsoft's firewall didn't have outbound protection. But it did exactly what it was designed to do, and it did it very well. For SP2, Microsoft has added outbound protection as well. It's also on by default.
72276539:
You don't remember correctly.
dardin: kind of a pointless article
I mean, everyone knows NOTHING is 100% secure. Nothing! The biggest security risk will always be the human factor. You can have the most secure network in the world, but all it takes is one dumbass on the network downloading viruses/trojans, opening email attachments of viruses/trojans, hooking up a laptop to the network that is infected with a worm, and the list goes on.
The Beer: Yes and we should all have IDS systems
Ok, either put the security on the side of the ISP or shut up!
If someone spends $99.99 to protect their home computer that should be enough; either Micro$oft or the ISPs need to get to work.
If a security vendor has that to say about a home product, then they have work to do.
iashkenes: Really, just how safe are we.
Last weekend, I removed my Linksys router/switch from my DSL modem. I hooked up directly to my Linux box, in one eth card and out the other. Of course I put up a Linux firewall and I installed Snort (in alert mode), and just watched the logs and IPs grow...
What is this telling all of us? I did not advertise my IP, post a 'catch me if you can' banner, and yet I was bombarded with attacks of all sorts. This tells me that, for the 3 years I have been running a high speed, always-on connection, I have been bombarded just as regularly, but did not know it.
This really has enlightened me as to the fact that those who are NOT monitoring their own systems haven't a clue as to how often they are being scanned.
So, now the question remains, why wasn't I broken into before with all of these intrusion/denial attempts? I think it's because I have been fortunate enough to be scanned by only half-rate hackers. True hackers would have no problem doing an invasion/denial of service of some kind. Of course, I have nothing to offer the 'big boys', and the junior hacks just haven't been that lucky (after all, they are just in it for the thrill).
Bottom line, everyone is vulnerable, and if you keep something you can't afford to lose on your network, you probably will at some point.
My suggestion of course is for everyone to run a firewall, and have the means (hardware/software/knowledge) to monitor it, and keep your defenses up.... Do I sound paranoid to you, or just prudent... you decide.
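What the "logs and IPs" look like once you actually read them, as an added example that is not part of iashkenes's post or of Snort: a small triage of a Linux gateway's own drop log that separates a port scan (many distinct ports from one source) from a worm-style probe (hits only on the Windows file-sharing ports) and from stray noise, while ignoring LAN-side drops that are outbound rather than inbound. The syslog lines are constructed for the demo in the format of the Linux iptables LOG target; the "FW-DROP: " prefix, the WAN interface name and the 5-port scan threshold are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: triage iptables LOG lines from
# syslog. Log lines are constructed; "FW-DROP: " prefix, WAN name and the
# 5-distinct-port scan threshold are assumptions made for the demo.
WAN=eth0

# Constructed log: one source scanning ten ports, one hammering only the
# Windows file-sharing ports, one stray hit, and one LAN-side (outbound)
# drop that must be ignored because it is not an inbound probe.
sample_log() {
cat <<'EOF'
Jan 14 21:03:11 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 14 21:03:11 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 14 21:03:11 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jan 14 21:03:12 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jan 14 21:03:12 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=80 SYN
Jan 14 21:03:12 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=40006 DPT=110 SYN
Jan 14 21:03:13 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=40007 DPT=135 SYN
Jan 14 21:03:13 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=40008 DPT=139 SYN
Jan 14 21:03:13 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=40009 DPT=443 SYN
Jan 14 21:03:14 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=40010 DPT=1433 SYN
Jan 14 21:07:41 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=3012 DPT=135 SYN
Jan 14 21:07:42 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=3013 DPT=135 SYN
Jan 14 21:07:44 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=3014 DPT=135 SYN
Jan 14 21:07:45 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=3015 DPT=445 SYN
Jan 14 21:09:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=80 SYN
Jan 14 21:10:30 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.50 PROTO=TCP SPT=1045 DPT=445 SYN
EOF
}

# One line per source: "CLASS src total-hits distinct-ports", busiest first.
triage() {
    awk -v wan="$WAN" '
    BEGIN { smb["135"] = 1; smb["137"] = 1; smb["138"] = 1; smb["139"] = 1; smb["445"] = 1 }
    /FW-DROP:/ {
        src = ""; dpt = ""; inif = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/)  inif = substr($i, 4)
            if ($i ~ /^SRC=/) src  = substr($i, 5)
            if ($i ~ /^DPT=/) dpt  = substr($i, 5)
        }
        # only unsolicited traffic arriving on the WAN side counts as a probe
        if (inif != wan || src == "" || dpt == "") next
        hits[src]++
        if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        if (!(dpt in smb)) nonsmb[src] = 1
    }
    END {
        for (s in hits) {
            if (ports[s] >= 5)       cls = "SCAN"        # many distinct ports
            else if (!(s in nonsmb)) cls = "WORM-PROBE"  # file-sharing ports only
            else                     cls = "NOISE"
            printf "%s %s %d %d\n", cls, s, hits[s], ports[s]
        }
    }' | sort -k3,3nr -k2,2
}

# Demo run on the constructed log; on a real gateway:
#   grep 'FW-DROP:' /var/log/messages | triage
sample_log | triage
```

The classification is deliberately crude, but it captures the point of the post: a few minutes of drop log already show who is sweeping the address range and who is just a worm knocking on 135/445, and the LAN-side line (a local box trying to reach port 445 on the Internet) is the kind of thing an outbound block exists to catch.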
KAD: Re: Really, just how safe are we.
said by iashkenes: Last weekend, I removed my Linksys router/switch from my DSL modem. I hooked up directly to my Linux box, in one eth card and out the other. Of course I put up a Linux firewall and I installed Snort (in alert mode), and just watched the logs and IPs grow...
What is this telling all of us? I did not advertise my IP, post a 'catch me if you can' banner, and yet I was bombarded with attacks of all sorts. This tells me that, for the 3 years I have been running a high speed, always-on connection, I have been bombarded just as regularly, but did not know it.
This really has enlightened me as to the fact that those who are NOT monitoring their own systems haven't a clue as to how often they are being scanned.
So, now the question remains, why wasn't I broken into before with all of these intrusion/denial attempts? I think it's because I have been fortunate enough to be scanned by only half-rate hackers. True hackers would have no problem doing an invasion/denial of service of some kind. Of course, I have nothing to offer the 'big boys', and the junior hacks just haven't been that lucky (after all, they are just in it for the thrill).
Bottom line, everyone is vulnerable, and if you keep something you can't afford to lose on your network, you probably will at some point.
My suggestion of course is for everyone to run a firewall, and have the means (hardware/software/knowledge) to monitor it, and keep your defenses up.... Do I sound paranoid to you, or just prudent... you decide.
Well, with services like "My Net Watchman" you wouldn't have to be on top of your net logging. I do have my router set up to forward repeat intrusion attempts to me in email so I can see what's going on.
NAT and ZoneAlarm should be more than enough for anyone (provided they do not "permit" everything in ZA!).
wentlanc:
said by iashkenes: So, now the question remains, why wasn't I broken into before with all of these intrusion/denial attempts? I think it's because I have been fortunate enough to be scanned by only half-rate hackers. True hackers would have no problem doing an invasion/denial of service of some kind. Of course, I have nothing to offer the 'big boys', and the junior hacks just haven't been that lucky (after all, they are just in it for the thrill).
Bottom line, everyone is vulnerable, and if you keep something you can't afford to lose on your network, you probably will at some point.
My suggestion of course is for everyone to run a firewall, and have the means (hardware/software/knowledge) to monitor it, and keep your defenses up.... Do I sound paranoid to you, or just prudent... you decide.
You sound deluded. Just exactly what do you have to offer anyone, let alone the "big boys"? And who are these "big boys" anyway? And what thrill would the "junior hacks" get by slowing up your DSL connection? They really would have no clue if they even affected you in any way. Most of your "junior hacks", or script kiddies, are simply out to fire and forget stupid attacks. A common misconception about hackers is that they give a rat's butt about attacking the majority of internet users. Real hackers are trying to pull one over on targets of interest that will get some public attention. Not your home DSL account.
kfolsom: Every Scan to which I submit my computer comes up "Stealth" or "Closed"...
I have a Microsoft MN-500 (don't laugh; over one year with no problems) and Zone Alarm Pro, along with AVG Pro Antivirus. My router discards pings, so obscurity is my first line of defense.
I have never had an outgoing packet that I didn't expect or want. I have never had an incoming connection that I didn't want. (To my knowledge; I would have detected the results of such by now.)
*note* I don't use "Messengers" or other stuff like that, but I do use EchoLink (Ham VoIP). My router gracefully handles the port openings, and my soft firewall is configured properly so that it's closed when I'm not actually using it.
I don't buy from fear-mongers.
Supafly: This guy is a security expert? Pfffft....
SPI is nice, but it doesn't really add much to the functionality that NAT already brings to the table. My router has SPI along with outgoing protection; this guy is an idiot.
said by The Article: "A real firewall, he suggested, should deny all outbound access unless explicitly allowed."
What a crock. If you block all outgoing ports on a firewall, you'll lose all connectivity to the internet because you won't be able to send any request for information, which in turn will not open any incoming ports for the data to go through.
Zone Alarm is an excellent solution, but it does not provide any protection for anyone else on the network that doesn't have it installed. I understand that it wasn't designed to do so, but the next best solution would be for consumer-level routers to become aware of network activity on the software layer; think Zone Alarm on the router.
If a piece of software requests access to the Internet, the router will intercept it and send a notification to the computer asking if they want to allow it. That's the next step in consumer security in my opinion. There's no way around the dumb user; social engineering is and will always be the most widely used way to hack and attack.
C3 "Oh Hallah" (join: 2002-11-12, Los Angeles, CA; RoadRunner Cable, Charter Pipeline; edit: January 14th, @08:26PM)
Why?
I don't pretend to know much about security and ports (more than I need to, at least), but why would you want outbound connections through port 80 blocked? How are you supposed to view web pages then? The same goes for other ports as well (ftp, smtp, pop3, imap, https, etc.).
EDIT: BTW, I don't trust software firewalls as much as hardware, because for a software firewall to block something, whatever is trying to intrude is already at your computer (even though it is being blocked). Hardware firewalls will block it before it reaches your computer. However, software is good to use as a secondary form of security. These are just my feelings.
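The "deny outbound unless explicitly allowed" rule set that Supafly and C3 are discussing above, modelled as an added example (this is not code from the page, the article or any of the posters): a stateful filter with a default-deny outbound policy, an explicit allow-list for tcp/80, tcp/443 and udp/53, and a flow table that admits the return traffic of flows it has already permitted. The addresses, ports and the policy itself are constructed for the example. The demo sequence shows that a web request and the server's reply pass, an unsolicited inbound probe is dropped, and a program reaching for a port that is not on the list is blocked in both directions, so an explicit-allow outbound policy is not the same as blocking all outgoing ports.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet crossing the firewall. direction is 'out' (LAN to Internet) or 'in'."""
    direction: str
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# (proto, src_ip, src_port, dst_ip, dst_port) as seen in the outbound direction
FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Default-deny outbound filter with an explicit allow-list and a flow table.

    An outbound packet is accepted only if it continues a tracked flow or starts
    a new flow to an allowed (proto, port). An inbound packet is accepted only as
    the reply to a tracked outbound flow; anything unsolicited is dropped, which
    is why unsolicited probes see 'closed' ports, just as behind a NAT box.
    """

    def __init__(self, allowed_outbound: Iterable[Tuple[str, int]]):
        self.allowed: Set[Tuple[str, int]] = set(allowed_outbound)
        self.flows: Set[FlowKey] = set()

    def evaluate(self, p: Packet) -> str:
        if p.direction == "out":
            key: FlowKey = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
            if key in self.flows:
                return "ACCEPT"            # continuation of a permitted flow
            if (p.proto, p.dst_port) in self.allowed:
                self.flows.add(key)        # new flow to an explicitly allowed service
                return "ACCEPT"
            return "DROP"                  # not explicitly allowed: denied by default
        # inbound: the reply direction swaps source and destination
        reverse: FlowKey = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return "ACCEPT" if reverse in self.flows else "DROP"


# Hypothetical home policy (an assumption for this example): web, TLS and DNS out, nothing else.
HOME_POLICY = [("tcp", 80), ("tcp", 443), ("udp", 53)]


def run_demo() -> List[str]:
    """Constructed packet sequence (RFC 5737 documentation addresses); returns the verdicts."""
    fw = StatefulFilter(HOME_POLICY)
    lan, web, stranger, unlisted = "192.168.1.10", "203.0.113.5", "198.51.100.7", "198.51.100.23"
    packets = [
        Packet("out", "tcp", lan, 1044, web, 80),           # browser opens a web page
        Packet("in", "tcp", web, 80, lan, 1044),            # the web server's reply
        Packet("in", "tcp", stranger, 40000, lan, 3389),    # unsolicited inbound probe
        Packet("out", "tcp", lan, 1051, unlisted, 6667),    # a program calling out on an unlisted port
        Packet("in", "tcp", unlisted, 6667, lan, 1051),     # its reply; the flow was never tracked
        Packet("out", "udp", lan, 1060, web, 53),           # DNS lookup
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The toy keys flows by 5-tuple only; a production stateful filter also checks TCP flags (a new flow must begin with a SYN), ages entries out of the table, and handles UDP pseudo-connections with short timeouts. None of that changes the policy point: the explicit allow-list decides which new outbound flows may start, and connection tracking, not open inbound ports, lets the answers come back.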
warlock56 (Premium, join: 2002-07-31, Arlington, TX)
Complete BS (from a home user perspective)
You know what? Go ahead and believe all that Hollywood overhyped drama if you want. Me, whenever I see that I'm getting hacked into, I'll just reach over and unplug the network cable.
-- 1. Peace through superior firepower 2. Condoleezza Rice for 2008 President
Turbonuim (join: 2003-02-14, Los Angeles, CA)
Re: Complete BS (from a home user perspective)
Pull the plug??? Explain that to a multi-million dollar company who doesn't want and will not want to hear "I just pulled the plug." Do that at home, but that will never fly at work.
jconnell (join: 2002-06-04, Newark, DE)
So you're going to know when the attack is happening so you can pull the plug right then? Don't think so...
xrandy5 (join: 2002-11-22, Santa Cruz, CA)
Which Router?
Fine, it seems clear enough that ZA is a default software firewall, but which router is the hardware equivalent?
And how ugly is it to simply run ZA with no hardware firewall?
bpx (join: 2003-01-25, Saint Augustine, FL)
Security 101
It all boils down to this: you can have the best software and hardware firewall out there, but if you don't know how to use it, you are vulnerable.
winky "Turn Left At The Moon" (join: 2001-02-11, Saint Louis, MO)
Re: Security 101: BINGO!
A cracker's best friend is an uneducated user. An uneducated user is a "security" company's best sales lead.
I had a client who had previously been told by a "consultant" that any twelve-year-old kid could get by a common Linksys router (a seemingly common "sales tool"). Fortunately, the client was able to provide a connection outside his LAN and told him to have at it. The guy fumbled around at the DOS prompt a while and finally gave up. I wish I could have been there! When it comes to security there are no absolutes, but lots of possibilities. I explained his vulnerabilities and sold him a PIX (with the options for his needs). I keep track of things for them and nobody loses any sleep, including me. If you don't fit the solution to the situation, you're not doing anybody any favors.
-- NEGATIVE... I am a meat popsicle.
JimF (join: 2003-06-15, Allentown, PA)
No firewall needed
Actually, no firewall at all is needed if you are not running any servers. The simplest way is to not install any. Conversely, if you do install a trojan, neither a hardware firewall nor a software firewall is going to stop the latest backdoor programs from calling out.
I was amused by the comment in the cited article: "A NAT box doesn't broadcast your machine's IP address, so it's a little hidden, ... But NAT boxes don't protect you once a hacker finds your open connection."
Utter nonsense, if you are not opening a port to a server.
Having said that, a hardware firewall is not a bad idea to protect you from unpatched vulnerabilities. You can be infected with Blaster in less than 30 seconds from the time you connect to the Internet if your Windows system is not patched. But you need to apply all the patches in any case.
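JimF's post rests on two things a home user can actually check: whether the machine is listening for anything (a stock Windows install of that era listened on ports such as 135 and 445 out of the box, which is exactly what Blaster exploited) and whether some program is already calling out. The following is an added example, not from the page or any of the posters, that parses a socket table in the shape of Windows `netstat -ano` output and reports sockets bound on non-loopback interfaces (services reachable from the network) and established connections owned by a program outside a trusted list. The sample netstat text, the PID-to-program map and the trusted-program list are all constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the shape of `netstat -ano` output; not captured from any real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1152
  TCP    192.168.1.10:1044      203.0.113.5:80         ESTABLISHED     2040
  TCP    192.168.1.10:1051      198.51.100.23:6667     ESTABLISHED     3344
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID-to-image map, the kind of thing `tasklist` would give; an assumption for the example.
SAMPLE_PROCESSES = {912: "svchost.exe", 4: "System", 1152: "alg.exe",
                    2040: "iexplore.exe", 3344: "unknown.exe"}

# Programs the user knows should talk to the Internet (constructed); anything else deserves a look.
TRUSTED_OUTBOUND = {"iexplore.exe", "outlook.exe"}

# proto, local address, foreign address, optional state (absent for UDP), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn netstat -ano style lines into rows; header and blank lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = local.rsplit(":", 1)     # rsplit copes with IPv6-style brackets too
        rows.append({"proto": proto, "lhost": lhost, "lport": int(lport),
                     "foreign": foreign, "state": state or "", "pid": int(pid)})
    return rows


def audit(text: str, processes: Dict[int, str], trusted: Set[str]) -> Dict[str, list]:
    """Report network-reachable listeners and outbound connections from untrusted programs."""
    exposed, unexpected = [], []
    for r in parse_netstat(text):
        name = processes.get(r["pid"], f"pid {r['pid']}")
        # TCP sockets in LISTENING, or UDP sockets with no peer, accept traffic from the network
        listening = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["foreign"] == "*:*")
        if listening and r["lhost"] != "127.0.0.1":
            exposed.append((r["proto"], r["lport"], name))     # reachable from outside the host
        elif r["state"] == "ESTABLISHED" and name not in trusted:
            unexpected.append((name, r["foreign"]))            # a program calling out unasked
    return {"exposed_listeners": exposed, "unexpected_outbound": unexpected}


if __name__ == "__main__":
    report = audit(SAMPLE_NETSTAT, SAMPLE_PROCESSES, TRUSTED_OUTBOUND)
    for proto, port, name in report["exposed_listeners"]:
        print(f"listening from the network: {proto}/{port} ({name})")
    for name, peer in report["unexpected_outbound"]:
        print(f"untrusted program connected out: {name} -> {peer}")
```

Running it against the constructed sample reports three network-reachable listeners (tcp/135, tcp/445 and udp/137, all owned by system processes and present without the user having "installed a server"), ignores the loopback-only socket, and flags the one established connection whose owner is not on the trusted list. The loopback exclusion and the trusted list are the two knobs a user would tune to their own machine.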
Delta 46 (Premium, join: 2003-03-08, USA; edit: January 16th, @12:11AM)
Firewalls overrated
The need for a firewall by the average broadband home user is so overrated it would be hard to overrate the touted need.
Most users, especially those with a dynamic IP, could get by fine without a firewall.
Is any type of firewall better than no firewall? Yes. Does that mean it is a really highly needed item? No.
If I had a static IP instead of a dynamic one, I would post my IP here and challenge anyone to get by my home software firewall. My computer would die of old age before anyone would be successful in hacking me.
FUD is right.
SomerZ (@pipex.com)
So how exactly does this work in the real world?
Real world scenario:
I'm reasonably computer literate. I can't program professionally, but I can do a dab hand at most end-user tasks. I can install, back up and manage my WinXP PC, I'm on DSL, I've put the latest Zone Alarm on with AVG, and configured their options reasonably well. This is the limit of my capabilities at present.
Zone Alarm worries me: too often some anonymous part of the Windows OS (e.g. "application layer gateway") seems to be asking to access the internet, and I don't know what program is trying to use it, or if that's always legitimate, or not. Since I'm running a whole load of internet-accessing programs, it's impossible to tell what program is making the request, or why.
So I decided to try a different firewall for a bit. I tried some of the better known software firewalls. I don't want to name names, because this post isn't about the pros and cons of "which one to use"; it's the principle of it all.
I gave up.
Rules upon rules, none of which I understand. Port mapping to run mIRC DCC, which I vaguely understand, but I can't configure mIRC and wouldn't have a clue how to configure a proper firewall. I looked at this plethora of information (I was using Tiny firewall at this point, having tried to understand 4 others) and just gave up.
It seems that to use a professional firewall requires specialist knowledge. I'm back on Zone Alarm. I don't know if I'm secure or not. What I do know is, I don't have a choice. I just don't have the technical understanding or ability to learn how to manage any of the others I tried. I know which programs are allowed on the net, but ports, rules, packets, protocols... god knows, they all use different ones, and I spent a month trying to understand it all.
If I can't (and although I'm an amateur I am likely to be far more skilled than 60% of computer end-users), what hope have the majority of us got?
Analogy: imagine that to run an anti-virus program, you bought the basic engine and some basic heuristics rules, and then had to fine-tune the heuristics rules yourself.
Never mind the Ciscos and PIX and SMC and stateful packet inspection. If you can't use it, you can't configure it, you don't understand it... then these are pointless to argue over except for knowledgeable professionals.
Comments on the real world scenario, for people who don't have the time, or capability, to get a qualification in understanding rules, ports, protocols and the net connections used by each and every program on the net.
(Typical programs include ICQ, mIRC, Trillian, Yahoo IM, eMule, Skype, MS Windows, file sharing, internet connection sharing, email, Windows Media Encoder, http, https, ftp, game clients, LiveJournal clients, Winamp CDDB clients, Norton LiveUpdate, remote desktop, remote assistance, ... you get the idea... like how many users are going to know what settings to use for all the programs out there?)
So.....
What exactly is best practice for everyday folk who wish to be responsible and ensure their machines are safe, and who either don't understand, can't understand, or feel they don't want to have to study and understand any of this at a technical level?