Re: firewall opinions

From: Leythos (void_at_nowhere.lan)
Date: 02/21/05


Date: Mon, 21 Feb 2005 15:47:10 GMT

On Mon, 21 Feb 2005 04:18:34 +0000, JW wrote:
>
> thanks again Leythos. always good to hear from you, since you are
> always a valuable contributor. no dispute or disagreement with anything
> you said. what is unfortunate is that 99.99% of the average PC users in
> the world will never read anything that you or i write here.

Yea, it's really too bad that not only will they never read it, but they
will never understand that there are serious security problems with their
default configured machines. Even worse, once they do get compromised the
first time, they won't learn anything from it, and their repaired machine
will still not be secured.

> 99.99% of the average PC users in the world will acquire something for
> PC security (whether it is hardware or software), and do little more
> than plug it in and walk away, like a microwave oven. they have no
> desire to spend hours reading instructions about how to tweak and
> configure the firewall (hardware or software) to stop every conceivable
> intruder/intrusion. that's why the best hardware firewall in the
> world will always be less than adequate in the hands of 99.99% of
> average PC users in the world. this is exactly why 99.99% of average
> users in the world need Both a software and a hardware firewall.

Let me give you an example of a Sorority that we manage. When the
residents started this year, only one was a returning resident, all the
others were new residents. The ones that came from the Dorms at the Univ
to the house were the most infected of all of them. The next worst were
the ones that had been living in apartments with other students - with one
exception, two of them had been sharing an internet connection in a house
where they had a simple Linksys router - they had spyware but not serious
problems.

As part of our overall solution we installed a Linksys BEFSX41 router (NAT
box) between the ISP's DSL modem and their 48 port switch for the house.
We also installed a Windows 2000 Server running IIS (to allow remote
access to the router logs) and WallWatcher, and VNC on a non-default port
and with a nasty password.

With this configuration, and with the residents using email from the Univ,
they have all managed to remain virus free, spyware free, and safe without
using any personal firewalls. How do I know? I can see it in the router
logs. It was funny, I noticed the traffic go from 8mb per day to around
30mb once and tracked it back to a resident that had installed Kazaa,
which is a violation of the AUP, and it took a simple BLOCK of her IP in
the router to stop it, and then a call to get her to remove it, and it was
all resolved again.

Oh, we installed AVG and Firefox for all systems, and AVG has been updated
to AVG7. Any machine that was running McCrappy (McCaffy) had it replaced
with AVG or Norton AV (if they could afford NAV).

Now, one other thing, I block outbound 135,136,137,138,139,445, 1433/1434,
1026,1027 to those destination ports. The only inbound is the IIS (and
it's locked down and requires a user/password) and the VNC on non-default
port.

So, with almost 6 months of running time and 40+ residents, I would hazard
a guess that the router is able to do about 99% of the protection they
need.

> as if the above were not convincing enough, hardware firewalls are
> inherently clueless to stop the vulnerability described by Gibson
> Research Corp in their LeakTest documentation at www.grc.com. This
> leaves over 99% of average PC users in the world vulnerable, who go
> surfing the "wild wild web" logged in with Administrator privileges.

Actually, LeakTest is a scare tactic, a good one, but a scare tactic - much
like vendors calling routers with NAT firewalls (which they are not). A
real firewall should be configured to block most of what LeakTest will
attempt - about the only outbound traffic that should be exposed is 25,
80, 110, 443, 53 for people that use external mail servers and SOHO
devices or cheap routers.

It should also be noted that a personal firewall application running on
your typical user's computer won't protect them either as most of them will
permit an application to access the internet without even knowing what
that application is or is doing.

> Does the fault lie with the uneducated user? Of course. this is
> precisely why over 99% of average PC users in the world need Both a
> hardware and a software firewall.

Sure, it lies with the user, but, like sheep, there are simple things
that ISPs can do to protect them. Almost every ISP's cable/DSL modem has
the ability to provide NAT and block unsolicited inbound traffic - if they
would just install them in this mode as default it would eliminate a lot
of issues with users' computers. Allowing a user, without question, to
request that NAT be disabled would be necessary too.

I guess what we have to figure out is how a user that can't be protected
by a hardware appliance is going to be protected from their own ignorance
when running a PFW - since they are more likely to get compromised by
misconfiguring the PFW I don't know where to begin with them.

> farewell for now. as always, it has been a benefit and pleasure to
> cross paths with you again. i always see something new or different,
> when i hear back from you. have a nice weekend.

It's been great chatting with you too - look forward to your reply. Have a
great week.

-- 
spam999free@rrohio.com
remove 999 in order to email me
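As an added example, not code from the post or from either participant: the router policy described above (default-allow outbound except the listed destination ports, default-deny inbound except IIS and VNC on a non-default port) and the per-host daily-volume check that caught the Kazaa install, written as a small Python check over constructed router log records. The log format, the server address, the VNC port and the sample traffic values are assumptions.

```python
from collections import defaultdict

# Outbound destination ports the post blocks at the router (RPC/NetBIOS/SMB, MS-SQL, 1026/1027).
BLOCKED_OUT_PORTS = {135, 136, 137, 138, 139, 445, 1433, 1434, 1026, 1027}
# The only exposed inbound services: IIS (router log viewer) and VNC on a non-default port.
# The server address and the VNC port number are constructed assumptions, not from the post.
ALLOWED_IN = {("192.168.1.2", 80), ("192.168.1.2", 5909)}

# Constructed router log, one record per line: day,direction,src_ip,dst_ip,dst_port,bytes
# (1214 stands in for the P2P client's port; 5900 is a probe at the default VNC port).
SAMPLE_LOG = """\
1,out,192.168.1.20,203.0.113.5,80,4000000
1,out,192.168.1.20,203.0.113.7,445,1200
1,out,192.168.1.21,198.51.100.9,443,3500000
2,out,192.168.1.20,203.0.113.5,80,4100000
2,out,192.168.1.21,198.51.100.44,1214,26000000
1,in,203.0.113.99,192.168.1.2,5909,900
1,in,203.0.113.99,192.168.1.2,5900,600
"""

def parse_log(text):
    recs = []
    for line in text.splitlines():
        day, direction, src, dst, port, nbytes = line.split(",")
        recs.append({"day": int(day), "dir": direction, "src": src, "dst": dst,
                     "port": int(port), "bytes": int(nbytes)})
    return recs

def verdict(rec):
    """Default-allow outbound except the blocked ports; default-deny inbound except ALLOWED_IN."""
    if rec["dir"] == "out":
        return "BLOCK" if rec["port"] in BLOCKED_OUT_PORTS else "ALLOW"
    return "ALLOW" if (rec["dst"], rec["port"]) in ALLOWED_IN else "BLOCK"

def daily_outbound_bytes(recs):
    """Sum outbound bytes per (host, day), counting only traffic the policy lets through."""
    totals = defaultdict(int)
    for r in recs:
        if r["dir"] == "out" and verdict(r) == "ALLOW":
            totals[(r["src"], r["day"])] += r["bytes"]
    return dict(totals)

def flag_jumps(totals, factor=3.0):
    """Hosts whose allowed outbound volume grew by at least `factor` day over day."""
    flagged = []
    for (host, day), b in sorted(totals.items()):
        prev = totals.get((host, day - 1))
        if prev is not None and b >= factor * prev:
            flagged.append((host, day))
    return flagged
```

Running `flag_jumps(daily_outbound_bytes(parse_log(SAMPLE_LOG)))` singles out the host whose allowed outbound volume jumped on day 2, which is the kind of per-IP review of router logs the post relies on.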
