divVerent wrote:
1. The firewall should run on dedicated hardware, so an attacker who successfully exploits the firewall doesn't have immediate access to your data. When you can't do that, run it on an UNIMPORTANT server. That is, if you have one - neither file, mail, print nor web servers are "unimportant enough" for that...
2. If the firewall runs on a different OS than your servers, an attacker who successfully exploited a flaw in the firewall OS can't use the same exploit to get access to your servers. This is the main advantage of "hardware firewalls", as you call them (although they DO run in software...). A dedicated Linux router firewalling a Windows network has the same advantage, but firewalling a Linux network with another Linux box won't protect you from attackers exploiting kernel flaws from the outside if there are any. But since nobody runs servers on Cisco's IOS...

The problem is that the best security policy is often difficult to implement and creates problems for the users. A few years ago I tried to write a simplified document which would fit the requirements of many small businesses and, trust me... it's difficult.
This was before ADSL became widely available in the UK, so part of the security was based on the fact that the system was only connected to the internet for relatively short periods. I should have set up DNS 'split-brained' but that was beyond the scope of the project. I also ended up running Samba on the firewall machine, which is definitely NOT a good idea. The alternative would have been to run it on another machine, but then it would have made sense to run all the other services such as DNS and mail (POP and SMTP) there too, and then routing and DNS become more complicated.
I think anyone who's connected to the internet, even home users, should definitely spend a few pounds/dollars/euros/whatever on a hardware router if they're connected by broadband. I bought a creative labs one on ebay for £2.76. That's about 4 dollars/euros.
Even the simplest of these now do MAC filtering, port forwarding, intrusion detection, etc., vital for a protected network. However, they can also do address mapping, set up a DMZ, etc., for those situations where this is necessary. I bought one for my daughter for about £35 and that included a USB wireless adaptor.
However, personally I think that having any kind of firewall, hardware or software, is almost worthless if the individual doesn't carry out best practice in their computer usage. This includes all the things already mentioned, but the importance of keeping your operating system patched can't be overstated.
Anyway, if anyone's interested, the document I produced is still online at
http://www.itosn.com
It's a bit old now but many of the things it mentions are still relevant today, and... it's FREE!

I didn't go through all aspects of securing a system for the reasons I've given and, let's be honest, I'm in the business... if I go around telling people ALL the secrets what do they need me for?
I keep meaning to update it to the latest version, openSUSE 10.0 (my current op. sys.), but there are other things to do, like earn a living, y'know!