Re: Windows xp security



Sebastian Gottschalk wrote:
> Winged wrote:
>
>> A firewall is necessary on both Linux and Winx systems, if nothing else
>> to protect us from ourselves.


> A firewall can't protect you from yourself.

Oh, but it can. I have made mistakes in configuration files in Linux that made the system wide open (yes, I make mistakes) but I was not exposed because of the firewall configuration. Computer security is not relying on any single layer to keep you secure but multiple layers that must be crossed before communication occurs.


>> If you have multiple client nodes, then clients should be firewalled as
>> well as the subnet entry point.


> Wrong point. Host security involves client configuration, which is
> supposed to make host-based packet filtering at the client level obsolete.
> However, you might do so anyway, but please don't call it a firewall as
> it is none.

Hrrmmm, packet filtering is a non-stateful method of firewalling. Many routers are used as a non-stateful firewall to wall off communications.


>> 99% (your number) of the time the AV isn't needed. It's that 1% that
>> kills the computer.


> A virus scanner doesn't protect your computer. However, it can be a
> useful host-based intrusion detection system.

Hrrmm, I see a number of our clients on a daily basis receive viruses of many flavors and see where the AV software prevented execution. The ones the AV stops are usually non-issues; however, it's the ones they don't catch that worry me.

>> Even if one is knowledgeable, running without AV
>> can be dangerous.


> I wonder why I've been doing so for years...

Because you rely on you yourself and you. In most networks, people with varying degrees of expertise and habits operate. There have been a number of threats through the years that only required a user to be net connected.

I have been working with computers since the late 70s. I have never seen an invulnerable connected computer. I have had unknown vulnerabilities exploited even on hardened machines. (Remembers a 3270 terminal application where hitting escape right after a page down dropped the user to a root prompt. Shudders.)




>> It is simple enough to place a virus in a VM isolated
>> from the core system to examine and even run them to see the critters'
>> behavior.


> No. A virus could detect the presence of a VM and change its behaviour.
> You should never, even after examination, run any untrusted code outside
> a sandbox.

A virus could, I just have never seen one. While I have corrupted the VM I have never had one jump out of the VM environment. No argument that an isolated device is best, but I have always been able to find what I needed inside the VM. You are right it is not best practice, but it is expedient until some critter proves me wrong then I will waste an hour to recover. Running inside VMs is useful as you can examine its full network communication in a constrained environment. As long as my core system file checksums continue to match I can be reasonably assured the virus didn't get out of the VM.


>> With exploits being discovered daily it is not enough to be
>> knowledgeable. A hardened system is far more resistant to exploit.


> Rightout I'm still bragging about my Firefox configuration that made it
> invulnerable against almost any (read: except 1) security problem
> discovered since version 0.8.

Interesting, I too have been running Firefox since the .8 days and am aware of several vulnerabilities where the flaw was related to Java or Windows, where simply viewing an image could compromise the system. http://secunia.com/product/4227/ indicates several vulnerabilities that could compromise a system; some were actively being exploited before a patch was released. Note: I do not criticize Firefox configuration, I just consider nothing "invulnerable". Yes, you could possibly set Firefox to do no Java scripting or Java apps and not display images, but those PowerPoint charts on the web might be hard to view. In the business world I can not control another IT shop's requirement to access web apps. Worse, most plug-ins do not allow you to constrain what site has communication access to the plug-in. In my opinion this is a serious security flaw in both Firefox and IE.

In my world, sometimes I can't just say no to what is required to do business. One of the things I like about the Symantec product is I can restrict what ports and addresses a specific piece of software is allowed to communicate with; for example, the mail client can only communicate with the mail server, etc. With plug-ins I lose that control.

Yes, I could create a specific profile to do specific business to control plug-in activity, but getting 4000+ users to use them properly....sigh

I am a Firefox fan and user; however, there are some business requirements that Firefox does not meet.



> Simple thing: Not running any untrusted executables eliminates the most
> important attack vector.

I concur running untrusted executables is bad practice, but it is not the only exploit vector being used in today's environment. I can lock a system down so that it is highly resistant to compromise; however, in doing so I reduce the system's usability.

Security is a balancing act of usability versus security. We could eliminate the need for firewalls and antivirus; however, the device might not perform all the functions we desire or have requirements to use. Every network-capable piece of software you use expands the window of vulnerability. Maybe someday they will let me be God instead of a minor demigod and I can fix this, really I can....

>> While it is true AV and firewalls do impact performance somewhat, on
>> most modern systems it has negligible impact.


> LOL


>> If you want NAV to not process communications with a trusted site simply
>> put it in the trusted zone.


> Why should one want to do so? Exploits are trivial to encode.

Hrrmm, yup, must be trivial; I see folks all over the world trying new exploits daily using every conceivable vector.


> And what is the "trusted zone" anyway? My Firefox only knows a
> domain->policy mapping. Nah, you don't want to misuse IE as a web browser.

Ah, I was referring to the trusted host portion of NAF, where the Symantec Firewall/AV client ignores (passes) all communication with the trusted host. Under the network portion of the firewall, "Trusted" host communications pass without processing and "Restricted" site I/O is dropped (blocked).



>> People who run without protection get AIDS...same thing happens to
>> computers.


> Yet another bad comparison. To get it right, your condom would have some
> holes to express how reliable the protection is: Unreliable, and in case
> of doubt it fails miserably.

Nods, yup, they fail sometimes too...miserably.

Winged
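The disagreement above over whether host-based packet filtering is a "firewall" and whether it can cover a configuration mistake comes down to state: a stateless rule set judges each packet on its own header bits, while a connection-tracking filter allows inbound traffic only when it answers a connection the host itself opened. The following simulation is an added example written for this page, not code from either poster or from any product they mention; the hosts, ports and the accidentally exposed service on port 3306 are constructed for the scenario.

```python
"""Toy stateless versus connection-tracking (stateful) packet filter.

Both filters see the same four packets: a legitimate outbound IMAP connection and its
reply, a plain connection attempt to a service that was left listening by mistake,
and a stray ACK-only packet to that service. Only the stateful filter rejects the last one.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out", relative to the protected host
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def is_new_connection(pkt: Packet) -> bool:
    """A bare SYN (no ACK) is the first packet of a new TCP connection."""
    return "SYN" in pkt.flags and "ACK" not in pkt.flags


def stateless_filter(pkt: Packet) -> str:
    """Stateless rule set: drop inbound connection attempts, allow everything else.
    'Everything else' is how stateless filters approximate 'established' traffic."""
    if pkt.direction == "in" and is_new_connection(pkt):
        return "DROP"
    return "ACCEPT"


class StatefulFilter:
    """Connection-tracking filter: inbound traffic is accepted only when it
    matches a connection the host itself initiated."""

    def __init__(self) -> None:
        # Entries are (local_port, remote_ip, remote_port) of host-initiated connections.
        self.tracked: set = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if is_new_connection(pkt):
                self.tracked.add((pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: the reply's (dst port, src ip, src port) must match a tracked entry.
        if (pkt.dport, pkt.src, pkt.sport) in self.tracked:
            return "ACCEPT"
        return "DROP"


HOST = "10.0.0.5"        # constructed: the protected workstation
MAIL = "10.0.0.25"       # constructed: the mail server the host legitimately talks to
OTHER = "203.0.113.7"    # constructed (TEST-NET-3): an unrelated external host


def run_scenario() -> dict:
    """Feed the same packets to both filters and return each filter's verdict."""
    stateful = StatefulFilter()
    # 1. Host opens an IMAP connection to the mail server; the server replies with SYN/ACK.
    out_syn = Packet("out", HOST, 50000, MAIL, 143, frozenset({"SYN"}))
    reply = Packet("in", MAIL, 143, HOST, 50000, frozenset({"SYN", "ACK"}))
    # 2. A service on the host was accidentally left listening on 3306 (the configuration
    #    mistake from the discussion); a plain connection attempt arrives from outside.
    new_conn = Packet("in", OTHER, 40000, HOST, 3306, frozenset({"SYN"}))
    # 3. A stray ACK-only packet to the same port that no tracked connection explains.
    stray_ack = Packet("in", OTHER, 40001, HOST, 3306, frozenset({"ACK"}))

    results = {}
    for name, pkt in [("out_syn", out_syn), ("reply", reply),
                      ("new_conn", new_conn), ("stray_ack", stray_ack)]:
        results[name] = {"stateless": stateless_filter(pkt),
                         "stateful": stateful.filter(pkt)}
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:10s} stateless={verdicts['stateless']:7s} stateful={verdicts['stateful']}")
```

Both filters pass the legitimate exchange and both drop the plain connection attempt, which is the case where the host-based filter covers the mistake in the service's configuration. They differ on the stray ACK: the stateless filter lets it through because it has no way to know whether a connection exists, while the connection-tracking filter drops anything it cannot tie to a tracked outbound connection. That gap is the practical reason to prefer a stateful host filter over a plain packet filter as the last layer in front of a service that should not have been reachable at all.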




