Re: Pro-active Security Software?

From: David P. Donahue (ddonahue_at_ccs.neu.edu)
Date: 08/06/03


Date: Tue, 5 Aug 2003 20:53:39 -0400


> Try ipcop, as near a firewall-in-a-box as you can get. And free.
> Ultimately, you will need to deal with iptables, which is not too hard.
> There are good, basic tutorials, as well as various HOW-TOs which should
> exist in any Linux distribution.

Looks pretty good, I'll check it out. Thanks :)
As you can probably guess from my posts, out-of-the-box security is a big
plus here. I'd like something that's pretty secure from the get-go and I
can play around with it and learn it while I use it.

> Iptables can use PIDs, so it is possible to designate Linux applications
> which should have Internet access. TCP/IP does not carry details of the
> originating program, so this only works on the machine which is running
> iptables. To further protect the interior Linux network machines,
> iptables running on those machines should be told which programs are
> authorised to connect to Internet hosts.

I'll definitely take advantage of such a feature on the Linux firewall that
I make. The internal machines will be considerably more open than it so
they can actually be used :) But, of course, the more I learn how to do on
the firewall to tighten it up, the more I can configure the internal
machines to be more secure without being too invasive.

> This is more of a problem with Windows, so much so that several (free
> for non-commercial use) 'personal' firewalls exist. ZoneAlarm and Kerio
> are two names to google for, and there are others. With these, there is
> an operational mode and a training mode: in the latter you tell the
> firewall which applications can connect, possibly to which Internet
> hosts. These firewalls have commercial equivalents which allow more
> precise control. I have an ancient program called AtGuard which allows
> quite precise control, and I believe Norton Firewall is a latter-day
> version of this.

Personal firewalls on the internal machines may be a bit drastic. I've used
them before with our client at work and they really tend to get in the way
of normal usage. Sure, one would argue that they're more secure... but so
is just unplugging the machine :) I'll test a few and see if I like any of
them, but for the most part I have a policy of not trusting the Windows
machines as far as I can throw them. Some network services will be
available to them, and those services will be closely monitored and logged.

> I'm afraid that the biggest security improvement to Windows is not to
> use either Internet Explorer or Outlook/Outlook Express. Unfortunately
> many Windows users are unable to survive without them, but there are
> alternatives. Opera and Mozilla are two browsers/email clients available
> on Windows and Linux, which are generally not stupid enough to execute
> downloaded programs in emails or Web pages. A few Web sites will not
> work with anything but IE, but you must decide where the
> security/functionality tradeoff is set.

I'm afraid getting rid of IE and Outlook isn't an option for the users in
question. I am no exception. This falls back to the idea of not really
trusting the Windows machines on the network. I'll do my best to keep
everything on them patched, but that's about as far as it can go. I've
found ways to prevent IE from executing code I don't want it to, but I'm
afraid the little prompts are just too much for the other users and they'd
rather just let websites have their way on the local computer :) The
security/functionality tradeoff has to lean towards functionality in those
cases, so my goal is to keep the surrounding network as secure as possible
to compensate.
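As an added illustration of the two ideas discussed above (per-program egress control on the firewall host itself via the iptables owner match, and forwarding only chosen services from the untrusted internal machines while logging what they do), here is an example script. It is not part of the original post and is not IPcop's own code; the interface names, the LAN prefix, the uids and the service list are assumptions. Note that the owner match's `--pid-owner` and `--cmd-owner` options existed in 2.4 and early 2.6 kernels but were removed in 2.6.14, so the durable way to say "only this program may reach the Internet" is to run the program as its own unprivileged user and match on `--uid-owner`; the match only applies to locally generated packets, which is exactly the limitation the quoted reply mentions.

```shell
#!/bin/sh
# Added example, not from the original post or from IPcop.
# Builds two iptables chains on a Linux firewall:
#   OUTPUT  - per-program egress for the firewall host itself, using the
#             owner match on uid (run each Internet-facing program as its own
#             unprivileged user). --pid-owner/--cmd-owner existed in 2.4/early
#             2.6 kernels but were removed in 2.6.14; uid/gid owner remains.
#   FORWARD - only the listed services from the internal LAN are forwarded,
#             each new connection is logged, everything else is logged and dropped.
# Interface names, the LAN prefix, uids and services below are assumptions.
# Run with DRY_RUN=1 to print the commands instead of executing them.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                 # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                 # assumed LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed internal network

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# egress_rules "uid:port[,port...]" ...
# e.g. egress_rules "1001:80,443" lets only processes running as uid 1001
# open TCP connections to ports 80 and 443 on the Internet.
egress_rules() {
    run -F OUTPUT                  # start clean so re-runs do not append duplicates
    run -P OUTPUT DROP
    run -A OUTPUT -o lo -j ACCEPT
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -p udp --dport 53 -j ACCEPT   # name resolution for everything
    for entry in "$@"; do
        uid="${entry%%:*}"
        ports="${entry#*:}"
        run -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports "$ports" \
            -m owner --uid-owner "$uid" -j ACCEPT
    done
    # anything else is logged (rate limited) and then hits the DROP policy
    run -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
}

# forward_rules "proto/port" ...
# e.g. forward_rules tcp/80 tcp/443 forwards only web traffic from the LAN.
forward_rules() {
    run -F FORWARD
    run -P FORWARD DROP
    run -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    for svc in "$@"; do
        proto="${svc%%/*}"
        port="${svc#*/}"
        # log each new connection so the internal (untrusted) hosts' use of
        # the service leaves a record, then allow it
        run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p "$proto" --dport "$port" -m state --state NEW \
            -j LOG --log-prefix "lan-$proto-$port: "
        run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p "$proto" --dport "$port" -j ACCEPT
    done
    run -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd-drop: "
}

# Assumed policy: uid 1001 runs the browser, uid 1002 runs an ssh client;
# the LAN may use web and outbound mail through the firewall.
install_example() {
    egress_rules "1001:80,443" "1002:22"
    forward_rules tcp/80 tcp/443 tcp/25
}

# Usage:  sh firewall.sh preview    (prints the rules)
#         sh firewall.sh apply      (as root, installs them)
case "${1:-}" in
    preview) DRY_RUN=1; install_example ;;
    apply)   install_example ;;
esac
```

The script deliberately touches only OUTPUT and FORWARD; INPUT to the firewall itself (where you would allow SSH from the LAN only) is a separate decision. Rules are ordered so the ESTABLISHED,RELATED accept comes first and the LOG rule sits last, just before the DROP policy takes effect, and each chain is flushed before being rebuilt so the script can be re-run. `-m state` is the 2.4-era spelling and is still accepted; newer iptables prefers the equivalent `-m conntrack --ctstate`.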


