Re: Suggest firewall for Win98se+ICS(dialup)+NAV

From: Joseph V. Morris (jvmorris@erols.com)
Date: 08/18/02
From: "Joseph V. Morris" <jvmorris@erols.com>
Date: Sun, 18 Aug 2002 11:14:39 -0400

Diane,

Some comments inline below . . . .

"Diane" <diane.acap@mindspring.com> wrote in message
news:ajmkuu$t91$1@slb5.atl.mindspring.net...

. . . .

| For the client, all o/s are Win98se - gateway will be Win98se only
| because they have an available license. . . . .

Okay, the client (i.e., YOUR client) has Win 98 SE boxes. (No, I'm not
going to waste my breath telling you that you should convince your client
to go out and buy all new boxes capable of running Win 2000 Pro or Win XP
Pro. <g> ) We'll just have to make do with what they've got, right?

. . . .
| > Whatever software firewall you select should be capable of at least
| > using an authorized username and password (STRONG password) in order
| > to ensure that some random individual doesn't simply go over to the
| > gateway box and either disable the firewall or otherwise change its
| > settings.
|
| In general, I'd agree. In my client's case, don't think there's a big
| worry about the random. These folks already have a Win98 "file server"
| (as it is functionality-wise, at least) and are "scared to death" of
| changing anything on it. . . . .

Well, sometimes fear works. <g> However, it seems that the biggest
vulnerability in a small business environment is from the inside, not the
outside. All it takes is one employee who gets an adverse performance
review, a raise that doesn't live up to his or her expectations, or fails
to get that much-justified promotion (in his or her estimation). Again,
we have to deal with the insecurity of Win 98 SE, as best as possible.
Any disgruntled Win 98 SE user can obviously walk in and install something
from a floppy or ZIP or even a CD-R, but that's sort of risky. It's much
easier (and obscure) to get even by simply dropping the firewall (in
essence) or disabling the AV/AT software. At that point, who's to say it
wasn't simply something that got 'past' the firewall/AV/AT software
somehow? (Guess who gets held responsible in that scenario?) Again, if
you can find free or relatively inexpensive PSF/AV/AT software that can be
password protected (and I believe Biff identifies one possibility below),
then I'd go with it; it's cheap and it may well be worth it.

| For my setup, I guess I'm the only random individual to worry about.
| Son's off to college & hubby (another IT-type) knows dinner is in danger
| if he messes with my boxes. <g>

Yes, in the words of the Immortal Comedian, "Man cannot live by bread
alone, . . . he must have peanut butter on it" <g>

. . . .

| > If this is correct, then, yes, you've basically
| > not only just established a crude hardware NAT router, but (perhaps
| > more to the point) a hardware firewall appliance.
|
| Ooh, you make it sound so up-to-date & impressive. We know it's just
| the cheapskate's way to use old boxes & o/s licenses <g>

Nah, the cheapskate's solution is a $50 486/33 running WfW 3.11 and
GNATBox Lite!

. . . .

| > However, you _may_ wish to maintain the capability to share files and
| > printers between the two 'client' workstations. . . . .

| Peer-to-peer sharing mandatory. Are you suggesting anything here other
| than normal, internal LAN security considerations (because of the ICS
| access?)

First, since we're talking Win 98 SE, I'd suggest the mandatory use of
user accounts (profiles) with customized desktops. This doesn't guarantee
much on Win 98 SE, but it can be configured in a manner that puts the fear
of God into anyone who _might_ be inclined to mess around. (It's possible
to set up Win 98 SE so that a normal business user is more or less
compelled to use a valid username/password to log on. This, of course,
is absolutely no defense against more knowledgeable users, however.
Furthermore, it can be a bit risky.) Now, if you have to 'share' files or
folders on various workstations, you can do a bit of work to ensure _who_
has what _kind_of_ access to which files or folders in the share (and
using the available password protection capability present in Win 98 SE).
Again, this is hardly fool-proof, but it's about the best you can do in
this environment.

. . . .

| Yes, I've been thinking about this. I've felt that my setup would do a
| relatively decent job of keeping out the Klingons banging at the door -
| that's what I am seeking confirmation about. But there's nothing
| protecting from a LAN-based trojan or new app wanting to phone home.

It has been my experience that, especially in small business environments,
employees have a tendency to install helpful utilities that they have
'discovered' at home on their work machines. They frequently just copy
the downloadable installable from their home machine onto a floppy, ZIP,
or CD-R and bring it in to work and install it. And, unbeknownst to them,
"while they were working", Junior just downloaded this really nifty
file-sharing, 'free' game, Britney Spears poster (or whatever). They
literally 'carry' the infected file (Trojan, Virus, worm, bot, you name
it) into work and install it to facilitate something they normally do.
(For that matter, they may want to get it set up and running and then demo
it to the boss, just to _ensure_ they get a good performance review next
time 'round.) Win 9x workstations are particularly vulnerable to this
type of infection. Game over.

The real problem here is that many small businesses don't have much of an
IS budget; the equipment is not new, the software is not new; and there's
very little money available for buying the 'latest/greatest' of either.
Not to mention they most assuredly don't have professional expertise
on-hand to necessarily do it correctly. Indeed, most small businesses
rely extensively on an unofficial in-house 'computer geek'. And guess
who's always trying out nifty, new shareware/freeware apps -- the 'geek'!
(And usually, they're doing this perfectly sincerely, looking for a free
(or cheap) utility that will improve overall business performance.)

| . . . . NAV can handle
| some of it. But my client's already proved that he (the owner, a very
| bright fellow) can click without the brain being engaged. . . .

Oh, ANYBODY can get sucked in to this! (That's why they call it social
engineering.) That's why you set the firewall/AV/AT software to the
highest level possible and turn off all the "Would you like to ... (commit
suicide)" pop-ups for the average user, and (if at all possible)
password-protect any changes to the configurations for these products.
Incidentally, since you apparently are about to become the designated
security guru, you might also want to look for products that automatically
provide remote e-mail notification of such events.

| . . . . For some reason, I'm not real enthusiastic about
| checking the Norton Firewall. . . . .

Not a big deal (and certainly no apologies necessary). Yes, I use NIS,
since the beginning in fact. Every now and then (quite regularly, in
fact), Symantec does something absolutely stupid; I get totally pissed and
go looking for an alternative -- only to eventually stick with what I've
got. It simply satisfies my own (admittedly subjective) requirements. I
don't proselytize for NIS/NPF; I simply answer technical questions on it
(when I can).

. . . .

| Plan to have NAV on the gateway as well as the workstations.

Any time; my pleasure. Time to take a look at Biff's post.

--
Regards,
    Joseph V. Morris
    jvmorris@erols.com
    ICQ #29438199

This is a NEWSGROUP message; except for privacy reasons, please respond therein; an e-mail COPY is always appreciated, of course. Almost all electrons used in the creation of this message were recycled. No electrons used in the production of this message were harmed or mistreated in any manner.