Re: Is complete home security possible?

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 02/09/05


Date: Wed, 09 Feb 2005 13:18:38 -0600

In article <pan.2005.02.09.00.39.34.557626@nowhere.lan>, Leythos wrote:

>Yea, a great many were people that had no clue, but I hardly blame that on
>MS or anyone except the users.

There were a lot of home users who didn't know they had any servers
installed - but did, and had them in default (read 'wide open') unprotected
mode. A lot of *nix users are unaware they are running services too. For
example, what does '/bin/netstat -tupan' show on that FC3 box? Don't show
me (the netstat man page explains what's what), but did you realize those
were running?

>Windows doesn't install SQL server in any variant by default, not MSDE,
>etc... You have to install something like Office Development tools or
>Visual Studio (or VS.Net) or any of the development platform tools.

I dunno - I lose track of which worm exploited which hole. I was thinking
that Slammer was also exploiting a "gee, users might need this, so let's
install it by default" setup in ordinary windoze installs, but trying to
search through a database to find that is a lost cause.

>The point goes back to firewalls and security - none of it would have
>happened if a simple firewall policy was put in place. SQL data ports do
>not need to be exposed to the Internet for data to be shared - they can
>use a VPN or an IP:IP rule, but to expose it to everyone is just plain
>stupid.

You know that - I know that - I think most of the people _here_ know that.
But configuring a firewall that works takes two or three brain cells, and
it seems that few people using computers have those.

>The same goes for about any service - as an example, I block almost 100
>subnets from accessing our network (mostly foreign countries) and it's
>made a big difference in our FTP/HTTP/SMTP traffic connections/attempts
>at exploits,

We're tightening things down a bit further. We just got a new net block,
and are moving all of our public IPs into that block (DNS, web, mail
and FTP). The rest of our blocks are not being reset to refuse all
non-related connections inbound. So far, so good. On the public block,
we've always had a pretty Draconian set of firewall rules.

>it's just not a complex thing - limit your exposed surface, protect it,
>make sure you're patched, and make sure you can detect a problem...

You do have to have an understanding of what networking principles
are. We were seeing tons of Messenger spam attempts - even though none
of our systems run any variety of windoze. While the firewall blocks
non-related inbound, UDP is usually a one shot deal (yes, for us it's
normally DNS replies, easily filtered), but we've gone a step further.
Source port numbers are normally chosen as 'the next available' starting
at 1024. We're running port translation outbound such that should a system
source a packet from (example) 1024-1100/udp, the firewall translates it
to an available number above that range. This means there can't BE any
valid response to ports 1024-1100/udp. Then, the firewall simply drops
any incoming UDP to those ports.

>For home users, which is where this started, it's fairly simple to secure
>a Windows based platform, but they have to seek the answer first, then
>want it bad enough to do the steps.....

One has to question why it's a problem in the first place. OpenBSD has an
excellent reputation for security (because the code is audited to extremely
high standards), but part of the reputation is because out of the box, it
offers ZERO services, even if you installed everything. Their philosophy is
that if you want to offer services you have to RTFM to find out how, and
that includes even enabling the service in the first place. This philosophy
is spilling over into the other BSDs and Linux. Do you _really_ expect that
this could work with any version of windoze? No, because

>There are the terminally incapable, the terminally ignorant, and the
>terminally stupid, and then there are the rest of us :)

and we're in the minority.

        Old guy
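The source-port translation trick described above, as an added simulation that is not code from the post: it models a firewall that rewrites outbound UDP source ports in the 1024-1100 range to a free port above that range, keeps the mapping so the genuine reply can be steered back inside, and drops any inbound UDP aimed at the shielded range. The class name, addresses and the translation pool are constructed for this example.

```python
# Model of the outbound UDP source-port translation described in the post:
# nothing inside can ever be waiting on a shielded port, so inbound UDP to
# that range is dropped unconditionally, and only replies that match a
# recorded translation are delivered. Illustration only; not the poster's
# firewall configuration. Addresses and pool bounds are constructed.
from __future__ import annotations
from dataclasses import dataclass

SHIELD_LO, SHIELD_HI = 1024, 1100   # the range used as the example in the post
DEFAULT_POOL = (1101, 65535)        # assumed pool of translated source ports

@dataclass(frozen=True)
class Udp:
    src: str
    sport: int
    dst: str
    dport: int

class PortShieldFirewall:
    def __init__(self, public_ip: str = "198.51.100.1", pool=DEFAULT_POOL):
        self.public_ip = public_ip
        self.pool_lo, self.pool_hi = pool
        self.next_port = self.pool_lo
        # (remote_ip, remote_port, public_port) -> (inside_ip, inside_port)
        self.table: dict[tuple, tuple] = {}

    def _free_port(self) -> int:
        """Round-robin pick of an unused port from the translation pool."""
        used = {key[2] for key in self.table}
        for _ in range(self.pool_hi - self.pool_lo + 1):
            p = self.next_port
            self.next_port = self.pool_lo if p == self.pool_hi else p + 1
            if p not in used:
                return p
        raise RuntimeError("translation pool exhausted")

    def outbound(self, pkt: Udp) -> Udp:
        """Rewrite a shielded source port and record the mapping for the reply."""
        sport = pkt.sport
        if SHIELD_LO <= sport <= SHIELD_HI:
            sport = self._free_port()
        self.table[(pkt.dst, pkt.dport, sport)] = (pkt.src, pkt.sport)
        return Udp(self.public_ip, sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Udp) -> Udp | None:
        """Return the packet as delivered inside, or None if the firewall drops it."""
        if SHIELD_LO <= pkt.dport <= SHIELD_HI:
            return None  # no valid response can exist for a shielded port
        key = (pkt.src, pkt.sport, pkt.dport)
        if key not in self.table:
            return None  # unsolicited: not a reply to anything we sent
        inside_ip, inside_port = self.table[key]
        return Udp(pkt.src, pkt.sport, inside_ip, inside_port)
```

On a Linux firewall of that era the equivalent would be a nat POSTROUTING MASQUERADE rule with --to-ports for outbound UDP sourced from 1024:1100 plus an INPUT DROP for udp --dport 1024:1100 (my assumption about how to express it, not the poster's actual rules).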
