Which Firewall?

Anonymous
June 2, 2004 7:49:32 AM

Archived from groups: comp.security.firewalls

I am interested to know which type of firewall is adequate for a home
PC, I have been recommended to use either Norton Personal Firewall
2004 or McAfee Personal Firewall, are these appropriate or can anybody
recommend suitable alternatives.

Thanks for any help.

Neil

Anonymous
June 2, 2004 5:54:58 PM

Neil Mort wrote:

> I am interested to know which type of firewall is adequate for a home
> PC,

Simply configure your system properly and you don't need any suspicious
third party so called 'firewall' software.

http://www.ntsvcfg.de/ntsvcfg_eng.html

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980

Anonymous
June 2, 2004 5:54:59 PM

In article <c9kf6j$3o9$1@news.shlink.de>, wolfgang@shconnect.de says...
> Neil Mort wrote:
>
> > I am interested to know which type of firewall is adequate for a home
> > PC,
>
> Simply configure your system properly and you don't need any suspicious
> third party so called 'firewall' software.
>
> http://www.ntsvcfg.de/ntsvcfg_eng.html

Which doesn't happen in the real world for most users - most of them can
barely follow instructions let alone configure their machines to work
properly.

Anyone with a home PC should get a border device, a NAT router, and then
run quality Anti-Virus software on their machine. These two things alone
will prevent more problems than most of the other solutions combined.

One more thing, if you set the internet explorer "Internet" security
settings to HIGH you are less likely to have problems while browsing
sites that may contain malicious code. Setting the security setting for
the internet zone to HIGH has its own issues, but it's easy to work
with.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

June 2, 2004 5:54:59 PM

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:c9kf6j$3o9$1@news.shlink.de...
> Neil Mort wrote:
>
> > I am interested to know which type of firewall is adequate for a home
> > PC,
>
> Simply configure your system properly and you don't need any suspicious
> third party so called 'firewall' software.

I'm sorry but that is complete bollocks. The vast majority of computer
users can hardly configure their computers to print let alone configure the
operating system to make it secure. Even if they could they would be unable
to maintain it in the correct state.

Your advice is bad, wrong and downright unhelpful.

If you think your system really is secure, post your public IP address :-)

Anonymous
June 2, 2004 6:25:10 PM

On Wed, 2 Jun 2004 13:54:57 +0100, "Mike" <nospam@notherematey.com> wrote:


>> Simply configure your system properly and you don't need any suspicious
>> third party so called 'firewall' software.
>
>I'm sorry but that is complete bollocks.

You're being charitable Mike.

>The vast majority of computer
>users can hardly configure their computers to print let alone configure the
>operating system to make it secure. Even if they could they would be unable
>to maintain it in the correct state.

Quite, to assume that they would just 'know' how to lock down a system
properly is nonsense.

>
>Your advice is bad, wrong and downright unhelpful.


Quite, his assertions in

Message-ID: <c9kin6$480$1@news.shlink.de>


w.r.t the sage advice of implementing defence in depth using a dedicated
router and host based measures are utterly ridiculous.


greg


>
--
"vying with Platt for the largest gap
between capability and self perception"

Anonymous
June 2, 2004 6:34:58 PM

"Mike" <nospam@notherematey.com> wrote in
news:c9kin1$c81$1@thorium.cix.co.uk:

>
> "Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
> news:c9kf6j$3o9$1@news.shlink.de...
>> Neil Mort wrote:
>>
>> > I am interested to know which type of firewall is adequate for a
>> > home PC,
>>
>> Simply configure your system properly and you don't need any
>> suspicious third party so called 'firewall' software.
>
> I'm sorry but that is complete bollocks. The vast majority of
> computer users can hardly configure their computers to print let
> alone configure the operating system to make it secure. Even if they
> could they would be unable to maintain it in the correct state.
>
> Your advice is bad, wrong and downright unhelpful.


I work in customer support and can confirm that! Not only do most
users not know how to configure their computers for security, so many
of them don't want to learn how to get "under the hood" and do anything
but use the program(s) they purchase! They complain "you don't need to
know how to repair your car in order to drive, why should you need to
know how to <name just about anything necessary to update, configure,
etc> your computer to use it?"

Ppfflllt is what I'd like to say to them!

Sherry

Anonymous
June 2, 2004 6:43:37 PM

Neil Mort wrote:
> I am interested to know which type of firewall is adequate for a home
> PC, I have been recommended to use either Norton Personal Firewall
> 2004 or McAfee Personal Firewall, are these appropriate or can anybody
> recommend suitable alternatives.
>
> Thanks for any help.
>
> Neil

Despite what the others are arguing about. It is wise to configure a
firewall for your system. You have doubtless spent a good deal of time
and money on it.

I assume here that you are focusing on a host-based software solution, so
I will answer that question, and ALSO suggest that you look at getting a
hardware firewall too. The principle for doing so is sound and ancient,
defence-in-depth. If you were to have only a single line of defence then
once it is compromised so are your assets. Two or more levels of
defence, preferably of different technologies will provide additional
levels of protection. On my home systems I run a hardware firewall AND
different software firewalls on different systems.

I use ZoneAlarm, but am very impressed with Sygate. ZoneAlarm does a
good job but the Sygate system seems to be more configurable and
responsive. Both are good tools.

Personally I don't like the Norton products anymore. If you were to try
to uninstall them it is likely that the uninstall will mess up the
entire system and not work correctly in the first place. Granted this
experience comes from my use of Norton Anti-Virus. But it happened
multiple times, over many years, and on many systems. This is enough of
a reason for me to avoid Norton labeled products.

I would also suggest strongly that you enhance your 'defence-in-depth'
with other tools, like Antivirus, Spyware tools and refrain from using
MS IE and outlook.

Good luck
bk

Anonymous
June 2, 2004 6:55:02 PM

Leythos wrote:

> Anyone with a home PC should get a border device, a NAT router,

Unnecessary, as long as the system does not offer any services.

> and then run quality Anti-Virus software on their machine.

What for? To realize that this 'quality Anti-Virus software' will either
produce false positives and that a certain period exists, during which the
system is vulnerable due to the fact, that the scanner lacks the virus
pattern?

> These two things alone
> will prevent more problems than most of the other solutions combined.

One thing prevents them all: a secure configuration of the OS and a skilled
user.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980

Anonymous
June 2, 2004 6:55:03 PM

In article <c9kin6$480$1@news.shlink.de>, wolfgang@shconnect.de says...
> Leythos wrote:
>
> > Anyone with a home PC should get a border device, a NAT router,
>
> Unnecessary, as long as the system does not offer any services.

If you feel that your advice is sound, then post a link that clearly
shows how to "fully secure" a Windows 98, Windows XP Home and Windows XP
Professional system against all viruses and exploits.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Anonymous
June 2, 2004 7:18:01 PM

Mike wrote:

>> Simply configure your system properly and you don't need any suspicious
>> third party so called 'firewall' software.
>
> I'm sorry but that is complete bollocks.

It is not.

> The vast majority of computer
> users can hardly configure their computers to print let alone configure
> the operating system to make it secure.

The place for complaining about that is the manufacturer of the OS in
question.

> Even if they could they would be
> unable to maintain it in the correct state.

see above.

> Your advice is bad, wrong and downright unhelpful.

You can't secure a system by adding code. Especially you can't secure a
system by adding code from third party vendors if you don't have access to
the kernel sources. More code means more complexity, thus more
possibilities for errors.

> If you think your system really is secure, post your public IP address :-)

Have you ever looked into the headers of my postings?

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980

Anonymous
June 2, 2004 7:24:49 PM

Neil Mort wrote:
> I am interested to know which type of firewall is adequate for a home
> PC, I have been recommended to use either Norton Personal Firewall
> 2004 or McAfee Personal Firewall, are these appropriate or can anybody
> recommend suitable alternatives.
>
> Thanks for any help.
>
> Neil

software based firewalls are garbage IMO.
Take a look at the hardware based alternatives.
Can't go wrong with either SonicWALL, WatchGuard or Cisco PIX series.

-Sean Weintz

--
Copyright 2004 T. Sean Weintz
This post may be copied freely without
the express permission of T. Sean Weintz.
T. Sean Weintz could care less.
T. Sean Weintz is in no way responsible for
the accuracy of any information contained in
any usenet postings claiming to be from
T. Sean Weintz. Users reading postings from
T. Sean Weintz do so at their own risk.
T. Sean Weintz will in no way be liable for
premature hair loss, divorce, insanity,
world hunger, or any other adverse results
that may arise from reading any usenet
posting attributed to T. Sean Weintz

ALSO - FWIW, The following WHOIS Record is years out of date:
Weintz, Sean (SW2893) tweintz@MAIL.IDT.NET
Sean Weintz
462 Sixth Street , #A
Brooklyn, NY 11215

June 2, 2004 7:31:36 PM

Mike wrote:

>
> "Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
> news:c9kf6j$3o9$1@news.shlink.de...
>> Neil Mort wrote:
>>
>> > I am interested to know which type of firewall is adequate for a home
>> > PC,
>>
>> Simply configure your system properly and you don't need any suspicious
>> third party so called 'firewall' software.
>
> I'm sorry but that is complete bollocks. The vast majority of computer
> users can hardly configure their computers to print let alone configure
> the operating system to make it secure. Even if they could they would be
> unable to maintain it in the correct state.

You most definitely should not be sorry. Politeness is fine but there are
limits...

> Your advice is bad, wrong and downright unhelpful.

I second that.
--
Mailman

June 2, 2004 7:38:03 PM

Leythos wrote:

> In article <c9kf6j$3o9$1@news.shlink.de>, wolfgang@shconnect.de says...
>> Neil Mort wrote:
>>
>> > I am interested to know which type of firewall is adequate for a home
>> > PC,
>>
>> Simply configure your system properly and you don't need any suspicious
>> third party so called 'firewall' software.
>>
>> http://www.ntsvcfg.de/ntsvcfg_eng.html
>
> Which doesn't happen in the real world for most users - most of them can
> barely follow instructions let alone configure their machines to work
> properly.

True.

> Anyone with a home PC should get a border device, a NAT router, and then
> run quality Anti-Virus software on their machine. These two things alone
> will prevent more problems than most of the other solutions combined.

False. Most (home) users do not need a high-end separate device - a good
software firewall (both Kerio and ZA are free and seem to do a reasonably
good job) is sufficient to keep out various worms and prevent most attacks
against known weaknesses. In any case if you use XP do not rely on the
built-in firewall - it will keep out bad stuff, but not alert you to things
already on your machine.

Good AV is important but not enough. Anti-spyware is at least as important.

> One more thing, if you set the internet explorer "Internet" security
> settings to HIGH you are less likely to have problems while browsing
> sites that may contain malicious code. Setting the security setting for
> the internet zone to HIGH has its own issues, but it's easy to work
> with.

Good advice. In any case disable ActiveX (assuming you use IE - which is a
BAD idea). Java is optional.
--
Mailman

June 2, 2004 7:51:27 PM

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:c9kk29$4dr$1@news.shlink.de...
> Mike wrote:
>
> >> Simply configure your system properly and you don't need any suspicious
> >> third party so called 'firewall' software.
> >
> > I'm sorry but that is complete bollocks.
>
> It is not.
>
> > The vast majority of computer
> > users can hardly configure their computers to print let alone configure
> > the operating system to make it secure.
>
> The place for complaining about that is the manufacturer of the OS in
> question.
>
> > Even if they could they would be
> > unable to maintain it in the correct state.
>
> see above.
>
> > Your advice is bad, wrong and downright unhelpful.
>
> You can't secure a system by adding code. Especially you can't secure a
> system by adding code from third party vendors if you don't have access to
> the kernel sources. More code means more complexity, thus more
> possibilities for errors.
>
> > If you think your system really is secure, post your public IP address :-)
>
> Have you ever looked into the headers of my postings?

I'm not sure what you are trying to say...

Is it "Organization: SHLINK Internet Service" and I should be impressed
because you are from an ISP? If you are from an ISP you should know better.

Or is it "NNTP-Posting-Host: fw0.shlink.de" because you have hidden your ip
address? Which resolves to :

;; ANSWER SECTION:
fw0.shlink.de. 3600 IN A 212.60.1.4

telnet 212.60.1.4 25
Trying 212.60.1.4...
Connected to fw0.shlink.de (212.60.1.4).
Escape character is '^]'.
220 fw0.shlink.de (RBL/SPF) ESMTP

But wait! fw0? Could that be a firewall?? Firewall 0?? Nah! You couldn't
possibly be advocating users not to use a firewall while using one
yourself??

If you don't advocate firewalls, what are you doing in this group?

Your methods may well be correct and acceptable to you, but in the context
of the original poster who started by asking whether he needed a firewall and
was by inference a newbie, telling him to dig into the guts of his operating
system without even finding out what OS he had is; bad, wrong, stupid,
irresponsible and unhelpful.

EOT

Anonymous
June 2, 2004 8:24:11 PM

Greg Hennessy wrote:

> w.r.t the sage advice of implementing defence in depth using a dedicated
> router and host based measures are utterly ridiculous.

Well, I could get angry about that, but I keep calm ...

Of course there is nothing wrong with 'defence in depth' and several 'lines
of defense', if done properly and operated by skilled staff. However
telling unskilled users simply to 'set up a NAT device' has hardly anything
to do with 'defense in depth'. Several people giving this advice over and
over again do not get tired claiming that most users are unskilled and
therefore cannot set up their systems properly. May I kindly ask those
people how these unskilled users can operate a proper 'defense in depth'
setup? If those users are unskilled (I have no doubt that many of them are
...) they will neither be able to read or understand the logs nor draw (the
right) conclusions from the logs.

Adding complexity to a system is never the solution when complexity itself
is the problem.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980

Anonymous
June 2, 2004 8:24:12 PM

In article <c9knub$4uf$1@news.shlink.de>, wolfgang@shconnect.de says...
> Greg Hennessy wrote:
>
> > w.r.t the sage advice of implementing defence in depth using a dedicated
> > router and host based measures are utterly ridiculous.
>
> Well, I could get angry about that, but I keep calm ...
>
> Of course there is nothing wrong with 'defence in depth' and several 'lines
> of defense', if done properly and operated by skilled staff. However
> telling unskilled users simply to 'set up a NAT device' has hardly anything
> to do with 'defense in depth'. Several people giving this advice over and
> over again do not get tired claiming that most users are unskilled and
> therefore cannot set up their systems properly. May I kindly ask those
> people how these unskilled users can operate a proper 'defense in depth'
> setup? If those users are unskilled (I have no doubt that many of them are
> ...) they will neither be able to read or understand the logs nor draw (the
> right) conclusions from the logs.
>
> Adding complexity to a system is never the solution when complexity itself
> is the problem.

There is no complexity when adding a router with NAT to the system -
most of them are unbox, connect, reboot, forget.

As with your comments, there is no way that simple users are going to be
able to secure their machines without "simple, clear" instructions.
Since most users can't even look for the instructions, don't run Windows
Update, don't really do anything, getting them a NAT device and quality
AV software is the next best thing to securing their system.

I don't expect users to be able to setup their systems correctly, and
you don't either, at least not based on any clear instructions you've
posted. A user will do as little as possible (or less).

The lady down the street from my house had a PC for several years, she
asked about Road Runner and I told her that she should ask them to
enable NAT or purchase a NAT device from the local computer store BEFORE
she got RR installed. Her PC is a Dell system that came configured and
ready to use with XP Home Edition. She didn't do anything, installed RR,
and was calling me within a couple days as her computer was constantly
shutting-down each time it booted. Needless to say, she didn't get the
Router, didn't get the AV software, and the McCrappy AV software on her
machine was never registered so it was not updating and didn't detect
the virus..... Do you really expect someone like that person to "stop
services" or even know what a service is?

When you post a clear and concise set of instructions that a typical
user (like Tracker) could follow, and then see that every home user is
provided it and follows it, I'll believe that your idea is sound.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Anonymous
June 2, 2004 8:37:21 PM

Leythos wrote:

> It's in the details - and most users don't know the details. That's why
> a NAT device and AV software are so important.

If they lack knowledge they will not be able to operate the additional
device/s or software as well.

If complexity is the problem making a setup more complex is _not_ the
solution.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980

Anonymous
June 2, 2004 8:37:22 PM

In article <c9kon2$4uf$3@news.shlink.de>, wolfgang@shconnect.de says...
> Leythos wrote:
>
> > It's in the details - and most users don't know the details. That's why
> > a NAT device and AV software are so important.
>
> If they lack knowledge they will not be able to operate the additional
> device/s or software as well.
>
> If complexity is the problem making a setup more complex is _not_ the
> solution.

Um, I don't think you read the instructions that I posted - Open Box,
Connect Cables, Turn on Power, Reboot computer. Done. Easier than
installing a lightbulb.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Anonymous
June 2, 2004 8:57:36 PM

Leythos wrote:

> When you post a clear and concise set of instructions that a typical
> user (like Tracker)

Come on, though I admit that many users are more or less unskilled,
comparing them with Tracker is insulting.

> could follow, and then see that every home user is
> provided it and follows it, I'll believe that your idea is sound.

http://www.ntsvcfg.de/ntsvcfg_eng.html

seems simple enough to me.

Add :
1. Use good passwords for _all_ accounts
2. Never work as administrator unless for software installation and system
maintenance tasks. Actually I can't do anything about the fact that the
vendor of the most widespread operating systems delivers versions of their
software that allow blank passwords for accounts with administrator
rights), so could you please discuss those topics with Mr. Gates ;-)

3. and a few more lines what alternative software to use instead of the well
known virus/worm spreading tools like Outbreak.


and that is it.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980

Anonymous
June 2, 2004 8:57:37 PM

In article <c9kpt0$56r$1@news.shlink.de>, wolfgang@shconnect.de says...
> Leythos wrote:
>
> > When you post a clear and concise set of instructions that a typical
> > user (like Tracker)
>
> Come on, though I admit that many users are more or less unskilled,
> comparing them with Tracker is insulting.
>
> > could follow, and then see that every home user is
> > provided it and follows it, I'll believe that your idea is sound.
>
> http://www.ntsvcfg.de/ntsvcfg_eng.html

Nice site, but there is one problem with it (as quoted from the site):

Blaster/RPC-Patch:
Important: don't connect your W2K/XP-PC to the WWW before the RPC patch
was installed and the security hole in RPC-service (Remote Procedure
Call, Port 135) was closed. Download this patch on a non-comprommised or
non-affected system (i.e. Knoppix or Unix/Linux):
=>http://support.microsoft.com/?kbid=824146
Which RPC-patch still missed or if it was installed correctly:
http://support.microsoft.com/?kbid=827363 and
http://www.pcwelt.de/downloads/system/system-utilities/...


It clearly states not to connect the computer to the internet until
"Downloading" the patch - how are home users going to do that?

If the users were sitting behind a router with NAT they would not have a
problem being connected, downloading the updates, and staying uninfected
during the process.

So, we're back to NAT and AV being the best method to implement at home
users' networks and then getting them to harden their machines second.

The one thing the site you posted doesn't cover well is users that have
a laptop and a workstation that want to share files and such between
their systems - if we followed your idea, they would be hooked to the
internet via a switch and two public IP, and hacked in a minute.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Anonymous
June 2, 2004 9:33:22 PM

Leythos wrote:


>> If they lack knowledge they will not be able to operate the additional
>> device/s or software as well.
>>
>> If complexity is the problem making a setup more complex is _not_ the
>> solution.
>
> Um, I don't think you read the instructions that I posted - Open Box,
> Connect Cables, Turn on Power, Reboot computer. Done. Easier than
> installing a lightbulb.

And this has what effect? OK, assuming that the NAT implementation of the
device is functioning correctly (there has been quite some buggy firmware
in those devices around) this strategy should prohibit all external
connection attempts. No doubt that this is an important thing to have, but it is
nothing more than a system offering no services.

And that is all that the NAT device running default configuration will do.
Nothing more, nothing less. Operating an 'in depth security system' means a
bit more, you know, I know, the unskilled user doesn't, that is the point.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
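
Added example (not part of any post in the thread): a toy model of the default NAT behaviour argued over above, in which unsolicited inbound packets find no mapping and are dropped, while anything the inside PC initiates is translated and let out. The addresses, the port-restricted filtering rule and the names `Packet` and `ToyNat` are assumptions made for illustration; real router firmware differs.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class ToyNat:
    """Hypothetical port-translating NAT with a per-connection state table."""
    public_ip: str
    next_port: int = 40000
    # public_port -> (inside_ip, inside_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)

    def outbound(self, pkt):
        """Inside host opens a connection: create a mapping, rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == key:
                break  # reuse the existing mapping for this connection
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Packet from the Internet: forwarded only if it matches a mapping."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited: nothing inside asked for it, dropped
        in_ip, in_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # mapping belongs to a different remote peer, dropped
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)


def demo():
    # All addresses are constructed documentation/private ranges.
    nat = ToyNat(public_ip="203.0.113.10")
    pc = "192.168.1.20"

    # 1. Unsolicited probe at the RPC port: no mapping exists, so it is dropped
    #    before the PC ever sees it, whatever the PC is listening on.
    probe = nat.inbound(Packet("198.51.100.7", 4444, nat.public_ip, 135))

    # 2. The PC fetches a patch over HTTP: a mapping is created on the way out.
    out = nat.outbound(Packet(pc, 1050, "192.0.2.80", 80))

    # 3. The web server's reply matches the mapping and is forwarded inside.
    reply = nat.inbound(Packet("192.0.2.80", 80, nat.public_ip, out.src_port))

    # 4. A third party hitting the same public port does not match the peer.
    stray = nat.inbound(Packet("198.51.100.7", 4444, nat.public_ip, out.src_port))

    # 5. The NAT has no opinion on outbound traffic: a connection started by
    #    any program on the PC, wanted or not, is translated just the same.
    out2 = nat.outbound(Packet(pc, 1051, "198.51.100.7", 25))
    return probe, out, reply, stray, out2


if __name__ == "__main__":
    for label, result in zip(
        ("probe", "outbound", "reply", "stray", "outbound2"), demo()
    ):
        print(f"{label:10} -> {result}")
```

Steps 1 and 4 are the protection the router gives with no configuration; step 5 is the limit of it, which is where host hardening and anti-virus come back into the argument.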

Anonymous
June 2, 2004 10:17:28 PM

On 2 Jun 2004 03:49:32 -0700, neil_shetland@hotmail.com (Neil Mort)
wrote:
>
>I am interested to know which type of firewall is adequate for a home
>PC, I have been recommended to use either Norton Personal Firewall
>2004 or McAfee Personal Firewall, are these appropriate or can anybody
>recommend suitable alternatives.
>

Buy a hardware firewall. It will allow you to connect as many PC's as
you want to share the same Internet connection while providing true
firewalling services.

http://shopping.nowthor.com/0760559110178.html

June 2, 2004 10:17:46 PM

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:c9kpt0$56r$1@news.shlink.de...
> Leythos wrote:
>
> > When you post a clear and concise set of instructions that a typical
> > user (like Tracker)
>
> Come on, though I admit that many users are more or less unskilled,
> comparing them with Tracker is insulting.
>
> > could follow, and then see that every home user is
> > provided it and follows it, I'll believe that your idea is sound.
>
> http://www.ntsvcfg.de/ntsvcfg_eng.html
>
> seems simple enough to me.
>
> Add :
> 1. Use good passwords for _all_ accounts
> 2. Never work as administrator unless for software installation and system
> maintenance tasks. Actually I can't do anything about the fact that the
> vendor of the most widespread operating systems delivers versions of their
> software that allow blank passwords for accounts with administrator
> rights), so could you please discuss those topics with Mr. Gates ;-)

More bollocks and misinformation. It is possible to have a blank root
password in *nix. Stupid, but possible.

Baseline. A badly configured system, regardless of the OS involved is a
badly configured system.

In addition you have amplified the point that you cannot trust users to
correctly configure their own computers. As Leythos has pointed out several
times and you seem to be unable to comprehend, with at least a NAT router,
insecure admin passwords are less of a problem and the solution requires
zero user input.


> 3. and a few more lines what alternative software to use instead of the well
> known virus/worm spreading tools like Outbreak.

So what client should the corporate user use to connect to Exchange server?

Your view of the world is so narrow.

Anonymous
June 3, 2004 12:03:00 AM

Hi,

Leythos <void@nowhere.com> wrote:
>> non-affected system (i.e. Knoppix or Unix/Linux):
> It clearly states not to connect the computer to the internet until
> "Downloading" the patch - how are home users going to do that?

Knoppix is an excellent piece of software, directly running from a cd.
Have a look at it.

Greetings,
Jens

June 3, 2004 12:40:24 AM

Wolfgang is quite correct. Place a DOS 6.2 machine on the net
with no services running and guess what ... no problems

this is the base theory for any hardware firewall. take the OS
make sure all services are stopped then add the right IP / kernel
rules to allow forwarding / blocking / inspection etc.

However To answer the original Question. For your home box I suggest
ZoneAlarm Pro ... easy to install, your systems knowledge does not need
to be fantastic and it does the job well. Also better idea to get a
hardware solution which will give a more effective protection overall

Cheers

Graham


On Wed, 02 Jun 2004 13:54:58 +0200, Wolfgang Kueter wrote:

> Neil Mort wrote:
>
>> I am interested to know which type of firewall is adequate for a home
>> PC,
>
> Simply configure your system properly and you don't need any suspicious
> third party so called 'firewall' software.
>
> http://www.ntsvcfg.de/ntsvcfg_eng.html
>
> Wolfgang

Anonymous
June 3, 2004 12:40:25 AM

Graham wrote:
> Wolfgang is quite correct. Place a DOS 6.2 machine on the net
> with no services running and guess what ... no problems

What about the situation where there is a vulnerability in the OS itself?
In the TCP stack, or the kernel. It does happen, buffer overruns or
jumping into a stack loaded w/ opcodes (shell coding). Then there are
various DoS attacks that don't even attempt to gain entry, just to
render your system/network useless.

Then there are man-in-the-middle attacks on open, outgoing connections.
A firewall may or may not help in this situation tho.

Clearly there does not have to be a service open/active to be
vulnerable, and a firewall (one or more) can help to mitigate many of
the effects of these attacks.

bk

Anonymous
June 3, 2004 1:01:39 AM

In article <10bsac28cmoo83@corp.supernews.com>, sean@snerts-r-us.org
says...
> -Sean Weintz

Usenet standards for Sig's is 4 lines - your sig is WAY longer than 4
lines. Please trim it.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Anonymous
June 3, 2004 1:05:10 AM

In article <pan.2004.06.02.08.15.32.766527@removethis.thebayleys.com>,
graham@removethis.thebayleys.com says...
> Wolfgang is quite correct. Place a DOS 6.2 machine on the net
> with no services running and guess what ... no problems

And therein lies the flaw - any OS that connects to the internet and
provides users with any ability to do anything on the internet is going
to be open to flaws and security issues. There isn't a single installed
OS, with applications, that is completely free of security issues.

Now, with that being said, for your typical home users, a $40 router to
protect their investment and resources is about as cheap and fool-proof
as it gets.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Anonymous
June 3, 2004 1:05:14 AM

On 2 Jun 2004 03:49:32 -0700, Neil Mort wrote:

>I am interested to know which type of firewall is adequate for a home
>PC, I have been recommended to use either Norton Personal Firewall
>2004 or McAfee Personal Firewall, are these appropriate or can anybody
>recommend suitable alternatives.

I use ZoneAlarm Pro Ver 4.5.594.000; there is also a free version.
ZA Ver 5 has just been released and has received a mixed reception.
http://download.zonelabs.com/bin/free/information/znalm...
--

Chris Bee
Anonymous
June 3, 2004 1:05:15 AM

Bumblebee wrote:
^^^^^^^^^

Who?

> I use ZoneAlarm Pro [...]

I don't. And you don't need either. But besides obtaining a real name you
need to read: http://www.ntsvcfg.de/ntsvcfg_eng.html

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
June 3, 2004 1:05:16 AM

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:c9kfbh$3o9$2@news.shlink.de...
> Bumblebee wrote:
> ^^^^^^^^^
>
> Who?
>
> > I use ZoneAlarm Pro [...]
>
> I don't. And you don't need either. But besides obtaining a real name you

Why do you think there is a problem with him using that name? It's not
unusual or wrong.
Anyone who posts to newsgroups with a real email address in their headers
gets all the spam they deserve.
Anonymous
June 3, 2004 5:42:40 AM

On Wed, 02 Jun 2004 15:24:49 -0400, "T. Sean Weintz"
<sean@snerts-r-us.org> wrote:
>
>Can't go wrong with either SonicWall, WatchGuard or Cisco PIX series.
>

Or, let me add, a ZyXEL ZyWALL, which is both Firewall and IPsec
ICSA-certified.

http://shopping.nowthor.com/0760559110178.html
June 3, 2004 6:14:11 AM

On Wed, 02 Jun 2004 19:15:41 -0700, Purl Gurl <purlgurl@purlgurl.net> wrote:

>Chuck wrote:
<SNIP>

>> Windows is insecure
>
>Unix is insecure.
>Linux is insecure.
>BSD is insecure.
>MAC is insecure.

They're all insecure, because the internet infrastructure designed years ago is
insecure. Nobody then imagined how innovative the bad guys would be in using
the internet, and computers in general, to their advantage. So they can make
money from us.

And as soon as *nix et al gain market share, so will the spyware, viruses, and
other attacks on those systems.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
Anonymous
June 3, 2004 6:16:15 AM

In article <40BE89CD.479A37AD@purlgurl.net>, purlgurl@purlgurl.net
says...
> You only enjoy that security you create and maintain. Even
> then, all bets are off, thanks to Murphy.

And the entire point in this thread is that Users = Murphy.

Another story from my recent past: While I was out of state installing a
network, my mother-in-law got a Dell (Good for her). I asked her to leave
it in the box until I got back (1 week). Her son (Mac user, 40+,
somewhat technical) installed the system directly on her Road Runner
cable connection.

In the one week's time I was gone her machine was infected with 380+
different spyware apps, and more than 40 viruses/trojans. Needless to
say, they didn't do anything other than turn it on, get through the
basic startup config, and start using it. This is your classic user,
your classic level of users on home systems.

Had they installed the Linksys router they would have been a LOT better
off and I would not have had to wipe/reinstall from scratch. I installed
XP Prof, NAV 2004, Spybot Search & Destroy, set the "Internet" zone to
"HIGH" and the Trusted Zone to medium, then showed her how to add
trusted sites to the trusted zone. I also installed her Office XP and
Outlook XP. She's been running for a couple months now and not one
problem.



--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
June 3, 2004 6:16:16 AM

Leythos wrote:

> Purl Gurl wrote:

(snipped)

> > You only enjoy that security you create and maintain. Even
> > then, all bets are off, thanks to Murphy.

> And the entire point in this thread is that Users = Murphy.

"Little pink houses for you and me."


> In the one week's time I was gone her machine was infected with 380+
> different spyware apps, and more than 40 viruses/trojans.

That's all? She was lucky.


> Had they installed the Linksys router

Isn't it amazing how much security is added by a router?

We use a programmable Linksys for our servers and are
very pleased, exceptionally pleased. Nothing like
forwarding jerks to La La Land.

Yes, the real problem is us, the Murphy people. Most of
our problems are not based in ignorance nor in being naive.

Most of our problems, here and out there, are based upon
our good nature, based upon our trusting nature. Almost
all of us are decent respectful people who treat others
well, and inherently view others as decent moral people.

In walks the internet and the world wide web, just a short
couple of decades back. Our internet is safe haven for those
who would do all of us harm. No need to exemplify this, we
all know of the extreme dangers presented by the net.

Our "Murphy" is being good and decent people, perhaps even
endearingly innocent. This prides almost all of us.


Purl Gurl
Anonymous
June 3, 2004 6:16:17 AM

Purl Gurl wrote:

> Leythos wrote:
> > Purl Gurl wrote:

(snipped)

> > In the one week's time I was gone her machine was infected with 380+
> > different spyware apps, and more than 40 viruses/trojans.

> That's all? She was lucky.

For those readers interested in statistical graphs, you may
visit our family server here,

http://www.purlgurl.net/attacks.html/

On that page you will discover nice graphical charts of actual
attacks on our server, all serious and currently averaging
forty to fifty per day. This is not quite an accurate picture,
for two reasons. The first is obvious; our graphs group and
display only the top percentage attacks. Results for May 25
well displays another reason for our graphs not being accurate.

If you look at our last graph, you will note on May 25 the
number of attacks spiked to over two-hundred per day, which
is realistic. As a test of our firmware firewall, on May 25
I set our external firewall to not firewall at all, set it
to be a simple transparent gateway, then noted how many "hacks"
were passed through without our firmware firewall. This afforded
a good test and affirms our firewall works well.

Our logging system only logs those hacks which pass through
our external firewall, so our graphical charts are truly
well below what is really happening.

Keep in mind, these are only those hack attempts coming
in on our static ip address. For a true picture, consider
how many "internet connections" are out there, at any
given moment. All connections suffer hack attempts, all.

For June 1, yesterday, you will note a slight increase in
problems. This is a result of a group of sociopathic types
over in the comp.lang.perl.misc newsgroup, being frustrated
by our sudden rotation and randomizing our security measures.
A select few of those people are very well known personae
within the Perl Community and a couple from Apache Dot Org,
one even runs a dot gov site offering services to a certain
state government, secure services. Here he is trying to
harass our family, in a very childish manner.

I should take down his dot gov site, except local mapping
for his dot gov site includes the Department of Justice,
who are people to fear; you do NOT mess with Uncle Sam.

So, for the "newbies" out there reading this article, never
dismiss a need for security. You are in danger.

If you cannot access our site, do not take this personally.
You may, however, blame this on some of the hateful people
over in comp.lang.perl.misc newsgroup. I have relaxed our
security features for tonight so most can access and view.

Yes, I clearly hold a grudge and am clearly grinding an axe,
as you will should you suffer the same, as did Leythos'
wife's mother, another innocent victim of the net.


Purl Gurl
Anonymous
June 3, 2004 6:16:18 AM

Purl Gurl wrote:

> Purl Gurl wrote:
> > Leythos wrote:
> > > Purl Gurl wrote:

(snipped)

> For those readers interested in statistical graphs, you may
> visit our family server here,

> http://www.purlgurl.net/attacks.html/

> On that page you will discover nice graphical charts of actual
> attacks on our server,

To add some offbeat interest for this newsgroup, previously
in another article, I write of randomizing security methods
to prevent profiling of security systems.

For our last chart, bottom chart, you can "see" results of
a program which randomizes responses to selected events.

Look directly above the dates May 28, May 29 on through to
May 31 date, literally directly above those dates on
the graph. You are actually looking at effects of our
security rotation. Then comes June 1 which reflects a
serious increase in attempts, by cooperative actions
by many. This increase is a graph of their frustration
and of attempting new methods; they are trying to figure
out what the Hades is going on.

This is nice. Randomizing manipulates them into trying
different techniques, which are logged and reviewed;
they afford me an ability to collect data, on them.

I write "they" and do claim a cooperative effort.

A short partial snippet of data collected,

ShowLetter?MsgId=6432_6633_3451_1052_65_0_17113_-1_0&YY=26695&inc=25

A mistake made there, a big mistake. Those involved in a cooperative
effort to harass our family, provided me with just the data I needed
to black hat an email account and extract evidence of just such; an
overt cooperative effort by a select group I know well.

Now they know with their routinely monitoring newsgroups for
my postings. Will they make this type of mistake again? Yes.

Perhaps, in time, I will submit my data to law enforcement,
as I have done in the past to some of them. Most embarrassing
for some to have a detective knock upon their front door or
to phone you and ask questions which heighten anxiety.

Previously I wrote of Murphy. He does not always work against
those of us, almost all of us, who are good and decent people.
Quite the opposite, Murphy more often works against those who
are less than good and decent; Bad Karma.

Again, security is that which you create and maintain. Security
is not purely software based; it is more often based upon your
personal ability to think like a fox.


Purl Gurl
Anonymous
June 3, 2004 9:38:49 AM

On Wed, 02 Jun 2004 13:57:37 +0200, Wolfgang Kueter wrote:

>Bumblebee wrote:
>^^^^^^^^^
>
>Who?

Bumblebee <chris_bee@privacy.invalid>

>> I use ZoneAlarm Pro [...]
>
>I don't. And you don't need either. But besides obtaining a real name you
>need to read: http://www.ntsvcfg.de/ntsvcfg_eng.html

I don't need to read the above link and you're welcome to disagree
with me. I gave what I believed to be good advice to another person
who was asking about firewalls. Using a firewall certainly won't cause
any damage whereas being without a firewall *could* result in damage.

Advising someone *not* to use a firewall borders on being malicious
advice IMHO. Not that it's any of your business Wolfgang but I did use
my real name, Chris Bee. I acquired the nickname "Bumblebee" over 50
years ago, virtually on the first day I started going to Kindergarten
prior to attending Primary School.
--

Chris Bee
June 3, 2004 12:43:07 PM

"Jens Hoffmann" <jh@bofh.de> wrote in message
news:slrncbs5ik.e38.jh@churrasco.bofh.de...
> Hi,
>
> Leythos <void@nowhere.com> wrote:
> >> non-affected system (i.e. Knoppix or Unix/Linux):
> > It clearly states not to connect the computer to the internet until
> > "Downloading" the patch - how are home users going to do that?
>
> Knoppix is an excellent piece of software, directly running from a cd.
> Have a look at it.

You are missing the point. How many home users will have Knoppix lying
about? And if they didn't, how would they download a copy without connecting
their only pc to the internet? And then, how many confronted with a non
Microsoft interface would know what to do to download the patch etc. etc.
etc.

The alternate is a NAT router and a quick trip to Windows update. Easy and
foolproof(ish)
Anonymous
June 3, 2004 12:49:03 PM

On Wed, 2 Jun 2004 15:51:27 +0100, Mike wrote:

[snip]

> I'm not sure what you are trying to say...
>
> Is it "Organization: SHLINK Internet Service" and I should be impressed
> because you are from an ISP? If you are from an ISP you should know better.

I have a feeling you are deliberately misunderstanding what Wolfgang is
trying to communicate.

> Or is it "NNTP-Posting-Host: fw0.shlink.de" because you have hidden your ip
> address? Which resolves to :
>
> ;; ANSWER SECTION:
> fw0.shlink.de. 3600 IN A 212.60.1.4

Nothing hidden about that address? Or do you mean it is hidden
because it resolves to a DNS name? If so, I have successfully
hidden all my IP addresses :) 

> telnet 212.60.1.4 25
> Trying 212.60.1.4...
> Connected to fw0.shlink.de (212.60.1.4).
> Escape character is '^]'.
> 220 fw0.shlink.de (RBL/SPF) ESMTP
>
> But wait! fw0? Could that be a firewall?? Firewall 0?? Nah! You couldn't
> possibly be advocating users not to use a firewall while using one
> yourself??
>
> If you don't advocate firewalls, what are you doing in this group?

This group is for discussion, not advocating. Try reading Wolfgang's
posts again.

The point he is trying to make is that while adding a NAT device might
cure the symptom of a vulnerable system (by adding more code,
statistically introducing more bugs, to solve the problem caused by
too much code in the first place), it does not solve the real problem
which is insecure systems. Securing those systems will be a much
better solution, and what we all should be advocating unless we have
another agenda than to make the Internet a more secure place. At
least that is how I interpret it.

Firewall vendors/resellers will not necessarily tell you this, because
their agenda is making money.

I really dislike the 'add a NAT device' "solution", but with a) today's
wide-spread use of insecure operating systems and default settings,
even if the new versions are much better than previous ones the old
ones are still widely used in production environments and homes, b)
the complexity of operating systems with which even computer science
graduates struggle, and c) most people's belief that computers are easy
to use and maintain compared to other technical equipment (you probably
wouldn't service your brand new car yourself, or even your TV unless
you have a special interest or knowledge), I can see the need for an
immediate way of treating those symptoms. But the long term goal
should still be securing the _systems_. If you disagree, I really
hope you don't work in this industry.

> Your methods may well be correct and acceptable to you, but in the context
> of the original poster who started by asking whether he needed a firewall and
> was by inference a newbie, telling him to dig into the guts of his operating
> system without even finding out what OS he had is; bad, wrong, stupid,
> irresponsible and unhelpful.

IIRC the URL to the hints on how to configure Windows securely was
mentioned, but I must admit I did not follow the entire thread. However,
that does not invalidate my comments to the above.

When people are interested enough to ask if they really do need a
firewall, the correct answer in my not so humble opinion is "it
depends", followed by a more in-depth explanation preferably contained
in a FAQ. The 'newbie' is free to stop reading, or ask more
questions if it is too much/little information.

(and I don't expect anyone to be impressed by the "university of .."
in my headers - it has nothing to do with my opinions here, I'm just
an ex-employee)


- Eirik
--
New and exciting signature!
Anonymous
June 3, 2004 2:06:34 PM

Leythos wrote:

> In the one week's time I was gone her machine was infected with 380+
> different spyware apps, and more than 40 viruses/trojans.

'It was infected' sounds like that this didn't require end user interaction.
I doubt that.

> Needless to
> say, they didn't do anything other than turn it on, get through the
> basic startup config, and start using it.

Does 'using a system' include 'installation of malware'?

> This is your classic user,
> your classic level of users on home systems.

Most filtering devices placed in front of a box do not prevent installing
malware by the user himself.

> Had they installed the Linksys router they would have been a LOT better
> off and I would not have had to wipe/reinstall from scratch.

You would since the router does not prevent the installation of malware.

> I installed XP Prof, NAV 2004, Spybot Search & Destroy, set the "Internet"
> zone to "HIGH" and the Trusted Zone to medium, then showed her how to add
> trusted sites to the trusted zone. I also installed her Office XP and
> Outlook XP. She's been running for a couple months now and not one
> problem.

Well, some time ago I reinstalled an infected win2000 workstation of a quite
unskilled user. I patched the installation, switched off all services, set
user and access rights strict using good passwords, configured IE properly,
told the user that he must not log in as administrator unless for
maintenance tasks. No problems with the machine.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
Anonymous
June 3, 2004 2:10:45 PM

Bob Kryger wrote:

> What about the situation where there is a vulnerability in the OS itself?
> In the TCP stack, or the kernel.

OK, that is a valid argument but it refers to any filtering device as well.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
Anonymous
June 3, 2004 2:10:46 PM

Wolfgang Kueter wrote:
> Bob Kryger wrote:
>
>
>>What about the situation where there is a vulnerability in the OS itself?
>>In the TCP stack, or the kernel.
>
>
> OK, that is a valid argument but it refers to any filtering device as well.

Exactly, and that led to the security concept of 'defense-in-depth'

[from another post]
The principle for doing so is sound and ancient, defense-in-depth. If
you were to have only a single line of defense then once it is
compromised so are your assets. Two or more levels of defense,
preferably of different technologies will provide additional levels of
protection. On my home systems I run a hardware firewall AND different
software firewalls on different systems.

Basically one line of defense is not enough. Your assertion of a well run
system, may be considered, one good line of defense. It is, but it's not
sufficient, in today's Internet, especially for newbies. Like it or not,
we sometimes have to be pragmatic.

bk
June 3, 2004 3:06:18 PM

"Eirik Seim" <eirik@mi.uib.no> wrote in message
news:slrncbtp53.1hu.eirik@kain.mi.uib.no...
> On Wed, 2 Jun 2004 15:51:27 +0100, Mike wrote:
>
> [snip]
>
> > I'm not sure what you are trying to say...
> >
> > Is it "Organization: SHLINK Internet Service" and I should be impressed
> > because you are from an ISP? If you are from an ISP you should know
> > better.
>
> I have a feeling you are deliberately misunderstanding what Wolfgang is
> trying to communicate.

Enlighten me because it has passed right over my head without even parting
my hair.

> > Or is it "NNTP-Posting-Host: fw0.shlink.de" because you have hidden
> > your ip address? Which resolves to :
> >
> > ;; ANSWER SECTION:
> > fw0.shlink.de. 3600 IN A 212.60.1.4
>
> Nothing hidden about that address? Or do you mean it is hidden
> because it resolves to a DNS name? If so, I have successfully
> hidden all my IP addresses :) 

>
> > telnet 212.60.1.4 25
> > Trying 212.60.1.4...
> > Connected to fw0.shlink.de (212.60.1.4).
> > Escape character is '^]'.
> > 220 fw0.shlink.de (RBL/SPF) ESMTP
> >
> > But wait! fw0? Could that be a firewall?? Firewall 0?? Nah! You
> > couldn't possibly be advocating users not to use a firewall while using one
> > yourself??
> >
> > If you don't advocate firewalls, what are you doing in this group?
>
> This group is for discussion, not advocating. Try reading Wolfgang's
> posts again.

I have and they are still full of dangerous, unhelpful and unusable advice
for the newbie asking the original question.
Anonymous
June 3, 2004 3:08:10 PM

In article <c9mm69$ek0$1@news.shlink.de>, wolfgang@shconnect.de says...
> Well, some time ago I reinstalled an infected win2000 workstation of a quite
> unskilled user. I patched the installation, switched off all services, set
> user and access rights strict using good passwords, configured IE properly,
> told the user that he must not log in as adminsitrator unless for
> maintainance tasks. No problems with the machine.

WG, don't get me wrong, I know how to secure a Windows 2000/XP machine
and what services to allow, but, for most home users it's not going to
help.

By the time a home user gets fully booted up for the first time, they
already have the ethernet connection connected to the PC. Since they
don't have the instructions on how to secure it, they browse around the
internet looking for instructions - provided they even know they need to
secure it - and find various answers. About 10 minutes later their
system, if Windows XP tells them they have updates to install and they
do (after about 4 reboots from service pack installs), they have a
machine that is reasonably patched - total estimated time online before
being patched 1 hour. Now, they remembered that they didn't secure their
machine, so they start searching again, find a couple malicious sites,
get nice things installed since they look like links to the information
they wanted (but were really scripts). Since they didn't update their
Anti-Virus software it doesn't detect the web scripts and the trojans
make it in. After about an hour they find enough information to stop
some services - total time online 2 hours now.....

During their 2 hours, provided they even know that they need to secure
their machine, they've been subjected to any number of hacks/exploits
and have a compromised box.

Now, do the same thing with them sitting behind a NAT router. Sure, the
malicious sites are not prevented, but the inbound traffic during the
first hour that they are doing updates is. Who knows, they may find the
answers without hitting a malicious site and during that second hour the
NAT router will still be protecting them. Also, after reading enough,
they call Dell and ask about AV products, they learn that they have to
register McCrappy before it will update, they do and get the updates -
still not hacked and now all updates are in place.

Now, let's take the typical user - gets PC, connects to internet
directly, doesn't do anything to secure machine. We know this type, it's
their machine that keeps probing our machines to "reach out and touch
us".

Now take the typical user - get a PC, connects to the router, doesn't do
anything, plays around, oops - sees the Windows Update ICON flashing
ignores it. At least this machine is protected from being attacked by
unknown systems/users. Sure, the PC can be compromised by the user, but
it's more likely to be compromised if the user is connected directly.

If ISPs would just enable NAT by default on their cable/dsl modems most
users would have a fighting chance while they get updates/patched.

You stick with your services method, I'll stick with my NAT / AV (as
well as other) methods and we'll see if you can say that you've never
had a machine under your control that's been compromised in 20+ years.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
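
The contrast drawn in the post above (a PC plugged straight into the modem versus one behind a NAT router, and the limit that the router does not stop what the user fetches) can be modelled in a few lines. This is an added example, not code from any poster in the thread; the `NatRouter` class, the addresses (documentation ranges), the listening ports and the address-and-port-dependent filtering rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: Endpoint
    dst: Endpoint


@dataclass
class NatRouter:
    """Port-translating router with address-and-port-dependent filtering (assumed)."""
    public_ip: str
    next_port: int = 40000
    # (proto, public port) -> (inside endpoint, remote endpoint the flow was opened to)
    table: Dict[Tuple[str, int], Tuple[Endpoint, Endpoint]] = field(default_factory=dict)
    flows: Dict[Tuple[str, Endpoint, Endpoint], int] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside host sends a packet: create or reuse a mapping, rewrite the source."""
        flow = (pkt.proto, pkt.src, pkt.dst)
        port = self.flows.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.flows[flow] = port
            self.table[(pkt.proto, port)] = (pkt.src, pkt.dst)
        return Packet(pkt.proto, (self.public_ip, port), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arrives on the public side: forward only if it matches a mapping."""
        entry = self.table.get((pkt.proto, pkt.dst[1]))
        if entry is None:
            return None              # nothing inside asked for this: dropped
        inside, remote = entry
        if pkt.src != remote:
            return None              # right port, wrong sender: dropped
        return Packet(pkt.proto, pkt.src, inside)


def direct_host_accepts(pkt: Packet, listening: Set[int]) -> bool:
    """A PC plugged straight into the modem answers on every listening port."""
    return pkt.dst[1] in listening


def simulate() -> dict:
    # All addresses are documentation ranges; ports and hosts are constructed samples.
    pc = "192.168.1.100"
    router = NatRouter(public_ip="203.0.113.10")
    scanner = ("198.51.100.7", 51515)
    update_server = ("192.0.2.80", 80)
    bad_site = ("198.51.100.66", 80)
    listening = {135, 139, 445}      # assumed services on an unhardened PC

    results = {}
    # 1. Unsolicited probes from the Internet.
    probes = [Packet("tcp", scanner, ("203.0.113.10", p)) for p in (135, 445, 40000)]
    results["probes_reaching_direct_pc"] = sum(direct_host_accepts(p, listening) for p in probes)
    results["probes_forwarded_by_nat"] = sum(router.inbound(p) is not None for p in probes)

    # 2. The PC fetches patches: the reply matches the mapping and is delivered.
    out = router.outbound(Packet("tcp", (pc, 1025), update_server))
    reply = router.inbound(Packet("tcp", update_server, out.src))
    results["update_reply_delivered_to"] = reply.dst if reply else None

    # 3. A third party aiming at the now-open public port is still dropped.
    results["third_party_hit_forwarded"] = router.inbound(Packet("tcp", scanner, out.src)) is not None

    # 4. The user browses to a malicious site: the router treats the response
    #    exactly like the patch download, so content the user requests gets through.
    out2 = router.outbound(Packet("tcp", (pc, 1026), bad_site))
    reply2 = router.inbound(Packet("tcp", bad_site, out2.src))
    results["user_requested_reply_delivered"] = reply2 is not None
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The model has no timeouts, port forwarding or UPnP, each of which changes what a real router lets in.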
June 3, 2004 3:08:20 PM

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:c9mm69$ek0$1@news.shlink.de...
> Leythos wrote:
>
> > In the one week's time I was gone her machine was infected with 380+
> > different spyware apps, and more than 40 viruses/trojans.
>
> 'It was infected' sounds like that this didn't require end user
> interaction. I doubt that.
>
> > Needless to
> > say, they didn't do anything other than turn it on, get through the
> > basic startup config, and start using it.
>
> Does 'using a system' include 'installation of malware'?
>
> > This is your classic user,
> > your classic level of users on home systems.
>
> Most filtering devices placed in front of a box do not prevent installing
> malware by the user himself.
>
> > Had they installed the Linksys router they would have been a LOT better
> > off and I would not have had to wipe/reinstall from scratch.
>
> You would since the router does not prevent the installation of malware.
>
> > I installed XP Prof, NAV 2004, Spybot Search & Destroy, set the
> > "Internet" zone to "HIGH" and the Trusted Zone to medium, then showed
> > her how to add
> > trusted sites to the trusted zone. I also installed her Office XP and
> > Outlook XP. She's been running for a couple months now and not one
> > problem.
>
> Well, some time ago I reinstalled an infected win2000 workstation of a
> quite unskilled user. I patched the installation, switched off all
> services, set user and access rights strict using good passwords,
> configured IE properly, told the user that he must not log in as
> administrator unless for maintenance tasks. No problems with the machine.

Yet......... It's just a matter of time.
Anonymous
June 3, 2004 3:15:12 PM

In article <slrncbtp53.1hu.eirik@kain.mi.uib.no>, eirik@mi.uib.no
says...
> The point he is trying to make is that while adding a NAT device might
> cure the symptom of a vulnerable system (by adding more code,
> statistically introducing more bugs, to solve the problem caused by
> too much code in the first place), it does not solve the real problem
> which is insecure systems. Securing those systems will be a much
> better solution, and what we all should be advocating unless we have
> another agenda than to make the Internet a more secure place. At
> least that is how I interpret it.

That's the point we're all trying to make - securing the systems is the
best method. Problem is that the systems are NOT secured BEFORE they
connect to the internet in most users' worlds. NAT is the first part of
the solution, it gives the users a chance to run updates/patches BEFORE
they get hacked and while they (if they even know about it) learn to
secure their machines (which most will never learn about).

NAT devices don't introduce any "bugs" into the system - sure, they play
heck with IRC DCC's and some peer-to-peer apps, but most people don't
need to move files that way anyway. Most home users don't know about IRC
or P2P apps, and by the time they do, they are compromised anyway.

What you have to consider is the ORDER in which things happen - New PC,
connect to net, infected, too late, reinstall, infected, too late....
Buys router/NAT, reinstall, updates, av's, doing good now, searches on
how to secure IE and Outlook, runs well for a while, searches on how to
secure PC, does some things... Runs well for long time.... New Virus,
opens email attachment (av software and Outlook won't let them open it),
still running good....


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
June 3, 2004 4:15:01 PM

Mike wrote:

> Yet......... Its just a matter of time.

Hardly any difference to the time that Leythos needed. And I needed far less
code.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
Anonymous
June 3, 2004 4:19:11 PM

Mike wrote:

> I have and they are still full of dangerous, unhelpful and unusable advice
> for the newbie asking the original question.

Well, the times when I got angry about trolls like you that believe their
claims to be a proof have long gone. So may I kindly ask you to give
technical reasons for claims?

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
Anonymous
June 3, 2004 4:19:12 PM

In article <c9mtuv$fk2$2@news.shlink.de>, wolfgang@shconnect.de says...
> Mike wrote:
>
> > I have and they are still full of dangerous, unhelpful and unusable advice
> > for the newbie asking the original question.
>
> Well, the times when I got angry about trolls like you that believe their
> claims to be a proof have long gone. So may I kindly ask you to give
> technical reasons for claims?

WG, I know you didn't ask me, but, the problem with your advice is that
it was in response to a question to what appears to be a slightly above
average typical home user and did not include specifics related to his
OS.

Without providing specifics to secure a user's OS/apps, your advice
leaves their machine fully open to compromise since there is no clear
way for the machine to be secured. At least with NAT and AV software
they have hope that it will be more secure than leaving some services
exposed or even worse, finding some previously unknown hole in the OS
that lets someone take over their system.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)