Archived from groups: comp.security.firewalls
S.T. Suikkanen <ei.posti@osoitetta.notvalid> wrote:
> I would be interested especially how to secure Windows 2000 at lowest
> possible system overhead using firewall program and firewall box combo.
For lowest overhead, just use Torsten's script, and switch off any
listening server. This means: no overhead at all. Then you don't need
filtering at all.
http://www.ntsvcfg.de/ntsvcfg_eng.html
Then abandon using Internet Explorer; just use any other browser.
The problem with Internet Explorer is not that it has security holes -
every browser has this from time to time; OK, Internet Explorer had
unfixed holes for years, this is the worst case. But Mozilla also is from
time to time not perfect in security, to say the minimum. The problem is
the ActiveX technology, which Internet Explorer uses as its plugin concept.
The problem with this is that ActiveX / COM is a system-wide concept
without any security once a control is running. There is no sandbox concept,
and, once marked "scripting safe", any control in the complete system
is a possible flaw which can be abused. The unfortunate zone concept
of Internet Explorer was retrofitted; it's a flub, one could say.
Keep your software up to date. Use Windows Update, and keep any
other software up to date which you're using on the Internet.
When you're installing new software, don't forget to use netstat -an
to check whether new servers have been started that you should stop again.
> I already run F-Secure Anti-Virus
> Client Security 5.55 in Windows 2000
It is a good idea to use AV software regularly. Please keep in mind
that AV software only works well if its malware signatures are bleeding
edge. Unfortunately, the heuristics to detect unknown malware are not
functioning very well.
And keep in mind that the best AV software is your brain - no-one
wants to make your dick longer, no-one wants to offer pr0n for free
by mail, and no bank sends you a login or password request by mail ;-)
Unfortunately, AV software is not reliable - that means it can help,
it's useful, but you should not bank on it.
And: if you're detecting an infection, please have a look at the type
of malware - if it's loading code through the Internet or if it's
offering access to your box for somebody on the Internet, it's
impossible to get a clean box again, except by flattening and setting up
the system again.
See:
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
> containing a software firewall
> (F-Secure Internet Shield). Are there any good sources of tweaking
> instructions to it? I also have run Kerio 2.1.5 in Windows 98SE,
> and have adjusted its behaviour.
I don't know if you need tweaking of a port filter. I don't know if you
need a port filter at all.
> D-Link DI-604
> Linksys BEFSX41
> ZyXel Prestige 334
> ZyXel Prestige 335
> SMC Barricade 7004VBR
> SMC Barricade Plus BR14VPN
I know the D-Link and the Linksys devices. Both seem to be OK.
If you're using such a router, don't forget to configure it for
filtering. NAT is not enough, because NAT primarily is not a security
feature, so usually the NAT implementations are not secure.
Especially, filter away any packet which reaches your router at the
outside interface but has a source IP address which seems to be
inside (say: source 0.0.0.0/8, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8,
172.16.0.0/12 and non-used blocks like 169.254.0.0/16, 192.0.2.0/24 or
192.168.0.0/16, see RFC 3330).
If your router is filtering, perhaps it's not so important any more,
if your box uses a port filter or not ("firewall") or even is offering
servers or not.
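The ingress anti-spoofing rule described above, as an added example that is not part of the original post: it checks packets arriving on the outside interface against the RFC 3330 special-use blocks named in the post and drops those whose source address could only have come from inside (or from nowhere). The packet tuples, the interface names "wan"/"lan" and the sample addresses are constructed for illustration, not taken from any of the routers mentioned.

```python
"""Ingress anti-spoofing check for a router's outside (WAN) interface."""
import ipaddress
from typing import List, Optional, Tuple

# Special-use blocks from the post (RFC 3330). A packet coming in from the
# Internet must never carry one of these as its source address.
BOGON_SOURCE_BLOCKS = [ipaddress.ip_network(b) for b in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
)]

Packet = Tuple[str, str, str, str]  # (interface, src_ip, dst_ip, proto/port)


def spoofed_source(src_ip: str) -> Optional[str]:
    """Return the matching bogon block as a string, or None if the source is plausible."""
    addr = ipaddress.ip_address(src_ip)
    for net in BOGON_SOURCE_BLOCKS:
        if addr in net:
            return str(net)
    return None


def filter_ingress(packets: List[Packet]) -> List[Tuple[str, Packet, str]]:
    """Apply the rule only to packets seen on the outside interface.

    Returns one ("ACCEPT" | "DROP", packet, reason) verdict per packet."""
    verdicts = []
    for pkt in packets:
        iface, src, _dst, _proto = pkt
        hit = spoofed_source(src) if iface == "wan" else None
        if hit:
            verdicts.append(("DROP", pkt, f"spoofed source in {hit}"))
        else:
            verdicts.append(("ACCEPT", pkt, "source address plausible"))
    return verdicts


# Constructed sample traffic, not a capture from any real device.
SAMPLE_PACKETS: List[Packet] = [
    ("wan", "198.51.100.7", "203.0.113.2", "tcp/80"),    # ordinary Internet host
    ("wan", "192.168.0.1", "192.168.0.10", "tcp/445"),   # LAN address arriving from outside
    ("wan", "127.0.0.1", "203.0.113.2", "udp/53"),       # loopback can never be on the wire
    ("wan", "192.0.2.44", "203.0.113.2", "tcp/22"),      # TEST-NET, an unused block
    ("lan", "192.168.0.10", "198.51.100.7", "tcp/443"),  # same RFC 1918 range, but inside: fine
]

if __name__ == "__main__":
    for verdict, pkt, why in filter_ingress(SAMPLE_PACKETS):
        print(f"{verdict:6} {pkt[0]:3} {pkt[1]:>15} -> {pkt[2]:<15} {pkt[3]:8} {why}")
```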
And beware of mail attachments ;-) Think about it.
> DI-604 (Rev. B 1.82) seems to require occasional power cutout between
> couple of days, in this network, possibly because it gets confused of
> network overload or some other reason, who knows. It seems not to be
> the most stable choice here.
Hm... had no problems with this device so far. Perhaps another hardware
revision?
Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on the "Weltjugendtag" (World Youth Day)