How to create an effective "layered defense"

I have been doing some research on creating a good defense system for my home system. It seems the best strategy is something called "layered defense" or "Defense in Depth". Love to hear your thoughts as to what makes for a good layered defense.

As for me, I am taking one recommendation: to get an Internet Security suite (Trend Micro's PC-cillin 2005), use Zone Alarm for the firewall, and some good spyware-busting apps. Love to know how I can maximize this and better understand why this is being recommended, as opposed to just buying a single suite.

Reply to
nbbrindisi

As it happens, I am indeed running Win XP SP2.

Duane,

You're right on one item. The buck starts and ends with me, the user. That is why I posted this thread. I want to get a better understanding of how to go about building a good solid defense.

  1. Hardware Firewall - My system is already operating behind a NAT-enabled router. I did a port scan via Shields Up! and know the hardware firewall is active and on total stealth.

  2. Software Firewall - Due to problems with NIS 2004 & NAV 2005, I am using Windows Firewall until I find a different firewall. As I am looking to use different vendors' products, how well does Zone Alarm Firewall 5.5 (free version) work with Trend's Internet Security suite?

It has been suggested in an issue of PC World to use Zone's firewall with Trend's PC-cillin 2005 suite. Why would this be such a good strategy? Here is the link to the PC World article that I'm talking about:

  3. Anti-Virus - Trend's AV has been the most recommended.

  4. Anti-Spyware - Just how useful is it to use multiple spyware & adware detection & removal tools? I'm using M$ Anti-Spyware and Spybot S&D. Will be looking to use Lavasoft's Ad-Aware.

  5. I happen to be a fan of keeping Windows fully up to date. The same goes for my AV app.

  6. As it is, I make it a point to limit my use of IE. I primarily use Netscape 7.x. :-) Heard about Firefox, how is it doing?

Please note, I am more acquainted with NIS and the way Symantec integrated everything. I may well be attributing features to the firewall that really belong to another app. Hence the difficulty I'm having with understanding this mixing of apps from different vendors, as opposed to just getting Trend's PC-cillin 2005 and being done with it.

Reply to
nbbrindisi

The problem with not running as the administrator account in Win XP is you cannot install programs, not as a limited user, I don't think. I will always run as an administrator, in that my account Joe has admin rights. It's an administrator account so I can install programs etc., no problems ever. However, I know what I'm doing for the most part in security and what's on my PC and what to use and not to use, plus I have a SonicWall firewall appliance with its gateway AV, content filtering and IPS running. Also I've got an AV app installed on the PC too. Plus Windows updates, I always do that and always make sure the AV is fully updated, as well as I use Firefox for WWW browsing unless I need to use IE, and I use Thunderbird for email and text newsgroups like this group, then Yahoo web mail for web mail. All in all I think I do a fine job here. So I don't see the problem with running in Win XP as a user who is an admin, since at least for me I've never had issues, and running as a limited user you can't install anything, I don't think.

Reply to
Joe

Definitely get a GOOD hardware firewall - WatchGuard, SonicWall, PIX, etc. (stay away from Netgear, Linksys, etc.). Don't just use a software firewall!

Reply to
T. Sean Weintz

Not good enough really. Do you block all outbound connections by default and only open up the outbound ports you need? Does the NAT box do stateful inspection? Most consumer NAT boxes are IMO garbage.

Reply to
T. Sean Weintz
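The two questions in that post (default-deny outbound, and whether the box does stateful inspection) are easier to reason about with a toy packet filter in hand. The following is an added example written for this page, not code from anyone in the thread. It assumes a 192.168.1.0/24 LAN, a short list of outbound ports a home user needs, and a simplified TCP with one flag label per segment; all hosts and packets are constructed. It contrasts a port-list ACL that treats any inbound ACK as a "reply" with a connection-tracking filter that only admits inbound segments belonging to flows an inside host actually opened.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumptions for this example (not from the thread): the LAN is 192.168.1.0/24
# and a home user only needs these outbound TCP ports. Everything else is denied.
INSIDE_NET = "192.168.1."
ALLOWED_OUTBOUND: FrozenSet[int] = frozenset({25, 53, 80, 110, 443})


@dataclass(frozen=True)
class Packet:
    """Simplified TCP segment: addresses, ports and a single flag label."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK", "ACK", "FIN" or "RST"


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


def stateless_filter(pkt: Packet) -> str:
    """Port-list ACL with no memory. Inbound segments carrying ACK are assumed
    to be replies, which is exactly what an ACK-flagged probe takes advantage of."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "ACCEPT" if pkt.dport in ALLOWED_OUTBOUND else "DROP"
    return "ACCEPT" if "ACK" in pkt.flags else "DROP"


class StatefulFilter:
    """Connection-tracking filter: an inbound segment is accepted only if it
    belongs to a flow that an inside host opened on an allowed port."""

    def __init__(self) -> None:
        # key = (inside ip, inside port, outside ip, outside port) -> state
        self.flows: Dict[Tuple[str, int, str, int], str] = {}
        self.log: List[str] = []

    def handle(self, pkt: Packet) -> str:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            # New flow: only a SYN to an allowed port may create state.
            if pkt.flags == "SYN" and pkt.dport in ALLOWED_OUTBOUND:
                self.flows[key] = "SYN_SENT"
                return "ACCEPT"
            self.log.append(f"DROP outbound {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.flags}")
            return "DROP"
        if pkt.flags in ("FIN", "RST"):
            del self.flows[key]  # teardown (simplified: one segment closes the flow)
        return "ACCEPT"

    def _inbound(self, pkt: Packet) -> str:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.flows.get(key)
        if state is None:
            self.log.append(f"DROP unsolicited inbound {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.flags}")
            return "DROP"
        if state == "SYN_SENT":
            if pkt.flags == "SYN-ACK":
                self.flows[key] = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"  # nothing but a SYN-ACK may answer our SYN
        if pkt.flags in ("FIN", "RST"):
            del self.flows[key]
        return "ACCEPT"


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Constructed traffic. Returns {label: (stateless verdict, stateful verdict)}."""
    pc, web, attacker = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    traffic = [
        ("web SYN out",      Packet(pc, 49152, web, 80, "SYN")),
        ("web SYN-ACK in",   Packet(web, 80, pc, 49152, "SYN-ACK")),
        ("web ACK out",      Packet(pc, 49152, web, 80, "ACK")),
        ("web data in",      Packet(web, 80, pc, 49152, "ACK")),
        ("bot to 6667 out",  Packet(pc, 49153, attacker, 6667, "SYN")),
        ("forged ACK probe", Packet(attacker, 80, pc, 135, "ACK")),
        ("unsolicited SYN",  Packet(attacker, 40000, pc, 445, "SYN")),
    ]
    sf = StatefulFilter()
    return {label: (stateless_filter(p), sf.handle(p)) for label, p in traffic}


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:18} stateless={stateless:6} stateful={stateful}")
```

The "forged ACK probe" line is the one to look at: a segment from port 80 with ACK set passes the stateless ACL (it looks like a reply) but is dropped by the stateful filter because no inside host ever sent a SYN to 198.51.100.7. The outbound bot connection to 6667 is dropped by both, which is the default-deny-outbound property; a box that only filters inbound would pass it.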

A reasonable defense strategy for a home Windows user (which I assume you are) might include the following.

  1. An external firewall box.
  2. A virus scanner which gets updates and scans files automatically.
  3. A web browser other than Internet Explorer.
  4. Frequent use of Windows Update.
  5. Your own knowledge of what is in your computer and why it's there and what it is doing.
  6. Your own ability to configure the system in a secure manner. This includes not running everything with administrator privileges.
  7. A system analysis tool to help you find out what is in your computer.
  8. Adware/Spyware detection/removal tools.

Your own knowledge is the most important thing. If you don't know what is in your computer and how and why it is talking to the Internet then it is unlikely that you can secure your computer. You can't secure a computer simply by adding more and more security software.

Jason

Reply to
Jason Edwards

snipped-for-privacy@comcast.net wrote in news:1108570943.771302.157310@f14g2000cwb.googlegroups.com:

Layered defense? The buck stops with you, the Human element, in the grand scheme of things and it doesn't stop anywhere else. You can install all of the (save me software) in the world on the computer, but if you, the Human element, invoke the compromise, no software on the computer is going to save you from you. That's the bottom line.

Duane :)

Reply to
Duane Arnold

snipped-for-privacy@comcast.net wrote in news:1108582098.036677.230040@g14g2000cwa.googlegroups.com:

If it doesn't meet the specs in the link, then it's not an appliance with a FW.

However, I have nothing against a simple NAT router with FW-like features to stop inbound threats, since that's all it can do.

Well, if you implement a FW appliance, then you won't need it.

You can run all of it every hour on the hour if you want. There is so much of the crapware out there that you can run one every half hour if you want to clean *cookies*. That's all that crap is really doing, IMHO, is cleaning *cookies* off the machine.

There is nothing wrong with good AV.

There is nothing wrong with that either. I also use Firefox as my default browser, mainly as a precautionary measure for clicking on unknown links. But I also use IE as much as I use Firefox and never had a problem with IE in the first place, but what the heck, why throw caution to the wind. ;-)

I harden the NT-based O/S against attack a little bit. I took Outlook or OE out of its sending and receiving emails on start-up and on a timed basis and use Mailwasher to view and delete unwanted emails at the ISP's POP3 server. Emails don't reach the machine unless I want them to reach the machine, when I pull them to it.

I use Ad-Aware once in a blue Moon just on GP to delete *cookies* off of the machine and run a good AV on a routine basis.

I use the tools in the link like Active Ports to look for myself and see what's happening. I put a short-cut for Active Ports in the Start folder so I can see what's happening at boot and logon. I would rather use those kinds of tools and I look for myself instead of some kind of (saves all detection crutch software) telling me this that or the other that can be easily defeated.

The buck stops with me in the so called *Layered Defense*. ;-)

Duane :)

Reply to
Duane Arnold
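Duane's approach of looking for himself with a tool like Active Ports rather than trusting an alarm is something a reader can reproduce with the `netstat -ano` that Windows XP already ships: it lists every socket with the owning PID, and `tasklist` maps PIDs to image names. The block below is an added example for this page, not Duane's tooling or script. The `netstat` text, the PID-to-process map and the "expected listeners" baseline are all constructed for the example; the baseline in particular is an assumption, and a real one is built by inspecting a known-clean box.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `netstat -ano` output in the layout Windows XP prints.
# The connections and PIDs are made up for this example.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       3312
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1188
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1137      203.0.113.5:80         ESTABLISHED     2140
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed PID -> image name map, as `tasklist` would report it.
TASKLIST_SAMPLE: Dict[int, str] = {
    4: "System", 848: "svchost.exe", 1188: "alg.exe", 2140: "firefox.exe", 3312: "unknown.exe",
}

# Assumed baseline of listeners a stock XP SP2 box is expected to have:
# (protocol, port, owning process). Anything else reachable from the network is reported.
BASELINE: Set[Tuple[str, int, str]] = {
    ("TCP", 135, "svchost.exe"), ("TCP", 139, "System"), ("TCP", 445, "System"),
    ("UDP", 137, "System"), ("UDP", 138, "System"), ("UDP", 445, "System"),
}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: Optional[str]  # None for UDP, which has no state column
    pid: int


def parse_netstat(text: str) -> List[Socket]:
    """Parse `netstat -ano` output. TCP rows have five columns, UDP rows four."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # blank line, title or column header
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, remote, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:
            proto, local, remote, pid = fields
            state = None
        else:
            continue  # unrecognised layout; skip rather than guess
        ip, port = local.rsplit(":", 1)  # rsplit also copes with [::]:port forms
        sockets.append(Socket(proto, ip, int(port), remote, state, int(pid)))
    return sockets


def listeners(sockets: List[Socket]) -> List[Socket]:
    """Sockets that accept unsolicited input: LISTENING TCP and every UDP socket."""
    return [s for s in sockets if s.proto == "UDP" or s.state == "LISTENING"]


def review(sockets: List[Socket], processes: Dict[int, str],
           baseline: Set[Tuple[str, int, str]]) -> List[str]:
    """Return findings: listeners reachable from the network that the baseline
    does not account for. Loopback-only listeners are ignored."""
    findings: List[str] = []
    for s in listeners(sockets):
        if s.local_ip.startswith("127."):
            continue
        owner = processes.get(s.pid, f"pid {s.pid}")
        if (s.proto, s.local_port, owner) not in baseline:
            findings.append(
                f"{s.proto} {s.local_ip}:{s.local_port} owned by {owner} (pid {s.pid}) is not in the baseline"
            )
    return findings


if __name__ == "__main__":
    for f in review(parse_netstat(NETSTAT_SAMPLE), TASKLIST_SAMPLE, BASELINE):
        print(f)
```

Run against the constructed sample it reports exactly one listener, TCP 6667 on all interfaces owned by the unknown process, and stays quiet about the loopback-only port 1025 and the stock NetBIOS/RPC listeners. A listener bound to 0.0.0.0 is what Shields Up! would see if the NAT box ever forwarded that port, which is why the review keys on the bind address and not just the port.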

A slight correction to a link.

Duane :)

Reply to
Duane Arnold


What command switch are you talking about? I haven't bought Trend's ISS, as I'm waiting a bit. How does Trend's ISS behave with the anti-spyware apps like Ad-Aware, Spybot S&D and M$ Anti-Spyware? I already know to uninstall McAfee's AV before installing Trend's.

Reply to
nbbrindisi

Ordinarily, I would agree that a good-quality hardware firewall (a router with NAT) is a must.

As it happens, I have no control over the router since it belongs to my landlord. I'm renting a room in his house. Since he is an IT professional (System Engineer) and actually knows his stuff, I'm sure the router is fine.

I can only control my system.

Reply to
nbbrindisi

I wouldn't try running ZA with Trend's ISS, unless at installation you use a command switch to leave out Trend's firewall.

Reply to
optikl

A router that provides NAT IS NOT A FIREWALL, let alone a quality hardware firewall. Routers like the Linksys/D-Link/Netgear that do NAT are just routers. Sure, they make nice first-layer defense devices, but they are not firewalls.

I've seen people posting about landlords providing connections before; in almost every case the LL has been snooping on the renter's connection. A typical router will provide real-time logs that can show EVERY place you've visited on the Net. You need to be aware of that.

Also, you can install your own router, and that means that the LL can't get into your PC across the network. If you password your BIOS and your desktop and always lock the computer when you leave, then the LL can't get into it without your permission.

Reply to
Leythos

Internet security suites are generally bloated apps that take a huge footprint in terms of memory and speed reduction. They are also a single point of failure. By themselves they are mostly a waste of time, apart from the AV service. One well-written worm/virus and you are toast.

Think about what the threats are, think about the vectors, think about how to stop them on more than one level so if one part of the defense fails, another can still perform.

If a 0-day email-borne virus comes out, will you be affected by it?

A favourite config of mine for home users is a NAT/SPI-based router and an IPCop 1.4 box with content filtering (Cop+) and spam filtering (POPFile) installed as addons. If the rules are set right, you can block access to most threat-based sites or p*rn etc. You can even block file extensions from .exe to .mp3 etc. You can also set an admin station (or group of them) which bypasses the rules for testing purposes.

On the PC use a good AV package such as Symantec or Grisoft and Spybot or spysweeper for protection.

A configurable personal firewall is the next step, although I don't use PFWs the way they are marketed to be used. The job of a PFW (IMHO) is to:

- define allowed sites/scripts: e.g. allow Javascript/popups on defined sites e.g. cisco.netacad.net and deny on all others by default.

- define what apps can talk on what port i.e. mail clients can talk on ports 25 and 110, but not 80, 800, 8080 etc.

- Filter email attachments, i.e. strip or rename any email attachment with certain extensions such as exe, cpl etc.

- Catch (i.e. log) traffic in userspace in order to fine tune rules for the content filter. Outpost and ZA Pro are quite good for this purpose.

Not using IE for general browsing is also a good idea at the moment. IE is still required for some sites such as windowsupdate and certain banks.

At the end of the day it's the end user or person that configures and maintains the setup that defines whether or not you remain secure. As both Duane and Jason mentioned, knowledge and education of what and why is the fundamental factor in this.

A workable setup....

NAT/SPI Router - a connector which stops most unsolicited inbound, very cheap and easy to setup.

...connects to...

IPCop 1.4 - firewalling, IDS, content filtering, blacklists, logging, proxy with optional authentication, spam filtering, download/upload content blocking, separate DMZ and wireless networks, all of which is configurable. Free for home use, 89 euros for DansGuardian for commercial use.

....connects to... (via Switch)

User PCs running Antivirus and Antispyware (though somewhat redundant with content filtering), and a PFW for defining application communications and attachment filtering.

The only downside of this is that blocking .exe, javascript, msi downloads stops windows update from working. In a commercial environment this doesn't matter as users can't install anything and it's handled by SUS or whatever anyway. You can get around this by creating two configs: one that allows the needed extension downloads and one that doesn't. Back up both configs and import as needed when doing an update session, then revert to full blocking.

If you don't have a spare box for an admin station, you can get a USB drive and boot an OS from it with a different config. Or use virtual PC/VMWare.

Total cost is about $350 for the router, old box to run IPCop on, av package, adware package and PFW. A commercial unit with similar capabilities will cost around $4k.

This is similar to the config I used when on dialup (tho without the router naturally). Never had a problem.

Takes about 3 hours from go to whoa to set up. And that includes downloading the ISO image.

E.

Reply to
E.
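The two PFW jobs in E.'s list that a home user actually configures by hand (which program may talk on which ports, and neutralising executable attachments) are shown below as a small policy engine. This is an added example written for this page, not E.'s rules or any vendor's product. The program names, the port lists, the extension list and the sample events are all constructed assumptions; the attachment check also covers the double-extension and trailing-dot cases that a plain "ends with .exe" test misses.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Per-program outbound policy: program name -> destination ports it may use.
# A program with no entry, or a port not in its entry, is denied (default deny).
# These programs and ports are assumptions for the example, not E.'s actual rules.
APP_RULES: Dict[str, FrozenSet[int]] = {
    "thunderbird.exe": frozenset({25, 110, 143, 993, 995}),  # SMTP/POP3/IMAP only
    "firefox.exe": frozenset({80, 443}),
    "svchost.exe": frozenset({53, 80, 443}),                 # DNS and Windows Update
}

# Attachment extensions Windows will execute on double-click (assumed list).
DANGEROUS_EXT: FrozenSet[str] = frozenset(
    {"exe", "cpl", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse", "hta", "msi"}
)


@dataclass(frozen=True)
class ConnectAttempt:
    program: str
    dst: str
    dport: int


def decide_outbound(attempt: ConnectAttempt) -> Tuple[str, str]:
    """Return (verdict, reason) for one outbound connection attempt."""
    prog = attempt.program.lower()
    allowed = APP_RULES.get(prog)
    if allowed is None:
        return "DENY", f"{prog}: no rule, default deny"
    if attempt.dport not in allowed:
        return "DENY", f"{prog}: port {attempt.dport} not in {sorted(allowed)}"
    return "ALLOW", f"{prog}: -> {attempt.dst}:{attempt.dport}"


def neutralise_attachment(filename: str) -> Tuple[str, bool]:
    """Rename an attachment whose final extension is executable so the mail
    client can no longer launch it. Handles double extensions such as
    'invoice.pdf.exe', upper case, and trailing dots/spaces that Windows strips
    when saving (so 'notes.exe. ' would land on disk as 'notes.exe').
    Returns (new_name, renamed)."""
    name = filename.strip().rstrip(". ")
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext in DANGEROUS_EXT:
        return name + ".blocked", True
    return name, False


def audit(attempts: List[ConnectAttempt], attachments: List[str]) -> List[str]:
    """Run both checks and return log lines: the 'catch and log traffic in
    userspace' step that is used to tune the rules before enforcing them."""
    lines: List[str] = []
    for a in attempts:
        verdict, reason = decide_outbound(a)
        lines.append(f"{verdict:5} {reason}")
    for f in attachments:
        new, renamed = neutralise_attachment(f)
        lines.append(f"{'RENAME' if renamed else 'PASS  '} {f!r} -> {new!r}")
    return lines


if __name__ == "__main__":
    # Constructed sample events for a dry run
    sample_attempts = [
        ConnectAttempt("thunderbird.exe", "mail.example.net", 110),
        ConnectAttempt("thunderbird.exe", "203.0.113.9", 80),
        ConnectAttempt("Firefox.EXE", "www.example.com", 443),
        ConnectAttempt("updater.exe", "198.51.100.7", 8080),
    ]
    sample_attachments = ["report.pdf", "invoice.pdf.exe", "PHOTO.SCR", "notes.exe. ", "setup.txt"]
    for line in audit(sample_attempts, sample_attachments):
        print(line)
```

The mail client reaching for port 80 is the case E. gives, and it is denied even though 80 is a perfectly normal port for the browser: the rule is per program, not per port. The unknown `updater.exe` is denied with no rule at all, which is the default-deny posture; the `audit` output is what you read for a few days to discover which of those denials are legitimate before adding rules for them.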

Spysweeper will not install or run as USER. You are forced to run and cruise the web in Admin mode. Nice program, piss-poor design on the above!!!!!!!!!!!!! PC Mag didn't even test for USER mode login compatibility on Spysweeper.

3.5 is even worse.

Reply to
jtgh

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.