Is complete home security possible?

I recently got hit by a trojan (Kaspersky called it "Backdoor.Win32.rBot.Gen"). I saw this thing either take over my TFTP program (or install one of its own). It installed several programs on my HD to start up with Windows (XP Pro), like "IEXPLOREUP.EXE", and used them to transfer data out to the net, via TFTP. Exactly what it was transferring, I have no idea. I have since renamed Windows TFTP.EXE file, because I don't know why it is even there, if it can be exploited so easily by hackers. My security before this occurred was Kerio 2.1 as a firewall (always made sure I got 100% stealth ports on GRC's "ShieldsUp!" test), Kaspersky (always ensure my definitions are updated), and for good measure, GIANT AntiSpyware. I have TrojanGuard on the system, but only use it for scanning, to conserve resources.

Despite all these measures, some mofo still managed to circumvent my security. I don't know how, but all I know is at one point, my firewall and virus program stopped loading with Windows. I don't know if the trojan somehow disabled them, but I know I didn't take them out of startup. I just wasn't so quick to put them back and next thing you know... There was a point where I saw Kerio crash before my eyes, and then it just took itself out of memory and was no longer active. Never saw it do that before, and again, I don't know if the trojan was responsible for this.

Which leads me to my question: I have a hi-speed connection, and I'm thinking of leaving it on all the time (ease & convenience), rather than just starting it up whenever I do browsing. For this to happen, I would want to have bulletproof security to where I'm confident my firewall is not going to go south on me. I don't know yet whether SP2's Security Center will protect me from hackers trying to disable my firewall via trojans. What if I have a backup software firewall in place in case the first one gives out? Is it possible to achieve a level of software security to where a home user under XP Pro SP2 can be confident in leaving a hi-speed connection open without fear of hackers circumventing the security measures? In other words, WHAT AM I DOING WRONG HERE??!

Thanks for your opinions.

Reply to
Joe Samangitak

Joe, I want to thank you for writing in here. Your story is kinda heartfelt for me 'cause I am also interested in your question being answered. I don't have any problems, but am curious to see people's answers for you.

I personally have a hardware router and in that alone am protected enough I never worry or have problems. We run Windows XP Pro here and SP1 or 2, doesn't matter. We've never had a virus unless we downloaded something from a bad web site or email thing. That's only happened maybe 1 or 2 times in our lifetime of using the net on our cable modem during the last 5 years.

I leave my cable modem on 24/7 and never have security issues. You should be able to do the same. DSL or Cable doesn't matter. Have a hardware router and you should be fine so long as no one there goes to sites and downloads stuff that might be infected or open email attachments etc.

I personally have a SonicWALL TZ150. I just got it a couple days ago. I got it for the IDP, Virus and Content filtering. IDP is intrusion prevention which looks for trojans, worms etc and p2p stuff, etc. The virus feature looks at all incoming email and web and ftp transfers for code that might be a virus and it blocks it from coming in. All this done at the gateway/router. You still should have virus software, but to me it's not as needed as without this type of router. It's still good to have tho.

Joe

Reply to
Joe

No. You can buy a 5 pack. I see them at fry's all the time ($ 249.00 US).

Reply to
optikl

I recommend against blocking the last two if running any kind of servers, as they can be used for legal return traffic, and most NAT home routers won't see the difference, and block it even when they shouldn't.

I'd recommend Symantec Norton Antivirus Corporate Edition, except that you can't buy a single copy -- you have to buy a minimum of 10. This product should not be confused with the consumer "Norton Antivirus", which is a completely different, buggy and bloated product that really only shares the name.

I'd recommend Tuesday afternoon PST (adjust for time zone differences), due to Microsoft only releasing security patches on Tuesday mornings. Checking on a Saturday or Monday is a waste of time and bandwidth. :-)

Or Mozilla, which is basically the same browser. Some might like one better than the other. I prefer Mozilla for two reasons: It can handle more advanced .pac scripts for proxy selection, and it can be pre-loaded. Others may have their reasons for using FireFox instead. :-)

For mail, I can't recommend ThunderBird, as it can't display the email without parsing and rendering it first (which is the underlying cause of all the security problems with Outlook Express and Outlook preview panes). There's plenty of alternatives, of course -- both free and commercial.

Even when needing to run programs that won't run as a User, you can usually create a shortcut to the program and set "Run As". That's probably safer than logging in as an Administrator, as you won't have the whole Admin environment.

Regards,

Reply to
Arthur Hagen

If I may ask here, what's the difference between corp and home Norton virus, other than no subscription expiry?

Reply to
Joe

Thank you for the response Leythos, I appreciate it.

So other than that there's no real difference in features? Bummer.

Reply to
Joe

I know, but it's still a problem if you run a server.

Outside client connects from 1433 to your port XXXX. Your server replies from port XXXX to remote port 1433. *BLOCKED*

Not good, no.

Better NAT devices will see that this is return traffic and allow it despite the port otherwise being blocked (if return traffic is opened), but a basic consumer NAT router won't.

Indeed, but it can also block legal traffic.

Regards,

Reply to
Arthur Hagen

Yeah, but that's still a tad too pricey for a home user who only needs one copy. I really wish they would sell individual licenses, cause it's a *good* product, unlike the consumer bloatware version.

Regards,

Reply to
Arthur Hagen

If you have a high-speed connection then we're talking cable/DSL and that means you can install a simple NAT router as the first barrier. With NAT you are going to be blocking all inbound that you didn't invite and it works no matter how you screw with the computer.

There are several steps, and here's what I've found that makes most home users' computers secure - if it worked for my mother-in-law it can work for you:

1) Install a router that provides NAT - change the default network address.

2) Setup the password on the router for something with 12+ characters, letters, numbers, upper/lower case.

3) Block outbound ports 135,136,137,138,139,445,1433,1434 (these are destination port blocks, not local port blocks).

4) Install a quality antivirus program - one that gets frequent updates and ranks in the top 3 by most corporate users.

5) Setup Windows Updates to install at 3AM every day.

6) Download and install FireFox and ThunderBird - free browser and email clients.

7) Set Program Access defaults to use FireFox and ThunderBird as the primary, allow IE to be accessed.

8) Follow MS's suggestions on securing IE and do it - it's a pain to use in high security mode, but it works.

9) Create a "User" type account and use it instead of an "Administrator" level account - only use Administrator to install software or to run programs that won't run as User - do not play with email/web when as Administrator.

10) Monitor the in/outbound logs from your NAT router - this will tell you what's going on with the public network connection. If you get a linksys router you can download WallWatcher for free and it's very clear as to what's happening with your Internet connection.

11) If your machine is compromised, get a router with NAT, get behind it, and then wipe/reinstall your system - while you'll get people telling you that you don't have to go to that extreme, do you know of any way YOU can be sure that you have a clean machine? I've never signed a document saying a compromised system was clean unless I wipe/reinstall it, and I won't either.

Reply to
Leythos

If you press F8 the preview pane will open/close

-max

Reply to
What's in a Name?

My opinion is that if you are responsible for your own computer (at home) then it is essential to know what is actually in your computer and whether or not it should be there. Software firewalls aren't going to help with this as you have discovered. Virus scanners are not a complete solution either but do install one and make sure it automatically gets updates. Assuming you don't want to change to a more secure operating system then it is essential to be aware of what is in your system so that you can immediately spot a compromised system. This is one reason why I keep recommending use of this

formatting link
with another site which will analyze the log for you
formatting link
this tool doesn't cover all possible places where malware could exist but it is a good start.

Since you are running XP pro SP2 you should not be running as administrator for general purpose use. Set up a user account for that.

It is also a good idea to use an external firewall box rather than running the PC with a public IP address.

There are many other things you can do but I've just noticed them in Leythos's reply so no need to repeat it.

Leythos also points out that if your computer does get compromised then it should be wiped and reinstalled (from behind NAT). I agree with this. If you get malware in your computer then you cannot know what it has left behind even if you remove it.

Jason

Reply to
Jason Edwards

I dunno. I have Norton Internet Security 2005 and like it mostly, just was curious if the corp had any different features. Just curious.

Reply to
Joe

If you notice, I said blocking outbound "to destination" ports. Since those ports are defined as MS SQL Data and Control ports there is no reason for your computer to connect to another system (outside of your network) listening on them. This is not the same as blocking ports 1433/1434, which indeed might cause problems.

I also block outbound port 2500 and 1026/1027 in those cheap routers - this means that any port on your local computer can be used but it won't let it connect to the REMOTE ports listed.

This helps stop the spread of worms/trojans around the net.

Reply to
Leythos
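Arthur's blocked server reply and Leythos's "destination port" blocks above are the same rule seen from two sides. As an added illustration (not code from anyone in this thread), here is a small Python model of an egress filter with and without stateful return-traffic handling; all IP addresses and ports are constructed for the demo:

```python
# Added example: models the egress filter discussed in the thread.
# A per-destination-port block stops a local machine from *opening* a
# connection to remote 1433/1434 etc., but a basic router also blocks a
# server's reply to a client whose source port happens to be 1433.
# A stateful device recognises that reply as return traffic and allows it.
from dataclasses import dataclass

# Outbound destination ports the thread suggests blocking on a home router.
BLOCKED_DST_PORTS = {135, 136, 137, 138, 139, 445, 1433, 1434}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str            # "in" (from Internet) or "out" (to Internet)
    syn_only: bool = False    # True for the first packet of a TCP connection

class EgressFilter:
    """Blocks outbound packets to BLOCKED_DST_PORTS unless (stateful mode)
    they belong to a connection an outside host already opened."""

    def __init__(self, stateful: bool):
        self.stateful = stateful
        self.table = set()    # (remote_ip, remote_port, local_ip, local_port)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            # Assumed: the inbound port is forwarded to a local server, so the
            # packet is accepted; record the flow so its reply can be matched.
            if pkt.syn_only:
                self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        flow = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if self.stateful and flow in self.table:
            return "ALLOW (return traffic)"   # the "better NAT device" case
        if pkt.dst_port in BLOCKED_DST_PORTS:
            return "BLOCK"                    # the destination-port block
        return "ALLOW"

def demo(stateful: bool) -> list:
    """Runs Arthur's server-reply case and Leythos's outbound-to-1433 case."""
    f = EgressFilter(stateful)
    client_syn = Packet("203.0.113.5", 1433, "192.168.1.10", 8080, "in", syn_only=True)
    server_reply = Packet("192.168.1.10", 8080, "203.0.113.5", 1433, "out")
    worm_attempt = Packet("192.168.1.10", 3321, "198.51.100.7", 1433, "out", syn_only=True)
    return [f.decide(client_syn), f.decide(server_reply), f.decide(worm_attempt)]
```

With `stateful=False` the legitimate server reply is blocked alongside the worm attempt; with `stateful=True` only the new outbound connection to remote port 1433 is blocked.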

I agree. Actually, I get to use SAV CE for home use, if I wish, based on licensing permission my company has from Symantec. It is a much more elegant version than the Symantec Home use version.

Reply to
optikl

Totally different product. Check out Symantec's web site for a very good description:

formatting link

Reply to
optikl

What kind of features do you expect from an AV Client application?

Reply to
optikl

If it's that bad, you will have to WIPE OUT AND REINSTALL Windows. One good practice is to reinstall Windows every month. I have an image for each of the hard disks from Norton Ghost, and I ghost the machines once a month to get rid of any malware, viruses, trojans, worms, etc, that might be there. You would need a second hard disk to do this.

Reply to
Charles Newman

1433 and 1434 should also be blocked to prevent Kazaa from being used on your network. Kazaa uses port 80, and ports 1000-5300

The thing is that the major antivirus makers want you to pay a subscription fee now. Avast is free for home use, and no subscription fee, and it will scan everything on your PC that goes in or out of your network.

The best way is to have it search for and download updates every time the machine is booted.

If you want to use Usenet, you will need Outlook Express installed.

If you are a gamer, some computer games will only run in administrator mode. Flight Simulator does this I know. If I log in under anything other than an administrator level account, I will get an error message on FS98, FS2002, and FS2004, saying that I need to be an administrator to use the program, and I have heard of a lot of other games having this problem.

No argument there. I have a clean disk image made from Norton Ghost, and I regularly ghost my machines once a month. You should regularly ghost your machines once a month. In another newsgroup, one guy called me crazy for regularly ghosting my machines to get rid of any malware, but it is the only way to be sure nothing bad is lurking inside your machine. Where I went to college, they had a program they ran daily before closing the labs for the night which restored the machines to a specific configuration and got rid of any software that any students may have installed during the day, as well as any viruses and the like that may have come in.

Reply to
Charles Newman

Unfortunately, 1433 and 1434 MUST be blocked, to stop Kazaa. That is in the range of ports that Kazaa uses. If 1433 and 1434 are open, then anyone on your network can use Kazaa.

Two words;

SUBSCRIPTION FEES

Avast is much better, because it's free for home use, and no subscription fees.

Reply to
Charles Newman

You don't need Outlook Express for Usenet; in fact, that's a security hole right there. If you download binaries from newsgroups then use Newsbin Pro

formatting link
or if you use text groups only, then use Thunderbird which is free and fairly good. Not the best, not even close I am sure, but it's easy to use and free and more secure than Outlook Express in my opinion.

Reply to
Joe
