Is complete home security possible?


I recently got hit by a trojan (Kaspersky called it
"Backdoor.Win32.rBot.Gen"). I saw this thing either take over my TFTP
program (or install one of its own). It installed several programs on
my HD to start up with Windows (XP Pro), like "IEXPLOREUP.EXE", and
used them to transfer data out to the net, via TFTP. Exactly what it
was transferring, I have no idea. I have since renamed Windows
TFTP.EXE file, because I don't know why it is even there, if it can be
exploited so easily by hackers. My security before this occurred was
Kerio 2.1 as a firewall (always made sure I got 100% stealth ports on
GRC's "ShieldsUp!" test), Kaspersky (always ensure my definitions are
updated), and for good measure, GIANT AntiSpyware. I have TrojanGuard
on the system, but only use it for scanning, to conserve resources.

Despite all these measures, some mofo still managed to circumvent my
security. I don't know how, but all I know is at one point, my
firewall and virus program stopped loading with Windows. I don't know
if the trojan somehow disabled them, but I know I didn't take them out
of startup. I just wasn't so quick to put them back and next thing you
know... There was a point where I saw Kerio crash before my eyes, and
then it just took itself out of memory and was no longer active. Never
saw it do that before, and again, I don't know if the trojan was
responsible for this.

Which leads me to my question: I have a hi-speed connection, and I'm
thinking of leaving it on all the time (ease & convenience), rather than
just starting it up whenever I do browsing. For this to happen, I would
want to have bulletproof security to where I'm confident my firewall
is not going to go south on me. I don't know yet whether SP2's
Security Center will protect me from hackers trying to disable my
firewall via trojans. What if I have a backup software firewall in
place in case the first one gives out? Is it possible to achieve a
level of software security to where a home user under XP Pro SP2 can
be confident in leaving a hi-speed connection open without fear of
hackers circumventing the security measures? In other words, WHAT AM I
DOING WRONG HERE??!

Thanks for your opinions.


Re: Is complete home security possible?
On Sat, 05 Feb 2005 12:35:11 -0800, Joe Samangitak wrote:

Quoted text here. Click to load it

If you have a high-speed connection then we're talking cable/DSL and that
means you can install a simple NAT Router as the first barrier. With NAT
you are going to be blocking all inbound that you didn't invite and it
works no matter how you screw with the computer.

There are several steps, and here's what I've found that makes most home
users' computers secure - if it worked for my mother-in-law it can work for
you:

1) Install a router that provides NAT - change the default network address

2) Set up the password on the router for something with 12+ characters,
letters, numbers, upper/lower case.

3) Block outbound ports 135,136,137,138,139,445,1433,1434 (these are
destination port blocks, not local port blocks).

4) Install a quality antivirus program - one that gets frequent updates
and ranks in the top 3 by most corporate users.

5) Set up Windows Updates to install at 3AM every day.

6) Download and install FireFox and ThunderBird - free browser and email
clients.

7) Set Program Access defaults to use FireFox and ThunderBird as the
primary, allow IE to be accessed.

8) Follow MS's suggestions on securing IE and do it - it's a pain to use
in high security mode, but it works.

9) Create a "User" type account and use it instead of an "Administrator"
level account - only use Administrator to install software or to run
programs that won't run as User - do not play with email/web when as
Administrator.

10) Monitor the in/outbound logs from your NAT router - this will tell you
what's going on with the public network connection. If you get a linksys
router you can download WallWatcher for free and it's very clear as to
what's happening with your Internet connection.

11) If your machine is compromised, get a router with NAT, get behind
it, and then wipe/reinstall your system - while you'll get people telling
you that you don't have to go to that extreme, do you know of any way YOU
can be sure that you have a clean machine? I've never signed a document
saying a compromised system was clean unless I wipe/reinstall it, and I
won't either.

--
spam999free@rrohio.com
remove 999 in order to email me



Re: Is complete home security possible?
Quoted text here. Click to load it

I recommend against blocking the last two if running any kind of servers, as
they can be used for legal return traffic, and most NAT home routers won't
see the difference, and block it even when they shouldn't.

Quoted text here. Click to load it

I'd recommend Symantec Norton Antivirus Corporate Edition, except that you
can't buy a single copy -- you have to buy a minimum of 10.  This product
should not be confused with the consumer "Norton Antivirus", which is a
completely different, buggy and bloated product that really only shares the
name.

Quoted text here. Click to load it

I'd recommend Tuesday afternoon PST (adjust for time zone differences), due
to Microsoft only releasing security patches on Tuesday mornings.  Checking
on a Saturday or Monday is a waste of time and bandwidth.  :-)

Quoted text here. Click to load it

Or Mozilla, which is basically the same browser.  Some might like one better
than the other.  I prefer Mozilla for two reasons:  It can handle more
advanced .pac scripts for proxy selection, and it can be pre-loaded.  Others
may have their reasons for using FireFox instead.  :-)

For mail, I can't recommend ThunderBird, as it can't display the email
without parsing and rendering it first (which is the underlying cause of all
the security problems with Outlook Express and Outlook preview panes).
There's plenty of alternatives, of course -- both free and commercial.

Quoted text here. Click to load it

Even when needing to run programs that won't run as a User, you can usually
create a shortcut to the program and set "Run As".  That's probably safer
than logging in as an Administrator, as you won't have the whole Admin
environment.

Regards,
--
*Art



Re: Is complete home security possible?
On Sat, 05 Feb 2005 16:37:38 -0500, Arthur Hagen wrote:

Quoted text here. Click to load it

If you notice, I said blocking outbound "to destination" ports. Since
those ports are defined as MS SQL Data and Control ports there is no
reason for your computer to connect to another system (outside of your
network) listening on them. This is not the same as blocking ports
1433/1434, which indeed might cause problems.

I also block outbound port 2500 and 1026/1027 in those cheap routers -
this means that any port on your local computer can be used but it won't
let it connect to the REMOTE ports listed.

This helps stop the spread of worms/trojans around the net.

--
spam999free@rrohio.com
remove 999 in order to email me



Re: Is complete home security possible?
Quoted text here. Click to load it

I know, but it's still a problem if you run a server.

Outside client connects from 1433 to your port XXXX.
Your server replies from port XXXX to remote port 1433.  *BLOCKED*

Not good, no.

Better NAT devices will see that this is return traffic and allow it despite
the port otherwise being blocked (if return traffic is opened), but a basic
consumer NAT router won't.

Quoted text here. Click to load it

Indeed, but it can also block legal traffic.

Regards,
--
*Art



Re: Is complete home security possible?
On Sat, 05 Feb 2005 19:44:34 -0500, Arthur Hagen wrote:

Quoted text here. Click to load it

No, outside client tries to connect from port XYZ to your port 1433 and if
you forward it inbound then it works just fine.

Inside client tries to connect to outside service listening on their
(remote) port 1433 and is blocked - this means that your local computers
can not connect to the MS SQL port listener service at the REMOTE
COMPUTERS site.

If the remote computer is using 1433/1434 for something listening other
than SQL Server (which should not be directly exposed to the internet
anyway) then you need to get a better service.

Quoted text here. Click to load it

The only thing that should be listening on 1433 is SQL Server, unless you're
running some non-standard application. Check the Port lists, 1433 is for
MS SQL server.

Quoted text here. Click to load it

Nope, it does not block outbound normal traffic, except to REMOTE
DESTINATION PORTS that are already defined as used by services that should
not be exposed to the internet.


--
spam999free@rrohio.com
remove 999 in order to email me



Re: Is complete home security possible?
Quoted text here. Click to load it

That's a very different situation from what I described.

Quoted text here. Click to load it

Indeed, and that's a very different situation from what I described.

Quoted text here. Click to load it

I think we've had this discussion before.  Say you run a web server on the
*inside*.  The remote client sends off a bunch of requests to your web
server, as follows (keep in mind that the client is remote and the server
local):

Client port 1430 -> server port 80 OK
Server port 80 -> client port 1430 OK
Client port 1431 -> server port 80 OK
Server port 80 -> client port 1431 OK
Client port 1432 -> server port 80 OK
Server port 80 -> client port 1432 OK
Client port 1433 -> server port 80 OK
Server port 80 -> client port 1433 BZZT - DROPPED
Client port 1434 -> server port 80 OK
Server port 80 -> client port 1434 BZZT - DROPPED

Quoted text here. Click to load it

You're thinking of the port as a *listening* port, but it can just as well
be used as a high port for outgoing traffic, in which case it's used for
*return* traffic.  And cheap NAT devices can't block the port while still
allowing it to be used for outgoing return traffic.

Quoted text here. Click to load it

It blocks outbound *return* traffic.  Since Windows uses incremental high
range ports to connect to remote services, ports 1433 and 1434 usually
*will* get used pretty quickly as the source ports.  That it's two ports in
a row makes it especially bad, since Windows increments by 1.

Regards,
--
*Art
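As an added illustration (not code from any poster in this thread), here is a small Python model of the two filter behaviours Leythos and Art are arguing about: a stateless outbound destination-port block like the one in Leythos's step 3, and a connection-tracking filter that recognises return traffic. It replays Art's web-server example with consecutive client source ports and also checks that both models still stop a LAN host from opening a connection to a remote port 1433 listener. All addresses, ports and packets are constructed for the example; the filter classes and function names are hypothetical, not any router's firmware.

```python
"""Toy packet-filter model: stateless outbound destination-port block
(the cheap-NAT-router behaviour from the thread) versus a stateful
filter that tracks connections and lets return traffic through.
Everything below is constructed for illustration."""
from dataclasses import dataclass

# Outbound destination ports from Leythos's step 3 (constructed policy for the demo).
BLOCKED_DST_PORTS = {135, 136, 137, 138, 139, 445, 1433, 1434}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str      # "in" = Internet toward LAN, "out" = LAN toward Internet
    syn: bool = False   # True for the first packet of a new TCP connection


def stateless_filter(pkt):
    """Cheap router: judge each packet on its own; any outbound packet whose
    destination port is on the block list is dropped, replies included."""
    if pkt.direction == "out" and pkt.dst_port in BLOCKED_DST_PORTS:
        return "DROPPED"
    return "OK"


class StatefulFilter:
    """Connection-tracking filter: a flow opened by a permitted SYN is
    remembered, and later packets of that flow pass in either direction."""

    def __init__(self):
        self.flows = set()

    def _key(self, pkt):
        # Sort the endpoints so both directions map to the same flow entry.
        return tuple(sorted(((pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port))))

    def check(self, pkt):
        key = self._key(pkt)
        if key in self.flows:
            return "OK"          # established flow: return traffic passes regardless of port
        if pkt.syn:
            # New connection: apply the destination-port policy to the initiator only.
            if pkt.direction == "out" and pkt.dst_port in BLOCKED_DST_PORTS:
                return "DROPPED"
            self.flows.add(key)
            return "OK"
        return "DROPPED"         # unknown flow and not a connection start: unsolicited


def run_web_exchange(first_client_port=1430, count=5):
    """Replay Art's example: a remote client makes `count` requests to a LAN web
    server on port 80, using consecutive source ports (Windows increments by 1).
    Returns (client_port, stateless verdict on reply, stateful verdict on reply)."""
    client, server = "203.0.113.10", "192.168.1.20"   # constructed addresses
    stateful = StatefulFilter()
    results = []
    for i in range(count):
        cport = first_client_port + i
        request = Packet(client, cport, server, 80, "in", syn=True)   # port-forwarded inbound
        reply = Packet(server, 80, client, cport, "out")               # server's return traffic
        assert stateless_filter(request) == "OK" and stateful.check(request) == "OK"
        results.append((cport, stateless_filter(reply), stateful.check(reply)))
    return results


def blocked_source_ports(first_client_port=1430, count=5):
    """Client source ports whose replies the stateless rule drops."""
    return [p for p, stateless, _ in run_web_exchange(first_client_port, count)
            if stateless == "DROPPED"]


def lan_host_to_remote_sql():
    """A LAN machine trying to open a connection to a remote port 1433 listener,
    the case Leythos's rule is meant to stop. Both models drop it."""
    pkt = Packet("192.168.1.30", 1050, "198.51.100.5", 1433, "out", syn=True)
    return stateless_filter(pkt), StatefulFilter().check(pkt)


if __name__ == "__main__":
    for cport, stateless, stateful in run_web_exchange():
        print(f"server:80 -> client:{cport}  stateless={stateless}  stateful={stateful}")
    print("LAN -> remote 1433:", lan_host_to_remote_sql())
```

Run as-is, it reproduces Art's table: replies to client ports 1433 and 1434 are dropped by the stateless rule while the stateful filter passes all five, and both filters still refuse the LAN-initiated connection to a remote 1433 listener. The difference is entirely whether the device keeps flow state, which is what separates the "better NAT devices" from the basic consumer routers the two posters describe.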



Re: Is complete home security possible?
Arthur Hagen wrote:

Quoted text here. Click to load it


No. You can buy a 5 pack. I see them at Fry's all the time ($249.00 US).


Re: Is complete home security possible?
On Sat, 05 Feb 2005 16:32:42 -0600, optikl wrote:

Quoted text here. Click to load it

The nice thing about the Corp Edition is that it doesn't expire every year
like Norton AV does. I still have clients running 7.6 that get updates
that I can't convince to upgrade.

--
spam999free@rrohio.com
remove 999 in order to email me



Re: Is complete home security possible?
Leythos wrote:
Quoted text here. Click to load it

The later versions expire (9.x) - you need a new .slf to continue
getting updates.
E.



Re: Is complete home security possible?
Quoted text here. Click to load it

Yeah, but that's still a tad too pricey for a home user who only needs one
copy.  I really wish they would sell individual licenses, cause it's a
*good* product, unlike the consumer bloatware version.

Regards,
--
*Art



Re: Is complete home security possible?
Arthur Hagen wrote:
Quoted text here. Click to load it

If I may ask here, what's the difference between corp and home Norton
virus? Other than no subscription expiry?


Re: Is complete home security possible?
On Sat, 05 Feb 2005 17:01:15 -0800, Joe wrote:

Quoted text here. Click to load it

Corporate Edition 9 includes scanning of POP/SMTP, MS Exchange and Notes
connections, has a smaller footprint, seems to be more efficient, and I
can setup a server to manage all the clients from one location - in other
words I can set the properties and the users can't override them.

--
spam999free@rrohio.com
remove 999 in order to email me



Re: Is complete home security possible?
Leythos wrote:
Quoted text here. Click to load it

Thank you for the response Leythos, I appreciate it.

So other than that there's no real difference in features? Bummer.


Re: Is complete home security possible?
Joe wrote:
Quoted text here. Click to load it


What kind of features do you expect from an AV Client application?


Re: Is complete home security possible?
optikl wrote:
Quoted text here. Click to load it

I dunno. I have Norton Internet Security 2005 and like it mostly, just
was curious if the corp had any different features. Just curious.


Re: Is complete home security possible?
Joe wrote:

Quoted text here. Click to load it

Nothing apart from the Alert Management Server, Centralised policy +
control, the ability to define both desktop and mobile groups, central
quarantine, Liveupdate Administration, extended reporting and logging.
The groupware edition also does SMTP scanning, message store scanning,
attachment filtering, spam + content blocking, enables you to pull in
blacklists like SORBS etc. Both allow you to deploy clients and servers
from the console. There's also a firewall component for desktops available.
E.


Re: Is complete home security possible?
Quoted text here. Click to load it

Yes, the Corporate Edition also doesn't install more than a dozen different
services, registry Run section triggers and scheduled tasks, like the
consumer version does.  One or two services is all.

You can also check the version of the corporate edition from the outside,
which is quite useful for firewalls that support this -- if a client doesn't
have the latest virus definitions installed, you can block it from accessing
the outside.
But how (I hear you cry) can you download the latest virus definitions if
your firewall blocks you?  Simple -- with the corporate edition, you
normally don't download the updates directly from Symantec to the client,
but from a local liveupdate server on the only computer that needs to fetch
them from the outside.  Less bandwidth wasted, and greater security --
clients can still get the latest downloaded update from the local server
even if the internet connection is down, and there's an audit trail of which
computers have updated and which haven't.

Regards,
--
*Art



Re: Is complete home security possible?
Joe wrote:
Quoted text here. Click to load it

Totally different product. Check out Symantec's web site for a very good
description:

http://www.symantec.com/smallbiz/sav_sbe/index.html


Re: Is complete home security possible?
Arthur Hagen wrote:
Quoted text here. Click to load it

I agree. Actually, I get to use SAV CE for home use, if I wish, based on
licensing permission my company has from Symantec. It is a much more
elegant version than the Symantec Home use version.

