Router


If you'd rather rely on running a configuration script (it'd be instructive to post one that you feel works for peer review) and hope you have interactive control of the system in time while it boots in order to turn off these services, and rely on the remaining OS's TCPIP stack to be bulletproof, that's your choice.

Others (myself included) would be a lot more comfortable with the more robust layered defense approach of filtering inbound network traffic at the perimeter with a separate device.

Best Regards,

Reply to
Todd H.

As you know, but conveniently omit from the discussion, every home gateway seems to implement NAT in addition to stateful packet inspection ingress filtering.

No, they do not limit outbound access at all, so once an internal host is compromised, they don't do anything for ya.

Coal miners didn't "need" canaries in their mines, but they made the work environment a bit easier to abandon and remediate when/if the canaries keeled over.

Please, regale us of your contrarian reasoning for this.

It's actually something I think is a decent approach, so long as one reviews the list to make sure nothing untoward is going on.

See canary analogy above.

Best Regards,

Reply to
Todd H.

And NAT by itself doesn't provide any security.

The typical conclusion that one can trigger NAT states from the client side without compromising the host, due to bad protocol parsers, header injection, command injection, Java or Flash, is, if anything, a clear statement against NAT.

Which is about the description of a host-based intrusion detection system. Indeed, that's what virus scanners might be good for, but that's clearly distinct from protection or necessity.

Well, let's see... aside from breaking DNS, breaking DNS caching, slowing down the system, and the trivial fact that the HOSTS file is not writable for any user, it faces three big disadvantages:

  1. quite some applications use SOCKOPT_NO_HOSTS, which totally voids the effect
  2. it interferes with all applications for any user on the machine, not just the ones where it's needed
  3. it's the most inefficient and futile way to do filtering by hostname. It doesn't provide any wildcards, RegExps or just hostname collation, and the "bad guys" trivially circumvent it with wildcards in their own DNS servers, allowing them to use randomly generated subdomains like "dsjklasjkhdbasajkghdkgsajhdgjhsagdjhg.malware.org", which surely no sane list of hostnames could ever address.

Oh well, that's another big disadvantage...

Well, just that the analogy doesn't hold. The output of the typical "anti-spyware" crap is absolutely useless, both in sense of false positives and false negatives.

Sorry, but if it shows me 50+ string warnings on a perfectly clean system, and some of these even turn out to be implemented security configurations, it's obviously broken. If it tries to write 5000+ CLSID entries into HKLM, fails due to missing permissions, and then suggests to try again over and over, it's so obviously broken. If it shows an empty GUI due to expecting a non-guaranteed DLL, it's horribly broken. And that's really just the tip of the iceberg.

Reply to
Sebastian G.
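To make point 3 above concrete, here is an added example (not code from the thread) contrasting HOSTS-file semantics, which only ever match an exact name, with the suffix matching that a DNS filter would need to cover a randomly generated subdomain. All hostnames and HOSTS entries are constructed for the demo.

```python
# Added example, not from the thread: every name below is constructed.
import secrets
import string

# HOSTS-style entries: one exact name per line pinned to 0.0.0.0.
HOSTS_TEXT = """
0.0.0.0 malware.example
0.0.0.0 www.malware.example
0.0.0.0 tracker.example
"""
# Suffix rules: a leading dot covers the domain and every subdomain under it.
WILDCARD_RULES = [".malware.example", "tracker.example"]

def parse_hosts(text):
    """Return the set of names a HOSTS file pins to 0.0.0.0 (lower-cased)."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and padding
        fields = line.split()
        if fields and fields[0] == "0.0.0.0":
            blocked.update(n.lower() for n in fields[1:])
    return blocked

def hosts_blocks(name, blocked):
    """HOSTS semantics: only an exact, case-insensitive name match hits."""
    return name.lower().rstrip(".") in blocked

def wildcard_blocks(name, rules):
    """Suffix semantics: '.d' matches d itself and every label beneath it."""
    host = name.lower().rstrip(".")
    for rule in rules:
        rule = rule.lower()
        if rule.startswith("."):
            if host == rule[1:] or host.endswith(rule):
                return True
        elif host == rule:
            return True
    return False

def random_subdomain(domain, length=32):
    """Build a throwaway random label under domain (constructed test input)."""
    label = "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))
    return f"{label}.{domain}"

def compare(name):
    """Return (blocked_by_hosts, blocked_by_wildcard) for one hostname."""
    return (hosts_blocks(name, parse_hosts(HOSTS_TEXT)),
            wildcard_blocks(name, WILDCARD_RULES))
```

Running compare() on a random subdomain shows the HOSTS list missing it while the suffix rule still catches it; a name that merely ends in "malware.example" without the dot boundary is not matched by either.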

That statement is wrong.

Reply to
Al Dykes

That's exactly why the firewall isn't needed.

> and hope you have interactive control of the system in time while it boots
> in order to turn off these services,

Hm? First you turn off the services, then you plug in the jack and configure the connection.

Others, including myself, have downloaded the patches on another machine and transferred them to the potentially vulnerable machine via LAN, removable media, etc. to install them without having a connection to the internet.

Reply to
Sebastian G.

Na, rather . The IGMP MLD packet problem is not exploitable by default, and can be easily worked around.

Reply to
Sebastian G.

Yes, it's so wrong that it's even written in the RFC that defines NAT...

Reply to
Sebastian G.

NAT in a 1:1 solution does not provide any security at all.

NAT in a 1:MANY provides great unsolicited inbound protection.

Almost every implementation of NAT in home/SOHO appliances is defaulted to 1:MANY NAT - so it does provide a great level of inbound security.

Reply to
Leythos
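The 1:1 versus 1:MANY distinction drawn above, as an added example that is not part of the original post: a toy NAT with a translation table, showing that a 1:MANY device has nowhere to deliver an inbound packet that no internal host solicited, whereas a static 1:1 mapping forwards everything. Addresses are constructed (documentation ranges) and nothing is sent on the wire.

```python
# Added example, not from the thread: a toy NAT over constructed addresses.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class OneToManyNat:
    """Many internal hosts share one public address; a mapping exists only
    for flows an internal host opened first (port-overloaded NAT)."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        # (public_port, remote_ip, remote_port) -> (internal_ip, internal_port)
        self.table = {}

    def outbound(self, pkt):
        """Outbound is never filtered; it creates the state replies will match."""
        port = self.next_port
        self.next_port += 1
        self.table[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the translated packet, or None when no state matches."""
        owner = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if owner is None:
            return None  # unsolicited: no internal host to deliver it to
        return Packet(pkt.src_ip, pkt.src_port, owner[0], owner[1])

class OneToOneNat:
    """Static address mapping: inbound packets are rewritten to the internal
    host regardless of whether it asked for them."""
    def __init__(self, public_ip, internal_ip):
        self.public_ip = public_ip
        self.internal_ip = internal_ip

    def inbound(self, pkt):
        """Every port on the public address reaches the internal host."""
        return Packet(pkt.src_ip, pkt.src_port, self.internal_ip, pkt.dst_port)
```

Note what the table does not do: once an internal host has opened a flow, the reply path is open for that flow, and outbound traffic is never consulted against any policy, which is the point made earlier in the thread about compromised internal hosts.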

One wonders if there might be some underlying reason for Sebastian G. (and others, most, surprisingly, with .de domains) to promote that users leave their computers open to most access while on the net.

Perhaps it's that this would make their "job" much easier. But, that is just speculation.

On the other hand, maybe they are just militant linux advocates and have already taught their grandmothers the intricacies of Linux security administration and just don't understand why your grandmother can't learn too -- or just get off the net.

Reply to
Jaap Hilversum

He does not say so. He never said you should leave computers open to access. But there is little benefit relying on additional hardware or software to achieve something which you could achieve simply by closing whatever would be open.

A software firewall adds a lot of complexity, code lines (containing bugs), configuration issues (which user is really able to configure a software firewall correctly) to a computer.

A NAT router adds additional complexity and does not add reliable security due to various shortcomings in NAT which are inevitable.

And all that to cover up some open ports which you could simply close by turning off unnecessary services? Stopping unnecessary services reduces complexity. The computer runs less code. Thus there are fewer bugs. And without a software firewall the computer runs definitely much faster. And you can run the computer very well directly connected to the internet. Without open ports there is nothing someone from the internet could connect to. And you don't have to filter ICMP pings and other messages to achieve 'pseudo stealth'.

But, well, most people seem to prefer to put fat stupid security guards in front of their unlocked doors instead of simply locking the door. It seems to be easier to buy a guard than to learn how to lock the door, which must be terribly complicated to learn. People don't want to learn about security; that's why they rely on the stupid guard, which is fooled so quickly.

Gerald

Reply to
Gerald Vogt

This is where Sebastian and the like-thinkers say that such people should not be allowed access to the 'net.

Reply to
Ryan P.

Well, wait until terrorists effectively use hacked computers of the average ignorant computer user for communication and other purposes, and the U.S. will introduce mandatory computer user license tests before you are allowed to use a PC or the internet and will force the rest of the world to do the same. Having a computer hacked to spread child p*rn is not so important. But the war on terror will justify everything... ;-)

Gerald

Reply to
Gerald Vogt

On Tue, 15 Jan 2008 17:29:51 -0800, Jaap Hilversum wrote:

No, the statement is: "You are not safer with a flashbox in your background", or better, in the words of Bruce Schneier, "Security is a process not a product". It has nothing to do with whether linux, unix or windows is safer; even with a self-made solution you are not totally safe, but there is nobody who tells you that. Companies which sell the fancy flashboxes tell that crap, and most people believe them by clicking the anti-hacker option in their router; at the same time as this click, the brain is out of order because they already clicked the anti-hacker button. I guess you know what I mean.

cheers

Reply to
Burkhard Ott

On Tue, 15 Jan 2008 20:41:38 -0800, Gerald Vogt wrote:

But think about Germany, we do the same thing :(.

Reply to
Burkhard Ott

And yet we know, at least any of us that have been around for any real length of time, that users are not going to close those ports and services or secure their machines - they treat their computers like can-openers; they just blindly use them as they shipped.

A NAT Router (1:MANY) provides a level of protection that all unsecured machines can benefit from and requires no understanding or changing of the OS - and it works with ALL OS platforms.

Reply to
Leythos

Nonsense. I promote implementing actual security measures instead of half-assedly trying to treat symptoms.

Personally, I would never use Linux, except Linux-from-the-scratch on embedded systems.

Reply to
Sebastian G.

Everybody in power does the same thing. How many liberal politicians endorse the banning of books from school libraries that don't match their current world-view? (And I'm not talking about p*rn)

Reply to
Ryan P.

On Wed, 16 Jan 2008 12:06:23 -0600, Ryan P. wrote:

Unfortunately you're totally right; in the past they burned the books here. Let's see what the future brings. But I actually don't like phrases like 'in the evil US they do that and these'; it's the same thing around the world. Like you say, everybody in power... (but it has nothing to do with flashboxes ;) cheers

Reply to
Burkhard Ott

So tell us... what great OS does the almighty know-it-all Sebastian G. use, and how does he secure his home network?

Reply to
slackerama

On the home computer, I'm sadly urged to run Windows XP. On my own machine, I run OpenBSD. On the machines I'm administrating, we have Windows 2000, Windows XP, Debian Linux, FreeBSD, Solaris.

Hm... not at all? Since there's no necessity, the clients are all well secured.

Reply to
Sebastian G.
