Best of free firewalls?

With a FW appliance (not taken down) blocking outgoing, the malware is limited, e.g. if it's sending outgoing on port 25 to something other than my SMTP server, or if it's receiving on port 25.

Also, a Win XP FW is easier to take down and goes down cleanly/quietly. The user suddenly realises that the Win XP FW is down. Bulkier PFWs are not made by MS and have real-time logs, and will be harder to take down cleanly. So by staying up and not going down quietly, it is more resilient to blocking incoming after an attack, signalling a problem, logging the connections.

A techie at home with a Win XP machine and a Unix machine. He uses both and has an idiot user / end user on the Win XP machine. The techie is willing to buy sophisticated networking equipment (e.g. Cisco PIX) to practice with, and to use Unix methods.

That is probably the same equipment and software as an environment with a hundred end users and a few techies, just at a lower scale.

thanks

Reply to
q_q_anonymous

To make that clear: malware which has administrator rights does not need to shut down filtering software like the Windows Firewall or a "Personal Firewall" for arbitrary communication.

Only malware which has not, and has only restricted user rights, is to be discussed. And for such malware, it's usually very easy too, as my PoC codes show.

Nobody needs to shut down a "Personal Firewall", just ignore it.

Yes. And not a typical environment. But, why not, let's discuss this case.

In this case, I'd filter with the Unix box, because this is much easier. The Windows box would get a filtered network. On the Windows box, I perhaps would not give network access at all, at least not for the "idiot user" (if she/he is one); I'd just send a browser through X11 to the Windows box - no downloads onto the Windows box. And mail I'd provide through an SMTP server and an IMAP server on the Unix box only.

Maybe it would be a good idea to filter out doubtful mails on the Unix box already. If the user can be educated, then maybe attachments can be allowed. But then the user is no idiot any more ;-)

I'd not fear tunneling downloads through the browser, though, if the user is an idiot. But to make sure, I'd configure a restricted user account for her/him.

But really, if the user is called "idiot" and deservedly so, then you'd better buy a Macintosh anyways ;-)

Yours, VB.

Reply to
Volker Birk
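The two pieces of filtering discussed above, the appliance in the first post that blocks outbound port 25 to anything but your own SMTP server, and Volker's setup where the Windows box gets a filtered network and reaches mail only through the Unix box's SMTP and IMAP servers, written as one rule script for a Linux gateway using iptables. This is an added example, not code from the thread or from either poster. The interface names (eth1/ppp0), the LAN 192.168.1.0/24, the Windows box at 192.168.1.20, and the choice of which ports to allow are assumptions for illustration; setting IPT=echo previews the rules without applying them.

```shell
#!/bin/sh
# Added example: egress filtering on a Unix gateway (Linux iptables syntax).
# Assumptions (not from the thread): LAN interface eth1, WAN interface ppp0,
# LAN 192.168.1.0/24, the Windows XP box at 192.168.1.20, and the gateway
# itself running the SMTP, IMAP and DNS servers the LAN uses.
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WINXP=${WINXP:-192.168.1.20}

egress_rules() {
    # Default deny for traffic crossing the gateway; only what is listed
    # below gets out. Return traffic for established flows is allowed.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The Windows box gets no direct Internet access at all. Its mail goes
    # through the gateway's own servers (INPUT rules below); anything else it
    # tries to send out is logged first, so malware that simply ignores the
    # host firewall still shows up in the gateway's logs.
    $IPT -A FORWARD -i "$LAN_IF" -s "$WINXP" -j LOG --log-prefix "WINXP-EGRESS-DENY: "
    $IPT -A FORWARD -i "$LAN_IF" -s "$WINXP" -j DROP

    # Other LAN hosts may browse. Outbound port 25 is reserved for the
    # gateway's own MTA, so a LAN host talking SMTP to some random server
    # is almost certainly a spam bot: log it, then drop it.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -p tcp --dport 25 \
        -j LOG --log-prefix "LAN-SMTP-DENY: "
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -p tcp --dport 25 -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -p tcp \
        -m multiport --dports 80,443 -j ACCEPT
    # Everything else that tries to leave is logged, then hits the DROP policy.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j LOG --log-prefix "FWD-DENY: "
}

gateway_input_rules() {
    # Services the gateway offers to the LAN: SMTP and IMAP for mail, DNS,
    # and SSH for the techie. The Windows box only gets mail and DNS.
    $IPT -P INPUT DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$WINXP" -p tcp -m multiport --dports 25,143 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -j LOG --log-prefix "INPUT-DENY: "
}

apply_all() {
    egress_rules
    gateway_input_rules
}

# "sh egress.sh apply" applies the rules (needs root); anything else previews.
case "${1:-preview}" in
    apply) apply_all ;;
    preview) IPT=echo; apply_all ;;
esac
```

The ordering matters: the Windows-box LOG/DROP pair sits before the general browsing rule, so nothing that host sends is matched by the later ACCEPT, and the port 25 rules sit before the 80/443 ACCEPT so an SMTP bot cannot slip past as "web" traffic. The gateway's own MTA is the only thing on the network that may talk to port 25 on the Internet, which is the "not my SMTP server" case from the first post.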

many thanks

Reply to
q_q_anonymous

Leythos wrote:

What is it useful to filter within HTTP? I guess if you know certain bad websites?

And for SMTP - removing any attachments from emails sent?!

I could more easily understand filtering POP, removing attachments.

thanks

Reply to
q_q_anonymous

I remove content based on content type; I don't need to know the website. It removes the ability of people to download files unless approved (whitelisted by file type), ActiveX, cookies if selected, and bad headers, and then I can block sites that don't provide content-type info. What you are talking about is blocking sites; I was talking about blocking content inside sites based on the type of content, not the type of website.

I remove attachments by using SMTP filtering on the email server; the firewall removes them on inbound before they reach the mail server. The software running on the mail server also removes attachments based on type (in and out) and also checks for malware (in and out).

POP is just a transport method. The idea is to filter what the users are exposed to, so, since SMTP is how my users receive email (as we don't allow POP accounts), we can filter the inbound SMTP service at the firewall and with filtering software. We masquerade outbound domain headers at the firewall, but we filter content in emails using the filtering software.

No user has access to OUTBOUND SMTP except through the local (internal) SMTP server.

Reply to
Leythos
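The two policies Leythos describes, passing HTTP responses only when their Content-Type is on an approved list (and blocking responses that carry no type at all), and stripping mail attachments by type, written as shell policy functions of the kind a proxy or mail-filter hook would call. This is an added example, not Leythos's software or the configuration of any named product; the type lists, the header parsing and the sample headers in the test are assumptions for illustration.

```shell
#!/bin/sh
# Added example: content-type policy for an HTTP proxy and an SMTP filter.
# The allow/deny lists are illustrative assumptions, not from the thread.

# HTTP: allow a response only if its Content-Type is whitelisted.
# No Content-Type at all is a deny, as is a forced download
# (Content-Disposition: attachment), whatever the type claims to be.
HTTP_ALLOWED_TYPES="text/html text/plain text/css text/javascript image/png image/jpeg image/gif"

# Print the value of header $2 from the raw header block $1, lower-cased,
# with any ";parameter" part and surrounding whitespace removed.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v h="$2" -F':' '
        tolower($1) == tolower(h) {
            v = substr($0, index($0, ":") + 1)
            sub(/;.*/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print tolower(v); exit
        }'
}

# Usage: http_response_allowed "$raw_headers"; returns 0 (allow) or 1 (deny).
http_response_allowed() {
    ctype=$(header_value "$1" "Content-Type")
    disp=$(header_value "$1" "Content-Disposition")
    [ -z "$ctype" ] && return 1            # no type info: block it
    [ "$disp" = "attachment" ] && return 1 # forced download: block it
    for t in $HTTP_ALLOWED_TYPES; do
        [ "$ctype" = "$t" ] && return 0
    done
    return 1
}

# SMTP: strip a MIME part if its declared filename has a dangerous extension
# (checked on the last extension, so "report.pdf.exe" is still caught) or if
# it is an executable type regardless of the name it was given.
MAIL_BLOCKED_EXT="exe scr pif bat cmd com vbs js hta cpl"
MAIL_BLOCKED_TYPES="application/x-msdownload application/x-msdos-program application/hta"

# Print the filename from Content-Disposition (filename=) or the name=
# parameter of Content-Type, lower-cased and without quotes.
part_filename() {
    printf '%s\n' "$1" | tr -d '\r' | awk -F':' '
        tolower($1) == "content-disposition" || tolower($1) == "content-type" {
            line = tolower($0)
            if (match(line, /(file)?name=[^;]+/)) {
                v = substr(line, RSTART, RLENGTH)
                sub(/^[a-z]*name=/, "", v)
                gsub(/"/, "", v)
                print v; exit
            }
        }'
}

# Usage: mail_part_allowed "$part_headers"; returns 0 (keep) or 1 (strip).
mail_part_allowed() {
    ctype=$(header_value "$1" "Content-Type")
    fname=$(part_filename "$1")
    for t in $MAIL_BLOCKED_TYPES; do
        [ "$ctype" = "$t" ] && return 1
    done
    ext=${fname##*.}
    [ "$ext" = "$fname" ] && return 0      # no extension at all: keep
    for e in $MAIL_BLOCKED_EXT; do
        [ "$ext" = "$e" ] && return 1
    done
    return 0
}
```

Both functions are deny-by-default in the direction that matters: the HTTP side has a whitelist, so a new or unknown type is blocked until someone approves it, while the mail side uses a blocklist because refusing every unknown attachment type tends to be rejected by users. A real deployment would also verify the body against the declared type, since a Content-Type header is only the sender's claim.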

Leythos wrote:

What FW appliance do you suggest for the filtering?

And do the more advanced ones have their own fans? I have found that many routers get very hot, and I blame overheating for them, with time, needing to be reset more often and eventually dying. I've had that with a D-Link and a Linksys.

I guess that when using a proper router and a proper firewall, I'd need a plain modem (Westell or Alcatel). But these are hard to find in the UK. Would it be bad to use a "home router/modem" with NAT disabled, or in "Bridge Mode"? I've heard that it's technically not really possible to disable NAT on those things. And I've heard that double NAT is bad and causes some kind of problems.

thanks in advance

Reply to
q_q_anonymous

What are you looking for?

I can't really answer your question until I know what you are protecting.

Normally I suggest a WatchGuard, X700 and above, for clients, but many small shops don't want to spend that amount of money.

You are confusing firewalls with routers, like the NAT devices that are designed for residential users. Firewalls, devices that actually are firewalls, are designed for continuous operation and may or may not have fans in their cases. I have a Linksys BEFSR41, bought when they still called them routers, before they started calling them firewalls, and it works as well as the day I bought it (and I have about 20 other NAT routers too).

I'm not sure what you're trying to do here.

A firewall appliance can be set up in a couple of modes, bridge/drop-in or NAT/routed mode. In my home I have a firewall in NAT mode and then 3 NAT routers in series for different projects; in one client's location we have a firewall appliance and then each classroom has a cheap D-Link NAT router to isolate it from other classrooms.

Multiple layers of NAT are not a problem for outbound connections when the routers are configured properly. Where you run into problems is when you need to have inbound connections.

On the cheap NAT boxes, I've not seen any in the sub-$150 range that let you disable NAT; that's just the way they work.

So, a scenario would be as follows:

INTERNET

ISP DEVICE

YOUR FIREWALL

Your devices on the LAN

If you are using DSL, then you need to determine what type of connection is required, PPPoE, PPPoA, etc., then look and see if the firewall appliance supports that method.

In the USA, I install DSL in bridge mode as I don't like the client having to enter user/password to connect. Some ISPs have their "modem" do the authentication and just provide a DHCP address to the user; some require that the user have a PPPoE device that does the authentication.

Reply to
Leythos

Leythos wrote:

I have 3 or 4 computers. Maybe I will have as many as 10. But it's more that I want to experiment and learn about networking. So for me overkill is fine: any setup that scales well such that the concept would be true for a larger network.

In the UK, DSL ISPs don't provide "ISP devices", they provide one of those "home router/modems".

My ISP uses PPPoA. With DSL, I wanted to use a dedicated Linksys router, but couldn't find a DSL modem in the UK to use with it. They usually just sell "home router/modems". I wouldn't want to string that "home router/modem" + the dedicated router together, because then there'd be double NAT - and I would run some servers from time to time. As you mention, it creates issues for incoming connections. A similar issue would exist for a firewall appliance. I'd like to use one, but I can't find a DSL modem in the UK. I don't want double NAT.

thanks

Reply to
q_q_anonymous

Other than having you move to Japan or the US, I can't help you there, I don't have any clients in the UK, so we've not had to design solutions for that area.

Double NAT is only a problem for some services that you might provide. What I mean is that you can offer HTTP services through 100 layers of NAT as long as you map it through the devices properly. What you can't do is 100 layers of NAT and expect an outside user to PPTP into the 100th layer and have it work properly - most of those cheap NAT routers screw up GRE.

If your ISP provides a router/modem device, do you get a fixed IP? If so, or if you could bridge it, you could use any firewall you want without a problem.

Reply to
Leythos
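Leythos's point that an inbound HTTP service can be mapped through any number of NAT layers, while PPTP fails on boxes that mishandle GRE, as an added example with Linux iptables rules for each layer. This is not from the thread and does not describe any of the routers named in it; the addresses (public 203.0.113.10 on the outer router, 192.168.0.2 as the inner firewall's WAN side, web server 192.168.1.80), the interface names, and the assumption that both layers are Linux boxes are mine for illustration. IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: port-mapping an inbound service through two NAT layers.
# Assumptions (not from the thread): outer router with public 203.0.113.10 on
# ppp0; inner firewall with 192.168.0.2 on its eth0 "WAN" side; web server
# 192.168.1.80 behind the inner firewall; a PPTP server on the inner LAN.
IPT=${IPT:-iptables}
OUTER_WAN_IF=${OUTER_WAN_IF:-ppp0}
OUTER_PUBLIC_IP=${OUTER_PUBLIC_IP:-203.0.113.10}
INNER_WAN_IF=${INNER_WAN_IF:-eth0}
INNER_FW_WAN_IP=${INNER_FW_WAN_IP:-192.168.0.2}
WEB_SERVER=${WEB_SERVER:-192.168.1.80}

# Layer 1, the ISP-facing router: rewrite public :80 to the inner firewall
# and let the forwarded packets through. DNAT changes only the destination,
# so the web server still sees the real client address in its logs.
outer_router_rules() {
    $IPT -t nat -A PREROUTING -i "$OUTER_WAN_IF" -d "$OUTER_PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$INNER_FW_WAN_IP:80"
    $IPT -A FORWARD -d "$INNER_FW_WAN_IP" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$OUTER_WAN_IF" -j MASQUERADE
}

# Layer 2, the inner firewall: the same mapping one hop further in. Each
# layer only needs to know the next hop's address, which is why the chain
# works for as many layers as you care to stack.
inner_firewall_rules() {
    $IPT -t nat -A PREROUTING -i "$INNER_WAN_IF" -d "$INNER_FW_WAN_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    $IPT -A FORWARD -d "$WEB_SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$INNER_WAN_IF" -j MASQUERADE
}

# PPTP is the case that breaks: the control channel is TCP/1723, but the
# data goes over GRE (IP protocol 47), which has no port numbers. Every NAT
# layer needs a rule for protocol 47 and a conntrack helper that ties the
# GRE flow to the TCP session; a cheap router with neither just drops it.
pptp_rules() {
    vpn=$1
    $IPT -t nat -A PREROUTING -p tcp --dport 1723 -j DNAT --to-destination "$vpn"
    $IPT -t nat -A PREROUTING -p gre -j DNAT --to-destination "$vpn"
    $IPT -A FORWARD -d "$vpn" -p tcp --dport 1723 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -d "$vpn" -p gre -j ACCEPT
}

show_plan() {
    echo "# layer 1: outer router"
    outer_router_rules
    echo "# layer 2: inner firewall"
    inner_firewall_rules
}

# "outer" or "inner" applies that layer's rules on the box it runs on
# (needs root); anything else prints the whole plan.
case "${1:-plan}" in
    outer) outer_router_rules ;;
    inner) inner_firewall_rules ;;
    *) IPT=echo; show_plan ;;
esac
```

The HTTP mapping is plain TCP with a port number at every hop, which is all a port-forwarding table on a consumer router can express. The GRE rules are what that table cannot express, so PPTP through a stack of cheap NAT boxes fails even when 1723 is forwarded correctly.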

many thanks

Reply to
q_q_anonymous

If you want to learn firewall devices, they are not cheap, at least not if you want one with lots of features.

A WatchGuard X700 firewall appliance retails for about $2000 US; a Linksys BEFSR41, which is a NAT router, is about $50 new.

I've been using the DFL-700 unit for very small offices that want HTTP content filtering and also web blocking, and also want a real LAN/DMZ (separate networks and rules), and also want a VPN server end-point service running on it. These units run about $280 US, but I've made them the smallest NAT device that I will install from now on.

Reply to
Leythos

Volker, please watch what you say, there might even be some people who might take you seriously ;-)

Melih

Reply to
melih

You have to deploy 1) prevention, 2) detection, 3) cure to have a good design.

Just concentrating on prevention is not a full system, as no matter what you do, 100% security does not exist and prevention cannot be 100%. So you will need to know when this has failed and "detect" it.

Melih

Reply to
melih

Detection is not necessarily needed for passive components. And what do you mean by "cure"?

OK, do you know any useful solution for a network- and/or host-based intrusion detection system adequate for home users? (Actually I know what you will likely be telling, so please cut it out.)

Reply to
Sebastian Gottschalk

Whatever you mean by "cure". And whatever you mean by these truisms at all.

Yours, VB.

Reply to
Volker Birk

I think it's a weakness (or limiting feature) of this newsgroup that most people posting with problems are "home users" with no more than a few computers, a limited budget and Windows XP, and the solutions here are all geared to that. I am also interested in security generally. Many people here have that knowledge, but due to the nature of the newsgroup, that knowledge is rarely presented, or if it is, only ever in dribs and drabs.

Reply to
q_q_anonymous

Just start a discussion. The reason why we're discussing "Personal Firewalls" at all is that this is a topic.

The reason why it's a topic is that people start with that topic.

It's up to you to change ;-)

Yours, VB.

Reply to
Volker Birk

Newsgroups are like any other single topic forum.

If you want to start a discussion about a specific subject, as long as it fits the group's discussion ideals, post a descriptive topic and people may/will join in the thread.

Reply to
Leythos

thanks for the info

Reply to
q_q_anonymous
