Zonealarm / Email

I have an email / firewall problem on my laptop. I am using the most recent free zonealarm download, win XP home and Thunderbird for an email client.

The problem is in sending email. My service provider is Comcast. I have used ZA's "programs" tab to allow Thunderbird to contact the internet. That didn't work. Then in the firewall settings, I added an entry for SMTP.comcast.net as "trusted".

That worked . . . then it didn't.

Looking at the logs, I could see ZA blocking the email traffic. So, back to the SMTP server entry to edit it: the configuration for "SMTP.comcast.net" showed three different I.P. addresses. It also has a button for "lookup" of I.P. addresses. So I used that utility and now there are four IP addresses listed. OK, I accepted the changes, applied the changes, tried again . . . Eureka! Email sends!

Until the next time, when I have to repeat the exercise all over again. Sometimes I can send several emails in a single session.

The same thing happens with comcast "POP" mail server as well, but sometimes I can get mail several times.

A couple of notes,

- I generally put the laptop to sleep rather than shut down and restart between sessions. I have not experimented to see if rebooting between setting the firewall options makes a difference.

- I also have another POP account in thunderbird, I also had to set that POP server as "Trusted" but it works just fine and never needs a reset, but all outgoing mail goes through comcast.

- The only other software that I know is involved in the email sending cycle is Kaspersky AV, which scans the outgoing messages. (Waste of time if you ask me, but I digress . . .)

Any brilliant ideas??

TIA,

JH

John Hyde
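One way to check the "works, then doesn't" symptom described in the post above is to compare the addresses the mail server's name resolves to across several sessions with the addresses stored in the firewall's trusted entry: if the entry holds only the IPs captured at lookup time, any address the name rotates to later would be blocked. This is an added illustration in Python, not ZoneAlarm code; the function names and the sample addresses (TEST-NET-1 range) are constructed.

```python
"""Audit a firewall "trusted" entry that stores IP addresses for a hostname
that resolves to a rotating set of addresses. Added example; sample data is
constructed, not captured from Comcast."""
import ipaddress
import socket
from typing import Iterable


def resolve_all(host: str) -> set[str]:
    """Every IPv4 address the resolver hands out for host right now (needs network)."""
    infos = socket.getaddrinfo(host, None, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def audit_trusted_entry(resolutions: Iterable[Iterable[str]], trusted: Iterable[str]):
    """Compare addresses seen over several sessions with the trusted list.

    Returns (all_seen, missing); a rule that trusts only the listed IPs blocks
    the missing ones, which reproduces the intermittent failure.
    """
    all_seen: set[str] = set()
    for session in resolutions:
        all_seen.update(session)
    missing = all_seen - set(trusted)
    by_ip = ipaddress.ip_address
    return sorted(all_seen, key=by_ip), sorted(missing, key=by_ip)


def covering_network(ips: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest CIDR block containing every address; widens only as far as needed."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(str(addrs[0]))
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


# Constructed sample: what the mail server name resolved to in four sessions,
# and the four addresses the firewall entry held after the "lookup" button.
SESSIONS = [
    {"192.0.2.10", "192.0.2.11", "192.0.2.12"},
    {"192.0.2.11", "192.0.2.12", "192.0.2.13"},
    {"192.0.2.12", "192.0.2.13", "192.0.2.14"},
    {"192.0.2.10", "192.0.2.14", "192.0.2.15"},
]
TRUSTED = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"}

if __name__ == "__main__":
    seen, missing = audit_trusted_entry(SESSIONS, TRUSTED)
    print("seen:", seen, "\nnot trusted (will be blocked):", missing)
    print("smallest block covering all seen:", covering_network(seen))
```

Trusting the covering block is a trade-off: it is wider than the addresses actually observed, so keep it as narrow as the data allows and re-run the audit when sending fails again.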

That's basically my thinking, though I am using the free version of ZA. My issue is that this laptop is sometimes out in the wild connecting through insecure wireless sites. (At home and at my office I have WEP and MAC filtering enabled at the router so I am less concerned there) In "the wild" I can take care to never transmit info in the clear (email client required to use SSL) (Always use encrypted pages for "login" anywhere, etc) But basically the only line of defense in that situation is at my net card.

I really don't know that much about what services I can safely shut down. Frankly I'm inclined to 86 anything that I don't need, I can use the memory, but I'm not that educated on these issues. Any thoughts on the original question or my other concerns above?

Thanks, JH

John Hyde

Because Windows firewall does not perform the same job as ZA....

Leythos

I prefer just shutting down all the extra services rather than using Windows Firewall. Zone Alarm also has many features that WF does not have, namely the ID lock, pop-up blocker, and active spyware monitor.

Nothing is as good as a hardware firewall, or even a router. The only reason I would suggest using WF instead of any other personal firewall is to free up computer resources. But if you get more service for a paid program, there is no reason not to use one.

In conjunction WITH good common-sense security practices, of course.

Ryan P.

If you have Windows XP, why aren't you using the Windows firewall and not having such problems?

Yours, VB.

Volker Birk

I prefer to have one computer reserved strictly for Internet access and another one not connected to the Internet or any LAN.

Any necessary file transfer takes place via USB drives.

Joe Canuck

So am I.

formatting link
;-)

To active spyware monitor:

Usually, it's very difficult for lusers to handle an IDS, and they regularly fail at acting on the information from an IDS. But of course, one could use it, if one knows what to do.

An IDS which runs on the same box as the spyware and even opens windows like active spyware monitor has a design flaw, of course, because like Chippy's autoclicker it's very easy to twit such a ridiculous IDS.

Like a virus scanner, this should be run to search the hard disk offline, not booted from the same system. But I personally think a virus scanner should be enough, because usually they recognize spyware, too.

A pop-up blocker has come with every graphical browser worth mentioning for years now. So this is useless.

First, ID lock is completely useless if data is sent out encoded or even encrypted, but not plain. If I were hacking a malware, this would be my idea, of course. So for blocking already running malware on the box, ID lock is no solution at all.

ID lock is counterproductive, if one abuses it to remotely find out the protected data. This is, because the idea behind ID lock means totally misunderstanding the basics of data security.

If you want to hide information, you may NOT filter it out of every data stream, because then the MISSING information is the one to hide.

It's easier to purely remotely attack the corresponding feature of Symantec Norton, though, because this just filters out, and you can send all numbers between 0000 and 9999 in hidden fields in a POST for example, and Norton will help you by removing the bank PIN of the user - which you know afterwards.

With Zonealarm's ID lock it's a little bit more tricky, because you have to make many single requests, because by clicking "no" the user blocks one complete transmission.

So ID lock is mainly useless, only a little bit dangerous to have.

As a result I must state that all that you alleged is completely useless for a security system, if not counterproductive.

I really don't understand this. Why are so many people here believing in routers as security devices? Why not just have a differentiated view on them?

Yours, VB.

Volker Birk

If you're using Windows, perhaps, then Torsten's script and his homepage could help you:

formatting link
Yours, VB.

Volker Birk

Hmmm, interesting. So putting on my secure thinking hat . . . Who is Torsten and why should I trust him? I don't really have the technical skills to read his script and see what it's doing, so I need some other way of getting to trust. (First rule of avoiding Trojans: Don't execute anything you don't have good reason to trust.)

Also, I read the page; does it do anything aside from close services, similar to what is suggested here?

formatting link
Otherwise I may try doing some of this manually

John Hyde

This guy cannot be convinced. Don't bother arguing with him.

The nVidia separate firewall processor on the Asus A8N motherboard is working fine for me. No noticeable hit on resources at all, and nothing gets through that I don't want. I believe such processors are the future.

If you want that service. Having set my mail client up right, I do not want email checking. There's a lot of "standard" security stuff I don't want. I use weekly scans with AVAST!, AdAware, SpybotSD, I use the nVidia firewall, and certain stealth methods for email, the Proxomitron proxy for controlling what my web browser does, don't DL where I shouldn't, don't trust where I don't have to, and I have no problems.

Are those legal?

Quaestor

This defeatist belief is wrong. I know of plenty of cases where the most determined efforts have failed. For instance, one friend runs a small hosting service, and being vehemently anti-spam, caught the notice of a nasty spammer, who certainly had access to all the tricks. For months the spammer hammered him with ddos attacks, degrading his service. If there had been any way to hack through his smoothwall defense, the spammer certainly would have done it.

A proper firewall is exactly that, it stops everything. When it doesn't it is because it is not properly set up, or someone has inadvertently let something through that they shouldn't. "When in doubt, keep it out!" That's the only way to be sure.

A router with a deny table IS a firewall. A simple one, but it does work. A router with a NAT which diverts (and thus stops) all connections from ports not allowed IS a firewall. Again, it is simple, a thumb covering a hole, but it does work, and cannot be spoofed. Firewall software, which sets up port permissions based on what program is using it, or the address that is trying to connect, is more sophisticated, but is not as fool-proof -- it may get fooled by fancy forms of probe. Still, this sort of thing has not worked in quite some time, and is probably a thing of the past.

The real task of security is to prevent hijacking or spywaring of your machine. Any machine can be done like this without adequate security. Then anything can happen, such as theft, interference, degradation, turning the machine into a zombie spewing spam and more worm attacks, anything. Grandma, the least likely to understand how to do active security, needs good passive security most of all. This need not be much, just a proper firewall, turning off "features" (activeX, javascript, etc), getting her a proper browser, news and mail clients, or putting in controls to keep the trouble out. Still, nothing works if she's gonna surf and hit links to DL and install crap just so she can see movies and such.

Quaestor

I never keep anything like passwords or PIN numbers anywhere on my computer. Truly sensitive information should be kept completely offline, accessible ONLY to the person sitting at the desk on which the computer sits. This includes passwords as well as PINs, account numbers, etc.

It's been a while since I've read the ZA take on it, but I don't believe they intend for you to store sensitive data in the ID lock.

There are certain e-mails that come through that mine your browser/email client for your e-mail address, and then send them back to a clearinghouse.

Putting your e-mail address in the ID lock is a simple way to catch this.

As you said though, if anyone with skill truly wants in on your computer, they will get in. A software firewall will not stop them, nor will a router. Of course, neither will a hardware firewall either.

I did not say they were the same thing. I said "or even a router", meaning that it is much better than having nothing or just the Windows firewall enabled.

One should also use some common sense when worrying about security. If you don't have any truly sensitive material on it, you don't need elaborate security. Grandma, who only uses her computer to e-mail the kids once in a while, only "needs" enough security to prevent her machine from becoming a zombie for some spammer.

Ryan P.

One of the regulars of de.comp.security.misc

You don't need to. Torsten is documenting everything, so you can have a look yourself. The script is just a simple command script, which can be easily read.

Just try.

Torsten now has around 100,000 users, so it's well tested - but check it out yourself.

Good idea. But it is a good idea to read what Torsten is writing there, too. And by doing this you will learn much about Windows and this topic. Maybe afterwards you'll understand enough to see what's going on.

Torsten is not interested in disabling services. He's interested in disabling anything which offers a TCP server to the Internet. For some reason, it's needed to disable some programs, too, which are called services in Windows. For some other reason, it's necessary to configure the Windows kernel to stop other TCP servers.

It's a little bit confusing that Microsoft calls background programs "services", because this term is sometimes used for servers, too, if they're offering protocols in Layer 5/6.

No problem. Torsten's script is based on a description by Frank Kaune, who described how to manually disable all TCP servers Windows offers.

Unfortunately, this description is available in German only.

formatting link
Yours, VB.

Volker Birk
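To see which network servers a Windows XP box actually offers before deciding what to stop, `netstat -ano` lists every bound socket together with the owning process ID. The Python below is an added illustration, not Torsten's script or Frank Kaune's description: it parses a constructed sample of that output (PIDs and addresses made up) and keeps only the sockets reachable from the network, which are the ones a packet filter or a service shutdown has to deal with.

```python
"""Pick out the TCP/UDP servers a Windows box exposes to the network from
`netstat -ano` output. Added example; SAMPLE_NETSTAT is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed `netstat -ano` output in the layout Windows XP prints (PIDs made up).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1212
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1108       198.51.100.7:465       ESTABLISHED     2460
  UDP    0.0.0.0:500            *:*                                    688
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int

    @property
    def exposed(self) -> bool:
        """True when the socket can be reached from the network, not loopback only."""
        return not ipaddress.ip_address(self.address).is_loopback


def parse_netstat(text: str) -> list[Listener]:
    """Return listening TCP sockets and bound UDP sockets from `netstat -ano` output."""
    found: list[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank line
        if parts[0] == "TCP" and (len(parts) != 5 or parts[3] != "LISTENING"):
            continue  # established/closing connections are not servers
        if parts[0] == "UDP" and len(parts) != 4:
            continue  # UDP rows carry no State column
        addr, port = parts[1].rsplit(":", 1)
        found.append(Listener(parts[0], addr.strip("[]"), int(port), int(parts[-1])))
    return found


def exposed_servers(text: str) -> list[Listener]:
    """The listeners that matter for a packet filter: bound to a non-loopback address."""
    return [l for l in parse_netstat(text) if l.exposed]
```

Run it against real output with `netstat -ano > ports.txt` and feed the file's contents to `exposed_servers`; each remaining PID can then be matched to its service in Task Manager before it is stopped.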

Then ID lock is superfluous. Anyway, it is based on a misunderstanding of data security at all, and of the reason why cryptotext has to be as close as possible to white noise, looking at the statistical attributes.

To remove something out of every data stream does not hide that information.

This is a misunderstanding in concept.

I don't have this problem, because my MUA does not send what it wants, but what I'm sending intentionally.

This is not the point.

A well configured filtering entity, say a host-based packet filter or a filtering router or something like that, _can_ eliminate some attack vectors. It will not be possible any more to use network-based attacks like worms to break in, if a filtering device is correct.

So a software firewall or a filtering router _can_ help, and _can_ make your computer system much more secure.

Even the filtering system of Zonealarm or Sybase can do this. What I'm criticising is _not_ that Zonealarm or Sybase could not do this, but that they _cannot_ do _anything_ _else_ of the many features they're claiming to have. And that they're even implementing features which are counterproductive.

So the question I'm asking is not whether we need a filtering entity. Of course, if a home user's box is offering network servers, then she/he _is_ needing a filtering entity before connecting that to the Internet (or she/he should stop their network servers first, then our home user does not need one any more).

But Zonealarm and Sybase (and others) are a bad choice for that, because the Windows-Firewall already does a good job on it, and as an alternative one could just stop the network servers Microsoft starts in the default configuration, perhaps with Torsten's script or with

formatting link
The "Personal Firewalls" I know are all doing a very bad job, because all of them have additional flaws, and nearly all of them (with the exception of Kerio) even open additional attack vectors.

So why should one use a "Personal Firewall" at all? It's just not a good idea, if one is using the Windows-Firewall or just not offering network servers.

Yes. Thank you for this sentence ;-)

Yes. And from being an FTPz for kiddy-pr0n. And from being a bot for a distributed attack. And from...

In fact, Grandma has a big problem. Maybe she should buy a Mac ;-)

Yours, VB.

Volker Birk

One of the big parcel services in Germany asked me to check their firewall system. They just bought some FW1 on Slowlaris to secure their data center, having a budget of 500k EUR for all that stuff. All was ready made and installed.

They wanted me to do a penetration test on it; I should write an attestation. I asked for a date with the head of security there before starting.

I arrived by train, and moved on to my destination by taxi. I told the taxi driver to drive directly next to the small house of the watchman. I had my hat on, and a big muffler around my neck. Being asked, I mumbled my name. He created a visitor's ID card for me with the name "Brix".

They were not checking whether the visitors requesting a passport are invited or not.

I went to the main building. Behind the glass door on the right hand side, I saw some people already waiting at the reception. I was lucky, some extra people even were joining, and with somebody who came out of the door, I entered. I went left.

They were not checking whether visitors have a passport, at least not if there are already too many people at the reception.

I searched for an open door of one of the offices. I was lucky, and found one without other people in it. And there was a Windows PC with a CDROM in it, connected to the network and even somebody logged in without screensaver password. Good Kevin, this is an easy game to play ;-)

Then I went to the reception and registered with my real name.

In the meeting, I first explained what exactly I did. Then I asked how much security is between this Windows PC and the Slowlaris servers. The answer was "nothing". I asked how the servers are secured. I got the answer that the servers are Slowlaris installed out of the box.

And I got a question, too. The head of security there asked me "what would have been the worst thing, which could have happened"? I answered with a counter question: "What would happen, if I would have had a prepared CD with me, cracked your Slowlaris of your backup system, and exchanged the driver for the tape which is used for the backup to one, which is using hard encryption on the backups, and after six months, is deleting all data on the hard disks together with the key for the tapes?"

He told me "you can do this after two weeks and we're done; we would not know about one single parcel any more".

Yours, VB.

Volker Birk

This (apart from the usual reasons of dead tapes, drives, lazy staff, incorrect data sets etc.) is a reason why I have this really annoying habit of dropping in unannounced on clients and doing a backup audit to see if they really can recover from a total disaster. It's amazing the number of people (including business owners) responsible for changing media (or whatever) who just don't bother unless you blindside them on a regular basis. E.

E.
