New Computer? Six Steps to Safer Surfing
A better than average news article helping people keep their new computers secure. It is much easier to prevent your computer getting infected, than it is curing your computer afterwards. http://www.washingtonpost.com/wp-dyn/articles/A9658-2004Dec18.html I wouldn't rely on software firewalls. At the same store you buy your computer, also buy a hardware firewall. Hopefully soon the motherboard and NIC manufacturers will start including built-in hardware firewalls. But sometimes, such as dialup modems, software firewalls are the only alternative.
On Sat, 18 Dec 2004 21:14:30 -0500 (EST), Sean Donelan <sean@donelan.com> wrote:
I wouldn't rely on software firewalls. At the same store you buy your computer, also buy a hardware firewall. Hopefully soon the motherboard and NIC manufacturers will start including built-in hardware firewalls. But sometimes, such as dialup modems, software firewalls are the only alternative.
Just asking .. any idea how many cable / dsl operators around the world - not just in the USA - provide hardware firewalls along with their CPE equipment - or perhaps provide CPE equipment that's capable of firewalling? Quite a few ISPs that I know of tend to hand out dsl routers with, at the most, basic NAT / PAT capabilities, and maybe a CD with 30-day trial versions of an antivirus program, along with other stuff. -- Suresh Ramasubramanian (ops.lists@gmail.com)
On Sun, 19 Dec 2004, Suresh Ramasubramanian wrote:
Just asking .. any idea how many cable / dsl operators around the world - not just in the USA - provide hardware firewalls along with their CPE equipment - or perhaps provide CPE equipment that's capable of firewalling?
How many dialup operators around the world provide hardware firewalls? Or is the modem built into your computer or bought as an add-on card?
On Sat, 18 Dec 2004 22:07:58 -0500 (EST), Sean Donelan <sean@donelan.com> wrote:
On Sun, 19 Dec 2004, Suresh Ramasubramanian wrote:
Just asking .. any idea how many cable / dsl operators around the world - not just in the USA - provide hardware firewalls along with their CPE equipment - or perhaps provide CPE equipment that's capable of firewalling?
How many dialup operators around the world provide hardware firewalls? Or is the modem built into your computer or bought as an add-on card?
Not a valid comparison. At least some manufacturers make hardware firewalls that are also PPPoE / PPPoA dsl modems. Linksys for example. Several other manufacturers don't do this. -- Suresh Ramasubramanian (ops.lists@gmail.com)
On Sun, Dec 19, 2004 at 09:13:29AM +0530, Suresh Ramasubramanian wrote:
On Sat, 18 Dec 2004 22:07:58 -0500 (EST), Sean Donelan <sean@donelan.com> wrote:
On Sun, 19 Dec 2004, Suresh Ramasubramanian wrote:
Just asking .. any idea how many cable / dsl operators around the world - not just in the USA - provide hardware firewalls along with their CPE equipment - or perhaps provide CPE equipment that's capable of firewalling?
How many dialup operators around the world provide hardware firewalls? Or is the modem built into your computer or bought as an add-on card?
Not a valid comparison.
well, i think the dial angle is important to keep in mind.. while a lot of us have migrated to higher speed links at home, on my street here are the high speed choices: 1) ISDN 2) T1 3) Satellite 4) 22.4k dialup (if lucky). #1 and #2 aren't very likely in a residential location. #3 directv and others offer a service, but you're usually natted in the first place, so you're ok. everyone out here has #4. i also talk to a lot of people that don't consider their machine a problem since they're on dial-up. "oh, what harm could they do with my piddly computer on a modem". 22.4k*500 compromised hosts still starts to add up, which is something that doesn't quite sink in with these people. they just don't see any value in patching their system since it would take forever to download them, and they're too lazy to order a CD or such from Microsoft (Thank you for offering the CDs!). I don't know how to reach these people. I've gotten my immediate family to understand to keep their systems patched. Now for the rest of the population that doesn't feel this is important.. - jared -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
On Sun, 19 Dec 2004, Suresh Ramasubramanian wrote:
On Sat, 18 Dec 2004 22:07:58 -0500 (EST), Sean Donelan <sean@donelan.com> wrote:
On Sun, 19 Dec 2004, Suresh Ramasubramanian wrote:
Just asking .. any idea how many cable / dsl operators around the world - not just in the USA - provide hardware firewalls along with their CPE equipment - or perhaps provide CPE equipment that's capable of firewalling?
How many dialup operators around the world provide hardware firewalls? Or is the modem built into your computer or bought as an add-on card?
Not a valid comparison.
At least some manufacturers make hardware firewalls that are also PPPoE / PPPoA dsl modems. Linksys for example. Several other manufacturers don't do this.
Why isn't it a valid comparison? Since Carterphone, you are not required to buy CPE from a telecommunications company in the USA. That includes modems. Cable has different laws, but also has an "open cable equipment" requirement. A consumer can buy a compatible Dialup/DSL/Cable modem from any consumer electronic store. The buzzword you need to look for is "modem" versus "gateway." Gateways generally have both modems and routers, and now firewalls. Modems are just modems. As you point out, you can buy gateways with built-in DSL or Cable modems as well as routing and firewall capabilities such as Motorola, Linksys, D-Link, 2wire, Cisco, etc. Some manufacturers, such as Apple AirPort Extreme, also make dialup gateways with dialup modem PPP and firewall capabilities. It's a myth that dialup is "safer" than broadband. Essentially all the major DSL and Cable broadband providers in the USA sell/lease broadband gateways with built-in DSL or Cable modems and firewalls. Looking at the ordering web-sites for several major broadband providers, it appears the most common preferred equipment package is a WiFi home gateway with built-in dsl or cable modem and firewall. It's as simple as calling your favorite broadband provider, placing an order and giving them your credit card number to pay for the equipment. Most broadband providers also offer less expensive modem-only CPE. And, because of Carterphone, people can buy their CPE from other sources. Even if providers only sold CPE with firewalls, consumers could choose to save $50 and buy a modem-only CPE without a firewall from a consumer electronics store. Or are you suggesting we should overturn Carterphone in the USA, and require consumers use only telecommunication carrier provided CPE? Maybe Ma Bell was right after all.
On Sat, 18 Dec 2004 23:45:22 -0500 (EST), Sean Donelan <sean@donelan.com> wrote:
Essentially all the major DSL and Cable broadband providers in the USA sell/lease broadband gateways with built-in DSL or Cable modems and firewalls. Looking at the ordering web-sites for several major broadband providers, it appears the most common preferred equipment package is a WiFi home gateway with built-in dsl or cable modem and firewall. It's as simple as calling your favorite broadband provider, placing an order and giving them your credit card number to pay for the equipment.
Well Sean - that's right. However that doesn't seem to be universal. Quoting Jeff Kell -
Both regional cable providers in our area provide only cheap cable modems, and at least the ILEC CO's DSL is also basic modem-like capability, although the ILEC offers a wireless option with a DSL AP (that I haven't examined to see if it's a router or bridge).
I'm not suggesting that Carterphone be overturned. I was wondering how many people were providing reasonably secure gateways as CPE instead of el cheapo modem only CPE as a default. Defaults, especially in this sort of situation, tend to remain that way .. Joe Average with a DSL line and a winxp box to hook up to it just isn't going to bother. But give him a reasonably sane default package like this and he's a bit more protected against stuff that tries to take over his PC, and the internet has to deal with one trojaned PC less. Drops in the bucket and all that ... regards --srs -- Suresh Ramasubramanian (ops.lists@gmail.com)
Got (soy) milk?
The WaPo writer's take on cookies is ... not mine. Then again, I wrote the cookie portions of the P3P spec and was "inside" the meetings between M$'s IE team circa IE5.5 pre-fcs and the (other) IAB (the word is "Advertizers") and the P3P tech and policy teams. I worked for Engage (statistical user tracking) and competed with DoubleClick (deterministic user tracking) at the time, so I wouldn't know as much as he does.
Walking down the cookie path there is ...
name: WebLogicSessionAc2; cont: BFQyXGC69R1Z50JL8ZBuhBubbnR3BzbFzqythwbSKtlS59ZX41Sw!-1332720106!-548373882; host: www.washingtonpost.com; path: /; type: any type of connection; expr: at end of session; 616 bits of session state; labl: none
name: DMID3; cont: 4WuLXH8AAAEAAD40XBYAAABD; host: .rsi.washingtonpost.com; path: /; type: any type of connection; 200 bits of persistent state; expr: 12/14/24 09:13:45 persistent till 2024; labl: stores identifiable information without any user consent
name: sa_cdc_u; cont: g00200200000006AB11034667790000794930.0018C61897; host: .surfaid.ihost.com; path: /crc; type: any type of connection; 376 bits of persistent state; expr: 01/29/12 18:45:58 persistent till 2012; labl: does not store identifiable information
Registration form interposition, collecting: email address, password, us zip code, iso3166 id (string form), gender, year of birth, job title, primary responsibility, job industry, company size, 1st-party marketing click box (default opt out), 3rd-party marketing click box (default opt out), 16 x 1st-party targeted content click box (default opt out)
--- first name (optional), last name (optional), street address (optional), street name (optional), apt. number (optional), city (optional), state (optional), 3rd-party (American Express) marketing click box (default opt out), 10 digit telephone number (disclosure noted to AmEx) (optional), 3rd-party (International Living) marketing click box (default opt out)
--- in very small font and with gray-on-blue color difference is this: By submitting your registration information, you indicate that you agree to our User Agreement Privacy Policy. these two texts are not displayed by default, each has an anchored link, not a checkbox, that must be manually clicked to display the associated legal agreement.
--- I decided I was Vint Cerf and I was CEO of a 50-100 person cluster-phuck in the IT rackets. As good a stuckee as any. And yes, all this good stuff is sent in the clear, over an unencrypted link.
More cookies follow:
--- name: ASPSESSIONIDSSTSRRQB; cont: LPAKIBLBPJJFNFKOCFOEHMAP; host: financial.washingtonpost.com; path: /; type: any type of connection; expr: at end of session; 208 bits of session state; labl: stores identifiable information without any user consent
name: test_cookie; cont: CheckForPermission; host: .doubleclick.net; path: /; type: any type of connection; expr: 12/19/04 10:24:40; labl: stores identifiable information without any user consent
name: ru4.28; cont: 1#1106#0#1106=ad-1106-154|1|1103470287%7C1106%7Cad-1106-154%7Cpl-1106-125%7Ccontrol%7C0%7Cpl-1106-125%2526northeast%2526morning%2526noinfo%2526high%25260%2526C3%7C28|null%7Cnull%7Cnull%7Cnull%7Cnull%7Cnull%7Cnoinfo%2526noinfo%2526noinfo%2526noinfo%2526noinfo%2526noinfo%2526noinfo%7C0|1103470287#; host: .edge.ru4.com; path: /; type: any type of connection; expr: 02/17/05 10:12:14; 2408 bits of persistent state; labl: stores identifiable information without any user consent
At this point the registration page is interposed again, and submitted again, and no more cookies appear to be deposited or replayed and modified, but are there actually only that many cookies???
Snuck in are these additional cookies:
name: ACID; cont: ee140011034695480036!; host: .advertising.com; path: /; type: any type of connection; expr: at end of session; 176 bits of session state; labl: stores identifiable information without any user consent
name: ru4.1106.gts; cont: 2; host: edge.ru4.com; path: /; type: any type of connection; expr: 02/17/05 10:13:46; labl: stores identifiable information without any user consent
name: 86698181; cont: _41c59bec,0668393370,699393^235460_; host: .servedby.advertising.com; path: /; type: any type of connection; expr: at end of session; 288 bits of session state; labl: stores identifiable information without any user consent
name: SESSIONREM; cont: (my wife's pc login@isp, omitted); host: .washingtonpost.com; path: /; type: any type of connection; expr: at end of session; labl: none
name: DMSEG; cont: 9463E8EFE54A1281&F04462&41C4D577&41C6E29B&0&&41C30F4B&5D313C73C487FF2C5853E61C6A470E77; host: .washingtonpost.com; path: /; type: any type of connection; expr: 12/14/24 09:18:57; 704 bits of persistent state; labl: stores identifiable information without any user consent
name: wpniuser; cont: (my wife's pc login@isp, omitted); host: .washingtonpost.com; path: /; type: any type of connection; expr: 02/19/08 20:01:36; labl: none
name: WPATC; cont: A=2:D=3:C=2:C=167:E=AEBAD:S=24:S=245:B=24:B=59:B=99:B=100:VS=3; host: .washingtonpost.com; path: /; type: any type of connection; expr: 02/19/08 20:01:36; 512 bits of persistent state; labl: none
name: intrusiveAllowed; cont: false; host: .washingtonpost.com; path: /; type: any type of connection; expr: 12/19/04 10:44:42; labl: none
name: UPROF; cont: WU9CPTE5NjQrRz1mZW1hbGUrWklQPTA0MTAzK1VUPWV4cGxpY2l0K0M9VW5pdGVkIFN0YXRlcytCPU9USF9KT0IrQj1PVEhfUkVTUCtCPU9USF9JTkQrQj1TSVpFXzE=; host: .washingtonpost.com; path: /; type: any type of connection; expr: 02/19/08 20:01:36; 1040 bits of persistent state; labl: none
name: UPDATED; cont: 1103470451; host: .washingtonpost.com; path: /; type: any type of connection; expr: 02/19/08 20:01:36; labl: none
name: wp_point; cont: true; host: .washingtonpost.com; path: /; type: any type of connection; expr: 12/21/04 10:09:40; labl: none
name: sauid; cont: 3; host: www.washingtonpost.com; path: /; type: any type of connection; expr: 01/01/10 00:00:00; labl: none
--- I make that as 18 cookies, 6 3rd-party cookies, 9 without any policy meta data, one with meta data declaration that it "does not store identifiable information" and 8 with meta data declaration that each "stores identifiable information without any user consent", 5 that are session only, and 13 that are persistent, some reasonable (lifetime of ad campaign), some more difficult to defend, commercially (20 year horizon). I counted 1288 bits of state stored for the (flexible definition of) session, and 5,240 bits of persistent state stored.
Outside the scope of the P3P spec (and the subject of a real shoot-out at that circa-IE5.5 meeting) was linkage to data obtained by other means (e.g., Axion). All we were able to impose on the doubleclick-esque model was cookies couldn't be both policy A and policy B, the two meta data policy descriptions would have to be encoded on separate cookies.
Now what did the WaPo resident rocket scientist write about cookies?
One thing you don't need to worry about on the Web -- contrary to what some security programs suggest -- is browser cookies. These small, inert text files are placed on your computer by most Web sites to customize your use of them; for example, The Post's site uses cookies to store registration info. These site-specific cookies are harmless. Other, "third-party" cookies are set by ad networks to track ad viewership across multiple sites. They also pose no security threat. They do raise some privacy issues, but they can be easily blocked by any new browser without impeding your Web use. In either case, fretting over the nonexistent threat of cookies is a pointless distraction.
I'm so relieved. That was just one page view. Time for some soy milk to wash down all those cookies.
Eric
P.S. I lost the argument with the rest of the P3P tech team that dropping the last octet in a dotted quad didn't really provide address anonymity.
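The tally in the message above (18 cookies, 6 third-party, 5 session-only, 13 persistent, 9/1/8 by declared policy) can be reproduced mechanically. This is an added example, not code from the original post: it re-keys the cookie records listed there as (name, host, expiry, policy label), values omitted, and classifies them by party, lifetime and declared policy. The two-label "registrable domain" rule, the 19 Dec 2004 observation date and the 10-year "long-lived" threshold are my assumptions.

```python
"""Audit of the cookies set by one page view, reproducing the counts in the message."""
from collections import Counter
from datetime import datetime

# Assumed observation time of the page view described above (19 Dec 2004).
OBSERVED_AT = datetime(2004, 12, 19)
SESSION = "at end of session"

# Cookie records transcribed from the message: (name, host, expiry, policy label).
# Label codes: "none" = no policy meta data, "no-pii" = "does not store identifiable
# information", "pii-no-consent" = "stores identifiable information without any user consent".
COOKIES = [
    ("WebLogicSessionAc2", "www.washingtonpost.com", SESSION, "none"),
    ("DMID3", ".rsi.washingtonpost.com", "12/14/24 09:13:45", "pii-no-consent"),
    ("sa_cdc_u", ".surfaid.ihost.com", "01/29/12 18:45:58", "no-pii"),
    ("ASPSESSIONIDSSTSRRQB", "financial.washingtonpost.com", SESSION, "pii-no-consent"),
    ("test_cookie", ".doubleclick.net", "12/19/04 10:24:40", "pii-no-consent"),
    ("ru4.28", ".edge.ru4.com", "02/17/05 10:12:14", "pii-no-consent"),
    ("ACID", ".advertising.com", SESSION, "pii-no-consent"),
    ("ru4.1106.gts", "edge.ru4.com", "02/17/05 10:13:46", "pii-no-consent"),
    ("86698181", ".servedby.advertising.com", SESSION, "pii-no-consent"),
    ("SESSIONREM", ".washingtonpost.com", SESSION, "none"),
    ("DMSEG", ".washingtonpost.com", "12/14/24 09:18:57", "pii-no-consent"),
    ("wpniuser", ".washingtonpost.com", "02/19/08 20:01:36", "none"),
    ("WPATC", ".washingtonpost.com", "02/19/08 20:01:36", "none"),
    ("intrusiveAllowed", ".washingtonpost.com", "12/19/04 10:44:42", "none"),
    ("UPROF", ".washingtonpost.com", "02/19/08 20:01:36", "none"),
    ("UPDATED", ".washingtonpost.com", "02/19/08 20:01:36", "none"),
    ("wp_point", ".washingtonpost.com", "12/21/04 10:09:40", "none"),
    ("sauid", "www.washingtonpost.com", "01/01/10 00:00:00", "none"),
]


def registrable_domain(host):
    """Crude 'site' extraction: the last two DNS labels. Assumption: no public-suffix
    list, which is adequate for the .com/.net hosts here but wrong for e.g. .co.uk."""
    labels = host.strip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_third_party(cookie_host, site):
    """A cookie is third-party when its host's site differs from the visited site."""
    return registrable_domain(cookie_host) != registrable_domain(site)


def lifetime_days(expiry, observed=OBSERVED_AT):
    """None for session cookies, else whole days from observation to expiry."""
    if expiry == SESSION:
        return None
    return (datetime.strptime(expiry, "%m/%d/%y %H:%M:%S") - observed).days


def third_party_names(cookies, site):
    """Names of the cookies set from outside the visited site, sorted."""
    return sorted(name for name, host, _, _ in cookies if is_third_party(host, site))


def audit(cookies, site, long_lived_years=10):
    """Count cookies by party, lifetime class and declared policy label.
    'long_lived' flags persistent cookies outliving the given horizon."""
    summary = Counter(total=len(cookies))
    for _, host, expiry, label in cookies:
        if is_third_party(host, site):
            summary["third_party"] += 1
        summary["label:" + label] += 1
        days = lifetime_days(expiry)
        if days is None:
            summary["session"] += 1
        else:
            summary["persistent"] += 1
            if days > long_lived_years * 365:
                summary["long_lived"] += 1
    return summary


if __name__ == "__main__":
    for key, count in sorted(audit(COOKIES, "www.washingtonpost.com").items()):
        print(f"{key:20s} {count}")
    print("third-party:", ", ".join(third_party_names(COOKIES, "www.washingtonpost.com")))
```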
On Sun, 19 Dec 2004, Suresh Ramasubramanian wrote:
But give him a reasonably sane default package like this and he's a bit more protected against stuff that tries to take over his PC, and the internet has to deal with one trojaned PC less. Drops in the bucket and all that ...
There is a lot of wishful thinking, but security people seem to be very bad about actually testing their theories to see if they are effective. A lot of snake-oil gets sold using the theory it can't hurt. Many Home/SOHO PC's are self-infected by the owners. Network firewalls and anti-virus software are very poor at preventing that. The really scary thing is the infection rate of Home/SOHO computers with AV/firewalls is higher than "naked" computers. What's more interesting is the highest infection rate of all is for homes with laptop/mobile computers. Even when your home broadband modem/gateway has a firewall, when you take your laptop out of the home you lose what little protection you had. Then you bring the infection back inside and infect all your other home computers behind the gateway/firewall. The crunchy outside, soft-chewy inside rule applies to home computers too.
On Sun, Dec 19, 2004 at 05:47:28PM -0500, Sean Donelan wrote:
What's more interesting is the highest infection rate of all is for homes with laptop/mobile computers. Even when your home broadband modem/gateway has a firewall, when you take your laptop out of the home you lose what little protection you had. Then you bring the infection back inside and infect all your other home computers behind the gateway/firewall. The crunchy outside, soft-chewy inside rule applies to home computers too.
Perhaps, then, one should not be so quick to disparage software-based firewalls, resident on the computer itself. After all, there is really no such thing as a "hardware-based" firewall. bugtraq has plenty of reports of software bugs in firewalls resident on dedicated hardware. "Defense in depth" would suggest using both. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.
On Sun, 19 Dec 2004 17:47:28 -0500 (EST), Sean Donelan <sean@donelan.com> wrote:
There is a lot of wishful thinking, but security people seem to be very bad about actually testing their theories to see if they are effective. A lot of snake-oil gets sold using the theory it can't hurt.
Many Home/SOHO PC's are self-infected by the owners. Network firewalls and anti-virus software are very poor at preventing that. The really scary thing is the infection rate of Home/SOHO computers with AV/firewalls is higher than "naked" computers.
er, so having no firewall or antivirus software on your home broadband connection with an XP box hooked onto it would be just as safe as an XP box having $software_fw and frontended by $hw_firewall that at least does NAT and a bit of packet filtering on the side? I'd be interested in seeing the study you're quoting .. thanks --srs -- Suresh Ramasubramanian (ops.lists@gmail.com)
On Mon, 20 Dec 2004, Suresh Ramasubramanian wrote:
er, so having no firewall or antivirus software on your home broadband connection with an XP box hooked onto it would be just as safe as an XP box having $software_fw and frontended by $hw_firewall that at least does NAT and a bit of packet filtering on the side?
No, that's not what I said. The infection rate among all computers is abysmal. It just happens to be higher among computers with AV and/or firewalls. AV/Firewalls don't seem to be making people safer from trojans, spyware, adware, etc. So perhaps we need to look for other ways to improve things.
Why does it happen? I don't have the answers.
Are AV and firewalls too hard for the average user to install and maintain? Many of them are improperly configured, mis-installed, mis-managed, etc? Does a false sense of protection make things worse?
Do people with AV/firewalls engage in riskier behavior because they think they are protected? Do people without AV/firewalls tend to install less software of all types (good, bad and the ugly)? Do people without AV/firewalls take other protective measures, e.g. disable unused services, patch more frequently, don't use the administrator account, don't use Windows (e.g. Mac, Unix, etc)?
Do AV/firewalls miss the infection vector used by trojans, spyware, adware? Commercial AV vendors have only recently started adding other forms of malware protection to their products.
Most trojans, spyware and adware are installed by the user. Through social engineering the user is encouraged to click on every button. A user managed firewall's effectiveness is limited by the user managing it.
Do people buy AV/firewalls after they were already infected, but never properly cure the original infection? Essentially every brand-name computer with a copy of Microsoft Windows sold in the USA includes at least a 90-day AV product. Are there fewer infections during the first 90 days?
Is it Darwin, and only the strong computers of any type survive? Do computers without AV/firewalls die faster when infected, and are either cured or disappear; while computers with AV/firewalls tend to linger when infected without being cured. It seems to be very difficult to convince people with AV/firewalls that their computer could be infected. They tend to try to deny it much longer.
I'd be interested in seeing the study you're quoting ..
I'd encourage researchers and grad students to look into it. Security vendors are quick to sell new pills, but where are the studies that show their products' safety and effectiveness in the real world? If you are proposing all OEM's or broadband vendors include AV and firewall with their products, show me the study that shows it makes a difference.
Sean Donelan wrote:
On Mon, 20 Dec 2004, Suresh Ramasubramanian wrote: <snip good stuff for space> The infection rate among all computers is abysmal. It just happens to be higher among computers with AV and/or firewalls. AV/Firewalls don't seem to be making people safer from trojans, spyware, adware, etc. So perhaps we need to look for other ways to improve things.
Why does it happen? I don't have the answers. </lurk>
Hrmm.. So what you're suggesting is that once these systems have their "protection" on, they just go about having "safe computing" whenever, and wherever, they want.. without caution, or trepidation. Over and over, -shamelessly-. And this leads, ultimately, to a higher infection rate. I guess we could proselytize "abstinence" from computing, altogether. After all, not computing at ALL, is the only 100% effective method of avoiding infection. But, history shows us that sooner or later, the urge to compute grows -so- strong.. ..we burn with the basic drive.. and, finally, overcome with frustration, intrigue, and desire all at once, alas, we give in... we are, after all, only human. Humans do have these intrinsic fundamental needs that cannot safely be ignored. And, from what studies show us, -once we give in-, it is better to -have- protection, than no protection at all, even if that protection isn't 100% perfect, but only high 90's in effectiveness. So, perhaps the moral lesson is to teach -both-. Not abstinence, -apart- from protection... nor protection, without the "rev limiter" of proper prudence.... But, a balance between practicing proper prudence, -and- donning appropriate protective precautions. :P (I would say no pun intended, but.... ;) <lurk>
Are AV and firewalls too hard for the average user to install and maintain? Many of them are improperly configured, mis-installed, mis-managed, etc? Does a false sense of protection make things worse?
Do people with AV/firewalls engage in riskier behavior because they think they are protected? Do people without AV/firewalls tend to install less software of all types (good, bad and the ugly)? Do people without AV/firewalls take other protective measures, e.g. disable unused services, patch more frequently, don't use the administrator account, don't use Windows (e.g. Mac, Unix, etc)?
Do AV/firewalls miss the infection vector used by trojans, spyware, adware? Commercial AV vendors have only recently started adding other forms of malware protection to their products.
Most trojans, spyware and adware are installed by the user. Through social engineering the user is encouraged to click on every button. A user managed firewall's effectiveness is limited by the user managing it.
Do people buy AV/firewalls after they were already infected, but never properly cure the original infection? Essentially every brand-name computer with a copy of Microsoft Windows sold in the USA includes at least a 90-day AV product. Are there fewer infections during the first 90 days?
Is it Darwin, and only the strong computers of any type survive? Do computers without AV/firewalls die faster when infected, and are either cured or disappear; while computers with AV/firewalls tend to linger when infected without being cured. It seems to be very difficult to convince people with AV/firewalls that their computer could be infected. They tend to try to deny it much longer.
I'd be interested in seeing the study you're quoting ..
I'd encourage researchers and grad students to look into it.
Security vendors are quick to sell new pills, but where are the studies that show their products' safety and effectiveness in the real world?
If you are proposing all OEM's or broadband vendors include AV and firewall with their products, show me the study that shows it makes a difference.
Sean Donelan wrote:
Security vendors are quick to sell new pills, but where are the studies that show their products' safety and effectiveness in the real world?
It does not make commercial sense to develop a cure for something you can treat for decades. The cure has to come from somewhere funded out of unbiased money. And for stating the obvious, the cure has to leave the power to the people, if not, they'll just turn it off. Pete
Sean Donelan wrote:
...the infection rate of Home/SOHO computers with AV/firewalls is higher than "naked" computers.
please, where does this information come from? are you sitting on proof that the Home AV/Security industry is *complete* FUD? :)
What's more interesting is the highest infection rate of all is for homes with laptop/mobile computers.
is that so? please, where does *this* information come from? it might seem intuitively correct, but i'd like to see some numbers and other data to back these claims up. thanks -d
Sean Donelan wrote:
...the infection rate of Home/SOHO computers with AV/firewalls is higher than "naked" computers.
please, where does this information come from? are you sitting on proof that the Home AV/Security industry is *complete* FUD? :)
What's more interesting is the highest infection rate of all is for homes with laptop/mobile computers.
is that so? please, where does *this* information come from? it might seem intuitively correct, but i'd like to see some numbers and other data to back these claims up.
thanks
-d
How 'bout this data: Stupid people get viruses more than smart people. There will always be viruses, there will always be stupid people. What does this have to do with network operations? Are we, as network operators, supposed to protect people (stupid or not) from themselves? -Jerry
On Sunday 19 December 2004 16:47, Sean Donelan wrote:
The really scary thing is the infection rate of Home/SOHO computers with AV/firewalls is higher than "naked" computers.
I am very interested in "where" this information is published and how it was obtained.... -- Larry Smith SysAd ECSIS.NET sysad@ecsis.net "We now offer Propel Dial Accelleration" http://www.ecsis.net/pub/propel
<Southpark> I call "shenanigans". </Southpark> --- Larry Smith <lesmith@ecsis.net> wrote:
On Sunday 19 December 2004 16:47, Sean Donelan wrote:
The really scary thing is the infection rate of Home/SOHO computers with AV/firewalls is higher than "naked" computers. This flies in the face of both logic _AND_ my experience in the field.
After the .bomb exploded I did windows stuff to pay the rent, and there were 4 basic "groupings" of infection routes (from the viewpoint of the infected box):
External, uninvited (unpatched / unfiltered windows box)
External, invited (laptop from home)
Internal intentional download/install (gambling, porn players with ad ware)
Internal unintentional download (but all I did was install these extra fonts and smiles, I did not want my machine to become a Spam factory)
It is probably a "duh" to most of the readers on this list but I'll say it now for those that actually go through the archives to look for their answers before posting to NANOG. Just like in a REAL network (one that serves lots of end customers, and vars) security SHOULD follow a layered approach, and be monitored for compliance. Installing a hardware based firewall is a good first defense, not using silly programs (i.e. IE) is another. People will for the most part follow the "lazy path" that allows them the most pleasure. In the places that I have installed a hardware filter/firewall I have not seen ANY infections that are related to just the machine "being online", ALL have been the result of the user asking for these programs to be run (in one form or another).
I am very interested in "where" this information is published and how it was obtained....
As am I. Since the price of a simple nat/filter box has come down to under $100 they should (should as defined by RFC) be installed as a "package" with the cable modem/dsl/modem/net hole. Could you please let us know where you got the supporting data for your theory. I know that the infection rate is high for the PC world, but figuring out the invited vs. uninvited infection rate is of value to the discussion of end user firewall/filter use. The spam/virus issue won't go away until those who prepare, propagate and profit are removed from the matter. Either by filters on the net, jail time/fines, or blood loss (perhaps proper application of all options), all the people involved in spreading this malware should be discouraged from doing so. Let's clean up our friends'/co-workers' PCs this coming year. Whenever I go to someone's house I'm making sure that their antivirus software is installed and up to date, box is patched, and that they have some sort of hardware based firewall. I've already given a few away as x-mas presents this year, and installed them. How about you? "less bitchin, more fixin!" -charles -- "champagne for my real friends, real pain for my sham friends" - ed norton
On 19-dec-04, at 5:45, Sean Donelan wrote:
Some manufacturers, such as Apple AirPort Extreme, also make dialup gateways with dialup modem PPP and firewall capabilities.
Actually the Airport Extreme doesn't do firewalling.
It's a myth that dialup is "safer" than broadband.
Well, everything takes longer, including getting infected. :-) But why are we discussing this again, for the 2^56th time? People on this list either know how to do the right thing (with or without a firewall), or are too stubborn to, regardless of having all the relevant information. As for the people who aren't on this list, the majority of them don't care, so let's wait until they start to, and do something that's more useful and more fun in the meantime. And:
NIC manufacturers will start including built-in hardware firewalls.
You're kidding, right? If the NIC filter is easy to configure in software, it's just hardware support for software firewalling which you don't believe in. If the NIC filter isn't easy to configure in software, people can no longer use their unsafe protocols even on LANs, defeating the purpose of these unsafe protocols (conspiracy nuts may believe the purpose of these protocols is their WAN mis-use, of course). -- "Every computer sold in the US is safe by default. It is powered off, disconnected, in a factory sealed box" - Sean Donelan, on NANOG
Iljitsch van Beijnum <iljitsch@muada.com> writes:
On 19-dec-04, at 5:45, Sean Donelan wrote:
Some manufacturers, such as Apple AirPort Extreme, also make dialup gateways with dialup modem PPP and firewall capabilities.
Actually the Airport Extreme doesn't do firewalling.
It does PNAT and port forwarding to an inside IP address with remapping. This matches with the vernacular use of the term "firewall". I've not tried to get it to route a subnet; I'm not even sure if it's possible. If you want to be pedantic and completely arbitrary in use of your definitions I suppose you could say that the Airport Extreme fares poorly in the ASTM E119 tests and therefore "doesn't do firewalling". ---Rob
On 19-dec-04, at 16:54, Robert E. Seastrom wrote:
Some manufacturers, such as Apple AirPort Extreme, also make dialup gateways with dialup modem PPP and firewall capabilities.
Actually the Airport Extreme doesn't do firewalling.
It does PNAT and port forwarding to an inside IP address with remapping. This matches with the vernacular use of the term "firewall".
If you say so...
I've not tried to get it to route a subnet; I'm not even sure if it's possible.
Not as far as I can tell. But being a base station, it can act as a switch. In this mode, it's completely transparent (unless you count rate limiting multicasts...). And even with NAT there is no way to filter outgoing traffic.
Please, do not compare connections through PNAT (DSL + Linksys) with dialup. So, this all is incorrect - DSL providers are (in 90% of cases) protected from the very beginning by hardware (even if they never heard the word FIREWALL) - because of PNAT.
----- Original Message -----
From: "Suresh Ramasubramanian" <ops.lists@gmail.com>
To: "Sean Donelan" <sean@donelan.com>
Cc: <nanog@merit.edu>
Sent: Saturday, December 18, 2004 7:43 PM
Subject: Re: New Computer? Six Steps to Safer Surfing
On Sat, 18 Dec 2004 22:07:58 -0500 (EST), Sean Donelan <sean@donelan.com> wrote:
On Sun, 19 Dec 2004, Suresh Ramasubramanian wrote:
Just asking .. any idea how many cable / dsl operators around the world - not just in the USA - provide hardware firewalls along with their CPE equipment - or perhaps provide CPE equipment that's capable of firewalling?
How many dialup operators around the world provide hardware firewalls? Or is the modem built into your computer or bought as an add-on card?
Not a valid comparison.
At least some manufacturers make hardware firewalls that are also PPPoE / PPPoA dsl modems. Linksys for example. Several other manufacturers don't do this.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Suresh Ramasubramanian wrote:
Just asking .. any idea how many cable / dsl operators around the world - not just in the USA - provide hardware firewalls along with their CPE equipment - or perhaps provide CPE equipment that's capable of firewalling?
Both regional cable providers in our area provide only cheap cable modems, and at least the ILEC CO's DSL is also basic modem-like capability, although the ILEC offers a wireless option with a DSL AP (that I haven't examined to see if it's a router or bridge). At least one of the cable providers provides free virus/firewall software (F-Secure). Don't know of any hardware security offerings bundled or offered. Jeff
On Sat, Dec 18, 2004 at 09:14:30PM -0500, Sean Donelan wrote:
I wouldn't rely on software firewalls. At the same store you buy your computer, also buy a hardware firewall. Hopefully soon the motherboard and NIC manufacturers will start including built-in hardware firewalls. But sometimes, such as dialup modems, software firewalls are the only alternative.
Hopefully soon people will start running operating systems, web browsers, and email clients where they have no need for a "personal firewall". (Or, with luck, certain vendors will fix their buggy software) -- Matthew S. Hallacy FUBAR, LART, BOFH Certified http://www.poptix.net GPG public key 0x01938203
So when the majority of people begin using a different operating system, is there some reason that the majority of virus-writers or other malcontents wouldn't focus on the flaws there? Or are we stuck in this little bubble thinking that unix REALLY is THAT secure? Perhaps it is, but my viewpoint is that it's really shortsighted to make this assumption. Just because it hasn't happened yet doesn't mean that it can't. Wolves go where the sheep are plentiful and less protected. As they get hungry, they'll go other places. :) Just my two cents. Scott
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Matthew S. Hallacy
Sent: Sunday, December 19, 2004 7:37 AM
To: Sean Donelan; nanog@merit.edu
Subject: Re: New Computer? Six Steps to Safer Surfing
On Sat, Dec 18, 2004 at 09:14:30PM -0500, Sean Donelan wrote:
I wouldn't rely on software firewalls. At the same store you buy your computer, also buy a hardware firewall. Hopefully soon the motherboard and NIC manufacturers will start including built-in hardware firewalls. But sometimes, such as dialup modems, software firewalls are the only alternative.
Hopefully soon people will start running operating systems, web browsers, and email clients where they have no need for a "personal firewall". (Or, with luck, certain vendors will fix their buggy software) -- Matthew S. Hallacy FUBAR, LART, BOFH Certified http://www.poptix.net GPG public key 0x01938203
On Sun, 19 Dec 2004, Scott Morris wrote:
So when the majority of people begin using a different operating system, is there some reason that the majority of virus-writers or other malcontents wouldn't focus on the flaws there?
Or are we stuck in this little bubble thinking that unix REALLY is THAT secure?
Perhaps it is, but my viewpoint is that it's really shortsighted to make this assumption. Just because it hasn't happened yet doesn't mean that it can't. Wolves go where the sheep are plentiful and less protected. As they
it has happened:
iis/sadmin worm 2001-may
apache-scalper worm
l10n worm
morris-sendmail-extravaganza
current-ssh-exploit-fun
there are others of course... it's not the OS that matters in the long run, it's the administration of that OS (or so it seems to me, admittedly not a sysadmin though, anymore). Sure, initial/default installs might be problematic in one/all OS's, but by and large extended lifetimes on a live/hostile network means patches must be applied. Seems like that doesn't happen by and large. -Chris
On Tue, 21 Dec 2004 06:22:17 +0000 (GMT), Christopher L. Morrow <christopher.morrow@mci.com> wrote:
there are others of course... it's not the OS that matters in the long run, it's the administration of that OS (or so it seems to me, admittedly not a sysadmin though, anymore). Sure, initial/default installs might be problematic in one/all OS's, but by and large extended lifetimes on a live/hostile network means patches must be applied. Seems like that doesn't happen by and large.
[waiting for an OpenVMS user to speak up] Frankly, from an operational perspective, I guess the only way to go is to trust the inside of your network even less than you trust the outside ... and have processes that quickly isolate and block access from / to compromised hosts till they are fixed. Modulo various "100% efficient" solutions that I see advertised, we do need a reliable, and quick reacting, way to do this. -- Suresh Ramasubramanian (ops.lists@gmail.com)
On Tue, 21 Dec 2004, Suresh Ramasubramanian wrote:
On Tue, 21 Dec 2004 06:22:17 +0000 (GMT), Christopher L. Morrow <christopher.morrow@mci.com> wrote:
there are others of course... it's not the OS that matters in the long run, it's the administration of that OS (or so it seems to me, admittedly not a sysadmin though, anymore). Sure, initial/default installs might be problematic in one/all OS's, but by and large extended lifetimes on a live/hostile network means patches must be applied. Seems like that doesn't happen by and large.
[waiting for an OpenVMS user to speak up]
Frankly, from an operational perspective, I guess the only way to go is to trust the inside of your network even less than you trust the outside ... and have processes that quickly isolate and block access
This is quite correct... The blocking/isolation is helped if the network is segmented early on: permit that traffic which is 'normal', place some IDS-like devices around and correlate logs/reports/incidents to properly react when something goes awry.
from / to compromised hosts till they are fixed.
Modulo various "100% efficient" solutions that I see advertised, we do need a reliable, and quick reacting, way to do this.
I'm not such a fan of the auto-acting devices, I'd rather have a person review the action prior to taking it.... Each security/network person should determine how best to handle that themselves though.
On Tue, 21 Dec 2004 07:09:35 +0000 (GMT), Christopher L. Morrow <christopher.morrow@mci.com> wrote:
I'm not such a fan of the auto-acting devices, I'd rather have a person review the action prior to taking it.... Each security/network person should determine how best to handle that themselves though.
For most large networks with hundreds of thousands of end users (broadband providers, say), the sheer volume of trojaned or otherwise compromised hosts makes automation necessary. This should of course be subject to manual review once the traffic has been cut off.. -- Suresh Ramasubramanian (ops.lists@gmail.com)
On Tue, 21 Dec 2004, Suresh Ramasubramanian wrote:
: On Tue, 21 Dec 2004 07:09:35 +0000 (GMT), Christopher L. Morrow
: <christopher.morrow@mci.com> wrote:
: > I'm not such a fan of the auto-acting devices, I'd rather have a person
: > review the action prior to taking it.... Each security/network person
: > should determine how best to handle that themselves though.
: For most large networks with hundreds of thousands of end users
: (broadband providers, say), the sheer volume of trojaned or otherwise
: compromised hosts makes automation necessary.
:
: This should of course be subject to manual review once the traffic has
: been cut off..
Certain types of infections can be dealt with automatically (to preserve network performance) and other types of infections/compromises don't lend themselves to fully automatic action. For large and small networks, there needs to be a combination of both. Further, the methods used need to be strictly defined in policy and carefully carried out according to the resulting procedures. This keeps everyone consistent in how the network-performance-affecting problems are dealt with, resulting in more efficient troubleshooting and a happier customer base. scott
On Tue, Dec 21, 2004, Christopher L. Morrow wrote:
problematic in one/all OS's, but by and large extended lifetimes on a live/hostile network means patches must be applied. Seems like that doesn't happen by and large.
[waiting for an OpenVMS user to speak up]
You won't need to. ;-)
Frankly, from an operational perspective, I guess the only way to go is to trust the inside of your network even less than you trust the outside ... and have processes that quickly isolate and block access
This is quite correct... The blocking/isolation is helped if the network is segmented early on: permit that traffic which is 'normal', place some IDS-like devices around and correlate logs/reports/incidents to properly react when something goes awry.
There's no reason programs running on a host should have full access to your filesystem or network stack (for binding or outgoing connections) without explicitly being granted permission by your users. The trouble is that a lot of the random crap people "install" just says "click yes and yes when asked about installing this software!", which said user will blithely run off and do. Personally, I think trying to stop the software being installed is a lost cause. It's going to get installed no matter how hard you try. What I think vendors should be looking at are solutions to mitigate the effect said software can have /when/ it's running. There are personal firewalls available which limit the network access the applications are granted, but they're quite spammy for the average user ("Internet Explorer is trying to connect to www.google.com. is this acceptable?"). Cisco sells a corporate solution similar to this - something profiles your running applications to see which API calls it makes and their parameters, then you lock the machine to only be able to run within this profile. Adrian -- Adrian Chadd <adrian@creative.net.au> "You don't have a TV? Then what's all your furniture pointing at?"
On Tue, Dec 21, 2004 at 12:03:12PM +0530, Suresh Ramasubramanian wrote:
On Tue, 21 Dec 2004 06:22:17 +0000 (GMT), Christopher L. Morrow <christopher.morrow@mci.com> wrote:
there are others of course... it's not the OS that matters in the long run, it's the administration of that OS (or so it seems to me, admittedly not a sysadmin though, anymore). Sure, initial/default installs might be problematic in one/all OS's, but by and large extended lifetimes on a live/hostile network means patches must be applied. Seems like that doesn't happen by and large.
[waiting for an OpenVMS user to speak up]
Frankly, from an operational perspective, I guess the only way to go is to trust the inside of your network even less than you trust the outside ... and have processes that quickly isolate and block access from / to compromised hosts till they are fixed.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
well... i trust both inside and outside roughly the same... the outside, i have to depend on others to do my work for me... the inside is nobody's responsibility but my own. being a "good" player depends on me doing the "right" things in my own backyard ... that's the only way to have a better neighborhood, when everyone does their part. --bill
On Sun, 19 Dec 2004, Matthew S. Hallacy wrote:
On Sat, Dec 18, 2004 at 09:14:30PM -0500, Sean Donelan wrote:
I wouldn't rely on software firewalls. At the same store you buy your computer, also buy a hardware firewall. Hopefully soon the motherboard and NIC manufacturers will start including built-in hardware firewalls. But sometimes, such as dialup modems, software firewalls are the only alternative.
Hopefully soon people will start running operating systems, web browsers, and email clients where they have no need for a "personal firewall".
it's a nice dreamworld you live in, but seriously.... 98% of the computer using population will use whatever the 'commodity' OS is for their platform, that means windows on intel and OSX on ppc...
(Or, with luck, certain vendors will fix their buggy software)
and Sean will/maybe-has-already pointed out that "unix" (in all its glorious variations) is no more secure than anything else... as much as it saddens me to say all that it sure seems to be the truth. :( -Chris
On Tue, Dec 21, 2004 at 06:17:42AM +0000, Christopher L. Morrow wrote:
and Sean will/maybe-has-already pointed out that "unix" (in all its glorious variations) is no more secure than anything else... as much as it saddens me to say all that it sure seems to be the truth. :(
Only if you turn on all the services (running as the root user), then fire up XF86, a web browser, and email client (also running as root). (Yes, I am well aware that you can run software on Windows as restricted userID's. We're talking about the typical desktop though) -- Matthew S. Hallacy FUBAR, LART, BOFH Certified http://www.poptix.net GPG public key 0x01938203
On Tue, Dec 21, 2004, Matthew S. Hallacy wrote:
On Tue, Dec 21, 2004 at 06:17:42AM +0000, Christopher L. Morrow wrote:
and Sean will/maybe-has-already pointed out that "unix" (in all its glorious variations) is no more secure than anything else... as much as it saddens me to say all that it sure seems to be the truth. :(
Only if you turn on all the services (running as the root user), then fire up XF86, a web browser, and email client (also running as root).
No, wrong. Modern botnet type software can run as a non privileged user on most Unixes. It still has enough privilege to cause great harm. Spyware may require a little more privilege to be a bother. You only need to "root" a unix machine if you wish to take it over and 'hide' what you're doing or you want to use it or the information on it as a springboard for further attacks. Last post on this thread, it's losing its N meaning. Adrian -- Adrian Chadd <adrian@creative.net.au> "You don't have a TV? Then what's all your furniture pointing at?"
On Tue, Dec 21, 2004 at 09:40:10AM +0000, Adrian Chadd wrote:
No, wrong. Modern botnet type software can run as a non privileged user on most Unixes. It still has enough privilege to cause great harm. Spyware may require a little more privilege to be a bother.
It's not snarfing passwords, it's not using raw sockets, it's not hiding itself on the filesystem, it's not infecting or replacing binaries, it has limited functionality for restarting itself (cron, bash_login?), it's trivial to clean up. Nobody said *nix wasn't vulnerable, it's simply less vulnerable and the level of penetration can be severely limited. In response to the post by Christopher Morrow, the typical *nix desktop (should|is) not running apache, sshd, portmapper, etc. And sendmail is installed listening only on the loopback interface from RedHat 9 onward. The point being, you don't need a firewall. You need to turn off/remove/fix the services that are causing the problem. -- Matthew S. Hallacy FUBAR, LART, BOFH Certified http://www.poptix.net GPG public key 0x01938203
At 09:14 PM 12/18/04 -0500, Sean Donelan wrote:
I wouldn't rely on software firewalls. At the same store you buy your computer, also buy a hardware firewall. Hopefully soon the motherboard and NIC manufacturers will start including built-in hardware firewalls.
I guess my question is: why rely on a firewall at all? Yes, a firewall at ingress to a network will reduce the probability or effectiveness of an attack from "outside" in many cases. But in many cases the infection is from "inside", and in any event something in the network or in the end system at the edge of the network can only really address link and network layer attacks effectively. I personally would far rather presume that the end system is responsible for its own security, and that there are security considerations at every layer. Reduce the incidence and track attacks with network-based tools, but in the final analysis build the applications and stack code to withstand attacks.
In practice, the biggest difference between infected computers and non-infected computers appears to be the age of installed patches. The debate about AV/firewalls is a bit of a red herring. On Mon, 20 Dec 2004, Fred Baker wrote:
I guess my question is: why rely on a firewall at all? Yes, a firewall at ingress to a network will reduce the probability or effectiveness of an attack from "outside" in many cases. But in many cases the infection is from "inside", and in any event something in the network or in the end system at the edge of the network can only really address link and network layer attacks effectively.
Standalone firewalls (network/hardware firewalls) are useful administrative boundaries, but are limited security tools especially in a world of mobile laptops and tunnels. Inside/outside is very blurry for most home users. Almost everything a home user does is "outside" the home network perimeter. The reality appears to be network worms are only one vector for compromising a computer. I'm not sure network worms are even the most common infection vector today. Although I think standalone firewalls are a Maginot Line, I still perform the initial bootstrap and patching of new consumer-grade computers behind a standalone firewall. The options for dialup users are even more limited. However the lack of patching seems to be a bigger problem for dialup users.
I personally would far rather presume that the end system is responsible for its own security, and that there are security considerations at every layer. Reduce the incidence and track attacks with network-based tools, but in the final analysis build the applications and stack code to withstand attacks.
You are almost always safer turning off the service on the host, rather than letting the service run and trying to block access. Trying to figure out all the possible communication channels is very difficult. If you build your own system configuration, simply not installing or running unnecessary services eliminates both known and unknown vulnerabilities in those services. Some operating systems make it very difficult to discover what is running on the computer or to turn off unused services. Microsoft Windows has a bug in several versions of netstat, so you can't even rely on the vendor's own tools. An infected computer is still infected even if you block some access. Worse, the average user isn't very good at deciding what access to permit or deny. The problem is what do you do when your basic end system is untrustworthy and can not successfully manage its own security?
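The "find out what is listening and turn it off" check that Matthew and Sean describe above, as an added example that is not part of this thread or anyone's posted code: it reads the Linux kernel's /proc/net/tcp table directly rather than trusting a vendor netstat, decodes the hex addresses, and flags every LISTEN socket bound to something other than loopback (the way a sendmail bound only to 127.0.0.1 would pass). IPv4 only; the sample table is constructed, and the allow-list parameter is a hypothetical convenience.

```python
import socket
import struct

# Constructed sample in the layout of /proc/net/tcp (IPv4). Not output from
# any host in the thread: a mailer on 127.0.0.1:25, sshd on 0.0.0.0:22, a web
# server on 0.0.0.0:80 running as uid 33, and one established session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def _decode_addr(hex_addr):
    """Turn 'AABBCCDD:PPPP' into ('d.c.b.a', port); the kernel stores the
    IPv4 address in host byte order, hence the little-endian unpack."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return (ip, port, uid) for every socket in LISTEN state.
    The header line is skipped because its state column reads 'st'."""
    result = []
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip, port = _decode_addr(fields[1])
        result.append((ip, port, int(fields[7])))
    return result


def exposed_listeners(proc_net_tcp_text, allowed_ports=()):
    """Listeners reachable from the network: anything not bound to loopback
    and not on the (hypothetical) allow list of ports you meant to expose."""
    return [
        (ip, port, uid)
        for ip, port, uid in listening_sockets(proc_net_tcp_text)
        if not ip.startswith("127.") and port not in allowed_ports
    ]


def read_proc_net_tcp(path="/proc/net/tcp"):
    """Read the live table on a Linux host (IPv6 listeners live in /proc/net/tcp6)."""
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    # Run against the constructed sample; swap in read_proc_net_tcp() for a real audit.
    for ip, port, uid in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print(f"exposed listener {ip}:{port} (uid {uid}) - turn it off or bind it to loopback")
```

Anything the script reports that you did not deliberately expose is a candidate for disabling outright rather than for a firewall rule.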