Topic: Firewalls? (Read 5031 times)
arkabee
Firewalls? « Reply #15 on: March 24, 2004, 07:02:00 PM »
Quote from: "Asherdan"
Quote from: "CortJstr"
There are several programs out there that just do port scans to try and get in. A decent router should stop it but I wouldn't rely on it.
Interesting. I've got three PC's sitting behind a Netgear MR814 at home. I've questioned the real need to go behind a software firewall as well.
Am I hiding behind the equivalent of a candy-filled toy* here? Do I really need to 'double-bag' my home junk?
*credit to FJ for that phraseology
i was going to yammer on about hardware based firewalling up there, but then my hand cramped and i realized the audience [that exists in my head] had "fallen asleep" a la the passenger next to guy in Airplane.
ok, first off it's sort of a misnomer to call a NAT box a firewall. in its strictest sense, unless you are logging you aren't firewalling. in the loose sense of trying to keep the "fire" on the other side, NAT boxes are.
NAT is great, and when used correctly, it is wicked hard to counter. but, if you ask for it, it will let you do anything dumb you want to.
Asherdan, if i find your public IP, and you are behind NAT, and running an un-secured OS like XP with no patches, or linux with all kinds of random unneeded services bound, it is no longer Trivial for me to "do bad things to you". without NAT or firewalling of some sort, "all your boxen are belong to us".
with NAT, however, unless there's a specific exploit for the Firmware your router is running, and unless you have horribly misconfigured your router (such as setting your PC as the "DMZ" point), it is quite difficult (read that as: i'm sure there's a way to, but i don't know of any specific way) to exploit your NAT.
However, if you were to run an application that OPENS a NAT'd connection through your router, well, then all bets are off.
the same, however, goes for say running Zone Alarm and clicking "ok" to all the "are you sure" pop-ups. if an app gets on your system, and you run it and tell your "system" that it is a "good thing", and that app is compromised (read- virus, trojan, malware, etc) then all bets are off.
this is why, even though i'm behind a Nat'd mess right now, i'm running zonealarm. because, if my NAV software misses an update, or i do something stoopid like open an unknown attachment, etc, the NAT box is going to let the outgoing connections go, because that's what it's _supposed_ to do.
With ZA, though, if i have a rampant app on my system, it _should_ be detected by me, because ZA is going to keep asking me if i want to let "new-random-app.exe" have access to the net.
So, by using both Hardware NAT, and Software Rulesets (ZA in this case) i can be somewhat prudently sure that i'm somewhat secure.
Throw in AV software that i update religiously (set to autoupdate, and updated every time i turn the PC on in the morning), and Malware Detection Tools (such as Spybots Search and Destroy & ADAware) that i update and scan with, and you have a _reasonably_ secure Personal Computer.
If it's not Personal, though, all i've said is a bunch of BS.
Anyways, the key with "security" is how prudent do you want to be, because in the end, there's _always_ going to be a way for your system to be compromised (worst case, search and seizure warrant...).
Logged
"God forbid I'd ever be separated from my Duran Duran for a single minute!"
-August West
"Maybe Hanson or the Jonas Brothers might finally lose their shit one day."
-Nabubrush
arkabee
Firewalls? « Reply #16 on: March 24, 2004, 07:04:50 PM »
Quote from: "Nabubrush drinks (a lot)"
Well, I'll be home in a week and I'll try that. We'll see if we have the internet back - we've had nothing but problems with Qwest, so who knows.
you have dsl, your modem, is it an internal modem (a card that was inserted into the computer) or an external modem?
if external, is it USB, or Network-based (network- the cord plug would look like an extra wide phone cord plug, usb- the cord would look nothing like a phone cord plug.)?
Logged
arkabee
Firewalls? « Reply #17 on: March 24, 2004, 07:08:27 PM »
Quote from: "jough"
I would highly recommend against using either Windows XP's built-in firewall OR McAfee Firewall - they cause more trouble than they solve.
The best thing to do is to have your Cable/DSL modem go straight into a hardware firewall and then into a network switch.
The entire solution costs about $250, but it's well worth it.
i'm curious as to where you get the $250 approximation? are you including the price of a network-based cable/dsl modem?
i've never been a fan of "walmart el-cheapo" stuff, but the "Network Everywhere" "brand" at walmart hereabouts is simply rebranded Linksys with less support. a Nat lan to lan router with 4 port hub or switch (can't remember) is ~~ $50 or so.
have them in use at a couple of places, and they are definitely not bad as a SOHO device.
i completely agree, though, that having a network-based modem and a router is generally a better solution, especially from a troubleshooting standpoint or making changes to the pc down the line, etc.
Logged
Asherdan
Firewalls? « Reply #18 on: March 24, 2004, 07:27:30 PM »
Thanks for the detail. I'm feelin' alright about my setup as the only item listed that was not a 'check' is a software firewall.
Logged
Later, Gators.
jough
Firewalls? « Reply #19 on: March 24, 2004, 07:45:11 PM »
Quote from: "arkabee"
i'm curious as to where you get the $250 approximation? are you including the price of a network-based cable/dsl modem?
No. People usually either rent them month-to-month or buy them upfront - so I'm not including the hardware that they've already purchased in my estimation.
Figure about $50 for a decent 4-port switch, and about $200 for a decent hardware firewall (sometimes you can get a combo firewall/router/switch but I recommend against it).
You could probably get the firewall cheaper, but again, I wouldn't recommend it.
Logged
NEW!
Clean Livin'
|
T-Shirts
What a Jough Wants.
|
poetry archives
jough
Firewalls? « Reply #20 on: March 24, 2004, 07:46:59 PM »
If you want to check out your own PC to see if you have open ports or vulnerabilities, check out http://grc.com (and click on "Shields Up!").
You can do all kinds of useful scans and probing from that site, and at least will know if you have ports that are open.
Logged
CortJstr
Firewalls? « Reply #21 on: March 24, 2004, 10:00:17 PM »
Quote from: "Asherdan"
Quote from: "CortJstr"
There are several programs out there that just do port scans to try and get in. A decent router should stop it but I wouldn't rely on it.
Interesting. I've got three PC's sitting behind a Netgear MR814 at home. I've questioned the real need to go behind a software firewall as well.
Am I hiding behind the equivalent of a candy-filled toy* here? Do I really need to 'double-bag' my home junk?
*credit to FJ for that phraseology
Run Shields Up! as Jough recommended. If you get a perfect score (total stealth) then you're probably okay. Unless you also game online or use any P2P software. Because to use them you have to tell your router to open certain ports no matter what comes through.
A software firewall like ZoneAlarm sets up a 2nd line that makes sure that only the programs you specified can talk and/or listen on those ports. This way eMule can accept traffic on port 4662 but some random virus/worm probing your computer on 4662 will be stopped by ZA.
Oh, and totally run Ad-Aware and Spybot S&D at least monthly. More if you do high risk stuff (like P2P).
Logged
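The layering discussed in the replies above (NAT drops unsolicited inbound traffic but passes anything outbound, a forwarded port such as eMule's 4662 is open to everyone, and a per-program firewall decides which application may use it) can be sketched as a toy model. This is an added example, not part of any post in the thread; the class names, addresses and program names other than "new-random-app.exe" and port 4662 are constructed for illustration.

```python
# Toy model (added example): a NAT router in front of a per-program host firewall.
# Addresses, ports and program names are constructed samples.

class NatRouter:
    def __init__(self, forwards=None):
        self.forwards = dict(forwards or {})  # public port -> (lan_host, lan_port)
        self.table = {}                       # public port -> (lan_host, lan_port, remote)
        self.next_port = 40000

    def outbound(self, lan_host, lan_port, remote):
        """A LAN host opens a connection: NAT allows it and records the mapping."""
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (lan_host, lan_port, remote)
        return public_port

    def inbound(self, remote, public_port):
        """Internet packet: deliver only on matching state or a configured forward."""
        entry = self.table.get(public_port)
        if entry and entry[2] == remote:
            return entry[:2]                  # reply to a connection the LAN started
        return self.forwards.get(public_port) # None: dropped at the router


class HostFirewall:
    def __init__(self, approved):
        self.approved = set(approved)         # (program, direction, port) the user allowed

    def permits(self, program, direction, port):
        return (program, direction, port) in self.approved


def reaches_pc(router, firewall, remote, public_port, listener):
    """True if an unsolicited inbound packet gets to `listener` on the PC."""
    target = router.inbound(remote, public_port)
    if target is None:
        return False                          # stopped by NAT, never reaches the PC
    return firewall.permits(listener, "in", target[1])


if __name__ == "__main__":
    router = NatRouter(forwards={4662: ("192.168.0.2", 4662)})
    fw = HostFirewall({("emule.exe", "in", 4662), ("browser.exe", "out", 80)})
    scanner = ("203.0.113.9", 31337)
    print(reaches_pc(router, fw, scanner, 135, "svchost.exe"))          # no forward
    print(reaches_pc(router, fw, scanner, 4662, "emule.exe"))           # approved listener
    print(reaches_pc(router, fw, scanner, 4662, "new-random-app.exe"))  # same port, unapproved
    print(fw.permits("new-random-app.exe", "out", 80))                  # NAT would allow this
```

The model ignores protocols, timeouts and router firmware flaws; it only shows which layer makes which decision.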
slink
Firewalls? « Reply #22 on: March 24, 2004, 10:02:29 PM »
OK.
Erm, lots of activity here.
BlackIce, as I mentioned above, got in bed with Microsoft. So you can't assume that you can block certain things that MS don't want you to. Which sucks!
As for port tweakage, Zone Alarm pro does let you. The new versions of Pro are actually very good, and I find preferable to hardware firewalls, which by their very nature suck. I was having various problems with freeing up individual ports for certain purposes and found the new version of Pro let me do so, with, well I won't say ease for most people.
Oh, and as for Outlook, since I don't know if this was addressed... It's dangerous too. I don't know how well they fixed problems with it, since well, it's MS, but the preview pane and the lack of real options allow it to selfrun macros through HTML emails. This is not good.
I stuck with Eudora, since it allowed text only email (all you should need, though I'm a utilitarian geek), for years, until switching to Thunderbird recently.
More info may be needed on the Outlook issues, since I knew of this problem a year or so ago, and have just laughed at the idea of using it ever since. And this is Express I am talking about at any rate.
Logged
FOOD CHAIN! GET USED TO IT!
jough
Firewalls? « Reply #23 on: March 24, 2004, 10:23:06 PM »
Oh, and for the love of god, no matter what e-mail client you use, disable the "preview" pane. It pretty much just lets scripts run on your computer just by "previewing" the message.
Logged
slink
Firewalls? « Reply #24 on: March 24, 2004, 10:58:11 PM »
Quote from: "jough"
It pretty much just lets scripts run on your computer just by "previewing" the message.
And regardless, it's ugly as hell and totally anti-good-UI-practice!
Apparently it was the use of Outlook and the preview pane that caused Valve to let keyloggers at their system and thus free up the possibility of cracking.
But still, the issue with Outlook wasn't fixed like this. It could essentially, at one point at least, have macro scripts run in stealth.
Logged
Choop
Firewalls? « Reply #25 on: March 24, 2004, 10:59:27 PM »
I don't believe Thunderbird's preview pane ("Message pane") allows any scripting to process. By all means, though, only open it when you're focused on a message you believe to be safe to read. And activate the Junk filters, and train them (by marking any junk or virus-looking mail as junk).
Logged
Fuck you, recursion.
slink
Firewalls? « Reply #26 on: March 24, 2004, 11:32:59 PM »
Quote from: "Choopernickel"
I don't believe Thunderbird's preview pane ("Message pane") allows any scripting to process.
Indeed, as far as I am aware, it is safe. And it would certainly be an anomaly* on the part of the Moz Foundation to leave such a glaring and obvious error present in their software, particularly when designed from the ground up so recently.
*This of course, does not apply to the slackwristed, assmonkeys at Microsoft.
Logged
andalucia
Firewalls? « Reply #27 on: March 24, 2004, 11:45:49 PM »
Quote from: "slink"
Moz Foundation
hehehehe.
Logged
goose means greedy
sjlimmer
Firewalls? « Reply #28 on: March 24, 2004, 11:53:55 PM »
Quote from: "andalucia"
Quote from: "slink"
Moz Foundation
hehehehe.
Yeah, don't you just love the mental image of Morrissey coding away furiously for the safety of our computers?
</tangent>
Logged
"That's because you're a mean drunk, and nobody loves you."
CortJstr
Firewalls? « Reply #29 on: March 25, 2004, 01:01:50 AM »
Quote from: "arkabee"
CortJstr, if you ever come across a copy of Signal 9's PC Conseal, i'd recommend it to you. its learning curve is astronomical compared to the point and click of ZA, but it's entirely customizable with a text editor. on the flip side, it got bought out by McAfee 3-4 years ago or so, and i'm not really sure how well it would operate with the differences in win2k & Xp's network stacks as opposed to nt4/win9x. i think i remember it running ok on win2k, but can't be sure.
I'd heard that PC Conceal was a god among firewalls but that McAfee claimed they acquired it to integrate into and improve their own product. But in reality they just wanted the competition gone because the code bases were so different integration was impossible.
This was in Eric Szulczewski's column, the same place the Sygate firewall was recommended and a source of technological and political blatherings that would make James Lileks plead for mercy.
Logged