(#21) Z4i, Senior Member (Posts: 101, Join Date: May 2009, Location: Tampa, FL)
07-23-2009, 07:15 AM

Quote (originally posted by notladstyle):
wow, a windows pc without a firewall at any time in any location is just stupid.
If it's so stupid, feel free to prove it on my computer, like I said, I won't hold anyone responsible for what happens to the software on that computer.

Quote:
I can't think of a reason you would want to disable a firewall regardless of the perceived safety of a location.
I can't think of a reason why people would go skydiving, it's clearly dangerous, no matter how much training they go through and how carefully packed the parachute and the backup parachute are, they're just begging to go splat on a rock.

Quote:
a single compromised computer behind your home network and you will have to wipe & reinstall all of them when they are infected.
And I never denied this, instead I advocate not letting untrusted devices onto the network. And while I agree reinstalling is the best way to get rid of malware, it isn't the only way. For most people, letting an antivirus app remove it is sufficient.

Quote:
as a default, I leave windows firewall on with no exceptions checked. besides gaming, there is no reason to change that setting.
Gaming, and apache, and ftp, and ssh, and vnc, and X11, and RDP, and netcat, and likely some other programs that accept incoming connections that you don't use.


Unix fanatic
Vostro A90, 16GB SSD, 2GB DDR2, US-INTL Keyboard, FreeBSD 7.2-STABLE
Latitude E6400N, 2.4GHz, 4GB, 320GB, Opensolaris 2009.06 updated to build 118
Dell Tech Support agent
(#22) menders, Member (Posts: 31, Join Date: May 2009)
07-23-2009, 11:17 PM

IP source routing is one method that can be used to access a network behind a NAT router.

Source Routing

Software firewalls are a good idea.
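The source-routing bypass menders points to above, seen from the gateway's side, as an added example that is not code from the thread or from any of its posters: it parses an IPv4 header for the LSRR/SSRR options that let a sender dictate the path (the way an outside host can name an inside RFC 1918 address as the next hop) so a NAT gateway or a sniffer in front of it can drop or log such packets. The packet builder and all addresses are constructed for the demo.

```python
import socket
import struct

# Option "kind" values from RFC 791; these two let the sender dictate the path.
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (no payload, zero checksum) for testing."""
    options += b"\x00" * ((-len(options)) % 4)  # pad options to a 32-bit boundary
    ihl = (20 + len(options)) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                         0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options


def source_route_options(packet: bytes) -> list:
    """Return [(kind_name, [hop, ...]), ...] for every LSRR/SSRR option found."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return []
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return []
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # no-op padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                # malformed length: stop rather than trust it
        length = opts[i + 1]
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            body = opts[i + 3:i + length]   # skip kind, length and pointer bytes
            hops = [".".join(map(str, body[j:j + 4])) for j in range(0, len(body) // 4 * 4, 4)]
            found.append(("LSRR" if kind == IPOPT_LSRR else "SSRR", hops))
        i += length
    return found


def should_drop(packet: bytes) -> bool:
    """Gateway policy: never forward a packet whose route the sender chose."""
    return bool(source_route_options(packet))


if __name__ == "__main__":
    # Constructed sample: an outside host names an inside RFC 1918 address as the next hop.
    lsrr = bytes([IPOPT_LSRR, 7, 4]) + socket.inet_aton("192.168.1.10")
    pkt = build_ipv4("203.0.113.5", "198.51.100.1", lsrr)
    print(source_route_options(pkt), should_drop(pkt))
```

OpenBSD pf, which Z4i mentions later in the thread, already blocks IPv4 packets carrying IP options unless a rule says allow-opts, so a check like this matters mostly behind a consumer NAT router whose handling of source-routed packets you cannot inspect.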
(#23) mfruit, Senior Member (Posts: 291, Join Date: Apr 2009)
07-24-2009, 12:26 AM

Quote (originally posted by Z4i):
Where'd you get that screen capture utility from? >.>
It was Hypersnap.

Quote:
It's easy to not run a firewall when you don't need it, and turn it on only when you need it. So easy that you would have to make a conscious thought and lie to the computer in order to get it wrong. So what's the harm in turning it off when it's appropriate?
Personally I don't feel a performance difference with the firewall on or off so there's no good reason to ever turn it off, IMO.

But obviously everyone uses their machines differently so perhaps some people feel a performance boost from having it off.

In any event, I think your original premise was that you don't need a firewall and I feel that I've presented enough scenarios that indicate, for some people, a firewall is still a very good idea.


Dell Mini 9 | 2 GB RAM | 64 GB STEC SSD | 16GB RiData SDHC
Triple Boot: Windows 7 | OSX 10.6 | XP
(#24) Z4i, Senior Member (Posts: 101, Join Date: May 2009, Location: Tampa, FL)
07-24-2009, 06:41 AM

Quote (originally posted by mfruit):
In any event, I think your original premise was that you don't need a firewall and I feel that I've presented enough scenarios that indicate, for some people, a firewall is still a very good idea.
I never said that nobody needed firewalls, only that under certain circumstances (trusted network with NAT), you don't need a firewall. Obviously for the people you specified, you would need one. Except...

Quote (originally posted by menders):
IP source routing is one method that can be used to access a network behind a NAT router.

Source Routing

Software firewalls are a good idea.
This is exactly what I was looking for, thanks!


The no-consequences-for-hacking-my-box thing is over now.


(#25) unixfool, Member (Posts: 60, Join Date: Feb 2009)
07-24-2009, 11:49 PM

Quote (originally posted by Z4i):
That wouldn't stop the spread of malware. It would stop it from sending spam maybe, but many ISPs block outbound port 25 (I know mine does), and the kind of malware that won't be stopped by a NAT usually doesn't spread via unsecured ports. What you need then is detection and removal far more than you need a firewall.


I'd like to know more about this, as I have NATted boxes on my network I would like to communicate with without port forwarding. What's the technique called? Also I'd like to mention that my Unix boxes that are behind a NAT have never shown any intrusion attempts without DMZ or ports forwarded in their logs.


My OpenBSD box disagrees.
Depending on the nature of the particular piece of malware, even a FW won't stop it. This is why you layer your security (FW, AV, NAT, whatever). Case in point, many people get infected by clicking on things within e-mail that they shouldn't...same goes for web browsers. It's the application layer that FWs won't protect. Some of the companies that I work with have IPSs on the perimeter AND internally. The reason is that there are always internal threats. While your perimeter is protected, there is still the internal network to worry about. We've seen employees bring in laptops from home that are infected with Blaster and such worms, plug into the internal network, and that stuff starts spreading internally like wildfire. There are also such things as SQL injection and buffer overflows against perimeter applications that will enable root/admin privileges...from there, you're pretty much in, unless the FW policy is very tight (meaning there are rules that will allow that particular server to only talk to other machines in one or several ways...a tight policy will not allow a web server on a DMZ to communicate inbound, for example). If this type of stuff can exploit an enterprise security device, it can most certainly do the same with a SOHO router.

About your OpenBSD. I know quite a few people that can pop that box real quick. Never just assume that *nix can't be compromised. The code itself is rock solid, but guess what? You can run Apache or squid on OpenBSD. Security of a particular machine is only as good as the application code that is being used on that machine. OpenBSD has the same vectors as any other OS flavor. I know. I have several BSD boxes, including an OpenBSD one. I'm also a security consultant that can do packet level analysis. Now, one of the cool things about *nix is that it's usually more difficult to compromise compared to Win32/64 OSs since the user accounts have privileges and permissions locked down to where any malware that happens to make it through will only affect that particular user (if that). Another thing is that, by default, the admin account isn't utilized as a regular user account. I don't know if they've fixed that with Vista or Windows 7, but that's a huge deal, IMO, especially for an OS that tends to be buggy as $h1t and is such a target of malware.

Just my .02.


Obsidian Black Dell Mini 9n | gOS v3.1 Gadgets | 1gb RAM | 32gb SSD | 1.3MP camera
(#26) unixfool, Member (Posts: 60, Join Date: Feb 2009)
07-25-2009, 12:06 AM

Quote (originally posted by notladstyle):
wow, a windows pc without a firewall at any time in any location is just stupid.

I can't think of a reason you would want to disable a firewall regardless of the perceived safety of a location. A single compromised computer behind your home network and you will have to wipe & reinstall all of them when they are infected.

as a default, I leave windows firewall on with no exceptions checked. besides gaming, there is no reason to change that setting.
I definitely agree with you on this. To get cocky is to get owned, IMO.

Now, I ran a colo'd Slackware install for a full year without using iptables. I had full root privileges on this box. I hardened the hell out of the install. The ports I had open had ACLs applied to them via tcpwrappers, SSH was open but I was using SSH key-based authentication and was only allowing certain IPs to the service, and I later added a layer-7 IPS to Apache (modsecurity). Later, I began using denyhosts (active blocking using tcpwrappers). It was a good learning experience and partially a proof-of-concept exercise. I also know that while the upstream router was blocking some things, I was pretty much as open to the world on most ports (I still see the Sagevo worm hammering my recent build, for instance).


(#27) Z4i, Senior Member (Posts: 101, Join Date: May 2009, Location: Tampa, FL)
07-26-2009, 08:10 PM

Quote (originally posted by unixfool):
Depending on the nature of the particular piece of malware, even a FW won't stop it. This is why you layer your security (FW, AV, NAT, whatever). Case in point, many people get infected by clicking on things within e-mail that they shouldn't...same goes for web browsers. It's the application layer that FWs won't protect. Some of the companies that I work with have IPSs on the perimeter AND internally. The reason is that there are always internal threats. While your perimeter is protected, there is still the internal network to worry about. We've seen employees bring in laptops from home that are infected with Blaster and such worms, plug into the internal network, and that stuff starts spreading internally like wildfire. There are also such things as SQL injection and buffer overflows against perimeter applications that will enable root/admin privileges...from there, you're pretty much in, unless the FW policy is very tight (meaning there are rules that will allow that particular server to only talk to other machines in one or several ways...a tight policy will not allow a web server on a DMZ to communicate inbound, for example). If this type of stuff can exploit an enterprise security device, it can most certainly do the same with a SOHO router.
I don't disagree, but it's a different environment. There's one point of contact with the public internet, and usually a total of zero servers running, and on your home network you get to say who does and does not get to connect to the network. Like I had been saying, if you know that you have some special needs above that, then you go with what you know you need.

Quote:
About your OpenBSD. I know quite a few people that can pop that box real quick.
You don't know anything about what's running on it, what securelevel it's at, where it is, what version, or how it interacts with the other computers on my network; it's going to be hard to "pop" it real quick unless your method is breaking into my place.


(#28) unixfool, Member (Posts: 60, Join Date: Feb 2009)
07-28-2009, 03:10 AM

Quote (originally posted by Z4i):
You don't know anything about what's running on it, what securelevel it's at, where it is, what version, or how it interacts with the other computers on my network; it's going to be hard to "pop" it real quick unless your method is breaking into my place.
You know, being cocky in general about something that someone can't prove (and that you can't prove) leads to nothing but speculation. OpenBSD isn't the end-all-be-all of a security solution. You have no idea how many people install OpenBSD on their machine then claim they are unhackable...how about explaining how you think your box is invulnerable instead of declaring that you're running OpenBSD and how secure it is. Your claims aren't really offering anything to the thread you started.

There ARE people out there whose job it is to crack into machines (they are called penetration testers, which aren't to be confused with vulnerability assessment engineers), no matter the OS, but of course, the first thing they do is find out what OS the target is running and focus on penetrating the machine by any discovered vectors, or system-/application-specific vulnerabilities. It isn't as hard as you're making it out to be, just because you're using OpenBSD. The minute you add either a non-OpenBSD port or a port that has some 0-day vulnerability, your system's integrity is in jeopardy, no matter what you think. The way you're broadcasting about OpenBSD is almost like someone saying they've put 110 octane gas in their car and they think they're gonna run 9 seconds in the quarter mile...in a Bradley fighting vehicle. Using OpenBSD alone doesn't make your machine hack-proof, and I don't need to know anything about your system to know that.

This isn't anything personal and I hope you don't take it that way, but for some reason, your initial and subsequent posts read to me as a bit condescending, which is probably why you got so many responses that weren't the focus of your actual question. It doesn't bother me, really, but when you put yourself out there like that, you should expect different views of thought and not be so harsh in your responses.


(#29) Z4i, Senior Member (Posts: 101, Join Date: May 2009, Location: Tampa, FL)
07-28-2009, 09:40 AM

Much of the harshness was likely frustration at people telling me I'm wrong but not being able to reason why convincingly or answer my question directly (e.g. giving examples that I had explicitly said 'if this is true then you do need a firewall' as reasons why I need a firewall, or identifying potential attacks that firewalls can't stop as why I'd need a firewall), because while I wasn't consciously trying to be harsh, I was consciously frustrated.

And OpenBSD is currently my firewall (been working on it, that's why I was thinking about firewalls when I made the thread, also part of my network restructure that I was planning anyways). At least it's firewalling my sub-NAT. pf is pure OpenBSD, not a port, and my use of OpenBSD was primarily "My OpenBSD box doesn't need a firewall" because firewalls do not need firewalls. I don't have it running anything else, still trying to make sure my firewall configuration doesn't mess with all the applications I use. It's not 'cause of security, mostly just for my own education. Which is also why I made this thread, 'cause I wanted to learn why NAT wasn't good enough. It's kinda hard to google and get relevant results unless you already know what you're looking for.


Copyright © 2008-2016 MyDellMini.com.