Internet gateway

Discussion in 'Linux Networking' started by eeh, Nov 14, 2005.

  1. http://www.groklaw.net/article.php?story=20051113164717817

    Still trust MS?
    See above.
     
    James Knott, Nov 15, 2005
    #21

  2. I posted an interesting link in another message. Please read that article
    and then come back here.

    MS has on many occasions not bothered to fix a problem or told customers to
    upgrade(?) to the "latest and greatest" version of their product.
     
    James Knott, Nov 15, 2005
    #22

  3. Well, if crappy performance won't make users think again, I suppose security
    risks won't either. I've just started supporting a large customer that's
    running Windows. One of the things that the help desk people have to do,
    is determine how long a computer has been up, when a user calls with a
    problem. If it's been running a week, the first thing they're expected to
    do, is reboot. I have never heard of that being a fix in Linux, Unix,
    Netware or OS/2. My firewall never gets rebooted, unless I'm doing
    something that requires rebooting. The only software change that requires
    that, is replacing the kernel. My previous firewall ran continuously for
    over two years, before I shut it down, when I replaced it with my current
    FW.

    Maintenance costs are much higher for Windows, particularly when you factor
    in lost productivity. Yet people are so used to the problems it brings,
    that they have no concept of reliable computing. I have worked with
    minicomputers, Netware, OS/2 and Linux, in addition to most versions of
    Windows. I can tell you from plenty of experience that Windows is not a
    stable or reliable OS. I can tell you from that experience that Windows
    will often get so fscked up through usage, that a reinstall is necessary.
    I have never seen that with any other OS I've worked with.
     
    James Knott, Nov 15, 2005
    #23
  4. UYA (Understatement of the Year Award)
     
    ynotssor, Nov 15, 2005
    #24
  5. I think the discussion has moved away from my initial query which was
    .... what is the benefit of running a firewall on 'most windows machines
    where there are no servers and the machine is probably not connected to
    any network except for the connection to the ISP'? My point (if I was
    even trying to make one) was that a good anti-virus and
    antispam/anti-adware are just as effective and adequate for ordinary users.
    My challenge (more of a query really) was for a cogent and well argued
    explanation - What is the need for a firewall? as I don't think it adds
    any extra security to such 'commonly configured' machines except to give
    a false sense of security and a feel-good factor to be able to say when
    the OS fails '...fancy that! This virus was really powerful. It broke
    my machine even when it was protected by a firewall'.

    As an aside, I feel I am being put/pushed in a position to defend MS ...
    as if I had said what a wonderful OS it was. I don't think my saying I
    trust MS should be taken out of context. What I meant by that is I trust
    MS to take measures insofar that it will try to remedy the defects in
    its products when bad publicity is causing harm to its reputation (OK
    below zero in some circles!) and affecting its sales figures. Whether
    such measure includes the proverbial solution - upgrade to the latest
    and greatest version - is irrelevant. I hear this from other companies
    as well ... IBM, Novell, Sun including RedHat, SuSE and Mandriva. So I
    will share my sceptical laugh equally amongst all vendors.
     
    ge0rge, Nov 15, 2005
    #25
  6. maybe not _your_ machine, but most windows PCs; read on:

    http://www.techweb.com/wire/security/54201306

    Not surprisingly, Windows XP SP1 sans third-party firewall had the
    poorest showing.

    "In some instances, someone had taken complete control of the machine in
    as little as 30 seconds," said Marcus Colombano, a partner with
    AvanteGarde, and, along with former hacker Kevin Mitnick, a
    co-investigator in the experiment. "The average was just four minutes.
    Think about that. Plug in a new PC--and many are still sold with Windows
    XP SP1--to a DSL line, go get a cup of coffee, and come back to find
    your machine has been taken over."
     
    johnny bobby bee, Nov 15, 2005
    #26
  7. Try running 'netstat -a -n' from a dosbox in XP. Any mention of 0.0.0.0
    means it listens to internet addresses as well.
    Fixing symptoms instead of problems, aren't we?
    M$ has some ports open (default) which accept connections from the
    internet. Without a firewall someone can zombify your computer right
    under your nose. Applications or server-software aside, these "services"
    run regardless.
    It *is* a 'must-have', not becoming one.
    This is because up until about two years ago, M$ totally disregarded
    anything to do with default security. With this I mean that a new and
    clean installation of a M$ OS is default insecure and open to attack.

    For example M$ uses some services that make it possible for windoze
    computers on the network to "talk" to one another. But these services
    aren't protected by keys or something like passwords. They don't even
    have to be on the same subnet. Hence I could "talk" to your machine if I
    know your IP-address, even if you have a different ISP. Are you
    beginning to see the picture now?
     
    Stefan Hartsuiker, Nov 16, 2005
    #27
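The `netstat -a -n` check above is easy to automate. The following is an added example, not code from the thread: it parses a constructed sample of Windows-style `netstat -a -n` output (an assumption, not output captured from any real machine) and reports which sockets are bound to 0.0.0.0, i.e. reachable on every interface, as opposed to loopback-only or single-interface binds.

```python
"""Parse `netstat -a -n` output and flag sockets bound to 0.0.0.0, i.e. listening
on every interface, which is what makes them reachable from the Internet when no
firewall sits in front of the machine."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the format Windows' `netstat -a -n` prints. It is an
# assumption for this example, not output captured from any real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:123          *:*
"""

# Proto, local addr:port, foreign addr:port, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int

    @property
    def scope(self) -> str:
        """Who can reach this socket, judged from the bind address alone."""
        if self.addr == "0.0.0.0":
            return "any"        # every interface, including the ISP-facing one
        if self.addr.startswith("127."):
            return "loopback"   # only processes on this machine
        return "interface"      # only the network that interface is attached to


def parse_sockets(text: str) -> List[Socket]:
    """Return the sockets that could accept traffic: TCP in LISTENING, any UDP."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # header lines, blank lines, "Active Connections"
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue   # ESTABLISHED etc. are existing flows, not open doors
        found.append(Socket(proto, addr, int(port)))
    return found


def exposed_ports(text: str) -> List[Tuple[str, int]]:
    """(proto, port) pairs a remote host could hit without a firewall."""
    return sorted({(s.proto, s.port) for s in parse_sockets(text) if s.scope == "any"})


if __name__ == "__main__":
    for s in parse_sockets(SAMPLE_NETSTAT):
        print(f"{s.proto:<4} {s.addr}:{s.port:<6} reachable from: {s.scope}")
    print("exposed:", exposed_ports(SAMPLE_NETSTAT))
```

The bind address is only half the story: a socket bound to a specific interface address (192.168.1.10:139 above) is still reachable from whatever network that interface is on, which on a directly connected DSL box is the Internet. The script is for netstat's IPv4 column layout only.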
  8. Stefan Hartsuiker wrote:
    ....
    No. Please demonstrate. Talk to my machine and let's see... even using my
    windows machine to post this to let you get at my IP. This may sound
    like a goad but it's because I have not heard a good argument yet except
    you will be sorry. As I said, apart from a normal install and up-to-date
    (as far as MS is concerned) security patches applied, there are no
    servers running on this machine. Now, tell me what you gonna do and how
    and I will tell you if you have succeeded. I am willing to learn a
    valuable lesson but I am unwilling to be frightened into using something
    without a sound, logical explanation and demonstrable steps.
     
    ge0rge, Nov 16, 2005
    #28
  9. I believe my windows machine is just as vulnerable as any machine
    exposed to the Internet. What I don't buy is that a machine which is not
    running any servers is gonna be better protected with a firewall.
    Exactly what is the firewall protecting? Not viruses unless you have one
    of these expensive application firewalls doing stateful inspection and
    the data stream is scanned continually by antivirus software. Even
    then new or variants of viruses get in. Your firewall does not protect
    you against viruses in email, attachment macros, nor protect you from
    spam or adware due to vulnerability in your browser. It is not its job.
    Your run-of-the-mill firewall is simply gonna block all ports except the
    ones you open. But if there is nothing listening at these ports, what is
    the firewall for? maybe listening for the ping of death?
    You simply cannot talk or infect a machine that won't respond.

    It is far better to educate people how viruses, worms and trojans are
    caught by indiscriminate clicking on links and attachments and
    responding naively to social engineering tricks which allow their
    computer to be compromised. Relying on a firewall is good if you know
    what it is there for, what it is doing and most important what else you
    need to do. Relying blindly on a firewall because you are told
    (especially by vendors and marketing people) can be even more dangerous
    .... to your pocket
     
    ge0rge, Nov 16, 2005
    #29
  10. I won't take the bait, but if you google for "windows net messenger
    vulnerability" the second item is
    http://xforce.iss.net/xforce/alerts/id/156. It's old (from 2003), but
    the principle is there. It was a service, enabled by default in all
    versions of windows, that was listening on the network and could be
    remotely exploited. A firewall would have prevented the malicious
    packets from reaching that port. Similar vulnerabilities have existed
    for UPnP and several other MS technologies.
    You forgot the "that you know of" part. Part of what a firewall does
    for you is to protect you from things you don't know. It can also
    limit the damage done if something does slip through your antivirus
    or antispam software. You do understand that it takes time for the
    vendors to issue updates to protect against malware, don't you? That
    time is a window of vulnerability during which you have no protection
    from the AV software.

    A firewall can also prevent malware from "phoning home" and/or opening
    up ports to listen for remote control. Imagine that you are running a
    personal firewall on your machine and you get a pop-up from the FW
    "Program Nastyware wants to contact aaa.bbb.ccc.ddd, do you want to
    allow it?"
    If you don't believe us, how about CERT?
    http://www.cert.org/tech_tips/home_networks.html If you look at
    Section IV, firewalls (#3) come after antivirus (#2) and before
    updates (#7).


    Mike
     
    Michael Zawrotny, Nov 17, 2005
    #30
  11. Michael Zawrotny wrote:
    ....
    You have a point there. Given that MS have now closed these
    vulnerabilities, I take the point back again. However, because of the
    greed and stupidity of software vendors, I would not be surprised in the
    least that the same mistakes will be repeated. So, I give you the point
    back.
    I concede that point as well ... assuming you have a well configured
    firewall and not just a run-of-the-mill install & forget.
    You have two points.
    I admit I would be well chuffed if my firewall did that! Okay, 3 good
    points. Thank God for that! ... instead of the usual you'll be sorry.
    Now, I will have one last say on this topic and shut up as this thread
    is fast becoming a dead horse and there is no point in flogging it anymore.
    I have absolutely no doubt that a firewall is a vital component in
    *network* security and for protecting *server* machines. The assertion
    that it is stupid not to run a firewall regardless of configuration just
    does not make sense to me (but you made 3 good points). For my part, I
    was trying to put across that a firewall does not protect you against
    viruses (which is the principal reason most ordinary people bought into
    this firewall hype) and is, by and large, borne out by warnings I got
    from other posters in this thread.

    So, to set the record straight, I will quote (on the link you gave for
    cert) from their firewall FAQ -
    <quote>
    Firewalls can't protect very well against things like viruses. There
    are too many ways of encoding binary files for transfer over networks,
    and too many different architectures and viruses to try to search for
    them all. In other words, a firewall cannot replace
    security-consciousness on the part of your users. In general, a firewall
    cannot protect against a data-driven attack--attacks in which something
    is mailed or copied to an internal host where it is then executed. This
    form of attack has occurred in the past against various versions of
    sendmail, ghostscript, and scripting mail user agents like OutLook.
    ....
    Nevertheless, an increasing number of firewall vendors are offering
    ``virus detecting'' firewalls. They're probably only useful for naive
    users exchanging Windows-on-Intel executable programs and
    malicious-macro-capable application documents. There are many
    firewall-based approaches for dealing with problems like the
    ``ILOVEYOU'' worm and related attacks, but these are really
    oversimplified approaches that try to limit the damage of something that
    is so stupid it never should have occurred in the first place. Do not
    count on any protection from attackers with this feature.

    A strong firewall is never a substitute for sensible software that
    recognizes the nature of what it's handling--untrusted data from an
    unauthenticated party--and behaves appropriately. Do not think that
    because ``everyone'' is using that mailer or because the vendor is a
    gargantuan multinational company, you're safe. In fact, it isn't true
    that ``everyone'' is using any mailer, and companies that specialize in
    turning technology invented elsewhere into something that's ``easy to
    use'' without any expertise are more likely to produce software that can
    be fooled
    </quote>

    The facile solution - get a firewall - is what I could not swallow. The
    amount of thinking and meticulousness which I see my security admin
    put into his work is what makes me sceptical that your ordinary user can
    derive any benefit from installing a firewall except to give her a false
    sense of security with regards to viruses.
     
    ge0rge, Nov 17, 2005
    #31
  12. [ snip ]
    It's true that a firewall won't protect you from viruses, per se.
    However, the recent malware that has had the largest impact has all
    been worms or had worm-like propagation. That is, it is
    self-propagating, using a direct network connection from infected
    computer to new victim. A firewall with a reasonable configuration
    of not allowing random, non-local machines to initiate the connection
    will prevent that.

    Unfortunately, "virus" get used in ways that are technically incorrect
    when one is communicating to the general public. If I start telling
    my users about the differences between viruses, worms, trojans, etc.,
    their eyes will glaze over and they'll stop listening before I can get
    to the real point.

    In this case the point is that a firewall can help keep worms out and
    from spreading if they get in another way (e.g. by email), prevent
    trojans from phoning home, and prevent the remote control part of a
    trojan from being reached by the bad guy. They may also prevent your
    computer from being a zombie spam bot. A firewall won't, however,
    prevent the ILOVEYOU virus from wiping out files on your hard drive if
    you open it up and don't have an antivirus program running.

    A firewall is not a panacea. It is one part of a good system security
    setup, with other parts being updates, antivirus, etc.

    In one sense it's like physical security. You don't leave all of the
    doors and windows unlocked just because you have a burglar alarm. The
    analogy is valid in that firewalls and locks help to keep the intruder
    on the outside of the perimeter. Antivirus and burglar alarms only
    activate once the intrusion has started.


    Mike
     
    Michael Zawrotny, Nov 17, 2005
    #32
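The policy described in posts #30 and #32 (only the host or a local-subnet peer may initiate a connection, replies to allowed flows pass, a trojan's "phone home" is stopped on the way out) can be shown end to end with a small connection-tracking model. This is an added example, not code from the thread or from any real firewall; the host address 192.168.1.10, the local subnet 192.168.1.0/24, the egress port allow-list and the packet trace are all constructed assumptions.

```python
"""Toy stateful packet filter illustrating the policy from the posts above:
connections may be started by this host or by a local-subnet peer; packets that
belong to an allowed flow pass; everything else from the outside is dropped,
and outbound connections are limited to an allow-list of destination ports."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOST = "192.168.1.10"   # assumed address of the protected machine


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in": arrives from the network; "out": sent by this host
    syn: bool = False   # TCP SYN without ACK, i.e. an attempt to open a flow


FlowKey = Tuple[str, int, str, int]   # (host addr, host port, peer addr, peer port)


class StatefulFilter:
    def __init__(self, local_net: str, egress_ports):
        self.local_net = ipaddress.ip_network(local_net)
        self.egress_ports = set(egress_ports)
        self.flows: Dict[FlowKey, str] = {}   # the connection-tracking table

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        # Orient every packet as (host side, peer side) so both directions of a
        # flow look up the same entry.
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.flows:
            return "ACCEPT"   # reply or continuation of a flow we allowed
        if not p.syn:
            return "DROP"     # stray mid-stream packet: scan, spoof, or stale
        peer = ipaddress.ip_address(key[2])
        if p.direction == "out":
            # Egress control: a trojan "phoning home" on an unexpected port is
            # stopped here even though the host itself initiated it.
            if peer in self.local_net or p.dport in self.egress_ports:
                self.flows[key] = "host"
                return "ACCEPT"
            return "DROP"
        if peer in self.local_net:
            self.flows[key] = "local-peer"   # e.g. file sharing from the LAN
            return "ACCEPT"
        return "DROP"   # a random Internet host trying to open a connection


def demo() -> List[str]:
    """Constructed packet trace (an assumption for this example)."""
    fw = StatefulFilter("192.168.1.0/24", egress_ports={53, 80, 443})
    trace = [
        # 1. the user browses a web site: host opens the connection
        Packet(HOST, 1043, "203.0.113.5", 80, "out", syn=True),
        # 2. the web server's reply belongs to that flow
        Packet("203.0.113.5", 80, HOST, 1043, "in"),
        # 3. a worm on the Internet probes the SMB port: unsolicited, non-local
        Packet("198.51.100.7", 33000, HOST, 445, "in", syn=True),
        # 4. a PC on the LAN opens SMB: local peer, allowed
        Packet("192.168.1.20", 2000, HOST, 445, "in", syn=True),
        # 5. an ACK-scan style packet for a flow nobody opened
        Packet("198.51.100.9", 40000, HOST, 135, "in"),
        # 6. malware on the host tries to reach an IRC-style controller port
        Packet(HOST, 1050, "198.51.100.50", 6667, "out", syn=True),
    ]
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    for n, verdict in enumerate(demo(), 1):
        print(n, verdict)
```

Packets 3 and 5 are what the worm case in post #32 looks like at the wire: the listening port on the host never sees them, whether or not the service behind it is patched. Packet 6 is the crude network-level version of the per-program "Nastyware wants to contact ..." prompt from post #30; a real personal firewall attributes the connection to a process rather than judging by port alone, and a real connection tracker also handles UDP and ICMP pseudo-flows and expires idle entries, none of which this model does.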
  13. Michael Zawrotny wrote:
    ....
    Well put arguments! I accept them ... not so much for the preservation
    of my own machines which I am unconcerned really but as a denizen of the
    net responsible for not unwittingly infecting friends and other people
    alike.

    Have a nice day.
     
    ge0rge, Nov 17, 2005
    #33
