Domain: astaro.com
Stories and comments across the archive that link to astaro.com.
Comments · 38
-
Sophos Too
Sophos Antivirus's AutoUpdate feature flows over HTTP. This has been a known issue since 2013 and Sophos doesn't care.
-
Re:The client performs the installation not the si
Great idea.
I agree, so does my Security Gateway.
Antivirus software is not for surfing the Internet. Antivirus software is for scanning for and removing viruses.
1. My "anti-virus" scans all inbound Internet data -- ergo, I use it while I'm surfing the web.
2. Antivirus software can not be used to remove viruses. How is an antivirus running on a root-kitted system supposed to remove the rootkit? How can you ever be 100% sure that your infected system really is disinfected without scanning from another untainted OS and/or machine? Once you're infected, it's wipe & re-image time...
P.S. Modern bot-nets run silently -- You could be infected right now & not know it. My gateway alerts me to suspicious network activity...
Why should you move functionality from where it makes sense, to where it doesn't?
I can update just the gateway and all machines behind it benefit, instead of having all the machines install new AV signatures.
Granted, I primarily use Linux, but I have several Windows boxes I use for compatibility testing. It's a pain to keep them all up to date (even with VMs & disk images), or to scan them all via net-boot or boot CD periodically. I can avoid the entire mess if I scan all inbound data.
From there, it's just a short step to unmaintainable spaghetti code.
I disagree... It doesn't have to be spaghetti code (really a moot point: No matter how pristine and elegant the code is, it's always one developer away from becoming spaghetti code).
Considering that the alternatives are praying to $deity that MS will patch your systems before they're infected, or keeping a large, invasive, processor intensive AV software suite up to date & running on each machine, I think an external real-time network AV is an elegant solution.
(If performance is needed I place my Fedora system or Game Console in the DMZ).
-
Re:Gaming Router
Agreed, Astaro is an excellent choice.
To get your free copy (10 ip limit) you will need to create a "myAstaro" account, here is direct link:
https://www.astaro.com/user/login
Once logged in you can download the "Astaro Security Gateway" as a bootable ISO, this will install the gateway on your PC of choice (make sure you have two network cards, one for WAN and one for LAN). Please keep in mind this will completely format the PC.
-
Re:Gaming Router
you might want to check out Astaro. There's a free home use license. Traffic shaping lets you cap your p2p bandwidth, or guarantee bandwidth for your voip traffic. It can install on x86 hardware, so plenty of horsepower.
Astaro's web site is http://www.astaro.com/ and their community support forums are at http://www.astaro.org/
It needs a PIII or better, with 512MB RAM or more, but is VERY full-featured... VPNS, SMTP relay, http content filtering and antivirus, QOS,
... -
spam filter using Astaro
use http://www.astaro.com/
- either the appliance (i have not used the appliance yet) or download the software (version 7 has the best features) and use it on a spare computer. i use it at home and work and love it.
specifically re: spam -
I agree with philosophy of earlier poster - gotta take a multi-layer approach, a good firewall / proxy like astaro is just one link.
astaro lets you set up pop and smtp proxies so you can check with their rules and filters (updated daily) and/or your own, plus users get a daily quarantine digest so if something is being held they will know and it can be released (but only by an administrator - so you get to be in the loop if they want the email) - plus you can filter outgoing so as not to propagate if you get infected, plus you can do white and blacklist, plus AV scanning, plus... (you get the idea)
can try it out for free as well. (no, i dont work for astaro - it just has been very useful to me).
r. -
Astaro
We are considering upgrading to a firewall system with high-availability capabilities. Astaro is on the top of our list right now. It's Linux based and is reasonably priced considering the features. I believe they have a "home" edition that you can install on your own machine and use for a limited network for demonstration purposes. Maybe somebody else has used it here and could provide better commenting.
We currently have some old Watchguard fireboxes which have mostly worked well, minus a lockup incident which we believe was related to a dead fan. -
Astaro
http://www.astaro.com./ 'nuff said.
-
Re:I wouldn't do it
You can totally do all that with Astaro
-
Astaro whoops IPCop
The free version of Astaro is much better than IPCop. It's got many, many, more features plus, if you're a home user you can get really cheap upgrades to add IDS, Web filtering, and email antispam/antivirus scanning. I use their commercial appliance where I work and it's great. Common Criteria and ICSA certification - plus it's Linux based.
-
Astaro Firewall works very well
We're using an Astaro Firewall & Spam filter for 100 users. We get updates very frequently, up to 6 times daily, and the results are excellent. On occasion we will find a new spam variant getting through and normally in less than a day that hole will be closed with an automatic update. This is in an environment where some mail users received 300 spams a day. I walked into this situation before I knew how bad it was - Groupwise 6.0 on a Netware 6.0. With the firewall/SMTP proxy solution, we get great spam filtering and we didn't have to touch Groupwise other than to set a smart SMTP host.
-
Astaro
I have definitely become a fan of Astaro. It is not free, but in my opinion very reasonable, and worth the cost in time savings. It works with the built-in windows client, and the thing pretty much installs and sets itself up. They have a free 30-day full featured demo, and the entire thing is free for "home use".
Did I mention I have become a huge fan? or was it already obvious? -
Re:The only rule:
I know this is an AC troll but I'm bored so I'll bite. Congrats AC, you've just proven one of two things. Either you've never worked as a security professional, or you're currently working as one and are soon to be unemployed.
If you run Windows, your shit will get pwned. The only question is when it will happen.
First I have to say, this is exactly the type of language I use when I make recommendations to my CIO. "We need to ripz0r out all these M$ W1nd0ze boxen," I'll tell him. "Or else they'll get pwnz3d and then we'll really be fux0r3d." Yah, that'd go over real well. Besides, a well-maintained Windows server is more secure than a poorly maintained Linux server. The quality of your sysadmins and the working relationship between them and your security team is a bigger factor than what OS the machines are running.
1. The number of users in your organization who are just straight up stupid and will run anything that arrives in their inbox. Stupid users with laptops that they use on their cable/DSL at home and then bring into the office chock full of malware count as two people.
You bring up two valid risks here. There are several countermeasures that are appropriate, but "Calling the users stupid" isn't one of them. A good security professional will first ask questions like "How can I block the unspeakable evils from coming into my users' inboxes?" and "How can I secure the company laptops so they can be plugged into the users' filthy nasty internet connections and stay clean?" That eliminates roughly 75% of the problem, and for the remaining 25% you have your information security policy and security awareness training.
2. The number of users in your organization who are too [self-]important to learn how to use their computer properly.
Or the number of alleged security professionals in the organization who are too lazy and unresourceful to prevent the computers from being used improperly. Don't have the resources to do that? Then get them. Can't get them? Then find a different job. Just not at my company.
The number of users in your organization who are exempt from your security policies because they are too important to be penalized for ignoring them (e.g. the upper-level manager who has full admin privileges on his PC, has LimeWire installed and surfs shady porn sites all day). All of those count as three people.
You should be blocking limewire at your firewall or with an IPS (assuming your company doesn't have a business need to run limewire... hey, it could happen). You should be using a web filtering product to block pr0n. Astaro isn't the best but it's pretty damn cheap. Exceptions to policy should be documented and approved by the CIO as an acceptance of risk. When that manager does something that causes a problem, use it to throw him under the bus. -
Check out Astaro
If you've got an extra computer with a couple nic's, heck even a sub-$500 computer would do, check out Astaro Security Linux. You can get a home use license for free and for around $60 you can upgrade it to include web filtering from Cobion, Spam Assassin based anti spam, and Kaspersky AV for Web/Email - all in a nice neat package. I use the full-blown version with intrusion protection to protect our company's network and short of Checkpoint it's probably the best out there. You name it, it's got it - Stateful packet inspection, VLAN support, DHCP, VPN, etc.
-
Astaro
Check out Astaro at http://www.astaro.com/. Full featured firewall, competitive with Checkpoint, but not 100% free as in beer. Price is certainly reasonable though, plus it's incredibly easy to install and manage.
-
ASL
I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary-- Snort appears an obvious open source solution for intrusion detection but many users may find it lacking in intrusion prevention capabilities.
You can balance FLOSS and proprietary techs with something like Astaro Security Linux. They do appliances or standalone software. -
Astaro
one nice, but not free for commercial use, is Astaro
Grab the disk image, it'll install in about 15-20 minutes and you can try it out.
Home-use is free, too... which makes VPN to/from work a breeze.
-
RE: What is the Best Firewall for Servers?
A cheap/old PC with Astaro Secure Linux firewall, http://www.astaro.com./ You can even download and install it on a test box. There is an excellent online demo so you can also evaluate it.
-
cheap - almost free
Make sure the software-based firewall is turned on at every Windows XP machine--make sure everything's at WinXP SP2; the firewall isn't half bad.
Use the built-in Win2k3 firewall.
Install Astaro on an older PC as a _real_ firewall "appliance" - it is VERY good.
http://www.astaro.com/
-
A bevy of choices
http://www.astaro.com/
http://www.m0n0.ch/wall/
http://www.clarkconnect.org/
those few and some unused hardware will get you going. -
In other news...
RedHat and Astaro Security Linux have merged to become Red Ass Linux
All welcome our Red Ass overlords! -
Astaro
I use the Astaro firewall on an old pentium machine as a firewall.
I use a linksys WRT54G (un-mod'd at this point) for wireless.
90% of the machines in the house are macs now. Any intel/athlon that's left is running some flavor of linux.
The last ibook purchase became the 'general' family computer. It replaced the last windows machine I had.
If you've never tried Astaro, I highly recommend it. It's free for home use. And it's based on Linux. A nice http management interface, and it's easy to VPN into so your family can connect remotely.
-
Re:set-up benchmarks?
It really depends on what the rest of the hardware in the box is. AMD's (especially K6-II/III and Duron) CPUs tend to be seen as the low cost alternative and put in a box with a cheapo mobo, cheap mem and everything that goes with it, more often than Intel's CPUs. This is just my observation in dealing with a lot of SMEs, some who go all out and some who try to save where ever possible.
Shining example. We run an Astaro firewall for one of our clients. At first they didn't have a machine available, when we wanted to start it as a proof of concept. We used one of our own boxes standing around the office, a Duron 800mhz on a PC-Chips board with SiS everything onboard, 512MB SD-RAM running at 100mhz. This PC worked quite nicely, and load never went past about 0.90
Later they retired one of their desktops to be the Astaro box. It's a P4 core 2Ghz Celeron, Intel board, 512MB SD-RAM (at 133Mhz). Load is constantly on 5.0. We've swapped out everything on that box, except the CPU. Even with a DDR board, it's still running at an excessively high load.
Another example. I have an AthlonXP 2400+ on a SD-RAM board. A friend of mine has a 3ghz HT P4 with DDR333. He helped me once make ogg files of various quality of a movie's sound to compare. The P4 was only a fraction faster per file than the Athlon. Encoding two files at a time, we expected the P4 to be much quicker overall, but despite the HT, the Athlon was actually quicker per file. The encoding time per file stayed the same (time divided by two files), while on the P4 it took longer per file if we did two at a time.
This doesn't mean that the Athlon is always a faster CPU. My friend's gaming is a bit smoother, and he compiles KDE for example quite a bit quicker too. It's just that the performance depends entirely on what you do, and what quality hardware you use. If you put an Athlon on a good motherboard, it will kick arse. If you put a P4 on a crab board, it will suck. -
Re:I blame 'Microsoft only' consultants for this.
A DMZ that runs through a 3rd Network card on an Astaro Linux box does it for us here. We would never allow someone to just bring their laptop on our internal lan all willy nilly. If they want to play a game, of some sort or another then you will have to do it through the internet and connect to a public server or a private one we setup in the DMZ like every other slob out there.
Sorry those be the rules, don't like it use dial-up at my place.
-
Re:hardware firewalls / nat routers
I have had better luck with Astaro. The built in SOCKS server and Anti-Virus email protection help lots.
-
Astaro Much Better
Personally, I've used Astaro Security Linux for a long time since moving from Smoothwall, and I find it far superior.
It's of course free for home use, runs on anything down to a P100, and all the up2date is handled by Astaro themselves.
Hell, they even have FREE evaluation webinar-live-workshops for people to get acquainted with Astaro if they are new (and presumably to help with a purchasing decision for business) You can sign up for the Eval Workshop for free here.
When they release their version 5, I hope it gets the same kind of publicity, they are hands down the coolest internet firewall and don't seem to get much press. -
Resources
You should probably look at lwn.net/Distributions/
Specifically, lwn.net/Distributions/index.php3#secure and possibly also the special purpose distros (mini, floppy, cd, whatever).
Engarde, Immunix, and Openwall are all designed to be secure platforms for server or firewall development.
If you want something small, you might look at LEAF or Coyote or Wolverine. Coyote is free, Wolverine is $30-$120 depending on which license you need.
Personally, I'm using Astaro (free for personal use). It seems to be well designed from a security perspective (everything is chrooted, etc.), but it is not easy to customize the web interface, etc. A 'pluspack' is downloadable which includes gcc, etc, or you can compile on RedHat if you have the right versions of all the libraries.
-
Re:Home Linux Firewalls
Don't forget about Astaro Security Linux... I've been happily using it as a firewall box for quite a while. A bit more robust than IPCop and Smoothwall in my experience. I'll have to check out ClarkConnect though, looks interesting.
-
Re:Whatever doesn't crash me...
-
Re:Wrong again
ie, write me an iptables rule that stops all GIF images from being loaded from an arbitrary website.
iptables -I INPUT -j DROP -p tcp -s 101.102.103.104/32 --sport 80 -m string --string "GIF89a"
OK, that's a bit brutal, and it could do with a "only match between byte ranges xx and yy of the stream", but that'll come, I'm sure (besides, you said "all GIF images", and it's as hard to do that completely [i.e. including GIFs embedded in other file types such as .doc and .tar] and solely with iptables as it is with INSPECT - using a filtering proxy would be a better approach).
My point was that although you can do that sort of thing with INSPECT, I know of precisely one person at one organisation from my former employer's entire European customer base who's done that. And they went through a fair bit of pain when they wanted to upgrade from 3.0b to 4 because of that and the changes in the layout of the standard INSPECT code between 3.0b and 4. (They ended up abandoning their custom INSPECT cleverness when they upgraded, due to lack of migration support from CheckPoint, if I remember correctly).
Oh, and no CVP helper for FW-1 that I've ever used, used INSPECT to help out with stream disassembly and recognition. They only used the equivalent of netfilter's ROUTE or DNAT targets to provide the equivalent of a transparent proxy implementation.
I've been using and supporting FW-1 since 1998 and I don't deny that it's a pretty solid product, but it's overkill and overpriced for most users. Similarly, there's very little to defend the hack described in the original story; if you've already got Nokia IPxxx hardware and a FW-1 license, either use it to run FW-1, or sell it and buy a Dell with the proceeds to run Linux+iptables or BSD+[i]pf instead.
Finally, if you want enterprise management of Linux+iptables, you're probably best off going with something like ASL plus Solsoft NP.
--
-
Symantec (Raptor/Axent) Firewall != Linux
The Symantec firewall formerly was known as "Raptor Firewall" or "Axent Raptor Firewall". It is a hybrid firewall with quite a number of transparent security proxies, whereas Linux machines "only" do stateful plus maybe (standard) proxies for only a limited number of protocols. For a class overview see http://wyae.de/secure_gateway/gateways.php
In my experience the Raptor is(was) quite good and not really comparable to a custom linux machine or off-the-shelf linux firewall (e.g. Astaro) - though I like the latter, too. It's playing in a completely different (IMHO higher) class.
The Raptor's SPs are among the most stringent I know of - but can be a real pain to pass through for nearly-compatible stuff. The Notes SMTP gate was infamous for being rejected by Raptor because of RFC-noncompliance...
Apropos "maintenance-free": no firewall is maintenance-free. Never. You'll always have to have a look at the logs, at unusual behaviour, etc. The only difference here is whether you have to care about building software patches yourself or to have a company do that for you. But the load of necessary maintenance work still is to be done. If you ignore that, you'll pay the price, probably earlier than later... -
Summary of mentioned firewalls, and a question
It looks like a lot of the Linux-based firewalls I've seen recommended here use ipchains with the 2.2 kernel instead of iptables with the 2.4 kernel. As far as I understand, this would mean they can't do connection tracking for things like FTP and IRC. Here's what I'm able to figure out so far...
Firewalls using iptables with 2.4.x kernel:
- Astaro Security Linux: kernel 2.4.x
- BBIAgent: kernel 2.4.13
- ClarkConnect: iptables, kernel 2.4.9-31 (RH 7.2)
- Trinux: iptables, kernel 2.4.x (Slackware)
Firewalls using ipchains with 2.2.x kernel:
- Coyote Linux: kernel 2.2.19
- IPCop: kernel 2.2.x
- LEAF/LRP/Dachstein: kernel 2.2.19
- Mandrake SNF: kernel 2.2.19
- Smoothwall: kernel 2.2.19
Firewalls using ipfwadm with 2.0.x kernel:
My question is, isn't it best to use an iptables-based firewall on a 2.4.x kernel instead of an ipchains- or ipfwadm-based firewall on a 2.2.x or 2.0.x kernel? I definitely want the connection tracking capabilities in the 2.4.x kernel, especially for screwy things like FTP, IRC, etc. (Yes, I know there is an IRC connection tracking patch out now for 2.4 kernels...) Is a kernel that doesn't support connection tracking for firewalls a reasonable option these days? -
Astaro Security Linux
This firewall is free for non-commercial use and has a web interface to boot. I've used this for sometime now. It supports VPN, incoming/outgoing email virus scan, IP accounting and routing. It will even update itself on the fly if you want. Here is the link: Astaro Security Linux
P.S. - I do not work for these guys, I am just impressed by what they offer. -
Re:firewall replacement
-
Another firewall product: Astaro
Astaro seems like an interesting product. It too is based on Linux (GPL) and sports a firewall, IPSEC, PPTP etc. I have downloaded the ISO but haven't installed it yet since it insists on wiping the harddisk. Seems reasonable but I'll have to find a test machine first ;-).
There's also a support community.
Some companies such as Pyramid are reselling Astaro with hardware and support.
-
Good router solutions
This is an awesome linux-based router solution that I've setup for clients in the past. Just like most OSS, whenever there's a vulnerability, they fix it fast, and you don't have to pay for a CCNE.
Astaro Security Linux
-
Re:Can I get your opinion on these firewalls?
Huh. This is so off-topic and provocative that I will be nice to you.
Firstly, if you want to ask a question, and there is no relevant story at the time, go to the "Submit Story" link that you can probably see in the top-left corner below the Slashdot title. Choose "Ask Slashdot" in the Topic and Section drop down menu.
Now in response to the question, my answer would be to do a lot more research. Many of the best firewall systems are in fact free. Open source firewalls generally mean more peace of mind. Linux and BSD are both great for running firewalls. An example of a free Linux distribution made specifically for firewalls is Astaro Security Linux. There are many other Linux distributions usable as firewalls. These will generally give you more security than any Windows based firewall, at a much lower total cost of ownership.
Apologies to the Slashdot community for this reply to an off-topic post.