Domain: watchguard.com
Stories and comments across the archive that link to watchguard.com.
Comments · 32
-
Re:Hosts avoid DNS totally
You said
7.) Protect vs. DNS amplification attacks
No, hosts files do not prevent DNS amplification attacks. These attacks do not depend whatsoever on the configuration of your computer. These attacks are performed from outside your network. Here's how it works:
1. I send a packet to a DNS server on the internet, let's say 8.8.8.8; this packet requests a large amount of data, like a request for the whole DNS database. This packet also has spoofed your address as the requesting address.
2. You receive a large amount of data.
3. You have just been taken off the Internet due to repeated use of this attack. Congratulations, your hosts file is now useless as you have been DDOSed, and if you are lucky, your Internet router hasn't fried from the overload.
This is not a benefit of hosts files. Take it off your list. DNS amplification attacks are not attacks against a DNS server, they are DDOS (Distributed Denial of Service, in case you didn't know) against an internet connection. Your hosts file will be utterly useless when your ISP is receiving 7 Gbit of traffic destined for you; not many people have that kind of connection.
More information:
http://www.watchguard.com/info...
If you aren't a security professional, don't act like you know what you are talking about, as it makes you look very foolish. If you are a security professional, read up on this stuff, as it could save your career.
DNS amplification attacks were recently replaced by NTP amplification attacks. These attacks can take down even large ISPs. Your hosts file won't help you there either. Recent NTP amplification attacks can and have pushed more than 100Gbit of traffic using just a few NTP servers.
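The mechanism the comment describes, viewed from the defender's side: the reflected responses arrive whether or not the victim ever consulted DNS, so the place to notice them is the network edge, not a hosts file. This is an added example, not code from the thread; the flow records are constructed and the thresholds are illustrative.

```python
"""Spotting a DNS amplification flood in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed sample. 203.0.113.5 is the victim: it sent one real query to
# 8.8.8.8 and received one answer. Every other port-53 flow is a large response
# it never asked for, sent by open resolvers that were queried with the
# victim's address spoofed as the source.
SAMPLE_FLOWS: List[Flow] = [
    Flow("203.0.113.5", 44512, "8.8.8.8", 53, 64),      # legitimate query
    Flow("8.8.8.8", 53, "203.0.113.5", 44512, 140),     # its answer
    Flow("198.51.100.10", 53, "203.0.113.5", 1025, 3800),
    Flow("198.51.100.10", 53, "203.0.113.5", 1026, 3800),
    Flow("198.51.100.23", 53, "203.0.113.5", 2048, 4100),
    Flow("192.0.2.77", 53, "203.0.113.5", 3001, 3650),
    Flow("192.0.2.77", 53, "203.0.113.5", 3002, 3650),
    Flow("192.0.2.78", 53, "203.0.113.5", 3003, 3650),
]


def classify_dns_responses(flows: Iterable[Flow], victim: str) -> Tuple[int, Dict[str, int]]:
    """Split port-53 traffic arriving at `victim` into bytes that answer a query
    the victim actually sent and bytes that answer nothing (keyed by resolver)."""
    flows = list(flows)
    # A response is solicited only if the victim sent a query to that resolver
    # from the port the response is addressed to.
    sent = {(f.dst, f.sport) for f in flows if f.src == victim and f.dport == 53}
    solicited = 0
    unsolicited: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.dst != victim or f.sport != 53:
            continue
        if (f.src, f.dport) in sent:
            solicited += f.nbytes
        else:
            unsolicited[f.src] += f.nbytes
    return solicited, dict(unsolicited)


def is_amplification_flood(flows: Iterable[Flow], victim: str,
                           min_bytes: int = 10_000, min_resolvers: int = 3) -> bool:
    """Alert when unsolicited DNS response volume is large and comes from several
    resolvers: reflection through many servers, not one chatty one."""
    _, unsolicited = classify_dns_responses(flows, victim)
    return sum(unsolicited.values()) >= min_bytes and len(unsolicited) >= min_resolvers


if __name__ == "__main__":
    solicited, unsolicited = classify_dns_responses(SAMPLE_FLOWS, "203.0.113.5")
    print(f"solicited bytes: {solicited}, unsolicited bytes: {sum(unsolicited.values())}")
    print("amplification flood:", is_amplification_flood(SAMPLE_FLOWS, "203.0.113.5"))
```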
-
Names and unicode
Anyone developing software needs a clue about names, and about unicode and text encodings.
http://www.kalzumeus.com/2010/...
http://www.joelonsoftware.com/...
(Then learn lots, lots more about text encodings).
Also, whether or not they use SQL directly, about metacharacter attacks and SQL injection:
-
Ideas
Some suggestions for you:
Watchguard firewalls are all multi-wan capable and are nice units. If cash is an issue and you have an old box lying around, run PFSense.
-
Doesn't take a genius
Just some basic understanding of the networking stack. You can easily arp spoof to create a MITM attack against users on a common subnet.
http://www.watchguard.com/infocenter/editorial/135324.asp
-
Re:How many idiots for it to go this far?
>using it for porn is worse as the risk of malware is higher
There's a reasonable doubt that she used it for porn, if we can go by the newspaper article.
How many people here have had to clear off a relative's machine that was infested with unclosable unwanted popups? Is there anyone here who doesn't know about stealth-installed adware that inflates traffic figures by visiting a zillion sites in short order?
Anyone who doesn't know about that phenomenon should view the Watchguard video about drive-by downloads.
-
Watchguard
At work we use a Watchguard java applet, which I don't particularly like, but it does the job as you describe. We use it to restrict users/workstations to our own websites and limited tech support sites.
To enable this access on the client PC, the user opens IE, goes to a local page that contains the applet, and enters their password in the applet. As long as that window is open in the background, they have access to the allowed sites.
I don't deal with the server end myself but I think it comes in hardware or software flavours.
-
Re:System should be safe
Why are we ruling out elevation of privileges from there on? Sure, you would need a different vulnerability coexisting. Not that you have to get root access to annoy or do a lot of damage anyway...
-
Re:I think linux actually has an edge...
Probably a Cisco box rather
This Cisco link is a bit of a stretch, but there are lots of other examples where you are correct, like:
Watchguard
Image Stream
LinkSys
and others like Astaro, SnapGear, D-Link, SofaWare...
-
Re:What's wrong with windows firewall
if they wanna be cheap something from watchguard will do or a strong nokia/cisco solution if they want a proper high end system.
-
Security appliances
I've been working since 1998 on network security and tested a lot of firewalls. My recommendation: Use hardware appliances like Juniper NetScreen (http://www.juniper.net/products/integrated/), Fortinet (http://www.fortinet.com/) or WatchGuard (http://www.watchguard.com/). All of them are >US$100 but that may be the best deal comparing the price to the US$100 per machine you're asking.
-
watch guard
I recommend looking into Watchguard. It uses Linux.
-
Re:Avoid the application
or get the developer to do that for you.
Don't laugh. It is probably not as hard as one would think:
Compile using WineLib.
I'm learning this myself, but the crux of the matter is that although I am learned in perl, I am not in C, so I'm a bit ahead of myself. I really need to go back and learn C, then jump forward to trying to help companies out of precisely these kinds of messes.
I'm going through this right now trying to convince WatchGuard that they need to do a compile of their Firebox manager for Linux, FreeBSD, and maybe even MacOS X using DarWineLib. They won't hear any of it. :( It really sucks. They have an awesome Linux-based firewall, but it requires Windows to configure...wtf?
-
Re:stop moving!
Actually, at DefCon they do this. It's called the 'Running Man' (check out this story: Click!). It looks pretty cool...
-
Wasted time..but at least I made money
I started using a feature that WatchGuard has on their website called ClickAware within 2-3 days of our big "security" speech at some of our clients.
We spent 4 hours discussing spyware, attachment best practices, viruses, adware, malicious sites and policies on installing web apps.
Shortly afterwards, using the ClickAware site, we send out fake e-mail with ( my personal favorite ) the "Install this Microsoft Patch" message with a phantom 241K attachment.
I can then view the click rate and match the clicks to the internal IP browsing logs to see who's been a bad boy/girl/it.
I'm stunned most of the time when not but 3 days after a rather lengthy, yet energetic, discussion, some 70% of the people ( of 122 e-mails ) actually clicked on the phantom attachment and saw the "If this was real you would be in trouble" message.
As the subject says, I feel like I am wasting my time in performing these security meetings but hell, I'm getting paid for it.
I know there will be the obligatory ( you must suck as a teacher then ) comments but it would be good to see if anyone else has experienced the same thing after doing security discussions with their employees.
-
Similar, but different ...
On a similar note, Watchguard has a firewall line called the X Series which has different models, all of which are identical hardware. Your licenses open up additional features, including enabling the three additional ethernet ports which are disabled by default. Something about that doesn't seem right to me, but they're not the only ones doing it.
-
Do it right: Use hardware...
Use a hardware firewall, or a decent router with a firewall built in, instead of depending on something that's software-based. That way, the nasties are stopped before they even get to your computer.
I've not had personal experience with them, but others I've spoken with have had good luck with Linksys and D-Link. For my part, I've always depended on our Watchguard Firebox II to handle things.
Granted, such a unit is well beyond the cost range of most home setups (unless you get a phenomenal deal on it used, as I did). However, before I had the Firebox, I was part of the Beta testing team for the Zyxel 'Prestige 312' combo dual-Ethernet router/firewall. The 312 has been discontinued for some time now, but it performed like a champ for me.
If I were going to pick another unit today, I would look at Zyxel's ZyWall 100 series, or something similar. They're quite a bit less expensive than Watchguard's products, and I see no reason they shouldn't work just as well.
If the 100's a little too costly for you, the entire ZyWall series comes in a variety of sizes from 1 on up. The number usually designates the number of VPN connections the unit allows.
If you're a DIY'er, you can, of course, just get hold of a spare PC, stick a couple of NICs in it, load it up with FreeBSD or some such, and turn it into a router/firewall.
The bottom line is that I don't believe any purely software-based firewall can ever be as secure as one that's hardware-based, and dedicated to the purpose of just being a firewall. I certainly don't trust Uncle Bill or Symantec to do it right (witness the problems you've already had).
Happy hunting.
-
A few suggestions
I'm going to assume that the Windows system at home is some kind of workstation, in addition to being a data repository of some kind, and that based on your comments, you need secure, remote access to this system. I'm also assuming that you want to maintain the confidentiality, integrity, and availability of your data.
Some of my suggestions are processes. Some of them are specific technologies or products. In order of increasing complexity (and ridiculousness), do the following:
- Regularly backup your data and store the copies off-site. CD-R is cheap and readily available. Safety deposit boxes are easy to lease.
- Don't use wireless networking.
- Install a hardware firewall capable of acting as a VPN server, e.g. the Watchguard Firebox SOHO 6tc. Set it up "default deny" for traffic inbound from the Internet.
- Enable automatic critical operating system updates. If you don't trust your vendor
- Install a modern anti-virus package and schedule automatic daily updates and nightly scans.
- Install a modern anti-spyware package and schedule automatic daily updates and nightly scans.
- Set a schedule to check for updates to the software packages you regularly use, e.g. Office.
- Restrict access to web sites, e.g. by using IE's security zones feature, a JunkBuster proxy, certain firewalls that include popup blockers, etc.
- Encrypt sensitive data, e.g. with PGP, with Windows EFS; store the escrowed recovery keys on separate media in a sealed (frangible) envelope in your safety deposit box.
- Enable VPN access.
- Configure and use a one-time password system for all authentication to this system, e.g. RSA SecurID, S/Key.
- Locate the system in an EM-shielded enclosure. Light is also a form of EM.
- Install a small thermite bomb inside the computer case that will slag the hard drive if someone physically tampers with the system. The old electromagnet-in-the-door trick won't work reliably.
- Cut the power cord off the computer. Bury the computer under six feet of concrete.
:)
-
Re:Prior art?
For it to be considered prior art, your appliance has to predate January 28, 2000 (date the patent was filed)
I remember using Watchguard Webblocker feature before 1999, and it did pretty much what was described by the grandparent post.
-
Everyone is picking on LinkSys....
..what about the others.
There are a few other hardware vendors that use Linux and, to my knowledge, do not release the source. The first that comes to mind is Watchguard. They make the Firebox firewall which uses the 2.2x kernel and a whole bunch of other highly modified stuff including Watchguard specific modules that almost certainly need to be LGPLed at the least. I have not formally requested the source from them, but I don't see it on their site and it doesn't come with their software CD-ROM.
-
Re:Appliances?
You seem to be missing the point. "Network Appliance" doesn't mean "Toaster with a RJ-45 port", it means "Dedicated computing device". Domestic and Corporate customers are buying single-purpose, dedicated appliances like mad. Security appliances. Network-Attached Storage appliances. Search appliances. And so forth.
When you want to do one job, and do it well, a dedicated piece of hardware almost always wins out over a general-purpose computer. Can a PC with 2 NICs and the appropriate software do everything a high-end router can do? Sure it can. Then why do people buy dedicated routers? Because they are more reliable, have better performance, consume less power, and are simpler to administer. It's the same reason you have a toaster and an oven. A toaster does one thing: it converts bread into toast easily, reliably, and efficiently. You can't cook your Thanksgiving turkey in the toaster, but that's why you have an oven. You can make toast in your regular oven, but it takes more power, it's easier to burn it, and it's far less convenient.
-
"What more could you possibly want?"
An embedded, dedicated solution?
Don't get me wrong, though I've personally not used a BSD as a firewall, I know people who have, and they're happy with it, completely happy. But I really prefer something which was built from the ground up to be a firewall and ONLY a firewall.
I've worked extensively with the Sonicwall devices, and I've also heard some good things about the WatchGuard Firebox series. Then again, if you want to go gung ho all out and out, you can get a Cisco PIX.
Basically, for me, it boils down to having a specific device for a specific job, as opposed to having a general purpose piece of software running on commodity hardware for a specific job.
-
Make them "kind of" separate
The best way to maintain security in this type of situation is to create logically separate networks. This doesn't mean that you have to buy completely new network equipment and never have the two networks touch.
What you need is a firewall with multiple interfaces. You could go commercial and buy something like a Watchguard Firebox or set up a cheap linux box and use a pre-packaged linux firewall like IPCop or SmoothWall where you just boot off a cd and install/configure a Linux firewall.
What you end up setting up is a DMZ. You would have a "Trusted" interface that could be your private library network, a DMZ interface that could be your public access network, and an external interface that is your connection to the Internet.
You could set up the IPs as 192.168.0.0/24 for the trusted, 192.168.100/24 for the DMZ, and use your external ip segment for the external. You still can use all of the same network hardware that you have in place.
Hope this helps.
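The three-zone layout above (trusted, DMZ, external) expressed as a default-deny policy, with the equivalent iptables FORWARD chain rendered from it. This is an added example, not the poster's configuration: the address ranges are the ones the post gives (192.168.100/24 read as 192.168.100.0/24); the interface names and the DMZ services exposed to the Internet (TCP 80 and 443) are assumptions made for illustration.

```python
"""Three-zone firewall policy: trusted / DMZ / external (added example)."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

ZONES: Dict[str, ipaddress.IPv4Network] = {
    "trusted": ipaddress.ip_network("192.168.0.0/24"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}
IFACES = {"external": "eth0", "trusted": "eth1", "dmz": "eth2"}  # assumed names

# Which zone pairs may open new connections. Anything not listed is dropped
# (default deny), so a compromised DMZ host cannot reach the trusted LAN and
# the Internet can only reach the DMZ on the published service ports.
# None means any destination port / protocol.
POLICY: Dict[Tuple[str, str], Optional[Set[int]]] = {
    ("trusted", "dmz"): None,
    ("trusted", "external"): None,
    ("dmz", "external"): None,
    ("external", "dmz"): {80, 443},   # assumed public services
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the two RFC1918 nets is external."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def allowed(src: str, dst: str, dport: int) -> bool:
    """Decide whether a new TCP connection src -> dst:dport may be forwarded.
    Reply packets of established connections are handled by state tracking in
    the generated rules, not by this function."""
    pair = (zone_of(src), zone_of(dst))
    if pair not in POLICY:
        return False
    ports = POLICY[pair]
    return ports is None or dport in ports


def iptables_rules() -> List[str]:
    """Render POLICY as an iptables FORWARD chain with a DROP default."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for (src, dst), ports in POLICY.items():
        base = f"iptables -A FORWARD -i {IFACES[src]} -o {IFACES[dst]} -m conntrack --ctstate NEW"
        if ports is None:
            rules.append(f"{base} -j ACCEPT")
        else:
            for p in sorted(ports):
                rules.append(f"{base} -p tcp --dport {p} -j ACCEPT")
    return rules


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
```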
-
110 pieces a day
Hmm, let's see, you receive 40k pieces of spam per year, that comes down to about 110 a day. So what you're saying is, you can run
/., but don't have the skillset to just set up an SMTP proxy to filter all that crap? If you're gonna be lazy about it just get a Firebox and let it do it for you.
-
Immersive Technology Direction
CAVE technology in general is making rapid advances, and *home versions are in the making, particularly for gaming. Up until now the Beckman Institute had a 4 screen version, which is great. Although a 6 screen version is better, that too will be outdated within years.
Anyone attending SigGraph 2000/01 probably couldn't miss the elumens "little" home caves that you sit in [it looks like a big soup bowl sitting on its side and it ROCKS!!]. Check it out here. Although it only provides 180 degrees, the immersive effects are great, and there are no corners. This was also created by a former NCSA employee of the Immersive Environments Group. For 20k you can own the technology today.
People like Rajlich who created the multiuser Quake are also exploring bringing CAVE/immersive tech. to the home gamer.
Clustering Linux boxes may be a cheaper alternative to SGI (takes 1 RealityMonster? per screen), but obviously it is difficult using any computer to get them working in sync to be able to render 4-6 screens 10x10 ft. 3000 some times/sec. Linux and applications are making great advances, and the market will shift away from SGI. VRCO.com has already ported the CAVEGL to Linux, allowing you to run VR apps using the cave graphics library on top of OpenGL. 6 screens is great, but in several years this won't be a big deal.
The AIM LAB@UIUC, headed by the ultimate VR guru John Schmits, and the Morrill I Digital Library are working on bringing this type of technology to libraries (immersive workstations you sit in, quickly and efficiently allowing you to find your resources). Studies have shown that we learn better and are more used to a 3d environment [debatable]. Surgeons use it to allow remote multi-user teachings of the temporal bone using CAVE environments. With all the uses of Immersive technology popping up, you won't see 6 sided caves, but rather spheres you walk into, providing the best VR. As the Legendary Donna Cox puts it, the future is in multi-user VR immersive environments in which avatars congregate for business and pleasure. Multi-user gaming is also driving the technology very quickly, so don't be surprised to see more posts on VR and its uses...
VRdot.org???
***GREAT firewalls are so hard to find***
-
Re:Old PC
I think you misunderstand. Rather than pay the cable/dsl company for additional global IP addresses, you had to pay the firewall people for additional local IP addresses (192.168.x.x type addresses). Some are still at it (half-way down the page: "Network up to 10 computers together (upgradable to 50)").
Faced with $500 for a solution with a built-in limitation or $200 for an old 486 running Linux, I chose Linux. As I said, things may have changed in the last year and Linksys may now provision up to 255 PCs for no extra cost, in which case I have no idea why anyone would buy the WatchGuard SOHO product.
-
WatchGuard
I've always found the WatchGuard series works well. Especially the SOHO product.
Sure, an old PC with *nix on it is cheaper, but this is quieter and requires less power. It's got a browser configurable setup, serves DHCP, allows for 10 users expandable to 50 users (4 ports, but you can daisy chain another hub off it) and is self updating.
A pretty cool unit for a home network. They also sell units for 100+ users, for small to mid size offices.
-
Re:examples please
Like many products, watchguard is running embedded Linux. Like most embedded Linux products, they don't bother to tell you that. Which is understandable, since to the average user it does not matter what the underlying OS is!!! Do you ever wonder who wrote the software in you microwave? No, you just expect it to work, with minimal intervention by you. That's why embedded devices are ideal for the other 50% of people out there who don't care to learn how to install software on a PC. One of the biggest mistakes techies make is the assumption that since computers seem trivial to them, they should be easy for everybody to understand. But let's face it, guys -- 99% of the world doesn't think like you do. Case in point: a friend of mine was talking to a secretary, who was talking about how things tend to go from bad to worse. He remarked, "Well, you can't get around the second law of thermodynamics!" In response, she just stared at him, then turned and walked away. Now, his comment made perfect sense to me, but 99.5% of the people out there would be saying "What the f**k are you talking about!"
-
Getting started with securing your home LAN
Hi,
I've found my home LAN to be relatively secure. I started with these two things:
One) Purchase a WatchGuard SOHO Firewall/Gateway device. Only $350 at Outpost.com (free overnight shipping!). This little beauty does DHCP and NATs your LAN as well. You can plug 5 machines directly into it, or extend it with a hub. There is also a VPN option if you want it. It is configurable via a web interface, and can basically upgrade itself from their website.
Two) Start running iptables on the 2.4 Linux boxes, and ipchains on the 2.2 boxes. Here is a version of the firewall.sh script that I run to configure iptables to keep the box reasonably safe, without going overboard.
-
Linux firewall appliance
I use the Watchguard SOHO. It's a small, modem sized box that runs a modified version of Linux with a web interface. The biggest drawback about this unit is its lack of rule configuration options (by default it allows everything out and nothing in), and you can only specify 5 or 6 port forwards for things like HTTP, DNS, SMTP, etc.
-
Re:IPO signals end of a community-friendly RedHat?
All of the things you describe are possible, but are they really likely? Red Hat's S-1 makes it abundantly clear that their continued success as a business depends on the goodwill and active assistance of people they don't even employ.
The Linux community is very, very effective at creating a public reactions crisis on the Internet for any company, and a company that has just gone public and hasn't established much of a track record is extremely vulnerable to any bad news. There will be thousands of day traders out there who won't necessarily react even-handedly to any bad news, and a lot of them use altavista, excite, or hotbot as their primary research tools.
If an event like Rasterman's resignation happened after Redhat was publicly traded, his letter and the resulting entertaining threads on Slashdot probably would have slammed their stock price.
I'm sure we'll get to see working examples of this in the near future. Stay tuned.
David Bonn, CTO, Watchguard Technologies
-------
"I'll shoot beer cans, but only in self-defense" -- Edward Abbey