Slashdot Mirror


How Are You Protecting Your Computers?

b0m8ad1l asks: "I'm wondering what AV, software/hardware firewalls Slashdot readers are using these days. I remember another Ask Slashdot a long time ago, but I'm curious as to how everyone is keeping up with the times. I'm using Kaspersky AV, Sygate Personal Firewall Pro, behind a Netgear RP114 router."

13 of 193 comments

  1. Not much. by Anonymous Coward · · Score: 1, Interesting

    I don't bother with a software firewall. They're pretty pointless, as long as you have a hardware firewall.

    All of my machines are behind a Linksys WRT54G. The windows machines have Spybot, Adaware and Norton installed on them.

    Never had a problem. Ever.

  2. Home setup by consolidatedbord · · Score: 5, Interesting

    Yes, it's a bit of damn overkill for a home setup, but you can never be too safe. :)

    -cable modem->linux 2.4 kernel router running iptables
    -norton antivirus corporate edition
    -Microsoft Software Update Services for the Windows boxes
    -iptables for the Linux boxes
    -ntop and snort for traffic monitoring
    -I have a WRT54G that I don't use for routing anymore, just as a bridge. Anything that I use over wireless is done over ssh. Host connection, bank account checking, email, vpn to work, etc.
    -various other utilities to monitor tcp/ip traffic
    -good old fashioned obsessive tailing of logfiles along with vgrep
    :)

    --
    while true ; do echo this is my sig; done
    1. Re:Home setup by LordDartan · · Score: 2, Interesting

      Concerning using tail on log files. I read at one time that it's possible (maybe even easy??) to put an exploit in a log file (you know what gets logged with httpd, so it's easy to get what you want in a log file) that causes an overflow and for the exploit to run. I don't remember where I read that, but ever since, I just use less and hit > to go to the end of the file.

    2. Re:Home setup by Kronovohr · · Score: 2, Interesting

      I think what you're referring to is the return of the ANSI bomb -- there have been several patches to programs such as less and vim to prevent this from occurring, but your recollection is correct; you can place certain control sequences in output messages (I'd imagine a wide-open syslog would be relatively simple) that, when displayed via certain terminals and/or certain programs, could cause command execution with the privileges of the user.

      Here is the result of some quick googling on the subject.
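
Added example, not part of the thread: the control-sequence risk discussed in the two replies above, handled from the viewer's side by making every control character visible before a log line reaches the terminal. The sample log lines are constructed, and the function names are this example's own.

```python
import re

# Code points a terminal may act on instead of displaying: C0 controls
# other than TAB, DEL, and the C1 range (U+009B is a one-character CSI).
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f\x80-\x9f]")


def neutralize(raw: bytes) -> str:
    """Return a log line as text in which no control character survives."""
    # Undecodable bytes (a raw 0x9b, for instance) become literal \xNN text.
    text = raw.rstrip(b"\r\n").decode("utf-8", errors="backslashreplace")
    # Remaining control characters, embedded CR/LF included, are spelled out.
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def scan(lines):
    """Return [(line_number, safe_text)] for lines that needed neutralizing."""
    report = []
    for n, raw in enumerate(lines, 1):
        safe = neutralize(raw)
        plain = raw.rstrip(b"\r\n").decode("utf-8", errors="replace")
        if safe != plain:  # something was escaped: control char or bad byte
            report.append((n, safe))
    return report


# Constructed sample input (not taken from any real log).
SAMPLE_LOG = [
    b'192.0.2.10 - - [01/Jan/2005:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 512\n',
    b'192.0.2.77 - - [01/Jan/2005:10:00:05 +0000] "GET /\x1b[2J\x1b]0;title\x07 HTTP/1.0" 404 0\n',
    b'192.0.2.78 - - [01/Jan/2005:10:00:09 +0000] "GET /caf\xc3\xa9 HTTP/1.0" 200 90\n',
]

if __name__ == "__main__":
    for number, safe_text in scan(SAMPLE_LOG):
        print(f"line {number}: {safe_text}")
```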

  3. Not much by dtfinch · · Score: 2, Interesting

    I have a 5 port d-link router set up as a NAT, the cheapest I could find. After purchase I set the password and upgraded the firmware. That's the extent of my firewalling.

    Most of my email and browsing is done in Mozilla. Never got infected through Internet Explorer or Outlook Express though. I have a Linux PC and a Windows XP PC running side by side. I don't use antivirus software and I don't get viruses or spyware.

  4. Re:You forgot the web browser (Firefox) by venomkid · · Score: 3, Interesting

    Well, you could go so far as to say (correctly) that by inviting any data into your computer, you're less secure. Even by plugging in a network cable and letting it sit there you're less secure.

    "Scripts or not" doesn't help when something like the recent GDI debacle occurs.

    The trick is in finding a balance that keeps you safe enough from attack but open enough to do what you want to do.

    So far, considering how fast they put out updates and how many exploits the leading browser has, I think Firefox does a pretty good job of this.

    --
    vk.
  5. Re:vmlinuz by NanoGator · · Score: 3, Interesting

    "I don't know what you mean by "suddenly disappear" (it certainly wasn't in reference to anything I stated in my post)."

    I apologize if I have misinterpreted your meaning, but your post does read that way.

    "If you run Linux (or OS X, which you left out in your reply), your odds of being cracked/spywared drop low enough that it's not really worth fretting over--even if you don't turn on the built-in firewalls (which are infinitely superior to the Windows built-in firewall)."

    I left out OSX only because he cannot install OSX on a Windows machine.

    As for the odds being low, that doesn't really help, does it? You still have to regularly install updates to Linux and the apps you run on top of it, Mozilla for example. I found this out myself. Buying all of Slashdot's hype that Linux is secure, I built a Linux webserver for my company. 2 weeks later it was rooted. Our newly hired Linux expert had to rebuild it 'securely'. Thankfully for them, they had him on hand to clean up the mess caused by my incompetence.

    "So while you may be playing the pedant card and using language that is "technically correct", you have added more confusion than clarification to the issue. I hope you don't mean that Windows, Linux, and Mac OS X are all equally crackable. If you aren't careful, you can end up with a cracked XP system during the install process, what a joke!"

    My only real point is that you have to be vigilant either way. It's a question of whether or not it's 'worth the fuss'. Interestingly enough, Windows' highly publicized insecurity has led to some interesting developments such as auto-updating virus protection and Windows Update itself. If Linux doesn't have these, it needs them, especially when it reaches enough users for worms etc to really be an issue.

    I'll put it another way: I'm a Windows user. I have several machines I have to take care of. I don't have problems with exploits, trojans or spyware. Once in a great while something will come along. I take care of it, bfd. I spent more time building the ill-fated Linux/Apache server than I have in a year of maintaining exploit-related Windows problems.

    --
    "Derp de derp."
  6. Old PC running Devil-Linux boot CD-ROM .. by torpor · · Score: 4, Interesting

    .. which also doubles as my Squid proxy/cache and DNS machine ..

    Gotta say, I love the bootCD firewall solutions. Pretty darn hard to beat ...

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  7. Re:K.I.S.S. - always been and always will be best by CaptainCheese · · Score: 3, Interesting

    IPSEC can be brute-forced and/or dictionary attacked, just like anything can... and IPtables are the same, if the cracker can assume any necessary IP address and remain addressable. Whereas a net based attack must come from a correctly addressed (even if it's a compromised 3rd party) machine, or the packets will simply never return to the attacker.

    You are comparatively safe with IPsec, however this is just because five people down the block don't know what it is, making them a softer target.

    Anyone who really wants in to a cable based LAN has to find a place to jack in, and you're fitting a metaphorical socket to your front door.

    Of course, any external networking connections are inherently insecure compared to none - physical security is the best security layer, but I doubt many /. readers are using that policy.

    --
    -- .sigs are a waste of data...turn them off...
  8. Why TightVNC? Other questions. by Futurepower(R) · · Score: 3, Interesting


    Many questions:

    Why did you choose TightVNC? Why not RealVNC, UltraVNC, or TridiaVNC?

    Is it better to pay for VNC software, like Tridia VNC Pro or Radmin? Which software has video resolution scaling of the remote desktop?

    What security is best? Is it good to use a VPN for secure access, or is SSH better? What Windows SSH server do you use?

    What VPN hardware is best? We bought a NetGear FVS318 hardware firewall/router/VPN for a customer, and discovered that the remote administration password is openly transmitted. We found that logging out in the remote administration menu didn't always actually log out. We found Javascript errors. With the 2.4 firmware, more than one client can be logged in at the same time. That situation, two clients at the same time, would give an error message with the 2.3 firmware, so things seem to be going backward in some ways, in firmware that is already shaky. Our experience with Netgear technical support is that it is very limited. On the telephone we got someone in Tamil Nadu, India, who was allowed to practice for a short time with Netgear equipment, but who doesn't any longer have access to actual equipment. The online tech support just gave error messages. Not only that, but Fry's and Netgear arranged a rebate trick. They have a very long rebate receipt, and ask you to enter your address both at the top and at the bottom. If you don't enter it at the bottom, they deny your rebate.

  9. OpenBSD by missing000 · · Score: 2, Interesting

    While no OS is good enough to ignore security issues on, OpenBSD comes damn close. You couple it with a good firewall policy and the chance of someone getting inside the default install is virtually nil.

  10. truly wonderful firewall by nusratt · · Score: 4, Interesting

    -- Agnitum.com's "Outpost" firewall, with all kinds of free plug-ins which let me control -- on a PER-DOMAIN basis -- things like scripts, activeX, java, referrers, etc. Also controls those things separately for http vs mail vs news.
    Tried it on trial, liked it so much I paid for it. :o

    -- McAfee VirusScan, because I got it free (corporate) and it seems to work ok.

    -- on another system, english.mks.com.pl "mks_vir", which has recently been favorably reviewed for its dynamic adaptability to not-yet-signatured new threats.

    -- SpyBot, AdAware

  11. Re:Ok, fine, I'll bite... by Penis_Envy · · Score: 2, Interesting

    I have to respond. The parent was correct. It's amazing seeing what people do to run windows, and what I've had to do in the past.

    You say you seriously doubt anyone has done a fresh install of distro-of-choice and not spent time tweaking things to get the system fully usable. Then you go on to say you're hoping to build your first linux box.

    I think you'll be pleasantly surprised, depending on what distro you choose. Someone below mentioned OpenBSD, and that's a good recommendation. I think you'll find that a fair amount of the unix-y environments start you off at a solid base, and allow you to build up. This is in contrast to whenever I have the (in my opinion, of course) displeasure of dealing with a windows install, where I have to tear down and build up.

    No, not all distros are the same. Sometimes they have annoying services listening on all interfaces, like cups or lprd. That's one of the reasons why OpenBSD is nice. It starts you off with a good base from which to build up. I have recently switched to the excellent ubuntu distribution from debian sarge. I am pleasantly surprised by the fact that very few services are listening by default, so there's really not all that much to do to "secure" the box (at least from a basic point of view). In fact, when I installed ubuntu over debian, I kept my old home directory, so there was no tweaking to get my desktop how I want it. I guess you could do the same with windows, but it's a pain to mess around with the registry to point to a different location/drive for users' home folders. All I have to do is mount the old volume as /home and it works fine.

    Not only that, but the installation of new software is tremendously easier for the unix-y domain, at least debian, where apt-get is very good at solving your problems. No cds to look for, no keys to look for, makes it all very easy. So I think you're making a kind of incorrect blanket statement based on your experience with windows (it seems).

    That said, I prefer the old tiny personal firewall, but only the old version (2 or 3?) as the new one doesn't have as nice an interface. It seems to barf a fair amount when installed on XP, so I'm actually shying away from that these days. You didn't say which version of windows you're using. I've been using the virus scanner from etrust, free to valid microsoft users: ezarmor. It seems to work okay, and it's free. It also includes a firewall of sorts, but I don't recall being very impressed, so I installed tpf again. AV gets rather expensive, rather quickly. I purchased the symantec AV/Firewall suite for something like $50. As always, there's a linux NAT box protecting it all, allowing easy port forwarding. I've also used the linksys wrt54g and it seems to work okay. It's available pretty cheaply now, and allowed me to reduce the number of crud that clutters up the gf's apartment.

    Anyway, I wish you luck with your new linux box, and I think (once you get used to it) you'll find it pleasantly surprising.