Just How Paranoid Are You?

An anonymous reader writes "We all understand the need for security in a corporate environment. Personal computers, however, typically don't have nearly the amount of sensitive information (or it's at least less damaging if found). How far do you go to protect your computer? I recently went overboard on securing my information (at least as secure as Windows XP can be). I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume. How far do you go to protect your information against 'Big Brother' or even your family/friends?"

Physical access!

[BWJones]

The most critical item any computer security professional will tell you to take care of: Physical access. If you have a concern, this is your first line of defense and in fact, most top secret installations have considerable resources dedicated to physical access. Next down the line in terms of security risk will be issues related to physical access that again most top secret installations have resolved by disallowing any removable media in or around secured systems. After that comes any issues of network security because your greatest security risk is internal access.

You should not be carrying any sensitive work related items or data home, but if you have personal stuff (or a home business with IT critical information) you wish to secure, short of establishing a computer "vault" with limited access in your home (actually had one once for a project I was working on), you need to start with a secure OS. This does not mean Windows, unless you can afford a "hardened" version and are skilled at management. In fact, I would say from your question that all of the things you are already doing are the absolute minimum if you are using Windows. If you are truly this paranoid and keep sensitive info on your personal computer, and you obviously have a connection to the Internet, it should also mean, physically removing the Internet connection from your computer at times when you do not need it. Multi-casting OS capable machines like certain flavors *NIX are helpful here, so you dont have to deal with Windows network wizard every time you connect back up (if you use certain settings for your network). Wireless should be a no-no as well. IF you are really (read pathologically or are doing something quite illegal) paranoid, you could also build a Faraday cage around your room and charge it to reduce risk of TEMPEST related probes, but again if this is a concern, someone simply breaking in (again access) is often easier and cheaper.

When you are actually connected to the Internet, a hardware firewall is an absolute necessity. Network address translation will help limit some attacks. And aside from all the other things you are doing (strong passwords, encryption etc....), I would strongly urge you to constantly pay attention to your logs. Your most important data will be gleaned from the logs in terms of who is attacking, their strategies for attacking, when and where.

Re:Physical access!

[drinkypoo]

Hardware firewall? What, it's built all from gates and has no code on it? There's no such thing. A linksys befsr41 is a "hardware firewall" because it's a dedicated firewall appliance, right? It runs Linux. A PIX 520, that's a hardware firewall, yes? They cost a lot new and they come in a 4U case. Woops, it's an intel PC.

A firewall that's not on a trusted host, that's a necessity. It doesn't really matter if it's a Nokia box or monowall, what matters is that you configure it correctly and keep it updated. I'm thinking about setting up a transparent bridging firewall so my wall doesn't even have to have IP addresses.

Re:Physical access!

[jakupovic]

Ok, I'm gonna bite how about http://www.ntcompatible.com/thread29224-1.html

basically "netsh interface set interface name="Local Area Connection" admin=DISABLED"

Re:Physical access!

[crazyphilman]

When I think of "hardware firewall" I think of a device which stores its software and rules in static ROM which (hopefully) can't be flashed from the LAN side. This is more secure because A) it's not a machine you're actually working on, and B) there's nothing really THERE except for the operating software, and that would be kind of tricky to hack, C) it can be set up so that nobody can really initiate anything from the LAN port anyway.

What I do at my apartment is this:

I have a hardware firewall the size of a paperback book, a D-Link that's fully patched, with rules that won't allow any incoming traffic and which logs everything I didn't initiate and periodically emails me the logs when they fill up;

My computer is a mil-spec Panasonic CF-28 laptop, water resistant and shockproof, with an armored LCD and a silicone-mounted hard drive in a stainless steel caddy;

My operating system is Slackware Linux which I've hardened. It isn't running any services anyone can try to connect to, and it's running a paranoid iptables firewall which drops all packets I didn't specifically ask for, logging everything sneaky. It's fully patched, and I have different accounts I use for accessing the internet and doing other work (if I'm going to program or write, I disconnect the ethernet cable and log in with my other userid).

I use an up to date Mozilla or Firefox exclusively, and I have software installation disabled (I only enable it when I'm going to get something from the Mozilla site).

For mail, I use kmail, set up so it doesn't automatically display HTML -- I have to choose to view HTML if I know the sender.

I *think* I've thought about just about everything, but who knows? Of course, if something weird happens, I've got good backups so I can rebuild my system in an evening.

Careful with swap and temp files

[homer_ca]

"and all remotely personal information stored on a 256bit AES encrypted volume."

Windows will leave temp files all over the place and your pagefile could have any data that was kept in RAM. The superparanoid run Linux w/ an encrypted root partition and Windows inside a VM from an encrypted disk image.

My security system

[einhverfr]

Physical access is a concern. But I work from home and have my servers here (my business is currently home-based). So simple things like locking doors etc.

The first question is how you identify what threats you are protecting yourself from. My list includes viruses, script kiddiez, and the occasional person who has moderate resources and wants to break into my network. I am not too worried about tempest probes because the it would take a lot of time to get enough information off my systes this way to be of use, but I am more concerned about vandalism and damage.

So here are my mechanisms:

1) Keep door locked when not at home.
2) Hardware firewall on old Acer Advantage. Kernel does not support loadable kernel modules (which makes it a pain to change a network card, as the kernel must be recompiled). Firewall runs IPTables and logs most denied traffic.
3) Daily and monthly reports of firewall activity are sent to my inbox via cron and FWReport. FWReport leans towards false-positives, bit it gives you an idea of what "may" be happening.
4) Remote access requires SSH and public key authentication. Remote access is not possible via password.
5) Email servers run Qmail.
6) Most servers are jailed.
7) Most logs are set to "append only"
8) Servers run minimal configurations with a minimum of extensions. For example, Apache does not run any modules not currently required.
9) Windows is not generally allowed on the network.