Not understanding half of it is neither unusual, nor a problem. What *is* a
problem is getting each half mixed up, such that the bit you actually don't
understand is in fact the bit you thought you did understand.
In my experience.
:-)
Piers
-----Original Message-----
From: Chuck Norcutt [mailto:chucknorcutt@xxxxxxxxxxxxxxxx]
Sent: 18 January 2014 03:24
To: Olympus Camera Discussion
Subject: Re: [OM] [OT] Firewalls and other (mostly Linux related) network
security questions
Thanks, Scott. I'll cogitate on this one for a while too. (actually
probably a double or triple while) since I don't understand half of it.
Chuck Norcutt
On 1/17/2014 7:59 PM, Scott Gomez wrote:
> This has been an interesting thread. A couple of observations I might
> add, without reference to the specific questions:
>
> My experience, so far, with open sourced (i.e. Linux) and closed
> source products (Windows and Mac) has been that known security
> vulnerabilities are often fixed within hours of being found, as
> opposed to weeks (Microsoft) or months (Apple). Certainly not always
> true, but definitely more often true, in my experience.
>
> You can't save modifications to a Live CD version after creation of
> the CD.
>
> One of my reasons for choosing Fedora over Ubuntu as my personal
> flavor of Linux OS is the presence of SELinux. Left on (which many
> people do not, as they believe it interferes with "ease of
> installation" of software later) it provides an added layer of
> security against unauthorized changes. So far, since much earlier
> versions than current, I've not had any issues in installing anything
> I need from Fedora's repositories when using Fedora with SELinux
> fully enabled.
>
> There is a tendency among more novice users of Linux who have come
> from the Windows world to turn off many built-in protections in order
> to make Linux work "more like Windows". This is a seriously bad idea.
> Better to invest some time reading to learn *why* Linux is telling you
> you can't/shouldn't do something, then do it correctly.
>
> There have been a few articles lately about many, many versions from
> many manufacturers of "home routers" being quite easily compromised,
> as the out of the box configuration is insecure. Learn the router.
>
> Inexpensive switches may provide decent port-to-port isolation, but
> they're still all on the same LAN. An inexpensive mid-grade switch or
> a refurbed or used high-end switch provides much better control, and
> can allow you to create your internal network with VLANs to keep
> routine traffic and financial traffic separated. Additionally, many
> newer switches support creation of ACLs (Access Control Lists) that
> prevent unwanted traffic between systems even on the same VLAN.
>
> $0 for a pfSense download plus an old otherwise useless PC with two
> ethernet ports will provide you the ability to handle much better
> firewalling than you can get from a "home router". After installing
> and verifying operation on the default configuration, start by closing
> nearly all ports outbound, and only open what you need. It's very easy
> to not only open the ports you need, but also to restrict different
> types of traffic to only being able to contact specific IPs on the
> outside. The same is true for inbound traffic.
>
> But mostly, I happen to think that simply switching from Windows to
> Linux--and not screwing with the Linux install--will more than handle
> most issues regarding financial transactions on line for most folks.
> Password compromise on the site due to lousy passwords or reused
> passwords is a far more likely occurrence. Password length, for
> example, provides far better password security than complexity of
> short passwords.
>
> ---
> Scott
>
>
> On Fri, Jan 17, 2014 at 2:48 PM, Sandy Harris <sandyinchina@xxxxxxxxx>
> wrote:
>
>> On Fri, Jan 17, 2014 at 10:18 AM, Chuck Norcutt
>> <chucknorcutt@xxxxxxxxxxxxxxxx> wrote:
>>
>>> Moose's last post about building a new fire-breathing computer and
>>> equipping it with the Zone Alarm firewall causes me to ask a
>>> question that has been on my mind the last couple of weeks.
>>>
>>> Independent of OS and real/perceived vulnerabilities do we really
>>> need software firewalls if our machines are talking to the internet
>>> through a router? One of the functions of a router is to hide our
>>> real IP addresses from the outside world.
>>>
>>> (1) Assuming we haven't deliberately established ports for
>>> peer-to-peer connections (?) are we not safe from outside probing
>>> given that we're hidden behind the router?
>>
>> Yes, but with exceptions.
>>
>> First, there might be an attack on the router. Among the things
>> Snowden revealed were a number of those from NSA's TAO (Tailored
>> Access) group. The ones I've read about were for high-end routers
>> used in corporate & gov't networks. but there may be some for lesser
>> routers as well.
>>
>>> (2) If not, what function does the software firewall provide that
>>> the router doesn't?
>>
>> It is basically the other way round; a router or other hardware
>> firewall can do things that software cannot. Still, defense-in-depth
>> or belt-and-suspenders are good ideas; using both is OK.
>>
>>> (3) Is the distinction even important now that most security
>>> breaches are passing through our browsers? (maybe Apple guys should
>>> pay attention?).
>>
>> Yes.
>>
>>> Now some other security related questions having to do with Linux
>>> because, after following "Krebs on Security" recently
>>> <http://krebsonsecurity.com/> , I've become paranoid about doing
>>> banking and financial transactions on Windows. According to Krebs
>>> and others the most secure way to operate is by using a Linux
>>> distribution on Live CD. Since the CD is not writeable the OS cannot
>>> be modified.
>>
>> The downside of that is that neither OS nor browser can get updates,
>> including security upgrades.
>>
>>> My wife's old Dell laptop is still running XP and needs to be
>>> replaced with something more modern. My thought was to repurpose the
>>> old laptop as a dedicated Linux machine whose only purpose is
>>> financial transactions and the only websites it ever visits are
>>> those of the financial institutions.
>>
>> I'm a Linux user and trust it more than I would Windows. Here's an
>> old post of mine on a foreigners-in-China forum on the differences:
>> http://raoulschinasaloon.com/index.php?topic=2460.0
>>
>> The key here, I think, is having a dedicated financial machine.
>>
>> However, given that, I'm not entirely certain a Linux system is going
>> to be noticeably more secure than a carefully managed Windows system,
>> starting by wiping it, re-installing Windows fresh and doing all of
>> Microsoft's updates.
>>
>>> But I have a few questions about such a configuration.
>>> (4) Since a Live CD is not writeable how is configuration data saved
>>> (such as URL favorites for the browser and other stuff)? Does that
>>> not require at least some other small storage device? How is it
>>> selected?
>>> (5) That question doesn't arise if Linux is installed on a USB
>>> memory stick or flash card on USB adapter. That should also improve
>>> boot time but seems to undo the security of the unwriteable Live CD.
>>
>> Yes. It would be possible to build a file with the required bookmarks
>> and include it on the CD, but I doubt that would work well over the
>> long term.
>>
>>> I had thought that maybe an SD card could be used with its write
>>> protect switch set to prevent writing but my understanding of that is
>>> that it's not really a hardware prevention but a software convention
>>> providing no real security. Anyone know for sure?
>>
>> My understanding is that is hardware, but I could be wrong.
>>
>>> (6) If the Linux machine is residing on a (mostly) Windows LAN is
>>> the Linux machine still vulnerable through the LAN?
>>
>> Some attacks, like getting other machines to monitor what the Linux
>> box does or sabotage it with bogus network traffic, are possible, at
>> least in theory. They don't even need Windows; a Postscript printer
>> is capable of running them. That said, they do not look likely unless
>> your opponents are both professional and determined.
>>
>> If it is a wireless LAN there are other problems. Avoid that if possible.
>>
>>> If so, is it possible
>>> to isolate the Linux machine by installing it behind a second router?
>>
>> Yes, or just on a different router port.
>>
>>> If so, how are two routers installed behind a single cable modem?
>>> Can one simply install a switch and plug both routers into the switch?
>>
>> The more usual setup would be one router with a switch either built
>> into it or placed behind it. Most switches manage the traffic so one
>> client cannot see things sent to another client. Check the switch
>> manual and try a web search to see if there are attacks on the
>> switch, but in most cases a switch should give adequate isolation.
>>
>>> (7) Am I overly paranoid?
>>
>> No.
>> --
>> _________________________________________________________________
>> Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
>> Archives: http://lists.thomasclausen.net/mailman/private/olympus/
>> Themed Olympus Photo Exhibition: http://www.tope.nl/
>>
>>
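The pfSense advice in Scott's message (install, verify the default configuration works, then close nearly everything outbound and open only what is needed, pinning some traffic to specific outside addresses, with a VLAN keeping financial traffic apart from routine traffic) can be written down as a pf ruleset. The block below is an added illustration and is not from the thread or from the pfSense project; pfSense normally builds its rules from the web interface, but the underlying policy is pf, so pf syntax is used here to make it concrete. Interface names (em0, em1, a tagged sub-interface em1.20 for the finance VLAN), the two internal subnets, and the resolver and bank addresses are all placeholders taken from documentation ranges and would have to be replaced with the real ones.

```pf
# Added example of a default-deny egress policy for a two-port pfSense box
# with a separate finance VLAN. Names and addresses below are assumed
# placeholders (RFC 5737 documentation ranges), not real endpoints.
wan_if = "em0"
lan_if = "em1"
fin_if = "em1.20"        # assumed: finance VLAN as a tagged sub-interface

lan_net = "192.168.1.0/24"
fin_net = "192.168.20.0/24"

# The only outside hosts the finance VLAN is ever allowed to reach.
resolvers = "{ 192.0.2.53, 192.0.2.54 }"
banks     = "{ 203.0.113.10, 203.0.113.11 }"

set skip on lo0
set block-policy drop    # silently drop rather than send RST/ICMP

# Hide both internal networks behind the WAN address, as a home router does.
nat on $wan_if from { $lan_net, $fin_net } to any -> ($wan_if)

# Weak setting (effectively what a fresh install and most home routers do):
#   pass out quick on $wan_if all keep state
# Corrected: deny everything in every direction and log it; later rules
# then open only what is needed.
block log all

# The two internal networks never talk to each other, whatever follows.
block in quick on $fin_if from $fin_net to $lan_net
block in quick on $lan_if from $lan_net to $fin_net

# Finance VLAN: DNS to the chosen resolvers and HTTPS to the banks, nothing else.
pass in quick on $fin_if proto udp from $fin_net to $resolvers port 53 keep state
pass in quick on $fin_if proto tcp from $fin_net to $banks port 443 \
    flags S/SA keep state

# Routine LAN: DNS to the same resolvers, web, mail submission/IMAPS, NTP.
pass in on $lan_if proto udp from $lan_net to $resolvers port 53 keep state
pass in on $lan_if proto tcp from $lan_net to any port { 80, 443, 587, 993 } \
    flags S/SA keep state
pass in on $lan_if proto udp from $lan_net to any port 123 keep state

# Traffic that survived the inbound-interface rules above, plus the
# firewall's own connections (package updates), may leave via WAN.
pass out on $wan_if keep state

# Deliberately no "pass in on $wan_if": unsolicited inbound traffic from the
# internet falls through to "block log all".
```

The order matters: in pf the last matching rule wins unless a rule says `quick`, so the inter-network blocks and the finance-VLAN passes are marked `quick` to make them final, while the routine-LAN passes are ordinary rules that simply override the initial `block log all`. Checking the policy after loading it is as simple as trying, from a finance-VLAN host, to open a site that is not in `$banks`; the attempt should hang and a drop should appear in `pflog`.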