
'always on' security measures.

N/A

'always on' security measures.

F9, and other ISPs, are pushing to sell ADSL.

However I see no advice to customers on taking measures to secure these always-on static-ip connections! I am not technically literate in these matters, but I would guess these connections are at somewhat of a greater risk to probing than a dial-up dynamically-allocated ip account.

Any knowledgeable folk (f9 or others) willing to offer advice here?

regards
<a f9 customer>
16 REPLIES
N/A

'always on' security measures.

My connection is through cable modem with NTLHome and is "always on".

I installed Norton Internet Security. It includes a firewall which tells me when I'm under attack, blocks it and allows me to trace the source of the attack. It was less than £50 and well worth the money.

Lately, I needed to hook a laptop and the desktop PCs together and so I installed a Belkin Cable/DSL router (it allows 4 PCs to be networked and handles the sharing of the internet connection between them). This seems to have blocked all attacks (i.e. Norton no longer kicks in - the hub just rejects stuff).

Finally, don't hold your breath waiting for f9 staff to reply here, they don't monitor this forum.

Andy.
N/A

'always on' security measures.

You're right: always-on (or "nearly always-on" as cyteck reminds us now and then) systems do offer more convenient targets for the bad guys.

My own approach is to do much of the security stuff at some remove from my own PCs. A bit like the castles of old: the main thing to be protected is the keep (my PC or network of PCs), but you don't let potential enemies come right up to it, you install a moat and a high wall some distance away with the intention of holding and defeating the enemy there. For me, this means using an ADSL router with built in firewall, packet filtering and NAT, which are pretty much standard features for them these days. Other people might use an old PC and install products like IPCop (http://www.ipcop.org/) or SmoothWall (http://www.smoothwall.org/) and connect their ADSL modem or router as the front end to this, and their PCs behind it. Although both IPCop and SmoothWall are essentially specialised Linux systems, once installed, they can be configured from a web browser operating on your Windows PC.

The perimeter defences - the moat and wall - are intended to stop intruders at some distance from you, but you may also wish to use software running on your PC itself (in terms of our analogy, putting up a decent door on the castle's keep; or, to use another analogy, it's a "belt and braces" approach). Recent versions of Windows provide the Internet Connection Firewall (ICF) which can be activated from Network Connections by right clicking on the particular connection you're interested in (say, a dial-up profile), selecting properties, and then the Advanced tab. You'll see an option for the Internet Connection Firewall which you need to select in order to "Protect my computer and network by limiting or preventing access to this computer from the Internet".

Trouble is, ICF doesn't do exactly what it says because Microsoft doesn't make any distinction between the Internet and an Intranet. In other words, if you run a little home network and activate ICF on an Ethernet adaptor, none of the other PCs on your network will then be able to access it. As Microsoft says in its help on this: "You should not enable Internet Connection Firewall (ICF) on any connection that does not directly connect to the Internet. If the firewall is enabled on the network adapter of an ICS client computer, it will interfere with some communications between that computer and all other computers on the network." However, the software does allow you to add service definitions which to some extent allow you to get round this.

None of this software, though, will protect you from a different threat (and for that matter, neither will temporary connections): trojans, or software which you download and bring onto your system yourself, but which unknown to you is up to no good. For example a common assumption with firewalls is that any connection originating from inside your network going out to the Internet at large is OK and does not need to be stopped. On the other hand any connection request originating from outside and coming in to you is considered bad and is dropped (you can configure incoming connections on specific ports, such as to allow access to a web server, for example), but in general connections are established from inside, not from outside. A trojan defeats this thinking, for you bring it into your system, from where it can now establish a connection from inside your network to its home outside, to send back information, or even download further files from "home" on your system.

I'm not sure that there's an easy answer to trojans - perhaps someone else can offer some advice on this! Certainly be aware of them, and be very careful about what you download. But, as I say, they are a potential problem regardless of whether your connection is permanent or temporary, although a temporary connection will obviously make it more difficult for them to "phone home".
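The firewall assumption described in the post above, as an added example that is not part of the original thread: a toy stateful filter that drops unsolicited inbound packets and allows anything initiated from inside, run once as a perimeter-only device and once with a per-application outbound allow list of the kind personal firewalls use. The addresses, program names and class names are constructed for illustration, and NAT address translation is not modelled.

```python
"""Toy model of the inbound/outbound firewall rule (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

LAN_PREFIX = "192.168.0."  # assumed private LAN range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    program: str = ""  # local program owning the socket (known only on the PC itself)


@dataclass
class StatefulFilter:
    """Default-deny inbound, allow outbound, remember flows started from inside."""
    open_ports: set = field(default_factory=set)  # inbound ports deliberately exposed
    allowed_programs: Optional[set] = None        # None means no outbound control
    flows: set = field(default_factory=set)

    def decide(self, p: Packet) -> str:
        if p.src.startswith(LAN_PREFIX):          # connection leaving the LAN
            if self.allowed_programs is not None and p.program not in self.allowed_programs:
                return "BLOCK-EGRESS"             # a personal firewall would prompt here
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        # Inbound: accept replies to flows we started, or deliberately opened ports.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ALLOW-REPLY"
        if p.dport in self.open_ports:
            return "ALLOW-SERVICE"
        return "DROP"


# Constructed traffic: documentation-range addresses, hypothetical program names.
TRAFFIC = [
    Packet("203.0.113.9", 4000, "192.168.0.10", 139),                    # unsolicited probe
    Packet("192.168.0.10", 1025, "198.51.100.5", 80, "browser.exe"),     # normal browsing
    Packet("198.51.100.5", 80, "192.168.0.10", 1025),                    # reply to the browser
    Packet("192.168.0.10", 1026, "203.0.113.66", 6667, "freegame.exe"),  # trojan calling out
    Packet("203.0.113.66", 6667, "192.168.0.10", 1026),                  # reply to the trojan
]


def run(fw: StatefulFilter) -> list:
    """Return the filter's verdict for each packet in TRAFFIC, in order."""
    return [fw.decide(p) for p in TRAFFIC]


if __name__ == "__main__":
    print("perimeter only :", run(StatefulFilter()))
    print("with egress list:", run(StatefulFilter(allowed_programs={"browser.exe"})))
```

The perimeter-only run lets the trojan's outbound connection and its reply through, because the flow was opened from inside; only the run with the outbound allow list stops it.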
N/A

'always on' security measures.

task,

This 'trojan' concept sounds the same as that championed on the www.grc.com site: to quote, "your Internet connection flows both ways, therefore, so must your security", where the author makes the point that a connected PC needs both 'external intrusion' and 'internal extrusion' management.

The site also offers a download utility to test the effectiveness of the latter, but this is where paranoia creeps in: you voluntarily download and run an executable that openly emulates a trojan, but who knows what else is going on in the background!

ps, dehaneysteven, the above site also gives NIS a mention in respect of internal extrusion, worth a look I'd say.
N/A

'always on' security measures.

On installation, the Norton firewall searches out all executables which will attempt to contact or listen to the outside world. You then decide whether to allow, block or prompt when the access is attempted. After installation, if any application it doesn't know about tries to access the web, it gets halted and you get asked.

To be honest, it's been a while since I set it up and now I don't have to bother with it. I do recall it took a bit of tweaking to get it right. Best find the Norton website and take a look.
N/A

Firewall shielding

Hi,

Please could I just add my own comments & experience here to this subject & thread. I have had an ADSL (almost always on type connection with F9 since last summer). Yes! You're right, the very nature of broadband with a static IP address does indeed leave a connected machine more likely to be probed.

However, I downloaded the very excellent ZoneAlarm (free firewall) version 2.361 which is rock solid, extremely robust from probing and attacks of all kinds. (NOTE: ZoneLabs have changed the interface & design of their free firewall since my version of this product. Personally I don't like what they have done in the more recent versions. Version 2.361 is totally amazing but version 3.0 I uninstalled after a very short time).

What's very good about ZoneAlarm's firewall is that it uses the Stateful packet inspection technique which is very hard to get past and I would recommend anyone who has a broadband connection MUST have a firewall or you're basically going to be attacked.

My firewall logs show that daily my machine is probed anywhere from 50 to 500 times, i.e. this is normal for an ADSL connected system. So a firewall is an essential security item otherwise it's like standing naked in your local high street (i.e. leaves you incredibly vulnerable) and so my advice would be DON'T DO THIS, ALWAYS HAVE A FIREWALL.

**there are numerous free firewalls around & a search on the web will show you many although not all firewalls are the same nor as good. ZoneAlarm has been around some time and is well tried & tested and that's the main reason I mention it here.

Regards Ivan
N/A

'always on' security measures.

Ivan,

Quote
otherwise it's like standing naked in your local high street

Is this the voice of experience? :lol:
N/A

Re: Firewall shielding

Quote

However, I downloaded the very excellent ZoneAlarm (free firewall) version 2.361 which is rock solid, extremely robust from probing and attacks of all kinds. (NOTE: ZoneLabs have changed the interface & design of their free firewall since my version of this product. Personally I don't like what they have done in the more recent versions. Version 2.361 is totally amazing but version 3.0 I uninstalled after a very short time).

What's very good about ZoneAlarm's firewall is that it uses the Stateful packet inspection technique which is very hard to get past and I would recommend anyone who has a broadband connection MUST have a firewall or you're basically going to be attacked.


ZoneAlarm (from www.zonelabs.com) is a package that claims to protect against trojans, and from what friends who have it tell me, it does indeed do this, by bringing up a dialogue box if an outgoing connection is requested, and allowing you to either permit or prevent it.
N/A

'always on' security measures.

Quote

This 'trojan' concept sounds the same as that championed on the www.grc.com site: to quote, "your Internet connection flows both ways, therefore, so must your security", where the author makes the point that a connected PC needs both 'external intrusion' and 'internal extrusion' management.


Yes, a good point.

I'd forgotten about ShieldsUP! which also operates from that site. I remember using this to test my system shortly after I'd installed ADSL. I've just tried it again, and it made another good point: that something it couldn't achieve today might be achievable tomorrow, so you always have to be vigilant; it's no good resting on the laurels of today's successful defence because tomorrow the potential cracker may try some different, more cunning, trick.

Quote

The site also offers a download utility to test the effectiveness of the latter, but this is where paranoia creeps in: you voluntarily download and run an executable that openly emulates a trojan, but who knows what else is going on in the background!


Ah! It's that sort of thinking which might save you one day!!!!

I suppose that's where digital signatures are supposed to come into play. If you download a piece of software which has been signed by "abc.com" and it turns out to harm your system, then abc.com can be held accountable - only they can put an abc.com signature on it, and so their signature indicates acceptance of a responsibility. At least, that's the theory. If software is unsigned then it is automatically more suspect because you can't point the finger so decisively at a particular organisation, and therefore can't pin them down.

You can use the netstat command to see which ports are in use on your system - at that moment in time. The Windows version is a bit limited, but netstat -o shows you active connections. And the nmap package http://www.insecure.org/nmap/index.html, often included in Linux distributions, can also be used to monitor your network. There's also the aptly named SATAN (Security Administrator Tool for Analysing Networks) http://www.fish.com/satan/ but I think it's now considered to be rather out-of-date.
N/A

'always on' security measures.

Personally, I'm not a big fan of software firewalls such as ZoneAlarm or Norton Firewall - in the end they are only pieces of software which offer limited protection only when running. If, for any reason, the software is closed, you are vulnerable to attacks again. If you use your internet connection on more than one computer the software has to be up and running on each machine.

I would highly recommend a hardware firewall with NAT capabilities. This way, you can be sure that everything is blocked unless you specifically open a certain port to map through to a certain internal IP address. On most good hardware firewalls, you can even tell it not to respond to ping requests!! A hardware firewall would sit at the source of your internet connection, so you can be sure that any computers you use are protected without the need for software. I use the Netgear DG814 ADSL modem router and firewall, which is perfect for my needs, doing everything I have mentioned above.

Of course, trojans get in through you letting them in by browsing the web or reading infected e-mails, so these require a good piece of anti-virus software. For this, I would recommend Sophos (www.sophos.com) as it uses fewer system resources than other software such as Norton AntiVirus and is extremely effective in protecting your system - any infected file is not allowed to be opened, so the viruses / trojans are never actually allowed to infect your system. This is opposed to the approach of many other pieces of anti-virus software, which simply detect an already-infected system, and tell you to get rid of the infected files! Sophos is fairly expensive, but it's the best software I've ever found.
N/A

Ah! Yes

Hi,

NATs are fine for those people who can afford such a networking device, also such a piece of kit is not simple to set up or install and often requires a skilled person who has a great deal of knowledge about networking to configure just like routers, etc.

You could argue about security issues until the cows come home because even NATs can fail and then your whole network is at risk. The point I'm trying to make here is that all technology has its flaws, vulnerabilities & failure points or failure levels.

The only reason I mentioned ZoneAlarm is that it is a simple yet effective solution that is well in the reach of most ordinary internet users, at a cost that is manageable and ZA has a simple setup process that most novice web users could deal with i.e. nothing overly difficult or complex.

Ivan
N/A

'always on' security measures.

I don't agree that routers/networks are hard things to set up. Everyone has to learn from somewhere, and with a clear set of instructions, it is easy to install a router with NAT capabilities. If people view them as devices only for experts, which of course they are not meant to be, then they will not even attempt to try to set one up. My router, the Netgear DG814, is definitely aimed at home users and comes with adequate instructions to facilitate its setup in this environment. The web interface is well designed, and provides all the information a beginner would need to set it up including a wizard which guides you through the process. There is also detailed information for those who need to know about IP addressing etc.

I recently helped a friend set up a router over the phone, with absolutely no prior knowledge of his make/model. He just needed to know where to plug things in, and only wanted the router so he could use XBox Live through his cable connection. He managed this successfully, and is very confident that he no longer needs Norton Firewall cluttering up his system.

NAT isn't a technology which is likely to fail like software firewalls, as the NAT hardware would need to know which device to map ports through to for anyone to be able to get to a networked computer on that port. Without any mappings, any packets sent to that port would simply be 'lost' en-route. On the other hand, when a packet is intercepted by a software firewall, it has already reached the intended system, so the chances of the firewall failing are much higher.

I think it is important that people who have an interest in networking are not put off by the thought that networks are beyond their capabilities. Of course, some aspects need technical knowledge, but with the increasing popularity of home networking, modern operating systems incorporate as many features as possible to make it easy for beginners.
N/A

'always on' security measures.

I agree that a NAT router is simple to set up. If you can set up a PC and say an e-mail account then a NAT router will be easy, just a couple more sockets and you have to set up the gateway in the TCP/IP settings (DNS servers may be handy too), then you'll probably be fine, the router should work ok out of the box. They can then be tweaked if and when the user wants.

Also NAT is good, but not impenetrable. Although I would imagine for a home PC/Network it is probably enough as most hackers probably wouldn't bother spending the time hacking it unless they knew what was on the other side and wanted it.

I personally use a NAT router and a software Firewall (Sygate's). I find this suits my needs nicely. I don't get many (if any) attacks on my firewall as I assume most get lost at the NAT router, which hackers can do as much as they want (within reason, more a figure of speech than anything there). The firewall is just in case, it also gives me more control over what programs can send information out from my PC.

I've heard good things about version 2.XX of ZoneAlarm, but by the time I tried it it was on version 3.XX, so I opted for Sygate's Personal Firewall, which also uses SPI and I am pretty pleased with it. It also uses less resources than ZoneAlarm 3.XX, not sure about version 2.XX.
N/A

Disagree strongly in some respects

Hi Guys,

Yes! I agree with you both but only to a limited degree. Yes! Since ADSL has become far more popular recently there are many manufacturers of broadband kit that have made huge strides to make installation of their equipment far more easy. And Yes! I have no intention of wanting to put anyone off having a go at learning about networking, etc. and installing their own ADSL kit or home networks and so on.

However, the bit that upsets me & does annoy me is that some ADSL equipment vendors make installation & configuration sound so easy and so many naive or inexperienced users end up stuck in the river without a paddle as it were.

And frankly the number of times I've seen & heard about people who got completely and utterly stuck with kit they just couldn't get working for one reason or another (and that does include people who've made postings in the past here on F9) so this is why I have to disagree with you. I also disagree that routers are easy to set up. I worked in IT professionally and I only installed my first router last year and it most definitely wasn't simple or easy. Maybe the kit you're talking about was for you but that wasn't the case for me nor is it the case for others and that's my point really. I.e. it's not the same for all users nor with all kit, it varies hugely depending what you buy.

Ivan
N/A

'always on' security measures.

I'd say it rather depends on your system and what you do with it - is it a single PC used for browsing, e-mail and the odd bit of gaming, perhaps connected via a USB Modem? or is it a network which you use to support some kind of business - or somewhere between the two.

Whatever you do the best defence is defence in depth, do not rely on any single piece of hardware or software - none of them are infallible or invincible as we all know.

Do you really NEED to be "always on"? If not then use the most secure feature of your system - the power switch - turn it off when you don't need to be using it for any appreciable length of time - not only will that protect you from externally originating e-ttack it will save you some utility costs and remove a fire risk from your home at the same time :-).

The very MINIMUM you should do is install firewall and anti-virus software - but then you already had that even when you were on a dial up connection right?

Now many (most?) of the products available for these jobs will "protect you" out of the box or that's what they claim - well to an extent that's true you will be (probably) a good bit safer - but don't just install them and sit back - learn about them, their settings and configuration and importantly go learn about the types of threat you face. If you get the option set your settings to paranoid, default to block everything until you specifically allow it - you might be surprised to see what some applications send over the wire when they are open.

Ok so you might have installed a firewall and anti virus and even learned about them etc - but have you done enough? Nope - did you check that your systems were patched with the latest security updates? Your applications? There is no point fitting high security locks to your door if you are going to leave your windows wide open - so you need to do that (preferably first) and preferably often. (ok caveat here that sometimes updates [esp windows updates] leave something else important broken)

Don't lull yourself into a false sense of security if you have this in place - be suspicious - check your logs and check em regularly - see anything you don't recognise? Do a bit of digging - why is the ATI Driver connecting to a Microsoft server (or some other address) every time it starts up - will it stop working if I block it?

You can get tools to help scour your logs and the popular FW/AV tools have some built in help to highlight suspicious activity.

Is your system a network? Then don't rely only on your perimeter firewall in the router or the NAT features to protect you - even if you have AV systems on each of your PCs you can still be bitten by unknown trojans etc - firewall ALL of your equipment unless you have a compelling reason not to. That at least gives some protection if one of your internal systems is compromised say by a virus spread by e-mail.

Are you running a webserver locally? is the port open to the DSL connection? Is that intentional? What about other services like FTP or SMTP?

That's a whole new source of headaches - Make sure it is locked down too - latest security patches - all unnecessary features switched off disabled etc etc.

If you have ports opened up through your NAT firewall then install and set up some form of IDS system too there are several freebie ones out there - I use a combination of snort and pure secure - its not perfect but it works for me and it woke me up to a whole lot of murk when I started exposing a web server through my firewall.

But overall the BEST the absolutely VERY BEST thing you can do to protect yourself and your systems is to learn - about the threats and what you can do about them - knowledge really is power. Go do some research, keep up to date.

I have a small network connected via ADSL, I use a Netgear DG814 router - which is a snap to set up although its logs are rubbish. The router drops inbound packets so you don't get any feel for just how hostile the environment outside your network actually is - of course there is nothing to stop you configuring a DMZ host to find out.

Each of the machines connected have Symantec Norton Firewall and AV software installed - one bugbear I have with them is that the log file sizes are too small and get overwritten too soon, but that aside they suffice - I had Zone Alarm at one time but it simply didn't get on with my set up for some reason and broke it badly so I had to uninstall it.

I have a webserver exposed through the firewall so in addition I run snort (www.snort.org) in conjunction with Pure Secure (www.demarc.com - it is commercial but free for personal use) to provide an IDS capability on top of that I have been using Who's On (www.whos-on.net) which is a web server log browser which gives a nice little near real time display of who is accessing the web server what they are requesting and highlights suspicious activity etc that does cost a bit of lolly though so I think I'll write my own log tool when the eval period is up.

Also I am paranoid and suspicious lol.

With the firewall dropping most packets detected attacks are restricted to IIS probes - I get a dozen or so per day mostly attempts to spread a CodeRed Variant with a few script kiddie vulnerability probes thrown in.

If you are in the Microsoft fold then go check its security tools and checklists site (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp) - get the Baseline Security Analyser and scan your system, read the articles and how-tos.

If you are a Linux boffin then read the howtos, go check the site for your distribution etc (you can tell that I am a Linux aficionado can't you! lol)

It doesn't do any harm to check out the various security themed websites either um (www.securityfocus.com springs to mind)

On the router cost point I'd probably just say that if you can afford an ADSL subscription you can afford the hundred or so quid that the router costs basically.

I said the DG814 was a snap to set up - it was for me - I am no network expert but I am no slouch either, so naive or inexperienced people may not be so lucky, however it did do what it said it would do out of the tin as it were and the wizard worked perfectly for first set up - if it wasn't for the obligatory and characteristic( :-) ) F9 mistake with my new username and password then I would have been online and connected from opening the box in under 5 minutes.

Anyway that's enough ranting for one night, hope it doesn't come over as too condescending.
Cheers
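A sketch of the kind of home-grown log tool the post above mentions, as an added example that is not part of the original thread: it scans web server access-log lines for the Code Red worm's request for /default.ida followed by a long run of filler characters, and counts probes per day and per source address. The log lines are constructed (shortened filler, documentation-range addresses) and the W3C-style field list is an assumption; the parser reads the column order from the log's own #Fields line.

```python
"""Count Code Red style probes in a W3C extended web log (constructed sample)."""
import re
from collections import Counter

# Constructed sample; the filler runs are shortened and no worm payload is included.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-02-10 01:12:44 203.0.113.7 GET /index.html - 200
2003-02-10 03:40:02 198.51.100.23 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 404
2003-02-10 09:15:31 198.51.100.23 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 404
2003-02-11 14:02:10 192.0.2.55 GET /DEFAULT.IDA NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 404
2003-02-11 14:05:00 203.0.113.7 GET /default.ida - 404
2003-02-11 14:06
"""

# Code Red pads the query with a long run of 'N' (the later variant used 'X').
FILLER = re.compile(r"^(?:N{20,}|X{20,})")


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def is_code_red_probe(rec):
    """True when the request targets default.ida with the worm's filler run."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "")
    return stem.endswith("/default.ida") and bool(FILLER.match(query))


def summarise(text):
    """Return (probes per day, probes per source address) as Counters."""
    per_day, per_source = Counter(), Counter()
    for rec in parse_w3c(text):
        if is_code_red_probe(rec):
            per_day[rec["date"]] += 1
            per_source[rec["c-ip"]] += 1
    return per_day, per_source


if __name__ == "__main__":
    days, sources = summarise(SAMPLE_LOG)
    for day, count in sorted(days.items()):
        print(day, count, "probe(s)")
    for ip, count in sources.most_common():
        print(ip, count, "probe(s)")
```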