Yes, a firewall is a must for every net user (whether a novice or an expert). Though hackers look for companies' PCs for using them as zombies. But exploiting a single PC is also helpful to hackers as it provides a good help.
If you are using a DSL or broadband connection I would recommend a firewall just because you are constantly connected online and wide open to people getting into your system. If you are using a router I would not install a firewall, as some routers already have an internal firewall built into them.
Catch just got pissy and negged everybody who disagreed with him.
Hmmm.
Hrmm.. Perhaps I should have said something earlier. You know, in reality, having a firewall can be a good thing but if I may suggest something: don't rely on any one thing for security. Better security is a layered approach like an onion. To rely on strictly a firewall or to rely strictly on AV or even to rely on a hardened OS isn't the answer. I'd suggest the following:
- understand your OS and its weaknesses. Figure out where someone will break in (a risk analysis)
- employ tools to help counter any threats (the list below is by no means exhaustive but I think you get the idea)
- don't rely on those tools to find the answer as to whether you are secure or not. Actually test and re-test multiple times
Quote:
- hardening host
- firewall
- NIDS
- antivirus
- spyware/adware detection
- trojan detection
- HIDS
- auditing
- process evaluation
- stay aware and paranoid. Remember, if it sounds too good to be true, likely it is too good to be true
- stay educated. (never stop the quest to learn no matter how trivial it seems or you think you seem; if need be, ignore the naysayers)
- repeat as necessary
Too many people here view their answer as the correct answer rather than as being part of the puzzle we call security. There are many ways to defend ourselves. By using variety we keep the attackers on their toes and give them more of a challenge.
I too would say disregard what catch said, not because I don't like the guy, he has his points, but because he is wrong in this instance. Argue it if you want, but here's why:
The attack paths to a server can be protected in the ways you suggest, using packet filters, running no services, etc., etc.
The same cannot be said for the desktop. A server does not check its email, browse the web, open potentially dangerous links, etc. For this reason, you CANNOT assume that all outbound traffic is valid and proper, nor can you assume the desktop will be running no services. For those reasons alone, you should be running a firewall. You should also be running a good Anti-Virus solution. The two in tandem will keep 99% of desktops relatively clean.
I am not going to stoop to calling you arrogant, or any other terms which I may or may not believe are accurate -- mostly because it isn't necessary and only further takes away from the discussion.
The key thing that so many security training courses (like CISSP) miss out on is examining the attack paths an attacker can take. There is little examination done of the potential weak points in a security system on the desktop, by and large it is all geared towards the server. This is why large networks even today STILL have problems with viruses running rampant, trojans being installed, or in the recent case of a very high profile game development company, targeted attacks. With so much time and resources being spent on defending the automated attacks, it has been shown that targeted manual attacks can be infinitely more effective than possibly they ever could before.
This is a weird thread. I think I'll stick with my firewall. It doesn't use up too much system resources, and it's better than getting pwned by some skiddie who thinks he's leet.
Creator: Darned fine idea...... Catch has his points and he is right on a "higher" theoretical level. But for us average "grunts" a firewall does more benefit in protection than it does harm in system resource use. I'll spend my 1-2% system resource use against my cost of a reformat/reinstall any day. Simple economics.... ;)
See, that's the thing, he ISN'T right on any level, considering the data given, and the situation being asked about, Catch is dead wrong.
Quote:
Originally posted here by Tiger Shark
Creator: Darned fine idea...... Catch has his points and he is right on a "higher" theoretical level.
Running no services on a server?
Quote:
Originally posted here by chsh
I too would say disregard what catch said, not because I don't like the guy, he has his points, but because he is wrong in this instance. Argue it if you want, but here's why:
The attack paths to a server can be protected in the ways you suggest, using packet filters, running no services, etc., etc.
You cannot assume that a local firewall will help this either, there are better ways to secure the desktop.
Quote:
The same cannot be said for the desktop. A server does not check its email, browse the web, open potentially dangerous links, etc. For this reason, you CANNOT assume that all outbound traffic is valid and proper,
In that case it would be a server, the reason all these terms exist is so people know exactly what each other are talking about, if you wish to use the language loosely enough to pull different meanings from things, don't be surprised when a misunderstanding occurs.
Quote:
nor can you assume the desktop will be running no services.
For what reasons? Not knowing how to use the term "Server"?
Quote:
For those reasons alone, you should be running a firewall. You should also be running a good Anti-Virus solution.
All the local AV and firewall do is give local code more juicy targets, as they tend to require a great number of permissions. Also now you need to worry about exploits in your firewall, your AV, and your OS instead of just the OS. AV systems should only be used on filtering systems, same with firewalls. High assurance, isolated proxying systems that clean network traffic, they have no place on standalone systems, especially such low assurance systems as the standard COTS desktop.
Cite your source for this figure please.
Quote:
The two in tandem will keep 99% of desktops relatively clean.
Not sure how we got there, my original intent was to explain to users what firewalls are intended for. Most people seem to think they are just a security cure all, and that is not the case.
Quote:
I am not going to stoop to calling you arrogant, or any other terms which I may or may not believe are accurate -- mostly because it isn't necessary and only further takes away from the discussion.
The CISSP in particular is geared toward a general theoretical understanding of IS security, no more no less.
Quote:
The key thing that so many security training courses (like CISSP) miss out on is examining the attack paths an attacker can take. There is little examination done of the potential weak points in a security system on the desktop, by and large it is all geared towards the server.
Quote:
This is why large networks even today STILL have problems with viruses running rampant, trojans being installed, or in the recent case of a very high profile game development company, targeted attacks.
The reason for this is the overall poor foundation of security in the vast majority of commercial systems. So much of modern COTS security is just bad versions of problems fixed in the 70's believe it or not. Reinventing the wheel is all that is happening now. DARPA (the same agency that brought you the 5th gen firewall) in fact, since 9/01 has had a number of solicitations for network attack resolutions, dynamic worm quarantine and the like based on old technology just made into commercial ready packages. Because current design ideals are simply not up to the task.
This is very true, especially from an insider (this of course isn't much of a concern with a single user home system) but I still feel that a local firewall isn't the best solution for this type of problem. Firewalls are not designed to protect boxes, they are designed to protect and control connections. Defense of the box rests on the box itself. All protections against attackers, malware, and evil users in general need to be found within the TCB, otherwise anything you slap on after the fact is only going to hurt the security of the system.
Quote:
With so much time and resources being spent on defending the automated attacks, it has been shown that targeted manual attacks can be infinitely more effective than possibly they ever could before.
Granted this may be above the average user's capabilities, but I assumed they were here to learn. Besides, 10,000 other people will tell them to install Zone Alarm, so what value does that really have?
catch
Ok, catch, since you seem to wish to carry on the argument. So teach me how to harden my box. Give out some of this magic information.
Quote:
Granted this may be above the average user's capabilities, but I assumed they were here to learn. Besides, 10,000 other people will tell them to install Zone Alarm, so what value does that really have?
Say that I am an average user. I have a relatively new computer of midrange ..... say a 1.2 GHz processor running XP Home, 40 gigs of hard drive space. I use this to surf the web, write and receive e-mail, download music and games from the internet. Browse a little porno, and go to some sites that probably contain a lot of spyware/malware on a fairly regular basis. I want to keep all the graphics capabilities on my box 'cause they are pretty, and want to see the graphics and neat displays on web sites I go to. Oh, and I do a little online gaming. I am your average user, and I could care less about IPs or any other strange terms that use indecipherable initials.
Teach me in plain language that I (as your average user) can understand and implement. Keep me safe while I am doing my thing.
Oh and of course you have to do this in less than 250 words because anything longer would just bore me and I wouldn't read it, much less implement it.