-
April 5th, 2004, 10:19 PM
#81
chsh, you post so much bullshit it is frequently difficult for me to waste the time to go through and correct everything, in this case I'll make an exception.
Which only furthers my point regarding his relative experience "out in the wilds" as it were. We've seen time and again what government standards have garnered in terms of real security: Various web defacements, reported break-ins to various government departments supposedly adhering to DARPA's security guidelines.
You've seen what government standards have garnered in terms of real security? Damn straight you have. When is the last time a high security government or military system has been compromised? What's that? Never? Gee, lucky that. (Don't want those hackers launching nukes.) All that gets broken into are low security systems with nothing important on them; same goes for defacements. I actually covered this topic in:
http://www.antionline.com/showthread...hreadid=244586
High end secure systems like SMG ( http://www.smat.us/crypto/docs/mailguard.pdf ), STOP ( http://www.radium.ncsc.mil/tpep/libr...L-92-003-E.pdf ), KSOS ( http://csrc.nist.gov/publications/history/ford78.pdf ), and the like are not even theoretically possible to compromise remotely; then again, these systems are not wasted on public webservers with nothing to protect.
I am sure you might go off about NASA getting broken into and plans for the shuttle being stolen or whatever, so what. Despite what the media liked to hype up, those plans are not some super duper top secret thing. Only a few countries in the world would have the technology to build the shuttle anyhow, and those that do have already/could easily develop their own plans, hence the low security rating. (they have no value)
Now to a far more objective point, do you even know what DARPA is? It is pretty clear by your speaking of their security guidelines that you do not. DARPA (Defense Advanced Research Projects Agency - http://www.darpa.mil ) does not establish security guidelines, never has, never will. In fact DARPA's mission statement makes this very clear:
The DARPA mission is to develop imaginative, innovative and often high-risk research ideas offering a significant technological impact that will go well beyond the normal evolutionary developmental approaches; and, to pursue these ideas from the demonstration of technical feasibility through the development of prototype systems.
- http://www.darpa.mil/body/mission.html
Security guidelines are established by the United States' Department of Defense (DOD) National Computer Security Center (NCSC - http://www.radium.ncsc.mil/tpep/ or (410) 854-4376 if you prefer), which is an organizational unit within the National Security Agency (NSA) and charged with information systems security for classified information. The National Institute of Standards and Technology (NIST - http://csrc.nist.gov/ ) as an organizational unit within the Department of Commerce is responsible for sensitive but unclassified information systems security. Standards set forward by, or based on those set forward by, the NCSC and NIST have in some form found their way not only into every secure US, Canadian, English, French, German, Japanese, and Australian military information systems installation, but also into every first world bank and damn near every Fortune 500 company.
What was that about out in the wilds?
SANS is like television: they don't want to be too surprising or compelling because doing so will make people feel dumb and scared, which in turn loses their audience. SANS specifically targets people that don't really know anything about security; that is why they have so much focus on the very tangible, like top vulnerabilities. They do this because if the site was full of theorems proving and disproving various security models, the site would lose mass appeal. If you want information on computer security, go to the ACM's (http://www.acm.org ) security based SIGs; those people will set you straight.
No desktop operating systems since Win95 have had 0 services by default. Win 3.11 had to be configured to allow it, but many OEMs did this in its default configuration, meaning a lot of those desktops had services enabled by default.
"No desktop operating systems" is a bold statement, but I'll let it slide as there is no point in being picky. The real point is that why the preoccupation with default configurations? All you Linux fans are the same way, think you're so smart, but base the entire worth of the system in the way someone else configured it for you.
Default configurations, number of defacements, and number of published exploits... is this all that your security knowledge is comprised of? I could pick up the same level of knowledge using Steve Gibson's website as my only resource.
Why don't you go look up what a "reference monitor" is ( http://seclab.cs.ucdavis.edu/project...CD/ande72b.pdf section 3.4 page 24/25) and then you should have an idea about why security should be controlled at the lowest point. Things like firewalls on desktop/network server systems, relying on your web/email/dns/ftp/whatever service software itself for security, and monolithic kernels are all indicated to be bad by the single founding principle of all secure systems for the last 32 years.
So what will satisfy you?
I can post documents and you'll just say they are wrong; I can cite companies, you'll say they are exceptions; I can direct you to other places of learning why my arguments are not the exception, you won't go there; I could challenge you with compromising a system that utilizes my principles and give you admin passwords, whatever trojans you want on the system, anything, and you'll say I rigged the contest. So seriously, it seems plain as day obvious to me that users (authorized or not) should never have the ability to directly interface with any element of a system's security mechanisms (hence you can run the least secure service software on a secure OS and the system will remain secure). This is also why running firewalls on desktops/network servers is bad: you allow a remote user to directly interface with an aspect of the local system's security, unless of course you gain something by it, like having a need to filter particular ports (in these cases you should still use a stand-alone firewall like Sidewinder G2, as this gives additional layers of abstraction: the firewall is outside of the system's reference monitor and the stand-alone system is outside of what it is protecting); then it may be deemed an acceptable risk, otherwise you gain risk with no gain in protection.
catch
Edited to add: I have no disagreements about the idea to purchase a router/firewall appliance. Though unneeded services should still be closed.
-
April 5th, 2004, 11:01 PM
#82
I think that the basic problem is that this post is in the wrong forum?
"Newbie security questions" or whatever? would be more appropriate?...we are getting professional answers to amateur questions?
#4 Old Jewry
Southwark Towers, #32 London Bridge Street
#1 London Bridge Street
?
I think that someone following this thread will understand the above
Cheers
And a happy Easter to all
-
April 5th, 2004, 11:27 PM
#83
Catch:
I am trying like hell to give you AP's..... I even went and put out some others and came back.... Doesn't work.... Sorry.
JUPM.... I can't apply any AP's to Catch, not even positive, even though it's 3 full days since I negged him..... That's hardly right..... Can it be fixed so I get the choice of what I want to give? If I want to "over-neg" him, then deny me the right..... But if I want to reverse my last AP then it should be allowed and would cause no exploitation of the system.... Any chance of that happening?.... Intmon.... You reading this? I know... It's tiring, but us unpaid are clearly reading it..... could you? 
Now I have forgotten where I was going...... <sigh> Old age and a WAP in the pub is a _very_ bad thing..... <ROFL>
Ahhh.... I got it.... Never fear, Tiger is here.... <panic while you still can>. There is no doubt that you know your stuff, you can document it and that you, obviously, live it. As usual, _we_ only disagree on the "potential for implementation". I fully see your point about this not being a "third grade forum" and your posts do "stretch the mind" of many. That's a good thing.... I have learned a lot from you. What we disagree on in most cases is your "categorical" statements..... Your answer to this question was, to all intents and purposes "No".... I think my last post was the "conclusion" to this question.... I notice you didn't address that post... but that's a whole other issue....
I enjoy jousting with you..... I know perfectly well that you are absolutely correct when you say what you say and that it functions exactly as you say it does.... But that's where you "live"... The rest of us live "down the street"... It's a fun place.... We have no assurances.... No TOS.... We have that old limited budget thingie, the requirement that our brainless users don't have to jump through a gazillion hoops to edit a word file or read an email from some numbskull out there in the big wide world, etc. etc etc. and the inability to really create the systems you discuss, (the most important part of the equation).
We've discussed these same points before.... I stick to my position..... If you wish I would be quite happy to have you come here and secure my systems, (650 workstations that I only have admin control over 350)..... That's my world.... I'll split the air fare, you won't have any other cost except buying the odd beer here and there to make me feel good.... Secure it your way within my budget, user constraints and my ability to further manage the risk after you leave..... I'm up for that.... are you? It'll be a lot of fun meeting you in person and seeing if you can mitigate my user's issues.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
April 6th, 2004, 12:05 AM
#84
Tiger, I didn't see your other post to reply to it until after I'd written my last reply.
My point is this, the solutions I present are not expensive or difficult to utilize, they used to be 20 years ago, and that stigma has stuck.
I donate my time to an organization that provides free and sliding scale IS solutions for under-funded social programs (drug clinics, battered women and children's shelters, etc) and I am head of security planning. The reason why this is such an ideal match for them is that all of the effort and cost is hiring someone that knows how to design it. Since the systems are immune from the vast majority of application level bugs and malware these organizations can have secure systems (frequently dealing with HIPAA) that don't need to be maintained for security.
The normal problem is hiring someone like me and my team to get you pointed in the right direction, and here I provide the service for free and get flamed for it. Think about it:
1. Send the user to any number of FAQs all over the web teaching them how to kill extra services and be available for any questions they may have. (A few hours, maybe a day at most.)
2. Instruct the user about how user permissions and privileges work, then direct them to practical documents on the subject of running client software as a different lower level user and about they themselves operating as a non-administrative level user, and how to lock down the admin account (utilizing an operator account) so that in the event they blow something up as admin, the damage is contained. (A few more hours, another day at the most.)
Now, a user has spent 2 days, and in doing so they have secured their system against every type of attack dealing with confidentiality and integrity. All that remains is availability, which considering the resources of a home system is already greatly impaired. The user never needs to patch... they don't need to patch their non-existent firewall, AV system, or client software for security concerns. The user can still game, p2p, web browse, send email, use office, copy DVDs... all those wonderful things that users do.
catch
PM me about the other.
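The two steps catch lists above amount to a checklist, and the first one (find the extra services, then kill them) is easy to get wrong by eyeballing a long netstat listing. As an added example, not catch's code and not part of the original thread, here is a small Python script that does that audit: it parses `netstat -an` output of the kind Windows 2000/XP prints, keeps only sockets that are actually listening, and reports any that are not on an allowlist, with the ones bound to a network-reachable address listed first. The sample netstat output and the allowlist below are constructed for illustration, not captured from a real machine.

```python
"""Audit listening services from netstat-style output against an allowlist.
Added example; the sample listing and allowlist are constructed."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample in the layout `netstat -an` uses on Windows 2000/XP.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      64.233.161.99:80       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:1900           *:*
  UDP    127.0.0.1:123          *:*
"""

# Constructed allowlist: the user decided to keep file sharing (445/tcp, 137/udp).
ALLOWED: Set[Tuple[str, int]] = {("TCP", 445), ("UDP", 137)}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def external(self) -> bool:
        """True when the socket is reachable from the network rather than loopback only."""
        return not self.addr.startswith("127.")


# proto, local addr:port, foreign addr:port, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(text: str) -> List[Listener]:
    """Return every socket that can accept traffic: LISTENING TCP sockets and all UDP sockets."""
    found: List[Listener] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header, blank line, or unexpected format
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established/time-wait connections are not services
        found.append(Listener(proto, addr, int(port)))
    return found


def audit(text: str, allowed: Set[Tuple[str, int]]) -> List[Listener]:
    """Listeners not covered by the allowlist, network-reachable ones first."""
    findings = [l for l in parse_listeners(text) if (l.proto, l.port) not in allowed]
    return sorted(findings, key=lambda l: (not l.external, l.proto, l.port))


if __name__ == "__main__":
    for l in audit(SAMPLE_NETSTAT, ALLOWED):
        where = "NETWORK" if l.external else "loopback"
        print(f"{l.proto} {l.port:>5} bound to {l.addr:<15} [{where}]  <- not on allowlist")
```

Anything the script prints with NETWORK next to it is a service that a remote host can talk to and that the user has not consciously decided to keep, which is exactly the list step 1 tells them to work through. Loopback-only listeners are reported too, but last, since only local software can reach them.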
-
April 6th, 2004, 12:52 AM
#85
Originally posted here by catch
chsh, you post so much bullshit it is frequently difficult for me to waste the time to go through and correct everything, in this case I'll make an exception.
I welcome the effort.
You've seen what government standards have garnered in terms of real security? Damn straight you have. When is the last time a high security government or military system has been compromised? What's that? Never?
http://www.wired.com/news/technology...,34539,00.html - NASA, DoD
http://www.usatoday.com/tech/news/20...ack-attack.htm - NOAA
http://www1.cnn.com/TECH/computing/9905/10/hack.attack/ - I&PS, DoE
http://rf-web.tamu.edu/security/secg...ry/Hacking.htm - Many gov't departments, tho admittedly old.
http://www.merit.edu/mail.archives/n.../msg00054.html - The Mil being broken into.
If the government was doing their job so well, why did Bush feel the need to create a Cybersecurity Chief position, and accompanying department, with one of the goals being "to secure the government's own systems"?
All that gets broken in are low security systems with nothing important on them, same goes for defacements.
So you are saying that as long as nothing critical (which is certainly not what was indicated by SOME of the links I linked above) is done, there is no security problem? No home user has anything classified on their system, so why bother securing it? Is that your stance?
The Titanic was unsinkable too. Saying that government security is obviously perfectly good because it's 'not wasted on public webservers with nothing to protect' is merely saying that they have achieved security through obscurity, and haven't been put to a constant, real live test.
I am sure you might go off about NASA getting broken into and plans for the shuttle being stolen or whatever, so what. Despite what the media liked to hype up, those plans are not some super duper top secret thing.
So what? Wow, you can tell you have either been contracted to or directly employed by government. You are talking serious breaches in security, and saying they don't matter because they aren't "super duper top secret". Tell any of the engineers at NASA who worked on the design, that someone came in and stole the plans for their shuttles (which could potentially be in the hands of various private commercial spacefaring endeavours), and then tell them it is all irrelevant. They'll have a VERY different view of the situation, as would your average home user. What you classify as important is not what others classify as important. Someone is asking if it is worthwhile, and you tell them no based on your definition of the importance of THEIR information. Fortunately not everyone approaches the issue with the pompousness you do, and in the spirit of actually trying to HELP the person out, rather than deem them unimportant, have dispensed the kind of information they might find useful. This applies equally to a home user. The important thing is they have deemed their data as important.
Only a few countries in the world would have the technology to build the shuttle anyhow, and those that do have already/could easily develop their own plans, hence the low security rating. (they have no value)
That is a matter of opinion now isn't it? If NASA didn't think they were valuable, why not give them away as mail-order pamphlets on their site, why make ANY effort to protect the data at all?
Now to a far more objective point, do you even know what DARPA is? It is pretty clear by your speaking of their security guidelines that you do not. DARPA (Defense Advanced Research Projects Agency - http://www.darpa.mil ) does not establish security guidelines, never has, never will.
You are correct, I miswrote that. The point is no less valid: The security guidelines developed by the U.S. government have been noted time and again to be subpar (even by the government's own security panels).
What was that about out in the wilds?
You said it yourself, the networks are all closed, private, inaccessible through any means to the Internet. That makes them an isolated place, hence "out in the wilds" does not apply.
SANS is like television: they don't want to be too surprising or compelling because doing so will make people feel dumb and scared, which in turn loses their audience. SANS specifically targets people that don't really know anything about security; that is why they have so much focus on the very tangible, like top vulnerabilities. They do this because if the site was full of theorems proving and disproving various security models, the site would lose mass appeal. If you want information on computer security, go to the ACM's (http://www.acm.org ) security based SIGs; those people will set you straight.
I find it kind of ironic that "those people will set [me] straight", yet they require me to register to even browse the whitepapers they have there, which are by and large managerial in nature, and detail specifications on how to prepare individuals to learn about security vulnerabilities. All the technical-sounding documents I was able to find provided me with this lovely message when I tried to view them with my "limited" access account: "Your present login: chsh does not have access to this feature." They have no interest in setting me straight, or if they do, they want to see my money first. Amusingly, SANS is nothing like television -- you don't have to pay anything to get access to some of their information, only to become certified.
The real point is that why the preoccupation with default configurations? All you Linux fans are the same way, think you're so smart, but base the entire worth of the system in the way someone else configured it for you.
This has absolutely nothing to do with Linux, and everything to do with the knowledge level of your average user. Unfortunately, the majority of users out there do not have the understanding and capabilities of someone as versed in the technology as yourself. You seem to be unable to comprehend this simple fact. You continually derail this thread to discuss your government ultra-secure system, and are totally dodging the whole point of this: The user who asked how to make their system MORE secure. From your argument, it seems to me that you believe a computer with an app. firewall is LESS secure "out in the wilds" (unfamiliar territory to coddled government systems) than one without one.
I have not yet spoken of how your government is run, and how policies are set, nor do I know all the various and sundry technologies that go into securing "Top Secret" government systems, I imagine they are quite extensive. I do not pretend I know the systems, and as such do not speak of them. It is rather evident to me that you are in a similar position when discussing the home user, or small business, etc..
So what will satisfy you?
You cluing into the fact that just because you know how to use a hammer REALLY well, it does NOT mean that every problem is a nail.
I can post documents and you'll just say they are wrong
Where have I said that? I said they were irrelevant, sure...
I can cite companies, you'll say they are exceptions, I can direct you to other places of learning why my arguments are not the exception, you won't go there
I already did, and was unable to access any of this information. What you seem to fail to understand is I'm not saying you are outright wrong, but rather you are wrong as applies to this situation.
I could challenge you with compromising a system that utilizes my principals and give you admin passwords, whatever trojans you want on the system anything, you'll say I rigged the contest.
I will? I'd be intrigued to say the least. Is that an open offer, or an out-of-hand insult since you wouldn't ever set such a situation up?
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
April 6th, 2004, 01:59 AM
#86
I said high security; none of those are high security systems. The loss by those attacks is insignificant, and consequently so were the countermeasures protecting them.
1. Bush is an idiot.
2. This deals primarily with securing commercial systems.
3. This features no introduction of new policy against high security installations, and is consequently off topic.
So you are saying that as long as nothing critical (which is certainly not what was indicated by SOME of the links I linked above) is done, there is no security problem? No home user has anything classified on their system, so why bother securing it? Is that your stance?
If you read the document I posted, it clearly states that so long as the ALE is less than the cost of the countermeasure, the risk will go unmitigated. In none of the attacks you mention, was classified data disclosed.
The titanic was unsinkable too. Saying that government security is obviously perfectly good because it's 'not wasted on public webservers with nothing to protect' is merely saying that they have achieved security through obscurity, and haven't been put to a constant, real live test.
Security is simple math, it has nothing to do with user testing. High end systems use finite state reference monitors, these are of course... theoretically impossible to crack.
Why don't you actually read my document on risk management that I posted in the last thread, and questions like these will be answered.
So what? Wow, you can tell you have either been contracted to or directly employed by government. You are talking serious breaches in security, and saying they don't matter because they aren't "super duper top secret".
Aren't even classified. Corporations and banks work the same way... why not go familiarize yourself with ISO17799/BS7799? All these questions would be answered.
Tell any of the engineers at NASA who worked on the design, that someone came in and stole the plans for their shuttles (which could potentially be in the hands of various private commercial spacefaring endeavours), and then tell them it is all irrelevant.
The classification of that data was up to the data owners, if they felt it was more important, it would have been protected. They felt no point in wasting unneeded resources.
They'll have a VERY different view of the situation, as would your average home user.
That is why data classification isn't their job, that kind of emotional attachment is unproductive, and home users are allowed to classify their own data as they see fit, provided their systems have labeling capabilities.
What you classify as important is not what others classify as important.
It is up to the data owner; they are the ones who establish the initial classification. (This is very, very basic IS security stuff here... not like I'm breaking new ground.)
Someone is asking if it is worthwhile, and you tell them no based on your definition of the importance of THEIR information.
I didn't give advice, I explained what firewalls are intended for and when they are not needed.
Fortunately not everyone approaches the issue with the pompousness you do,
Nor the level of a community college education in IS security as you do.
and in the spirit of actually trying to HELP the person out, rather than deem them unimportant, have dispensed the kind of information they might find useful. This applies equally to a home user. The important thing is they have deemed their data as important.
Again, I didn't tell the user what to do, I clarified the hype about firewalls not being the cure all security fix in every situation.
That is a matter of opinion now isn't it? If NASA didn't think they were valuable, why not give them away as mail-order pamphlets on their site, why make ANY effort to protect the data at all?
This is where fine granularity of control comes in, something totally foreign to those from the Linux world.
You are correct, I miswrote that. The point is no less valid: The security guidelines developed by the U.S. government have been noted time and again to be subpar (even by the government's own security panels).
When a hacker launches nukes, then you can tell me how subpar it is... the only thing you are arguing as subpar is the classifications given to the data, not the protections available.
You said it yourself, the networks are all closed, private, inaccessible through any means to the Internet. That makes them an isolated place, hence "out in the wilds" does not apply.
When did I say that? If military systems (like silos, and submarines, and bases) communicate with each other... then there must be a way to access them remotely. My response about out in the wild is that ALL technical commercial security standards are merely detuned versions of DOD/MIL standards. That is the real world.
I find it kind of ironic that "those people will set [me] straight", yet they require me to register to even browse the whitepapers they have there, which are by and large managerial in nature, and detail specifications on how to prepare individuals to learn about security vulnerabilities. All the technical-sounding documents I was able to find provided me with this lovely message when I tried to view them with my "limited" access account: "Your present login: chsh does not have access to this feature." They have no interest in setting me straight, or if they do, they want to see my money first. Amusingly, SANS is nothing like television -- you don't have to pay anything to get access to some of their information, only to become certified.
They don't want just anyone to come along and be stupid. The fee is nominal and goes to a good cause... but requiring payment information allows for more binding user agreements and fewer "trolls" I believe they are called. If there are any documents you are interested in, kindly let me know and I will gladly forward them to you.
TV is also free, free and full of commercials. (unless you want good TV which at first has more channels and then the premium stuff is no commercials either.)
This has absolutely nothing to do with Linux, and everything to do with the knowledge level of your average user.
If he is a newbie, he should have posted in that forum, things like honeypots are advanced topics. I am not a mind reader, nor will I attempt to try.
Unfortunately, the majority of users out there do not have the understanding and capabilities of someone as versed in the technology as yourself. You seem to be unable to comprehend this simple fact.
And how are they supposed to ever get educated if everyone constantly pitches thoughtless solutions at them.
You continually derail this thread to discuss your government ultra-secure system,
If by that you mean, my home system, my family members' (including grandmother's) home systems, all of my friends' home systems, the system incorporated at a large number of corporations and non-profit agencies around the world... then yes... if you mean all that, then I confess, I have just been trying to derail this conversation with those exotic, useless, non-real world systems.
and are totally dodging the whole point of this: The user who asked how to make their system MORE secure. From your argument, it seems to me that you believe a computer with an app. firewall is LESS secure "out in the wilds" (unfamiliar territory to coddled government systems) than one without one.
This is absolutely true. Adding to the complexity of ANY system without altering its security functionality (and even then if this functionality falls outside of the reference monitor) makes the system less secure. It is a mathematical fact.
I have not yet spoken of how your government is run, and how policies are set, nor do I know all the various and sundry technologies that go into securing "Top Secret" government systems, I imagine they are quite extensive. I do not pretend I know the systems, and as such do not speak of them. It is rather evident to me that you are in a similar position when discussing the home user, or small business, etc..
I respect your candor, but the truth of the matter is that computer security at any level is broken down into the following:
1. Risk (add up assets, calculate threats, predict exposure, calculate total expected loss, research counter-measures, compare their cost to their reduction in loss, take the cheaper choice)
2. Policy (implement counter-measures and determine how to utilize the counter-measures on what, classify and label your assets/objects and your users)
3. Accountability (ensure that subjects are identified to the system and audit the system to ensure the policy is being maintained)
4. Assurance (track relevant changes in risk and repeat the process as needed)
In a home system all of these steps apply just the same as they would for a missile launch control center. The only difference is how comprehensive and formalized they are. All of us do these things all the time on our systems and never even think twice about it.
All I did in this situation was inform the poster of a more efficient counter-measure, I didn't alter his policy.
You cluing into the fact that just because you know how to use a hammer REALLY well, it does NOT mean that every problem is a nail.
IS security is a spectrum, always about finding the most efficient solutions. If you could run KSOS and still use your computer the same, and the cost of operation was actually reduced, would you run it? Or would you just assume that it was used for things of high security so it isn't appropriate for this situation?
The commercial security world takes advantage of users' ignorance; they use lots of fancy keywords and bells and whistles, and they are confined by the fact that they need to sell products that the user has some basic conceptual understanding of.
"Firewall, it's like a digital moat." "Oh ok!" Another sale.
"Mandatory Access Controls, it's like an apartment building... where wait that doesn't work... well you see data can only be written to the same or higher levels of security within the confidentiality model and read at the same or lower levels, but then the integrity model is the opposite, but sometimes you have a situation that calls for the tranquility property and then you can only read and write at the same level within both security models. Sometimes you need to violate this model so the system is provided with a few trusted agents for various tasks as well." "Um..." "Now I know what you are thinking! What about covert channels? Our system monitors both data and timing covert channels to an accuracy of...." Clearly... no sale is gonna happen.
Users don't need to understand how the technology works, they just need to know how to be productive within it, but they want to know... this means that the majority of commercial products have to be dumbed down to the level of someone that knows nothing about IS security. The military and their standards, which have filtered into many COTS systems, are not saddled with the same problem. They are simply the best.
I already did, and was unable to access any of this information. What you seem to fail to understand is I'm not saying you are outright wrong, but rather you are wrong as applies to this situation.
"See, that's the thing, he ISN'T right on any level, considering the data given, and the situation being asked about, Catch is dead wrong"
I am sure you can see why I misunderstood what that was stated as a reply to "Catch has his points and he is right on a "higher" theoretical level."
I will? I'd be intrigued to say the least. Is that an open offer, or an out-of-hand insult since you wouldn't ever set such a situation up?
If you are interested, it would be fun... if for nothing else I'd be curious to see the feedback on it. It'll need to happen sometime this week/weekend though. I have a system in mind, Windows 2000 no less, let me know if you are interested and I'll tell you the setup I'm willing to offer.
catch
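The confidentiality and integrity rules sketched in the post above are the Bell-LaPadula and Biba models. The following is an added illustration, not code from any poster or from any product named in the thread: it encodes each model's read/write rules over a small constructed label lattice, and shows that enforcing both models over the same label leaves only same-level reads and writes, plus a `trusted` flag standing in for the "trusted agents" the post mentions. The label names, the `trusted` exemption (write rules only) and the `check_access` / `allowed_pairs` helpers are all assumptions made for the example.

```python
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """Constructed label lattice (the post names no specific labels);
    the same ordering is reused for both confidentiality and integrity."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula confidentiality model.
    read : object must be at the subject's level or lower  (no read up)
    write: object must be at the subject's level or higher (no write down)"""
    if op == "read":
        return obj <= subject
    if op == "write":
        return obj >= subject
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba strict integrity model, the mirror image of BLP.
    read : object must be at the subject's level or higher (no read down)
    write: object must be at the subject's level or lower  (no write up)"""
    if op == "read":
        return obj >= subject
    if op == "write":
        return obj <= subject
    raise ValueError(f"unknown operation {op!r}")


def check_access(subject: Level, obj: Level, op: str, trusted: bool = False) -> bool:
    """Reference-monitor style decision applying both models to one label.
    Assumption for this example: a 'trusted' subject (e.g. a downgrader)
    is exempted from both models' write restrictions only; reads are
    still mediated."""
    if op == "write" and trusted:
        return True
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def allowed_pairs(op: str, trusted: bool = False) -> set:
    """All (subject, object) label pairs for which check_access permits op."""
    return {
        (s, o)
        for s, o in product(Level, Level)
        if check_access(s, o, op, trusted)
    }


if __name__ == "__main__":
    # Print the combined decision matrix; only the diagonal is allowed.
    for op in ("read", "write"):
        print(f"{op:5}  " + "  ".join(o.name[:4] for o in Level))
        for s in Level:
            row = "  ".join("  Y " if check_access(s, o, op) else "  - " for o in Level)
            print(f"{s.name[:5]:5}  {row}")
```

Running it prints a matrix per operation with `Y` only where subject and object labels are equal; passing `trusted=True` to `allowed_pairs("write")` widens the write set to every pair, which is exactly why such subjects need to be few and carefully audited.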
-
April 6th, 2004, 02:44 AM
#87
catch...I capitulate....you ARE correct. My apologies for my "dry comment" back on page one.
Now see guys?? That wasn't hard for me at all...anyone else care to give it a try?
Al
It isn't paranoia when you KNOW they're out to get you...
-
April 6th, 2004, 02:50 AM
#88
Since you are AGAIN taking things off course, I'm just going to reply to the stuff that is actually on topic to the thread.
Originally posted here by catch
[...]
Again, I didn't tell the user what to do, I clarified the hype about firewalls not being the cure all security fix in every situation.
Yes, you did give your opinion.
It is important to only add counter measures in response to threats that justify them, in this instance, I don't see that being the case.
And how are they supposed to ever get educated if everyone constantly pitches thoughtless solutions at them.
Who is pitching the thoughtless solution? You are saying the OP's data isn't valuable enough to warrant protection. The OP asked a question, and IMHO you answered it in a rather high-and-mighty ignorant fashion.
If by that you mean, my home system, my family members' (including grandmother's) home systems, all of my friends' home systems, the system incorporated at a large number of corporations and non-profit agencies around the world... then yes... if you mean all that, then I confess, I have just been trying to derail this conversation with those exotic, useless, non-real world systems.
Detail how you secure the home systems for someone utterly unrelated to you to whom you have no guarantee of control over? System administration policies only go as far as the control of the body which sets them.
This is absolutely true. Adding to the complexity of ANY system without altering its security functionality (and even then if this functionality falls outside of the reference monitor) makes the system less secure. It is a mathematical fact.
Explain how an app. firewall DOESN'T alter the security of the system.
Well I'm glad to see this thread isn't getting overly personal.
but the truth of the matter is that computer security at any level is broken down into the following:
1. Risk (add up assets, calculate threats, predict exposure, calculate total expected loss, research counter-measures, compare their cost to their reduction in loss, take the cheaper choice)
2. Policy (implement counter-measures and determine how to utilize the counter-measures on what, classify and label your assets/objects and your users)
3. Accountability (ensure that subjects are identified to the system and audit the system to ensure the policy is being maintained)
4. Assurance (track relevant changes in risk and repeat the process as needed)
In a home system all of these steps apply just the same as they would for a missile launch control center. The only difference is how comprehensive and formalized they are. All of us do these things all the time on our systems and never even think twice about it.
All I did in this situation was inform the poster of a more efficient counter-measure, I didn't alter his policy.
If you reread the last sentence of your first post, it sure makes it sound like you are trying to alter his policy.
IS security is a spectrum, always about finding the most efficient solutions. If you could run KSOS and still use your computer the same, and the cost of operation was actually reduced. Would you run it?
Of course. The example is however irrelevant since the situation is not such, and it is an extreme whose sole purpose appears to be to distract from the facts.
Or would you just assume that it was used for things of high security so it isn't appropriate for this situation?
The commercial security world takes advantage of users' ignorance, they use lots of fancy keywords and bells and whistles, they are confined by the fact that they need to sell products that the user has some basic conceptual understanding of.
While I agree in essence with that, the issue is not one of either the fault of the commercial industry, nor the lack of willing user educators. It is a lack of users who are willing to be educated. It would be best if high schools started impressing upon kids how to secure their boxes so that a coming generation understands the basic principles so many of us wish users understood. Such is not the case unfortunately.
Users don't need to understand how the technology works, they just need to know how to be productive within it, but they want to know... this means that the majority of commercial products have to be dumbed down to the level of someone that knows nothing about IS security. The Military and their standards which have filtered into many COTS systems are not saddled with the same problem. They are simply the best.
I'm not arguing that, as I said before, this is more about the USER. Going against conventional wisdom simply because conventional wisdom doesn't apply to your particular field of work doesn't mean you are right. There is a reason conventional wisdom exists, and why so many refer users to these sorts of applications. The vast majority of such users -- as you accurately point out -- don't have any interest in HOW something works, but rather the easiest way to work with that something, be it an Office suite, an email client, etc.
"See, that's the thing, he ISN'T right on any level, considering the data given, and the situation being asked about, Catch is dead wrong"
I am sure you can see why I misunderstood what that was stated as a reply to "Catch has his points and he is right on a "higher" theoretical level."
Yes, I still agree with that statement, with the situation and data given, I think you are wrong.
If you are interested, it would be fun... if for nothing else I'd be curious to see the feedback on it. It'll need to happen sometime this week/weekend though. I have a system in mind, Windows 2000 no less, let me know if you are interested and I'll tell you the setup I'm willing to offer.
Just this weekend? Damn, I do have a life, as much as I may not seem to. But sure, pm me the details, or just PM me and I will give you my email address. I would like to give it a shot. I just want to be clear, I'm all for hardening a system, and I know it can be an effective defense. As I see it, for your average home user, that is asking a lot of a crowd of individuals who are by and large relatively new to life with a computer, let alone on the internet.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
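The four-step breakdown quoted in the post above starts with a risk step that compares each counter-measure's cost against the loss it prevents and "takes the cheaper choice". The following is an added worked example of that comparison, not code from either poster: it computes an annualised expected loss for a constructed asset, then scores each candidate counter-measure as its own cost plus the residual expected loss, with "accept the risk" as the do-nothing baseline. The asset value, rates and counter-measure names and costs are all constructed for the example and carry no claim about any real product.

```python
def expected_loss(asset_value: float, annual_rate: float, exposure_factor: float) -> float:
    """Annualised loss expectancy: how much of the asset is lost per event
    (exposure_factor, 0..1) times how many events are expected per year."""
    return asset_value * exposure_factor * annual_rate


def choose_countermeasure(asset_value: float, annual_rate: float,
                          exposure_factor: float, options: dict) -> tuple:
    """options maps a counter-measure name to
    (annual_cost, residual_annual_rate, residual_exposure_factor).
    Returns (name, total_annual_cost); a counter-measure is only chosen
    when its cost plus the residual loss is lower than doing nothing."""
    best = ("accept the risk", expected_loss(asset_value, annual_rate, exposure_factor))
    for name, (cost, r_rate, r_exposure) in options.items():
        total = cost + expected_loss(asset_value, r_rate, r_exposure)
        if total < best[1]:
            best = (name, total)
    return best


# Constructed sample: a home PC worth 1500 (replacement plus data recovery),
# one compromise expected every five years, losing half the asset's value.
HOME_PC = dict(asset_value=1500.0, annual_rate=0.2, exposure_factor=0.5)

# Constructed candidates: (annual cost, residual rate, residual exposure).
HOME_OPTIONS = {
    "host firewall (paid)":       (50.0, 0.1, 0.5),
    "harden configuration":       (0.0, 0.1, 0.5),
    "dedicated appliance":        (400.0, 0.05, 0.5),
}


def demo() -> tuple:
    """Run the comparison on the constructed sample and return the choice."""
    return choose_countermeasure(**HOME_PC, options=HOME_OPTIONS)


if __name__ == "__main__":
    baseline = expected_loss(**HOME_PC)
    print(f"expected annual loss with no counter-measure: {baseline:.2f}")
    for name, (cost, r_rate, r_exp) in HOME_OPTIONS.items():
        total = cost + expected_loss(HOME_PC["asset_value"], r_rate, r_exp)
        print(f"  {name:28} cost {cost:6.2f} + residual {total - cost:6.2f} = {total:7.2f}")
    print("chosen:", demo())
```

With these numbers the appliance is rejected because its cost alone exceeds the loss it would prevent, which is the situation the risk step is designed to catch; changing the constructed inputs (a more valuable asset, a higher event rate) changes the answer, which is the whole point of doing the arithmetic per situation rather than applying one universal counter-measure.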
-
April 6th, 2004, 03:10 AM
#89
Catch, Pooh did something similar not long ago, maybe you could make it kind of like a project where you can let a few people take a "crack at it" ? You could make a thread about what you use to lock the box down maybe? I just know a lot of people here use Windows 2000 and that could be invaluable information to see how exactly you can harden it.
Maybe?
I still say this is one of the better threads the front page has seen in a while. Probably one of the better discussions the front page has seen in some time, and name calling has been at a minimum. Not as much flaming as most people would think. Then again, I've stayed the hell out of the main argument.
Catch is someone I do consider a buddy of mine, but he can hold his own I think, as can Chris...I mean, Chsh, sorry, forgot we can't be on a first name basis.
-
April 6th, 2004, 03:37 AM
#90
Since you are AGAIN taking things off course, I'm just going to reply to the stuff that is actually on topic to the thread.
Mmhmm...
Yes, you did give your opinion.
I stated fact. Firewalls are intended for X|Y if neither X|Y are true, the firewall is not called for.
Who is pitching the thoughtless solution? You are saying the OP's data isn't valuable enough to warrant protection.
Where did I say this? You view my solution as a lack of protection merely because it is not a type of protection to agree with or understand, it is still protection. My intent would be to have the original poster have the highest security, usable system... do you think they'll get there by listening to me or by installing Zone Alarm?
Detail how you secure the home systems for someone utterly unrelated to you to whom you have no guarantee of control over? System administration policies only go as far as the control of the body which sets them.
All that can be done is provide a framework, depending on how forceful that framework is and/or the cooperation of the system custodian controls the rest.
Explain how an app. firewall DOESN'T alter the security of the system.
First, the firewall deals with the security of the network, however if there is no network between the firewall and the systems it is securing, well then what is it securing?
Second I stated: "Adding to the complexity of ANY system without altering its security functionality (and even then if this functionality falls outside of the reference monitor) makes the system less secure." Clearly a firewall is outside of the system's reference monitor.
If you reread the last sentence of your first post, it sure makes it sound like you are trying to alter his policy.
Not at all, suggesting a different counter-measure is a part of risk mitigation, which falls under the risk portion of computer security. Policy development deals with classifying and implementing the selected counter-measure from risk management. Security Policy has nothing to do with choosing between two types of counter-measures.
Of course. The example is however irrelevant since the situation is not such, and it is an extreme whose sole purpose appears to be to distract from the facts.
How do you know it isn't? Have you ever looked into it? Either way, it still holds valid. IS security is just logical math, rules apply. Extremes are easier to prove, if you cannot find a paradox in the extreme, then you can't find one in the subtle where things get murkier.
There is a reason conventional wisdom exists
Yes, because most people are lazy and uneducated. It's "wisdom" cause it kinda sorta works, otherwise it'd be called "knowledge."
Just this weekend? Damn, I do have a life, as much as I may not seem to.
I'm moving next week and am not sure how long it might be after that.
But sure, pm me the details, or just PM me and I will give you my email address. I would like to give it a shot. I just want to be clear, I'm all for hardening a system, and I know it can be an effective defense.
We discussed this before as well about hardened systems by default. The system in question will not be hardened in any way, in fact it will be significantly weakened (remember what I said about using extremes as they are easier to prove?)
I will offer a windows 2000 http/ftp server with the following:
1. The ftp root will be world writable and contained within the http root for simpler execution.
2. All anon access for the IIS user will be via SID:500
3. The admin account policy will not be altered in any way
4. IIS will be in default installation
You will be free to upload any malicious scripts that you feel like, any trojans, cmd.exe if you like so you can have a command line.
All you need to do is deface the homepage, which will be owned by and have full control by SID:500.
Does this sound fair to you?
If I win and the system cannot be compromised in 96 hours, I never get attacked again for my advice by anyone who attempts in addition to a public apology.
If I lose, I will admit that I was wrong, apologize in public and not return to this site.
Deal? 
catch