
Thread: How many antivirii's can you install?

  1. #31
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,886
    If that were the case, we'd call them Firewall Suggestions, and not Firewall Rules.
    Precisely. Computers & related hardware do what we tell them to do. Now, there is a difference between doing what we tell it and doing what we want. Bottom line, unless there is a bug in the product, or you are a dumbass and misconfigure the device, the rule will work. This is another reason why you lab test equipment before deploying it.

    Having more than one AV *could* cause issues. I had a user with NAV and McAfee installed on his laptop. The combination of the two caused the machine to crawl. In effect, the damn thing was being DoSed by its own software. In addition, like another user posted, each saw the other's quarantine folder and a vicious circle of false positive infections was being logged.

    Dialup users should use a software firewall. Sure, this is perfectly sound advice. Telling a dialup user to add 10 other things is *not* sound advice - it's stupidity. Some may argue that it is layered protection but if you add a ton of crap, you'll have to be technically savvy in order to make everything work together (if possible). If you have this level of skill to begin with, you clearly won't need all the additional crap clogging up the works.

    Any decent mid range Cisco switch has VLAN capabilities. I happen to deploy Cisco gear but other manufacturers also have VLAN capabilities. You won't find this feature on a device made for home users.

    Configuration of a software firewall is not easier than a cable/dsl router. All you do is plug in the wires and *maybe* add auth credentials (based on your ISP) and off you go. The Linksys router is ready to go out of the box. NATing by itself will take care of 90% of the crap that will bang against your home network.

    Though I respect many of the people who posted content to this thread, I have to go with JP on most if not all counts. Anyone who has been in this business for more than a decade can tell you that there are many folks out there spitting out advice without truly understanding the implications. I run into this each and every day.

    One last thing, AngelicKnight, when someone like JP disagrees with your position and more or less calls you a butthead on a public forum, I'm not exactly sure that you should feel honored that he responded. Just a thought.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #32
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Dialup users should use a software firewall. Sure, this is perfectly sound advice. Telling a dialup user to add 10 other things is *not* sound advice - it's stupidity. Some may argue that it is layered protection but if you add a ton of crap, you'll have to be technically savvy in order to make everything work together (if possible). If you have this level of skill to begin with, you clearly won't need all the additional crap clogging up the works.

    The fundamental principle here is those items that are INTERACTIVE and those that are ON DEMAND.

    Basically, you should avoid running two interactive applications that are doing the same thing. Similarly, you should close an interactive application before running an on demand one that does the same thing. It is a question of that which is running concurrently and that which runs consecutively?

    It does not matter how many on demand applications you have so long as they are run consecutively and do not clash with any interactive applications you might have running. That is why (amongst other reasons) I prefer to run them in "safe mode" where possible.

    Whilst it is true that modern computers are very powerful and capable of multi tasking, it must be borne in mind that if you decide to run multiple applications from different sources you are responsible for the integration and compatibility..........forever......... In a commercial environment, this is tested in the laboratory on "reference machines", as Hoss mentioned.

    There is other software such as some of those that I mentioned in an earlier post, that do not actually "run" until a specified event occurs, or an application is launched. These I would generally consider "safe", but if they are plug-ins, remember that you are responsible for the integration when upgrades come along. The rules regarding not running two applications doing the same task concurrently, also apply.

    I happen to believe in layered protection, within the guidelines I have just mentioned.

    Cheers

  3. #33
    One last thing, AngelicKnight, when someone like JP disagrees with your position and more or less calls you a butthead on a public forum, I'm not exactly sure that you should feel honored that he responded. Just a thought.
    I was trying to be in good humor and show a little respect to the vets. I'm beginning to wonder if that was a mistake on my part, assuming professionals would prevail in a place like this.

    Not being able to counter a point without playing "holier than thou" is far from being professional. I don't get why some people here can't simply say "I disagree with you because of X" without adding "you idiot!" What's the point in even setting up this community as an educational resource when you patronize everyone who isn't as all-knowing as you? If we knew everything, we wouldn't even need to be here, and there would be no reason for AO to even exist.

    The newbie thread starter here asked everyone's opinion on a concept, and some of you, instead of just offering your input, have made it your mission to exhibit how superior you are in your knowledge. This is doing nothing to aid him in his understanding of the concept at hand, other than teaching him who NOT to talk to about it.

    I definitely find this behavior highly disappointing out of so-called "professionals". I may not know much of what I'm talking about yet, but I'm taking everyone's input very seriously and striving hard to learn more. And at least I REALIZE I don't know much. So let's get off the high horses and stick to making our cases.

    That said, I think that in the world of security, you don't assume food will never pass through the ceramic plate. You're prepared for even what you think can't happen. Is that such a stupid newbie thought? Am I not always hearing from you guys that we are the paranoid folks for good reason? That's the underlying reason I say "why not?" in certain situations where erring on the side of caution is far better an outcome.

  4. #34
    Senior Member
    Join Date
    Jun 2002
    Posts
    174
    That said, I think that in the world of security, you don't assume food will never pass through the ceramic plate. You're prepared for even what you think can't happen. Is that such a stupid newbie thought? Am I not always hearing from you guys that we are the paranoid folks for good reason? That's the underlying reason I say "why not?" in certain situations where erring on the side of caution is far better an outcome.
    I never said not to expect food to pass through the plate, but what good would having a paper one do? I may not entirely know what I'm talking about (I'm not exactly the hardware guru) but if something can get past the hardware that easily, what's to say that a thin firewall would be any more effective?

    Fill me in here, so I can sound learn-ed in the future.
    I'm back.

  5. #35
    I never said not to expect food to pass through the plate, but what good would having a paper one do?
    Now that's a good point. Indeed, in all likelihood not much. But the way I look at it, if they're going to get through, then by golly, I'm going to make it as annoying for them as possible all along the way, so that they'll get sick of sifting through paper plates. But yes, I concur that in all likelihood, you're probably screwed at that point.

    This is exactly what I did for a nonprofit I volunteered for (my first real hands-on network experience). They have a firewalled router in place, but I configured ZoneAlarm on each box on the network. ZA didn't consume enough resources to slow anyone down, and didn't interfere with the hardware firewall or anything else for that matter, ran seamlessly.

    Trying in my limited newbie thought (especially at that time) to think as an intruder, I knew if it was me, after working to get through the hardware firewall only to run into a software firewall on each machine, I'd think, "Gee, what an a-hole!" Also hopefully, at this point they'd get frustrated enough to decide working more to infiltrate just isn't worth it (I know, wishful thinking, but hey).

    And yes, ZA isn't the gold medal of firewalls, but it's the best I had to work with at the time.

    And yes, I do admit this may be an idiot idea, but from where I see it so far, it seems reasonable in theory...Certainly isn't hurting anything. And for new blood like myself, the major way to learn is by experimenting, and since I set all that up they haven't had a single problem, not so much as an e-mail virus slip through, whereas before I started working there they were hurting pretty bad.

  6. #36
    Senior Member
    Join Date
    May 2002
    Posts
    143
    I just want to say . . . nihil . . . . you're my hero!! As one who cannot afford the 'latest and greatest' in software or hardware but makes do with what is at hand - I applaud your comments. One of the reasons I joined AntiOnline was to learn of alternative ways to secure systems, even when they are now considered 'outdated' by most. Whenever I build a new system, I spend hours working out the bugs and making sure it is as secure as possible. Most of the knowledge I've acquired has been through these forums and the helpful insights from its members. Thanks to everyone who continues to contribute.

    V.
    All truths are easy to understand once they are discovered; the point is to discover them. What lies behind us and what lies before us are tiny matters compared to what lies within us.

  7. #37
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    What's with all the kiss-asses lately? Is that the new way to earn APs?

  8. #38
    Ah, Cybr1d's jealous. Need some worshipping?

  9. #39
    Senior Member
    Join Date
    Jun 2002
    Posts
    174
    Originally posted here by Cybr1d
    What's with all the kiss-asses lately? Is that the new way to earn APs?
    Would you rather have a few kiss-asses or just a bunch of asses?
    I'm back.

  10. #40
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Originally posted here by JP
    If you "know what you're doing", you realize installing both is stupid, and you don't do it in the first place. You don't just install security mechanisms because "it wouldn't hurt" if it "doesn't help" either.

    I'm not sure where people are getting confused as to what exactly a firewall does, and why so many people are saying install both.

    For example, someone said they installed a desktop firewall to take care of things that "slip through" their hardware firewall?

    Firewalls are set up with a set of rules. Things don't just "slip through" them. It's not like the rules only work "some of the time". If that were the case, we'd call them Firewall Suggestions, and not Firewall Rules.

    Even the largest of corporations and governmental agencies rely on border firewalls, and certainly don't expect each desktop to act as a firewall as well. Why not? Because that's not the role of a desktop computer, and for good reason!

    Firewalls are intended to be a border access control device, plain and simple. Desktop software versions of them were invented during the "dial up" era as a gimp version of a firewall, because individuals didn't have control over border access at all. (The earliest versions of these were freeware programs written by users on IRC to block things like winnuke. Software companies figured hey, might as well add a bit more functionality and make a commercial product out of them). They have long since outlived their usefulness, and exist solely to satisfy a consumer demand driven by a clear lack of understanding of what a firewall is and does, and the role one plays in information security.

    I stand by my earlier recommendation.

    I have to totally disagree with this.. I have never read in any security documentation that a firewall is solely intended as a border protection device (as in only on the outermost edge of your network)... I think you will find that more and more companies are enabling the software firewall built into XP so that they have less of an internal impact when a virus begins to run wild inside of their environment. The whole idea of only putting security at your borders was a bad one, and one that should have died several years ago... The concept of a border on a network doesn't exist anymore with the size of many corporate networks.. My personal take on it is that almost all computers will run a software based firewall regardless of what other network security is in place specifically to prevent "insider" attacks.

    My company has 50k+ desktops, every single new desktop that has XP has the firewall enabled in our custom install. I've also attended an MS security conference as well as a hands-on training session of theirs and they are 100% pushing the idea of software firewalls on all systems. ISA on the perimeter and Windows Firewall on the desktop is the new MS mantra.. I have also been involved with several outsourcing projects that my company is running for other Fortune 500 companies and they are taking the same software firewall on the desktop approach. The main reason is that it is just about impossible to prevent somebody from plugging a non-trusted computer into your trusted network (yes there is new Cisco equipment that is better at doing this, but it is easier and less expensive to deploy a software based firewall than a whole new network topology). So you get that one computer that has the new gaobot on it, and all of a sudden it is running wild on your corporate network. A software based firewall gives you almost 100% protection from unknown exploits that seek to infect a machine through an OS vulnerability. You can't infect the machine if the packet can't get too high up the TCP/IP stack...

    How does this train of thought apply to an individual user and not just a corporation? Very easy question to answer.. Let's say you have three Windows-based machines on your home network. Machine A gets infected with the 0day netsky.abcxyz variant because one of your kids accidentally hit yes instead of no when prompted to install something (you have after all told them not to ever accept installs if they don't know what it is)... So you now have a virus that is running totally unchecked on your local network. Now none of your AV software can pick up this new variant because they haven't had time to develop and deploy a new dat file. So all of your machines are now infected with this new virus as they all had the same vulnerability exposed that MS has yet to patch... But, if you would have had a software based firewall on each machine, only that first machine would be infected as that stateful packet inspection on your software based firewall doesn't allow the new netsky packets into your other machines as no data was ever requested from that machine on that port.

    So again I say, network borders (the outermost edge) as your only place of protection is just a bad idea..
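
The stateful host-firewall behaviour described in post #40, as an added example that is not part of the original thread: a minimal Python model of a default-deny inbound filter with a connection table. The class names, IP addresses and port numbers are assumptions constructed for illustration, and the last case shows the caveat that an explicitly opened port is not covered by this protection.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class HostFirewall:
    """Default-deny inbound; accept only replies to flows this host opened."""
    local_ip: str
    allowed_inbound_ports: frozenset = frozenset()  # services the owner exposes
    state: set = field(default_factory=set)         # (local_port, peer_ip, peer_port)

    def outbound(self, pkt: Packet) -> None:
        # Remember the flow so that the matching reply is accepted later.
        self.state.add((pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> str:
        if pkt.dst != self.local_ip:
            return "DROP"
        if (pkt.dport, pkt.src, pkt.sport) in self.state:
            return "ACCEPT"  # reply to a connection this host initiated
        if pkt.dport in self.allowed_inbound_ports:
            return "ACCEPT"  # explicitly published service
        return "DROP"        # unsolicited: never reaches the listening service

def simulate() -> dict:
    # Constructed home LAN: A is the infected machine, B runs the host firewall.
    a, b, web = "192.168.1.10", "192.168.1.11", "203.0.113.5"
    fw_b = HostFirewall(local_ip=b)
    fw_b.outbound(Packet(b, 50000, web, 80))  # B opens a web connection
    # Same machine, but with port 445 opened on purpose (constructed example).
    fw_open = HostFirewall(local_ip=b, allowed_inbound_ports=frozenset({445}))
    return {
        "web_reply": fw_b.inbound(Packet(web, 80, b, 50000)),
        "peer_probe": fw_b.inbound(Packet(a, 40000, b, 445)),
        "spoofed_port": fw_b.inbound(Packet(a, 80, b, 50000)),
        "peer_probe_port_open": fw_open.inbound(Packet(a, 40000, b, 445)),
    }

if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:22} {verdict}")
```
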
