Security

[715]

Probably almost everyone has a hardware firewall (say a WiFi router) but what fraction of those people do you think know how to program it?

[Skuzzy]

The most common vector is email.

And you don't have to give up all the sparklies if you have a good firewall scanning all that traffic

Very true.  LOL!  I forgot the most common attack vector.  DOH!

 I mentioned shutting all that down fluff as an option as most people do not have a decent firewall, even though they think they do.

I still shut off many things as they are just a nuisance to me.  Java will never be installed on any of my computers, for example.

[Bizman]

Probably almost everyone has a hardware firewall (say a WiFi router) but what fraction of those people do you think know how to program it?

That's so very true! I've been trying to find instructions about what and how to program it, but that information can't be found in the manuals. "This function" allows you to set "this function" as enabled or disabled doesn't really give you any information. So after several brands of modem/routers I've simply set the firewall to "on" using default settings. So far both my operator and myself have being happy with that - I've worked on cases where the service provider has closed the connection until the virus traffic has been cut down.

[Skuzzy]

Probably almost everyone has a hardware firewall (say a WiFi router) but what fraction of those people do you think know how to program it?

Those firewalls are very simplistic.  One should not rely on those to provide proper security against many different attack vectors.  About the most consistent thing they do is prevent outsiders from asynchronously attacking your network.  What they don't stop is most everything else.

There are many dedicated firewall devices available.  The best are going top cost quite a bit, but then provide more than passive protection.  Vulcan can talk about that better than I can, as I built my firewall.

[Vulcan]

Most of them are just packet filters. Not even what I would class as a firewall.

Packet Filters < Stateful Packet Inspection Firewalls < Deep Packet Inspection Firewalls.

Packet filters merely check packets against basic policies and are very easily bypassed/attacked. They do not detect data content such as virsuses or malware.

SPI firewalls have a state table, so are robust against being bypassed/and stateful attacks.  They do not detect data content such as virsuses or malware.

Only a DPI Firewall will detect and block malware and viruses.

There is a range of SPI firewalls that try to pretend to be DPI but are not really (often the freebie stuff using proxy to do AV scanning). However they are better than just SPI.

Home users typically do not use DPI firewalls as they tend to start off a bit more expensive (around us$500 with 1 year of services included and up from there).

[save]

Unfortunately the bad guys are winning right now, using SSL over port 443 (almost always is open) to connect to the mothership (bad guys HQ networks).

I work with a number of DPI / NG firewalls and WAF, IDP, and reputation/category filters etc for big companies.

For a home users/small business , IT education and awareness is more important than all the Firewalls and Antivirus/Malware programs in the world, even if they do help out. 

Cheapest way of getting out of trouble for a small company is to use appliance firewall with proxy and DPI, with reputation/category filters,  locked down PC's with good antivirus/antimalware programs


Best way of protecting a website is to use a WAF, they are incredible expensive and manpower hungry though.

[Vulcan]

A good DPI firewall will block access to C&C botnets, and will also SSL Decrypt.

WAF is not necessary for all websites, IPS should be enough. WAF is only really for transactional websites where you think you site might accidentally divulge stuff it should.

Anyone using a proxy based firewall should be shot. They have severe memory and scan limitations.

[save]

A good DPI firewall will block access to C&C botnets, and will also SSL Decrypt.

WAF is not necessary for all websites, IPS should be enough. WAF is only really for transactional websites where you think you site might accidentally divulge stuff it should.

Anyone using a proxy based firewall should be shot. They have severe memory and scan limitations.

WAF are sometimes required outside of finacial websites (read Governments, Military etc) most also provide functions to allow them to remove some or all numbers of a credit card, or social security numbers, etc, on a in/output stream.

A firewall do not need to be proxy based to be able to use for example Http based proxy functions.

Agreed, a proxy based firewall have limitations (or hefty hardware requirements).

[Bino]

What about using a Linux-based software firewall distro on an old spare PC box, i.e., ClearOS or IPFire ?

[Vulcan]

WAF are sometimes required outside of finacial websites (read Governments, Military etc) most also provide functions to allow them to remove some or all numbers of a credit card, or social security numbers, etc, on a in/output stream.

You are confusing IPS and DLP with WAF. WAF's primary function is to validate web transactions (not necessarily financial) against a known rule set or baseline. Commonly they're used to protect, SOAP/XML transactions, or anything hooking into a database. WAF typically have an IPS function though usually very limited. If you're buying WAF for IPS/DLP then that is a very expensive and inefficient way of doing it.

[save]

WAF appliances are normally modularized, you pay for the functionality your/customers security policy requres, and yes, they are expensive.

[MADe]

Oh, I also forgot to mention I have a hardened firewall.  I tend to forget about that.  It catches any bad guys before they can get to any of my computers.

There is one filter which catches any binary data in the WEB port(s) data stream which is not supposed to be there.  It lets me know about it so I can enable or disable that data coming through.  Another filter checks the image data to ensure it is not carrying a bad guy.

35+ years on the net and nothing has nailed me yet.

Skuzzy could you elaborate as to what you mean by hardened firewall.
If you remember I just recently had to redo my pc due to ransomware encrypting my pc. To bad for them that I keep nothing of value on my pc, so I just did a reinstall. I use malwarebytes premy, windows firewall generally, but I had turned it off, and the NAT in my modem. None of it worked.
It was a pain getting my pc back to where it was. It had been awhile since I had to do an install and of course I had forgotten many little tidbits. Just do not do it everyday.

So some knowledge on the subject would be appreciated. Some knowledge that did not interfere with the game and would stop this ransomware crap. Best choice for firewall options, best choice for a single virus killer. Also whats best security settings for IE 11?
ty

[Skuzzy]

The broadest explanation of a hardened firewall simply means it has more features dealing with securing a connection (packet filtering, stateful data and header checking, application proxies....).

[Vulcan]

Hardening in general IT terms means you do things to lock down something and minimize its attack surface (ie less points of vulnerability). it applies to all IT products not just firewalls.

Firewalls are broken down into:
 - packet filters (simplest form, not really effective these days, this is what most home routers are)
 - Stateful Packet Inspection (most common but useless against modern attacks/threats)
 - Deep Packet Inspection (current technology which is most effective but requires more CPU horsepower)

[Getback]

I'm reviewing my logs and I see 52.1.188.138 appears quite often on blocked IP Addresses. It's Amazonas or something like that. I haven't even been to Amazon on that computer.

What's up with that?