Aces High Bulletin Board
General Forums => The O' Club => Topic started by: BlckMgk on November 29, 2004, 11:38:33 AM
-
Hey folks,
Was wondering if any of you were in the field of network securities or database management.
If not, do you know folks that you could recommend.
The gist of what I need done is to secure our office network, and possibly set up a VPN for a few users as well as a secure connection between databases.
Any advice would be appreciated.
Thanks,
BM
-
You can buy all the security stuff in the world. And then you surf to a website and you get a backdoor/trojan installed and you're shrecked anyway.
Good luck ;)
-
If you're based in the New York area I can recommend the network consultants that we use. We don't have a Proxy Server for Internet - Only 32 PCs with Internet Access so I use Internet Filter Software from the link below. It's been running for a year and no problems - makes my life easy at work. For a database solution we use QED (Web Based and written in Java). They are based in Mass.
Internet Filter (http://www.internetfilter.com)
QED (http://www.qed.com)
-
In network security and currently in love with Netscreen (Juniper). Tell me what you want to secure - how many users - speed of your connection - are you wanting to secure/segment the databases internally?
-
Vulcan, I'd like to get in contact with you via phone or e-mail.
If this is possible shoot me one at shipping@jagdistributors.com,
Thanks
-BM
-
Originally posted by BlckMgk
Hey folks,
Was wondering if any of you were in the field of network securities or database management.
If not, do you know folks that you could recommend.
The gist of what I need done is to secure our office network, and possibly set up a VPN for a few users as well as a secure connection between databases.
Any advice would be appreciated.
Thanks,
BM
Me, depending on what you're trying to accomplish.
-
email sent mate.
-
You can throw all the software & technology at it you want, but none of that fixes the primary security problem. Users. Normally, I'd recommend fixing that with a .45 & a shovel, but that's not always appropriate.
Write good security procedures. Drill them into your users' heads. Enforce proper password procedures. Make an example out of somebody occasionally if they ignore you. It's pretty effective. Here, I'm a lot more worried about getting hit by a social engineer than a 1337 h4x0r, because the good ones never let you realise you've been hit.
-
A brick is your best network security.
Knock everyone out before they can login.
-SW
-
Originally posted by indy007
You can throw all the software & technology at it you want, but none of that fixes the primary security problem. Users. Normally, I'd recommend fixing that with a .45 & a shovel, but that's not always appropriate.
Write good security procedures. Drill them into your users' heads. Enforce proper password procedures. Make an example out of somebody occasionally if they ignore you. It's pretty effective. Here, I'm a lot more worried about getting hit by a social engineer than a 1337 h4x0r, because the good ones never let you realise you've been hit.
That's not the primary security problem anymore. Let me ask you a question, what sort of firewall do you use at work?
-
got a little Cisco PIX 501 on the rack. Only vulnerability I know about that could hit it is the uh.. SNMP exploit for DOS attacks. the VPNC exploit in 6.3.x isn't really a concern since nobody here gets to VPN.
our connection is contracted through the IT group at the distributor. car dealerships work kinda funny. no clue what they have on their end, and after having to talk to their techs, I don't trust it anyways.
There are only 3, thankfully, major security issues I have to keep my eye on full time here.
1) Information theft, that can lead to a hefty lawsuit by customers. That's the most major concern because... well... they've rammed it down my throat... but I don't make policy, I just enforce it.
2) Spyware & malware caused by (*@ salespeople. I'm terrified of the day a customer hops on a kiosk PC, and the porn popups start spamming little bobby (see previous statement about lawsuit). I'll catch the fallout from that one, even though I didn't cause it, and am doing my best to prevent it... keeping thorough traffic logs in my safe for the day I have to defend myself.
3) Somebody hijacking the customer lounge wireless access. Can't fire up WEP or WPA cuz "everybody" is supposed to be able to use it. I have it isolated in a 192.x.x.x range, on its own, very limited router, away from all of our live IPs. At least the building keeps the signals pretty well inside. Failing that, I have a wifi detector & a cattle-prod (BOFH is my hero) to ensure "site security". Customers are on their own, must protect their own stuff, but occasionally when I see wide open shares, I look around for them and point it out.
-
Originally posted by Vulcan
That's not the primary security problem anymore. Let me ask you a question, what sort of firewall do you use at work?
Here's some links you might find useful...........
http://www.myrne.net/tech.htm
A useful collection of links on security and hacking issues, as well as setting up VPN. If you use Linux, you might find this one interesting (even if parts of it are a little dated, it's still relevant)
http://www.ibiblio.org/mdw/HOWTO/VPN-HOWTO/
And this one.......
http://www.e-infomax.com/ipmasq/
IP Masq is a pretty darn cool way of keeping a small network hidden from hackers (even if that wasn't its original intent). I've used it successfully on a home network, as has a buddy of mine who is a UNIX sysadmin.
-
Originally posted by indy007
got a little Cisco PIX 501 on the rack. Only vulnerability I know about that could hit it is the uh.. SNMP exploit for DOS attacks. the VPNC exploit in 6.3.x isn't really a concern since nobody here gets to VPN.
our connection is contracted through the IT group at the distributor. car dealerships work kinda funny. no clue what they have on their end, and after having to talk to their techs, I don't trust it anyways.
There are only 3, thankfully, major security issues I have to keep my eye on full time here.
1) Information theft, that can lead to a hefty lawsuit by customers. That's the most major concern because... well... they've rammed it down my throat... but I don't make policy, I just enforce it.
2) Spyware & malware caused by (*@ salespeople. I'm terrified of the day a customer hops on a kiosk PC, and the porn popups start spamming little bobby (see previous statement about lawsuit). I'll catch the fallout from that one, even though I didn't cause it, and am doing my best to prevent it... keeping thorough traffic logs in my safe for the day I have to defend myself.
3) Somebody hijacking the customer lounge wireless access. Can't fire up WEP or WPA cuz "everybody" is supposed to be able to use it. I have it isolated in a 192.x.x.x range, on its own, very limited router, away from all of our live IPs. At least the building keeps the signals pretty well inside. Failing that, I have a wifi detector & a cattle-prod (BOFH is my hero) to ensure "site security". Customers are on their own, must protect their own stuff, but occasionally when I see wide open shares, I look around for them and point it out.
Perfect example. Cisco PIX 501, probably the smallest stinking pile of poo you can use for security. If you bought it more than 12 months ago you're forgiven, if you bought it within the last 12 months you need a kick in the ass.
Three solutions that you should have looked at: Sonicwall TZ170; Sonicwall TZW or TZ170W; Netscreen 5GT.
All of these provide light IDP capabilities which not only will protect any services you might be hosting, but will also stop a huge amount of spyware/malware even getting through to your users' desktops. The Netscreen also provides content filtering and anti-virus on the gateway (NAI).
In the case of the TZW/TZ170W these are integrated Wireless security solutions. You can secure your Wireless traffic with IPSEC as well as providing wireless guest services with a "walled garden" approach, as well as provide IDP on the wireless traffic to spot any nasties.
A properly configured GOOD QUALITY firewall will stop the nasties getting in, and in the case of these 3 report any nasties trying to get out (even nasties trying to tunnel over http).
That PIX on the edge of your network... you might as well have put a cheap crappy netgear in.
-
It was here before I got here. Also, my annual IT security budget is $0.00. I work with what I've got, which unfortunately is uh... not much.
-
Originally posted by StarOfAfrica2
Here's some links you might find useful...........
http://www.myrne.net/tech.htm
A useful collection of links on security and hacking issues, as well as setting up VPN. If you use Linux, you might find this one interesting (even if parts of it are a little dated, it's still relevant)
http://www.ibiblio.org/mdw/HOWTO/VPN-HOWTO/
And this one.......
http://www.e-infomax.com/ipmasq/
IP Masq is a pretty darn cool way of keeping a small network hidden from hackers (even if that wasn't its original intent). I've used it successfully on a home network, as has a buddy of mine who is a UNIX sysadmin.
Errr that stuff is all crap. sysadmins = people who think they know about networks but don't. That stuff deals with 5 year old security issues, it's not going to help you in today's environment.
-
Originally posted by indy007
It was here before I got here. Also, my annual IT security budget is $0.00. I work with what I've got, which unfortunately is uh... not much.
Yeah I feel for ya. Why is it management never see the need until the network is falling down around their ears.
We run a test lab with a Netscreen 5GT in our office, and my counterpart in another office does the same with the Sonicwalls (we distribute both products among other things in NZ).
We have two demonstrations:
1) we have several "honeypots", email, ftp, http servers. These attract daily interest from hackers. All sorts of attacks come in. All we have to do is show them the logs and that's enough to scare most people into realizing their security is inadequate. Sometimes you see weird attacks like this:
2004-11-30 16:51:06 emer optatck_6_IMAP_err has been detected from 202.73.198.140/50819 to 192.168.1.2/143 through policy 4 1 times.
2) we then demonstrate some basic web browsing with a McAfee protected PC through the firewalls with Deep Inspection/IDP turned off for that PC. McAfee usually pops up some spyware malware. We then repeat the sites we visit with Deep Inspection/IDP turned on, and of course McAfee stays silent, and the firewall logs show stuff like this:
2004-11-30 17:09:47 info HTTP:TUNNEL:CHAT-MSN-IM has been detected from 192.168.10.2/14473 to 65.54.213.62/80 through policy 15 1 times.
2004-11-30 17:08:04 error DB:MS-SQL:SQLXML-ISAPI-OF has been detected from 192.168.10.2/14408 to 207.97.253.208/80 through policy 15 1 times.
2004-11-30 16:35:19 info HTTP:SQL:INJECTION:GENERIC has been detected from 192.168.10.2/14194 to 65.59.207.13/80 through policy 15 1 times.
2004-11-30 16:10:46 warn HTTP:REQERR:REQ-MALFORMED-URL has been detected from 192.168.10.2/13731 to 66.28.224.242/80 through policy 15 1 times.
2004-11-30 15:54:09 info HTTP:SQL:INJECTION:GENERIC has been detected from 192.168.10.2/13619 to 207.246.136.196/80 through policy 15 1 times.
Now your Cisco PIX is letting that garbage straight through.
After that most people realize their Cisco, Linux, Checkpoint, or brand X firewall is not enough :) . Just talking about it doesn't seem to achieve much, whereas showing someone the benefits on a live system does. One recent customer replaced an old Watchguard with a Sonicwall 4060, first 2 days they had over 4000 attacks detected that previously had been going straight through that watchguard.
-
Originally posted by Vulcan
Errr that stuff is all crap. sysadmins = people who think they know about networks but don't. That stuff deals with 5 year old security issues, it's not going to help you in today's environment.
Nice bedside manner. This is why they don't let the network guys out of the back room. Much of the stuff on the sites I pointed out IS dated, and I said as much. It's still relevant, and useful, with the proper attention to current threats. I wouldn't use it on a real network, but for a small one or home one it's good stuff.
Obviously, intelligence and education don't indicate good manners or even good reading comprehension. At least not in your case.
-
Originally posted by Vulcan
Yeah I feel for ya. Why is it management never see the need until the network is falling down around their ears.
We run a test lab with a Netscreen 5GT in our office, and my counterpart in another office does the same with the Sonicwalls (we distribute both products among other things in NZ).
We have two demonstrations:
1) we have several "honeypots", email, ftp, http servers. These attract daily interest from hackers. All sorts of attacks come in. All we have to do is show them the logs and that's enough to scare most people into realizing their security is inadequate. Sometimes you see weird attacks like this:
2004-11-30 16:51:06 emer optatck_6_IMAP_err has been detected from 202.73.198.140/50819 to 192.168.1.2/143 through policy 4 1 times.
2) we then demonstrate some basic web browsing with a McAfee protected PC through the firewalls with Deep Inspection/IDP turned off for that PC. McAfee usually pops up some spyware malware. We then repeat the sites we visit with Deep Inspection/IDP turned on, and of course McAfee stays silent, and the firewall logs show stuff like this:
2004-11-30 17:09:47 info HTTP:TUNNEL:CHAT-MSN-IM has been detected from 192.168.10.2/14473 to 65.54.213.62/80 through policy 15 1 times.
2004-11-30 17:08:04 error DB:MS-SQL:SQLXML-ISAPI-OF has been detected from 192.168.10.2/14408 to 207.97.253.208/80 through policy 15 1 times.
2004-11-30 16:35:19 info HTTP:SQL:INJECTION:GENERIC has been detected from 192.168.10.2/14194 to 65.59.207.13/80 through policy 15 1 times.
2004-11-30 16:10:46 warn HTTP:REQERR:REQ-MALFORMED-URL has been detected from 192.168.10.2/13731 to 66.28.224.242/80 through policy 15 1 times.
2004-11-30 15:54:09 info HTTP:SQL:INJECTION:GENERIC has been detected from 192.168.10.2/13619 to 207.246.136.196/80 through policy 15 1 times.
Now your Cisco PIX is letting that garbage straight through.
After that most people realize their Cisco, Linux, Checkpoint, or brand X firewall is not enough :) . Just talking about it doesn't seem to achieve much, whereas showing someone the benefits on a live system does. One recent customer replaced an old Watchguard with a Sonicwall 4060, first 2 days they had over 4000 attacks detected that previously had been going straight through that watchguard.
Well....if these are your logs, a few things you do not point out, your source address is a private IP and would have to be NATed to get to the internet, i.e. the traffic is coming from the internal network.
Try again!
-
Originally posted by Heater
Well....if these are your logs, a few things you do not point out, your source address is a private IP and would have to be NATed to get to the internet, i.e. the traffic is coming from the internal network.
Try again!
Actually heater, the session is initiated by the internal IP. You see, there's a basic fundamental requirement that the users browse to the webpage, the webpage doesn't browse to the user. Hence the source IP for the session is the NAT'd internal address.
If it were a remote internet user browsing to my web server, then the source IP would be their internet IP.
Back to skool for you pleeb!
-
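The direction argument in the two posts above can be checked mechanically from the log lines themselves. The following is an added example, not part of the thread or of any vendor tooling: it parses the lines quoted above, labels each detection by whether the session was initiated from a private (RFC 1918) address, and totals outbound detections per internal host. The field layout is inferred from the quoted lines only, and all function names are illustrative.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from typing import NamedTuple, Optional

# Log lines copied verbatim from the post above.
SAMPLE_LOG = """\
2004-11-30 16:51:06 emer optatck_6_IMAP_err has been detected from 202.73.198.140/50819 to 192.168.1.2/143 through policy 4 1 times.
2004-11-30 17:09:47 info HTTP:TUNNEL:CHAT-MSN-IM has been detected from 192.168.10.2/14473 to 65.54.213.62/80 through policy 15 1 times.
2004-11-30 17:08:04 error DB:MS-SQL:SQLXML-ISAPI-OF has been detected from 192.168.10.2/14408 to 207.97.253.208/80 through policy 15 1 times.
2004-11-30 16:35:19 info HTTP:SQL:INJECTION:GENERIC has been detected from 192.168.10.2/14194 to 65.59.207.13/80 through policy 15 1 times.
2004-11-30 16:10:46 warn HTTP:REQERR:REQ-MALFORMED-URL has been detected from 192.168.10.2/13731 to 66.28.224.242/80 through policy 15 1 times.
2004-11-30 15:54:09 info HTTP:SQL:INJECTION:GENERIC has been detected from 192.168.10.2/13619 to 207.246.136.196/80 through policy 15 1 times.
"""

# Assumed layout: timestamp, severity, signature, src/port, dst/port, policy, hit count.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<sev>\w+) (?P<sig>\S+) has been detected from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"through policy (?P<policy>\d+) (?P<count>\d+) times\.$"
)


class Event(NamedTuple):
    ts: str
    severity: str
    signature: str
    src: str
    dst: str
    dport: int
    policy: int
    count: int
    direction: str


def classify(src: str, dst: str) -> str:
    """Label a session by which end sits in private address space."""
    src_private = ipaddress.ip_address(src).is_private
    dst_private = ipaddress.ip_address(dst).is_private
    if src_private and dst_private:
        return "internal"
    if src_private:
        return "outbound"   # session initiated by an inside host
    if dst_private:
        return "inbound"    # outside host reaching an inside server
    return "transit"


def parse_line(line: str) -> Optional[Event]:
    """Return an Event, or None when the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        direction = classify(m["src"], m["dst"])
    except ValueError:      # octet out of range, e.g. 999.1.1.1
        return None
    return Event(m["ts"], m["sev"], m["sig"], m["src"], m["dst"],
                 int(m["dport"]), int(m["policy"]), int(m["count"]), direction)


def parse_log(text: str) -> list:
    """Parse every matching line, skipping anything unrecognised."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def outbound_by_host(events) -> dict:
    """Per internal host, total hits per signature on sessions it initiated."""
    hosts = defaultdict(Counter)
    for e in events:
        if e.direction == "outbound":
            hosts[e.src][e.signature] += e.count
    return hosts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in events:
        print(f"{e.ts} {e.direction:8} {e.severity:5} {e.signature} "
              f"{e.src} -> {e.dst}:{e.dport}")
    for host, sigs in outbound_by_host(events).items():
        print(host, dict(sigs))
```

An outbound entry says the signature fired on a session the inside workstation opened, so the workstation is the machine to triage first.
-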
Originally posted by StarOfAfrica2
Nice bedside manner. This is why they don't let the network guys out of the back room. Much of the stuff on the sites I pointed out IS dated, and I said as much. It's still relevant, and useful, with the proper attention to current threats. I wouldn't use it on a real network, but for a small one or home one it's good stuff.
Obviously, intelligence and education don't indicate good manners or even good reading comprehension. At least not in your case.
LOL bedside manner? You're not one of my customers so I can say what I like. Pay me and I'll be polite.
If it's not good enough for a "real" network then why the hell would you recommend it for a home network? There's no reason for a home network to be any less protected than a "real" network, especially given people store lots of personal confidential information on their PCs at home, and may even use their home network to access their corporate network (ie VPN in).
I just don't like people linking to a bunch of crap that they tell others is good security. The worst offenders are sys admins, especially Linux or Microsoft monkeys who don't have a clue about the capabilities of anything beyond their OS.
-
Originally posted by BlckMgk
Hey folks,
Was wondering if any of you were in the field of network securities or database management.
If not, do you know folks that you could recommend.
The gist of what I need done is to secure our office network, and possibly set up a VPN for a few users as well as a secure connection between databases.
Any advice would be appreciated.
Thanks,
BM
would be glad to help, but i'm in Poland ;)
-
Originally posted by Vulcan
LOL bedside manner? You're not one of my customers so I can say what I like. Pay me and I'll be polite.
If it's not good enough for a "real" network then why the hell would you recommend it for a home network? There's no reason for a home network to be any less protected than a "real" network, especially given people store lots of personal confidential information on their PCs at home, and may even use their home network to access their corporate network (ie VPN in).
I just don't like people linking to a bunch of crap that they tell others is good security. The worst offenders are sys admins, especially Linux or Microsoft monkeys who don't have a clue about the capabilities of anything beyond their OS.
When I say "real" network, I'm talking more than a handful of computers in a large network. I'd use the setup any day for up to 5, maybe as much as 7 computers on a network, depending on the bandwidth of the connection. Not only is it secure, it's free. All you are out is the cost of an older PC to stand as the "visible-to-the-internet" box holding your IP.
I said the links were useful. I even said IPMasq was good for a small network. I never said the links were "good security", or made a recommendation that the info be followed, and again, I even mentioned that some of the information was dated. It was recommended for reading, and getting ideas, not to be taken as state-of-the-art gospel for IT security issues. Obviously your reading comprehension skills ARE in need of help. Of course, you don't need to read do you? Keep scratching monkey, maybe you'll get lucky eventually and find a clue.
It's awfully funny, you have such a thing against sysadmins. Every one I know gets to tell the network guys what to do, not the other way around. Sour grapes maybe?
-
Originally posted by StarOfAfrica2
It's awfully funny, you have such a thing against sysadmins. Every one I know gets to tell the network guys what to do, not the other way around. Sour grapes maybe?
Prolonged exposure to book learned MCSE has warped the perspectives of many of us. I don't have problems with good system admins. I know a few of them, and learned a lot of useful stuff. However, those are few & far between. 90% of the system admins I've met had lots of certifications, but no practical experience. I wouldn't trust them to run a vacuum cleaner, let alone a production database box. They're the same people that quit their day-jobs, took a 2 week course, and flooded the market during the dot-com boom. On the flipside of that, I had to lecture some co-workers on how xDSL worked a few years ago... all of them were CCNAs at the minimum (except me, with no certs).. their eyes glazed over, and a 15 minute briefing turned into 2 hours of "It's irrelevant. You're thinking too much. It's not part of the issue." & "You know we're talking about DSL... right?".
Lack of common sense is universal, and analytical ability is very difficult to train. Now I'm a decently paid desktop tech/system admin/network admin/helpdesk support person, and don't have to play dueling egos with any technical person. At least the users are still cowed into submission quickly enough with the appropriate jargon...
-
What can I say on this topic? I'm an admin.
The Admins actually have a life. You "Uber" Nerds really are swinging your dicks in this thread ain't you.
Well, I guess being laughed at all your life, you deserve some place to show off.
And by the way, set up your security system. It all comes down to the end user anyway. No matter what crap hardware you buy.
-
Originally posted by Vulcan
If it's not good enough for a "real" network then why the hell would you recommend it for a home network? There's no reason for a home network to be any less protected than a "real" network, especially given people store lots of personal confidential information on their PCs at home, and may even use their home network to access their corporate network (ie VPN in).
While I agree that both should be protected, a cheap netgear firewall is quite sufficient for most home networks. They aren't easy to hack if you at least change the password and there is much less motivation for someone to spend the effort to break into my home computer than a corporate network. Even if all some bozo is going to do is break in and upload shared filez he'll find a company's measly T1 far more useful than my relatively slow cable uplink speed. I've been continuously up on broadband for at least 6 years now and have never been hacked or at least have seen no evidence of it.
-
Originally posted by indy007
Prolonged exposure to book learned MCSE has warped the perspectives of many of us. I don't have problems with good system admins. I know a few of them, and learned a lot of useful stuff. However, those are few & far between. 90% of the system admins I've met had lots of certifications, but no practical experience. I wouldn't trust them to run a vacuum cleaner, let alone a production database box. They're the same people that quit their day-jobs, took a 2 week course, and flooded the market during the dot-com boom. On the flipside of that, I had to lecture some co-workers on how xDSL worked a few years ago... all of them were CCNAs at the minimum (except me, with no certs).. their eyes glazed over, and a 15 minute briefing turned into 2 hours of "It's irrelevant. You're thinking too much. It's not part of the issue." & "You know we're talking about DSL... right?".
Lack of common sense is universal, and analytical ability is very difficult to train. Now I'm a decently paid desktop tech/system admin/network admin/helpdesk support person, and don't have to play dueling egos with any technical person. At least the users are still cowed into submission quickly enough with the appropriate jargon...
You have a point. It's too easy these days to take a class on how to be a sysadmin and pass a test at the local vocational training college and say you are "certified." In their defense, in many areas it's really hard to get hired on without either experience or certification. Guess which is easier to get? And there for a while in the mid-90s companies really pushed certs. Microsoft didn't help matters by posting all over the internet that just having an MCSE cert. was enough to land you a 60k per year and up job. I can remember reading (from the Microsoft website) that a person with an MCP cert. should be making 25k-30k STARTING pay. Granted 25k ain't much. I have an MCP and I sure don't brag about it. That's like saying I listened to Sally Struthers and learned how to fix cars from home. It ain't getting me a job at the Ford dealership garage. But seriously, a lot of us were suckered into paying for those certs. because we were told companies wanted that.
I quit working on my MCSE after the first 3 tests. I decided I really wanted to learn UNIX systems but I couldn't afford to go back to college again. I'd been on the fence about Linux for some time, but it was really catching on in the late 90s. Even IBM jumped on the bandwagon. I threw my hat in the ring and went full forward. A company in St. Louis started training people to pass the Linux sysadmin cert. program, and also was doing switchovers for companies running WindowsNT that wanted to change to Linux, and offering 24 hour tech support. They promised people who passed the cert. tests out of their classes jobs starting at 40k per year with full benefits. They had offices in 8 cities, and claimed lots of revenue. They scammed us. Turned out they only had one client, had tons of hardware they got fronted to them, had lots of us in the classes providing them with some income, but they had the prospect looming of hiring all of us from the classes if we passed. Long story short, they folded operations and left us high and dry without our money and without jobs, AND without the certification. I went ahead and taught myself what I hadn't learned and paid for my own certification, certain that Linux was coming into its own and I wanted to be there, not just to take advantage but to understand it. Its success varies from city to city, but where I'm at now it's pretty hard to find a job. Even Windows guys here, while in more demand, have a hard time. Too many of them. I changed careers and I'm happy enough. I get to dabble now instead of working in it every day.
-
Originally posted by Maniac
What can I say on this topic? I'm an admin.
The Admins actually have a life.
Uh huh :rolleyes:
-
Originally posted by AKIron
While I agree that both should be protected, a cheap netgear firewall is quite sufficient for most home networks. They aren't easy to hack if you at least change the password and there is much less motivation for someone to spend the effort to break into my home computer than a corporate network. Even if all some bozo is going to do is break in and upload shared filez he'll find a company's measly T1 far more useful than my relatively slow cable uplink speed. I've been continuously up on broadband for at least 6 years now and have never been hacked or at least have seen no evidence of it.
Though I'm inclined to agree with some of what you say, there's a real shift in attack patterns and exploits going on.
Firstly, most attacks used to be of a disabling/damaging kind. This has now shifted to an exploitive/information gathering pattern.
Secondly, most attacks/hacks used to be done by hand. This has now shifted towards attack/exploit automation.
Last, most spyware/trojans came from clearly identifiable "dodgy" webpages or software. This has now shifted to hackers exploiting compromised "good guy" web servers without taking them down.
As an example, say you visit a website like the AH BBS. One day someone hacks the BBS, gets in, but instead of the usual kiddie crap uploads a trojan into the HTML. You come here, browse the site totally trusting HTC. Next thing you know you have a trojan. That person then installs keylogger software, and gets routine dumps emailed to them that allows them to search for username/password combinations. Is there anything you log into from home that you don't want others to see? They also sell your IP as part of zombi'd PC deals for spammers (1 million zombi'd pc's for $10k is what I've heard you can get for 24 hours).
It's getting so bad that many organisations like banks who provide online servers are moving down the path of two tier authentication systems and looking at making online banking customers subsidise these tokens. We've just had one start doing it in NZ.
-
Originally posted by AKIron
While I agree that both should be protected, a cheap netgear firewall is quite sufficient for most home networks. They aren't easy to hack if you at least change the password and there is much less motivation for someone to spend the effort to break into my home computer than a corporate network. Even if all some bozo is going to do is break in and upload shared filez he'll find a company's measly T1 far more useful than my relatively slow cable uplink speed. I've been continuously up on broadband for at least 6 years now and have never been hacked or at least have seen no evidence of it.
That's the whole truth. There is NO network that can't be compromised... the question is always "when" not "if". I'm working for the biggest isp in Poland and as an IT manager (before that a sys admin many years) I know who we are hiring and how much we pay them - the security folks... every single one of them discovered and published many holes in various OSes but the other thing (browse for lcamtuf, bulba or cliph) is how many of their findings they are keeping for themselves? And believe me, the answer is - not that little. Now think about the number of the guys who have so great knowledge. Think about the number of the holes in the OSes and software, then about how long it takes to prepare a security fix for the hole that is published.
That leads to the conclusion - every system/network can be compromised :)
When you look at it that way, you have to remember that the majority of the hackers are script kiddies who have no real knowledge. They can be stopped without using any sophisticated methods, also they are looking for non-secured systems to hack. A "cheap" firewall is more than enough to stop them.
Then it all depends on your needs, for example, it is not needed to implement the whole DMZ on a home network, but it can be a good idea for the company who really wants to protect something while exposing something. There could be many more examples, you could build an advanced IDS/IPS system and so on... :)
As for the specific systems you could use, you always have to make sure what you need, then how much you can spend on it. If you answer those questions you will only have to check what you can get for the money you can spend and select the best option.
If you don't have the money to invest, in most cases you will have to invest your time (or someone's time) to build a solution that suits you.... or to recover from losing some of your data ;)
-
Originally posted by bikekil
That's the whole truth. There is NO network that can't be compromised... the question is always "when" not "if".
When you look at it that way, you have to remember that the majority of the hackers are script kiddies who have no real knowledge. They can be stopped without using any sophisticated methods, also they are looking for non-secured systems to hack. A "cheap" firewall is more than enough to stop them.
I disagree, the majority of hackers are no longer script kiddies. The script kiddie stuff is only the stuff that's actually detected the majority of the time. The hackers have switched from bragging mode to lets make some $$$ mode - and that's the stuff that slips by undetected. A cheap firewall is almost a complete waste of time. You might as well put no firewall in and hope for the best with your AV software.
I rarely see the type of attacks a cheap firewall protects against coming in. In fact, I could put two PCs side by side, connect one to the internet with a cheap firewall, and average AV software. Connect the other directly to the internet with good AV software like McAfee's 8i but no firewall. I guarantee the one with the cheap firewall would be compromised way before the one with McAfee 8i would.
Most network security is also focussed on assuming that a network can be compromised AND detecting it. Part of the Netscreen DI package is alerts on potential trojans trying to get out from infected machines.
Let me ask you this bikekil, what type of firewalls does your ISP use? Do you offer clean traffic options to your subscribers?
-
Cisco PIX, Linux firewalls, FreeBSD firewalls - that's what we use.
We are not filtering the traffic for our "home" clients but we can do it for the "enterprise" ones, however it's not my area of operations.
As for the firewalls for the offices, as long as you know what you are doing, iptables can do everything you need, it's more than cheap - it's free :D I say that iptables are enough to protect home and small business offices. You can read the logs as an admin and build your own or use available scripts to look for the attack attempts if you don't like to read the logs yourself.... Also people do live with so-called "personal firewalls" long years without being compromised. Of course you still need to know what to do, but some "freeware" firewalls I've seen can filter out every traffic you need, so you only have to know how to use it.
Of course I'd never recommend it as anything more than a firewall that's protecting a home PC.
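The kind of log-reading script mentioned in the post above, as an added example that is not part of the original thread: it parses kernel lines written by an iptables `-j LOG` rule and flags sources that probe many ports or keep hitting one. The `IPT-DROP: ` log prefix, the thresholds and the sample lines are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict

PREFIX = "IPT-DROP: "   # assumed --log-prefix value of the iptables LOG rule
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample input in the kernel log format of an iptables LOG rule.
_TCP = ("Nov 30 09:12:01 gw kernel: IPT-DROP: IN=eth0 OUT= SRC={src} "
        "DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=40001 DPT={dpt} SYN")
SAMPLE_LOG = (
    [_TCP.format(src="203.0.113.7", dpt=p) for p in (21, 22, 23, 25, 80)]
    + [_TCP.format(src="198.51.100.20", dpt=22)] * 6
    + [_TCP.format(src="198.51.100.99", dpt=445),
       "Nov 30 09:12:05 gw sshd[411]: Connection closed by 198.51.100.20",
       "Nov 30 09:12:06 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 "
       "DST=192.0.2.10 LEN=84 TTL=51 PROTO=ICMP TYPE=8 CODE=0"]
)

def parse_drop(line):
    """Return the KEY=value fields of one logged drop, or None."""
    _, found, rest = line.partition(PREFIX)
    if not found:
        return None                      # not written by the LOG rule
    fields = dict(FIELD.findall(rest))
    return fields if "SRC" in fields and "PROTO" in fields else None

def summarize(lines, scan_ports=5, hammer_hits=5):
    """Flag sources that probe many ports or keep hitting one port."""
    hits = defaultdict(lambda: defaultdict(int))   # src -> (proto, port) -> count
    for line in lines:
        f = parse_drop(line)
        if f is None or not f.get("DPT", "").isdigit():
            continue                     # ICMP and other port-less drops
        hits[f["SRC"]][(f["PROTO"], int(f["DPT"]))] += 1
    report = {}
    for src, per_port in hits.items():
        if len(per_port) >= scan_ports:
            report[src] = ("port-scan", sorted({p for _, p in per_port}))
        else:
            (_, port), count = max(per_port.items(), key=lambda kv: kv[1])
            if count >= hammer_hits:
                report[src] = ("repeated-attempts", [port])
    return report

if __name__ == "__main__":
    for src, (kind, ports) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} {kind:18} ports={ports}")
```

A single stray drop, such as the one packet to port 445 in the sample, stays out of the report, which keeps the output readable on a busy link.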
-
Attack of the Networking NERDS.
-SW
-
Originally posted by Vulcan
A cheap firewall is almost a complete waste of time. You might as well put no firewall in and hope for the best with your AV software.
As one who has cleaned up many messes caused by worms or other automated attacks against those with no protection I have to say this just isn't true. I've been in the networking field since '94 and I've never had to do the same for someone behind even simple nat. And yes, I hate working on home computers but it's inevitable when you're self-employed as all of your business customers have home computers.
-
Originally posted by AKIron
As one who has cleaned up many messes caused by worms or other automated attacks against those with no protection I have to say this just isn't true. I've been in the networking field since '94 and I've never had to do the same for someone behind even simple nat. And yes, I hate working on home computers but it's inevitable when you're self-employed as all of your business customers have home computers.
What he said. You need a basic FW. No matter how cheap it is it will do you good.
-
Of course there is nothing you can do to protect users from themselves, short of hitting them with a brick as SW suggested.
-
Originally posted by bikekil
Cisco PIX, Linux firewalls, FreeBSD firewalls - that's what we use.
We are not filtering the traffic for our "home" clients but we can do it for the "enterprise" ones, however it's not my area of operations.
Righteoooo I rest my case. Here's a perfect example of what I'm talking about.
-
Originally posted by Maniac
What he said. You need a basic FW. No matter how cheap it is it will do you good.
Explain to me why, assuming I have McAfee 8i installed, which protects me from worms, buffer overflows, trojans and viruses. Explain to me what the benefits of a cheap firewall would be?
-
Originally posted by Vulcan
Explain to me why, assuming I have McAfee 8i installed, which protects me from worms, buffer overflows, trojans and viruses. Explain to me what the benefits of a cheap firewall would be?
It's like putting a fence around your property. If somebody really wants to go over it, they will. However, it makes your fenceless neighbor's house look more enticing.
-
Originally posted by indy007
It's like putting a fence around your property. If somebody really wants to go over it, they will. However, it makes your fenceless neighbor's house look more enticing.
Not good enough. I want an exact technical explanation of the advantages of one personal computer, with a firewall and average AV software connected to the internet versus another personal computer with just McAfee 8i connected to the internet. I want to know exactly in technical terms the advantages of that cheap firewall.
-
Let me get this straight Vulcan, you're advocating every home user should get one of the 3 appliances you mentioned?
McAfee 8i huh.... what other AV software are you running in conjunction with it?
-
Script Kiddie twin powers activate...
boor ....... yawn..........
Click your heels three times and say magic network please work.. real fast and all your network be belongs by us....
who's going to show up next the "Sweet Pickles Bus"..........
DoctorYO
PS bikekil's solution with iptables is sound and I second that.. can't beat free...
all this norton, checkpoint and other bs is freakin seal clubbing at its best...
-
Originally posted by Vulcan
Explain to me why, assuming I have McAfee 8i installed, which protects me from worms, buffer overflows, trojans and viruses. Explain to me what the benefits of a cheap firewall would be?
You have to be kidding me?
I will give you an explanation tomorrow, it's late here and I'm drunk, and I have to get to bed for work tomorrow.
And I have to read up on McAfee 8i before I comment, but you added that part afterwards. But it sounds like it has some sort of FW or port watcher or something.
I'll get back to ya.
Edit : HEHEE! :D , My knee jerk response would be McAfee 8i works on known "patterns", a basic FW blocks all incoming traffic. If there's a new virus/worm then McAfee 8i is no use.
But then again, I have to read up on McAfee 8i :-P
-
Originally posted by Vipermann
Let me get this straight Vulcan, you're advocating every home user should get one of the 3 appliances you mentioned?
McAfee 8i huh.... what other AV software are you running in conjunction with it?
You ever seen a Netscreen 5GT ADSL in action? Every techie I've shown one to has asked for *special* pricing for one for home.
I know people can't afford them. But I hate the response like the above apathy where people often comment on how this "freeware" does a great job or try to make comments like "you'll always get compromised", when in reality there are perfectly good products on the market that will actually do a lot more than the average sysadmin knows about.
I'm betting only one person in this thread has played with the IDP functionality of a Netscreen or Sonicwall and seen it in action. I'm betting not many have used any form of IDP device as well.
-
I've worked with Netscreens Vulcan and they are quality (if a bit pricey) devices. Not arguing about that. I can give you a very good reason to put in a cheap firewall vs software security. Have you ever watched someone run a DoS or buffer overflow attack against a PC or router? A heck of a lot of traffic. Which do you want being pounded, your PC or that cheap firewall?
-
Interesting question akiron.
On one hand, your PC is probably going to just drop the packets anyway. It may cause some processor overhead.
On the other hand, your firewall will drop the packets, however the cheap firewall CPU is usually something in the sub-100 MHz range. It's quite possible a DoS attack could overwhelm the firewall, whereas the PC might just take a 5-10% CPU hit.
-
Originally posted by Vulcan
Not good enough. I want an exact technical explanation of the advantages of one personal computer, with a firewall and average AV software connected to the internet versus another personal computer with just McAfee 8i connected to the internet. I want to know exactly in technical terms the advantages of that cheap firewall.
Does that personal computer have to be a Windows box? :)
If it can be an open source system, then you have a firewall for free, intrusion detection for free and you should pay for the antivirus software ONLY and if you really want to save, you have ClamAV, that's also a free solution.
In addition you can scan all of your e-mail with amavis + ClamAV (or F-Secure or anything), you can scan every "proxy" traffic and so on... for free, or pretty cheap when you want to pay for the antiviral software (that's what we decided to do).
If you want to be sure it's secure, you can cluster the Linux boxes :)
Centralised management and reporting - you can write your own script or use some log analyzer (webalizer) to have centralised reporting. It's harder with the management part, but after all, you have the admins to manage the thing... if not, most of the stuff is based on config files anyway, so you could write a management console that suits your needs pretty easily.
-----------------------------------
Everything while we assume that you have the time to go with an open source thing. If you don't have the time to invest in it, it's better to pay for a solution that's already built :)
-
Originally posted by bikekil
If it can be an open source system, then you have a firewall for free, intrusion detection
OK let's pick this particular gem out.
What Layer 7 Firewall system is available for free on any open source system?
What IDP system is available for free on any open source system?
If you can provide either (which somehow I seriously doubt) who is responsible for attack signature updates?
-
Vulcan,
How would you compare one of their systems with a Check Point SecuRemote system.
Does it compare well in pricing, can they be set up for High Availability with clustered systems? For the added fee they give you the key for the IDS add-on as well. I have not looked into virus scanning on the system itself. We use corperate mcaffy (yes I know my spelling sucks)
-
Originally posted by Vulcan
OK let's pick this particular gem out.
What Layer 7 Firewall system is available for free on any open source system?
What IDP system is available for free on any open source system?
If you can provide either (which somehow I seriously doubt) who is responsible for attack signature updates?
It is not free, but I have been looking into a Linux-based system for home use, and depending on how it works, look into it in the workplace next year
http://www.astaro.com/
-
Originally posted by Vulcan
OK let's pick this particular gem out.
What Layer 7 Firewall system is available for free on any open source system?
What IDP system is available for free on any open source system?
If you can provide either (which somehow I seriously doubt) who is responsible for attack signature updates?
Here is an example:
http://www.clarkconnect.com/info/
You have everything you need and everything is based on open source solutions :)
They have some kind of support over there and are responsible for things... but,
Willing to try? It's free for non-commercial purposes :)
If it's an open source thing - you can build it yourself without paying anyone.
Attack signatures? Why do I need them?
It's an addition to the regular log analysis.
If I have no time (have no security team or so) I could base on the signatures of attacks that someone wrote and would have to wait for the updates... while it's more secure to control things yourself and have the various features as a bonus.
Virus definitions are another story and it's really cool to have a good system from a good vendor.
As for the security updates for Linux itself?
If a hole in a piece of software is published you have to do:
apt-get update
apt-get upgrade
and you are good to go :)
Of course you can recompile stuff the manual way.
(pure Debian baby, but ClarkConnect and some other distros are using it too).
-
I believe you can get updated attack sigs from the Snort sites. Not positive. But I am willing to bet they are there somewhere.