[ILUG] Security: Was Naive ADSL/WiFi questions (long (sorry!))?

Michael Watterson watty at eircom.net
Sat Jun 23 09:37:20 IST 2007


Josh Glover wrote:
> On 23/06/07, Rick Moen <rick at linuxmafia.com> wrote:
>
>> Quoting Josh Glover (jmglov at wmalumni.com):
>>
>> > http://www.itsecurity.com/interviews/interview-bruice-schneier-051607/
>> > http://www.schneier.com/blog/archives/2007/06/nonsecurity_con_1.html
>>
>> http://www.ranum.com/security/computer_security/editorials/master-tzu/
>
> Interesting that you quote Marcus Ranum, as he and Bruce Schneier have
> an ongoing "feud". ;)
>
> http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1256994,00.html 
>
>
I've run a firewall since 1995. For about ten years I installed Small
Office systems with a separate firewall.

My conclusions about security:
1) Physical Access. If there is physical access all bets are off.
2) Users have to be allowed access to their own PCs, unfortunately, so 
they need training. Works better than AV software.
3) External Access. Don't allow unknown provenance SW to be run.
Floppy, CD, or Internet. Why did almost every PC supplied have Floppy left
as default boot device? Disable all network bindings and services not
needed.
4) Don't run AV software as (a) it gives users a false sense of security so
they won't bother with lessons in (2) and (b) it doesn't really work.
5) Be 110% expert in configuring any service / device connected to Internet.
6) Only patch for real threats. In 2 years of being responsible for one
office's IIS/NT4.0 server on the actual Web via firewall one patch was
needed to protect against a DOS attack. Everything else was a
question of configuration.
6) Have a mail server that eats anything executable and mail clients 
with no or really off javascript and that are given a false proxy 
address to block any internet content.
7) If in doubt use a non-AV tool that detects unwelcome visitors, when
in doubt.
8) Block all webmail so the mail server is filtering.

I ran a NT4.0 based firewall proxy for 10 years at home with only the 
main NT SP updates, no patches, hotfixes or AV.
I use silentrunners.org to occasionally check any XP system I'm 
suspicious of.
The offices I managed never had any viruses or Trojans.

My experience is that with a properly configured Firewall almost 100% of 
malware is self inflicted via ignorance and that almost all the security 
warnings are irrelevant if you have a firewall and not running any 
Internet Services.

So for last couple of years I don't host any service on Internet unless
it is set up with username, password and a white list of IPs to connect
(say stream my own video source or VNC) and it's known to be securable.
My Mailserver no longer uses SMTP to receive mail, it picks it all up
via POP3.

I use hosted Web, FTP, Mailserver etc with 200G monthly cap and an
annual cost less than typical ISP connection now for last couple of
years. Pick a hosting company that keeps those secure and have your own
backups. Self hosting even for a moderate sized business should be history.

All my kids have had Internet on their own PCs as they got old enough to 
use a PC since 1995 (own PCs since about 1992). Even with 2 students 
working on the from home based Multimedia business etc, we never have 
had a single virus or trojan.  Linux has been an off & on "minority 
sport" in the house since 1998 with the kids.

Traditionally people had to be fairly expert to install and use Unixes
at all. I've always maintained that, that is where the security came
from. Most IT "professionals" and vendors appear to know less about MS
configuration than Linux Endusers know about Linux. Even Microsoft
seems to think Vista is Win98 and appears to have forgotten why most of
the stuff they inherited from IBM OS/2 and DEC VMS was in NT3.1. I had an
NT 3.5 server on 12M RAM and 386 20MHz CPU that worked fine. I had RH6.0
on 486-66MHz with 32M of RAM.

When you see the software bloat, C++ compilers being used to write bad C
and the spec of HW needed, I can't but feel we are going backwards from
what was known in 1985 - 1986 when I worked on C++ compiler, Occam,
Modula-2, Parallel processing, Provably correct SW, Object
Orientated SW etc. About the only step forward seems to be able to have
a real SQL server for data on a Laptop instead of brain dead CP/80
type solutions like DbaseII and Access etc.

Linux might be getting more user friendly and more driver support, but
it's heading down the same one way street that NT has got to with Vista.
Vista is definitely NT's ME. It's hard to see given how big it is now
and bloated that MS hasn't gone over the event horizon. An NT4.0 based
server will still run with file, print and Mail with about 24M of RAM
utilised on a P90. Even Embedded Linux OS on Kernel 2.4 now seems to
need a higher spec.

Bloat means less secure & reliable SW as no one can understand it.

-- 
Mike
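
The "mail server that eats anything executable" item in the list above, sketched as an added example that is not part of the original post: a filter that replaces executable attachments with a notice before delivery. The extension blocklist, the magic-byte check and all function names are assumptions; the sample message is constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist; extend it to match local policy.
BLOCKED_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk")
MAGIC = (b"MZ", b"\x7fELF")  # DOS/PE and ELF file headers
NOTICE = "Attachment removed by mail filter policy.\n"


def is_executable(part) -> bool:
    """True if a leaf MIME part looks executable by name or by content."""
    name = (part.get_filename() or "").lower().strip()
    # endswith() looks at the final extension, so "invoice.pdf.exe" is caught.
    if name.endswith(BLOCKED_EXT):
        return True
    # The name can be changed freely, so also check the decoded content.
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(MAGIC)


def strip_executables(raw: bytes):
    """Return (cleaned message bytes, list of removed attachment names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if is_executable(part):
            removed.append(part.get_filename() or "(unnamed)")
            # set_content() clears the old Content-* headers and payload.
            part.set_content(NOTICE)
    return msg.as_bytes(), removed


def build_sample() -> bytes:
    """Constructed test message: two disguised executables, one benign file."""
    m = EmailMessage()
    m["From"], m["To"] = "a@example.org", "b@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("See attached.\n")
    fake = b"MZ\x90\x00 constructed, not a real binary"
    m.add_attachment(fake, maintype="application", subtype="octet-stream",
                     filename="invoice.pdf.exe")
    m.add_attachment(fake, maintype="image", subtype="jpeg", filename="photo.jpg")
    m.add_attachment(b"plain notes\n", maintype="text", subtype="plain",
                     filename="notes.txt")
    return m.as_bytes()
```

The content check is what catches `photo.jpg`: its name passes the extension test, but its first bytes are a DOS/PE header.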



