North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: New Computer? Six Steps to Safer Surfing

  • From: Sean Donelan
  • Date: Fri Dec 24 08:21:01 2004

In practice, the biggest difference between infected computers and
non-infected computers appears to be the age of installed patches.
The debate about AV/firewalls is a bit of a red herring.

On Mon, 20 Dec 2004, Fred Baker wrote:
> I guess my question is: why rely on a firewall at all? Yes, a firewall at
> ingress to a network will reduce the probability or effectiveness of an
> attack from "outside" in many cases. But in many cases the infection is
> from "inside", and in any event something in the network or in the end
> system at the edge of the network can only really address link and network
> layer attacks effectively.

Standalone firewalls (network/hardware firewalls) are useful
administrative boundaries, but are limited security tools especially in a
world of mobile laptops and tunnels. Inside/outside is very blurry for
most home users. Almost everything a home user does is "outside" the
home network perimeter. The reality appears to be network worms are
only one vector for compromising a computer. I'm not sure network
worms are even the most common infection vector today.

Although I think standalone firewalls are a Maginot Line, I still
perform the initial bootstrap and patching of new consumer-grade
computers behind a standalone firewall.  The options for dialup users
are even more limited. However the lack of patching seems to be a
bigger problem for dialup users.

> I personally would far rather presume that the end system is responsible
> for its own security, and that there are security considerations at every
> layer. Reduce the incidence and track attacks with network-based tools, but
> in the final analysis build the applications and stack code to withstand
> attacks.

You are almost always safer turning off the service on the host, rather
than letting the service run and trying to block access. Trying to
figure out all the possible communication channels is very difficult. If
you build your own system configuration, by simply not installing or running
unnecessary services eliminates both known and unknown vulnerabilities in
those services.  Some operating systems make it very difficult to
discover what is running on the computer or turning off unusused
services.  Microsoft Windows has a bug in several versions of netstat, so
you can't even rely on the vendor's own tools.

An infected computer is still infected even if you block some access.
Worse, the average user isn't very good at deciding what access to permit
or deny. The problem is what do you do when your basic end system is
untrustworthy and can not successfully manage its own security?