Computer security - NAC
Brett Dikeman
quattro at pdikeman.ne.mediaone.net
Mon Oct 23 21:15:05 EDT 2000
At 3:05 PM -0400 10/23/00, Robert Myers wrote:
>All this is freeware. If you are concerned over potential
>vulnerability then this may be a way for you to achieve some level
>of security. If anyone would like some URLs, lemme know.
Some is the key word here.
The free firewalls, save the BSD and Linux based, dedicated-machine
systems, are for the most part worthless. Even the ones you have to
pay for are usually pretty crappy.
Even Checkpoint, which is considered a top-of-the-line enterprise
solution (costing MANY thousands of dollars), failed a lot of basic
tests in the NT version because they failed to replace a lot of NT's
networking code; the joke being that the firewall itself was then
vulnerable to the attacks it was trying to protect other systems
from. The Solaris version is another story entirely.
Also, beware of the security scanning tools; they're basic at best,
and usually intended only to "scare" you and get you to buy the
associated software package which will, of course, make your computer
-more- secure (more=some). They're not out to check your
firewall...they're just interested in the guys and gals who don't
have anything (aka the "Something on the web said my computer wasn't
secure! Oh my god!" :-)
I haven't heard anything about the tools Bob is using...good or bad,
so I'm neutral. OTOH, I've never heard of the company or the
product, which tends to put something lower on my list.
Like with anything else, use Bob's positive experience as
encouragement to check out the software, hunt down some reviews. If
you don't find this package, you might find a different one. There
ARE some freeware gems out there (and if they're true gems, there will
be plenty of user comments and reviews out there to prove it), but
even those can have some big holes; there was one particular
Windows-based free router/NAT package which had a MASSIVE security
hole; it was so bad that even the cable/DSL ISPs were scanning their
customers to detect the program, and disabling their accounts.
There -are- exceptions to both the web-based scanning tools and the
personal firewall programs, but they're rare.
The most secure solution (but also the most expensive for a SOHO
situation) is usually something like the various SOHO firewall
"appliances" running around. I would recommend a WatchGuard Firebox
SOHO for the basic user; SonicWall makes a VERY nice unit that has
some extremely advanced features; for example, I get paged if someone
tries an attack on the firewall; it also has logging to a syslog
server, or sending me logs every 7 days or when they fill...via
email. If you don't know what syslog is, the SonicWall is probably
overkill for you; it's expensive and not worth it if you don't
want (or can't use) the additional features.
The logs show a frightening amount of attacks; it recognizes many of
them (something the WatchGuard was quite poor at, BTW). It's been
quiet recently, since at the moment I don't have web or incoming
mail enabled. When I did, however, I was barraged with attacks, port
scans, the whole 9 yards. A day's worth of logs would span more than a
page of single-line items. People see a few common services, and
that leads them to believe that your system is worth poking at.
Scans for Windows exploits are by far the most common. Occasionally
I see something more unusual, like Sun RPC attacks, things like that.
Every once in a while, I look up the IP address in the logs and fire
off an email to the source ISP :-)
Bret
--
----
Brett Dikeman Systems Engineer
CFN(formerly iClick, Inc) 914-872-8043
120 Bloomingdale Rd. 914-872-8100(fax)
White Plains, NY 10605 http://www.iclick.com
PGP Fingerprint: 06C2 5D5B D2B4 7626 BB24 2BBC 9E4A C8B3
PGP Key location: http://pdikeman.ne.mediaone.net/pgp/brett.pgp
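The post above describes reading a day's worth of firewall syslog entries by hand, picking out port scans and probes for Windows and Sun RPC services, and looking up the source IP to report it. The script below is an added example of doing that triage over log lines; it is not code from the post or from either firewall vendor. The log layout it parses (a generic "DROP/ACCEPT src= dst= proto= spt= dpt=" syslog line), the sample lines, the port-to-probe-family table and the "five distinct ports = port scan" threshold are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (assumption: a generic syslog-style firewall
# record layout, NOT SonicWall's or WatchGuard's real export format).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct 23 20:01:11 fw kernel: DROP src=203.0.113.7 dst=198.51.100.2 proto=TCP spt=4321 dpt=139
Oct 23 20:01:12 fw kernel: DROP src=203.0.113.7 dst=198.51.100.2 proto=TCP spt=4322 dpt=445
Oct 23 20:01:12 fw kernel: DROP src=203.0.113.7 dst=198.51.100.2 proto=TCP spt=4323 dpt=135
Oct 23 20:02:40 fw kernel: DROP src=192.0.2.50 dst=198.51.100.2 proto=TCP spt=1000 dpt=21
Oct 23 20:02:40 fw kernel: DROP src=192.0.2.50 dst=198.51.100.2 proto=TCP spt=1001 dpt=22
Oct 23 20:02:40 fw kernel: DROP src=192.0.2.50 dst=198.51.100.2 proto=TCP spt=1002 dpt=23
Oct 23 20:02:41 fw kernel: DROP src=192.0.2.50 dst=198.51.100.2 proto=TCP spt=1003 dpt=25
Oct 23 20:02:41 fw kernel: DROP src=192.0.2.50 dst=198.51.100.2 proto=TCP spt=1004 dpt=80
Oct 23 20:02:41 fw kernel: DROP src=192.0.2.50 dst=198.51.100.2 proto=TCP spt=1005 dpt=110
Oct 23 20:02:42 fw kernel: DROP src=192.0.2.50 dst=198.51.100.2 proto=TCP spt=1006 dpt=111
Oct 23 20:02:42 fw kernel: DROP src=192.0.2.50 dst=198.51.100.2 proto=TCP spt=1007 dpt=143
Oct 23 20:02:42 fw kernel: DROP src=192.0.2.50 dst=198.51.100.2 proto=TCP spt=1008 dpt=443
Oct 23 20:03:05 fw kernel: DROP src=198.51.100.77 dst=198.51.100.2 proto=UDP spt=53 dpt=111
Oct 23 20:03:30 fw kernel: ACCEPT src=192.0.2.9 dst=198.51.100.2 proto=TCP spt=2001 dpt=25
Oct 23 20:03:31 fw kernel: this line is not a connection record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+\S+\s+(?P<action>DROP|ACCEPT)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+"
    r"spt=(?P<spt>\d+)\s+dpt=(?P<dpt>\d+)$"
)

# Destination ports taken as hints of the probe families the post mentions.
# This port-to-family mapping is the example's own assumption.
WINDOWS_PORTS = {135, 137, 138, 139, 445}
SUNRPC_PORTS = {111}


def classify_port(dpt):
    """Map a destination port to a coarse probe family."""
    if dpt in WINDOWS_PORTS:
        return "windows"
    if dpt in SUNRPC_PORTS:
        return "sunrpc"
    return "other"


def parse(log_text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["spt"] = int(rec["spt"])
            rec["dpt"] = int(rec["dpt"])
            yield rec


def summarize(log_text, scan_threshold=5):
    """Aggregate dropped connections per source address.

    A source is flagged as a port scan once it has been dropped on at
    least scan_threshold distinct destination ports (the threshold is a
    tunable assumption, not any vendor's definition of a scan).
    """
    per_src = defaultdict(lambda: {"drops": 0, "ports": set(), "families": Counter()})
    for rec in parse(log_text):
        if rec["action"] != "DROP":
            continue  # only blocked attempts are counted as hostile
        entry = per_src[rec["src"]]
        entry["drops"] += 1
        entry["ports"].add(rec["dpt"])
        entry["families"][classify_port(rec["dpt"])] += 1
    for entry in per_src.values():
        entry["scan"] = len(entry["ports"]) >= scan_threshold
    return dict(per_src)


def report(log_text, scan_threshold=5):
    """One line per source, busiest first: the summary you'd send to an ISP."""
    lines = []
    summary = summarize(log_text, scan_threshold)
    for src, e in sorted(summary.items(), key=lambda kv: -kv[1]["drops"]):
        fams = ", ".join(f"{k}={v}" for k, v in sorted(e["families"].items()))
        tag = " PORT-SCAN" if e["scan"] else ""
        lines.append(f"{src}: {e['drops']} drops on {len(e['ports'])} ports ({fams}){tag}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Only DROP records are aggregated, so the accepted mail connection from 192.0.2.9 never appears in the report; the source that walks nine services gets tagged as a scan, while the three-port SMB/RPC probe from 203.0.113.7 is reported by family without a scan tag. Point it at a real export only after adjusting LINE_RE to the format your appliance actually writes.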