[PLUG] Winders Security Software Recommendations

Derek Loree drl at drloree.com
Thu Nov 6 13:37:02 UTC 2003


On Thu, 2003-11-06 at 10:46, Zot O'Connor wrote:
> On Thu, 2003-11-06 at 07:50, Derek Loree wrote:
> > On Thu, 2003-11-06 at 00:44, Jason Van Cleve wrote:
> > > Sorry if this is a tad OT, but I need some quick advice from you
> > > network admins.  What are the going recommendations for firewall
> > > software and virus software, on Windoze boxen.  This is for an
> > > extremely end-user demographic--farmers on dial-up, in fact--so it has
> > > to be easy to install.  (And hardware firewalls are out, because these
> > > people could never be persuaded to buy one.)  Probably around 50%
> > > Win98 and 50% XP.
> > > 
> > I still have to recommend dial-on-demand floppy routers; the hardware
> > can be found for next to nothing, and once they are set up nobody has to
> > mess with anything.  On a winblowz box, you never know when some popup
> > will install a server that will get by ZoneAlarm (or disable it).
> 
> I am assuming this is a rollout to many people.  An added box has a
> number of new points of failure:
> 
> 1)  The hardware (Chips, memory, etc.).
> 2)  The floppy.
> 3)  Its network card.
> 4)  The network card in the windows box.
> 5)  The cable (assuming a crossover).
> 6)  The power supply to the box.
> 7)  People believing that the "box" is broken.
> 
> 1-6 are huge when everything is remote.

Practically speaking, only 2 and 7 are real problems.  4 need not be
considered; network cards are at least as sturdy as win-modems (and more
stable in my experience).  The floppy router will need to be running a
"real" modem, which will make for a much better connection, and they seem
to run forever.  As for 5, network cables are at least as sturdy as
phone lines, subject only to physical damage.  Sure, there is a chance
that other hardware will fail (you forgot the memory), but most of the
older stuff that is still around is very sturdy.

If you start with a fresh power supply and CPU fan (if it needs one),
then the average time to failure should be at least a couple of years.

So, it really comes down to the floppy as the main weakness.  This can
be solved by using a slightly newer box that will boot a CD-ROM
firewall, or by wrapping the floppy drive in a plastic bag.  It looks
tacky, but it does solve at least two of the most common problems: dirt
collecting on the media as it sits waiting for a power outage, and people
ejecting the disk because they have been trained to think that a
computer shouldn't be booting from the floppy disk.  Heat build-up is not an
issue, because the floppy drive is run so rarely.
>   
> 
> 7 is enormous.  People see this "other" box, and it does black magic,
> and therefore it is the evil thing.  I am not exaggerating.  I had a
> tech savvy client call me 6 or 7 times because the proxies I built were
> down.  I would walk them through a process to only discover that the
> proxies were clearly blocking only HTTP calls that were routed to the
> database, the same database that went down repeatedly.  Each time I had
> to explain how difficult it would be for the proxy to suddenly go down
> for one type of call over the other when it did no content filtering. 
> But each time they blamed the black box rather than run a simple test. 
> I finally created an active web page to do monitoring, but that is
> another story of human stupidity.
> 
The beauty of these black boxes is that they just work.  When the end
user gets used to this idea, they learn to start their troubleshooting
elsewhere.  I have a feeling (but no concrete evidence) that supporting
a herd of floppy routers (essentially configured the same) would be much
less expensive than supporting a herd of winblows machines directly
connected to the web, just from a man-hours-required point of view.

> The main advantage of a box approach is with SSH you can log in and
> monitor the connectivity and answer questions.
> 
Not if it can't dial out.  But, you can have the customer log in (this
could be over a null-modem) and follow instructions from tech support.
 
> The real problem is the box only protects against direct port attacks
> per se.  If you add squid it can filter adware, some malicious code.  If
> you add A/V streams it will catch downloaded streams.
> 
> It will not catch malware that is not detected in streams.  It will not
> protect IE from attacks (unless the filter is updated constantly).
> 
I will have to admit that this is true, but this is not part of the
firewall function; it is a function that MUST be run on winblows to make
up for the lack of careful design, independent of the firewalling
technique.  There is a difference between network intrusion and software
intrusion: the firewall should be responsible for stopping network
intrusion, and software on the local host should be responsible for
stopping software intrusion.  You can't get away from running software
intrusion stoppers on each winblows box.
 
> It will not protect if these machines are portable.
> 
This is also true, and short of running a reasonable OS on the portable,
I don't have a good answer to this one.

I know this will probably never fly, but it sure is fun to imagine an
ISP that will provide Linux boxes as a firewall solution.

Derek Loree
