Knowledge challenge


Kees1958
November 20th, 2006, 04:32 PM
Okay, members of Wilders, this is your chance to show and share your knowledge.

What is the idea?
Set up a multi-layered defense architecture with as little overlap as possible. Use the diagram to fill in your selected set of security apps.

What is the challenge?
To argue for your choices, e.g. I do not want pop-ups, therefore I use community-based security programs; or I do not want to pay for security apps; or I think two consecutive layers of defense are nonsense because . . .

What is the reward?
Respect of the Wilders members, and having fun.

Kees1958
November 22nd, 2006, 07:03 AM
Okay, since nobody dared, I will give it a try.

When setting up a multi layered defense my preferences are:
- freeware
- to stop an attack as early as possible. T

This is the reason why I prefer sandboxing/virtualisation (DefenseWall) over classical HIPS like SSM or AntiHook.

Ad DSA (Dynamic Security Agent)
According to this preference you can ask: why do you have such a 'weak' (only 2 plusses) choice, while there are also excellent freeware firewalls like Comodo or Jetico?
The reason for this is that Comodo, for instance, notices when a whitelisted application gets changed (e.g. a DLL implant), but it only warns when the changed application tries to connect to the internet. I think this is a pity, because the DLL implant has already taken place. I have to go through a lot of effort to undo this implant. If Comodo warned me at the moment the implant takes place (f.i. Zapass), it would be my choice. Now it warns me that a thief is trying to break out (instead of preventing the thief from breaking in).
Because I have a hardware (built-in) inbound firewall, I can live with the basic/primary TCP-initiate protection (no packet filtering) DSA offers. I also realise that DSA is not very termination-'hardened'. But I trust the strong defense of DefenseWall. Since DW is not a network/application firewall, the simple protection DSA offers complements DW, since (to my knowledge) it is hard to find a freeware security app with protection as strong as DW's.
Given this fact (the first line of defense, DW, being the strongest), I do not think there is any use in stacking other applications behind DW, eating processing power.
I have disabled the behavior elements of DSA (the system and email anomaly features), because I do not see the added value (in relation to CPU use). This is the reason I did not mention DSA under behavioral blocking.
Although it is a whitelist application, DSA has a learning mode in which you can unselect "Require user approval for each alert". This silences the learning period.

DefenseWall
When I select a security program I look at three aspects:
a) strength of design architecture (theoretical protection strength)
b) quality of implementation (does it work in practice?)
c) usability (is it easy to configure?)

According to this preference sequence it would be obvious to use VMware (OS and file system separation), which offers the highest theoretical protection, or the next best, Sandboxie/BufferZone (file system separation). The reason for not choosing VMware (even though Ilya of DW advises using it when trying programs) is money and CPU capacity. The reason I rate the usability/seamless implementation of access-restriction sandboxes over the file-separation sandboxes is that my wife uses that PC a lot.

So why did I choose DefenseWall instead of GeSWall?
GeSWall is freeware, Brian offers excellent support, and GeSWall is based on the policy management technology of XP (a design plus). The reason is simple: GeSWall has 4 levels of intrusion protection, while DW has only two. GeSWall also offers more granular control, but the downside is that the user has to make the correct decisions, thus leaving the weakest link (myself) as the critical element.
I think GeSWall is as strong as DefenseWall, only in Gizmo's test comparing 8 sandboxes GeSWall failed the drive-by test, while DW, tested by the same author in a 6-HIPS review, passed those tests. DW out of the box with no pop-ups was the clear winner of the 6-HIPS review. Although the HIPS and the sandbox tests were not 1-on-1 comparable, the drive-by infection test was the same. So this configuration risk (of the weakest link - myself) was the reason to spend 30 bucks on DW. I admit that the reason for the choice was more a psychological than a logical one (the set-and-forget plus of DW).
(On my play-time laptop with valuable info on it I use SSM free and GeSWall free.) Because of the positive reviews and the ease of use I therefore rated DW 5 plusses.

ANTIVIR
In AV-Comparatives Antivir scores well on tests; it is the best free AV. I do need an e-mail AV, because my ADSL service provider does this for me. I realise that KAV with PDM (behavior) or NOD with active heuristics (also a form of additional behavioral protection) are better choices, but they cost more.
Antivir is a blacklist AV with limited heuristic capabilities; that is why four plusses are mentioned in that cell.

Note 1
I use the static defense of SpywareBlaster. It uses a blacklist of IP addresses, tracking cookies and ActiveX. I also use the on-demand phishing protection of IE7 (my wife needs IE because her music pay site requires ActiveX).

That's it; any comments or replies are appreciated.

Kees1958
November 22nd, 2006, 07:05 AM
Forgot to upload the picture :wacko:

BlueZannetti
November 22nd, 2006, 08:03 AM
Kees1958,

A now somewhat dated thread, Security that you use and its purpose (http://www.wilderssecurity.com/showthread.php?t=78484), tried to tackle similar ground, although the functional breakout was not as explicit; my own contribution at the time is here (http://www.wilderssecurity.com/showpost.php?p=352128&postcount=6).

I don't believe my underlying philosophy for typical users has changed a lot, but the offerings certainly have with the recent flood of various proactive applications. I didn't restrict myself to free, so my own contribution does not apply to the present thread, but the basic design ethic does, and it's really not a lot different from the one you propose.

Blue

Kees1958
November 22nd, 2006, 08:46 AM
Blue,

You give me too much credit; it is not my model. It is a model used by either Gartner or Forrester (IT research/consultancy firms doing paid research for the industry and large companies). I should not have used the first-person manner of speech.

The underlying philosophy is that the setup should be built from top to bottom (outside -> inside) and that the setup difficulty increases from left (blacklist) to right (whitelist), with community-based knowledge sharing as an intelligent workaround (so novice users are assisted in making choices by the community). The third evaluation criterion (ranking the plusses in the cells) is design strength, quality of implementation and ease of use.

By the way, freeware is not a criterion for this post, just something I prefer and therefore mentioned in my example and explanation.

Thanks for the links.


Regards

BlueZannetti
November 22nd, 2006, 09:07 AM
-{ Quote: "You give me too much credit; it is not my model. It is a model used by either Gartner or Forrester (IT research/consultancy firms doing paid research for the industry and large companies). I should not have used the first-person manner of speech." }-
Regardless of origin, it's a useful and nicely structured way to pull a planned implementation together.
-{ Quote: "The underlying philosophy is that the setup should be aligned from top to bottom (outside -> inside), and that the setup difficulty increases from left (blacklist) to right (whitelist) with community-based knowledge sharing as an intelligent workaround (so novice users are assisted in making choices by the community)" }-
In some respects, potential strength also increases from left to right (i.e. going from blacklist/default allow to whitelist/default deny).

I would tend to characterize a setup in which all levels are covered as quite secure, as long as the appropriate selections within each domain are made. Therein lies the rub for a casual user and a market opportunity for vendors of comprehensive security suites.

Blue

cet
November 22nd, 2006, 09:13 AM
My PC: 512 MB RAM, P4 1.8 GHz
My objective is to use free programs that do not use too much RAM and get along with each other.
I use Sandboxie sometimes. I use Sandboxie for my kids' MSN.
I use SSM free after I boot. It is not in the autostart.
Updating is easy; Antivir and CyberHawk update easily.

I also use SpywareBlaster and Spybot to immunize.

Kees1958
November 22nd, 2006, 09:31 AM
-{ Quote: "Regardless of origin, it's a useful and nicely structured way to pull a planned implementation together.
In some respects, potential strength also increases from left to right (i.e. going from blacklist/default allow to whitelist/default deny).

I would tend to characterize a setup in which all levels are covered as quite secure, as long as the appropriate selections within each domain are made. Therein lies the rub for a casual user and a market opportunity for vendors of comprehensive security suites.

Blue" }-

First remark: You are right
That is what I had forgotten to say. Strength increases from left to right.

Second remark:
That is the idea: to cover all levels. Only for overlap is the top-down approach (with the exception of outbound) used to decide which one to drop (the idea is to stop the threat as early as possible).

Kees1958
November 22nd, 2006, 09:34 AM
-{ Quote: "My PC: 512 MB RAM, P4 1.8 GHz
My objective is to use free programs that do not use too much RAM and get along with each other.
I use Sandboxie sometimes. I use Sandboxie for my kids' MSN.
I use SSM free after I boot. It is not in the autostart.
Updating is easy; Antivir and CyberHawk update easily.

I also use SpywareBlaster and Spybot to immunize." }-

Okay, try to fill in which areas they protect (blacklist - behavior - whitelist). I think there is overlap between Sygate (process change protection), CyberHawk and SSM. When you have paid SSM, dump CyberHawk and switch off process change detection of Sygate. When you have all freeware you could also decide to dump CyberHawk, because whitelist protection is stronger than behavior protection. (CyberHawk is more an application-level protection.)

cet
November 22nd, 2006, 11:21 AM
I thought CyberHawk was community based. Am I wrong? I am using all free versions so I am not sure about dumping CyberHawk. Or can I use another piece of software in place of CyberHawk, Sygate and SSM? If there is one please let me know. But with this configuration I am very happy and not a fly has passed through my PC. Lol.

WSFuser
November 22nd, 2006, 11:32 AM
I hope this is right, but anyways:

http://img156.imageshack.us/img156/4877/multilayereddefenseyb7.gif

lucas1985
November 22nd, 2006, 11:11 PM
This is the way I'm designing my future security setup. For now:

-NAT router: I've chosen a UTM Linux distro, with the possibility of installing xBSD if I can understand it. This has antispam, content filtering, intrusion detection (Snort) and a transparent proxy with antivirus scanning thanks to ClamAV, AVG and F-Prot (eagerly waiting for the next version)
-Outbound: Jetico v1 with NTWrapper

-Threat gate entry: GeSWall
-Application level: AppDefend? I don't want a full-blown classical HIPS like SSM or the new ProSecurity. Maybe this category is too much in my setup
-Data level: Antivir or NOD32, perhaps without IMON

And:
-On-demand scanners: Ewido + SAS for now. Maybe I'll dump both
-"Passive" security: Script Defender (or Script Sentry?) + SpywareBlaster + IE SpyAd
-Firefox w/ NoScript and other add-ons
-Thunderbird
-System hardening: Harden-It, BugOff, WWDC, services tweaks, etc

-BACKUP SYSTEM ;D

Kees1958
November 23rd, 2006, 12:49 PM
-{ Quote: "I thought CyberHawk was community based. Am I wrong? I am using all free versions so I am not sure about dumping CyberHawk. Or can I use another piece of software in place of CyberHawk, Sygate and SSM? If there is one please let me know. But with this configuration I am very happy and not a fly has passed through my PC. Lol." }-

I do not know Sygate very well (so I do not know whether it monitors process changes).

To exclude redundancy: you could choose either CyberHawk or SSM. Because whitelist is stronger than behavioral (generally), I would choose SSM.
Yes, CyberHawk is also CIPS.

Kees1958
November 23rd, 2006, 12:51 PM
-{ Quote: "I hope this is right, but anyways:

http://img156.imageshack.us/img156/4877/multilayereddefenseyb7.gif" }-

Yes it is!
Only NOD also has some behavioral features (active heuristics). So your defense is even better and not overlapping (strict behavior defense like in CyberHawk or Prevx differs from heuristics).

cet
November 24th, 2006, 05:18 AM
-{ Quote: "I do not know Sygate very well (so I do not know whether it monitors process changes).

To exclude redundancy: you could choose either CyberHawk or SSM. Because whitelist is stronger than behavioral (generally), I would choose SSM.
Yes, CyberHawk is also CIPS." }-
Sorry to ask so many questions, but I have been reading these forums for a long time, and I have read most of your posts and learned many things. Thank you for sharing your knowledge.
Last question: since Sygate is old and DSA acts more like a firewall, is it okay if I dump Sygate and CyberHawk and use DSA? You are using DSA; can you please tell me how much RAM it uses?

Kees1958
November 24th, 2006, 08:16 AM
Hi CET,

Tomorrow I am going to drive three old off-road motor bikes, one car and a small truck from Amsterdam to Dakar. It is a charity drive called Drive for Africa. The vehicles are sold in Dakar and Banjul. The money goes to local charity goals (like schools, water pumps, etc.). So I won't be able to answer any questions for the next few weeks.

As for DSA: it uses about 17K. DSA is very easy to configure (when you unselect "notify user" in the training stage and select all running processes/applications once after startup). I have only "e-mail, process and outbound application" protection enabled. As for the 'malware hardness' of this application, I rate the free version of ProSecurity better (sounds stupid while I use DSA), because it offers application control, outbound TCP control on a high/basic level (like DSA) and checks whether processes are modified (that is, I think, extra compared to DSA).

It is just laziness of me to use DSA instead of PS. The reason for this is that the default of PS is rather wide (when you trust an application, it is allowed to do a lot). In the past I have been using SSM-free (which also has an option to trust all running processes). The nice thing about SSM is that its learning mode is in 'paranoid' mode. This means after some training you will have the tightest protection of a whitelist app. When you are sure that SSM works, you can disconnect the user interface in paranoid mode. In this way you won't be getting pop-ups (for me that is good, because my wife uses the system and she allows everything by default, because she hates irritating pop-ups). The only pity is that SSM-free does not check on outbound traffic being initiated (the paid version does).

None of the whitelist apps mentioned above do packet filtering or intelligent behavior analysis/blocking on the traffic level (to protect you from flood/DoS/SYN attacks, as good firewalls like Comodo seem to do).

When you only want high-level traffic-initiation protection, DSA and PS are good for you. I think because we are sitting behind a hardware firewall it is sufficient (uncheck the Windows XP firewall and save CPU resources). Because DSA has this basic TCP check, Windows XP recognises DSA as a firewall.

When you have questions, try others like BlueZannetti, IBK, Bellgamin, Sukaroff, Aigle, Interact, or Tommy; I like their input to this forum a lot.

Regards, Kees

cet
November 24th, 2006, 10:37 AM
Thank you, from İZMİR, Turkey. I wish you good luck with your charity drive. Many of the forum users are saying that their wives are using the PC... so they do different combinations of software for them. I am a woman, 43 yrs old, and my ex-husband did not know anything about computers (he owned a big company), so not all women or men are the same. I just wanted to point this out.
;D

Mrkvonic
November 24th, 2006, 11:30 AM
Hello,

I might be a party-pooper (no table for me), but I'll write down what I think might be appropriate for home users.

Windows

Network: Comodo / Sygate, or Sygate + Smoothwall

Threat gate - as above; run P2P apps as limited (DropMyRights or similar), disable autostart

Application level - only for browser.

Data level - none.

I don't believe in blacklisting, whitelisting, community or bad behavior AI.

As you see, there is little overlap, if any.


Linux

Network - Smoothwall (maybe with Snort) and/or iptables
Threat gate - nothing really
Application level - nothing really
Data level - enabled by default (local user rights)

Mrk

WSFuser
November 24th, 2006, 11:48 AM
You think it's appropriate for home users to run Windows w/o antivirus?

BlueZannetti
November 24th, 2006, 12:25 PM
-{ Quote: "You think it's appropriate for home users to run Windows w/o antivirus?" }-
Since many technically astute users run Windows from home..., the answer would have to be a qualified yes for a very small subpopulation...

More detailed answer - if you have to ask, the answer is no. In general, answers that don't involve a prepackaged and basically self-running AV and/or suite will elicit a rather puzzled look from most users. Since the range of experience and capabilities runs the gamut here, the range of appropriate answers will as well. Casual users, those who use a PC as a tool to aid them in everyday life, in other words the majority of the installed user base, are advised to use an AV and/or a security suite of some sort.

Blue

Mrkvonic
November 24th, 2006, 01:27 PM
Hello,

In my active online life, since 1999 or so, I have never witnessed a real-life situation of anti-virus detecting / countering a virus etc. I'm really wondering what people are doing to get them to shout. And this is Mr. Porn talking here.

Relying on AV as the holy grail of security is ... false. You deny yourself the real power of control and invest it in a tool that is nothing more than a lookup table and a few smart scripts. AV will not keep you safe. At best, it will give a user some sense of security - and probably keep him from trying to educate himself.

AV can be nice. I use several AVs in several different setups. But not for the sake of protection against web threats.

I do think average users should combine AVs with some other tools. The magic is knowing how to utilize them correctly. Not for scanning cracked files and then running them if they come clean. That's not what AVs are meant for.

AVs are to be used to scan files that you TRUST. Not the ones you don't. The ones you don't - just don't run them. The ones you do might accidentally be infected - for instance, a CV from a friend or something. Those are the ones you should look after. Not something called winCracker2111.exe.

Furthermore, the thread was about how we would individually set up a system. My setup does not apply to everyone, of course. Everyone and their choices.

Mrk

BlueZannetti
November 24th, 2006, 01:52 PM
-{ Quote: "Hello,

In my active online life, since 1999 or so, I have never witnessed a real-life situation of anti-virus detecting / countering a virus etc. I'm really wondering what people are doing to get them to shout. And this is Mr. Porn talking here." }-
I have, but it is orders of magnitude less frequent than one might suppose reading on this site. A genuine threat? Once every few years or so.

-{ Quote: "Relying on AV as the holy grail of security is ... false. You deny yourself the real power of control and invest it in a tool that is nothing more than a lookup table and a few smart scripts. AV will not keep you safe. At best, it will give a user some sense of security - and probably keep him from trying to educate himself." }-
The implicit assumption here is that the user wishes to and will successfully educate themselves. Empirical evidence seems to be at odds with this outcome.

-{ Quote: "AV can be nice. I use several AVs in several different setups. But not for the sake of protection against web threats.

I do think average users should combine AVs with some other tools. The magic is knowing how to utilize them correctly. Not for scanning cracked files and then running them if they come clean. That's not what AVs are meant for." }-
Excellent point, and probably more important than I'd like to believe.

-{ Quote: "AVs are to be used to scan files that you TRUST. Not the ones you don't. The ones you don't - just don't run them. The ones you do might accidentally be infected - for instance, a CV from a friend or something. Those are the ones you should look after. Not something called winCracker2111.exe.

Furthermore, the thread was about how we would individually set up a system. My setup does not apply to everyone, of course. Everyone and their choices.

Mrk" }-
True, point taken.

Blue

WSFuser
November 24th, 2006, 01:59 PM
-{ Quote: "But not for the sake of protection against web threats." }-
What tool do you rely on for protecting against web threats?
-{ Quote: "AVs are to be used to scan files that you TRUST. Not the ones you don't." }-
Would you mind explaining this logic more?
-{ Quote: "The ones you don't - just don't run them." }-
That does make sense I guess, though not a practice I could perform.
-{ Quote: "Furthermore, the thread was about how we would individually set up a system." }-
So the setup you mentioned is also your personal setup?

Kees1958
November 24th, 2006, 03:40 PM
-{ Quote: "Thank you, from İZMİR, Turkey. I wish you good luck with your charity drive. Many of the forum users are saying that their wives are using the PC... so they do different combinations of software for them. I am a woman, 43 yrs old, and my ex-husband did not know anything about computers (he owned a big company), so not all women or men are the same. I just wanted to point this out.
;D" }-

Haha, you're right. My wife has a master's in psychology. I'm not saying she is dumb, just not interested in technology. In Holland most women are aware of equal treatment. I, for example, am a business director, but I have to iron my own shirts and 8 out of 10 times I am doing the cooking at home, because my wife gets home later than I do. We share the cleaning of the house.

So although I play rugby, was 2nd in Taekwondo in the Netherlands, and ride bikes, I have a boss at home; she is addressed as Mrs.

;)

Mrkvonic
November 24th, 2006, 04:45 PM
Hello,

WSFuser, to answer your questions:

Web threats:

Firefox / Noscript will cover 99.9% of all web threats.

I think other network-based activities do not fall directly under web threats, because anything done on the web is a web threat. Nevertheless, P2P and IM apps should be run as restricted. The choice of the application is also crucial.

Of course, a firewall is there as the first line of defense. Make your pick.

AV:

Troy fell because they trusted the horse and let it in. You will be extra careful when you run a file called wincrack.exe, right? But real troubles occur when people do not expect them. You get a file from a friend called story.doc. This file is infected. Not on purpose. It's just that your friend has an infection that appends a bit of code to any document he writes. He sends you a story so you can check his spelling. Because this file comes from a friend, you'll normally assume it's ok, right?

This is when and where you must be extra careful.

Example:

Three years ago, before I got married, my girlfriend at the time (now upgraded to wife) lived in the university dorms. She wanted to watch a movie, but she didn't have a codec. So she asked a friend at the dorms to install a codec for her. I was not there at the moment to assist.

What happened?

The friend installed some **** that came bundled with VX2.

My point: A person you trusted did inadvertent damage. He was only trying to help. Even he did not know that he was using that crap.

BTW, here's the best way to test "suspect" files / software:

Install Linux.
Install VMware Server.
Install Windows as guest.
Install your everyday applications.
Now test your suspected files and see the operating system react.
If everything works, cool. If not, revert to a snapshot and ditch the perp.

Using imaging or shadow software can also work for people who do not wish to meddle with Linux. Free solutions include ShadowSurfer and DriveImageXML.

Malware aside, this is the right way to test programs before you assimilate them into your borg. If you can afford an extra guinea pig machine, even better.

Mentioned setups:

I have several computers, all of which serve different purposes, so a setup would be inaccurate. I have several setups that I like. But I also have several setups that I like less, but I run them because I like to test stuff.

I also believe in simplicity. Computers are just ... computers. People turn the online experience into some sort of war. Totally out of perspective. Just dumb stupid machines. Fifteen years ago, we used to read books and never bother about "threats".

One of the main reasons why we at Wilders talk about security so much is because we LOVE it. We love to feel adventurous and install stuff. In the process, we lose the sense of reality.

This rant aside, I do have computers that are equipped with only a firewall. I even run machines without a firewall. I also have machines that run a firewall and anti-virus and sit behind a custom-built router.

Think about it. I'm looking at the last 7 years. During which I did quite a lot of file sharing, browsing the "adult" sites and all sorts of fun. I have not stumbled upon any malware along the way. It might be there. But I don't bother it, and it don't bother me. We has an understanding.

Besides, using anti-this and anti-that to clean and prevent infections is really the wrong way of doing it. What is simpler than booting off a Linux CD and inspecting the partitions when they are dormant?

I have no intention of provoking anyone. I'm not braver or smarter than others and I don't know any special secrets. It's just that I treat a computer as a replaceable piece of machinery. They are so easily replaceable. After all, we do it every 3-4 years!

The most important thing is the personal data - here, every precaution should be taken. Multiple copies on CD / DVD, printed material, whatever. But apart from that?

Mrk

WSFuser
November 24th, 2006, 04:51 PM
thank you for the detailed response Mrk.
-{ Quote: "BTW, here's the best way to test "suspect" files / software:

Install Linux.
Install VMware Server.
Install Windows as guest.
Install your everyday applications.
Now test your suspected files and see the operating system react.
If everything works, cool. If not, revert to a snapshot and ditch the perp." }-
Best way? Possibly. Practical? Not really.

Mrkvonic
November 24th, 2006, 05:02 PM
Hello,

First, the posts I make are the reflection of my own thoughts, so when I say "best", what I mean is "most convenient for me".

That said, what's impractical about Linux?
Install, let's say, Ubuntu and dual-boot alongside Windows.
Then, you can have all of the software mentioned for 0 money, save your Windows. Here comes a slight challenge - money-wise - but if you know a Microsoft worker, you can have XP for US$ 25 - or any of their products, for that matter. Then, taking into account that people often change their computers and buy extra systems, it's likely you'll have an extra Windows in your store. Maybe a no-longer-used W2K.

BTW, anything starting with Linux is definitely good.

Mrk

WSFuser
November 24th, 2006, 06:50 PM
Linux isn't impractical, but installing it just to test files seems superfluous to me.

If you already dual-boot, then it's no problem.

Devil's Advocate
November 25th, 2006, 08:04 PM
-{ Quote: "The implicit assumption here is that the user wishes to and will successfully educate themselves. Empirical evidence seems to be at odds with this outcome." }-

Blue, I think your answer, while correct, might not actually be answering the specific question. I believe WSFuser's question, like most questions posed here, is more personal and relates not to some general mystical user who doesn't come here but to himself.

I would translate his question to this:

Would a newbie who initially knew little about computers, but spent the last 2-3 years diligently reading this forum about security solutions for home use, learning about the range of security products available for the home user, and, in the course of evaluating them, picking up bits and pieces about security threats (and computers in general), how they spread and how they work (in a high-level, non-technical way), be knowledgeable enough to do without an AV (or all this heavy protection)?

Even if the above description does not fit WSFuser, I believe, given that Wilders has been in existence for over 4 years, it has resulted in training and educating quite a large pool of members who fit the above description.

People who can't claim to be experts, but are vastly more aware of security threats than the average person, and are at the point where they can't improve significantly without going into really hardcore, serious studying.

I think it's a more interesting and relevant question than considering the case of a user outside of forums like this who doesn't give a damn, because the answer would be obvious.

PS: The funny thing is the average Wilders member is far more aware of the range and capabilities of security products (particularly HIPS for home use) than most people who can legitimately claim to be security experts (outside of the guys who sell this stuff, of course). :)

PPS: I wonder if the time spent learning how to configure all your HIPS to play with each other nicely, learning the meaning of various technical tests, and being able to discuss the merits of various AV tests and functions of HIPS is easier or harder than learning to use Linux. :)

BlueZannetti
November 26th, 2006, 08:22 AM
-{ Quote: "I think it's a more interesting and relevant question than considering the case of a user outside of forums like this who doesn't give a damn, because the answer would be obvious." }-
Fair enough, but I do tend to focus on that mythical user since they drive the main market.

There's always an opportunity to establish niche market options; however, in the security arena I would say that the niche market is beyond saturated. I cannot see it sustaining all the offerings out there. To me it looks very similar to the compiler market around the time and a few years after Borland launched Turbo Pascal. At that time there were literally hundreds of options, many of them involving niche languages that many users here have never even heard of, which have been supplanted by a few predominant generalized solutions over time.

I see the same evolution for the security market.

Blue