What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    CIS beta 8.2.0.4474
    - AV: Stateful,
    - FW: Custom,
    - AS: Enabled,
    - HIPS: Safe.
    360 TS in "Balanced" Mode with regular "Patch Up" (Windows Updates off),
    MBAE free
    EMET 5.2 covers all apps not covered by MBAE
    SBIE with different sandboxes for browsers and other internet apps

    PC endures this setup unless CIS sandbox kicks in.
     
  2. th3m

    th3m Registered Member

    Joined:
    Jan 28, 2013
    Posts:
    11
    how can you still use panda?

    last week it broke half of my friends windows systems because of an update...
     
  3. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    Now is the best time to use it because the team are on their toes making sure nothing like that happens again, I would use it if I didn't have BD paid.
     
  4. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    484
    Auto quarantine turned off, so not a problem.
     
  5. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,171
    Location:
    Canada
    Was thinking that also, will see which one I prefer.
     
  6. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,960
    Location:
    London On
    Good Afternoon! Re-installed Avast A/V Pro in concert with WSA Security Plus...and AppGuard...Stay Sicher my Friends! Sincerely...Securon
     
  7. I am not into this type of protection: so what percentage of the IP addresses in the world are those 1.5 million IP's blocked? ;)
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Few..

    But I have 75% of the world blocked on my UTM/NGFW already. Including the entire continent of South America, Africa, etc.

    It sure eliminates a lot of potential hackers and threats.
     
  9. Well 75% really makes a difference. How much real protection do you have over me?

    I simply deny scripts in Chrome and allow a few country-level exceptions (see pic), use Norton as DNS and enable Chrome's malware and phishing protection (and have flash/pdf set click to play)?
     
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    A LOT.. You are focused on desktops, not your network, and specifically, not your LAN to WAN egress. In addition, much of your focus seems to be on 80/443; what about a trojan shoving traffic through 53, for example? Most importantly, I country-block by more than simple IP, other metrics than just domains, including IP tables based on assignments by region (blocks sold to China, but not even DDNS'd yet, for example). So in effect, much of your security is theatrics.

    That helps - somewhat - but if you aren't in full control of LAN to WAN, WAN to LAN, then it's mostly theatrics.
     
    You pretend to know a lot of IT and seem to assume others don't. You should watch some reruns of Kung Fu with David Carradine as little grasshopper. Mr Mayahana (ZCNP), (NSE4), (TCSP), (RSE), (dSSE), (ASE), (CCNA), (LTCP), (HHE Sage), (S6 White Belt),(BACP), (A+), (NET+), (SEC+). WIP - (SCS), (MCSA).

    Theatrics?

    All guests are on the 5GHz network with dynamic allocation for only 20 IPs in the IP address pool with a lease time of two hours and LAN partitioning enabled (guest clients can't communicate with each other). Maintenance through a DHCP reserved MAC/IP address (my Windows tablet). Parental control enabled with varying close-down times during the week for all 20 dynamic IP addresses and exclusive network access for my pseudo-static Windows Tablet IP address (so I can always get in to check the logs after I have been informed by mail that we were probed).

    Having physically separated guest usage, I hold my visitors responsible for their own internet behavior, so for any self inflicted pain, bypassing Norton ConnectSafe DNS: "frankly my dear, I don't give a . . . " :D

    All of our home devices are on the 2.4 GHz LAN with static IP addresses. Access has been limited by MAC address and an IP filtering table (port/protocol). On all clients I have a similar setup. Windows Update and mail connect to a few known remote IPs. We use IE11 for HTTPS traffic (on-line banking, LinkedIn, tax department, wife's Facebook etc). Chrome has a free VPN service extension (which is on by default on all clients). All risk-ware is disabled and WFW is enabled on application/protocol/port. With these tricks I only have to allow a limited number of URLs and IPs in my LAN!

    You may brag about your high powered and high cost UTM setup, but you can't beat the attack surface reduction on our 2.4 GHz LAN with this safe and simple set up Mr six sigma white belt :ninja:
     
    Last edited by a moderator: Mar 25, 2015
  12. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Hi Kees.
    Yandex seems the most efficient.
    Especially for users who use Firefox, which is not equipped with this feature that Chrome has:

    http://googleonlinesecurity.blogspot.it/2015/02/more-protection-from-unwanted-software.html

    I'm checking (MDL).
     
    Last edited: Mar 25, 2015
  13. FYI Adguard for chrome checks Google, Yandex and WOT when enabling malware protection, possibly the Adguard for FF does the same.
     
    Last edited by a moderator: Mar 25, 2015
  14. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Remember, you were the guy that had different primary and secondary DNS with the impression they cascaded by default on each query, not understanding how DNS functioned at all. Nevertheless, these are still theatrics. A static IP address offers no additional security. Now if you said "I have segregated VLANs with isolated static scopes on different subnet classifications" (Blue Zones) then we'd be progressing past theatrics. I won't derail the topic though, my apologies, but I was merely answering your question of 'are you any more secure than I am', which we know the answer to now.

    PS: VPNs can bypass your gateway, and in some cases, desktop security, rendering IP tables and other techniques invalid. Which is why we deploy application control on UTMs to prohibit VPNs from running. Just an FYI.
     
    Last edited: Mar 25, 2015
  15. @Mayahana

    First you happily posted that you are secured by 1.5 million blocked IPs. Then I asked what percentage that 1.5 billion is of all the IP addresses in the world.

    Next you came with an answer that you blocked countries and continents. I showed that with Chrome you can do the same.

    Then you said my focus was on the desktop instead of the network. I showed that with some simple tricks it is possible to whitelist remote IPs running through your network.

    Now I am dumb and dumber morphed into one person and suddenly the danger has moved from port 53 to VPN services. Which according to you can bypass the gateway and in some cases the desktop security rendering IP tables.

    I am not going to comment on that. Just look at the picture and see that I only have to allow five remote IPs to visit any website. In a week my FW logs do not exceed 20 remote IPs allowed access in/out our 2.4 GHz LAN.

    Could you post a log of the IPs allowed through your network this week? :blink:

     
    Last edited by a moderator: Mar 25, 2015
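The weekly check Kees describes above (how many remote IPs the firewall actually allowed in or out, and whether any fall outside the short whitelist) and Mayahana's earlier point about a trojan pushing traffic out over port 53 can both be run as one pass over the firewall log. The script below is an added example and is not code from either poster. Its log lines are constructed in the column layout of Windows Firewall's pfirewall.log, using RFC 5737 documentation addresses; the LAN prefix, the whitelist, the resolver address and the byte threshold are placeholders to be replaced with one's own values.

```python
"""Audit a Windows Firewall style log for two things discussed in the thread:
(1) which remote IPs were actually allowed in/out and whether any fall outside
the whitelist, and (2) port-53 egress that does not look like ordinary name
resolution (wrong destination, or far too many bytes for DNS)."""
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of Windows Firewall's pfirewall.log.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-03-25 09:12:01 ALLOW TCP 192.168.1.20 198.51.100.7 51234 443 0 - 0 0 0 - - - SEND
2015-03-25 09:12:03 ALLOW UDP 192.168.1.20 192.0.2.53 50001 53 74 - - - - - - - SEND
2015-03-25 09:12:05 ALLOW TCP 192.168.1.21 198.51.100.8 51235 443 0 - 0 0 0 - - - SEND
2015-03-25 09:12:09 DROP TCP 203.0.113.9 192.168.1.20 40000 3389 0 - 0 0 0 - - - RECEIVE
2015-03-25 09:13:00 ALLOW TCP 192.168.1.22 203.0.113.44 51300 443 0 - 0 0 0 - - - SEND
2015-03-25 09:13:01 ALLOW UDP 192.168.1.22 203.0.113.45 50002 53 1450 - - - - - - - SEND
2015-03-25 09:13:02 ALLOW UDP 192.168.1.22 203.0.113.45 50003 53 1450 - - - - - - - SEND
2015-03-25 09:13:03 ALLOW UDP 192.168.1.22 203.0.113.45 50004 53 1450 - - - - - - - SEND
"""

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed LAN prefix
ALLOWED_REMOTE = {"198.51.100.7", "198.51.100.8"}  # placeholder whitelist
APPROVED_RESOLVERS = {"192.0.2.53"}                # placeholder filtering-DNS address
DNS_BYTES_THRESHOLD = 2000  # constructed: more than this to one peer over port 53 is suspicious


def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        yield dict(zip(fields, parts))


def is_lan(ip):
    return ipaddress.ip_address(ip) in LAN_NET


def audit(text, allowed_remote=ALLOWED_REMOTE, resolvers=APPROVED_RESOLVERS,
          dns_threshold=DNS_BYTES_THRESHOLD):
    """Return the remote IPs allowed in either direction, those outside the
    whitelist, and per-peer findings for outbound port-53 traffic."""
    remote_seen = set()
    dns_bytes = defaultdict(int)
    for rec in parse_log(text):
        if rec["action"] != "ALLOW":
            continue
        remote = rec["dst-ip"] if rec["path"] == "SEND" else rec["src-ip"]
        if is_lan(remote):
            continue  # LAN-to-LAN traffic is not what the whitelist governs
        remote_seen.add(remote)
        if rec["path"] == "SEND" and rec["dst-port"] == "53":
            dns_bytes[(rec["src-ip"], remote)] += int(rec["size"])

    dns_findings = []
    for (src, dst), total in sorted(dns_bytes.items()):
        reasons = []
        if dst not in resolvers:
            reasons.append("port 53 to a host that is not the approved resolver")
        if total > dns_threshold:
            reasons.append(f"{total} bytes over port 53 exceeds {dns_threshold}")
        if reasons:
            dns_findings.append({"src": src, "dst": dst, "bytes": total, "reasons": reasons})

    return {
        "remote_ips": sorted(remote_seen),
        "unexpected": sorted(remote_seen - allowed_remote - resolvers),
        "dns_findings": dns_findings,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"{len(report['remote_ips'])} distinct remote IPs allowed: {report['remote_ips']}")
    for ip in report["unexpected"]:
        print(f"  not on whitelist: {ip}")
    for f in report["dns_findings"]:
        print(f"  {f['src']} -> {f['dst']}: " + "; ".join(f["reasons"]))
```

On the constructed sample the script counts five distinct remote IPs, reports the two 203.0.113.x hosts as outside the whitelist, and flags the host that received 4350 bytes over port 53 both for not being the configured resolver and for volume. The byte heuristic only sees what the firewall logged, so it catches bulk transfer over port 53 rather than proving tunneling; a DNS-aware filter or resolver log is needed to look at the queries themselves.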
  16. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Explaining network security is out of the scope of this thread, I will just say it's still theatrics, and I don't think you'll gain the awareness of why from a forum.

    Let's get it back on topic.
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Trying out RCC, and I like it.
     
  18. ReverseGear

    ReverseGear Guest

    I know some of the words mayahana and security used :p
     
  19. JoeBlack40

    JoeBlack40 Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    1,584
    Location:
    Romania
    Back to Avast free. Don't know exactly why, feeling uncomfortable with 360TS... maybe it's just my imagination as usual...
     
  20. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Lol the same feelings but anyway with 360TS. :)
     
  21. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Back to Outpost SS Pro with Sandboxie... of course. Oh and Kerish Doctor, if that counts?

    Regards Eck:)
     
    Last edited: Mar 26, 2015
  22. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Another fairly big update.

    Connection/Multi-Homed:
    180Mbps Cable Connection WAN1
    AT&T 10Mbps DSL - Multi-Homed, Failover via WAN2.
    AT&T 4G LTE Hotspot Box - Provided by work for free, in the event everything else fails.
    OpenDNS

    Frontend:

    Motorola DOCSIS3.0 SB6141
    Sophos UTM 9.3 Layer 8 NGFW/UTM Appliance
    ASUS RT-AC87R (Access Point Mode Only)
    - Primary Wireless, Ghetto-vLAN with Restricted LAN access. Hardware timer to kill this from 12m-7am every night. (threat surface and telemetry harvesting reduction)
    TP-Link AP
    - Segregated AP for security cameras only. MAC restricted to just cameras. No LAN connectivity, PF to SEC Server. On 24/7. Signal truncated to exact dimensions of home.
    Layer 3 GBE 16 Port Switch (Cisco)

    Systems:
    Win 8.1x w/Tweaks+Lockdowns
    Trustport Antivirus 2015 w/PUA Enabled, HIPS on Full.
    PeerBlock (paid, with all Malware/Adware databases - 1.5 million IPs blocked)
    Admuncher (for Heuristic Script and Webbug Blocking)
    Chrome w/uBlock(default), Vanilla Cookie HTTPS Everywhere.

    Backup/Redundancy
    Lenovo IX4-300D 12TB Raid10 Network Access Storage (NAS)
    3X Cyberpower 1500VA AVR UPS
    Generac 20,000 Watt Air-Cooled Aluminum Enclosure Natural Gas Powered Standby Gen w/Transfer Switch

    Network Structure
    Subnet Segregation (Blue Zones)
    vLAN Isolation
    MAC Filtration

    I also run a variety of servers. Including an obfuscation server that pushes out 'fake' network traffic, searches, and activity to mask real activity. In addition to a security system (including cams) server.
     
  23. @Mayahana I have two questions which relate to inconsistencies in your setup

    Given the fact that you only have three UPS and run a variety of servers, most of these servers must be virtual. 3x1500Volt UPSes means you have one for WAN/LAN/NAS and probably one for the data server and one as backup for the previous two (also servicing the security cams). With only your wife, a son and a daughter living at home (in all your posts you did not mention more) AND everyone having his own (probably fat) client, WHY would you run a VARIETY of servers (I can understand a few)? Q1

    With so many (virtual) servers, your three physical servers will at least have 2TB disks (probably more). Your NAS is only 12 TB. This would mean that your NAS is not big enough to facilitate three generations of backup of the servers and the endpoints. Such a PRO like you would have a backup of the backup and most likely would store the parent and grandparent in the cloud. A PRO would NOT want the backup to be the single point of failure. You have three WAN connections (double backup), so I assume you want the most valuable of your digital duplicates (the data) backed up twice also. This explains the (limited) 12TB capacity of your NAS. With cloud storage you would not apply a time lock at night (when everyone is asleep, this would be the most likely upload of the previous generation NAS backup to the cloud). So I am puzzled how you have organised the backup of the backup? Q2


    Regards Kees
     
    Last edited by a moderator: Mar 27, 2015
  24. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    I see lots and lots of information security, but no physical security.

    Unless Mayahana is standing there with a loaded weapon ready to fire, it's a single point of failure.

    But maybe he is.... sitting, and waiting, locked and loaded... That's why I'm afraid to go over to Mayahana's house unexpected.

    Thank you.
     
    Last edited: Mar 27, 2015
  25. Frank,

    I agree needing such a setup for only four home users, certainly triggers the imagination.

    Normally such segregated network/server/data setup combined with a closed camera circuits and an obfuscated server sending fake network traffic are more likely to be found in the dungeons of a security agency or a place (with also little sunlight) where all inhabitants wear orange overalls.

    Regards Kees
     
    Last edited by a moderator: Mar 27, 2015