How unhackable will this setup be?

[axfleming]

Hello.
Having followed your forum for a few months and benefiting from the excellent advice, I would like some opinions on a security setup.

How secure do you think this will be:

A Win2k PIII DP server with 1gig ram running a 256meg WinXP VM with uTorrent, Nod32 realtime, AVG Antispyware realtime and Superantispyware realtime.
uTorrent is mapped to a autodownload directory and a completed directory on the server so files can be saved and downloaded without opening up a VM console.
In addition to Winroute, F-Secure Internet Gatekeeper and Squid+Privoxy, the server will run Symantec AV Client realtime, with a scheduled task kicking off every 5 minutes to both run a manual Kapersky AV scan and to move checked files to a safe directory.
In another VM, software is installed in either a SVS layer or a Thinstall archive, with either of these being installed to their final destination.
Now is any form of realtime protection necessary on the workstations, aside from maybe SSM?
Winroute+F-Secure blocking ports eliminates need for firewall,
Squid+Privoxy blocking ads, animated gifs, javascript, etc,
Three anti-malware engines blocking viruses and spyware in addition to two antispyware engines,
and SVS or Thinstall should help keep the registry and Windows directories tidy.
With browsing of "unsafe" sites done in the XP VM, which can be reset in a minute, safe browsing can be done on the workstation.
With no realtime protection needed on the workstation, I can eliminate software conflicts and get the full use of my cpu power, with the server hard at work keeping out the baddies from the basement.
Is this feasible, the best of both worlds, top protection with no overhead?

[besafe]

I can't help you with your question as I truly don't know what hackers are capable of and what they aren't. However, the best advise I could offer is not to advertise what you plan to defend your system with because:

1.You might be presenting an unresistable challenge to the lurking hackers and

2. Once they know what you are using, hacking your system probably becomes much easier

[Mrkvonic]

Hello,

Unhackable:

Do you mean cracked from external source?
OR
You execute something locally?

Mrk

[axfleming]

Ok, maybe a little background.
In my company, I have been given the "enviable" task of checking warez, torrent, keygen etc sites to see if our software has been cracked and available for download.
If I discover any, I download it and analyze it to see what mechanism the hackers used and give recommendations to our developers.
Our CIO recommends using a VM for all sessions, but it is a pain to work permanently in a VM session.
So I am primarily concerned about inbound security from these dangerous sites, and malware protection from illegal warez.
As for knowing what hackers are capable of, who knows really what the human mind can conceive?
I know 100% safety may not be possible for this scenario, but maybe six nines?

[Meriadoc]

Hi,
How unhackable?
Depends, consider Mrkvonics questions!
As for the job in hand I think your CIO knows what he is talking about - I don't understand, 'but it is a pain to work permanently in a VM session.'
VMWare Lab Manager, Workstation would be my premiss, or if working alone, Workstation - vms and your tools.

I don't think all those realtime would be necessary, I would certainly worry about overhead.

[axfleming]

Hello Meriadoc,
I guess my questions come from my experience (or lack of) with malware.
I have been working with PCs since the DOS 3.31 days; DRDOS, OS/2 2.1, QEMM, 386MAX, Stacker etc.
Those were the days when you had to spend 500 bucks for a word processing program (I bought WP 5.1 for DOS).
So I have accumulated almost 15 years working with PCs, and I have never had a virus infection, never had a trojan, never a rootkit, and I am wondering what all the hype is about!
I check all the "dangerous" sites, and have never had to reinstall because of malware, but I have had to reinstall because of legitimate software which I paid for.
I just don't understand the current state of paranoia.
Everyone is putting in their sig all the different apps they are using for protection, and sometimes I wonder if these people are just bored looking for a problem to support their solution!

I just don't get it.

[axfleming]

@Meriadoc,
Overhead is not a problem currently.
So far, with Squid+Privoxy blocking ads and animated gifs, I am getting faster speed than using even solo Nod32.
Personally, I think that is the way to go for the future.
Have an old clunker where you can offload all this unnecessary defense crap, and have your workstation behind this layer.
I installed AVG antispyware from late last year; by default, it had 500,000+ malware sigs.
After I updated, it had around 750,000 sigs!!
It is unrealistic to think that your workstation can defend against an ever growing amount of malware apps!
Imagine when it gets to 3 million sigs!
Ultimately, everyone will have to move to having a dedicated malware checking
solution.
Check out Bill Gs demo of the home server MS is trying to sell.
Offload the security checking, and free your machine.

[lucas1985]

Quote:

Originally Posted by axfleming

Offload the security checking, and free your machine.

I'd say:
"Move the blacklist to the gateway/perimeter and use whitelisting/forensic tools in the workstations"

Quote:

Everyone is putting in their sig all the different apps they are using for protection, and sometimes I wonder if these people are just bored looking for a problem to support their solution!

I just don't get it.

Hello and Greetings today axfleming.

Some of that summation is indeed fact but the latter not the former. LoL

There's no such thing as boredom when you have ever suffered a severe system intrusion courtesy some website laden with malware/droppers or another failure attributed to laced online software who's mission in that occupation is to create Maximum disappointment for as many end-users as possible. Get's real personal when it's YOUR personal investment tampered with.

Myself, i do now go looking for problems, (research/submission purposes) but am also well guarded against permanant attachment by any of them, courtesy this huge inventory of securityware which is built up over time. Once you been officially initiated into the consortium club of suffered malware infestation and all the frustrations/wasted time that go hand in hand from them, believe me you never forget it, and you guard ever so more gallantly against ever repeating such an experience again no matter the load of shieldings available.

You're one of the lucky one's, hope your luck and especially planning, continue to serve you as well as always.

[Mrkvonic]

Hell,
axfleming, you're quite right dude about the hype.
But you must remember ... for most people here, it's a hobby. Just like collecting stamps. Or buying more shoes.
Mrk

[Rmus]

Quote:

Originally Posted by axfleming

Our CIO recommends using a VM for all sessions, but it is a pain to work permanently in a VM session.
So I am primarily concerned about inbound security from these dangerous sites, and malware protection from illegal warez.

Install Deep Freeze and Anti-Executable on your workstation. That and a firewall is all you need, and you will be safe in browsing the sites.

With AE, any attempt to remotely download an executable will be blocked (White List protection).

With Deep Freeze, A reboot will restore to previous good state, and your Windows directories and Registry will stay pristine.

Then, if you need to download/analyze something, you can do it in a VM if you want.

I regularly test malware (let it run) with the above setup with no problems.

Quote:

So I have accumulated almost 15 years working with PCs, and I have never had a virus infection, never had a trojan, never a rootkit, and I am wondering what all the hype is about!

Same here (14+ years)

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier

[Meriadoc]

axfleming:

Quote:

I have been working with PCs...Those were the days when you had to spend 500 bucks for a word processing program

Yes, and hundreds to thousands for a drive (Megabytes)

Quote:

Have an old clunker where you can offload all this unnecessary defense crap, and have your workstation behind this layer...and free your machine.

I'm all for that.

[Meriadoc]

How is the F-Secure Internet Gatekeeper in your setup - I've been testing Astaro (now free) for a while now, but I do have a NG1100 appliance which runs an optional antivirus, antispyware, url filtering, certificate analysis, behaviour and zero-day protection.
Is it a full product, I'm just thinking if you are overlapping.