Conclusion I reached after 3,200 individual malware removals.

Discussion in 'other anti-virus software' started by Mayahana, Nov 12, 2014.

  1. Rompin Raider

    Rompin Raider Registered Member

    Joined:
    May 6, 2010
    Posts:
    1,254
    Location:
    Texas
    Interesting (and refreshing) perspective. I like it...especially when you don't seem to carry preconceived biases from something that may have happened many years ago....like companies have no ability to improve. Once flawed always flawed.....that's a narrow perception that many seem to have. I like to think these folks doing the research can make it better if they work in a good environment and have the motivation. :D
     
  2. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    For once (or is it twice) I would have to agree with you RR! :D And the OP, I don't understand what he's trying to say; he talks a lot about nothing IMO, being a Noobie and all to Wilders.

    TH :)
     
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Are you saying I need to dumb down my posts?
     
  4. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Maybe you can answer my first question instead of ignoring it? If not this thread is useless and unnecessary as an Advisor to others IMO.

    Thanks,

    TH
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Oh, excuse me for not addressing you personally, but you will find in the opening and third post your questions were answered before you asked them. I'm not a fan of WSA, but it's been OK on clicker relatives looking for free/cheap solutions, so I casually recommend it - with caveats, but prefer more premier solutions. To clip and paste from my first post, which already answered your questions;

    Asked by TH: May I ask why you came up with Webroot SecureAnywhere?
    Answered in Opening Post: For general users, clickers, kids, and non-techies I have found more automated solutions, and solutions with reputation blocking to be the most effective, where healthy reputations are required for most activities with programs.

    Asked by TH: And why wouldn't you recommend Webroot or Trend to "Techie, Developer, Engineer, Hobbyist"?
    Answered in Opening Post: These folks are generally not 'fooled' by dumb downloads, double packed archived files, two extension files, and other things. In doing so they rarely need reputation based systems, and these may actually be an impediment to them because techie types tend to be involved with development, beta testing, and other things to which reputation systems could drive them insane.

    Of course this is dealing with consumer versions, which is why THAT was also noted in the first post... (nowhere did I say corporation/business)
     
  6. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Sorry, still useless IMO; it's what you didn't say, and again another person that doesn't truly know how WSA works. Again, my point: how can you make suggestions of any product when you have not really used them or never learned how to use them? I just hate Noobies coming to Wilders giving so much Advice, and everyone knows what I'm talking about, and yet the new member can't even see when he has put his own foot in his mouth before giving Advice, so this Thread is plain garbage that you spewed out to us longtime members that can see BAD Advice when we see it. :gack: As one of my long time friends always said, "The Only Safe Computer Is Unplugged". Thanks Big C!

    Cya,

    TH *puppy* Walks away and shakes head.
     
    Last edited: Nov 13, 2014
  7. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,290
    I too feel like the OP is giving advice based on assumptions and personal beliefs. Which is OK. But to say that using no AV is suicide... that's more than inaccurate. And of course, bad advice.
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I should say suicide unless you can guarantee only you - an advanced user - will be accessing the PC. I assume it would be entirely fine for most techies to run without an AV.

    The major problem is a lot of people run with ancient versions of crucially exploited software. 2-3 year old Javas are a pretty common sight on compromised machines. So IMO just keeping things up to date reduces the attack surface significantly. Which I assume most people here already know. AV is listed down towards the bottom of what I consider requirements for safe computing. (personally speaking)
     
  9. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    And I sadly have had to come to learn this in some cases. It drives me crazy because that is not me. I NEVER take someone's money unless I feel I can fix their issue properly and without fault. I'm very OCD when it comes to my work and this is why I have so many clients and repeat customers. I have a VERY hard time knowingly taking anyone's money, but there sadly are cases where people just refuse to listen and could care less what we as technicians tell them, good or bad.
     
  10. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    What's with the irate responses here? Jeez, Mayahana even gave kudos to Webroot with the exception of some very specific niches.

    As it happens, AVs being helpful for Windows users in general is strongly backed by statistical evidence. That won't change my view of realtime desktop AVs as a concept (i.e. they're a ridiculous kludge), but there you go. "If it's stupid but it works..."

    What I'm a bit more dubious about is the value of UTMs. I believe client-side, application layer attacks are more common than ones in the lower networking layers these days, especially where desktops are concerned. An AV proxy won't cache that stuff unless it's over unencrypted connections (barring some creepy MITM hacks). Likewise an IDS like Snort, unless there are recognizable patterns for it to find even in encrypted traffic.

    OTOH, I know little about networking and "Internet of things" appliances. Also I set up an IDS on my gateway this evening, and it's already catching some very interesting stuff. So obviously YMMV.
     
  11. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I agree to a point. Depending on flow-through or proxy scanning. Generally, to be safe you want proxy scanning with rejection of unextractable threats. Even so, from a purely AV perspective I think UTMs aren't as amazing as they could be, but the NGFWs are becoming very potent. Where they shine is through IPS/IDS, often rejecting malware outright because it exhibits exploit tendencies which the IPS/IDS picks up. AV scanning can happen over encrypted connections depending on the device. The USG60 won't do it, but the USG110 will. All current Fortigate appliances will. Essentially issuing a trusted root CA to unencrypt, then scan at the device level.

    Did you set up an Untangle or pfSense?
     
  12. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    I have to agree, I didn't have the impression that the tone towards WSA was at all negative; on the contrary. Additionally, the fact that the OP seems to be linked to Trend Micro (one competitor) makes his generally positive feedback on WSA even more relevant. It does not happen every day that a company praises a direct competitor. Am I missing something?? :confused:
     
  13. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @Mayahana, err... currently IPFire with SquidClamAV and Snort (w/ Emerging Threats ruleset, though I may shell out for a Sourcefire subscription at some point). Last night Snort picked up two instances of some kind of VoIP sniffing attempt, from IPs in Ireland; which is a little disturbing seeing as my land lines are VoIP. Also a bunch of attacks against SSH (exploits, not brute force).

    Re using a trusted root CA to decrypt, wouldn't that make it difficult to recognize invalid certs? I haven't configured Squid for that... Not really sure the overhead of SquidClamAV is worth it actually.

    I'm curious BTW what open source NIDS options there are, other than Snort?

    Edit: so far I've found Bro (regrettable name there!) and Suricata. OSSEC also has some sort of NIDS functionality, not sure if it can be used on a gateway though.
     
  14. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Encrypted scanning by UTMs requires a root CA issued by the scanning appliance vendor. In the case of Fortinet it issues the root, trusted CA, which then replaces all incoming CAs allowing the scanning, then is pushed to the desktops which have the root Fortinet CA as trusted. This can require some micromanagement, and in some cases manual trusting of the CA on a per-machine basis - depending. But in general it works, and you can toggle exclusions for scanning of financial institutions, and other IPs where privacy is an issue. This is actually more secure in terms of invalid certs because all localized certifications are handled by a single root CA authenticated by the Fortigate network. VOIP sniffing is pretty common, and the attacks on SSH are pretty massive in my experience, almost to scary proportions. I run my VOIP through OpenVPN end to end now to avoid intrusion/interception, which was a real problem before I started encrypting that traffic. My VOIP PAP was hacked twice before I decided to take VOIP security seriously.

    Untangle seems to lack good IPS; I may need to try IPFire and utilize my own Snort configurations. Based on Untangle forums, and a certain level of arrogance there, I think they place too much value on NAT over true IDS/IPS, and I do not agree with this logic. There aren't really many options for open source NIDS; I use Kaspersky UTM via ZyXEL for that reason as my front-end, as I want a more rapid response to emerging threats, more so than open source would provide. But it's still valuable. When the Untangle team keeps saying "IDS is useless anyway" I certainly wouldn't trust them as my front-line. (IMO)
     
  15. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @Mayahana: I don't know much about network crypto... Wouldn't what you describe prevent looking at remote SSL cert info in the browser though?

    As for the certificate itself, could I create a self-signed cert in a presumably clean environment, and configure my local machines to recognize it as a root certificate? That would obviously not be as trustworthy as the real deal, but I'm interested in doing this on old off-the-shelf hardware (seeing as I have plenty of that, and have trouble trusting anything installed as firmware).

    Might be getting ahead of myself though; I don't know if IPFire could even be configured for HTTPS scanning.

    I was also considering looking into the Sophos UTM distro, however
    a) I've read "Sophail" and am a bit skeptical about the quality of the AV proxy's codebase
    b) My experience is that distros from AV companies tend to use *ancient* kernels, which is problematic for hardware support

    Edit: re the VoIP hacking, mind if I ask what activities that involved and how you detected it?
     
  16. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Here's what is hitting my network externally, after 6 days of uptime, not including Untangle, this is ZyXEL USG NGFW exclusively.
     

    Attached Files:

  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, HIPS/Sandboxing (with exploit protection) would have stopped this dead cold. Everyone knows that AV alone is not good enough. Of course when it comes to protecting "novice users" you should configure the sandbox in a way that it won't become confusing. But IMO it's almost a must have in a business environment. I like the approach of companies like Invincea, see link.

    http://www.invincea.com/how-it-works/breach-prevention/
     
  18. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Thin Clients are what companies tend to do to lock things down.
     
  19. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Mayahana, many thanks for the insights you have provided in this thread, very interesting and valuable information.

    Which model of ZyXEL USG NGFW would you recommend for a home office environment? I am currently running a 100mbps connection, which may increase to a gigabit connection in the future.
     
  20. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    The primary considerations for selection of any UTM are:

    1) Throughput with all of the features enabled.
    2) Encrypted vs non-Encrypted Scanning.
    3) Max Sessions

    The baseline for you would be the USG110 NGFW, which provides 250Mbps throughput with ALL features enabled, and also provides HTTPS scanning via root CA issuance. This also provides up to 60,000 simultaneous sessions, which is enough for a couple dozen or more heavy users. If you drop down to the USG60 you would save money, but drop to 90Mbps throughput, and lose HTTPS scanning. Going to Gbe is a whole different story; UTMs that offer true Gbe throughput for full IPS/AV/URL scanning can run many thousands of dollars. Yearly renewals are required for the UTM features; these run $200-$300 or so a year for all features (AV/IPS/URL), but remember that's daily signature updates for all modules, and all things considered it's not bad.

    (I'm a Fortinet Engineer NSE3, and ZyXEL Engineer ZCNP)
     
  21. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    image.jpg

    Here's a model chart that will help
     
  22. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Thank you for the recommendation Mayahana and thank you Brocke for the chart. Where to buy? I see the USG110 on Amazon and Newegg for around $600. The licenses I only found on the Zyxel site for $445/1 year for the UTM bundle. If you have any recommendations on where to buy please let me know. Meanwhile, I need to study this device, it looks very powerful but complicated to get set up correctly.
     
  23. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Buy the 'Bundle' versions, which can include anywhere from one to three years of UTM signatures. Be careful with lower priced units where the UTM subscription is not included. Setup is pretty easy using the wizard; however, the wizard will leave you vulnerable to remote intrusion, and doesn't fully set up the UTM aspects. I can easily talk you through it, or start a TeamViewer session to set it up in a matter of 5 minutes. But unless you have static routes, VLANs, and VPNs then it's pretty simple man.

    Here's a demo of the GUI: (accept the certificate error, all UTMs give this on login)
    https://demousg110.zyxel.com/ext-js/web-pages/index/index.html
    name: demo
    password: demouser

    It's like any other UTM, or enterprise FW mostly. Set up your IPV4/Interface, then go to security policies, and set up policies. In your case all you want are Lan1_Outgoing and Lan1_Zywall; disable all of the others, then leave the root DENY ALL policy in place to block everything that touches the device that isn't wanted. Make rules for the UTM, essentially turning everything on, then apply those rules to the Lan1_outgoing policy. Finally, disable remote Admin access, make the admin port something obscure, turn off HTTP and HTTPS failover to admin, force HTTPS on a specific port, then add rules for "DENY ALL" from any admin attempts coming from anything other than YOUR MACHINE IP (or local subnet range). Presto! All set up. Oh, edit the ADP to set to 'high' sensitivity.

    Enterprise gear always works on a cascading policy principle: First, Second, Third, etc. The final rule has to be Deny-All to secure the device, and is by default on all enterprise gear. So merely put in the policies you want, leave out anything you do not, and it will be 'catch all' snagged by the Deny-All. Think of it this way - Firewall/NAT/Virtual open this or that up, while the policies determine what and why. That's the logic path that really helps explain commercial stuff. So even if you open a bunch of stuff to the internet, it's going nowhere unless you assign policies to give it the conditions that allow it.

    That's why there is so much power in these, and why most of us are adamant about people using them. Home routers are generally pretty bad, and NAT as an exclusive security measure isn't cutting it at all anymore.
     
  24. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Here are some shots. When I secure a device I disable all of the unnecessary policies; they create security holes. You would likely want to do the same as you won't need SSH and IPSEC, or VPN access. So that means my logs are generally pretty full of 'default deny' rules. That's good, that's what I want because it's an outright rejection of EVERYTHING I do not want (Ping, Traces, Portscans, SSH, IPSEC, Remote Admin, etc). It's a wholesale rejection of any potential hacker from outside of my subnet.

    First shot shows how cascading policies work, second shows when you have only 'basic' policies activated that your log is generally full of 'deny default' as the core total lockdown.
     

    Attached Files:
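The two posts above describe the same idea from two sides: a first-match ("cascading") policy list that ends in Deny-All, and a log that fills up with 'default deny' once only the basic policies are left enabled. The script below is an added illustration of that evaluation order written for this thread; it is not code from the original posts or from ZyXEL/Fortinet. The zone and policy names (LAN1, WAN, ZyWALL, Lan1_Outgoing, Lan1_Zywall) mirror the names used in the post, while the addresses, the management host and the "obscure" admin port are constructed values for the demo.

```python
"""Added example: first-match firewall policy evaluation with a trailing
Deny-All, plus a summary of which rule produced each deny (the 'default deny'
lines that dominate a locked-down log). All addresses, zones and ports are
constructed for the demo; they are not a real device's configuration."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for icmp)
    zone_in: str    # zone the packet arrives from
    zone_out: str   # zone it is heading to ("ZyWALL" = the appliance itself)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    zone_in: Optional[str] = None          # None means "any"
    zone_out: Optional[str] = None
    src_net: Optional[str] = None          # CIDR, None means "any"
    proto: Optional[str] = None
    dports: Optional[FrozenSet[int]] = None

    def matches(self, f: Flow) -> bool:
        if self.zone_in is not None and f.zone_in != self.zone_in:
            return False
        if self.zone_out is not None and f.zone_out != self.zone_out:
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.dports is not None and f.dport not in self.dports:
            return False
        if self.src_net is not None and ip_address(f.src) not in ip_network(self.src_net):
            return False
        return True


# The catch-all: every field is "any", so it matches whatever reaches it.
DEFAULT_DENY = Rule("Default_Deny", "deny")


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Walk the policy list top to bottom; the first matching rule decides.
    Anything no earlier rule explicitly allowed falls through to Default_Deny."""
    for rule in list(rules) + [DEFAULT_DENY]:
        if rule.matches(flow):
            return rule.name, rule.action
    raise AssertionError("unreachable: Default_Deny matches every flow")


ADMIN_PORT = 8443                 # constructed "obscure" HTTPS admin port
MGMT_HOST = "192.168.1.10/32"     # constructed: the one machine allowed to administer
LAN_SUBNET = "192.168.1.0/24"     # constructed LAN range

# Only the basic policies are present; WAN-to-device and WAN-to-LAN rules are
# deliberately absent so that SSH, IPsec, ping and port scans from outside all
# land on Default_Deny. Order matters: the admin allow must precede the admin deny.
POLICIES = [
    Rule("Admin_From_Mgmt_Host", "allow", zone_out="ZyWALL", src_net=MGMT_HOST,
         proto="tcp", dports=frozenset({ADMIN_PORT})),
    Rule("Block_Other_Admin", "deny", zone_out="ZyWALL",
         proto="tcp", dports=frozenset({ADMIN_PORT})),
    Rule("LAN1_Outgoing", "allow", zone_in="LAN1", zone_out="WAN"),
    Rule("LAN1_ZyWALL", "allow", zone_in="LAN1", zone_out="ZyWALL", src_net=LAN_SUBNET),
]

# Constructed sample traffic: a LAN user browsing, admin attempts from the
# management host / another LAN host / the internet, LAN DNS to the box, and
# typical unsolicited WAN traffic (SSH, ping, SMB).
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "93.184.216.34", "tcp", 443, "LAN1", "WAN"),
    Flow("192.168.1.10", "192.168.1.1", "tcp", ADMIN_PORT, "LAN1", "ZyWALL"),
    Flow("192.168.1.20", "192.168.1.1", "tcp", ADMIN_PORT, "LAN1", "ZyWALL"),
    Flow("192.168.1.20", "192.168.1.1", "udp", 53, "LAN1", "ZyWALL"),
    Flow("203.0.113.7", "198.51.100.5", "tcp", 22, "WAN", "ZyWALL"),
    Flow("203.0.113.7", "198.51.100.5", "icmp", 0, "WAN", "ZyWALL"),
    Flow("203.0.113.7", "198.51.100.5", "tcp", ADMIN_PORT, "WAN", "ZyWALL"),
    Flow("203.0.113.7", "192.168.1.20", "tcp", 445, "WAN", "LAN1"),
]


def audit(rules: List[Rule], flows: List[Flow]):
    """Return the per-flow decisions and a count of denies per rule name,
    i.e. what a log summary of a locked-down device looks like."""
    decisions = [(f, *evaluate(rules, f)) for f in flows]
    denied_by_rule = Counter(name for _, name, action in decisions if action == "deny")
    return decisions, denied_by_rule


if __name__ == "__main__":
    decisions, denied = audit(POLICIES, SAMPLE_FLOWS)
    for f, name, action in decisions:
        print(f"{action.upper():5} {f.zone_in:>4}->{f.zone_out:<6} "
              f"{f.src}:{f.proto}/{f.dport} -> {f.dst}  [{name}]")
    print("denies per rule:", dict(denied))
```

Swapping the first two rules in `POLICIES` is enough to lock the management host out as well, which is the practical reason the "allow from my IP" rule has to sit above the "deny all other admin" rule rather than below it.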

  25. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    @Mayahana

    You have almost stopped talking about the Asus with Trend Micro inside, how come?
     