Multi-layer security vs Separate machines

Instead of having a single all-purpose machine which requires all these layers of protection, wouldn't it just be easier to get another machine and use it solely for surfing?
With the money you would need to buy licenses for three or four of these security apps, you can buy a very capable used PC, and since the user profile doesn't contain any exes or dlls, it can be stored on the secure machine and accessed by the internet machine without risk of infection.

Sorry if I appear to be beating a dead horse, but I have been reading a lot of posts, and I still can't understand why one would want to use all these softs instead of just using separate machines.
bigc73542's sig states "The Only Safe Computer Is Unplugged"; isn't the separate machine strategy closer to this ideal?

I think the primary disadvantage for using separate machines is that the user must exercise greater self-control, but the mega multi-layered approach has the disadvantage of being much more complicated to both use and maintain.

I would really appreciate it if someone could enlighten me with a possible scenario where a multi-layered single machine is consistently more secure than separate work environments.

 

If I had the money and space, I would get a second computer for security reasons.

One machine would be have an AV (or more) and be used for downloading. The second machine would be fine with only need a sandbox or virtualization. Plus without an AV, the second computer would be faster.

 

Using the money saved from not buying 4 security soft licenses, you could buy a tiny used Micro ATX machine.

Why would you need a sandbox or virtualization on the second if the only websites you go to with that machine are, for example, your financial institutions?

 

I wouldnt want a cheap computer because I would use the machine for more demanding tasks too.

Secondly I never said I would only visit certain sites.

 

The second machine is supposed to be for risky Internet use only; what is the point if you are going to also use it for other tasks?

The first machine would be for important tasks only; what is the point if you are going to use it to surf everywhere?

So basically you are saying that you wish you could have two machines, period.

 

I think most members here will agree that as well as being security conscious due to past experiences from Windows 98 days, most of us are obsessed by ever newer software innovations in this field as well.

You do raise a very good point though. Why not just settle on one single machine, strickly & ONLY for surfing/downloads whatever, armed with (hopefully) the best preventions offered (according to your budget of course), and let it go at that.

To jeopardize say some quality photo or scientific research programs that you went out on a limb for maybe, and run them on the same machine you surf with, puts those apps at risk to be corrupted or even destroyed completely.

Then again, some will argue that with adequate backup software, thats not so much a concern for them since they can just restore the image and Presto! back in the biz again.

Still, very interesting point you bring out. Extending themselves by surfing with additional internet serviced machines and licensing those in addition, adds up eventually.

I personally, due to my previous malware researching, maintain a chain of ?? several hard drives on at least 5 different machines, all internet capable and ready but HIPS/Virtualization/ISR/BackUp investments have completely drowned any need on my end for maintaining licensed AV's, i use freeware AV's On-Demand or internet AV Detections to check integrity of files/systems.

I've found, thanks to introduction of free HIPS of invaluable resource and benefit and as such is made thrifty the purchases for backup programs, sandboxes, ISR's. Great investments, and it stops there.

For me they free up resources for Hardware Upgrades such as memory and other peripherals etc.

 

A PC can be very well secured at little or no cost. My security package costs zero. It doesn't take a "mega multi-layered approach" either. I run 3 security apps on my primary PC, a firewall, HIPS, and Proxomitron. Properly configured, those 3 can keep you safe from most anything, provided that you don't choose to allow something malicious. A PC isn't that hard to secure if the user doesn't use a default-permit security policy, aka everything not specifically identified as malicious is allowed.

That statement is a problem in itself. Define "risky use". Sites normally regarded as trustworthy are being hacked at an increasing rate. A user doesn't have to engage in risky behavior to contact malicious code.

A well designed security package doesn't need much maintenance. The only real cost is setup time. With 2 PCs, you have increased hardware costs if they're both going online. You'll have to set up some kind of home network, and take precautions to make sure the "risky use" PC doesn't infect the other PCs on your network. You have increased power costs. Increased space requirements. Twice as many wires and cables. I don't see any advantage to having a PC just for risky browsing unless you're using it for testing or research. Some people run a 2nd PC just for P2P. That would make sense if you're sharing a lot of files or it's serving as a major hub, but not for the average user.

 

Any site which does not use HTTPS, or which is not from a company you can take to court.

You have contrasted the advantages of a security strategy based primarily on common sense with the disadvantages of a strategy based on separate hardware; unsurprising that the separate hardware strategy would look terrible in this light.

My question was directed more to the advocates of multiple layers, essentially saying, if one is going to go through all that trouble of configuring all these separate layers so that they work together, why not just go all the way and go separate hardware?
In that case, IMO having twice as many cables and wires may very well be preferable to having twice as many security softs to deal with on your pc.

 

The easiest thing to do is to surf the internet from a "live CD"- Everything is loaded into RAM on bootup. When you turn off the computer, everything goes away.

 

I have only ONE computer, but I have 2 system partitions in which I can boot.

Off-line system partition
It has no internet connection (disabled in WinXPproSP2)
It has no security softwares.
It has no internet softwares.
That's where I work and play without any disturbance caused by malware or anti-malware.
I use this off-line system partition since March 2006 and it works faster of course, because there is no security. I never have any problems there, absolute silence.

On-line system partition
It has an internet connection of course and a bunch of security and internet softwares.
I froze this system partition, because I don't trust my security softwares and that means no change, unless I want it.

When I leave my desktop to surf on the internet, my Firefox is sandboxed and my data partition is locked automatically, so I can't forget it.
This means that any malware is trapped in a double isolated area : in a sandbox and in a boring system partition with an empty folder "My Documents".
The only thing a malware can do there is stealing sand and wait until my reboot kills them.
Keyloggers are useless, my bank solved that problem forever.

This is where I try new legit softwares and when these software cause problems and they sometimes do, I reboot and I have my clean and unused system partition back as nothing happened.

On top of that, I have clean, unused and updated images for restoration only and they give my computer back when something goes terrible wrong in my actual system partition. That happened 4 times since March 2006 caused by legit softwares, that didn't like my system.
So I hardly use ShadowProtect for restoring my system partition, I use ShadowProtect regularly to update my clean images with the latest version of softwares, the latest configuration and sometimes a new legit software that is worth to keep. Simple routine work.
FDISR provides a safe link between my clean and actual system partition and that keeps my actual system partition up-to-date without double work.

 

How long did that take you to configure Erik?

 

Multi-layer feels a lot safer. You need to do a lot of work to set it up, hence it must be safer.

 

It takes as much time as a complete MANUAL installation of Windows and all Applications from scratch, starting with an empty harddisk [C:]
Unfortunately, the software, I use to make it all possible (besides ShadowProtect) is terminated : FDISR Workstation. You can't buy it anymore.

On long term (within 5 years, maybe longer), I have to find another software to make that possible, so one day, I have to start all over again.
At this moment there is no alternative, otherwise I would have done it already, because I don't like softwares on my computer, that have no future anymore.
So I'm waiting for a miracle in the software world.

 

Multi-layered security in an off-line system partition, where I do all my work and hobbies ? It doesn't need security, because there is no internet connection.

 

Lol Erik, ive already got FD-ISR but am currently just using it as a replacement to windows system restore. I like your setup, but dont have the time or the patience to create it atm.

 

I've been using the seperate machine method for quite a while now. I have a stand alone system which i use soley for my online financial business. While this type of setup costs more, i feel its well worth it. Plus i don't have to bog down my main rig with security layers anymore.

 

LOL. In that case keep FDISR, it's one of a kind. It is a real time-saver and a troubleshooter in deeds, once you know how to use it right.

 

Thanks for the correction. The second machine just needs to be enough to run teh AV.

I would use my machines differently:

1st computer: games, general tasks, surfing (no downloading)

2nd computer: surfing (downloading only), p2p

 

Hello,

It's a waste of a computer to use it for browsing only. There are so many ways you can utilize a single machine before you expand:

- virtualization / emulation
- different profiles
- different users
- portable apps / mojopac

Plus it doesn't take Area 51 to be secure and have fun on the net ...

Mrk

 

You took half of my post out of context. It doesn't have to cost anything to secure a PC to be safe for most any activity. If you run more than one, you add the problem of networking them and securing the other PCs against whatever the "risky use" one might pick up. That approach creates as many problems as it solves.

I've run Win98 almost exclusively for years. A lot of people have been suggesting I try Win2000 since I don't like or trust XP. It only took a day to install 2K on a 2nd hard drive, set up the dual boot, equip it with the apps I use, and get it updated and secured. It doesn't take that long to secure a PC. It actually takes much longer to get all the updates, patches, applications, driver updates, etc installed on a PC than it does to configure a couple of security apps.

You don't need a single purpose PC for "risky use". I've yet to find a site that can compromise my primary PC. About the only times I prefer to use a separate PC is for testing security apps or working with live malware. If you're considering a separate PC just to avoid setting up a security package, you're making it harder and more complicated than it has to be.
Rick

 

And if that second machine used for risky internet use gets infected, no doubt frequently, then where does that leave you? Spending more time re-installing Windoze or even images than it takes to set up a basic security profile of av and fw on one pc.

 

Well if it gets infected, the second computer did its job; your main one is still up, running, and clean.

 

I'm not not against the use of a second machine but it would have to be for a serious good reason to use one, such as day trading (as a hot standby) or for business use.

 

Well me thinks the advantage of a second machine is simplicity.

Isn't security about keeping things simple? The more complexity the more chance of a cockup. Though it seems that this principle conflicts with the one advocating more layers, since adding layers adds more complexity due to interaction between the layers....

EA recognises the advantage of simplicity hence his love of his strategy. But when it comes down to it, his target is effectively the same as having 2 or more PCs really (except a bit less secure, cos it uses software to do it)

Herbalist would tell you his setup isn't really complicated... But by any normal standards, configuring SSM is not by any means simple, and possibility of making a configuration error or a bug in the complicated software (that uses none-documented methods remember) is not insignificant.

True, you need to spend time setting up two pcs rather than one, but setting up windows is no easy task either, but that is a recognized and well documented procedure, and it can be eased by setting up one pc then cloning it...

That is not to say that everyone has to use multi-pcs, or that the "safe pc" has to be wide open with no protection!

It seems people seem to think that if they don't run with their super multi-duper layer they would be infected for sure...

In my experience even with standard conventional protection (Av,firewall) and unrestricted browsing it is hard to get infected by visiting sites. (the risk is higher with other methods).

If you restrict that to use it only for banking sites, i wouldn't worry much about getting infected. Sure bank sites in india have being infected but even that didn't affect half-way protected pcs (pc that's were patched)....

The risk here is discipline. Are you disciplined enough to do only online banking on one computer?

 

VMs are one form of multiple separate machines. Even setting up different user accounts for different tasks should give most of the benefits of multiple machines.