Cut down on security

Discussion in 'other security issues & news' started by damian666, May 28, 2007.

Thread Status:
Not open for further replies.
  1. damian666

    damian666 Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    63
    Hi
    Just wondered how people would feel about just using Prevx 2 and a good inbound and outbound firewall as the only protection on their PCs (no anti-virus software). Would you need to add something like SSM? Basically, what do you think you could get away with security-wise, and why?
    THANK YOU
    Dame666
     
  2. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: This will be the trend for the future. If you decide to use Prevx2 and a top-notch firewall (I call it a fulltime FW) w/ inbound-outbound network control, if possible adding an application firewall feature, IMO you may want to consider adding sandboxing/virtualization apps. Then you are covered basically in terms of defense. Adding some reservists such as AV/AS scanners may ease up some worries in case criticism arises.
     
  3. herbalist

    herbalist Guest

    For real time protection, you need to accomplish 3 things:
    1. Control over the internet traffic in and out of your PC.
    2. Control over the processes that are allowed to run on that PC.
    3. Control over the content contained in the allowed traffic.

    Number 1 is accomplished with a firewall. External hardware firewalls and routers are generally stronger against incoming threats. Software firewalls give better outbound control, and often more detailed control over incoming traffic. I use both. With software firewalls, how well the ruleset or configuration is done is equally as important as the application that's selected.

    Number 2 can be accomplished in several ways. PrevX is one option. Others use HIPS, sandboxes, virtualization apps, or the system policy editor. The "which is better" discussion is unending. Like firewalls, how well they're configured is extremely important, especially with HIPS.

    Number 3 is the filtering or removal of malicious scripts, annoying ads, and other unwanted elements contained in web pages. It can be anything from browser settings, browser extensions like NoScript and AdBlock, a hosts file, a separate filtering app like Proxomitron, or a combination of these. Each has its advantages and disadvantages. Proxomitron is very powerful but requires a fair amount of user knowledge to make use of its full potential. Browser extensions are easier but only protect the browser they're installed on.

    There's a huge amount of discussion about the different apps that perform these 3 functions. That's all well and good, but the important thing is that these 3 work together. How well they work as a group is more important than what any one of them can do by itself. My package of choice is SSM free, Kerio 2.1.5, and Proxomitron. They're good choices for users who want detailed control and don't mind making all the decisions or taking the time to learn the details. With these 3 apps, there's a fair amount of learning to be done. Many users don't want or don't have time for that level of involvement in the functioning of their systems. You have to choose what matches you and your preferences.

    There's a large number of possible combinations that provide varying levels of protection. You've mentioned apps for the first 2. You just need to cover number 3, web filtering.
    Rick
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hello,
    If your setup works well and you know what you're doing, then you're fine.
    An alternative browser, while not strictly a security measure, can do quite well for security.
    Mrk
     
  5. damian666

    damian666 Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    63
    Thanks for your replies. I have SSM, Cyberhawk, Kerio 2.1.5, AOL Active Virus Shield and RegistryProt. Do you think this is ok or too much?
    THANK YOU
     
  6. herbalist

    herbalist Guest

    SSM and Cyberhawk duplicate a lot of coverage, as do SSM and RegistryProt. RegistryProt covers only the most important keys. SSM covers these with its registry module and more.

    Regarding not using AVs, I've been running without a resident AV for over a year now. I still have AVs, but they're used for scanning only. It's entirely possible to use a PC without an AV, or any other signature-based security-ware that depends on identifying the files/processes. To do so requires a change in how you and your security-ware deal with an unknown. The conventional AV approach is to check the process or file against a huge but always incomplete and out-of-date list of malware and undesirable apps. If the item in question is not one of the many thousands of items in that signature file, it's allowed to run. Visualize doing this with paper lists containing a few hundred thousand items for every file you touch. A very inefficient process indeed, especially when you consider that all it tells you is that the file in question is or is not on their list of undesirables.

    My security is based on a policy of default-deny. In its simplest terms, it means that nothing is allowed to run except for a list of 50 or 100 processes that are part of my system or the apps I use. SSM handles the enforcement duties, a task for which it's perfectly suited. Any attempt to launch a process not on that list is intercepted. If something can't run, it can't infect you. It really is as simple as that. Trojans, keyloggers, adware, etc. are processes. Other malware that functions by altering system files relies on some sort of installer, which is also a process that SSM will intercept. It will also intercept the installers of legitimate software. That can be good or inconvenient, depending on how that PC is used and by how many people.

    Depending on how SSM is configured, when a new process or installer attempts to run, it will do one of a couple of things. If it's running with the UI (user interface) disconnected, the new process is blocked outright. If its UI is connected, the user is prompted about the attempt to launch a new process and given information about what process tried to launch it. If the user took the time to integrate an AV scanner, they can use the "scan" link on the alert to scan the file responsible for that new process, a much better use for an AV than always checking everything.

    Whether this type of approach would work for you is something only you can decide. It's best suited for systems that are finished, where the user has the apps they'll be using installed. It's not good on systems where users are regularly trying new software or changing things. It's a good choice for people who know their systems, the apps they run, and have a basic working knowledge of how a PC works. For users who don't know their systems, or those who can't tell whether a process is part of their normal system or an infected trojan that was dropped, this approach isn't suitable.
    Rick
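    The default-deny policy Rick describes, set beside the signature lookup it replaces, as an added illustration that is not part of this thread and not SSM's own code. Paths, file contents and the "known bad" hash are constructed stand-ins; the allowlist is pinned by path and hash so that a binary swapped in at an allowed location is still treated as unknown, and the two UI modes from the post (blocked outright when disconnected, a prompt naming the parent process when connected) are modelled as return values.

```python
"""Constructed simulation: signature blocklist (allow unless known bad)
versus SSM-style default-deny (deny unless on the allowlist).
All paths, file contents and hashes below are made up for the example."""
import hashlib
from dataclasses import dataclass

EXPLORER = r"C:\Windows\explorer.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
NEW_INSTALLER = r"C:\Users\dame\Downloads\setup_newapp.exe"
DROPPED = r"C:\Users\dame\AppData\Local\Temp\svch0st.exe"

# Constructed stand-ins for the bytes on disk (a real tool hashes the actual binary).
CLEAN_DISK = {
    EXPLORER: b"explorer shell stand-in",
    FIREFOX: b"firefox browser stand-in",
    WSCRIPT: b"windows script host stand-in",
    NEW_INSTALLER: b"legitimate but unknown installer stand-in",
    DROPPED: b"freshly dropped trojan stand-in, not in any signature file yet",
}


def sha256_of(disk, path):
    """Hash of the file currently at `path` on the simulated disk."""
    return hashlib.sha256(disk[path]).hexdigest()


# Signature list: hashes of malware seen before. Deliberately stale, like every
# real signature file: it knows last month's sample, not today's drop.
KNOWN_BAD = {hashlib.sha256(b"last month's trojan stand-in").hexdigest()}

# Default-deny list: the handful of processes that belong on this PC, pinned by
# hash so a replaced binary at an allowed path no longer matches.
ALLOWLIST = {p: sha256_of(CLEAN_DISK, p) for p in (EXPLORER, FIREFOX, WSCRIPT)}


@dataclass(frozen=True)
class LaunchAttempt:
    parent: str  # process that asked to start the new one
    path: str    # executable about to run


def blocklist_decision(disk, attempt):
    """Conventional AV model: run unless the hash matches a known-bad entry."""
    return "deny" if sha256_of(disk, attempt.path) in KNOWN_BAD else "allow"


def default_deny_decision(disk, attempt, ui_connected):
    """Default-deny model: run only if path and hash are both on the allowlist.
    Anything else is blocked outright with the UI disconnected, or becomes a
    prompt that names the parent process when the UI is connected."""
    expected = ALLOWLIST.get(attempt.path)
    if expected is not None and expected == sha256_of(disk, attempt.path):
        return "allow"
    if not ui_connected:
        return "deny"
    return f"prompt: {attempt.parent} tried to launch {attempt.path}"


def compare(disk, attempts, ui_connected=False):
    """Map each attempted path to (blocklist verdict, default-deny verdict)."""
    return {
        a.path: (blocklist_decision(disk, a), default_deny_decision(disk, a, ui_connected))
        for a in attempts
    }


# Constructed launch attempts: the browser starting, an unknown installer the user
# downloaded, and a dropped file the browser tries to execute.
ATTEMPTS = [
    LaunchAttempt(EXPLORER, FIREFOX),
    LaunchAttempt(EXPLORER, NEW_INSTALLER),
    LaunchAttempt(FIREFOX, DROPPED),
]

if __name__ == "__main__":
    for path, (bl, dd) in compare(CLEAN_DISK, ATTEMPTS).items():
        print(f"{path}\n  blocklist:    {bl}\n  default-deny: {dd}")
    # Same allowed path, but the file on disk was replaced: hash pinning catches it.
    tampered = {**CLEAN_DISK, EXPLORER: b"trojanised explorer stand-in"}
    print("tampered explorer:",
          default_deny_decision(tampered, LaunchAttempt(EXPLORER, EXPLORER), False))
```

    The point the two verdict columns make is the one in the post: the stale blocklist lets both the unknown installer and the dropped file run because neither is on its list, while default-deny blocks both and leaves it to the user to allow the installer deliberately. The same logic also blocks legitimate new software until it is added, which is the inconvenience Rick mentions.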
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't use any AV/AS/AT/AK/AR-scanner anymore for many reasons, and they don't fit in my frozen snapshot either, because:
    1. they require daily updates of signatures
    2. these daily updates occur at a random time during the day.
    If I want to keep these updates, I have to re-freeze my snapshot, and that is risky, especially when I have to do this during the day.
    I only update my frozen snapshot right after reboot, and I do it manually.
    So I avoid any security software that requires signature updates.

    Look'n'Stop, Anti-Executable, DefenseWall and ScriptDefender don't require signature updates, only occasional software updates, which I also do at the right moment.
    I really had to change my old habits after using a frozen snapshot and I still have to get familiar with this and develop new procedures, because the old procedures aren't valid anymore.
    I have to do other things and I have to do it in the right sequence. :)
     
  8. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Hi Rick,
    Do not forget XSS and Undetectable phishing through XSS.
    If you're interested, I tried to throw my 2 cents about Proxomitron VS Firefox extensions in a "cut down" perspective here.
     
  9. herbalist

    herbalist Guest

    Defending against malicious material delivered via the browser is a huge subject of its own. While Proxomitron is at the core of my protection, it doesn't stand alone. In addition to Proxo, I also have the Show IP extension, which displays the IP addy(s) of the site you're connecting to. It catches a lot of redirects. I also have severe restrictions on what the browser is allowed to do. SSM severely limits what processes it can launch, with wscript and cscript topping the list. IMO, defending against every possible attack that can come thru a browser is beyond what any single security app can do. With web content becoming more interactive and "feature filled", this will be a long term problem.
    Rick
     