Lessons from the front line...

Discussion in 'other firewalls' started by TJworld, Nov 30, 2005.

Thread Status:
Not open for further replies.
  1. TJworld

    TJworld Registered Member

    Joined:
    Jun 25, 2005
    Posts:
    13
    Looking over these forums occasionally, and especially seeing the signatures listing enough software to fill a truck, I do worry that many people are losing the joy of surfing and straightforward use of the 'net.

    It seems to me the agenda is set by many large commercial vested interests and so-called security experts making unknowledgeable users fear attacks and infections of various sorts in order to get us to spend money on bloated and resource-hungry software requiring tens of megabytes unnecessarily, that also gets in the way of what I want to do today.

    I have been using the Internet intensively since the late 1980s and have never been compromised by network attack nor had systems infected by virus or spyware - unless I was testing in a lab environment. According to the experts that's apparently through luck rather than judgement.

    It all comes down to common sense measures.
    • Don't download software that has dubious pedigree - resist the what-if urge unless you have an isolated PC to do such things.
    • Use a web browser that will not execute code without your permission (e.g. Mozilla Firefox), or turn such features off (in IE, disable Browser Helper Objects (BHOs) and disable ActiveX).
    • Employ an email server that can detect and reject connections from suspicious servers before email is delivered into your network (e.g. Netwinsite's Surgemail).
    • Use an email application that will deal with messages as pure text (which is what they are) with the option to view embedded HTML versions only when you've satisfied yourself as to the contents (e.g. Mozilla Thunderbird).
    • If you're using Windows, don't do your day-to-day work with an account that has Administrator privileges.

    I don't want to sound holier-than-thou, but I do want to encourage people to realise that if they follow some basic steps they do not need to spend a great deal of money nor worry endlessly about the issue.

    I'm a deep-down dirty hacker techy type working with Windows and Linux network systems in business, research & development, software development and leisure use. I spend a lot of my time downloading and testing new software, as well as trawling the 'net looking in odd corners for interesting tid-bits, so I go places where there's more risk.

    Administrator Permissions
    This is probably the biggest single change users (especially home users) could make to protect themselves. In stand-alone settings Windows XP by default puts the users in the Administrators group, which allows them to do anything. This means any rogue software they inadvertently download and execute will run with those privileges.

    Make your regular account part of the Users group, which doesn't have privileges to install software. Use another (Administrators group) account for installing software or managing systems, or have a script that temporarily adds your account to the Administrators group, or else use the Run As... option to run particular programs with elevated privileges.

    Firewalls
    A recent corporate change I made brings the whole bloatware / money / functionality issue into sharp relief.

    My businesses have relied on Internet access and have predominantly used Windows for desktop and back-office where the focus was on main-stream non-technical customers.

    So we adopted Microsoft-style responses... Microsoft's Internet Security Accelerator (ISA Server) 2000 and 2004. Throughout the time we used and mostly recommended it I hated the thing with a passion because it got in the way and prevented many of the more creative things we needed to use the net for.

    Last year ISA Server 2004 was getting particularly annoying - unbelievably it is not possible to create a simple server-publishing rule where the server service (web server, say) is on the same PC as ISA Server.
    I also discovered it silently installed SQL Server in the background to store logs and fairly took over a dual-CPU server's memory and CPU cycles.

    There are other more subtle issues like it blocking RPC and epmapper traffic even when its policy said it wasn't, but that's getting techy.

    Anyhow... I was getting increasingly fed up with being told "you can't do that" by the software and, when I talked to Microsoft Private Support, by the supposedly intelligent technical support staff.

    I knew what I wanted all along - something like Linux IPtables where the packet filter/firewall works with me, not against me.

    Without much hope of escaping this feeling of being stifled I decided to look around and somehow discovered IDRC's (now Third Brigade) CHX-I 2.x suite and it was, in many ways, a perfect moment.

    In all the MS Windows world it was the first time I'd found something that would do what I wanted easily, without fuss, without taking over most of a PC, and without telling me I wasn't allowed to do something!

    Now, with a few simple rules, I can protect individual PCs or entire networks (packet filters), intercept and manipulate the data as it comes in and goes out (payload filters), trigger reactions to events to open and close ports only when necessary (triggers), and log as little or as much as I need depending on circumstances without needing a bloody great database!

    And all that from a few hundred kilobytes of well-crafted code.

    What's even better from my perspective is that, in email conversations with one of the guys who developed CHX and owned IDRC (Rares Stefan), it appears they intend to make the core code open-source at some point after the 3.0 release!

    That's the kind of action that creates respect as well as confidence in a product, where peer review of key security code is possible, other developers (like me) can contribute code, and generally the product gets the benefit of thousands of individual techies looking over it.

    It also means I can develop vertical-market extensions on the common core for particular issues I face, and contribute that code back to the community.

    Email
    On the subject of love-hate with Microsoft server software... next up is Microsoft Exchange Server 2000 and 2003.

    I spent many hundreds of frustrating hours over the years trying to ensure this beast kept things ticking. The most annoying part was being unable, despite spending a lot of money on external add-on software, to block the mountains of spam most corporates receive.

    Like many email servers it suffers from a major failing - it will accept email before deciding it is spam. So it will allow the spammers to eat up server resources and cause headaches for the IT guys later, because unravelling a corrupted Exchange database is not something I'd wish on anyone.

    Then along came Netwinsite's Surgemail. Talk about a revelation! Out of the box it reduced spam problems by 95%, simply by using some common-sense measures like SPF as well as an intelligent spam filter called ASpam. It also has an integrated virus scanner that gives me confidence, although once the ASpam engine has rejected so much the anti-virus rarely has anything to do.
    It's managed via an easy-to-understand web interface and, with integrated web-mail, POP3 and IMAP4, it makes providing email service a pleasure not a pain once more.

    In Summary
    A few simple measures can save you spending thousands, and give you more flexibility and confidence in the solutions. Don't go for the biggest or the loudest or the most marketed... on those criteria I'd never have discovered CHX, and it is in my opinion the single best change I ever made.

    When in doubt, remember what the definition of an expert is... An ex is a has-been, and a spurt is a drip under pressure :p

    Don't let the buggers get you down
    -----
    TJ.
     
  2. Dave-54321

    Dave-54321 Guest

    If CHX went open-source that would be AMAZING!
     
  3. Arup

    Arup Guest

    I agree, CHX is truly an amazing product in today's age of unnecessary bloat, which draws a thin line between suite and firewall. Even though CHX is not going open source by any means, it would remain free for personal use. The new version 3.0 promises so many goodies, primarily among them the Trigger feature, just like a router. CHX is exactly like a software equivalent of a router, almost as unobtrusive and bug free.
     
  4. TJworld

    TJworld Registered Member

    Joined:
    Jun 25, 2005
    Posts:
    13
    A quote from an email of 30th June 2005, from Rares Stefan to me:
     
  5. Arup

    Arup Guest

    Yep, the word is "hopefully"; it would be good if they do so, but it's still free for home use.
     
  6. TJworld

    TJworld Registered Member

    Joined:
    Jun 25, 2005
    Posts:
    13
    Open-source freedom doesn't mean zero-cost!

    In my opinion valuable things should never be given away free... it leads to expectations of something-for-nothing, especially in the digital world.

    Being able to independently assess its fitness for purpose and quality, and contribute to its continued development in areas where the development team might not want to go, or have the resources to do so, is far more important.

    It gives users freedom of action in the event the original developers move on to other things, or the company decides for commercial reasons to cease development or support of a product.
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    A good security application should provide two things - protection from one or more "threats" and control over some aspect of your system. So firewalls protect from incoming attacks but also give you control over what programs send data out - process protection software restricts what malware can do but also lets you decide what Windows can run. There are a number of "poor" security apps that don't give you control ("nanny state computing") but most people posting here seem to gravitate to the better ones.

    On top of that, much of the "joy of surfing" now depends on users filtering traffic. Spam, animated/floating adverts, blinking text, Flash bandwidth killers, popups and popunders and intrusive information gathering have all become far too frequent an occurrence, so taking steps to improve security (locking down browser options as you have mentioned, but also using ad/web filtering) can be key to a better online experience. I have zero tolerance for most advertising (and will spend 10 minutes knocking up a custom filter in Proxomitron to kill any that slip through if I think the website is too good to boycott) but thanks to judicious use of security applications, I see virtually none and haven't seen an unsolicited popup for a couple of years now.

    So yes, there are bad applications and overly-fearful users - but the consequences of over-securing a system are rarely as bad as under-securing one. It is also likely that malware authors will use ever more creative means of spreading their wares, making "safe hex" harder and increasing the need for third-party security tools.
     
  8. TJworld

    TJworld Registered Member

    Joined:
    Jun 25, 2005
    Posts:
    13
    I guess it depends on which kind of person you are... is the glass half-full, or half-empty?

    Me... I leave the car unlocked when I go into town and trust people not to mess with it, but if they do, boy!, they better be ready for some trouble because in some respects that good ole You-Esss-of-Aye boy GeeDbl-U is right about shock and awe :D

    But after all it's only a computer, it's not like it's real life... and of course you do back up everything... you do, don't you? :rolleyes:
     
  9. Arup

    Arup Guest


    So very true: free means no respect. We humans like to pay because of our vanity, then suffer and defend our expenditure, no matter how bad. I am an eternal leech, so I use all freebies and so far they all run great.
     
  10. TJworld

    TJworld Registered Member

    Joined:
    Jun 25, 2005
    Posts:
    13
    The payment need not be monetary, it can be in-kind.

    That's the whole point of open source... you can pay by helping improve, extend or support the package - sometimes that form of payment is more valuable than mere money.
     
  11. Arup

    Arup Guest

    TJworld,

    Are you behind a router and then using CHX as a second filter?
     
  12. TJworld

    TJworld Registered Member

    Joined:
    Jun 25, 2005
    Posts:
    13
    CHX-I is the primary and secondary filter.

    CHX is on the Internet servers, on the LAN/Internet gateway, and on internal LAN workstations and servers.

    Having them all monitored via a central MMC makes management and monitoring so easy, and gives a great overview of network activity.

    Oftentimes I'll see someone abusing one of the servers and instantly add their IP/range to the pre-defined IP list "Unwanted Visitors", then refresh each CHX instance from the centrally-stored list, and the 'visitor' is no more.

    (I run a modified tcpview.exe from SysInternals that monitors real-time connections to multiple PCs).
     
  13. Arup

    Arup Guest

    Very good. I bridged my router and use CHX, as I do P2P and avoid all the hassles of routers like choking on heavy use with P2P etc. Also much safer, as I don't have to do port forwarding or triggering, and my speeds are higher in bridged mode with CHX than in router mode; also CHX offers far better protection.
     
  14. TJworld

    TJworld Registered Member

    Joined:
    Jun 25, 2005
    Posts:
    13
    What I particularly like about CHX-I is, with a trivial script, I can synchronise the packet-filter rules between CHX-I and Linux IPtables so management of both can be done from the one MMC.
     
  15. Arup

    Arup Guest

    The new CHX with payload and HTTP stream filtering promises to be even more interesting; it also has other protocol protection as well.
     
  16. TJworld

    TJworld Registered Member

    Joined:
    Jun 25, 2005
    Posts:
    13
    Indeed, I'm very impressed with it so far. There is a lot that could be done to extend it too, which is why I hope they do decide to take it open-source.

    One of my current projects is an object-aware network monitor that pulls together real-time data from CHX, tcpview, filemon, and server logs to give IT managers a clear picture of who is accessing what, and how.

    Doing this over an entire network gives one a great deal of insight into potential vulnerabilities, and using this information to instantly impose restrictions via CHX-I has great potential.

    For example, with traffic-shaping I can have a trigger that detects too many connections to a particular resource (a streaming media source, say) and automatically throttles it - either for a single visitor or a group.

    Likewise it can detect someone attempting to do a wget of an entire site - taking a copy of it - and if that is against policy impose restrictions on that visitor such as limiting the number of concurrent connections, the bandwidth, or the number of files they can access per visit.

    Using triggers, HTML requests that breach policy can be redirected to a page that explains why the visitor is being restricted.

    Another use: if a port-scan is detected the IP can be instantly blocked across all servers, and a Real-time Black List DNS server can be updated with the IP of the scanner. This has great potential for sharing and actively blocking IPs of machines that are compromised and being used by trojans.
     
    Last edited: Dec 1, 2005
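As an added example (not code from this thread and not part of CHX-I), here is the port-scan detection and block-list response described in the post above, written in POSIX sh and awk over a constructed connection log; the log format, the thresholds and the rbl.example zone are assumptions.

```shell
#!/bin/sh
# Constructed sample of firewall connection-log lines (not real traffic):
# "<epoch-seconds> <source-ip> <destination-ip> <destination-port>", time-sorted.
SAMPLE_LOG='1133366400 198.51.100.20 192.0.2.1 80
1133366401 203.0.113.7 192.0.2.1 21
1133366402 203.0.113.7 192.0.2.1 22
1133366403 203.0.113.7 192.0.2.1 23
1133366404 203.0.113.7 192.0.2.1 25
1133366405 198.51.100.20 192.0.2.1 80
1133366406 203.0.113.7 192.0.2.1 80
1133366407 203.0.113.7 192.0.2.1 110
1133366408 203.0.113.7 192.0.2.1 22
1133366409 203.0.113.7 192.0.2.1 143
1133366410 203.0.113.7 192.0.2.1 443
1133366420 192.0.2.9 192.0.2.1 80
1133366500 198.51.100.20 192.0.2.1 80
1133366700 192.0.2.9 192.0.2.1 443
1133367000 192.0.2.9 192.0.2.1 22'

# detect_scanners THRESHOLD WINDOW: read log lines on stdin and print
# "<source-ip> <distinct-ports>" for every source that touched at least
# THRESHOLD distinct destination ports within WINDOW seconds. A busy but
# legitimate client hitting one port many times is not flagged; a slow
# prober spread over a longer span than WINDOW is not flagged either.
detect_scanners() {
    awk -v thr="$1" -v win="$2" '
    NF == 4 {
        key = $2 SUBSEP $4                     # one entry per (source, port)
        if (!(key in seen)) { seen[key] = 1; nports[$2]++ }
        if (!($2 in first)) first[$2] = $1     # log is time-sorted
        last[$2] = $1
    }
    END {
        for (s in nports)
            if (nports[s] >= thr && last[s] - first[s] <= win)
                print s, nports[s]
    }' | sort
}

# rbl_record IP ZONE: the DNS record a real-time block list serves for IP
# (octets reversed under the zone; an answer of 127.0.0.2 means "listed").
rbl_record() {
    rev=$(printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }')
    printf '%s.%s. IN A 127.0.0.2\n' "$rev" "$2"
}

# block_rule IP: the drop rule to push to every server's packet filter
# (printed, not executed, so the script is safe to run anywhere).
block_rule() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Demo run: flag sources hitting 5+ ports inside 60 s and show the response.
printf '%s\n' "$SAMPLE_LOG" | detect_scanners 5 60 | while read -r ip n; do
    echo "# $ip probed $n ports"
    block_rule "$ip"
    rbl_record "$ip" rbl.example
done
```

On the sample log only 203.0.113.7 is flagged: 198.51.100.20 hits one port repeatedly and 192.0.2.9 touches three ports over ten minutes, which is below the threshold and outside the window.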
  17. TJworld

    TJworld Registered Member

    Joined:
    Jun 25, 2005
    Posts:
    13
    Something that shouldn't be overlooked from CHX-I 2.x, is the Network Address Translation (NAT) module.

    It's fantastic to have the degree of control it gives, and it makes using Windows Networking just like Linux.

    On Linux I have IPtables port-forwarding MASQ rules to redirect all outgoing requests to port 80 (i.e. web browsing) to the local Squid caching proxy server port.

    With the CHX-I NAT module and the NT version of Squid, the same redirection rule is easy to set up. No longer do the internal web clients need to be configured to use a proxy - as far as they are concerned they're directly connecting.

    When the NAT module sees connections outgoing to port 80 it redirects them to the local Squid port and takes advantage of local caching.

    This simple set-up entirely replaced the need for ISA Server and reduced the resource requirement substantially and most of all, since making the change, the amount of time spent managing the firewall/cache has been reduced significantly.
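As an added example (not the thread's own configuration and not CHX-I's), this is the Linux iptables side of the set-up described above: outgoing port-80 requests from the LAN are redirected on the gateway to the local Squid port, with the LAN masqueraded for everything else. The interface names, LAN subnet and Squid port are assumptions to adjust.

```shell
#!/bin/sh
# Assumed gateway layout (adjust to your network):
LAN_IF=eth1              # interface facing the workstations
WAN_IF=eth0              # interface facing the Internet
LAN_NET=192.168.1.0/24   # the internal network
SQUID_PORT=3128          # Squid's http_port; squid.conf must have interception
                         # enabled on it ("transparent" on Squid 2.x,
                         # "intercept" on Squid 3.1 and later)

# nat_rules: print the nat table in iptables-restore format. Nothing is
# applied here, so the output can be reviewed or diffed before use.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Web requests that stay inside the LAN (an intranet server, say) must not
# be bounced through the proxy: leave the chain before the redirect.
-A PREROUTING -i $LAN_IF -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j RETURN
# Every other outgoing port-80 request from the LAN lands on local Squid;
# the client is unaware and needs no proxy setting. Squid's own fetches
# originate on the gateway, traverse OUTPUT rather than PREROUTING, and
# so are not redirected back into Squid (no loop).
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# LAN traffic that is not proxied (HTTPS, mail, etc.) is masqueraded
# behind the gateway's public address.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# rule_count: number of rules the table would install (a sanity check
# before applying on a live gateway).
rule_count() {
    nat_rules | grep -c '^-A'
}

# apply_rules: load the table into the kernel. Requires root; run only on
# the gateway. Forwarding must be enabled for the LAN to reach the Internet.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    nat_rules | iptables-restore --noflush
}

# Default action: show what would be installed.
nat_rules
```

Run `apply_rules` as root on the gateway once the printed table looks right; port 443 is deliberately left untouched, since HTTPS cannot be redirected into a caching proxy this way.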
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,289
    Hurllo,
    TJ, you are talking about a level of knowledge and skill a bit above the average user. What you suggest requires a fair level of confidence to use and write scripts and conglomerate various apps into a powerful formula.
    But your general idea is completely true.
    People live in fear and are governed by gut feelings. Most people will run either too many or too few security applications.
    Apart from people who LIKE to tweak and play with security, after all it's just another hobby like duck hunting or bdsm clubbing, most users go head over heels, missing the true meaning of computer security.
    With a bit of thinking, it's enough to run a firewall and anti-virus and a non-MS browser to practice a reasonably safe internet life.
    To mention simplicity, here are the few things I have found valuable over the last years:
    Proxomitron web filter - a great little thing. Reinforced with filters, like Kye-U or Gripen package, Proxomitron not only kills ads, it also removes exploits and vulnerabilities from web pages. I have tested Proxomitron against tests on Secunia and found it fully capable of neutralizing the unpatched exploits in browsers.
    Configuring your own router - without router.
    Take two computers or more and inter-connect them, then configure a home network using Internet Connection Sharing. This done, turn off the firewall at any of the computers and head for the tests at grc or sygate. All ports closed. The gateway computer is a router now.
    Firefox browser with extensions - not only will it run faster, it can be impregnated to be safer and less cluttered. Two of the most powerful extensions are Adblock and Noscript. Adblock is a sort of Proxomitron-like addition to Firefox, whereas Noscript is a customizable console for java and javascript.
    Bart PE bootable Windows CD - very handy. It can be used to recover from disasters, including failed OS and malware. The disk, strengthened by drivers and plugins that turn it into Ultimate Boot CD for Windows, contains dozens of good applications, including anti-virus and anti-malware, disk diagnostics, repair, imaging and backup, burning, Firefox browser and more and more. Unlike Linux disks, Bart PE can write to NTFS drives. This can allow anyone to save their data even if Windows virtually gets wiped out.
    Small simple things, yet so mighty.
    Cheers,
    Mrk
     
  19. TJworld

    TJworld Registered Member

    Joined:
    Jun 25, 2005
    Posts:
    13
    um... hate to ask but... what's an anti-virus program? :p

    Yup, that's right, I don't run one :)

    Like you say it comes down to what you know... if you know the pedigree of executable content, or have the tools to analyse it before it is allowed to execute, then it's unlikely that a hidden payload will get through.

    I have a directory crammed full of trojans, viri, and various software impregnated with malicious payloads that I've downloaded, but none of it is a threat because none of it will be executed.

    After a simple hex-editor exploration of a few of these to get a 'feel' for what they look like it's not hard to spot the malicious from the innocent.
    Anything that feels the need to obscure its content using encryption is banned right away, closely followed by anything that has an imports list that makes calls to Windows kernel functions it has no business with.

    Even the most neophyte users, when shown these things in simple terms they can relate to, quickly develop the basic instincts of safe and successful hacking.

    When you give the power and feeling of control back to the user, through education, it's wonderful to see them blossom.
     
  20. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    That's great, but most users don't have the time or inclination to learn such things. Most of the users I encounter would rather pay me the money to set them up with a few well-placed apps so they can proceed with other, sometimes more important, things. Computers are often tools of work or leisure. Work isn't going to leave room for that kind of thing, and that kind of learning is not leisure to anyone that's not a geek. Nobody's going to doubt that what you're suggesting works, but I don't think your suggestion is a viable solution for all. There's always that balance between time and money, no matter what you are looking at.
     
  21. TJworld

    TJworld Registered Member

    Joined:
    Jun 25, 2005
    Posts:
    13
    I think you missed the point of my article... it's not about being a geek or not, it's about letting people know they can be in charge of their own destiny, and don't need to feel the degree of fear / anxiety the focus on intrusion / infection generally seems to cause.

    Too few people that know what's what speak up for common sense, or encourage users to get out there and explore... I couldn't phrase it better than Paranoid2000 when he (she?) called it nanny-state computing.

    The nanny-state in all things is an insidious malaise and for the 'net in particular - something that can inspire creativity and be so wonderfully educational and entertaining - it has the potential to undermine what the Internet is - an organised anarchy of ideas and expression.
     
  22. Looks like the same argument going on here in the DSL Broadband Reports.

    Unlike over here though, there is a marked preference for fewer if not zero use of apps. Probably reflects the generally higher skill level of the people there than here I guess.
     
  23. Happy Bytes

    Happy Bytes Guest

    huh? :eek:
     
  24. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    TJworld,

    While I agree with absolutely everything you say for a subset of advanced users, when you start to talk about a simple hex-edit exploration, we start to part company. If you believe that typical, mainstream users - in other words, the vast bulk of the PC using community - or in your words neophyte users, are equipped to pick up a hex editor and go from there, you are sadly miscalibrated on the knowledge base of an average PC user, even those users frequenting sites like this. I'm certain a reasonable but small fraction of the users that frequent this site could follow your advice and be absolutely fine. I also believe that the vast majority can't.

    That should be the primary lesson from the front line. A secondary lesson, perhaps more in line with your thoughts, is that undisciplined heaping of a large number of realtime security applications onto a PC, applications that the user simply doesn't understand, is certainly not the answer either.

    Blue
     
  25. Oh sorry.

    With certain exceptions like the security vendor types who are here to hawk their wares, of course. But I'm talking about the typical member. They seem to have more IT pros (not necessarily out-and-out security guys, more like system admin types) while here we have more people of the home user type, even the 'experienced' ones who find using the command line a novelty.
     