> Hi:
> I have operated Linux and Windows XP boxes behind a Linksys WRT54G NAT
> router with its firewall enabled as well as blocking anonymous internet
> requests (black-hole) mode for years, and have not had any problems
> (that I am aware of). Because of the hw router, I figured I didn't need
> to run firewall software on the PCs behind the router. This includes
> running the XP box totally unsecured with its firewall turned off, and
> no anti-virus software.
You have to think about what the different sorts of protection mechanism
do. The hardware firewall prevents any outside connection (attacker or
worm) getting in. It has no effect on anything on legitimate channels,
but it will stop connections opened from the outside.
The firewall can also be configured to limit outgoing connections. A
particularly useful one is to limit outgoing SMTP connections (on port
25) to only your ISP. For the majority of networks, there are only two
reasons a computer will send traffic on the SMTP port - one is to send
email via your ISP, and the other is if your PC is part of a virus/spam
botnet. This simple block will greatly limit the damage if you do get
something on the PC.
Another important configuration on the firewall router is to ensure that
UPnP is turned off. In theory, UPnP is great - it means that if you are
running a program such as a bittorrent client that needs an incoming
port, the firewall will open it for you automatically. It also means
that if you are running malware, the malware can open a control port
automatically making it far easier to control your PC from the outside.
A software firewall on a PC can do things that the hardware firewall
cannot, but it is not close to being as solid as the hardware firewall
(this is on Windows - on *nix, the firewall is rock solid as long as it
is properly configured). A software firewall can block incoming or
outgoing traffic according to application, and it will still work even
if another computer on your network is infected. But remember that
there are always ways around these restrictions - clever malware will be
hindered and delayed, but not blocked forever. And third-party
firewalls are often so large and bloated that attackers use bugs in the
firewall software to break in - the Windows built-in firewall is at
least as secure as any third-party tools on Windows. Remember, however,
that Windows firewalls make it a lot harder to trace problems with
connections, and get in the way of ordinary networking.
> Now I am worrying that maybe this isn't so true. There are several
> means by which things could go wrong. What comes to mind are (in order
> starting with what I think are the most likely risks): java and
> javascript code that runs in the web browsers (see note below), Active-X
> controls in M$ IE, recent exploits involving things which I would have
> considered passive such as images and flash video, downloading a program
> infected by a virus or trojan. Also, this recent DNS hijacking business
> is scary.
That's correct - there are plenty of other ways to get malware into your
PC that the firewall does not block. The main three routes are web
pages, email, and other computers on the network.
For web and email, the biggest step is to use your head. No amount of
technical protection measures will save you if you are fooled by emails
titled "I lov you" or install a new "media player codec" to see some
film star in the *. The technical measures are to prevent others
attacking your systems, and to prevent harm from accidents (such as
mistyped web addresses, DNS hijacked sites, or otherwise compromised web
sites).
For web browsing on Windows, the critical step is to lock down IE (set
it to its highest and most paranoid security setting), then never touch
it again unless you can't avoid it. Change the settings for specific
sites that still require IE.
For email, the important steps are to ensure that all email is virus
scanned on the way in (any decent ISP will do that for you), and avoid
MS email clients. Also don't click on links in emails unless you are
confident they are safe.
The other way people get stuff onto their PCs is from other computers
on their network. It's not uncommon for machines to get infected from
*age kid's connecting laptops into each other's home networks -
remember that you are then behind the hardware firewall! Using a
software firewall can certainly help against this sort of thing. An
alternative is to use something like OpenWRT on your firewall/router,
and set up separate virtual LANs. That way you split your home network
into separate networks, and any malware has to pass through the firewall
to get between computers or subnets (think of it like individual
hardware firewalls for each subnet).
> We have used administrative controls to mitigate some of these hazards,
> by doing the following:
> 1. Basically nothing about the java, javascript, and flash/images.
That's overly paranoid, as long as you are not frequenting the darker
areas of the Internet or using IE.
> 2. For Active-X, my wife who uses XP frequently, only uses IE for
> accessing trusted sites such as a bank or a merchant that cannot
> function without IE (almost never). We primarily use Firefox on XP. She
> also uses XP to Skype.
Also make sure that the default for IE is to disable ActiveX and pretty
much anything else, and only allow it for specific sites.
> 3. To avoid viruses we simply don't install programs that aren't from a
> source that is trusted. By that I mean, a vendor that we sought out and
> know well, like VMware, Skype, Mozilla, OpenOffice, etc. We use
> Seamonkey or Thunderbird on Linux for email (including my wife). So
> attachments are of little danger. We are pretty good at spotting scams,
> and my wife knows how to look at full headers, etc. We use no M$
> software except for XP itself.
Good idea.
> 4. In case the XP is compromised, which I regard as more likely than
> Linux, we don't run my Linux box at the same time as her XP, since I
> have the most important family data on my Linux box. Thus, the only way
> anyone could get to important personal data is if an exploit that got on
> her XP could access her ext2 partition (unlikely) and install something
> into the Linux partition, or crack the router, then wait in the router
> to attack either of the Linux machines when they are up. I consider
> these scenarios extremely unlikely.
Unless you think you are a likely specific target for attacks, you
should be safe (at least, relative to the chances of other disasters in
life).
> So it's mainly the browser scripts and other exploits that are the main
> danger. Should I be running software firewalls on both XP and Linux
> boxes, and anti-virus programs on XP, or is the router and our
> administrative policies enough?
Anti-virus software on anything other than an email gateway is a big
drain of resources for very little gain (and your ISP should handle the
email scanning). If you don't download or copy infected programs onto
your computer, there is no need to scan them before running them. It is
worth installing ClamWin so that you have a decent scanner when you need
it - use it to check downloaded files before running them. But
commercial anti-virus and on-access scanning is not worth the cost.
Using the Windows software firewall (again, avoid commercial or third-party
firewalls) is easy enough. But it is not necessary unless you have
other computers on the network that are likely to be infected with
something, and it gets in the way of normal networking. I have seldom
felt it is worth the effort.
On Linux, there is also no need to set up iptables unless you are
directly connected to the Internet. What would it stop? On most
distributions, services are only enabled if they are actually in use and
configured. If you are not running a web server, for example, then it
doesn't matter whether incoming http packets are stopped by iptables or
dropped by the kernel when it finds there is no program listening for them.
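The outbound-SMTP restriction described in the reply above (allow port 25 only to your ISP's relay, so a spam bot behind the router has nowhere to send), as an added example that is not part of the original post or of any project the thread mentions. It is a POSIX shell script for a Linux-based firewall/router such as OpenWRT. The ISP relay address 203.0.113.25 (a TEST-NET-3 placeholder) and the interface names br-lan and eth0.2 are assumptions; substitute your own. The rules are emitted as text first so they can be reviewed, and only applied when run as root with the `apply` argument; `smtp_decision` mirrors the same policy in shell so the intended behaviour can be checked without touching iptables.

```shell
#!/bin/sh
# Added example (not from the original post): egress SMTP filter for a
# Linux/iptables router. Values below are assumptions/placeholders.
ISP_SMTP="203.0.113.25"   # placeholder: your ISP's outbound mail relay
LAN_IF="br-lan"           # assumption: LAN bridge interface (OpenWRT default name)
WAN_IF="eth0.2"           # assumption: WAN interface

# Emit the iptables rules as text. Forwarded TCP/25 traffic from the LAN
# is diverted to a dedicated chain: the ISP relay is accepted, everything
# else is logged (rate-limited) and rejected with a TCP reset so the
# sending program fails fast instead of hanging on a silent drop.
# Run once; to reapply, flush the SMTP_EGRESS chain first.
smtp_egress_rules() {
  cat <<EOF
iptables -N SMTP_EGRESS
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -j SMTP_EGRESS
iptables -A SMTP_EGRESS -d $ISP_SMTP -j ACCEPT
iptables -A SMTP_EGRESS -m limit --limit 6/min -j LOG --log-prefix "SMTP-EGRESS-DROP: "
iptables -A SMTP_EGRESS -j REJECT --reject-with tcp-reset
EOF
}

# Number of rule lines generated (useful as a sanity check when editing).
rule_count() {
  smtp_egress_rules | grep -c '^iptables'
}

# Same policy expressed as a decision function, for checking the logic:
#   $1 = destination IP, $2 = destination TCP port
# Prints "pass" (not SMTP, untouched), "accept" (SMTP to the ISP relay)
# or "reject" (SMTP anywhere else, i.e. the bot-like case).
smtp_decision() {
  if [ "$2" != "25" ]; then
    echo "pass"
  elif [ "$1" = "$ISP_SMTP" ]; then
    echo "accept"
  else
    echo "reject"
  fi
}

# Apply the generated rules. Requires root on the router itself.
# On OpenWRT builds that ship miniupnpd, UPnP should be disabled separately
# (for example: /etc/init.d/miniupnpd disable), as the reply recommends.
apply_rules() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "apply_rules: must run as root on the router" >&2
    return 1
  fi
  smtp_egress_rules | sh -e
}

case "${1:-}" in
  apply) apply_rules ;;
  *)     smtp_egress_rules ;;   # default: print the rules for review
esac
```

Run it with no arguments to see the rules, then `sh script.sh apply` as root on the router. A LAN host that starts talking SMTP to arbitrary addresses will show up as `SMTP-EGRESS-DROP:` lines in the kernel log, which is exactly the signal the reply says you want from this block.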