hardware vs software security

Discussion in 'Computer Security' started by Leythos, Oct 24, 2003.

  1. Leythos

    Leythos Guest

    In article <>,
    says...
    > What's the best protection from hackers, a router or software like Zone Alarms?
    > or do I require both?


    I would start with the router to keep uninvited guests from even
    reaching your network/system. With that in mind, you should also install
    something like ZA as a secondary measure and to catch anything that does
    make it through the router. Routers are a one-way type device, the block
    in the inbound, but don't block anything outbound.

    ZA will block in both directions, but you don't really want ZA to be
    your first line of defense if you can install a router too. I don't like
    the idea of exposing any computer directly to the public (even with ZA
    installed).

    If you install ZA without the router, you will see a lot of activity in
    the logs. If you install a router and ZA your ZA logs will be mostly
    empty.

    Don't forget to install a quality anti-virus package. I've used Norton
    AV (not NIS or other flavors) on my personal computers for years and
    found that it catches everything that's ever come my way.



    --
    --

    (Remove 999 to reply to me)
    Leythos, Oct 24, 2003
    #1
    1. Advertising

  2. Leythos

    Lee Higdon Guest

    "Randy F. Smith" <> wrote in message
    news:...
    What's the best protection from hackers, a router or software like Zone
    Alarms?
    or do I require both?

    --
    Randy F. Smith
    iBox Technologies
    Industrial & Security Computer Cabinets
    www.iboxcabinets.com

    A router, properly setup, would be your best bet, after you properly take
    steps to secure your OS. A PFW gives added protection, but isn't the final
    solution.
    Lee Higdon, Oct 24, 2003
    #2
    1. Advertising

  3. Leythos

    donutbandit Guest

    "Randy F. Smith" <> wrote in
    news::

    >
    > ------=_NextPart_001_0054_01C39A20.4EA25BC0
    > What's the best protection from hackers, a router or software like
    > Zone Alarms? or do I require both?
    >


    Are you on dialup or broadband?

    Generally, a personal firewall is enough for dialup users. On broadband,
    I'd use a router.

    You are going to get all kinds of suggestions and arguments over what is
    best. Personally, I'm on dialup, and I find Kerio Personal Firewall to be
    just fine, and all I need.

    I wouldn't have Zone Alarm on my computer if someone paid me to, but even
    that stirs up aruguments, and this is really not a firewall group.

    Just think about this - ZA Free is crippleware, and just why does that
    kernel have to be connected to ZA Central at all times? What is it telling
    them? Spyware masquerading as a firewall?
    donutbandit, Oct 24, 2003
    #3
  4. What's the best protection from hackers, a router or software like Zone Alarms?
    or do I require both?

    --
    Randy F. Smith
    iBox Technologies
    Industrial & Security Computer Cabinets
    www.iboxcabinets.com
    Randy F. Smith, Oct 24, 2003
    #4
  5. Leythos

    Chuck Guest

    On Fri, 24 Oct 2003 11:16:44 -0700, "Randy F. Smith"
    <> wrote:

    >What's the best protection from hackers, a router or software like Zone Alarms?
    >or do I require both?


    The best defense is a layered strategy.
    1) Hardware: NAT router, preferably with SPI.
    2) Software: Personal firewall, Religiously configured and patched.
    3) Software: Current and Religiously used virus detection /
    protection..
    4) Software: Current and Religiously used spyware detection /
    protection.
    5) Software: Properly configured and patched operating system and
    applications.
    6) Social: Use common sense on the internet. Don't open dodgy email
    with a permissive html based email application. Don't surf the web to
    questionable websites with a non-hardened browser (i.e., IE). Don't
    apply patches mailed to you by Microsoft. Don't accept advice from a
    computer security expert running Windows 9x who has a website on
    GeoSlums.


    Chuck
    I hate spam - PLEASE get rid of the spam before emailing me!
    Paranoia comes from experience - and is not necessarily a bad thing.
    Chuck, Oct 24, 2003
    #5
  6. Leythos

    donutbandit Guest

    Chuck <> wrote in
    news::

    > Don't accept advice from a
    > computer security expert running Windows 9x who has a website on
    > GeoSlums.
    >


    Windows 9X has proven itself to be far more secure than NT/2000/XP, so the
    "expert" running it is likely a hell of a lot smarter than you are.

    While you were busy patching your NT based system against Lovsan and Swen,
    we 9X users were laughing. We don't have to deal with DCOM, and RPCSS.EXE
    is to us just a quiet little app that sits in the Windows folder and does
    absolutely nothing.

    We also don't have to validate our registration with Microshit every time
    we change anything about our OS.

    I don't know exactly who you were targeting with this remark, but GeoSlums,
    as you call it, is a viable place to maintain a free webpage.

    *Noting YOUR email address - Yahoo?* ;)
    donutbandit, Oct 24, 2003
    #6
  7. Leythos

    Jeff Umbach Guest

    So you never read the RFCs which pointed out that the vulnerability exists
    on ALL versions of Windows? Yes, ALL versions includes 9x.

    Not to mention also that 9x has no security whatsoever on it's desktop and
    file shares.

    --
    Jeff Umbach

    "donutbandit" <> wrote in message
    news:Xns941E89D072E7Bdonutbandit@216.102.43.227...
    > Chuck <> wrote in
    > news::
    >
    > > Don't accept advice from a
    > > computer security expert running Windows 9x who has a website on
    > > GeoSlums.
    > >

    >
    > Windows 9X has proven itself to be far more secure than NT/2000/XP, so the
    > "expert" running it is likely a hell of a lot smarter than you are.
    >
    > While you were busy patching your NT based system against Lovsan and Swen,
    > we 9X users were laughing. We don't have to deal with DCOM, and RPCSS.EXE
    > is to us just a quiet little app that sits in the Windows folder and does
    > absolutely nothing.
    >
    > We also don't have to validate our registration with Microshit every time
    > we change anything about our OS.
    >
    > I don't know exactly who you were targeting with this remark, but

    GeoSlums,
    > as you call it, is a viable place to maintain a free webpage.
    >
    > *Noting YOUR email address - Yahoo?* ;)
    Jeff Umbach, Oct 24, 2003
    #7
  8. Leythos

    jayjwa Guest

    Chuck wrote:

    > The best defense is a layered strategy.
    > 1) Hardware: NAT router, preferably with SPI.
    > 2) Software: Personal firewall, Religiously configured and patched.
    > 3) Software: Current and Religiously used virus detection /
    > protection..
    > 4) Software: Current and Religiously used spyware detection /
    > protection.
    > 5) Software: Properly configured and patched operating system and
    > applications.
    > 6) Social: Use common sense on the internet. Don't open dodgy email
    > with a permissive html based email application. Don't surf the web to
    > questionable websites with a non-hardened browser (i.e., IE). Don't
    > apply patches mailed to you by Microsoft.



    Yeah! And don't take candy from strangers!!



    Don't accept advice from a
    > computer security expert running Windows 9x who has a website on
    > GeoSlums.


    I know who that is!!

    --
    -=-=-=-=-=-=-=-=-=-=-=The New Atr2.Ath.Cx=-=-=-=-=-=-=-=-=-=-=
    - jayjwa *Https Only* Mod-SSL / PGP Key / CA Onsite
    Was I helpful?: https://atr2.ath.cx/papers/affero.php
    What every Windows user needs: https://atr2.ath.cx/pub/pic.jpg
    Mail: Spam servers:
    /cgi-bin/ping-jay.cgi or finger for GPG & info
    /pub is public WWW directory Registered Linux fanatic #37
    =-=-=-=-=-=-=-=Linux Tough.Powered By Slackware=-=-=-=-=-=-=-=
    jayjwa, Oct 25, 2003
    #8
  9. Leythos

    Jim Watt Guest

    On 24 Oct 2003 13:37:11 -0500, Chuck <> wrote:


    >Don't accept advice from a computer security expert running
    >Windows 9x


    Ohhhhhhh that includes me.

    What exactly is the problem? It seems to work OK do
    I really need XP to run a web browser and Agent?

    To answer the original question, having a router with
    NAT, a personal firewall to trap outgoing crap, updating
    the AV frequently and running spybot and exercising
    caution on what to run seems to work well for me.

    --
    Jim Watt http://www.gibnet.com
    Jim Watt, Oct 25, 2003
    #9
  10. Leythos

    Jim Watt Guest

    On Fri, 24 Oct 2003 22:40:32 GMT, "Jeff Umbach"
    <> wrote:

    >Not to mention also that 9x has no security whatsoever on it's desktop and
    >file shares.


    It requires a password, and if you are behind NAT on the router
    how exactly is anyone going to share your disk?
    --
    Jim Watt http://www.gibnet.com
    Jim Watt, Oct 25, 2003
    #10
  11. Leythos

    Chuck Guest

    On Sat, 25 Oct 2003 12:38:46 +0200, Jim Watt <_way>
    wrote:

    >On 24 Oct 2003 13:37:11 -0500, Chuck <> wrote:
    >
    >
    >>Don't accept advice from a computer security expert running
    >>Windows 9x

    >
    >Ohhhhhhh that includes me.
    >

    Yeah but you don't advertise your website like -----er does. Damn it,
    you made me say its name.

    Chuck
    I hate spam - PLEASE get rid of the spam before emailing me!
    Paranoia comes from experience - and is not necessarily a bad thing.
    Chuck, Oct 25, 2003
    #11
  12. Leythos

    Chuck Guest

    On Sat, 25 Oct 2003 12:40:41 +0200, Jim Watt <_way>
    wrote:

    >On Fri, 24 Oct 2003 22:40:32 GMT, "Jeff Umbach"
    ><> wrote:
    >
    >>Not to mention also that 9x has no security whatsoever on it's desktop and
    >>file shares.

    >
    >It requires a password, and if you are behind NAT on the router
    >how exactly is anyone going to share your disk?


    It's a layered strategy. You have layers because you know that you
    can't be 100% reliant on any one of the layers - there will always be
    weaknesses.

    1) Hardware: NAT router, preferably with SPI.

    I like to think of the NAT router being the most secure and reliable
    of the layers. But I know that's not enough, particularly from
    reading comments by many in comp.security.firewalls that a NAT router
    is not a real firewall anyway. I also know that, sure as I'm sitting
    there, some hacker is trying to figure out an exploit that will get
    thru a NAT router. I'm not willing to bet my system against him
    succeeding.

    I open holes in my NAT router. I have applications that open well
    known ports. Some require UPnP. (DOHH) I'm "stealth" by Gibson's
    website standards. I've run NMap though, just playing with it, and
    I know there are scans other than what Steve runs from his free
    website, that might show me other than "stealth".

    As for the reliability of the other layers, by themselves, the
    possibilities are endless.

    2) Software: Personal firewall, Religiously configured and patched.
    3) Software: Current and Religiously used virus detection /
    protection..
    4) Software: Current and Religiously used spyware detection /
    protection.
    5) Software: Properly configured and patched operating system and
    applications.

    Applying Patches and Signature Updates is a reactive procedure. You
    are relying upon exploits being discovered, analysed, resolved by the
    proper organisation (Microshit?), and you applying each patch / update
    BEFORE the unknown black hat tries his newly discovered exploit
    against you. Lots of luck.

    Particularly since there are stories about a white hat discovering an
    undocumented exploit, and reporting it to M$, who ignores him. So he
    publishes the exploit, to let others know about it. And M$ argues
    with him about being irresponsible in letting the black hats know
    about yet another weakness in their code (like no black hats could
    ever discover an exploit before M$). And then takes their sweet time
    fixing the exploit. And fscks up the fix - so you bork your system
    when you apply it. And so on.

    6) Social: Use common sense on the internet. Don't open dodgy email
    with a permissive html based email application. Don't surf the web to
    questionable websites with a non-hardened browser (i.e., IE). Don't
    apply patches mailed to you by Microsoft. Don't accept advice from a
    computer security expert running Windows 9x who has a website on
    GeoSlums.

    I'm just as careless as anybody. I like fun websites. I have friends
    who like fun websites. Every so often, I know I'm surfing in
    dangerous territory. But I do it anyway.

    BTW, my final comment was referring to ONE person, who shall remain
    nameless here. We all know who uses Win9x and advertises a GeoSlums
    website repeatedly.

    However, re Win9x. The last time I used that, I remember hitting Esc
    when asked for a userid. And it let me in just the same.


    Chuck
    I hate spam - PLEASE get rid of the spam before emailing me!
    Paranoia comes from experience - and is not necessarily a bad thing.
    Chuck, Oct 25, 2003
    #12
  13. Leythos

    Jim Watt Guest

    On 25 Oct 2003 12:22:11 -0500, Chuck <> wrote:

    >However, re Win9x. The last time I used that, I remember hitting Esc
    >when asked for a userid. And it let me in just the same.


    Yes and no, it does let you in, but you cannot readily access the
    passwords stored under other users.

    But I take your point about security expurts with win/95
    --
    Jim Watt http://www.gibnet.com
    Jim Watt, Oct 25, 2003
    #13
  14. Leythos

    Jim Watt Guest

    Jim Watt, Oct 25, 2003
    #14
  15. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    In article <>, on Sat, 25 Oct 2003
    22:55:11 +0200, Jim Watt
    <_way> wrote:

    | On 25 Oct 2003 11:49:09 -0500, Chuck <> wrote:
    |
    | >Yeah but you don't advertise your website
    |
    | you mean http://www.gibnet.com/isl/hoax.htm

    Nice page! <grin>

    <davidp />

    - --
    David Postill

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com
    Comment: Get key from pgpkeys.mit.edu:11370

    iQA/AwUBP5ryenxp7q1nhFwUEQItrwCfd7VHgLM0UElYbWP2mons7IlegVsAn3S3
    uAgxp/06xPnhAKOK8v7J4FHe
    =nunf
    -----END PGP SIGNATURE-----
    David Postill, Oct 25, 2003
    #15
  16. Leythos

    Chuck Guest

    On Sat, 25 Oct 2003 22:55:11 +0200, Jim Watt <_way>
    wrote:

    >On 25 Oct 2003 11:49:09 -0500, Chuck <> wrote:
    >
    >>Yeah but you don't advertise your website

    >
    >you mean http://www.gibnet.com/isl/hoax.htm
    >
    >No, I never mention it.


    Kewl page. NOT GeoSlums though.

    Chuck
    I hate spam - PLEASE get rid of the spam before emailing me!
    Paranoia comes from experience - and is not necessarily a bad thing.
    Chuck, Oct 25, 2003
    #16
  17. Hi,

    > What's the best protection from hackers, a router or software like Zone
    > Alarms? or do I require both?


    wrong question, the first must be, which things you want to defend..

    a hardware firewall cannot be better than a software firewall on your pc,
    the argument is simple:

    when you use an hardware firewall:

    a.) pakets dropped by an hardware firwall are gone so you are safe
    b.) pakets not dropped will reach you unaltered.

    otherwise:

    the same..

    cu.
    Florian Reitmeir, Oct 26, 2003
    #17
  18. Leythos

    Chuck Guest

    On Sun, 26 Oct 2003 04:17:45 +0100, Florian Reitmeir <>
    wrote:

    >Hi,
    >
    >> What's the best protection from hackers, a router or software like Zone
    >> Alarms? or do I require both?

    >
    >wrong question, the first must be, which things you want to defend..
    >
    >a hardware firewall cannot be better than a software firewall on your pc,
    >the argument is simple:
    >
    >when you use an hardware firewall:
    >
    >a.) pakets dropped by an hardware firwall are gone so you are safe
    >b.) pakets not dropped will reach you unaltered.
    >
    >otherwise:
    >
    >the same..
    >
    >cu.


    The term "better" is somewhat misleading. You're trying to compare
    apples and oranges.

    The hardware firewall blocks the incoming crap, so your software
    firewall has a lot less work to do. Software firewalls can't catch
    every exploit either. The Windows Messenger spam is a good example -
    unless your software firewall is properly configured, you'll still get
    that sh!t. A NAT router, OTOH, totally blocks it.

    You still need a software firewall though to block unwanted outgoing
    traffic. If not a software firewall, then a port monitor. Both are
    not a bad idea. Crap like Swen is coded to disable improperly
    configured software firewalls. Having a NAT router, and a port
    monitor, could save your @ss, if you were to get infected by Swen (or
    its successor, which is surely coming).

    Chuck
    I hate spam - PLEASE get rid of the spam before emailing me!
    Paranoia comes from experience - and is not necessarily a bad thing.
    Chuck, Oct 26, 2003
    #18
  19. Leythos

    Volker Birk Guest

    Florian Reitmeir <> wrote:
    > a hardware firewall cannot be better than a software firewall on your pc,
    > the argument is simple:
    > when you use an hardware firewall:
    > a.) pakets dropped by an hardware firwall are gone so you are safe
    > b.) pakets not dropped will reach you unaltered.


    Many things which sound simple, are simply dumb.

    VB.
    --
    X-Pie Software GmbH
    Postfach 1540, 88334 Bad Waldsee
    Phone +49-7524-996806 Fax +49-7524-996807
    mailto: http://www.x-pie.de
    Volker Birk, Oct 26, 2003
    #19
  20. Leythos

    Leythos Guest

    In article <bnfecb$cv2$-muenchen.de>, says...
    > Hi,
    >
    > > What's the best protection from hackers, a router or software like Zone
    > > Alarms? or do I require both?

    >
    > wrong question, the first must be, which things you want to defend..
    >
    > a hardware firewall cannot be better than a software firewall on your pc,
    > the argument is simple:
    >
    > when you use an hardware firewall:
    >
    > a.) pakets dropped by an hardware firwall are gone so you are safe
    > b.) pakets not dropped will reach you unaltered.


    B is not true. In the case of a quality firewall, not a router, a
    firewall can provide proxy services that can alter the content of email,
    web browsing, etc.

    The WatchGuard Firebox can remove email attachments based on type, can
    remove email header information, can change header information on
    outbound to hide the internal server information. The http proxy service
    can remove cookies, remove active-x, can require that the site provide a
    content rating, etc... The FTP service and be made read-only....

    So, a real firewall appliance can be much more than just a simple
    filter, and many are.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Oct 26, 2003
    #20
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Julian Knight
    Replies:
    0
    Views:
    523
    Julian Knight
    Jul 16, 2004
  2. Tomcat

    hardware security question

    Tomcat, Jan 17, 2006, in forum: Wireless Networking
    Replies:
    2
    Views:
    423
    David Taylor
    Jan 17, 2006
  3. COMSOLIT Messmer

    IT-Security, Security, e-security

    COMSOLIT Messmer, Sep 5, 2003, in forum: Computer Support
    Replies:
    0
    Views:
    566
    COMSOLIT Messmer
    Sep 5, 2003
  4. Amnon Itos
    Replies:
    1
    Views:
    455
    Leythos
    Apr 13, 2004
  5. Jim Watt
    Replies:
    0
    Views:
    577
    Jim Watt
    Apr 27, 2008
Loading...

Share This Page