Mischel Internet Security Forum
A few notes on your 'security paper'.
Marty
Guest
« on: Mar 5th, 2002, 2:50pm »

Hi Magnus,
 
Just a few notes on the paper in the subject.  Please note, I mean everything with respect and no 'attack' is intended.  I just want to clear a few issues up, which may help some people.
 
I'm quite amazed at the lack of ANY reference regarding NAT/Network Address Translation.
In today's technological world, and the ever increasing rise in popularity of Cable Modems and ADSL - more and more people are taking into account the security risks of the Internet, and are trying routers.  If not for the ease of connection sharing, routers offer one VERY vital security measure, and that's network address translation.  A machine behind a router will be 99.9% impenetrable to trojans.  This is because a trojan that installs itself on a machine behind a router/in a LAN and starts *listening* on a port, would only be listening on a PRIVATE address.  This would be totally inaccessible from the Internet, and as such a victim would never be able to be compromised.  There is of course a very very unlikely situation of a machine becoming compromised, and the router having the infected port being forwarded to the infected machine.
 
This would, in effect, make your product less useful and I can understand any willing lack of information.
 
The other real 'issue' I have with your paper is your over exaggeration of firewalls, in particular software ones.
Whilst I know nothing about your previous employment, technical expertise or any other tricks you've picked up during your time online, you seem like a man who knows a thing or two.  I also consider myself to know a few things, here and there.  Personally I'm disgusted with what seems to be a sometimes over-faithful trust in software firewalls.
We have to remember here that your average user base will be Windows users.  This is strictly for the ease-of-use environment it has to offer.  As such, the most commonly used firewall products would be either ZoneAlarm (tends to be the favourite, as it has a 'free' version) or Norton.  There are others to consider, but these are the two primary candidates.
Having used both these products, I see *no* real configuration options.  Which leads me onto this point, you say the following:
"As for the attacks that saturate your bandwidth, there is no final solution. If you have a firewall between your network and the Internet, you can probably configure it to start dropping packets if one single host suddenly starts sending you a large amount of data"
 
Now whilst I respect that from an advanced knowledge point of view, it's certainly possible to be running some form of IDS/deep stateful packet inspection on a host and for it to detect, trigger and block any extensive flooding from a source address - I challenge you to show me a product that can do this on a Windows machine.
I, personally, having used many many HOME software firewall packages (corporate ones are excluded), have found no such function available for home users.
Which leads me onto my final point.
 
Whilst I agree with most things your report points out, I think you really do need to make the differences clear between your 'basic' security measures and precautions available for limited platforms, i.e. Windows, and the more advanced such as Unix, Linux and the like.
Windows really does need a LOT more work done on it, security wise.  The rate of advance is ever so much slower, due to the lack of open source software.
This, along with the ever increasing rate of Internet growth.
 
With these facts in mind, I urge you to consider rewriting an article (maybe even writing it with somebody *cough*) to incorporate a few more Internet techniques such as NAT, Encryption (SSL), Proxies and the like.  All these can drastically improve your own protection and some of them are *so* easy to use.
But fundamentally, I think it should be made clear what Windows can and *can't* do in terms of protection, and how you can get the maximum out of what you've got, sometimes with no extra cost.
 
On a side note, I'm pleased you've decided to develop software to help the lesser knowledgeable people of the Internet - more power to you!
 
Again, this post wasn't intended as a form of attack or plug - it was just some advice from one fanatic to another :)
Take care.
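Marty's NAT argument above, as an added example that is not part of the thread: a small Python model of whether a listening process can be reached by an unsolicited inbound connection from the Internet, including the port-forwarding exception he mentions. The addresses, the port number and the router's forwarding table are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Non-routable ranges: RFC 1918 private space plus loopback and link-local.
NON_ROUTABLE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_non_routable(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


@dataclass
class NatRouter:
    public_ip: str
    # (external port, proto) -> (internal host, internal port); empty unless configured
    forwards: dict = field(default_factory=dict)

    def forward(self, ext_port: int, proto: str, host: str, port: int) -> None:
        self.forwards[(ext_port, proto)] = (host, port)


@dataclass
class Listener:
    host: str              # the machine's own address
    port: int
    proto: str = "tcp"
    bind: str = "0.0.0.0"  # socket bind address; "0.0.0.0" means every interface


def reachable_from_internet(l: Listener, router: Optional[NatRouter] = None) -> Tuple[bool, str]:
    """Return (reachable, reason) for an unsolicited inbound connection."""
    if ip_address(l.bind).is_loopback:
        return False, "bound to loopback only"
    if not is_non_routable(l.host):
        return True, f"public address {l.host}:{l.port} is directly exposed"
    if router is None:
        return False, f"{l.host} is not routable from the Internet"
    for (ext_port, proto), (host, port) in router.forwards.items():
        if proto == l.proto and host == l.host and port == l.port:
            return True, f"forwarded from {router.public_ip}:{ext_port}"
    return False, f"{l.host}:{l.port} sits behind NAT with no forward to it"


# Constructed sample: a listener on port 12345 on a LAN host behind a NAT router.
LAN_HOST = Listener("192.168.1.10", 12345)
ROUTER = NatRouter("203.0.113.5")
```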
Magnus
Administrator
Re: A few notes on your 'security paper'.
« Reply #1 on: Mar 5th, 2002, 8:26pm »

Hi Marty,
 
No offense taken at all. Constructive criticism is always welcome.
 
You make a very good point with respect to NAT routing. At the time the paper was written, broadband wasn't in every man's home, and so NAT setups were something that was mostly for corporations. Now that NAT routers are commonplace, it does make sense to include some text about it, since, as you say, NAT routing is a very effective way to block remote access trojans. (Or rather, to prevent an adversary connecting to a running trojan if it is running on a machine that is behind a NAT router.)
 
Most of the references to firewalls in that paper are actually to hardware firewalls, although that is not explicitly stated. My favorite setup is FreeBSD with IPF. The granular control you have over firewall rules with IPF is something amazing. Plus, it's stateful! Sadly this isn't something that can be recommended to an enterprise as there just isn't room to play around with installing an operating system and tweaking of firewall rules in a corporate environment. In that kind of environment, a pre-packaged solution such as Watchguard's Firebox is a better way to go.
 
Windows is really not a good environment when it comes to reliably handling such duties as running a web server or firewall. (If I recall correctly, the Firebox is simply a custom Unix with some special proxying software.) Therefore, no, I don't suggest to anyone to start filtering packets using Windows if they're going to be protecting a network against DoS attacks :)
 
I agree that the paper mixes some more 'advanced' topics with advice intended for home users. I've been thinking of writing a guide solely aimed at home users using Windows on how to secure their machine(s) and data. If you have any ideas of what topics you think might go into such a paper, or if you want to collaborate in writing one, then feel free to e-mail me at magnus@trojanhunter.com
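The rule quoted from the paper in Marty's first post (start dropping packets once a single host suddenly sends a large amount of data), which Magnus says belongs on a Unix firewall rather than on Windows, as an added Python example that is not from the thread or from TrojanHunter: a per-source sliding byte budget with a timed block. The window, byte budget, block time and packet records are constructed sample values.

```python
from collections import defaultdict, deque
from typing import Dict, List, Tuple


class PerSourceFloodGuard:
    """Drop packets from any source whose bytes in the last window_s exceed byte_limit."""

    def __init__(self, window_s: float, byte_limit: int, block_s: float):
        self.window_s = window_s
        self.byte_limit = byte_limit
        self.block_s = block_s
        self._hist: Dict[str, deque] = defaultdict(deque)  # src -> (ts, nbytes)
        self._bytes: Dict[str, int] = defaultdict(int)     # src -> bytes inside window
        self.blocked: Dict[str, float] = {}                 # src -> unblock timestamp

    def _expire(self, src: str, now: float) -> None:
        q = self._hist[src]
        while q and now - q[0][0] > self.window_s:
            _, n = q.popleft()
            self._bytes[src] -= n

    def accept(self, ts: float, src: str, nbytes: int) -> bool:
        """Return True if the packet passes, False if it is dropped."""
        until = self.blocked.get(src)
        if until is not None:
            if ts < until:
                return False            # still inside the block period
            del self.blocked[src]       # block expired; start counting afresh
            self._hist[src].clear()
            self._bytes[src] = 0
        self._expire(src, ts)
        self._hist[src].append((ts, nbytes))
        self._bytes[src] += nbytes
        if self._bytes[src] > self.byte_limit:
            self.blocked[src] = ts + self.block_s
            return False
        return True


def run(records: List[Tuple[float, str, int]], window_s=1.0, byte_limit=100_000, block_s=5.0):
    """Feed (timestamp, source, bytes) records in time order; return (ts, src, passed) verdicts."""
    g = PerSourceFloodGuard(window_s, byte_limit, block_s)
    return [(ts, src, g.accept(ts, src, n)) for ts, src, n in sorted(records)]


# Constructed sample: one host sends 100 x 1500-byte packets in half a second
# (150 kB), then tries again after the block; a second host sends two small packets.
SAMPLE = ([(i * 0.005, "198.51.100.7", 1500) for i in range(100)]
          + [(10.0, "198.51.100.7", 1500), (0.3, "192.0.2.9", 60), (1.0, "192.0.2.9", 60)])
```

With the sample above the flooder passes 66 packets (99,000 bytes), is dropped from the 67th onward, and passes again at t=10 once the 5-second block has lapsed.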
Marty
Guest
Re: A few notes on your 'security paper'.
« Reply #2 on: Mar 6th, 2002, 6:34am »

Hi again, Magnus.
 
NAT is indeed a great thing.  I only mentioned it because more and more people seem to be asking "Which router?" to buy.  There's also an increase in the people trying out Linux, *BSD and other OSes - so I felt it was worth mentioning :)
 
Stateful packet inspection is a godsend!
Sometimes a firewall isn't good enough, and if you run things like a webserver you're possibly vulnerable to the latest exploits (i.e. if you use ISS, *snigger*)
With something like packet inspection/real time IDS - you can write your own rules as soon as any information on a possible vulnerability is found, and stop it quickly.
 
Anyway, keep up the good work on trojan guard - I'm sure many people are benefiting from your work :)
 
I've dropped you a mail, by the way.