#206214 - 2012-11-14 09:23 AM
Re: What AV solution does your Company use
[Re: Lonkero]
Björn
Korg Regular
Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.
Lonk, thank you for switching to a layout that has an ö ;).
But,
Arend's definition differs from yours. Arend said it can't be a PC. Is this what you mean when you say purpose built?
>> It might, but it differs more from yours ;). A PC that's built for a purpose with a stripped down os and specifically designed os could be purpose built yes. The matter comes to how you boil down to the lines of software firewall and hardware firewall.
You say they are purpose built "boxes", and then you say these boxes can be VMs. So they are not built at all but run inside the full OS of some other kind, even further away from the definition of a dedicated purpose built "box", and then you go on writing that Linux based firewalls and ISA are not purpose built since they are not bare metal. But the VM in your previous comment is bare metal? And yet again, that VM is running under a Windows or Linux based host.
>> I'm removing myself from only including "prebuilt" hardware, it's a matter of purpose - yes, a linux distro can be purpose built, windows machines not so much, it's a matter of overhead as well. If you run a vm under a full OS, it's still not that OS that handles the fw parts, it's the VM using resources from the host machine to provide the features.
you get more bare metal taking a PC and installing linux on it with kernel optimized for this kind of stuff. >> You could, but the amount of tinkering that's needed for it.. good luck ;).
About your comment on firewalls and the transport layer: that might have been the case in the 80's and early 90's, but all of today's firewalls should work on the application level. If they don't, it's like using fax instead of email or a 28k modem in place of anything faster, as they both do communication in a way that fits the definition of "communication". >> I included the consumer fw's here, all still do not act on the application level. Nah mate, I mean that even if it states it's operating on the application level, it's not always application aware 100%. And it's not a matter of the 80's and 90's.. it's a matter of into the 00's. Today, most (even consumer products) do this to some extent, but lack the processing power to do it "enough". Same as with low end stuff.
I also agree with doc, to some degree - it's a matter of layers and actually keeping stuff up to date. If we just left everything as it is now, of course it will be compromised sooner rather than later.
Lonk, port scanners and using traps is one way, but yes - no direct access in any direction and having jump boxes that get wiped and updated till the next day is a more fun way to ensure that if something gets compromised, it's not critical.
But back to the traps - every little script kiddie out there has several IPs to go with, so perhaps you simply shoot down the first obvious scanner, but what if the attack takes another approach such as phishing or DNS poisoning? Even better, gets in as a MiTM? A simple scanning tool is just to parse the masses of external IPs, checking if there's anything just responding to requests. Even if you block that, you've just hit a flag, and they will hand that data over to the next "parser", and depending on their laziness level, either start identifying what's behind the IP, or just start throwing possible remote exploits at you. Still, you've just marked yourself as "active" :).
_________________________
as long as it works - why fix it? If it doesn't work - kix-it!
#206246 - 2012-11-21 08:49 PM
Re: What AV solution does your Company use
[Re: Lonkero]
Robdutoit
Hey THIS is FUN
Registered: 2012-03-27
Posts: 363
Loc: London, England
Lonkero, with reference to this statement:
"A simple rule is not to allow direct access to the box itself in any way from the outside. And another one is to add a "trap port" from well known ports, like ssh, telnet or ftp or something, so that anything trying to connect to those gets blocked for five or so minutes. Effectively "frustrates" any port scanners and blocks most security scanning tools."
I understand the part about adding a trap port. I don't know how to do that, but I will research that.
What I am not clear on is exactly what you mean by not allowing direct access to the box itself from the outside. As the box is visible to the Internet by virtue of a public IP address, and if the box is also used as the proxy server, then by definition one has access to the box, albeit not direct. I assume that you mean don't allow people to log on to the firewall from outside? Or the firewall must not act as the VPN server, but rather tunnel the VPN to a machine on the local network using a redirected port?
Basically what I am intending to do is install a very minimalist setup of Slackware. On this box, I will be using IPTables for the firewall, Dansguardian for the content filtering, and I have actually forgotten what I am intending to use for the proxy, but if memory serves, the firewall will redirect traffic from port 80 through the Dansguardian content filter and then out to port whatever and allow for Internet access that way. On my Windows server, I am intending to use OpenVPN to tunnel traffic from the Internet client to the network.
You also mentioned:
"Although firewall capabilities differ and the power of the firewall is a deciding factor, whoever is setting it up is another. That's why still most of the firewalls out there are set up to be fully open from in to any."
I assume that you mean that people have installed a firewall, which is basically a proxy server, but they have otherwise opened all ports or do you mean something different?
Lastly, what is an accelerator chip? Is it something like a video card that has an onboard CPU to handle the graphics instead of relying on the main CPU?
"Although firewall appliances sometimes come with slower CPUs, they can still beat PC based systems in speed thanks to accelerator chips for things like encryption. The newer CPUs are starting to be fast enough for this not to be the case, but for example larger network topologies' routed IPSEC VPNs used to choke CPUs easily..."
Don't tell me that you are saying that I need to get a core i7 computer. Actually that is on my list of things to do - get a hardware spec requirement list for my slackware box.
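The post above asks how a trap port is actually set up, what "no direct access to the box" looks like in rules, and how the port-80 redirect into Dansguardian and the VPN pass-through to the Windows server fit together. The script below is an added example written for this page; it is not code from the thread or from any of its posters. It uses the iptables "recent" match for the trap. The interface names eth0/eth1, the decoy ports 21 and 23, the internal OpenVPN address 192.168.1.10 and the 300-second block window are assumptions; 8080 is Dansguardian's default listening port and 1194/udp is OpenVPN's default port. The script only prints the commands unless APPLY=1 is set, so the rule set can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for a small Slackware
# gateway (firewall + transparent Dansguardian filter + VPN pass-through).
# All values below are assumptions for illustration; override via environment.
WAN_IF="${WAN_IF:-eth0}"               # assumed: Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"               # assumed: LAN interface
TRAP_PORTS="${TRAP_PORTS:-21,23}"      # assumed decoy ports; nothing real listens here
BLOCK_SECONDS="${BLOCK_SECONDS:-300}"  # "five or so minutes"
DG_PORT="${DG_PORT:-8080}"             # Dansguardian's default listening port
VPN_HOST="${VPN_HOST:-192.168.1.10}"   # assumed: internal OpenVPN server (the Windows box)
VPN_PORT="${VPN_PORT:-1194}"           # OpenVPN's default port (UDP)

# Print the command unless APPLY=1, so the rule set can be reviewed first.
ipt() {
  if [ "${APPLY:-0}" = "1" ]; then
    iptables "$@"
  else
    echo "iptables $*"
  fi
}

# "No direct access to the box from the outside": default-deny on INPUT and
# FORWARD, accept only loopback, replies to connections the box or the LAN
# opened, and traffic from the LAN side. Nothing from WAN reaches the box.
base_rules() {
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -i "$LAN_IF" -j ACCEPT
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
  ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Trap port: a new connection to any decoy port records the source address in
# the "trap" list and is dropped. The check rule is inserted at the top of
# INPUT so that every packet from a recorded address is dropped on every port
# for BLOCK_SECONDS after the first hit (use --update instead of --rcheck if
# the clock should restart on each new packet from that address).
trap_port_rules() {
  ipt -N TRAP
  ipt -A TRAP -m recent --name trap --set -j DROP
  ipt -I INPUT 1 -i "$WAN_IF" -m recent --name trap --rcheck --seconds "$BLOCK_SECONDS" -j DROP
  ipt -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$TRAP_PORTS" -m conntrack --ctstate NEW -j TRAP
}

# Transparent content filtering: LAN web traffic on port 80 is redirected into
# Dansguardian on this box. Dansguardian then talks to whatever upstream proxy
# is configured in its own dansguardian.conf; that part is not an iptables rule.
lan_filter_rules() {
  ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$DG_PORT"
}

# VPN: the firewall does not terminate the VPN itself. The OpenVPN port is
# DNAT'ed to the internal server and only that forwarded flow is allowed in.
vpn_passthrough_rules() {
  ipt -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j DNAT --to-destination "$VPN_HOST:$VPN_PORT"
  ipt -A FORWARD -i "$WAN_IF" -p udp -d "$VPN_HOST" --dport "$VPN_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

all_rules() {
  base_rules
  trap_port_rules
  lan_filter_rules
  vpn_passthrough_rules
}

all_rules
```

Run it once without APPLY to read the fifteen generated commands, then with APPLY=1 as root to load them. Because INPUT defaults to DROP and only the LAN interface is accepted, administration of the box happens from the inside; the decoy ports are the only things a WAN scanner gets an answer to, and that answer is a five-minute silence.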