Anti-virus and firewalls
Posted by: Sloop John B on 06 May 2009
I have for some years now used Zone Alarm.
While beginning a pre-reformat backup of the younger Sloop's PC I turned off zone alarm (after disconnecting from Internet) and was quite amazed at the speed increase once zone alarm was not doing its thing.
I know anti-virus is pretty essential but how essential is the software firewall (which I presume is the main slowing factor)?
I have a Netopia router with its firewall setting set to medium (Recommended setting. This level of firewall protection allows information to be sent securely to the Internet, but prevents anyone from the Internet from identifying the network address of your Router. This is the Internet equivalent of having an unlisted phone number.)
Any suggestions or options for safe computing with less of a hog on system resources?
Thanks
SJB
Posted on: 06 May 2009 by Jim Lawson
Windows firewall, a router and good AV. That is all you need.
Posted on: 06 May 2009 by Adam Meredith
With my HP 2133 (which is SLOW) I'm thinking of going pants down - just relying on a Ghost image and regular data backups.
Posted on: 06 May 2009 by Guido Fawkes
Hi SJB
Your Netopia router is a network address translator (NAT) - it translates your PC's IP address to its IP address and in effect hides your PC from the Internet - so an attacker cannot reach it directly. Unless the attacker can compromise your router.
Zone Alarm will protect a PC on your network from attacks by other PCs on your home network, which is very very very unlikely to be an issue. It will also warn you if an application tries to access the Internet without your permission, which could be useful. It would stop a Trojan Horse leaking out personal information, for example, but then your AV should catch the Trojan anyway.
The problem with all these things is that they take up processing power from your PC - anti-virus is the worst offender.
If I used a PC then I think AV would be all I'd use. The NAT in your Netopia router should be adequate as a firewall.
If you're worried about PC security then have a look at the Gibson site - it'll tell you if you have a problem. Steve Gibson is a good guy so no harm will come to your system.
ATB Rotf
Posted on: 06 May 2009 by Sir Crispin Cupcake
If you configure your router to block everything except HTTP traffic you won't need a firewall at all. Hardware beats software.
Rich
Posted on: 06 May 2009 by JamieL
quote:Originally posted by Jim Lawson:
Windows firewall, a router and good AV. That is all you need.
NO!
Do not rely on Windows Firewall, if someone can make a virus to affect Windows, then they can get around its firewall with ease.
A hardware router that gives a separate IP address to incoming attempts to access your computer is the best defence (as Sir Crispin and ROTF say).
I also use ESET Smart Security for firewall and anti virus and have found it very good. Not one of the major names, but then not one that is targeted by the more complex viruses. It is useful as it stops any Microsoft programmes accessing the internet, unless they are OKed permission by me.
I turn off both the Windows firewall and also, and probably more importantly automatic updates. If Windows is working OK, then why change it, and more importantly are the updates it installs to your advantage, or to the advantage of Microsoft?
There are lots of options, and Microsoft's own options are usually not the best.
Posted on: 06 May 2009 by Jim Lawson
You can rely on Windows Firewall. Windows updates are one of the most important security defenses available because they address precisely the vulnerabilities that are available to those who would hack you through drive-by downloads etc.
Not patching manually or through automatic updates is a bad idea.
From ESET's site:
"To help avoid infection caused by Microsoft operating system vulnerabilities make sure your computer is always up to date with the latest Microsoft Windows update."
This, in conjunction with a router and AV software, is your best defense.
Posted on: 07 May 2009 by nkrgovic
quote:Originally posted by JamieL:
Do not rely on Windows Firewall, if someone can make a virus to affect Windows, then they can get around its firewall with ease.
....
I turn off both the Windows firewall and also, and probably more importantly automatic updates. If Windows is working OK, then why change it, and more importantly are the updates it installs to your advantage, or to the advantage of Microsoft?
First, if the system is compromised, no firewall will help.

Second, the fact that you don't see the need for upgrades doesn't mean that it doesn't exist. Take, for example, security exploits - they don't bother you until someone exploits them.

If you don't trust Microsoft that's fine. Start to think different and switch to a Mac. Or move to Linux, and have everything under control. But don't keep your system without updates, that helps no-one, and hurts you.
Posted on: 07 May 2009 by JamieL
Windows updates. Let me make a comparison.
If your car was working fine, but someone came at 3am in the morning, moved the mirrors, the driver's seat, put on different tyres and changed the balance of the steering, how would you feel?
These could all be improvements for the average person, but if you had the car set how you like to drive it, it would make the car difficult for you to drive.
That is what Windows does to your computer if you let it change itself automatically.
The main problem with Windows is that it has been designed so that it can be remotely changed by Microsoft, and hackers/virus makers simply pretend to be Microsoft and then can attack your system. There is also the problem that Microsoft assume that everyone is too stupid to use a computer, and so hide what is happening from you. In UNIX when you launch a programme, you see all the data the launch uses displayed, and if there are any problems you can see what they are, the same for crashes, or locks.
The Windows firewall is fine if you just want to browse the net and run Microsoft programmes, but if you use things like bit torrent, or other programmes that use the net in a more interactive way, then it is not good enough to cope with what is needed.
The safest way to protect your computer is to not have it on the net, I use an older computer for net access, and my new computer stays off the net, as do the work UNIX systems, all interconnected on a router.
In short I have found Windows updates to be nothing but negative. I have considered LINUX but some programmes I use are easier to use on a PC. Macs I have yet to be convinced by, more on their inflexibility and hardware side. If I could run everything from a UNIX/IRIX system I would, but that is not convenient at the moment.
To add to the car simile, if you are happy to go to a garage and let them do everything you need to your car then fine (I do that with my car), and if you want to let Microsoft do that to your computer that is fine too.
If you have a system that you have fine tuned for specific purposes, and you know how to maintain it at that high performance, then do the maintenance yourself.
Posted on: 07 May 2009 by Guido Fawkes
quote:First, if the system is compromised, no firewall will help.
Depends - if the virus is transmitting data out then a firewall that stops access to malicious destinations will offer some useful protection, but clever attacks do try to circumvent such firewalls or are they IPSs or are they web filters (they are all ACLs when it comes down to it).
I agree that maintaining patching levels (Windows update) is important; this is also true of software update on the Mac.
Just get an Amiga and relax

ATB Rotf
Posted on: 07 May 2009 by nkrgovic
quote:Originally posted by JamieL:
The main problem with Windows is that it has been designed so that it can be remotely changed by Microsoft, and hackers/virus makers simply pretend to be Microsoft and then can attack your system. There is also the problem that Microsoft assume that everyone is too stupid to use a computer, and so hide what is happening from you. In UNIX when you launch a programme, you see all the data the launch uses displayed, and if there are any problems you can see what they are, the same for crashes, or locks.
The Windows firewall is fine if you just want to browse the net and run Microsoft programmes, but if you use things like bit torrent, or other programmes that use the net in a more interactive way, then it is not good enough to cope with what is needed.
The safest way to protect your computer is to not have it on the net, I use an older computer for net access, and my new computer stays off the net, as do the work UNIX systems, all interconnected on a router.
If you don't keep a computer on the network, then it can run anything. If you do connect the computers together, however, a virus can infect the one on the internet, and use that to spread across the entire network. I've never seen a virus that does that, but I haven't seen many viruses in general, and that doesn't prove anything.


All in all, unpatched computers are a risk. If you want to use them, remove the network cables from them, or keep two separate networks - one internet, one trusted. Everything else is just a false sense of security, or a case of security through obscurity. If you want to use a Windows machine, do it, but don't think you have the upper hand on MS because you don't let them update the computer you're using. There is no need to do it automagically, but you should apply ALL the security updates ASAP.
Same thing applies for any *nix system. They need to be updated as well. If you want a nice SGI box, that's wonderful, but keep it updated as well (and be prepared for a lot of manual labour doing that...).

@ROTF:
I stand corrected. Could we settle on "if the system is compromised with well-written malware, no firewall will help"?

Posted on: 09 May 2009 by Mr Underhill
Dear Sloop,
Unfortunately there is no substitute for knowledge; and everyone here can give you an answer but ultimately you have to judge what we are saying, and how the risk stacks up in your given circumstances.
The main attack vectors for most home users are:
1. email;
2. download from untrusted sites;
3. network communications;
4. bringing in files from other places which are infected; and
5. unpatched vulnerabilities, which are leveraged through 1 - 4.
I've probably missed something but I'll leave that to the anally retentive to point out.
Trust is a massive topic all to itself.
Now let's look at a real life example - my father.
He runs an unfirewalled / no AV system using Windows 95.
He uses his system twice a week, for less than ten minutes on each occasion.
The ONLY thing he does is connect direct to his bank, move his cash around and log off.
He connects onto the internet using a modem.
I have fully discussed the issues around this with my father, and he is happy with the level of risk he is taking doing nothing.
He IS making an informed decision.
For you - what is it that you do on the internet? On that machine?
If you are a more regular user of the WWW I would advise:
Use an old PC and set up IPCOP - free linux based firewall.
Especially good if you want to limit what other family members want to do.
Use this behind your router: don't rely on anything said about router and firewalls / DMZs. In my experience they are tacked on extras and not well executed.
Patch regularly.
Load Winclam AV and update daily.
Use a simple email client that will not automatically run code within downloaded emails.
Ensure you virus check any files you are moving onto your PC.
Personally I would NOT use windows as my base operating system. It is complex and easy to get wrong. Load up Ubuntu.
If you need windows - I do to code in t-sql and .Net - then run a virtual machine in VMware; VMware server is free, and you already own a licence.
Once you have set up your base Windows build save the files as your backup - for when windoze inevitably falls over and dies.
quote:Originally posted by Sir Crispin Cupcake:
If you configure your router to block everything except HTTP traffic you won't need a firewall at all. Hardware beats software.
Rich
Sorry - NO, NO, NO.
You can tunnel other protocols through HTTP.
M
Posted on: 16 May 2009 by Sloop John B
Thanks for all the replies, almost as many opinions on computers as there is on hifi!
In the end a reformat and reinstall but this time with only one user account seems to have got the system performing again.
It may be because I zapped the myriad of programs Master Sloop Jnr had on it as well.
Lost all my daughter's email though, which didn't go down too well. I blame her for wanting those Outlook fancy floral type emails and scorning Pegasus Mail!
Thanks again.
SJB
Posted on: 16 May 2009 by QTT
quote:Originally posted by Sloop John B:
I have for some years now used Zone Alarm.
While beginning a pre-reformat backup of the younger Sloop's PC I turned off zone alarm (after disconnecting from Internet) and was quite amazed at the speed increase once zone alarm was not doing its thing.
I know anti-virus is pretty essential but how essential is the software firewall (which I presume is the main slowing factor)?
I have a Netopia router with its firewall setting set to medium (Recommended setting. This level of firewall protection allows information to be sent securely to the Internet, but prevents anyone from the Internet from identifying the network address of your Router. This is the Internet equivalent of having an unlisted phone number.)
Any suggestions or options for safe computing with less of a hog on system resources?
Thanks
SJB
As a person who has been using computers for a long time and has implemented some mission critical software, I would say that you can do much better without Zone Alarm, AV, firewall since this stuff does more harm than good for the following reasons:
o Modern routers are very good at keeping the intruders out. By default, no one can access your system since all network (tcp / udp) ports are blocked.
o All web mail systems such as Yahoo, Gmail have built-in AV.
o All AV cause big detrimental effects on your PC. Too often, they are always late in dealing with new viruses.
o IE, Firefox, Chrome are now pretty good at preventing accidental user errors. But most important, you need to be careful when you click or run something from the internet.
o If your kids are using your PC, set up some Parent Control stuff.
My advice may sound a bit radical but I think in the end, it will save you a lot of hassle caused by AV, firewall stuff. They do more harm than the viruses themselves.
If you are a PC user, I would recommend Windows Defender, which is free from Microsoft; for a Mac and Linux user, you need none.
Posted on: 16 May 2009 by BigH47
I now have McAfee on my WPC since BT have changed from Norton/Symantec. Not unexpectedly it wasn't easy to get rid of Norton, taking about five McAfee installs, before the Norton website spat out a removal tool.
Posted on: 16 May 2009 by TomK
quote:Originally posted by QTT:quote:Originally posted by Sloop John B:
I have for some years now used Zone Alarm.
While beginning a pre-reformat backup of the younger Sloop's PC I turned off zone alarm (after disconnecting from Internet) and was quite amazed at the speed increase once zone alarm was not doing its thing.
I know anti-virus is pretty essential but how essential is the software firewall (which I presume is the main slowing factor)?
I have a Netopia router with its firewall setting set to medium (Recommended setting. This level of firewall protection allows information to be sent securely to the Internet, but prevents anyone from the Internet from identifying the network address of your Router. This is the Internet equivalent of having an unlisted phone number.)
Any suggestions or options for safe computing with less of a hog on system resources?
Thanks
SJB
As a person who has been using computers for a long time and has implemented some mission critical software, I would say that you can do much better without Zone Alarm, AV, firewall since this stuff does more harm than good for the following reasons:
o Modern routers are very good at keeping the intruders out. By default, no one can access your system since all network (tcp / udp) ports are blocked.
o All web mail systems such as Yahoo, Gmail have built-in AV.
o All AV cause big detrimental effects on your PC. Too often, they are always late in dealing with new viruses.
o IE, Firefox, Chrome are now pretty good at preventing accidental user errors. But most important, you need to be careful when you click or run something from the internet.
o If your kids are using your PC, set up some Parent Control stuff.
My advice may sound a bit radical but I think in the end, it will save you a lot of hassle caused by AV, firewall stuff. They do more harm than the viruses themselves.
If you are a PC user, I would recommend Windows Defender, which is free from Microsoft; for a Mac and Linux user, you need none.
As someone who also has been using computers for many years, including several years as IT manager in charge of the IT infrastructure of a large college, can I say that this is one of the biggest loads of ignorant, uninformed BS I've seen since a similar thread on here two or three years ago when somebody claimed protection was unnecessary as long as you were careful which sites you visited. It's late here (4am) and I've had a beer or 2 so I'm not going to go into details at the moment but PLEASE disregard this dangerous advice. It's almost like it was written by a hacker.
Posted on: 16 May 2009 by QTT
quote:Originally posted by TomK:
As someone who also has been using computers for many years, including several years as IT manager in charge of the IT infrastructure of a large college, can I say that this is one of the biggest loads of ignorant, uninformed BS I've seen since a similar thread on here two or three years ago when somebody claimed protection was unnecessary as long as you were careful which sites you visited. It's late here (4am) and I've had a beer or 2 so I'm not going to go into details at the moment but PLEASE disregard this dangerous advice. It's almost like it was written by a hacker.
So what would you recommend? Sounds like the MPs to me, LOL?