The UK Home Automation Archive


RE: Shuttle & via epia... now firewalls



> I don't think using an old 486 (£15 worth?) that I got free is throwing
> money away...

Perhaps not, but the original post referred to 3 via epia based PCs, one per task, which cost rather more than 15 quid.

> >My point was that pc hardware can serve several functions easily and not
> >require separate boxes for everything.
>
> If you're going to the trouble of building/using a hardware firewall, then
> you may as well do the job properly. Any changes you make to

See Mark Harrison's post on what a firewall *should* look like.
_that_ is doing the job properly.
Your £15 pc is not.
If you're going to tell someone to do the job properly, then don't hold up your imperfect system as an example of how to do so!

> >Firewall software, simplistically does little more than say "hello packet.
> >Do I know you and am I allowed to let you in (or out)?".
>
> There's a fair bit more to it than that. IPCHAIN/IPTABLES basically does
> this, SNORT looks for patterns over multiple packets indicating intrusions
> into the network, then there's the logging, etc. etc.

Um...I was simplifying it.  That's why there's no need to mention logging etc.

> >I set permissions on my shares appropriate to the situation - e.g. my media
> >files are read only to users in my domain.
> >My personal document shares are read/write to me but no access to anyone.
> >etc.
>
> Setting files as R/O will slow Mr. Hacker down for a few

Sorry, I meant the shares on my XP/2k boxes are set to allow users in my domain Read-Only access to the media files, not that the files were simply set to be read only.
This is a bit more secure than hoping they don't know how to go right-click, properties and uncheck the read-only flag :)

> Your personal shares won't last that long when he gets admin rights... Then

Of course anybody with admin rights can do anything they like.  The thing is to stop them getting admin rights in the first place.
My hardware firewall/router opening port 80 only to a specific machine is not the same as going 'look - here's my admin password, and BTW all my NT shares are open to world too'.

> he can pop back when he wants to. Perhaps he'll investigate your servers,
> find out what Homeseer is and turn all your taps on and flood the house? OR

Maybe he will find out what homeseer is, but given that I don't have it, then who cares? :D

> >Just because I run a firewall does not mean my network is 100% secure, even
> >if _nothing_ else is running on the box.
>
> No, but a properly built/configed wall will stop all but the best of 'em.

Well perhaps they'll look on your 'proper' £15 firewall as more of a challenge than my lowly hardware firewall and leave mine alone :]

> >I am arguing that it is not always necessary to go for the top security
> >system.
>
> True, but if you're going to bother, then do the job properly.

Oh so you _are_ going to go for a full on 3+ machine firewall, utilising different OS'es and firewall software at each stage?
After all, if _you're_ going to bother, then _you_ do the job properly.

> >You are arguing that more security is required to prevent Joe hacker using
> >your machine to attack a government system (Wargames anyone?)
>
> Check out http://www.honeynet.org unadvertised machines getting compromised
> 15mins after going online... And according to

Yes, we all know about ppl who get a broadband connection and plug it straight into their PC with no protection at all.
And we all know there is software out there to scan a range of addresses and see if there are any open ports at those addresses.

> >At least my hardware router is the external 'face' of the lan
>
> Yes, because a bit of NAT is almost as good as a Cisco firewall :

then there's the packet filtering, port blocking, access logging, mac address restrictions.....
Please don't ridicule a product when you don't even know what it is or what its capabilities are.

> I don't mean to flame Tony, but the net is a dangerous place, and it's

You do a good job though :>

Yes, net attacks are on the increase.
Yes, ppl do connect their machines to the net without any security in place.
Yes, there are ppl running port scanners out there.
Yes, in an ideal world, we'd all have a 'proper' firewall that was totally invulnerable to any kind of attack.

BUT
- Not everyone connects their machines to the net with no security in place.
- Not everyone wants or needs the level of protection afforded by a 'proper' firewall.
- Anything less than 'proper' should not be dismissed as totally insecure, which is implied in your email.

Also, have you considered that by going for a 'proper' firewall (what you consider 'proper' (a $15 pc - not a multi machine firewall)) you may in fact increase the likelihood of being attacked?
A l33t hacker discovering your system is reasonably well protected may feel you have something to hide - otherwise you wouldn't have that level of protection, so they get to work and crack that puppy open (after all, if they can deal with firewalls costing tens of thousands of pounds then they can p*ss all over your cheap solution), get in and, realising there really is nothing of any interest there, they destroy all your files because they are so annoyed that _you_ caused them to waste their time hacking your system when it was a b0ring system anyway.......

> Sermon over.

Thank fcuk for that :]

Let's not start a real flame war.  As discussed with others yesterday, different ppl have different needs and views on the level of network security you need.
I think this thread has run its course now.



Tony


***********************************************************************
      Visit our Internet site at
http://www.rbsmarkets.com

This e-mail is intended only for the addressee named above.
As this e-mail may contain confidential or privileged information,
if you are not the named addressee, you are not authorised to
retain, read, copy or disseminate this message or any part of it.
The Royal Bank of Scotland is registered in Scotland No 90312
Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB
Regulated by the Financial Services Authority
***********************************************************************
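The thread argues about what a router/firewall that "opens port 80 only to a specific machine" actually does compared with an open network: the "hello packet, do I know you and am I allowed to let you in (or out)?" decision, connection tracking, a single port-forward, MAC restrictions and logging of what was dropped. The toy packet filter below is an added example, not code from the thread or from any product mentioned in it; every address, port and MAC in it is a constructed sample value, and the rule order (MAC check, DNAT, tracked-connection lookup, new outbound, forwarded inbound, default deny) is the assumed policy being illustrated.

```python
"""Toy stateful packet filter: default-deny, one inbound port-forward
(TCP/80 to a single LAN host), connection tracking so replies to
LAN-initiated traffic get back in, a LAN-side MAC whitelist, and a log
of every drop.  Constructed example; addresses/MACs are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False               # True for the first packet of a TCP connection
    src_mac: Optional[str] = None   # only meaningful for packets arriving from the LAN


@dataclass
class Firewall:
    wan_ip: str = "203.0.113.10"        # assumed router WAN address (TEST-NET-3)
    lan_prefix: str = "192.168.1."      # assumed LAN range
    # Inbound port-forwards: WAN port -> (LAN host, LAN port). Only TCP/80 here.
    forwards: Dict[int, Tuple[str, int]] = field(
        default_factory=lambda: {80: ("192.168.1.20", 80)})
    # MAC restriction: packets from the LAN must come from a known adapter.
    allowed_macs: Set[str] = field(
        default_factory=lambda: {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"})
    conns: Set[FlowKey] = field(default_factory=set)   # tracked connections
    log: List[str] = field(default_factory=list)        # access log of drops

    def is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def _drop(self, p: Packet, reason: str) -> str:
        self.log.append(f"DROP {p.src}:{p.sport} -> {p.dst}:{p.dport} ({reason})")
        return "DROP"

    def filter(self, p: Packet) -> str:
        """Return "ACCEPT" or "DROP" for one packet, updating state and log."""
        # LAN-side MAC restriction comes first: unknown adapters get nothing.
        if self.is_lan(p.src) and p.src_mac not in self.allowed_macs:
            return self._drop(p, "unknown MAC on LAN")

        # DNAT: traffic for a forwarded WAN port is rewritten to the LAN host.
        forwarded = False
        if p.dst == self.wan_ip and p.dport in self.forwards:
            lan_host, lan_port = self.forwards[p.dport]
            p = Packet(p.src, p.sport, lan_host, lan_port, p.syn, p.src_mac)
            forwarded = True

        key: FlowKey = (p.src, p.sport, p.dst, p.dport)
        reverse: FlowKey = (p.dst, p.dport, p.src, p.sport)

        # 1. Packets belonging to a tracked connection pass in both directions.
        if key in self.conns or reverse in self.conns:
            return "ACCEPT"

        # 2. New outbound connection from the LAN: track it so replies get in.
        if self.is_lan(p.src):
            if p.syn:
                self.conns.add(key)
                return "ACCEPT"
            return self._drop(p, "LAN packet outside any tracked connection")

        # 3. New inbound connection: only via the explicit port-forward.
        if p.syn and forwarded:
            self.conns.add(key)
            return "ACCEPT"

        # 4. Default deny for everything else, logged.
        return self._drop(p, "no matching rule")


def demo() -> Tuple[List[str], List[str]]:
    """Run a constructed packet sequence; return (verdicts, drop log)."""
    fw = Firewall()
    lan_pc, lan_web = "192.168.1.5", "192.168.1.20"
    remote_a, remote_b = "198.51.100.7", "198.51.100.9"       # TEST-NET-2 samples
    mac_pc, mac_web = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    mac_rogue = "de:ad:be:ef:00:00"
    packets = [
        Packet(lan_pc, 40000, remote_a, 443, syn=True, src_mac=mac_pc),  # LAN browses out
        Packet(remote_a, 443, lan_pc, 40000),                            # reply comes back
        Packet(remote_b, 5555, fw.wan_ip, 80, syn=True),                 # hits the forward
        Packet(lan_web, 80, remote_b, 5555, src_mac=mac_web),            # web server replies
        Packet(remote_b, 5556, fw.wan_ip, 445, syn=True),                # SMB probe from outside
        Packet("192.168.1.9", 40001, remote_a, 80, syn=True, src_mac=mac_rogue),  # unknown MAC
        Packet(remote_b, 5558, fw.wan_ip, 80),                           # non-SYN, untracked
    ]
    return [fw.filter(p) for p in packets], fw.log


if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)
    print("\n".join(log))
```

Run it and the first four packets are accepted (an outbound connection and its reply, then the single forwarded inbound connection and its reply), while the SMB probe, the unknown-MAC host and the mid-stream packet with no tracked connection are dropped and logged. That is the difference between "port 80 forwarded to one box" and "all my shares are open to the world" that the reply above is making.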
