[ale] how can a firewalled PC POSSIBLY be attacked?

Chuck Peters cp at axs.org
Sat Jan 26 14:02:02 EST 2013


On Tue, Jan 22, 2013 at 10:05 PM, Matt Hessel <matt.hessel at gmail.com> wrote:

> Really good question, and on a subject I work very closely in..
>
> Firewalls are more of a security blanket than a guard dog.  They
> normally do not validate the code you receive, or the sites you visit,
> or even exploitable code that runs over the interfaces... they only
> look at source and destination ip addresses and the port for the
> traffic.


If we want to do something more than a security blanket, what would you
suggest?

I have an old reliable 500MHz Dell machine I would like to put to good use.
Perhaps you can recommend some specialized Linux/BSD distribution that we
can use for a firewall/IDS, or an access point running hostap and
freeradius?

A couple of years ago the Linux Journal Paranoid Penguin column suggested
running a transparent firewall in front of your NAT device.  And then it
might be a good idea to run snort or some other IDS.  Another Paranoid
Penguin column showed how to set up RADIUS authentication so you could
run WPA Enterprise to rotate the encryption keys rather than using the one
pre-shared key.

Not that I am naturally paranoid, but here is what I worry about in terms of
weak points.
0. What I don't know about!
1. Our NAT firewall sometimes allows people at least a glimpse inside the
LAN.
2. Printers and wireless access points from vendors who rarely or never
provide security updates; it has been shown many times how these kinds of
devices can be exploited.
3. The vendors of Flash, Acrobat Reader and Java have a horrible record of
keeping those applications secure, and the browser defaults to allowing any
website to run those apps.  NoScript can help with Firefox, but it is just so
annoying to use on all too many websites.  Chrome and Chromium have a plugins
"click to play" option which is not enabled by default.
4. Of course I try to keep everything up to date, but that isn't always
enough.
5. DNS cache poisoning attacks.  Running my own bind servers for the LAN
helps, but DNSSEC and DANE enabled applications would be better for the
Internet as a whole.
6. Cable Cards, our most recent addition.  Supposedly they don't do two-way
communication on the cable side, but why should I trust
the proprietary CableLabs and our local cable company when they are more
concerned about treating customers as pirates...
7. Voip device.


Chuck
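The two points above, that a packet filter only checks addresses and ports and that a plain-DNS resolver can be poisoned, are really one point, and the following simulation ties them together.  It is an added example written for this archive, not code from Chuck, Matt or any of the projects mentioned.  It assumes a stateful firewall that admits an inbound UDP datagram only when its 4-tuple matches an outbound query it saw, a caching resolver that accepts an answer only when destination port, 16-bit transaction ID and question name match an outstanding query (the entire authentication an unsigned DNS answer gets), and an attacker who can spoof the upstream server's address and wins the race against the genuine answer.  Addresses are constructed from the RFC 5737 documentation ranges and nothing is sent on the network.

```python
"""Blind DNS cache poisoning against a resolver behind a stateful firewall.

Added simulation, not code from the thread.  All addresses are constructed
(RFC 5737 documentation ranges); no packets leave the process.
"""
import random
from dataclasses import dataclass

RESOLVER_IP = "192.0.2.10"      # constructed: LAN caching resolver
UPSTREAM_IP = "198.51.100.53"   # constructed: upstream server it queries
REAL_RDATA = "198.51.100.80"    # constructed: genuine answer
FORGED_RDATA = "203.0.113.66"   # constructed: attacker-controlled address


@dataclass(frozen=True)
class Packet:
    """The fields of a UDP DNS response that matter for this exercise."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    txid: int        # 16-bit DNS transaction ID
    qname: str       # question section echoed back by the server
    rdata: str       # the answer


def firewall_allows(pkt, pending):
    """Stateful packet filter: admit an inbound datagram only if its 4-tuple
    matches an outbound query seen earlier.  The DNS payload is never
    inspected, so a forgery with the right addresses and ports passes."""
    return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in pending


class Resolver:
    """Caching resolver.  An answer is accepted only if (local port, TXID,
    qname) match an outstanding query; with unsigned DNS that is all the
    checking there is."""

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.outstanding = {}   # (local port, txid) -> qname
        self.cache = {}

    def send_query(self, qname):
        # Fixed source port 53 versus an ephemeral port chosen per query.
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        txid = self.rng.randrange(0, 65536)
        self.outstanding[(port, txid)] = qname
        return port, txid

    def receive(self, pkt):
        key = (pkt.dst_port, pkt.txid)
        if self.outstanding.get(key) != pkt.qname:
            return False                     # port/TXID/name mismatch: dropped
        del self.outstanding[key]
        self.cache[pkt.qname] = pkt.rdata    # first matching answer wins
        return True


def run_attack(randomize_port, seed=1):
    """The resolver issues one query; the attacker sprays a forged answer for
    every possible TXID at port 53 before the real answer arrives.  Returns
    counters showing how far the forgeries got."""
    qname = "www.example.com."   # constructed target name
    resolver = Resolver(randomize_port, random.Random(seed))
    port, txid = resolver.send_query(qname)
    pending = {(UPSTREAM_IP, 53, RESOLVER_IP, port)}   # firewall state entry

    passed = accepted = 0
    for guess in range(65536):               # 2^16 TXIDs, one datagram each
        forged = Packet(UPSTREAM_IP, 53, RESOLVER_IP, 53, guess, qname, FORGED_RDATA)
        if firewall_allows(forged, pending):
            passed += 1
            if resolver.receive(forged):
                accepted += 1

    # The genuine answer arrives last, having lost the race.
    real = Packet(UPSTREAM_IP, 53, RESOLVER_IP, port, txid, qname, REAL_RDATA)
    real_ok = firewall_allows(real, pending) and resolver.receive(real)

    return {
        "firewall_passed": passed,
        "resolver_accepted": accepted,
        "real_answer_used": real_ok,
        "cached": resolver.cache.get(qname),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("randomized source port:", mode, run_attack(mode))
```

With a fixed source port every one of the 65,536 forgeries is admitted by the firewall, exactly one carries the right transaction ID, the cache ends up holding the attacker's address and the genuine answer is discarded as unsolicited.  With per-query port randomization the same spray is dropped at the firewall because the forgeries name the wrong port; a real attacker has to guess the port as well, which raises the blind search from 2^16 to roughly 2^32 combinations per query, a mitigation rather than a fix.  The firewall behaved correctly in both runs, which is the point: the decision that matters is made on DNS payload fields, and only a signature over the data (DNSSEC validation in the resolver) lets a forgery be rejected on its content rather than on how hard it was to guess.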