 From:  Hilton Travis <Hilton at QuarkAV dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Feature request which would make m0n0wall even better ;)
 Date:  Wed, 28 Jan 2004 08:05:10 +1000
Hi Mark,

On Wed, 2004-01-28 at 03:01, Mark Spieth wrote:
> -----Original Message-----
> From: Jim Gifford [mailto:jim at giffords dot net] 
> Sent: Tuesday, January 27, 2004 11:49 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Feature request which would make m0n0wall even better ;)
> On Tue, Jan 27, 2004 at 11:08:50AM -0500, Mark Spieth wrote:
> > This is BAD BAD BAD BAD BAD! I can repeat it some more if you want... A
> > firewall should just be a firewall period end of story. If people would
> > keep things updated, then it might be a different case, But they won't,
> > hell I still see code red attacks out there..
> For a company network, the firewall should only do firewall.  Separate
> secure boxes inside the network should provide additional services.
> In a home network, having everything in one box isn't as risky.  For one
> thing, home networks aren't "juicy" targets like company networks are.
> A real world physical example that might put this into perspective:
>     At the last place I worked, we had proximity access cards.  You
>     needed the card to get in the front door outside of normal hours.
>     You needed the card to access the stairs and elevator from the
>     ground floor.  You needed the card to access the machine rooms.
>     There is a complicated alarm system, with dialout and cellular links
>     to contact the alarm monitoring people.
>     In my house, I have 1 key that fits both doors, and I keep the
>     doors locked at all times (aside from during egress/ingress).
>     I don't have a fancy alarm system.  I have one cat that might love
>     an intruder to death.  I have several computers, some expensive home
>     entertainment equipment, and standard appliances and furniture.
> I don't have as strong or as expensive a security setup at home as they
> had at work.  On the other hand, I have less than 30,000 dollars worth of
> stuff (that is likely a very high number actually), whereas the company
> had several tens of millions of dollars worth of equipment.  Their risk
> was greater, so their security measures were greater.
> > The end result is and will be that these insecure *nix boxes running all
> > this extra software, will get hacked, now personally if you put extra
> > stuff on your firewall and it gets hacked, and the hacker then deletes
> > all your company's accounting files so that you don't get a paycheck, I
> > really could care less, But that won't be the end of it, They will then
> > use that hacked box to go hacking other people's boxes including ones I
> > manage and that's where I have a problem. You want NTP etc.. Go buy a
> > $25.00 PII300 used box and run NTP behind your firewall, no guarantee it
> > won't get hacked, But your chances are much better than running it,
> > samba and a whole mess of other things on your box...
> In a home, many people *will not* dedicate 5 computers just for
> "infrastructure".  1 or 2 perhaps, but even that is a stretch.  m0n0wall
> on a soekris has the benefit of looking like a device instead of a
> computer.  *grin*  In a home, people often don't have a DMZ, nor do they
> generally need one.
> If someone is running a network gateway with a lot of extra services
> (including firewall, etc), and they are aware of the risks, then if they
> get compromised, they will have to live with that.
> I personally will be having my firewall only be a firewall (and once I
> get my big server rebuilt, I'll turn off DHCP on the m0n0wall and put it
> on the server instead).
> Also consider that every extra machine you add has an OS and software
> that must be kept up to date.  Someone has to manage that machine,
> and stay on top of patches.  In a company network those costs are
> expected.  In a home network, most people simply want things to work
> without having to spend a lot of time making them work.
> >> In a home network, having everything in one box isn't as risky.
> >> For one thing, home networks aren't "juicy" targets like company
> >> networks are.
> This is an extremely incorrect statement. In fact most script kiddies
> (which comprise most of the hacking attempts) do huge scans on network
> addresses; they have no idea who they are hacking, and would hack a home
> machine first, as you are less likely to get caught or even have the end
> user know the system was compromised. Once the home machine is hacked
> they will then use it to go after other systems.

Yes, I agree.  

1. It is significantly easier to hack a home system.  Most lack
firewalls, decent antivirus and any semblance of security.
2. Many (most?) home users have broadband, therefore cannot notice the
small amount of bandwidth used by a nefarious user.
3. The only time a home user generally even looks at a log is just
before they put it on their fire or bbq.
4. Once a home network is hacked, there are often a number of things the
script kiddies can do - all with tools written by better hackers, of
course - to continue hacking this network, but more importantly, other
networks.  A hack thru one of your PCs to a business will look like a
hack from your PC into that business.  Not fun!
5. Who wants an open relay server secretly installed on their home
6. Which home user (average home user, that is) would know if they were
hacked, let alone know what to do to stop it, trace it and protect from
it happening again?  Most of them will take their "unstable" PC to the
local computer noob (sorry, local computer store containing a highly
qualified and knowledgeable technician) and be told that their Windows
needs reinstalling, and that they need a bigger hard drive and better
video card.

PS Please don't top-post a reply to a (correctly) bottom-posted thread. 
It takes the whole thing out of context, and makes following the logical
flow of the thread rather difficult.



Hilton Travis                   Email: Hilton at QuarkAV dot com
Manager, Quark AudioVisual      Phone: +61-(0)7-3343-3889
         Quark Computers        Phone: +61-(0)419-792-394
(Brisbane, Australia)            http://www.QuarkAV.com/

Open Source Projects:		http://www.ares-desktop.org/

Non Linear Video Editing Solutions & Digital Audio Workstations
 Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
  Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.