Computer Security 101 for the Small / Casual User, Part 1.
Last month, we discussed how and why "Security" is indeed an important issue for ALL computer users, even those who "only" casually use E-Mail and/or surf the 'net from their stand-alone home PCs. We closed by pointing out that it is the responsibility of everyone who connects (even indirectly) to the Internet — yes, this means YOU — to ensure that their systems are adequately protected against such attacks and illicit use. Hopefully, that article gave you enough understanding of the stakes and consequences involved to make you want to do something about it.
So the obvious (if rhetorical) question becomes, how do you “ensure that your systems are adequately protected against such attacks and illicit use”?
The usual generic advice that you've heard a thousand times before is to run a good antivirus program [1] and keep its “definitions” or “signatures” files up-to-date. That's valid, as far as it goes; but it doesn't go nearly far enough. The same holds true for popular “spyware” scanning programs like Ad-Aware and Spybot Search & Destroy. These tools can be very useful when they're needed; in fact, we use and recommend both of the ones just mentioned. But they, like on-demand virus scanners, are fundamentally after-the-fact “fix-it kits”, not preemptive protection. The fitting analogy here is to the spare tire in your car. You definitely want to have it available if/when you need it; but if all is right with the world, that day will never come. Conversely, if you're repeatedly relying on it to get you home, you've got some other much larger and more fundamental problem — and that is what you need to fix. Nobody is supposed to get three flat tires per week!
In other words, the goal should be to prevent the problem, not just mop up after it. The best — and only truly effective — way to accomplish this is to eliminate the attack vectors (i.e., the routes into your computer that the malware takes), so that you cannot be infected; and hence, you cannot subsequently infect others. To do that, the first thing you need to understand is that ALL so-called "security vulnerabilities" are created by bad software — yes, every single one of them. And to at least some degree, all non-trivial software is buggy — i.e., bad.
There is an old adage which applies here:
“The only truly secure computer is one which is powered-down, disconnected from all other computers, and locked away where no one can physically get to it.”
Unfortunately, that also makes for a pretty useless computer. But it nicely points up the fundamental approach that is needed, which is two-fold:
The first step is to realize that no matter how diligently we patch, update, tweak, and otherwise attempt to remove vulnerabilities from a computer system, we can never be 100% confident of our success in that pursuit. Even if we were to do a perfect job and create the mythical “perfectly secure computer” with all known vulnerabilities excised today, a new vulnerability can (and probably will) be discovered tomorrow. So an additional line of defense is required, in the form of a properly configured stand-alone outboard firewall (often called a “hardware” firewall, although that term is actually something of a misnomer). Suitable devices can either be purchased “off the shelf” [2], usually at very modest cost; or they may be built from a spare obsolete PC using any of several special-purpose free software packages designed expressly for this purpose, such as Freesco, IPCop, or SmoothWall Express. We generally prefer the latter approach, as it offers greater flexibility, upgradability and control, and at least potentially better protection; but either can be made to suffice.
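To make “properly configured” concrete, here is an added example (not from this article, nor from Freesco, IPCop or SmoothWall) of the default-deny, stateful NAT ruleset such a spare-PC firewall enforces, written for Linux iptables; the interface names (eth0 toward the Internet, eth1 toward the LAN) and the LAN address range are assumptions.

```shell
#!/bin/sh
# Added example: a default-deny, stateful NAT gateway ruleset for a
# Linux-based spare-PC firewall. Not taken from Freesco, IPCop or
# SmoothWall; interface names and the LAN range below are assumptions.
WAN=eth0                 # assumed: interface facing the modem/Internet
LAN=eth1                 # assumed: interface facing the protected PCs
LAN_NET=192.168.1.0/24   # assumed: private address range of the LAN

# Emit the ruleset as iptables commands, one per line. Nothing is
# applied here, so the output can be reviewed (or tested) first.
firewall_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
# Nothing gets in or through unless a later rule explicitly allows it.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Drop packets claiming a LAN source address but arriving from the Internet.
iptables -A INPUT -i $WAN -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN -s $LAN_NET -j DROP
# The firewall itself may be managed from the LAN only, never from the WAN side.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
# Replies to connections the LAN opened are let back in; nothing unsolicited is.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may start connections outward; the Internet may not start any inward.
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
# Hide the LAN behind the firewall's single public address.
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Apply the rules only when explicitly asked (as root); otherwise just print them.
if [ "${APPLY:-0}" = 1 ]; then
    firewall_rules | sh -e
else
    firewall_rules
fi
```

Run it plainly to review the rules; run it as root with APPLY=1 on the firewall box to install them.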
Do not be fooled by popular marketing myths into thinking that a so-called “software firewall” or “personal firewall program” can ever be an adequate substitute for a proper outboard firewall. All such products are at least mostly snake oil, aimed squarely at the naive user [3]; and it can be fairly said that they are actually detrimental to most of their users, due to the false sense of security they inspire.
They aren't even really firewalls, as can easily be seen by considering the meaning of the term “firewall”. Much like a moat must completely surround the castle in order to be effective, by definition a “firewall” is supposed to be an impenetrable barrier standing between the threat and the object you're trying to protect. But these so-called “software firewall” or “personal firewall” products are merely application programs running on the same machine they are putatively trying to “protect”. Hence, their fundamental concept is inherently flawed, because (at least part of) the target machine remains directly connected (and thus exposed) to the general Internet. In effect, they are a swimming pool inside the castle. Sure, a particularly clumsy Barbarian might slip and fall into it while on his rampage through the Royal abode; but by then, he and his cohorts have already smashed the furniture, pillaged the pantry, and done unspeakable acts to the cooks and chambermaids. Further, because these are simply application programs running on your general-purpose PC, it only takes one mouse click on the wrong link on the wrong web page to instantly download a Trojan Horse program which will completely disable that “software firewall”, and BANG — you are “own3d”, as all of your illusory “protection” has been nullified. By comparison, while an outboard firewall cannot be counted on to prevent such a user-initiated download, it also cannot be affected by it, since it is not an application program running on the target machine.
With our properly configured outboard firewall in place, next month we will address step two, which is securing (to the extent possible) the target PC itself.
Footnotes:
[1] This task is not as simple as it may at first seem. Many of the “biggest name” anti-virus programs are actually among the poorest possible choices. For example, current Symantec products, including Norton AntiVirus, come loaded with a DRM Trojan (and a badly implemented one, at that); hence it can be reasonably said that they constitute malware in and of themselves. NAI/McAfee has a long dismal history of spamming; which means that they are by definition untrustworthy and patronizing them would be unethical. Others, such as Avast, F-Prot for Windows, and PC-Cillin, remove themselves from possible consideration by virtue of the fact that they (at least claim to) depend on Microsoft Internet Explorer. Still others insist on “phoning home” (putatively for “automatic updates”; but you have no way to ever be sure that the information exchange is limited to that) without your express permission or approval, and/or require so-called "online product activation" (both of which are security problems in and of themselves). Fact is, we have yet to find an anti-virus tool that we really like in all respects; hence, we are loath to make any specific recommendations. But after eliminating those packages ruled out by the foregoing issues, the following are at least potentially worth consideration:
AVG Anti-Virus Free
AVG Anti-Virus Professional Edition
ClamAV, ClamAV for Windows, and ClamWin Free (which are all related, but different)
Sophos Anti-Virus
There may be other worthy candidates; but these currently seem to be the best bets.
[2] For the home or very small office user, entry-level models such as the D-Link DI-804HV, Linksys BEFSX41v2, and Netgear RP614 will usually prove sufficient; if WiFi (IEEE 802.11a/b/g) wireless LAN connectivity is needed, such as for a roaming laptop, then models such as the D-Link DI-824VUP, Linksys WRT54GL and Netgear WGU624 would be more appropriate. Please note that these references and links are provided solely as examples for your convenience, and do not constitute a specific recommendation; there may be other makes/models which offer equal or superior performance and/or value.
[3] For confirmation and further background information on this, see this article by Steve Atkins of SamSpade.Org and Word to the Wise.