
Re: OT: Going without Norton



Network security primer for private LANs:
What your computer sends out over the net is as important, and potentially compromising, as what you receive from the net. For example, some malicious code is able to find passwords and account numbers stored on the hard disk, then establish a connection to a server on the Internet and deliver this information to persons unknown. You will not see this activity in your Windows GUI, and you might not even notice any degradation in LAN performance while it is going on. Some malicious code disguises itself as legitimate Windows functionality, so you will not detect it in the Windows Task Manager either.
There are two main sources of malicious code: email attachments, and web
sites which encourage you to "click here to enhance your Internet
experience".
In general, you want to control two things: 1) what programs are running
and trying to get access to the network, and 2) what data attachments
are coming and going over the network.
In general, AV software checks what data attachments are inbound, but
does not check what programs are outbound (though it may check/prevent
new programs from being installed). A firewall such as ZoneAlarm (or
similar) checks what programs are trying to come in and get out over the
net (by identifying their associated TCP/UDP port numbers), but does not
usually control user data/attachments. "Suites" tend to blur these
distinctions by offering an all-in-one package of functions.
The disadvantages of AV software are: 1) You must keep it current. That
means: 1a) you have to keep paying for it, and 1b) you have to tolerate it
locking up the network whenever it updates itself. 2) Scanning files
slows down the CPU. I am not familiar with Kaspersky; if some say it
does not slow down the CPU, fine and dandy, maybe it is more subtle than
the Norton AV (or less thorough). My own brief experience with Norton AV
was awful; it insisted on re-scanning documents I myself had created and
saved, every time I re-opened them, which is a complete waste of CPU.
In addition, I have a more general objection to AV software. There is no
such thing as a vaccine against all possible and future viruses. AV
software is just like flu vaccines: we have to wait for the first cases
to turn up before we can devise a specific measure against it. That
means that no matter how current your AV software is, there will always
be a window of vulnerability between the first outbreak of the next
generation of viruses and the availability of the next batch of AV
updates against them. Some viruses are smart enough to prevent AV
software from updating itself--they attack the AV .exe itself and
rewrite some of its code so that it cannot update itself and remove the
infection.
Now, getting back to the two main sources of malicious code: email
attachments and web site 'enhancements'. Once you've downloaded
malicious code onto your computer from either of the two main sources,
your AV software may, or may not, protect you, depending on how current
the AV definitions are and whether the malicious code has already
attacked your AV software. AV software offers a cure, if it is still
functional and current. _Prevention_ is better. You can prevent the
second sort of invasion by not clicking on these so-called web
enhancements. Of course, they may be disguised as something else
entirely, and the really dastardly ones don't even allow you the choice
of "OK" and "CANCEL" buttons; they just have "OK". ZoneAlarm has a 'slam
shut' button (and a keyboard shortcut) to interrupt such malicious
downloads.
ZoneAlarm adds new features from time to time, but it is not necessary
to update it; once you know what programs and port numbers you want to
let out/in, you never need to update it; it does not become more
vulnerable with time, as AV software does, because there are no new port
numbers you would have to block. The number of port numbers is fixed,
and the default setting on any good firewall (on a router or ZoneAlarm
on a pc) is to block everything not known to be friendly. Second,
ZoneAlarm has no effect on network performance, and very little on the
CPU compared to AV scanning.
ZoneAlarm does require some configuration and some knowledge of port
numbers, and I appreciate that this can put some people off. I don't
think much of one-button security measures; security is not an on-off issue.
As Wolfgang noted, a router with a good firewall should make ZoneAlarm
software on the pc behind the router superfluous. Bear two things in
mind, however. First, a router firewall blocks ports coming into the
LAN, but may not block traffic going out--unless you know this to be
otherwise, assume that the router firewall blocks only inbound traffic.
(ZoneAlarm checks both directions.) Second, firewalls usually do not
check user data or email attachments; they check TCP/UDP port numbers,
and that is not where viruses are. Viruses are in the user data portion
of a packet. So, to protect yourself from malicious user
data/attachments, you need to view your emails on the server and if
necessary delete them from the server, before downloading them through
the firewall. MailWasherPro is the right tool for this
(www.firetrust.com). Prevention is better than cure.
In my opinion, a combination of MailWasher and ZoneAlarm (or MailWasher
and a good router FW in both directions) is adequate for private LAN
security. That's what I run.
The Symantec web site is very useful as an information source, and
somewhere at their site is a list of known hostile servers; if you see
your pc trying to establish a connection to one of them, kill the
session and block that IP address in your FW.
For those who do not like ZoneAlarm, there is a tool which shows you
what TCP/UDP ports or sessions are currently active, with both source
address and destination address listed. There is also a kill function to
terminate unwanted sessions. It is called "TCP View", freeware from
www.sysinternals.com, the same people who brought you "Process Explorer"
(knocks the socks off Windows Task Manager). TCP View does not block
anything automatically; if you see something suspicious, you have to
kill it yourself. If you see dozens of open or 'listening' sessions to
places you are not surfing to, this is suspicious. TCP View also does
not prevent the same program from attempting to get out again
later--this is where ZoneAlarm offers a significant level of security.

Attached is a screenshot of TCP View.
For those who may not know this already, I'll also mention the DOS-level command, "netstat", which shows you what sessions are open. "netstat ?" lists the additional parameters available; you will search in vain for a kill function.
If anyone has need of more detailed instructions how to configure
ZoneAlarm, feel free to contact me off-list.

End of lecture. Hope this helps someone.
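A defender-side illustration of the manual review the post describes with TCP View and netstat, added here and not part of the original message: it parses constructed Windows `netstat -an` output, flags ESTABLISHED sessions to addresses on a hypothetical hostile-server list or outside a hypothetical known-good set, and counts LISTENING ports so that "dozens of listening sessions" stands out. The sample output, `KNOWN_GOOD` and `KNOWN_HOSTILE` are assumptions built from documentation address ranges.

```python
import re

# Constructed sample of Windows "netstat -an" output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1037      192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.10:1042      203.0.113.5:6667       ESTABLISHED
  TCP    0.0.0.0:9999           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1050      198.51.100.7:443       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Hypothetical lists: remote hosts the user knowingly talks to (here, the
# router) and a stand-in for a published "known hostile servers" list.
KNOWN_GOOD = {"192.168.1.1"}
KNOWN_HOSTILE = {"203.0.113.5"}

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state = m.groups()
            rows.append({"proto": proto, "laddr": laddr, "lport": lport,
                         "raddr": raddr, "rport": rport, "state": state or ""})
    return rows


def review_sessions(rows, known_good=KNOWN_GOOD, hostile=KNOWN_HOSTILE,
                    max_listeners=10):
    """Return (kind, remote address, remote port) tuples worth a closer look."""
    findings = []
    listeners = sum(1 for r in rows if r["state"] == "LISTENING")
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        if r["raddr"] in hostile:           # on the hostile-server list
            findings.append(("hostile", r["raddr"], r["rport"]))
        elif r["raddr"] not in known_good:  # not somewhere you are surfing to
            findings.append(("unknown", r["raddr"], r["rport"]))
    if listeners > max_listeners:           # "dozens of listening sessions"
        findings.append(("many-listeners", str(listeners), ""))
    return findings
```

To use it on a real machine, save the output of `netstat -an` to a file and pass its contents to `parse_netstat`; a "hostile" finding is the case where the post recommends killing the session and blocking the address in the firewall.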
