Moose's last post about building a new fire-breathing computer and
equipping it with the Zone Alarm firewall causes me to ask a question
that has been on my mind the last couple of weeks.
Independent of OS and real/perceived vulnerabilities do we really need
software firewalls if our machines are talking to the internet through a
router? One of the functions of a router is to hide our real IP
addresses from the outside world.
(1) Assuming we haven't deliberately established ports for peer-to-peer
connections (?) are we not safe from outside probing given that we're
hidden behind the router?
(2) If not, what function does the software firewall provide that the
router doesn't?
(3) Is the distinction even important now that most security breaches
are passing through our browsers? (maybe Apple guys should pay attention?).
Now some other security related questions having to do with Linux
because, after following "Krebs on Security" recently
<http://krebsonsecurity.com/> , I've become paranoid about doing banking
and financial transactions on Windows. According to Krebs and others
the most secure way to operate is by using a Linux distribution on Live
CD. Since the CD is not writeable the OS cannot be modified. My wife's
old Dell laptop is still running XP and needs to be replaced with
something more modern. My thought was to repurpose the old laptop as a
dedicated Linux machine whose only purpose is financial transactions and
the only websites it ever visits is those of the financial institutions.
But I have a few questions about such a configuration.
(4) Since a Live CD is not writeable how is configuration data saved
(such as URL favorites for the browser and other stuff)? Does that not
require at least some other small storage device? How is it selected?
(5) That question doesn't arise if Linux is installed on a USB memory
stick or flash card on USB adapter. That should also improve boot time
but seems to undo the security of the unwriteable Live CD. I had
thought that maybe an SD card could be used with its write protect
switch set to prevent writing but my understanding of that is that it's
not really a hardware prevention but a software convention providing no
real security. Anyone know for sure?
(6) If the Linux machine is residing on a (mostly) Windows LAN is the
Linux machine still vulnerable through the LAN? If so, is it possible
to isolate the Linux machine by installing it behind a second router?
If so, how are two routers installed behind a single cable modem? Can
one simply install a switch and plug both routers into the switch?
(7) Am I overly paranoid?
Thanks for any answers,
Chuck Norcutt
--
_________________________________________________________________
Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
Archives: http://lists.thomasclausen.net/mailman/private/olympus/
Themed Olympus Photo Exhibition: http://www.tope.nl/
|