Olympus-OM

Subject: Re: [OM] [OT] Firewalls and other (mostly Linux related) network security questions
From: Scott Gomez <sgomez.baja@xxxxxxxxx>
Date: Fri, 17 Jan 2014 16:59:42 -0800
This has been an interesting thread. A couple of observations I might add,
without reference to the specific questions:

My experience, so far, with open sourced (i.e. Linux) and closed source
products (Windows and Mac) has been that known security vulnerabilities are
often fixed within hours of being found, as opposed to weeks (Microsoft) or
months (Apple). Certainly not always true, but definitely more often true,
in my experience.

You can't save modifications to a Live CD version after creation of the CD.

One of my reasons for choosing Fedora over Ubuntu as my personal flavor of
Linux OS is the presence of SELinux. Left on (which many people do not, as
they believe it interferes with "ease of installation" of software later)
it provides an added layer of security against unauthorized changes. So
far, since much earlier versions than current, I've not had any issues in
installing anything I need from Fedora's repositories when using Fedora
with SELinux fully enabled.

There is a tendency among more novice users of Linux who have come from the
Windows world to turn off many built-in protections in order to make Linux
work "more like Windows". This is a seriously bad idea. Better to invest
some time reading to learn *why* Linux is telling you you can't/shouldn't
do something, then do it correctly.

There have been a few articles lately about many, many versions from many
manufacturers of "home routers" being quite easily compromised, as the out
of the box configuration is insecure. Learn the router.

Inexpensive switches may provide decent port-to-port isolation, but they're
still all on the same LAN. An inexpensive mid-grade switch or a refurbed or
used high-end switch provides much better control, and can allow you to
create your internal network with VLANs to keep routine traffic and
financial traffic separated. Additionally, many newer switches support
creation of ACLs (Access Control Lists) that prevent unwanted traffic
between systems even on the same VLAN.

$0 for a pfSense download plus an old otherwise useless PC with two
ethernet ports will provide you the ability to handle much better
firewalling than you can get from a "home router". After installing and
verifying operation on the default configuration, start by closing nearly
all ports outbound, and only open what you need. It's very easy to not only
open the ports you need, but also to restrict different types of traffic to
only being able to contact specific IPs on the outside. The same is true
for inbound traffic.

But mostly, I happen to think that simply switching from Windows to
Linux--and not screwing with the Linux install--will more than handle most
issues regarding financial transactions on line for most folks. Password
compromise on the site due to lousy passwords or reused passwords is a far
more likely occurrence. Password length, for example, provides far better
password security than complexity of short passwords.

---
Scott
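A worked check of the closing point about password length versus complexity, added here and not part of Scott's post. It assumes passwords drawn uniformly at random from their alphabet and a constructed offline guess rate of 10^10 guesses per second.

```python
import math

# Alphabet sizes used below (assumption: the password is drawn uniformly at
# random from the whole alphabet, so an attacker must search all of it; a
# 16-letter passphrase built from dictionary words has far fewer possibilities).
LOWERCASE = 26
PRINTABLE_ASCII = 95

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def length_to_match(target_bits: float, alphabet_size: int) -> int:
    """Shortest password from this alphabet with at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Time to try every password of this shape at a constructed guess rate
    (offline cracking of a leaked hash; online guessing is far slower)."""
    return alphabet_size ** length / guesses_per_second

def compare(short_len: int = 8, long_len: int = 16, rate: float = 1e10) -> dict:
    """Short password from the full printable set vs. long lowercase-only password."""
    short_bits = entropy_bits(short_len, PRINTABLE_ASCII)
    return {
        "short_complex_bits": short_bits,
        "long_simple_bits": entropy_bits(long_len, LOWERCASE),
        "short_complex_days": seconds_to_exhaust(short_len, PRINTABLE_ASCII, rate) / 86400,
        "long_simple_years": seconds_to_exhaust(long_len, LOWERCASE, rate) / (86400 * 365),
        # how many lowercase letters already equal the 8-character complex password
        "lowercase_len_matching_short": length_to_match(short_bits, LOWERCASE),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:,.1f}")
```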


On Fri, Jan 17, 2014 at 2:48 PM, Sandy Harris <sandyinchina@xxxxxxxxx> wrote:

> On Fri, Jan 17, 2014 at 10:18 AM, Chuck Norcutt
> <chucknorcutt@xxxxxxxxxxxxxxxx> wrote:
>
> > Moose's last post about building a new fire-breathing computer and
> > equipping it with the Zone Alarm firewall causes me to ask a question
> > that has been on my mind the last couple of weeks.
> >
> > Independent of OS and real/perceived vulnerabilities do we really need
> > software firewalls if our machines are talking to the internet through a
> > router?  One of the functions of a router is to hide our real IP
> > addresses from the outside world.
> >
> > (1) Assuming we haven't deliberately established ports for peer-to-peer
> > connections (?) are we not safe from outside probing given that we're
> > hidden behind the router?
>
> Yes, but with exceptions.
>
> First, there might be an attack on the router. Among the things Snowden
> revealed were a number of those from NSA's TAO (Tailored Access)
> group. The ones I've read about were for high-end routers used in
> corporate & gov't networks, but there may be some for lesser routers
> as well.
>
> > (2) If not, what function does the software firewall provide that the
> > router doesn't?
>
> It is basically the other way round; a router or other hardware
> firewall can do things that software cannot. Still, defense-in-depth
> or belt-and-suspenders are good ideas; using both is OK.
>
> > (3) Is the distinction even important now that most security breaches
> > are passing through our browsers?  (maybe Apple guys should pay
> > attention?).
>
> Yes.
>
> > Now some other security related questions having to do with Linux
> > because, after following "Krebs on Security" recently
> > <http://krebsonsecurity.com/> , I've become paranoid about doing banking
> > and financial transactions on Windows.  According to Krebs and others
> > the most secure way to operate is by using a Linux distribution on Live
> > CD.  Since the CD is not writeable the OS cannot be modified.
>
> The downside of that is that neither OS nor browser can get updates,
> including security upgrades.
>
> > My wife's
> > old Dell laptop is still running XP and needs to be replaced with
> > something more modern.  My thought was to repurpose the old laptop as a
> > dedicated Linux machine whose only purpose is financial transactions and
> > the only websites it ever visits are those of the financial institutions.
>
> I'm a Linux user and trust it more than I would Windows. Here's an old
> post of mine on a foreigners-in-China forum on the differences:
> http://raoulschinasaloon.com/index.php?topic=2460.0
>
> The key here, I think, is having a dedicated financial machine.
>
> However, given that, I'm not entirely certain a Linux system is going to
> be noticeably more secure than a carefully managed Windows system,
> starting by wiping it, re-installing Windows fresh and doing all of
> Microsoft's updates.
>
> > But I have a few questions about such a configuration.
> > (4) Since a Live CD is not writeable how is configuration data saved
> > (such as URL favorites for the browser and other stuff)?  Does that not
> > require at least some other small storage device?  How is it selected?
> > (5) That question doesn't arise if Linux is installed on a USB memory
> > stick or flash card on USB adapter.  That should also improve boot time
> > but seems to undo the security of the unwriteable Live CD.
>
> Yes. It would be possible to build a file with the required bookmarks
> and include it on the CD, but I doubt that would work well over the
> long term.
>
> >  I had
> > thought that maybe an SD card could be used with its write protect
> > switch set to prevent writing but my understanding of that is that it's
> > not really a hardware prevention but a software convention providing no
> > real security.  Anyone know for sure?
>
> My understanding is that is hardware, but I could be wrong.
>
> > (6) If the Linux machine is residing on a (mostly) Windows LAN is the
> > Linux machine still vulnerable through the LAN?
>
> Some attacks, like getting other machines to monitor what the
> Linux box does or sabotage it with bogus network traffic, are
> possible, at least in theory. They don't even need Windows;
> a Postscript printer is capable of running them. That said, they
> do not look likely unless your opponents are both professional
> and determined.
>
> If it is a wireless LAN there are other problems. Avoid that if possible.
>
> >  If so, is it possible
> > to isolate the Linux machine by installing it behind a second router?
>
> Yes, or just on a different router port.
>
> > If so, how are two routers installed behind a single cable modem?  Can
> > one simply install a switch and plug both routers into the switch?
>
> The more usual setup would be one router with a switch either
> built into it or placed behind it. Most switches manage the traffic
> so one client cannot see things sent to another client. Check
> the switch manual and try a web search to see if there are
> attacks on the switch, but in most cases a switch should give
> adequate isolation.
>
> > (7) Am I overly paranoid?
>
> No.
> --
> _________________________________________________________________
> Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
> Archives: http://lists.thomasclausen.net/mailman/private/olympus/
> Themed Olympus Photo Exhibition: http://www.tope.nl/
>
>
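The egress policy Scott recommends for a pfSense box (close nearly all outbound ports, open only what is needed, pinned to specific outside addresses) set beside the home-router default that the quoted router-versus-software-firewall questions touch on, as an added example that is not from either post. The rule evaluator, address blocks (documentation ranges) and sample flows are constructed assumptions, not pfSense's own rule engine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_net: str             # destination address block in CIDR form
    dst_port: Optional[int]  # None matches any port

@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dst_port: int

# Constructed addresses (RFC 5737 documentation ranges, not real institutions):
BANK_WEB = "203.0.113.0/28"      # the bank's web front ends
LAN_RESOLVER = "192.168.10.1/32"  # the firewall's own DNS resolver
NTP_SERVER = "192.0.2.10/32"

# Weak setting: the typical home-router default, every outbound connection allowed.
HOME_ROUTER_DEFAULT: List[Rule] = [Rule("allow", "any", "0.0.0.0/0", None)]

# Corrected setting: default deny outbound, with only the needed holes,
# each limited to one destination and one port.
LOCKED_DOWN_EGRESS: List[Rule] = [
    Rule("allow", "udp", LAN_RESOLVER, 53),
    Rule("allow", "udp", NTP_SERVER, 123),
    Rule("allow", "tcp", BANK_WEB, 443),
    Rule("deny", "any", "0.0.0.0/0", None),   # everything else is dropped
]

def first_match(policy: List[Rule], flow: Flow) -> Optional[Rule]:
    """First-match evaluation, top to bottom (iptables order; pf is last-match
    unless a rule carries 'quick')."""
    for rule in policy:
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if ip_address(flow.dst_ip) not in ip_network(rule.dst_net):
            continue
        if rule.dst_port is not None and rule.dst_port != flow.dst_port:
            continue
        return rule
    return None

def decide(policy: List[Rule], flow: Flow) -> str:
    """Return 'allow' or 'deny'; no matching rule means deny (fail closed)."""
    rule = first_match(policy, flow)
    return rule.action if rule else "deny"
```

Run `decide(LOCKED_DOWN_EGRESS, Flow("udp", "8.8.8.8", 53))` to see that even DNS is refused unless it goes to the designated resolver, which is the point of pinning each hole to a destination.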