Surf and Spyware Protection on OpenBSD - BSD


  1. Surf and Spyware Protection on OpenBSD

    Are there (or will there be) total network solutions (like Surf and Spyware
    Protection) on OpenBSD?

    Regards, Lars.



  2. Re: Surf and Spyware Protection on OpenBSD

    On Thu, 22 Sep 2005 16:58:45 +0200, Lars Bonnesen wrote:

    > Are there (or will there be) total network solutions (like Surf and Spyware
    > Protection) on OpenBSD?


    Why would OpenBSD require such crapware?


  3. Re: Surf and Spyware Protection on OpenBSD

    Dave Uhring wrote:
    > On Thu, 22 Sep 2005 16:58:45 +0200, Lars Bonnesen wrote:
    >
    >
    >>Are there (or will there be) total network solutions (like Surf and Spyware
    >>Protection) on OpenBSD?

    >
    >
    > Why would OpenBSD require such crapware?
    >


    spyware is just a program which installs itself onto target computer by
    exploiting remote holes. those apps are normal programs, but webpages
    delivering them have malicious code that breaks browser's protection.
    that crap involves mostly windows. openbsd is secured-out-of-the-box,
    so i don't think that anyone is interested in making unix program and
    exploiting remote holes on the system that has no remote holes whatsoever.

    surf protection is also unimportant. if you refer to popups and stuff,
    mozilla (and firefox) have good popup blockers. use lynx and you won't
    get popups. good sysadmin has everything he needs to set up excellent
    security on openbsd, such as packet filtering and iptables. so that surf
    and spyware crapware is really out of the question for openbsd.

  4. Re: Surf and Spyware Protection on OpenBSD

    "Lars Bonnesen" writes:

    > Are there (or will there be) total network solutions (like Surf and
    > Spyware Protection) on OpenBSD?


    Since there are so many contexts in which this question could be
    answered, I'd need to know more about just how the question popped up.
    (After that, I, and probably many more, might be able to answer.)

    Are you contemplating using OpenBSD on a client machine instead of
    something else for security reasons? Are you trying to convince
    someone that OpenBSD is ok to use as a server, even if people are
    using the same box running web clients at times? Are you looking for
    something specific, like a firewall, a popup-blocker? Do you know any
    technical details at all about how viruses and worms spread? Or, are
    you just curious?

    Staffan

  5. Re: Surf and Spyware Protection on OpenBSD

    zarko bulatovic wrote:
    > good sysadmin has everything he needs to set up excellent
    > security on openbsd, such as packet filtering and iptables. so that surf
    > and spyware crapware is really out of the question for openbsd.


    zarko,
    why would one use iptables instead of pf on an OpenBSD box?

  6. Re: Surf and Spyware Protection on OpenBSD


    "Lars Bonnesen" wrote in message
    news:4332c71f$0$58105$edfadb0f@dread16.news.tele.d k...
    > Are there (or will there be) total network solutions (like Surf and
    > Spyware Protection) on OpenBSD?


    Ok, I see I have to be more specific about this.

    I want to set up a firewall box running some sort of *NIX. Clients on the
    local net are mostly Windows. It is these boxes I would like to protect with
    the OpenBSD thing.

    Astaro claims to have what I want:
    http://www.astaro.com/

    But I find OpenBSD to be more secure (?) than Astaro, and... Astaro is not
    free of charge.

    Can anyone tell me if there are any OpenBSD solutions with the above
    possibilities?

    Regards, Lars.



  7. Re: Surf and Spyware Protection on OpenBSD

    On Fri, 23 Sep 2005 07:55:11 +0200, Lars Bonnesen wrote:

    >
    > "Lars Bonnesen" wrote in message
    > news:4332c71f$0$58105$edfadb0f@dread16.news.tele.d k...
    >> Are there (or will there be) total network solutions (like Surf and
    >> Spyware Protection) on OpenBSD?

    >
    > Ok, I see I have to be more specific about this.
    >
    > I want to set up a firewall box running some sort of *NIX. Clients on the
    > local net are mostly Windows. It is these boxes I would like to protect with
    > the OpenBSD thing.
    >
    > Astaro claims to have what I want:
    > http://www.astaro.com/
    >
    > But I find OpenBSD to be more secure (?) than Astaro, and... Astaro is not
    > free of charge.
    >
    > Can anyone tell me if there are any OpenBSD solutions with the above
    > possibilities?


    OpenBSD does not provide an application layer firewall; it has a packet
    filter, PF, and can do nothing to provide your requested protection to
    idiot users of Internet Explorer.

    PF can and does protect your Windows boxes from external attacks arriving
    on Microsoft's NetBIOS ports but it cannot protect from stupid users.


  8. Re: Surf and Spyware Protection on OpenBSD


    "Dave Uhring" wrote in message
    newsan.2005.09.23.06.14.12.3452@yahoo.com...
    > On Fri, 23 Sep 2005 07:55:11 +0200, Lars Bonnesen wrote:
    >
    >>

    > OpenBSD does not provide an application layer firewall; it has a packet
    > filter, PF, and can do nothing to provide your requested protection to
    > idiot users of Internet Explorer.


    (-;

    > PF can and does protect your Windows boxes from external attacks arriving
    > on Microsoft's NetBIOS ports but it cannot protect from stupid users.


    Q: "Do you want to install the comet cursor and have a great time?"
    A: "**** yes!".

    Ok, then if I want to run OpenBSD as a firewall box, what do I do to protect
    the LAN from spyware as well (on a centralized basis, not on the client side
    like Ad-Aware and such).

    Regards, Lars.



  9. Re: Surf and Spyware Protection on OpenBSD

    On Fri, 23 Sep 2005 08:27:59 +0200, Lars Bonnesen wrote:

    > Ok, then if I want to run OpenBSD as a firewall box, what do I do to protect
    > the LAN from spyware as well (on a centralized basis, not on the client side
    > like Ad-Aware and such).


    Disabling the FTP proxy on the firewall will prevent the spyware from
    sending its collections to "wherever". It will also prevent your clients
    from using FTP.

    Replacing Internet Explorer on those Windows boxes with Firefox is a more
    reliable alternative. Even so, stupid users will download arbitrary *.exe
    files and execute them.


  10. Re: Surf and Spyware Protection on OpenBSD


    "Dave Uhring" wrote in message
    newsan.2005.09.23.06.56.31.85883@yahoo.com...
    > On Fri, 23 Sep 2005 08:27:59 +0200, Lars Bonnesen wrote:


    > Disabling the FTP proxy on the firewall will prevent the spyware from
    > sending its collections to "wherever". It will also prevent your clients
    > from using FTP.


    Well this is only possible if the spyware uses FTP to send it. Couldn't
    they use other protocols?

    And it will still be a problem if the PC is infected with some kind of
    malware.

    > Replacing Internet Explorer on those Windows boxes with Firefox is a more
    > reliable alternative. Even so, stupid users will download arbitrary *.exe
    > files and execute them.


    I do not find Firefox to be an alternative to Internet Explorer although I
    am aware that the security is better on Firefox.

    Regards, Lars.



  11. Re: Surf and Spyware Protection on OpenBSD

    On Fri, 23 Sep 2005 10:02:01 +0200, Lars Bonnesen wrote:

    >
    > "Dave Uhring" wrote in message
    > newsan.2005.09.23.06.56.31.85883@yahoo.com...
    >> On Fri, 23 Sep 2005 08:27:59 +0200, Lars Bonnesen wrote:

    >
    >> Disabling the FTP proxy on the firewall will prevent the spyware from
    >> sending its collections to "wherever". It will also prevent your clients
    >> from using FTP.

    >
    > Well this is only possible if the spyware uses FTP to send it. Couldn't
    > they use other protocols?


    The spyware I have seen in operation uses FTP.

    > And it will still be a problem if the PC is infected with some kind of
    > malware.


    If you do not permit the PC to get infected in the first place then you
    have no problems. Indeed, the newsreader which *you* are using is one of
    the most notorious vectors for malware ever invented. Only Internet
    Explorer is more efficacious.

    >> Replacing Internet Explorer on those Windows boxes with Firefox is a more
    >> reliable alternative. Even so, stupid users will download arbitrary *.exe
    >> files and execute them.

    >
    > I do not find Firefox to be an alternative to Internet Explorer although I
    > am aware that the security is better on Firefox.


    Then you are doomed.


  12. Re: Surf and Spyware Protection on OpenBSD


    "Dave Uhring" wrote in message
    newsan.2005.09.23.08.28.57.533387@yahoo.com...
    > On Fri, 23 Sep 2005 10:02:01 +0200, Lars Bonnesen wrote:


    > If you do not permit the PC to get infected in the first place then you
    > have no problems. Indeed, the newsreader which *you* are using is one of
    > the most notorious vectors for malware ever invented. Only Internet
    > Explorer is more efficacious.


    Nevertheless, I have myself never been infected with any malware or virus.
    But I understand your point.

    Regards, Lars.



  13. Re: Surf and Spyware Protection on OpenBSD

    "Lars Bonnesen" writes:

    > I want to set up a firewall box running some sort of *NIX. Clients on the
    > local net are mostly Windows. It is these boxes I would like to protect with
    > the OpenBSD thing.


    Using OpenBSD for a firewall is certainly a good idea. I suppose what
    Astaro has to offer over a straightforward OpenBSD install is some sort
    of point and click administrator interface. IIRC a couple of such PF
    GUI interfaces are available - pfw (http://www.allard.nu/pfw/) is one,
    typing "OpenBSD PF GUI" into your favourite search engine will turn up
    others. Probably nice if you want it, I must confess I prefer "doable
    over ssh" myself.


    You might find my PF tutorial http://www.bgnett.no/~peter/pf/
    instructive. It's substantially similar (a few pending updates)
    to what will be presented at AUUG2005 next month.


    > Can anyone tell me if there are any OpenBSD solutions with the above
    > possibilities?


    A default deny policy will at least limit the amount of damage stupid or
    careless users on your LAN can do to themselves or others.
    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

  14. Re: Surf and Spyware Protection on OpenBSD

    On 2005-09-23, Dave Uhring wrote:


    > Then you are doomed.


    LOL!....

    Well, maybe not quite that bad, but you're definitely putting yourself
    in harm's way unless you take great pains to harden IS/OE. One other
    good practice is to use ip filtering (software firewall) on each host
    on your lan. I use host filtering on my lan behind my firewall/router
    and have discovered it's pretty effective at preventing spy/malware.
    Without it, my M$ box lasted one day before total corruption from
    drive-by downloads. This using Netscape and no email at all. It
    really has gotten bad out there. But, with my ancient copy of Conseal
    (Signal9), no probs for years. Newer firewall apps w/ stateful
    filtering should work even better. Just make sure you set up
    "stop all" by default and allow only necessary services through.

    nb

  15. Re: Surf and Spyware Protection on OpenBSD

    prodigal1 wrote:
    > zarko bulatovic wrote:
    >
    >> good sysadmin has everything he needs to set up excellent security on
    >> openbsd, such as packet filtering and iptables. so that surf and
    >> spyware crapware is really out of the question for openbsd.

    >
    >
    > zarko,
    > why would one use iptables instead of pf on an OpenBSD box?


    don't know what's the better solution for some specific problem. i just
    listed both as security features.

  16. Re: Surf and Spyware Protection on OpenBSD


    In comp.unix.bsd.openbsd.misc, Lars Bonnesen dared to utter,
    > I want to set up a firewall box running some sort of *NIX. Clients on the
    > local net are mostly Windows. It is these boxes I would like to protect with
    > the OpenBSD thing.
    >
    > Astaro claims to have what I want:
    > http://www.astaro.com/
    >
    > But I find OpenBSD to be more secure (?) than Astaro, and... Astaro is not
    > free of charge.
    >
    > Can anyone tell me if there are any OpenBSD solutions with the above
    > possibilities?


    No solution is going to be 100% effective, but I think with careful
    planning you can achieve something much more secure than your current
    setup. The key things to do here I think are:

    1) Default deny. You've got to limit what your Windows PCs can do. If
    they can simply connect out to any and all hosts on the internet on
    any ports, you've already lost.
    2) Identify what websites, mail servers, etc your clients need to
    connect to, and allow your clients access only to those.

    This will eliminate quite a lot of problems with spyware, but might
    introduce quite a lot of complaints. Workers like to check up on the
    weather or news at work and if company policy doesn't prevent that,
    they'll probably scream.

    The easiest answer to that problem is a local proxy server that can
    filter out extensions from websites. You could prevent users from
    downloading archive files, executable files, etc through the use of
    squid and dansguardian for example. If your ruleset is sufficiently
    tight, allowing only your filtering proxy server to access "hostile"
    websites, then you'll achieve a much more secure LAN (though of course,
    not completely secure) than what you currently have.

    Additionally, you would need to implement virus scanning on your mail
    server, or perhaps as a POP3 proxy for your clients. Remember,
    security is proactive. You'll need to be constantly looking at new
    avenues that malware can take to enter your LAN.

    --
    It is better to hear the rebuke of the wise,
    Than for a man to hear the song of fools.
    Ecclesiastes 7:5
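
The default-deny gateway with a filtering proxy described in posts 13 and 16, sketched as a pf.conf. This is an added example, not a ruleset posted by anyone in the thread; the interface names, proxy port 3128, the `_squid` proxy user and the 192.0.2.25 mail host are assumptions or constructed placeholders.

```conf
# Added example: default-deny pf.conf for an OpenBSD gateway in front of
# Windows clients. Current OpenBSD pf syntax; all names below are assumed.

ext_if     = "em0"                 # assumed Internet-facing interface
int_if     = "em1"                 # assumed LAN-facing interface
localnet   = $int_if:network
proxy_port = "3128"                # assumed port of the filtering proxy
mail_hosts = "{ 192.0.2.25 }"      # constructed placeholder mail server

set skip on lo

# 1) Default deny in both directions; log what is dropped so that
#    unexpected outbound attempts from the LAN show up on pflog0.
block log all

# NAT for the few flows that are allowed to be forwarded.
match out on $ext_if inet from $localnet to any nat-to ($ext_if)

# 2) LAN clients may talk to the proxy on the firewall and nothing else
#    on the web. No rule passes port 80/443 straight through, so a
#    browser that ignores the proxy setting simply gets no connection.
pass in on $int_if inet proto tcp from $localnet to ($int_if) port $proxy_port

# Administration over ssh from the LAN only.
pass in on $int_if inet proto tcp from $localnet to ($int_if) port ssh

# Mail only to the named servers (forwarded, so it needs in and out rules).
pass in  on $int_if inet proto tcp from $localnet to $mail_hosts port { smtp pop3 }
pass out on $ext_if inet proto tcp to $mail_hosts port { smtp pop3 }

# 3) Only the proxy process on the firewall may reach arbitrary web
#    servers. The "user" match applies to locally owned sockets.
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 80 443 } user _squid

# The firewall itself resolves names on behalf of the proxy.
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain

# FTP is not passed and no ftp-proxy is run, so clients have no FTP at
# all, which is the trade-off mentioned in post 9.
```

Loading it with `pfctl -nf /etc/pf.conf` first parses the file without applying it; `tcpdump -n -e -ttt -i pflog0` then shows which client connections the `block log` rule is dropping.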

  17. Re: Surf and Spyware Protection on OpenBSD

    Lars Bonnesen wrote:

    > Nevertheless, I have myself never been infected with any malware or virus.
    > But I understand your point.


    Lars!
    Where can I find you?
    I want to shake your hand...and then go out and buy a lottery ticket! ;-)
