Computer on network connected to the Internet - Security



Thread: Computer on network connected to the Internet

  1. Computer on network connected to the Internet

    This is actually a Windows firewall problem, but I am asking it here because
    with Windows, one simply clicks a button. Under Linux, one knows and
    understands why we click the button.

    I have a router connected by Ethernet to my Linux box (Mandriva Spring) and
    by wireless to my wife's laptop running Windows XP. Both XP's own firewall
    and the installed CA Security suite claim that for maximum security, the
    Windows box must be totally isolated from the network, because it has
    access to the Internet. This means that it can't be part of Samba, or it
    may infect my Linux box (don't laugh), so it can't use my printer (which is
    the only reason I installed Samba.)

    I decided that this setting was too extreme and idiotic, so I dropped the
    security level there sufficiently to allow networking and SMB. Her box
    still can't send emails, and her firewall is blocking them. Apparently it
    is still in the "cotton-wool" zone - there, but deprived of all usefulness.
    What I probably need to do (but I haven't yet) is to move emails or OE into
    the same intermediate zone. And I have been cursing Windows for something
    that wasn't their fault.

    I know that everything in life is compromise. What is a reasonable way of
    tackling this?

    BTW, CA has an anti-zombie setting. If it detects that mass emails are
    going out, it blocks them, but that isn't what is stopping my wife's one
    email a month. OE says it can find the SMTP server, but can't connect to
    it. Totally disabling the firewall allows the connection.

    Doug - he who must obey.
    --
    Programming is like sex: One mistake and you have to support it for your
    lifetime.
    -- Pinched from another's sig. Only a programmer could empathise.


  2. Re: Computer on network connected to the Internet

    Doug Laidlaw wrote:

    > This is actually a Windows firewall problem, but I am asking it here
    > because
    > with Windows, one simply clicks a button. Under Linux, one knows and
    > understands why we click the button.
    >
    > I have a router connected by Ethernet to my Linux box (Mandriva Spring)
    > and
    > by wireless to my wife's laptop running Windows XP. Both XP's own
    > firewall and the installed CA Security suite claim that for maximum
    > security, the Windows box must be totally isolated from the network,
    > because it has
    > access to the Internet. This means that it can't be part of Samba, or it
    > may infect my Linux box (don't laugh), so it can't use my printer (which
    > is the only reason I installed Samba.)
    >
    > I decided that this setting was too extreme and idiotic, so I dropped the
    > security level there sufficiently to allow networking and SMB. Her box
    > still can't send emails, and her firewall is blocking them. Apparently it
    > is still in the "cotton-wool" zone - there, but deprived of all
    > usefulness. What I probably need to do (but I haven't yet) is to move
    > emails or OE into
    > the same intermediate zone. And I have been cursing Windows for something
    > that wasn't their fault.
    >
    > I know that everything in life is compromise. What is a reasonable way of
    > tackling this?
    >
    > BTW, CA has an anti-zombie setting. If it detects that mass emails are
    > going out, it blocks them, but that isn't what is stopping my wife's one
    > email a month. OE says it can find the SMTP server, but can't connect to
    > it. Totally disabling the firewall allows the connection.
    >
    > Doug - he who must obey.


    I cured the problem by creating a special rule enabling SMTP. At least the
    graphical wizard saved me the intricacies of whatever takes the place of
    iptables. But my basic gripe remains: what is the use of a network if the
    computer is firewalled off from it? Why have email capability then stop it
    from working? Only lawyers do anything so ridiculous. I was one - and
    hated it for that very reason.

    Doug - living inside a social firewall, a retirement village, "God's waiting
    room."
    --
    Husbands are like the fire on the hearth - likely to go out if left
    unattended.
    - W.G.P.


  3. Re: Computer on network connected to the Internet

    On 30 Jun, 04:13, Doug Laidlaw wrote:

    > I cured the problem by creating a special rule enabling SMTP. At least the
    > graphical wizard saved me the intricacies of whatever takes the place of
    > iptables. But my basic gripe remains: what is the use of a network if the
    > computer is firewalled off from it? Why have email capability then stop it
    > from working? Only lawyers do anything so ridiculous. I was one - and
    > hated it for that very reason.
    >
    > Doug - living inside a social firewall, a retirement village, "God's waiting
    > room."


    Many, if not most, Linux systems run nightly cron jobs to rotate logs,
    check for updates, scan for weird messages in the system logs, etc.,
    etc. These are normally emailed to the cron job owner, who is normally
    "root". The SMTP server is used on these systems to deliver the log
    messages somewhere useful: the normal restrictive firewall does allow
    that server to transfer the email *out* to a remote target, while
    refusing all non-local email. On such a system, you may as well block
    port 25 incoming, because nothing should be sending to that system
    from elsewhere until you're bothered to turn it on.

    Does that make more sense?


  4. Re: Computer on network connected to the Internet


    "Doug Laidlaw" wrote in message
    news:kcugl4-nna.ln1@dougshost.douglaidlaw.net...
    > Doug Laidlaw wrote:
    >
    >> This is actually a Windows firewall problem, but I am asking it here
    >> because
    >> with Windows, one simply clicks a button. Under Linux, one knows and
    >> understands why we click the button.
    >>
    >> I have a router connected by Ethernet to my Linux box (Mandriva Spring)
    >> and
    >> by wireless to my wife's laptop running Windows XP. Both XP's own
    >> firewall and the installed CA Security suite claim that for maximum
    >> security, the Windows box must be totally isolated from the network,
    >> because it has
    >> access to the Internet. This means that it can't be part of Samba, or it
    >> may infect my Linux box (don't laugh), so it can't use my printer (which
    >> is the only reason I installed Samba.)
    >>
    >> I decided that this setting was too extreme and idiotic, so I dropped the
    >> security level there sufficiently to allow networking and SMB. Her box
    >> still can't send emails, and her firewall is blocking them. Apparently
    >> it
    >> is still in the "cotton-wool" zone - there, but deprived of all
    >> usefulness. What I probably need to do (but I haven't yet) is to move
    >> emails or OE into
    >> the same intermediate zone. And I have been cursing Windows for
    >> something
    >> that wasn't their fault.
    >>
    >> I know that everything in life is compromise. What is a reasonable way
    >> of
    >> tackling this?
    >>
    >> BTW, CA has an anti-zombie setting. If it detects that mass emails are
    >> going out, it blocks them, but that isn't what is stopping my wife's one
    >> email a month. OE says it can find the SMTP server, but can't connect to
    >> it. Totally disabling the firewall allows the connection.
    >>
    >> Doug - he who must obey.

    >
    > I cured the problem by creating a special rule enabling SMTP. At least
    > the
    > graphical wizard saved me the intricacies of whatever takes the place of
    > iptables. But my basic gripe remains: what is the use of a network if the
    > computer is firewalled off from it? Why have email capability then stop
    > it
    > from working? Only lawyers do anything so ridiculous. I was one - and
    > hated it for that very reason.
    >
    > Doug - living inside a social firewall, a retirement village, "God's
    > waiting
    > room."
    > --


    Perhaps I have misunderstood some of the security issues in networking, but
    as I understand it, you want a firewall to protect windoze from hostile
    outside forces. Therefore you place the firewall at the line between trusted
    and hostile areas. To me, that is at the router or internet gateway. I use a
    hardware firewall/router/gateway for that.

    I see no value in protecting windoze from other windoze or linux machines in
    the local network. Inside my lan, all the windoze machines have the firewall
    turned off. All can send and receive e-mail through smtp and pop3, and all
    can access shares and printers. For convenience, I have the printers
    attached to the linux file server.

    Windows firewall and the new windows live one care (or whatever it is
    called) really mess up connecting to the file server and printers. My son
    and daughter each have laptops which have the firewall on by default. This
    is appropriate for 'travelling' machines. They turn the firewall off when
    they connect here.

    Stuart




    > Husbands are like the fire on the hearth - likely to go out if left
    > unattended.
    > - W.G.P.
    >



  5. Re: Computer on network connected to the Internet

    On 1 Jul, 19:37, "Stuart Miller" wrote:

    > Perhaps I have misunderstood some of the security issues in networking, but
    > as I understand it, you want a firewall to protect windoze from hostile
    > outside forces. Therefore you place the firewall at the line between trusted
    > and hostile areas. To me, that is at the router or internet gateway. I use a
    > hardware firewall/router/gateway for that.


    This approach to security is known as "hard crunchy outer shell, soft
    chewy underbelly". It's relatively easy, but once an attacker is
    inside, you are prey to whatever they can scan and infest your
    machines with. Firewalling individual hosts, especially potentially
    vulnerable services such as SMTP, can prevent such attacks from
    infesting your entire network and spreading back out to attack others,
    or leaving root kits in place for attackers.

    Please examine the history of the Morris Worm, circa 1988, for what
    can happen to unsecured UNIX systems. The lessons learned then still
    apply to internal networks.

    > I see no value in protecting windoze from other windoze or linux machines in
    > the local network. Inside my lan, all the windoze machines have the firewall
    > turned off. All can send and receive e-mail through smtp and pop3, and all
    > can access shares and printers. For convenience, I have the printers
    > attached to the linux file server.


    Then your Windoze boxes are vulnerable to whatever root kit a script
    kiddie can install through a hacked website when you reach out, or
    anything they succeed in reprogramming your router to allow, or any
    unsecured laptop that shows up on your network.

    > Windows firewall and the new windows live one care (or whatever it is
    > called) really mess up connecting to the file server and printers. My son
    > and daughter each have laptops which have the firewall on by default. This
    > is appropriate for 'travelling' machines. They turn the firewall off when
    > they connect here.


    And I hope all your machines are running good anti-virus and software
    updates, because those laptops can be a Typhoid Mary in your home
    network, with the wrong viruses or rootkits in place. This applies to
    all operating systems, including Linux. Traveling laptops are a
    serious attack vector.

