Netgate Discussion Forum

    How is the out of box security?

General pfSense Questions
    17 Posts 10 Posters 4.0k Views
• mattig89ch

I'm more interested in the idea than anything. I've heard about folks running some kind of firewall between their network and their modem, and never needing an AV.

I don't think I'll ever actually remove my AV (too paranoid [just 'cause I think they're out to get me, doesn't mean they're not]), but the idea of being able to run a more secure network (if only just slightly) is an awesome one.

      Obstacles are those frightening objects we see, when we take our eyes of the objective.

• Gertjan

In that case: the entry point will be a box like this: http://store.pfsense.org/c2758/ and I hope it will handle the load.

Edit: and where are the logs??

No "help me" PMs please. Use the forum, the community will thank you.

• kejianshi

          They are in fact out to get you (and everyone).  Paranoia is just good common sense.

People who run Windows behind pfSense with ClamAV and no AV on the Windows machine just have no idea what they are doing. It's BAD.

ClamAV running in a proxy scanner simply won't get everything.

• BBcan177 (Moderator)

            You can also install an IDS (Snort or Suricata) in pfSense and also block known malicious IPs with pfBlockerNG.

Other good practices are to use a separate computer for banking etc., or at least use different browsers.

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

• mattig89ch

Fair enough, but let's start with the first step: get an add-on to scan and block what it can. Where can I get hold of that ClamAV add-on?

Then I can try to set up Suricata (saw a thread around here where someone was bashing Snort).

• Derelict (Netgate)

Viruses are contracted by computer users through ignorance and stupidity. No virus scanner can fix stupid, at least not 100% of the time. You are better off putting in place a rigorous patching/updating policy, servers too.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

• mattig89ch

Lol, too true.

Was that a stupid question to ask, asking about where to get that ClamAV add-on? Because I never got a response to that question.

Also, Gertjan, were you saying the box I'm running pfSense on would need to be as powerful as that rack-mount thing you linked?

• KOM

@mattig89ch:

I've heard about folks running some kind of firewall between their network and their modem, and never needing an AV.

I wouldn't do that. Security is not a product, it's a methodology. Security is done in layers, like an onion. Having a firewall is a must, but it's not a replacement for other attack mitigation technologies like Snort on the firewall plus local AV on the clients. And even then you're still not fully covered, because you can never be.

• MikeV7896

                      @mattig89ch:

Where can I get hold of that ClamAV add-on?

                      System menu > Packages is where the various package add-ons are located (if I'm remembering correctly; not at home to check).

                      Personally? Windows without some kind of malware detection on the computer is just not smart. I will always have at least some kind of free malware detection installed, if not something better.

There are plenty of other ways malware can get onto a computer than over the internet. USB flash drive? Memory card from a friend's camera (did you remember that there used to be malware that took advantage of JPEG exploits)? How about someone's computer connected to your WiFi? That wouldn't go THROUGH the router, because it would be within your own network (unless you set up a separate network for wireless access).

Even if it's Microsoft Security Essentials/Windows Defender, which is about as basic as you can get for Windows malware scanning, you should still have some kind of malware detection on your computer.

                      The S in IOT stands for Security

• Harvy66

Out of the box, pfSense has great remote security. It can protect you from the outside world trying to get into your network, but it won't stop your network from trying to get to the outside world.

• surething

The way that I have been trained to look at it is security in layers. Even though you can beef up your security on pfSense and make it a proxy/IDS/firewall, host-based firewalls are a must for zero-day exploits; case in point, the SCADA exploit which was aimed at the spooler service. If the computer is not sharing a printer, then block that port at the host. While there are services like Snort that cover the network traffic, physical access is not covered; anything like a USB drive or a file that got through pfSense could wreak havoc.

Now if you are wondering what kind of protection you need after pfSense, this is what I recommend. If you have pfSense running Squid to filter out malicious ads, the firewall configured to lock down traffic, and Snort on the WAN with balls-to-the-wall security enabled, then Windows Firewall correctly configured is perfect. Now if the units are leaving your managed network (laptops), that is where you would consider an intrusion detection and firewall combo. Antivirus is a must regardless of firewall. Remember, if you are patching and updating your antivirus, other things on the top of the pyramid are nice but not required. Everything helps security; it starts with the basics though.

• firewalluser

                            Some thoughts.

Anything capable of running software of sorts, be it your computer, firewall, mobile phone, printer, photocopier, TVs, vehicles etc., with the ability to update it with new versions of software has the potential to be hacked.

With that in mind, the next question is how easy is it to update? TVs can be updated over the air, some vehicles & phones similarly; now in the case of computer networks, you need to isolate everything, otherwise something like Stuxnet & other rogue software can be hiding in your network printers or photocopiers or switches.

One way is to isolate everything into its own unique sole VLAN with firewalls blocking everything that's not permitted.

Permission should only be granted when you want to, like for example allowing access to update sources during dates & times of your choosing; none of this allowing anything to touch base unnecessarily, like Windows desktops phoning home to MS in the US when you log on for example, same for switches.

Bear in mind all ISP routers and firewalls have a default allow-out-to-the-net rule, including pfSense; what an easy way to walk out with your data.

Audit all PCs where possible so you know what the contents of your computers' HDs are, frequently, because the flaw with AV software is simply this: the AV companies need to find the virus first before they can add it to their signature database of known viruses. In other words your AV software cannot protect you unless the AV company has found the virus.

For point of reference, AV companies can spot variations of the same virus automatically in most cases, which are the updates we receive hourly, daily, weekly etc.; it's the new viruses that can take weeks, months, years to reverse engineer before they consider something a virus or not, and that's before we get into polymorphic software.

Bear in mind it's entirely possible for app stores, including MS updates, to serve unique files just for you if you want to be really paranoid, and how do you know that DLL coming down the wire is what it says it is?

Bear in mind it's also possible to hide software in the less-used parts of spinning disks which no longer get formatted when reinstalling your Windows OS, as it does a quick NTFS format which just resets the FAT (disk index), not blanking the contents (the chapters of the book).

Log all traffic data in and out and have something to analyse the data so it flags up anomalies or unaccountable network traffic. Get to know the data patterns by day, week, month & year, much like you would know when your car is not running quite right.

In some cases block SSL traffic out of your machine as you don't know what data is being lifted/sent that could incriminate you; even your Windows OS tracks the files like what you send to the recycle bin, and that is part of the forensics built into Windows.

Be careful of Google, it's very Machiavellian and will serve you data which can land you in court; be careful of websites you visit as some don't allow you to report questionable data, again setting you up for a fall if the authorities so desire.

Work on the basis that if you can think it, so can they, but they will have beaten you to it in ways to access that data, and remember a request from one country to another is not always immediately illegal except where the conspiracy to commit a crime is punishable, like here in the UK, which means every request GCHQ sent abroad to foreign spooks is committing a crime even though they like to portray that they don't break the law, dontcha believe it. They will even employ phishing techniques in major online news media via comments and other websites to find out the information they want to know, like how easy it is to evade their detection. ;D

                            FWIW.

Capitalism, currently The World's best Entertainment Control System and YOU can't buy it! But you can buy this, or some of this or some of these

                            Asch Conformity, mainly the blind leading the blind.
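firewalluser's advice to audit what is actually on each PC's disk, and to ask whether a file coming down the wire is what it claims to be, comes down to keeping a hashed inventory and diffing against it. The script below is an added example written for this thread; it is not code from the forum, from pfSense or from any AV product. It assumes nothing beyond the Python standard library; the demo tree it audits is constructed in a temporary directory, and the "trojaned" binary deliberately keeps the same size as the original so that only the hash reveals the change.

```python
"""Baseline-and-diff content audit of a directory tree.

Added example for this thread, not code from the forum or from any AV vendor.
It hashes every regular file under a root, stores the inventory as JSON, and
diffs two inventories to list what appeared, vanished or changed. The demo
builds a throwaway tree in a temp directory (constructed data, not a real disk).
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file read in 1 MiB chunks, so large files never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map 'relative/path' -> (size, sha256) for every regular file under root."""
    inventory = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order regardless of filesystem
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, devices and sockets are not file content
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            inventory[rel] = (os.path.getsize(full), sha256_file(full))
    return inventory


def save_baseline(inventory, path):
    """Persist an inventory; keep this file off the audited tree and ideally read-only."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(inventory, fh, sort_keys=True, indent=1)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return {k: tuple(v) for k, v in json.load(fh).items()}


def diff_snapshots(old, new):
    """Paths present only in new, only in old, or in both with a different hash."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p][1] != new[p][1])
    return {"added": added, "removed": removed, "changed": changed}


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a tree, tamper with it, audit again."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        _write(os.path.join(root, "bin", "tool.exe"), b"MZ original program")
        _write(os.path.join(root, "readme.txt"), b"documentation")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Simulated compromise: the binary is swapped for one of identical size,
        # a new DLL appears, and a file disappears.
        _write(os.path.join(root, "bin", "tool.exe"), b"MZ trojaned program")
        _write(os.path.join(root, "bin", "dropper.dll"), b"MZ dropper")
        os.remove(os.path.join(root, "readme.txt"))

        return diff_snapshots(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it against a real root (`snapshot("C:/Windows/System32")` on Windows, `snapshot("/usr/bin")` elsewhere) from a known-clean state and keep the JSON baseline somewhere the audited machine cannot write to; the diff then tells you what changed between patch cycles, independent of whether any signature database knows about it.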
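The same post recommends logging all traffic in and out, learning what normal looks like per day and week, and only letting devices such as printers reach their update sources during a window you choose. The script below is an added example written for this thread, not code from the forum or from pfSense. It assumes the pfSense filterlog CSV field layout for IPv4 TCP/UDP (rulenr,subrulenr,anchor,tracker,iface,reason,action,direction,ipver,tos,ecn,ttl,id,offset,flags,protoid,proto,len,src,dst,sport,dport,...), that the LAN interface is named igb1, and that the printer at 192.168.10.30 is only meant to talk out between 02:00 and 04:00; every log line is constructed for the example and the addresses are documentation ranges, not real traffic. It treats "pass ... in" records on the LAN interface as host egress, builds a per-host baseline of outbound services and destinations from known-good lines, then flags anything in a newer batch that the baseline or the update window cannot account for.

```python
"""Flag egress that no baseline accounts for, from pfSense filter log lines.

Added example for this thread, not code from the forum or from pfSense.
Assumptions: the pfSense filterlog CSV field layout for IPv4 TCP/UDP, a LAN
interface named igb1, and the constructed sample lines below (not real traffic).
"""
from collections import defaultdict
from datetime import datetime

LAN_IFACES = {"igb1"}  # assumption: igb1 is the LAN interface

# Hosts only allowed out during a chosen update window (start_hour, end_hour).
# Assumption for the example: the printer at .30 may only update 02:00-04:00.
UPDATE_WINDOWS = {"192.168.10.30": (2, 4)}

# Constructed known-good traffic: a workstation (.20) doing HTTPS and local DNS,
# and the printer (.30) fetching its update at 03:00.
BASELINE_LOG = """\
Mar 02 09:14:03 fw filterlog[1234]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.10.20,93.184.216.34,51000,443,0,S,1,,65535,,mss
Mar 02 09:15:10 fw filterlog[1234]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.10.20,151.101.1.69,51001,443,0,S,1,,65535,,mss
Mar 02 09:15:11 fw filterlog[1234]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,,17,udp,70,192.168.10.20,192.168.10.1,41000,53,50
Mar 03 03:00:02 fw filterlog[1234]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.10.30,203.0.113.10,40000,443,0,S,1,,65535,,mss
"""

# Constructed new day: the printer talks to a strange host mid-afternoon, the
# workstation opens SMB (445) to the internet, and its usual HTTPS is also there.
NEW_LOG = """\
Mar 04 14:22:41 fw filterlog[1234]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.10.30,198.51.100.77,40001,443,0,S,1,,65535,,mss
Mar 04 14:23:05 fw filterlog[1234]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.10.20,198.51.100.9,51002,445,0,S,1,,65535,,mss
Mar 04 14:23:06 fw filterlog[1234]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.10.20,93.184.216.34,51003,443,0,S,1,,65535,,mss
"""


def parse_filterlog(line):
    """Return a record for a passed IPv4 TCP/UDP packet entering from LAN, else None."""
    _, sep, rest = line.partition(" filterlog[")
    if not sep or "]: " not in rest:
        return None
    fields = rest.split("]: ", 1)[1].split(",")
    if len(fields) < 22:
        return None
    iface, action, direction, ipver, proto = (fields[4], fields[6], fields[7],
                                              fields[8], fields[16])
    # "in" on the LAN interface is a host sending towards the firewall,
    # i.e. egress from the network's point of view.
    if iface not in LAN_IFACES or action != "pass" or direction != "in":
        return None
    if ipver != "4" or proto not in ("tcp", "udp"):
        return None
    when = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog stamp, no year
    return {"when": line[:15], "hour": when.hour, "src": fields[18],
            "dst": fields[19], "proto": proto, "dport": int(fields[21])}


def parse_records(text):
    return [r for r in map(parse_filterlog, text.splitlines()) if r]


def build_baseline(records):
    """Per source host: outbound services and destinations seen in known-good traffic."""
    base = defaultdict(lambda: {"services": set(), "dsts": set()})
    for r in records:
        base[r["src"]]["services"].add((r["proto"], r["dport"]))
        base[r["src"]]["dsts"].add(r["dst"])
    return base


def flag_anomalies(records, baseline):
    """Records that neither the baseline nor the per-host update window account for."""
    findings = []
    for r in records:
        reasons = []
        known = baseline.get(r["src"])
        if known is None:
            reasons.append("host never seen in baseline")
        elif (r["proto"], r["dport"]) not in known["services"]:
            reasons.append(f"new outbound service {r['proto']}/{r['dport']}")
        window = UPDATE_WINDOWS.get(r["src"])
        if window:
            start, end = window
            if not start <= r["hour"] < end:
                reasons.append(f"outside update window {start:02d}:00-{end:02d}:00")
            if known and r["dst"] not in known["dsts"]:
                reasons.append(f"new destination {r['dst']} for update-only host")
        if reasons:
            findings.append({**r, "reasons": reasons})
    return findings


def analyze(baseline_text, new_text):
    return flag_anomalies(parse_records(new_text),
                          build_baseline(parse_records(baseline_text)))


if __name__ == "__main__":
    for f in analyze(BASELINE_LOG, NEW_LOG):
        print(f"{f['when']} {f['src']} -> {f['dst']}:{f['dport']}  "
              + "; ".join(f["reasons"]))
```

Note that this only sees what the firewall logged, so the LAN pass rule must have logging enabled (the default "allow LAN to any" rule does not log), and a host on the same VLAN as its target never crosses pfSense at all, which is the reason for the one-device-per-VLAN layout firewalluser describes.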

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.