lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200401171856.i0HIu1gb008441@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Re: January 15 is Personal Firewall Day,help the cause 

On Sat, 17 Jan 2004 10:20:56 PST, Jim Race <caferace@...l.com>  said:
> Since the ping-pong game is far past 21 points...
> 
> How safe would you consider:
> 
> A WinXP box with all current patches
> A properly configured HW firewall
> ICF enabled, web services ONLY enabled and all ICMP requests disabled
> Apache (latest) installed with no add'l modules (static pages only)
> NOT running Outlook or OE
> Mozilla with Java and JS disabled in email
> An "admin" who knows not to run attachments
> No add'l (hated) SW firewalls
> No AV stuff running, except when scanning known executables

What's your threat model?  Does it have to be "safe" against just the random
crap that is background noise on today's networks, or are there other considerations?

What's your trade-off model?  If it *does* get whacked, what are the
consequences? Remember to *NOT* spend more time/money/effort on securing it
than you would lose if it was in fact compromised.

There's two main classes of attacks to worry about:  the "random noise" of all
the worms and viruses, and targeted attacks by opponents of varying skill and
resources.  The hardening you describe is probably quite sufficient to repel
most of the "random noise", so it's the second category you need to worry
about.

If it's a personal machine, you're just using Apache to serve up photos of the
barbeque to your friends, and the worst that happens is you have to reload your
'My Documents' folder off a CD-ROM backup, you're probably *very* safe. Just
remember to not piss off a script kiddie on IRC. ;)

If you're using the machine to access a corporate database, you probably want
to do some more policy-level and ACL hardening on the inside - the biggest
threat to your HR database is still an underpaid secretary in Accounts
Receivable.

If you're using the machine in a true life-or-death environment (medical
monitoring, processing classified data, launch codes, etc), you're nowhere near
hardened enough.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040117/e2248ee6/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ