<br><div class="gmail_quote">On Tue, Jan 22, 2013 at 10:05 PM, Matt Hessel <span dir="ltr"><<a href="mailto:matt.hessel@gmail.com" target="_blank">matt.hessel@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Really good question, and on a subject I work very closely in..<br><br>
Firewalls are more of a security blanket than a guard dog. They<br>
normally do not validate the code you recieve, or the sites you visit,<br>
or even exploitable code that runs over the interfaces... they only<br>
look at source and destination ip addresses and the port for the<br>
traffic.</blockquote><div><br></div><div>If we want to do something more than a security blanket, what would you suggest?</div><div><br></div><div>I have an old reliable 500Mhz Dell machine I would like to put to good use. Perhaps you can recommend some specialized Linux/BSD distribution that we can use for a firewall/IDS, or an access point running hostap and freeradius?</div>
<div><br></div><div>A couple of years ago the Linux Journal Paranoid Penguin column suggested running a transparent firewall in front of your NAT device. And then it might be a good idea to run snort or some other IDS. In another Paranoid Penguin column it showed how to setup radius authentication so you could run WPA Enterprise to rotate the encryption keys rather than using the one pre-shared key.</div>
<div><br></div><div>Not that I am naturally paranoid, but what I worry about in terms of weak points.</div><div>0. What I don't know about!</div><div>1. Our NAT firewall sometimes allows people at least a glimpse inside the LAN.</div>
<div>2. Printers and wireless access points from vendors who rarely or never provide security updates, and it has been shown many times how vulnerable these kind of devices can be used.</div><div>3. Flash, Acrobat Reader and Java have a horrible record of keeping those applications secure, and the browser defaults to allowing any website to run those apps. Noscript can help with firefox, but it is just so annoying to use on all too many websites. Chrome and Chromium have a plugins "click to play" option which is not enabled by default.</div>
<div>4. Of course I try to keep everything up to date, but that isn't always enough.</div><div>5. DNS cache poisoning attacks. Running my own bind servers for the LAN helps, but DNSSEC and DANE enabled applications would be better for the Internet as a whole. </div>
<div>6. Cable Cards, our most recent addition. Supposedly they don't do two way communication on the cable side, but why should I trust the proprietary CableLabs and our local cable company when they are more concerned about treating customers as pirates... </div>
<div>7. Voip device.</div><div><br></div><div><br></div><div>Chuck</div></div>