LinuxQuestions.org - Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
What types of attacks do you get? Please post. (https://www.linuxquestions.org/questions/linux-security-4/what-types-of-attacks-do-you-get-please-post-163319/)

iainr 04-09-2004 01:36 PM

Quote:

Originally posted by unSpawn
No, it's not because of ineffectiveness, it's because a firewall isn't, and shouldn't be thought of as, a single line of defense. Create a single point of failure and bam, there's the prize.
Agreed, but that still misses the point that you can't defend against every eventuality - with limited resources you defend against the ones that are most likely to happen and cause you problems. Yes, a single point of defence is a bad thing; but in many situations it might be quite sufficient - the average home user probably being one of those.

Quote:

I recently witnessed an incident involving one big company and a hole the size of Tokyo in their fw. Executive summary: firewall, human error, gain access. Single lines of defense suck major.

Security isn't a firewall and configuring and deploying a network perimeter firewall is NOT the only thing to do. That would be equivalent to choosing quick wins over long term benefits.
It certainly isn't the only thing that can be done. For any reasonable-sized company, merely having a firewall to protect the business is madness. I've spent a big chunk of my time over the last few years helping some large companies implement just that defence in depth. For home users or small businesses with no expertise in security, nor the money to buy that expertise, a simple, preconfigured firewall may be the most appropriate level. There is a risk in not providing defence in depth; but there is also a cost to do so. For larger companies, the risk clearly outweighs the cost. For small companies and home users, it is not clear to me that this holds true.

Of course, even big companies have to decide where to spend a limited security budget and you can never do everything.

Quote:

The amount of money a company should spend should be related to the level of assurance, protection they need to maintain integrity, business operations. IOW, the value of the assets you're protecting should be a leading factor, not the amount of "threats". Threats will change over time. And I'm not even talking about insider threats.
Well, yes and no. The total spend might relate to the assets, but how you allocate the money must surely relate to the threats. For example, if the threats were mostly physical (gangs breaking in and stealing your hardware), it would be sensible to spend more money on physical security and less on network security. If the threats are mainly script kiddies, it makes more sense to spend more on measures which will keep them out.

Yes, threats will change over time, but of course security is hardly static either. Big companies have a security budget to spend each year. They have a selection of security products to consider, of which they can afford to implement only a small proportion.

My problem (and the initial point of the thread) is that it is very difficult to determine what the threats are; and as a consequence many companies are spending money on security which might be wasted and could be better spent elsewhere (e.g. maybe spending less money on securing the firewall and more on internal defence layers would be better; or maybe the reverse is true: without the data, how can you know?).

unSpawn 04-09-2004 05:44 PM

Quote:

Agreed, but that still misses the point that you can't defend against every eventuality - with limited resources you defend against the ones that are most likely to happen and cause you problems.
Yes, of course you can't defend against everything. The conclusion that means you only defend against things you know of though is a choice you would make based on criteria that don't sound solid. But of course that was your initial question... If I had to reason stuff I've gotta defend against I'd choose to have each networked device get the same basic hardening treatment to get security to a certain level. No questions asked and no discussion needed. Then, depending on the purpose of the box, I'd have to add/tweak/lessen security features to make things work. I'm perfectly aware this doesn't work at all times and certainly not if you don't have the knowledge and discipline or aren't forced to comply with policies. BTW, are you familiar with stuff like security policies?

Quote:

For home users or small businesses with no expertise in security, nor the money to buy that expertise, a simple, preconfigured firewall may be the most appropriate level.
The problem here is education and awareness. SOHO users usually don't understand the power a Linux box really has, sys admin basics let alone want to educate themselves wrt that and enhancing security. That's where the real problem starts.

Quote:

My problem (and the initial point of the thread) is that it is very difficult to determine what the threats are
Even tho I ain't no fan of stats cuz stuff usually will happen outside of what them stats try to predict, I think we should ask around/hunt the 'net for statistics. Maybe that'll help paint a picture. I know SF has a yearly Bugtraq stats page, and I'm sure the various honeypot projects have stats.

iainr 04-10-2004 02:40 AM

Quote:

Originally posted by unSpawn
Yes, of course you can't defend against everything. The conclusion that means you only defend against things you know of though is a choice you would make based on criteria that don't sound solid
I hadn't thought of that conclusion. My conclusion was that organisations will put more resources into defending against threats they perceive to be higher (e.g. the spend on anti-virus software increases greatly in times of high virus infection). Given this, it seems sensible for that perception of risk to reflect the reality of risk as closely as possible. Which gets the highest share of the budget: desktop, Unix, Windows servers, network, mainframe,...? The most precious assets are almost certainly on the Mainframe and Unix but I'll bet that in most organisations, Windows gets more security money.

Quote:

But of course that was your initial question... If I had to reason stuff I've gotta defend against I'd choose to have each networked device get the same basic hardening treatment to get security to a certain level. No questions asked and no discussion needed. Then, depending on the purpose of the box, I'd have to add/tweak/lessen security features to make things work. I'm perfectly aware this doesn't work at all times and certainly not if you don't have the knowledge and discipline or aren't forced to comply with policies. BTW, are you familiar with stuff like security policies?
Sounds like very good advice - thanks. I'm painfully familiar with security policies; the good, the bad and the ugly :)


Quote:

The problem here is education and awareness. SOHO users usually don't understand the power a Linux box really has, sys admin basics let alone want to educate themselves wrt that and enhancing security. That's where the real problem starts.
I think that's a very interesting debate that's starting out. My take on it is that, as Linux grows in popularity on both servers and desktop, it is going to be used increasingly by people who have little knowledge of or interest in security. Either basic security on Linux is simple enough that it works well enough out of the box and keeps on working, or Linux will get discredited with floods of new attacks.

Of course, the more awareness and security knowledge the better; I don't dispute your aim. I just think that in the real world it isn't going to happen to the extent necessary, so we need to deal with what is going to happen before the bad guys do. Given the struggle I sometimes have getting a basic level of security awareness amongst Unix administrators, my hopes for the general population are not high :(

Quote:

Even tho I ain't no fan of stats cuz stuff usually will happen outside of what them stats try to predict, I think we should ask around/hunt the 'net for statistics. Maybe that'll help paint a picture. I know SF has a yearly Bugtraq stats page, and I'm sure the various honeypot projects have stats.
Thank you for the leads. I will check those out and post back to the forum with anything useful I come up with. Stats aren't perfect; but they are better than anecdotes, where your conclusions get wildly skewed by who you happen to talk to and 10 people have 10 totally different views based on equally valid anecdotal evidence.

chort 04-10-2004 12:48 PM

You know, it's interesting to say you (320mb, vi0lat0r) had Windows boxes connected directly to the Internet and never hacked--how would you know? Win98 doesn't have much logging to speak of, very weak process monitoring (unless you install third party software), and it was prone to crashing even if not hacked so people thought that was normal. So tell me, how would you know if Win98 had been hacked?

Now I'm not saying it can't be done, because I know a few things about networking and security and I still have a Win98 box that has never been compromised, but that's because I knew what I was doing and took a lot of extra steps to protect it.

iainr 04-11-2004 03:54 AM

There is one big difference between larger companies and SOHO/home users. Larger companies need to allow some traffic inwards through their firewall. They have VPN setups, web servers, mail servers, DNS servers and so on. An attacker looking at a big company's firewall is almost guaranteed to find open ports.

For many small businesses and home users, there is no need to have any ports open at all on the firewall. Their website (if any) is hosted elsewhere. They might run a mail server with port 25 open, but more likely they use POP3 to pull mail in. They won't have VPN or DNS servers.

So, for all these low-end users, a firewall which blocks every single port, dropping all connections, means that they would have to be pretty unlucky for a port scan to turn into an attack. An attacker would have to decide that a host with no ports open and nothing suggesting it has any special interest was more worthy of attack than lower hanging fruit. Yes, an attacker could target them but for this sort of user a closed firewall probably makes the odds of any more than port scan attacks low enough to not make it worth worrying about (taking the low risk would be the rational approach, given limited time, money and expertise).

Of course, there are other threats; principally viruses/worms and fraud (phishing etc.) for which other defences are appropriate. For low-end users with a firewall, I think these are the more serious (and more difficult to defend against for the security-unaware user). For example, my mother's Win 98 PC was recently infected by a very nasty virus despite running an up-to-date virus scanner, a firewall and being careful about opening attachments. Our best guess is that it came through a bulletin board for which she has specialist software (i.e. not browser access); but who knows.

iainr 04-13-2004 12:52 PM

I have now done some research (though I could do more, there are not too many honeypots making their findings public). I looked at the honeynet project, a few other sites and had a very helpful email from Anton Chuvakin.

My tentative conclusions are

1. Large organisations need defence in depth; no excuses. First, any large organisation will have open ports on their firewall and second they will almost certainly attract attackers who are targeting the organisation and so will not be turned away merely by a secure firewall (e.g. they will look for alternative routes in, for bugs in the firewall etc.).

2. Anyone who has an open port onto the Internet will attract exploits common to that port, and lots of them. Anyone in this situation must ensure that they are up to date with security patches and have a secure setup. Many home/SOHO users in this situation have owned computers but don't know it.

3. Normal users who have no open ports on the Internet have least to fear. In Anton's honeynet, systems which were fully firewalled had no attacks at all beyond port scans. Of course, if such a user were to attract the attention of a serious attacker for some reason, they would still be vulnerable, but this is reasonably unlikely. Other threats such as viruses and web exploits are still effective.

I guess the lesson is that, if at all possible, having a firewall with no ports exposed is highly beneficial. Exposing any ports at all dramatically increases the risk of attack. In addition to this, running an up-to-date virus checker, or a non-Windows OS, is a Good Thing. It does seem that for the normal user, a good closed firewall + virus checker + basic security understanding is probably sufficient for all but the most risk-averse.

unSpawn 04-14-2004 01:39 AM

Dunno if this applies, but I like formal procedures anyway. Here's an oldy (pub 1999), still interesting, but kind of advanced, and it needs lotsa research: http://www.schneier.com/paper-attacktrees-ddj-ft.html
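As an added example (not from the thread, and not code from Schneier's paper), here is a small Python evaluator for the AND/OR attack trees the linked paper describes: each leaf carries an attacker cost, the cheapest route to the root goal is computed bottom-up, and raising a leaf's cost models spending on a countermeasure. The tree, its node names and all the costs are constructed to mirror the thread's SOHO case (one service exposed through the firewall versus none).

```python
import math
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    """One attack-tree node: a leaf with an attacker cost, or an AND/OR goal."""
    name: str
    cost: float = math.inf        # leaf cost; math.inf marks a step that is not possible
    kind: str = "OR"              # "OR": any child suffices; "AND": every child is needed
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (total cost, leaf steps) of the cheapest way to achieve `node`."""
    if not node.children:
        return node.cost, [node.name]
    sub = [cheapest(c) for c in node.children]
    if node.kind == "AND":        # attacker must do all of them: costs add up
        return sum(c for c, _ in sub), [s for _, steps in sub for s in steps]
    return min(sub, key=lambda r: r[0])   # OR: attacker picks the cheapest branch


def mitigate(node: Node, leaf: str, new_cost: float) -> Node:
    """Copy of the tree with leaf `leaf` re-priced to reflect a countermeasure."""
    if not node.children:
        return Node(node.name, new_cost if node.name == leaf else node.cost)
    return Node(node.name, node.cost, node.kind,
                [mitigate(c, leaf, new_cost) for c in node.children])


# Constructed toy tree for a small office whose firewall still exposes one service.
# Costs are arbitrary effort units chosen for illustration, not measured figures.
SOHO_TREE = Node("read company mail", kind="OR", children=[
    Node("exploit exposed mail port", kind="AND", children=[
        Node("port scan finds open port", cost=1),
        Node("exploit unpatched mail daemon", cost=20),
    ]),
    Node("phish a user into running malware", cost=30),
    Node("steal hardware", kind="AND", children=[
        Node("break into the office", cost=60),
        Node("read unencrypted disk", cost=5),
    ]),
])

if __name__ == "__main__":
    print("cheapest attack:", cheapest(SOHO_TREE))
    # A fully closed firewall makes the exposed-port branch impossible (cost inf).
    closed = mitigate(SOHO_TREE, "port scan finds open port", math.inf)
    print("after closing the port:", cheapest(closed))
```

Comparing the two outputs shows the thread's point numerically: with the port exposed the cheapest path runs through it, and closing it shifts the cheapest path to phishing, the "other threats" iainr lists as next in line.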

