internal security
If I have set up my firewall with the best iptables rules in the world, I know that that will only protect your network but so much. I believe that through http and smtp is where most of today's headaches occur (instant messaging, spyware, e-mail, etc.). Once you go on the internet it is just a matter of time before something slips through as well as e-mail. Here is my setup:
dsl
|
|
linux /firewall/proxy/squidguard
|
|
2 - windows 2k wireless cpu's
If my system is secure externally on my firewall end, then what would be the best way to protect my internal network from, let's say, Yahoo Instant Messenger or Internet Explorer coming in and infecting my linux server and/or sacrificing security internally?
|
With the firewall, you should be secure against direct attacks to your computer; however, as you say, you are still vulnerable to viruses via email, web browsing etc.
The best advice I can give is:
- keep your boxes patched
- run anti-virus software
- use firefox instead of ie
- use some form of anti-spyware, passive or active
As for mail, you could run an internal mail server, otherwise configure your AV software to scan incoming mail.
|
Remember that a computer is not a living organism: the phrases "virus" and "infect" are really misnomers. They imply that rogue-programs are somehow magic. They are not.
The first and most basic thing that you must always do is to keep your operating system up-to-date. Various root-exploits exist for Linux just as they do for Windows, and while they are fixed as fast as they are found, you must still apply the fixes. Distributors are pretty good about getting these out quickly.
The next thing you must do, as previously discussed, is to make sure that your ordinary everyday account is not "root" and does not have special file-access rights. Your personal account should have access to nothing more than "your things."
Always remember backups: current, maintained. USB 2.0 disk drives that hold many gigabytes and fit in your pocket, or in a safe-deposit box(!), are dirt cheap now. Buy several. Use them. You can also use tools like Amanda, using her only to make on-disk backups with no regard for tape. (In my experience, if you rely simply upon your own memory and schedule to make current, reliable backups, "the backups won't be." The initial backing-up step needs to be "set it up and fuhgeddaboudit.")
Make sure that your computer is only running the servers (daemons, services) that you actually require, and that you know why each one is there.
Make sure that all default accounts are firmly shut-down and cannot be logged into.
For system maintenance activities other than rootly things, set up a normally-disabled separate user-ID for that purpose. This user, while not root, has the ability to enter a group (such as wheel) that gives it access to more things. But even then, it doesn't have access to the system... /usr/local yes, but not "the" system.
Your primary goal is to make your system even "slightly more" protected than the average Joe's. Your primary assailant will be a totally-automated script-kiddie troll, which will find your computer entirely by-accident.
As mentioned, the reason why Windows gets assaulted so much is, imho, primarily the simple fact that the default installation ships with only one user, who is an [all-powerful] Administrator. Thus, when a rogue program slips in and tells the system, "Kill yourself," the computer obediently points its wand at its own forehead and shouts "Avada Kedavra!" The computer has been told to obey any orders that are given "in Administrator's (aka Root's) name." Rogue programs, in that situation, have the authority to tell the computer to do anything and be obeyed. And that is the root ;) cause of the problem.
|
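One way to check the account advice in the post above (no second root-equivalent account, default accounts not loginable), as an added example that is not part of the original thread. The passwd/shadow entries are constructed sample data, and the cutoff of UID 1000 for system accounts is an assumption that varies by distribution.

```shell
#!/bin/sh
# Added example: audit local accounts against the advice in the post above.
# All passwd/shadow entries below are constructed sample data.

make_sample() {   # $1 = directory to write the sample files into
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
maint:x:900:10:maintenance:/home/maint:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
games:$6$constructed$hash:19000:0:99999:7:::
toor:$6$constructed$hash:19000:0:99999:7:::
maint:!$6$constructed$hash:19000:0:99999:7:::
alice:$6$constructed$hash:19000:0:99999:7:::
EOF
}

audit_accounts() {   # $1 = passwd file, $2 = shadow file, $3 = first normal UID
    awk -F: -v min_uid="${3:-1000}" '
        FILENAME == ARGV[1] { hash[$1] = $2; next }     # first operand: shadow
        {
            name = $1; uid = $3 + 0; shell = $7
            # A second UID 0 account is root under another name.
            if (uid == 0 && name != "root") print "uid0 " name
            nologin = (shell ~ /\/(nologin|false)$/)
            # No shadow entry is treated as locked; "!" or "*" marks a lock.
            h = (name in hash) ? hash[name] : "!"
            locked = (h ~ /^[!*]/)
            # System account with a real shell and a usable password.
            if (uid > 0 && uid < min_uid && !nologin && !locked)
                print "loginable " name
            if ((name in hash) && h == "") print "nopasswd " name
        }
    ' "$2" "$1"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_accounts "$tmp/passwd" "$tmp/shadow"   # reports games and toor
rm -rf "$tmp"
```

On a real host the same function can be pointed at /etc/passwd and /etc/shadow (reading the latter requires root); the locked "maint" entry models the normally-disabled maintenance ID the post describes.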
Is there anything that can be done that can help with controlling AOL Instant Messenger and Yahoo Instant Messenger on the linux firewall/proxy/squidguard end? I have had pop-up viruses and stuff being sent through those messaging services! Also, I am using squid and squidguard together; under what log file can I view what websites they have been to and vice versa?
|
Really, if Yahoo IM is letting through viruses and popups, that's something you should deal with on the Windows end. Squid isn't magic - it can't see what's a popup and what's part of the page. You might want to google for 'squid and clamav' to see if you can integrate virus scanning into it, but I'm not sure how well this works, if at all.
|
What is your opinion on CLAMAV and VIRALATOR? With this utility I can run an anti-virus on my proxy service!
|
Biggest potential hole in your setup is the wireless.
|
What about RADIUS?
|
Radius-type technologies make a large and complex setup easier to administer, and they do so with reasonable security (which is actually saying a lot!), but they do not add to the security in the sense that "you should use them even when their use is not otherwise indicated." If you are feeling the pain that Radius is designed to address, then Radius will make you feel a lot better, but if you are not, it is overkill.
The most common rogue that you must defend against on the Internet is simply a cat-burglar; simply an opportunist. He's the one who'll probe for available wireless networks just to see if he can find one (haven't you? ;) ...), and he'll abuse one if he can find one, but if the network is protected even by the simplest application of WEP he'll pass it by. (There are plenty of unsuspecting, clueless fish in that pond... why bother with one who has a clue?) The configuration I suggest is a simple, basic application of VPN... and toss WEP in on top of that ("why not?")... and you can be sure that no one will spend too long assailing the walls of that castle for very long, let alone get inside. It's the same reasoning that makes me say, "if you need to use SSH, for Pete's sake use certificates!" The very slightest effort on your part will instantly transform your house into "the one who has its doors locked," and thus, the one least likely to be burgled. (As they say, and it is true, "the most important component of your home security system is the sign in your front yard.")
|
I was thinking of using FREERADIUS.
|
Look into ClamWin [clamwin.com] for a free Windows anti-virus application.
|
I personally use f-prot! ClamAV is a little too much to configure and the documentation sucks! The only problem with f-prot linux edition is that it doesn't have a daemon running to detect viruses instantly. I have to schedule runs. On the wireless side is where my problem lies, along with instant messenger, etc. I am going to run RADIUS and authenticate using WPA2 when there is support from the linux community.
|
I will try these suggestions, thanks.
|