***VIRUS WARNING***

  • #16
    methinks the old "saw" that if it's connected to the internet and not firewalled, it's vulnerable is a truism..
    Absolutely Wayne. Anybody that would connect an unprotected system to the internet is either very bold or very stupid. If you don't already, I recommend you subscribe to the CERT notification system. They issue regular messages regarding OS and application vulnerabilities as well as the recommended fixes to keep your server protected from new exploits. Much of my working hours are spent making sure the 300 servers that I share responsibility for are protected from the latest exploits. A firewall will protect you from a lot but not everything, you have to keep the system patches up to date too.

    There are a lot of script kiddies out there with too much time on their hands and have nothing better to do but make others miserable. It doesn't matter what OS you are running you are still a potential target. Microsoft products just happen to be targeted the most often because they have the largest market share. If Apple held 95% of the market it would be targeted too.

    just my .02

    Rick


    • #17
      You admining linux boxes or winderz???

      Yep, firewalling is your friend, updates are also your friend..

      Because we don't share the server that aafo is on, (I'm the only person with access) I can lock it up pretty tightly via the firewall.. use only ssh for command access and ssl for the control panel.. yea, I cheat and use a box with a panel.. Sort of like using an html editor or an auto transmission.. I can shift but I really like just putting my foot down and goin'...

      What part of the woild you operating out of ?

      Wayne
      Wayne Sagar
      "Pusher of Electrons"


      • #18
        Windoze and Solaris actually.

        I personally work in Northern California but the systems are split between California and Texas. It's a large telco whose initials begin with S and end with C.

        The systems I support do LAN\WAN monitoring for a number of Fortune 500 companies so security is very critical, especially if any financial transactions go across our customers' network. The last thing that we want to have happen is for a customer's network to be exploited because we were negligent with our systems.

        It is a never ending battle.


        • #19
          We should probably be talkin this stuff via PM....

          Wayne
          Wayne Sagar
          "Pusher of Electrons"


          • #20
            Uh, yeah. Maybe for your own benefit you may want to remove that last post, or at least the portion that says anything specific about the OS.

            I get requests all the time from sales people who want to tell potential customers what we're running because they asked. Some even want specifics about patch levels and IOS levels on the routers. I give them a generic statement about security policy and leave it at that.


            • #21
              noted and changed

              Off to work...

              Wayne
              Wayne Sagar
              "Pusher of Electrons"


              • #22
                IRONY?


                • #23
                  Re: try again

                  Originally posted by BadIdea
                  The most effective solution is not to use Microsoft products.
                  Almost all these exploits take advantage of defects in Microsoft products.
                  It is an easy and almost foolproof fix.

                  Good idea, Bad Idea... er... umm... yeah. That really is what I meant to say

                  Rampaging diseased wildebeests couldn't make me use an MS web browser or E-mail client. I do occasionally use the Windows operating system, but only on embedded systems that don't connect to the 'net (and don't do E-mail, for that matter). I use MS Word, Excel and Office on my Mac, but they're pretty harmless when kept properly restrained by a Unix OS. I've never had a virus or worm, and haven't lost any data in probably 5 years (yeah, I know- I'm jinxing myself.... better kick off a backup right now...)


                  • #24
                    Re: OS X Firewall..

                    Originally posted by AAFO_WSagar
                    Badidea.. Just did a google for Mac and OSX firewalls.. both have firewalls built in, as does WinXP.. so, there must be ways into a networked Mac or OSX box, if the firewall is turned off, that is..

                    Wayne
                    My two centavos...

                    Yeah, any networked machine can get hacked if it is directly targeted. So sure, Firewalls are good for any machine.

                    BUT...

                    The big problem with MS products is that they are sieves of vulnerabilities, mainly induced by features that are supposed to be "convenient" and with the underlying assumption that the whole world is MS-based. Example- MS Outbreak^H^H^H^H Outlook coming set up to automatically run ".exe" files attached to an E-mail. The fact that Word and Excel "macros" can be used to spread viruses. Everything defaulting to showing HTML in-line, which the spammers love because they get a hit on their website as soon as you load the spam E-mail. That kind of thing. As a result, there are literally hundreds of virii out there that target MS machines and use them to further PROPAGATE themselves... which is virtually unheard of with any other operating system.


                    • #25
                      Re: OS X Firewall..

                      Originally posted by 440_Magnum
                      My two centavos...

                      Yeah, any networked machine can get hacked if it is directly targeted. So sure, Firewalls are good for any machine.

                      BUT...

                      The big problem with MS products is that they are sieves of vulnerabilities, mainly induced by features that are supposed to be "convenient" and with the underlying assumption that the whole world is MS-based. Example- MS Outbreak^H^H^H^H Outlook coming set up to automatically run ".exe" files attached to an E-mail. The fact that Word and Excel "macros" can be used to spread viruses. Everything defaulting to showing HTML in-line, which the spammers love because they get a hit on their website as soon as you load the spam E-mail. That kind of thing. As a result, there are literally hundreds of virii out there that target MS machines and use them to further PROPAGATE themselves... which is virtually unheard of with any other operating system.
                      The most effective solution I've found to protect the networked computers (mostly Macs, but some PCs) that I admin both local and remote, is to spend the bucks for an external router/firewall/detection appliance at the choke point to the world. Even in the $400 range, it's cheaper than rebuilding, reformatting, or that most dreaded remedy, a trip to the shop.

                      Use the individual firewalls in addition to the appliance's virus and attack detection. Most hacks try to open a port, then send for the rest of the payload. If the virus is successful in opening the port on the infected machine, the external appliance traps the attempt to send, sets off the hooter for attention by the admin, and shuts off access to and from the infected machine, essentially isolating it from contaminating any other unit on the local or external net. Doesn't do much for the destructive payload designed to trash your hard drive and that's already doing its thing, but sure lets you know right away of the virus already in and raising hell.

                      Kinda sad that some pre-pubescent anti-social pimple-farmer in a windowless room somewhere gets his jollies doing this kind of thing...

                      Here's a great site for info useful to the common man and not just for geeks; they have a free newsletter sent daily with the latest problems and suggested remedies:

                      eSecurity Planet provides the latest cybersecurity news, trends, and software reviews for IT leaders. Browse our buyer's guides and analysis now.



                      MAE - Comments@Reno-SteadAirport.com


                      • #26
                        Re: OS X Firewall..

                        Originally posted by 440_Magnum
                        The big problem with MS products is that they are sieves of vulnerabilities, mainly induced by features that are supposed to be "convenient" and with the underlying assumption that the whole world is MS-based. Example- MS Outbreak^H^H^H^H Outlook coming set up to automatically run ".exe" files attached to an E-mail. The fact that Word and Excel "macros" can be used to spread viruses.
                        I agree, to a point. I have never used MS "Lookout" (my nick for Outlook) due to the problems you've mentioned. I've always used Eudora Pro and have it set to only show text based emails, html mails are hard to read because you have to dig through the formatting but, much safer.

                        I've also got Norton set to automatically check EVERY MS Office file prior to opening. Not totally safe if the virui can spoof Norton but so far, it's kept me safe.

                        M.A... do you think that a hardware firewall is absolutely necessary? I mean, that much better than a software firewall?

                        I've found Zone Labs product to work pretty well over the years. I've got it locked down pretty tight, so much so that sometimes I have problems getting new programs to work..

                        Anyway, interesting discussion! I doubt that MS products will go away any time soon, nor will the millions using them make any large scale OS swaps. Making what we do use safer is the best short term route I guess.

                        Wayne
                        Wayne Sagar
                        "Pusher of Electrons"


                        • #27
                          Re: OS X Firewall..

                          Originally posted by AAFO_WSagar
                          M.A... do you think that a hardware firewall is absolutely necessary? I mean, that much better than a software firewall?

                          I've found Zone Labs product to work pretty well over the years. I've got it locked down pretty tight, so much so that sometimes I have problems getting new programs to work..

                          Wayne
                          Absolutely. I won't take on a client that refuses. The problems are not just from the outside looking in, but from within as well. You and other knowledgeable users that limit your critical machine's physical access to yourself only, use all the prophylactic software, do routine backups, change your passwords religiously AND stay current in all that shouldn't have a problem. BUT, with the proliferation of $40 SOHO networks installed by the cable company or telco that share Little Jane and Johnnie's laptops, wifey's PDA, a few whizbang gadgets as well as your home business server and remote office Virtual Private Network apps machine, you can bet that the pencil-necks are going to find a way in there somehow. Though DSL uses upper frequencies on a dedicated copper pair, cable drops are common all the way back to the head end's router. With a little creativity and some cheap software, you can see everyone that shares that leg of the cable. Add a little more software and a $20 part, viola, every unsecured wireless node is there for you and everyone else. Most users aren't going to be as meticulous as you are in protecting your equipment and data...

                          Things weren't like this as short as a year ago, but now, without absolute hardware separation, control and programming limited to one support guy from the reputable contract support supplier, the owner, and the onsite (or company available) IT guy, somebody, somewhere, somehow is gonna get into your knickers. Dedicated attempts to hack are easily identified and stopped with the external hardware regardless of the origination point. Repeated attempts get a 'honey box', an old machine salted with stuff too cool for the hacker to pass up. Get him in, give him something to get him back and sooner or later his identity will bubble up somewhere. Same thing goes for 'throw-down' passwords. A power user is usually eight passwords deep, with the highest password reserved for absolutely critical, non-net access. Lower levels for financial, backup, encryption, etc. The lowest are used for bulletin boards, and stuff that can be easily intercepted or distributed by the unscrupulous operators, porn sites being notorious for suckering folks to give up their one and only password.

                          Now, with all that, would YOU feel comfortable if you're responsible for corporate nets with home office users and home nets without that little piece of relatively inexpensive hardware? Not me. Sooner or later, I'll get hacked for real... but until then, I want to try and stay a few steps ahead, sucker punch the little dweebs as they think they're pulling a fast one.

                          Sorry that's a bit more than the $.02, but this year is gonna get ugly with the stuff going around, and most users only get upset AFTER they get the bill from the local computer house to fix a machine and being told that all those pictures and files and programs and documents, along with the 160gb disk they were on, are vapor now... After all, you can restore it from your weekly backup, can't you?

                          I'd much rather spend my time on fixing old greasy machines that go fast and make lots of noise than in a dim room in front of a screen fixing some absolutely avoidable problem, even if the bucks are good.


                          MAE - Comments@Reno-SteadAirport.com
