Norton Internet Security - Imperial Death Star?

Discussion in 'Computer Software & Operating Systems' started by kolabere, Aug 3, 2006.

  1. kolabere (Active Member, joined Feb 8, 2005)
    I've been a Norton user for the best part of a decade, and have stoutly defended it here and elsewhere on many occasions. But even I have a limitation to my patience. The final straw came this week following a system crash - a critical error has occurred, Norton Internet Security must be uninstalled and then reinstalled :mad: .

    Well, this is a Sony VGX-XL100 and I have no discs; a reinstall requires a restore of the initial image. Strangely, after a reboot everything is working again!

    The bottom line is that I'm not going to purchase NIS when the trial runs out. So what do I go for instead?

    I have listed below what I think are the best (red) and the best freeware (green) of the available choices from my browsing around. No suites have been included, I want individual pieces.

    CATEGORY         BEST                       BEST FREEWARE
    FIREWALL         Agnitum Outpost Pro 2.5    Zone Alarm 6.5
    ANTI-VIRUS       F-Prot Anti-virus          AVG Anti-virus
    SPYWARE          Webroot SpySweeper         MS AntiSpyWare; Adaware SE Pro
    SPAM FILTERING   InBox v2                   SpamBayes

    The best in breed selection comes in a just short of £100, which makes NIS seem cheap :eek: .

    Any comments? And what do you have or would go for?

    ----------------------------------------------
    Edit: It's nearer £80, but that's still 3 times NIS!!
     
  2. drummerjohn (Active Member, joined Sep 2, 2001, South Derbyshire)
    Like you I used NIS for 3 years until it missed a keylogger.

    I then tried Bitdefender AV and found it to be superior in every way.

    My Bitdefender is just about to expire after 2 years of use so I tried other AV software...

    Kaspersky - wouldn't even update from their website properly.

    Zone Alarm - basic compared to BD.

    I did try another but forgot what it was.

    In short - as a standalone AV program, I still found Bitdefender to be best.
     
  3. The Dude (Distinguished Member, joined May 21, 2004, Beverley, East Yorkshire)
    FIREWALL: I don't bother with SW firewalls (providing you have a HW firewall on your router)

    ANTI-VIRUS: AVG and Avast are both excellent, and free, AV products

    SPYWARE: Windows Defender (new name for MS AntiSpyWare), and also run CCleaner 1.3 nice and often

    SPAM FILTERING: Try Thunderbird, the spam filtering is getting really quite good.

    :)
     
  4. kolabere (Active Member, joined Feb 8, 2005)
    I thought it was best to have both. I do have a router with firewall.

    There does seem to be universal consensus about AVG.

    I'll check CCleaner - not heard of it before.

    Can't remember exactly why, but when I tried Thunderbird, during a foray into Linux, I just preferred Outlook; the rest of the family prefer it too.

    I thought I'd get a little more discussion on this, but maybe the title is wrong. Thanks for your ha'p'orth :smashin: .
     
  5. Steve.J.Davies (Well-known Member, joined Nov 14, 2004)
    I use AVG (free)
    Kerio (free) - had to do a few tests and write some packet filter rules to make sure everything was in stealth mode.
    Ad-aware (free version)
    Spybot (free)
    Privoxy (free) with some extensive rules especially covering/disabling the tracking code that is everywhere (e.g. Red Sheriff) and javascript naughties.
    A good hosts file (free)
    Opera as main browser (well configured and free) (e.g. use the privoxy proxy) No Java, No ActiveX, .swf disabled, other stuff...)
    Firefox as secondary browser (also configured and free).
    Thunderbird for email (free)
    Okay - I'm cheap....
    I don't apply Windows updates (after getting the system stable and up to date after the initial install).
    I do keep the products listed above up to date though.
    Have CCleaner installed but only use it when I spot it in the programs list and decide to 'just make extra sure'.

    It's a setup that has worked for me for some time - no bad boys yet (but still I run the checks..).

    YMMV
     
  6. wywywywy (Active Member, joined Feb 16, 2006)
    Hi,

    Have a look at NOD32, a very good AV that at the same time uses very little memory.
     
  7. springtide (Well-known Member, joined Oct 7, 2005)
    Don't bother running a SW or HW firewall. Just run NAT on the broadband router - this will hide you from all but the most aggressive hackers. (If they are that determined, they'll get in anyway.)

    Problem with firewalls is that you'll open up the worst offending ports to access the internet! (i.e. http/https/ssh/telnet). SW firewalls are better as they can restrict applications to ports (i.e. restrict only IE to http/ftp etc) but many of the spyware and viruses will hijack IE (or other web browser). Good spyware software will protect you from this type of attack.
    Note that I'm not stating that https or ssh protocols are flawed, but the fact the ports are open means a hacker can use this port for communication off your box!

    I've been running Norton Virus SW (I get this free from work), Webroot's SpySweeper and NAT on the router for the last year and am pleased to say my computer is still squeaky clean. (I also check with other spyware tools to see if anything has got through.)
     
  8. Steve.J.Davies (Well-known Member, joined Nov 14, 2004)
  9. springtide (Well-known Member, joined Oct 7, 2005)
    I agree that NAT is not the best protection, but it does give enough for hackers to pick someone else. It's a bit like a house alarm. For the serious thief this will offer no protection (unless you've seriously spent some cash), but it does make the thief pick someone else's house.

    At home, there's very little gain to be had from hacking someone's home computer, so generally only amateurs will bother. As for the h/w firewalls built into routers, they have more holes than Swiss cheese, so offer little protection from the serious hacker. That's why if you are serious about security (as there is something to lose) you need to think about implementing firewalls that really do offer protection... something like a Juniper Netscreen (http://www.juniper.net) that can do packet-level scanning for the popular protocols (a bit like virus scanning, but at a packet level), but even these $50K firewalls won't be able to spot tunnelling attacks over the standard "ssh" or "https" ports (due to the encryption). Note that you are not restricted to using ports for their intended use, i.e. you can run http over port 443 and 23, or run your IE or Netscape "homebrew hacker application" over port 80. And don't think IE is the least secure browser. It's probably the most secure browser, but also the most popular, hence the most exploited.

    The problem with firewalls is that unless you are blocking the most vulnerable ports (e.g. 80/http, 443/https) then you've lost the battle before you've begun, i.e. most people know that these ports will be "open" on the firewall, so these will be the ports that give them the best chance of access, hence the ones they will try to use.
     
  10. Steve.J.Davies (Well-known Member, joined Nov 14, 2004)
    "don't think IE is the least secure browser. It's probably the most secure browser, but also most popular, hence most exploited."

    This is related to risk, not software engineering. Risk increases with frequency, which is why broadband users need to run a tight ship.

    Can't say I agree with the comment either. Security has to be designed in to be effective. That means a rewrite of IE and a new design - and probably a new development and testing method. Highly unlikely on their own, but factor in that IE is an extension of Explorer Desktop and it's obvious there is no likelihood of a sea change.
    M/S tried (at least twice) to rewrite Word. Code base around 2000 percent bigger than it needs to be (last time I read about it), and with that extra complexity comes all kinds of problems. Not just the raw ones: that error/bug rate is proportional to lines of code and that software testing only removes the minimum number of bugs to pass the tests (some clever population studies about this from Oxford IIRC).
    Now is the Word code base indicative of M/S code or contra-indicative, I wonder...

    Lots of browsers to choose from -
    e.g.
    http://mywebpages.comcast.net/SupportCD/FreewareBrowsers.html

    Or check out Bruce Schneier's views at Counterpane.
    http://www.counterpane.com

    CERT currently shows Current Activity that includes Multiple Vulnerabilities in I.E 6.
    http://www.cert.org

    or flip the coin and look at

    http://metasploit.blogspot.com/2006/07/month-of-browser-bugs.html

    which can lead you to

    http://browserfun.blogspot.com/

    --------------------------------
     
  11. springtide (Well-known Member, joined Oct 7, 2005)
    I'm not disagreeing, but as you said security is related to risk, and this is risk to the average "Joe Bloggs" user. The risk of hacking is minimal as long as you are not the "lowest hanging fruit". People spend too much time worrying about internet security when it's not really necessary. I have a PC with no local data, etc. and do not use it for any data-critical tasks (online banking etc).
    It has disk imaging s/w built into the BIOS, so I just reimage it once a month to get the install back to a known point. To be honest, I'm interested in what the PC does pick up, to better understand the threats that are out there. I'm not suggesting that other people should implement this policy, but it's a good example of how a very low-impact system can be administered using policies that "go against the grain".

    I speak to far too many people who go overboard with internet security but do not take on the other critical tasks that are also a threat, i.e. backups, etc.

    I have 3 PCs in my house, and I can say that if I lost any one of the PCs (or the house burned down), I would be able to recover from this disaster.

    People get too bogged down with security and forget about the basics. Also there are far too many people out there who do not know what they are doing. I knew a guy who locked down every port on his router to secure his network, and then put his main PC (which he used for banking etc) in the DMZ!

    Take security seriously, but also put it in perspective. We do not have "infinite resources" for home PC support, so look at the risk or potential loss, and implement security based on these parameters.
     
  12. The Dude (Distinguished Member, joined May 21, 2004, Beverley, East Yorkshire)
    Springtide, are you sure you've understood how Firewalls actually work? :confused:


    There's no need to start opening up any ports on your Router's firewall, the only reason you'd open up a port is to let inbound requests through.
    If you've gone and opened up port 80, then I can understand you thinking that HW firewalls are full of holes! :devil:


    You're wrong about IE too; whether due to its popularity or not, it's probably the most hacked piece of software in history.

    On that basis alone, running IE is the biggest single security risk to your PC, basically. :thumbsdow

    The reason your PCs are OK, is because you are using the HW firewall on your router.
     
  13. kolabere (Active Member, joined Feb 8, 2005)
    Some more good advice here - as always with this topic some contradictory ;) .
     
  14. springtide (Well-known Member, joined Oct 7, 2005)
    I'm not using a FW on my router, just using NAT (there is a big difference)... and yes I do know how firewalls work. Unless you open up port 80 then you will not be able to surf the Web, as that's the port for http requests (hence the most commonly used port for hacking!)

    Yes you can restrict inbound requests to a restricted host set, but this becomes unmanageable if you use the internet for surfing a lot.
    Because the port is open, it can be used for just about anything - unless you are doing very advanced packet filtering (available on high-end FWs).

    Port 443 is a very special port as it's used for https (basically encrypted http), so very likely to be open on a router. It's very special since on most ports you can do packet filtering and check that the port isn't being used for anything else apart from its intended purpose. 443 is very special since you can't do any packet filtering as the data will be encrypted, so it's pretty easy for someone to create a homebrew app (with SSL encryption) to run whatever he likes on this port without trace.

    FYI - Fact. There are more vulnerabilities released by Redhat on a monthly basis than by Microsoft!
     
  15. andrew1810 (Active Member, joined Apr 4, 2004, North East)
    I have only one open inbound port on my router, and that is for me to dial into my HTPC; before that they were all closed and everything works fine.
     
  16. springtide (Well-known Member, joined Oct 7, 2005)
    Sounds like the "popular ports" (http, https, ftp etc) are "always open" on your router. This is sometimes implemented to aid easy configuration for non-technical users. You can sometimes override this setting in an "advanced menu".

    The only way to receive traffic over port 80 (default http port) is if the port is open, i.e. "http" will by default communicate over port 80, hence it has to be open for "http" to work. You can easily check this by "telnet"ing on port 80 to an external Web server...

    e.g.

    telnet www.plus.net 80

    <enter a few characters and press return>

    And you'll get something like.....

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>301 Moved Permanently</TITLE>
    </HEAD><BODY>
    <H1>Moved Permanently</H1>
    The document has moved <A HREF="http://www.plus.net/">here</A>.<P>
    </BODY></HTML>
    Connection to host lost.

    Before the Web server decides you're being stupid (or malicious) and disconnects you!

    This is a very good example of a protocol communicating over its non-default port, i.e. telnet, which is usually on port 23, on port 80!

    I'm not saying you shouldn't worry about security, obviously you should! But you should understand what you are protecting yourself from (Viruses, Spyware, Hacking etc), look at the risks and implement accordingly based on all the facts.

    The main potential impact from the security threats to Joe Average will be data loss and personal information (for online banking etc). This is much different to companies, who also have to worry about IP (Intellectual Property). These threats will be mostly spyware and viruses (spyware now being the highest risk). Firewalls provide little or no protection against the most common threats that you will have at home (viruses and spyware), since spyware and viruses will communicate over commonly used ports that they know will be open on a firewall - port 80 being the most common, as very few people will block standard Web traffic!

    So, if you run a Windows based system....

    1) Always keep your PC up-to-date using Microsoft's Windows Update. Most exploits occur within days of the MS patches being released. Very few attacks occur before the patches are in the public domain. One problem with running a third party Web browser is that Windows Update will not keep this software up-to-date, hence requires additional management.

    2) Run a good Virus program and make sure the virus definitions are always kept up-to-date.

    3) Run active Spyware software that has active "shields" (e.g. SpySweeper) and make sure the Spyware definitions are always kept up-to-date. Note that most "free versions" of the Spyware tools do not include the active shields. Active shields are the most useful part of Spyware tools, since they stop the Spyware being implanted onto your machine in the first place, and also stop browser hijacking etc.

    Good Spyware tools implement what has been lacking with Hardware and Software based Firewalls for a number of years, as well as the protection provided by the Firewall.
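    The "telnet www.plus.net 80" check in the post above works because HTTP is just text over a TCP connection; the port number is a convention, not part of the protocol. The following is an added example, not from the thread or any of its posters: a small Python HTTP/1.0 client that builds the request you would otherwise type by hand and parses the reply, including the status-line-less (HTTP/0.9 style) body the transcript shows when the server is sent a few random characters instead of a request. The sample responses are constructed for the example, not captured from a real host, and `fetch_status` is the only part that touches the network.

```python
# Added example (not from the thread): what "telnet host 80" is really doing.
import socket


def build_request(host: str, path: str = "/") -> bytes:
    """The minimal HTTP/1.0 request you would type by hand into the telnet session."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response(raw: bytes):
    """Split a response into (status code, headers, body).

    A server that receives junk instead of a request line may answer in
    HTTP/0.9 style (body only, no status line), which is the shape the
    thread's transcript shows; that case returns status None and the raw bytes.
    """
    if not raw.startswith(b"HTTP/"):
        return None, {}, raw
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(maxsplit=2)[1])   # "HTTP/1.1 301 Moved Permanently" -> 301
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fetch_status(host: str, port: int = 80, timeout: float = 5.0):
    """Live version of the check (needs network). `port` is a parameter because any
    TCP port can carry HTTP; nothing about port 80 makes the traffic HTTP."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))[:2]


# Constructed sample: a well-formed 301, the kind of reply a redirecting server
# sends when it gets a proper request rather than a few random characters.
SAMPLE_301 = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://www.plus.net/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<H1>Moved Permanently</H1>"
)
# Constructed sample in the HTTP/0.9 shape seen in the post's transcript: no status line.
SAMPLE_09 = b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<HTML><HEAD>\n'

if __name__ == "__main__":
    print(parse_response(SAMPLE_301)[:2])
    print(parse_response(SAMPLE_09)[0])
    # fetch_status("www.plus.net")  # live check, same exchange as the telnet session
```

    The lesson for a home firewall is the one the post makes from the other direction: permitting "port 80" permits any protocol that somebody chooses to put on port 80, so a port-based rule says nothing about what the traffic is.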
     
  17. kolabere (Active Member, joined Feb 8, 2005)
    Thanks for this useful summary.

    Is Ad-watch consistent with this - since I already have Adaware SE Plus?
     
  18. Steve.J.Davies (Well-known Member, joined Nov 14, 2004)
    Many routers fail to 'stealth' all the ports they should. This means your machine/router is visible on the internet. The result is that the script kiddies will find you. It is not a question of if you will be attacked but how often.
    All the ports on my system come up as 'stealth' mode on a probe (e.g. from grc.com).
    There seems to be a lot of confusion between a port being open, closed and visible. My ports are open (how else would I use this board..) but they are not visible. Big difference.

    On the point of regular Windows updates - the jury is definitely 'out' on that. Check all the usual software engineering sources and you will find that updating a stable, protected Windows system is just as likely to introduce vulnerabilities/problems. It's to do with the state of the code base (see my point about the Word re-writes that failed) and some well known facts about software behaviour/changes. The house of cards effect, if you will.

    If you are a Joe Bloggs user you may as well go AOL - can't believe I said that; I wouldn't let it anywhere near my system.

    The problem is that Windows as setup/shipped is the low hanging fruit. Log on (as an Administrator probably, as most are set up like that because of a Windows default) without installing protection first and it takes around 20 minutes before you will be 0wned.

    Each to his own though.
     
  19. The Dude (Distinguished Member, joined May 21, 2004, Beverley, East Yorkshire)
    Springtide, you're missing the point about firewalls.
    NAT is only a part of a firewall.
    A Firewall uses TCPIP with NAT to differentiate between devices on the home network, and devices on the internet.

    The Firewall's rules (settings) determine which ports are available in which direction.

    Every PC connected to the internet has to have an open outbound port (80)
    If this port wasn't 'open', then nobody here would be doing much surfing. ;)


    My router (along with 99.9% of people sitting behind a router) has, thanks to its firewall, ALL TCP ports open for outbound requests - i.e. from your PC :smashin:

    It has NO TCP ports open for inbound requests - i.e. somebody trying to access your network from the outside world :thumbsdow


    If I wanted to use bittorrent etc, I'd have to create an open inbound TCP port for filesharing to work properly.
    If I wanted to create a VPN, I'd have to create an open inbound port or I would be unable to dial-in.

    But by default, a firewall will allow any outbound attempts on any ports, and will deny any inbound attempts on any port.. ie all ports are 'closed'

    This is essentially what a firewall is and does, SW or HW, they're both just the same.
     
  20. springtide (Well-known Member, joined Oct 7, 2005)
    Network Address Translation (NAT) and a firewall are totally different and separate. NAT is used to allow address translation of private TCP/IP addresses (home network) to public TCP/IP addresses (internet network). Among other things, NAT also makes direct addressing of private TCP/IP addresses from the public network (internet) difficult.
    NAT is great for security and will make those DOS attacks just disappear!

    A firewall is generally based on restriction and filtering at a protocol level, sometimes referred to as port blocking or port restricting (since protocols are mainly based on ports).

    The main difference between S/W and H/W firewalls is that a S/W firewall can also (sometimes) restrict applications to particular ports or protocols, i.e. a S/W firewall could restrict only IE to access port 80 (which was later combated by the hacker by "application hijacking"). Whereas a H/W firewall (on your router) would not know the source application of the protocol.
    Advanced firewall packet filtering is very CPU intensive and only workable at present on dedicated hardware. What this advanced packet filtering does is actually look for signatures within the TCP/IP packet for known spyware and/or viruses at a protocol level. It's a bit like virus scanning on files, but done at a network packet level. This type of network packet filtering requires dedicated hardware which at present is very expensive. (We had a quote for the add-on card for our ISG2000, and it was about $20K on top of the price of the $35K firewall.)
    Other cool firewall features include reverse DNS lookups (to check for valid DNS entries for IP addresses) - makes sure the website you are talking to has some form of registration, rather than unknown IP addresses.
    The problem with all of these cool/useful features is that they are not currently implemented on cheap DSL routers or S/W based firewalls.

    As for the statement regarding all outbound ports being open and all inbound closed, you obviously do not understand networking!
    Let's take a http request (in its simplest form). When you click on a Web page the browser sends a request to the Web server requesting the data on the page. The Web server then replies with the requested data. If this was configured unidirectionally, then you would request the data, but the return packets would be blocked by the firewall.

    The statement of the ports being open but not visible is in fact the functionality that NAT is giving you (see above) and not the functionality of the firewall.

    As for "the jury is definitely 'out'" regarding patching, I have no idea where you have got this information from. Maybe you could expand? Large corporations are investing $$M in patching tools and security scanning for UNIX, Linux and Windows to make sure systems on the corporate network are kept up-to-date and are not open to attack. Unpatched systems are the brunt of my life at work, as they are the vectors for spreading viruses and spyware within the company which I work for. Not patching a system that has access to the internet is just asking for trouble. The monthly outbreaks ALWAYS originate from and distribute to unpatched systems.

    Regarding P2P applications, if possible use these applications on a separate computer that you regularly rebuild and is only used for "low risk" applications (i.e. do not run P2P apps on the same machine as you do your online banking). If you do not have a separate computer, then try using a virtualisation product like VMware (http://www.vmware.com/) to run the P2P apps on a virtual computer. P2P software by its nature will collect all sorts of nasties, i.e. if you are looking for an "application" on a P2P network, you have no idea where this application has come from, who has modified it (i.e. added a couple of keyloggers for good measure), and you are happy to execute this application on your computer!

    The only secure computer is a switched-off computer. And good security is all about separation. If you want to run any high risk applications, keep it separate and scan the data if you transfer it from the unknown to the trusted.
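    Posts #18, #19 and #20 above disagree about what "open", "closed" and "stealth" mean, and about how the Web server's reply gets back through a router that allows no inbound connections. The following is an added example, not from the thread or any of its posters: a toy Python model of a home router that does NAT and stateful filtering. Every outbound connection is allowed and recorded; an inbound packet is accepted only if it is the reply half of a recorded flow or matches an explicit port forward; anything else gets the unsolicited policy, "drop" (no reply, which a probe reports as "stealth") or "reject" (RST back, reported as "closed"). The addresses, port numbers and packets are constructed for the example; real routers differ in details such as port allocation and timeouts.

```python
# Added example (not from the thread): a toy NAT + stateful-filter router.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP flags reduced to "is this a new connection attempt"


@dataclass
class Router:
    public_ip: str
    # explicit inbound rules: public port -> (LAN host, LAN port), e.g. for a VPN or BitTorrent
    forwards: dict = field(default_factory=dict)
    # unsolicited inbound: "drop" (no reply, probes see "stealth") or "reject" (RST, probes see "closed")
    policy: str = "drop"
    _nat: dict = field(default_factory=dict)    # (LAN host, LAN port) -> public port
    _state: dict = field(default_factory=dict)  # public port -> (LAN host, LAN port, remote, remote port)
    _next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet. Allowed on any destination port; the source is rewritten
        to the router's public address and the flow is recorded so replies can be matched."""
        key = (pkt.src, pkt.sport)
        if key not in self._nat:
            self._nat[key] = self._next_port
            self._next_port += 1
        pub = self._nat[key]
        self._state[pub] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.public_ip, pub, pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt: Packet):
        """Internet -> LAN. Returns (verdict, translated packet or None). Accepted only
        if it is the reply half of a recorded outbound flow or matches an explicit forward."""
        flow = self._state.get(pkt.dport)
        if flow and (pkt.src, pkt.sport) == (flow[2], flow[3]):
            return "accept", Packet(pkt.src, pkt.sport, flow[0], flow[1], pkt.syn)
        if pkt.dport in self.forwards:
            host, port = self.forwards[pkt.dport]
            return "accept", Packet(pkt.src, pkt.sport, host, port, pkt.syn)
        return self.policy, None


def web_request(router: Router):
    """A LAN PC fetches a page: SYN out to the server's port 80, then the server's
    reply arrives addressed to the router's dynamic NAT port and is let back in."""
    out = router.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80, syn=True))
    verdict, reply = router.inbound(Packet("198.51.100.7", 80, router.public_ip, out.sport))
    return verdict, (reply.dst if reply else None)


def probe_view(router: Router, port: int) -> str:
    """What an external probe sees for an unsolicited SYN to `port`:
    'open' (SYN/ACK back), 'closed' (RST back) or 'stealth' (nothing back)."""
    verdict, _ = router.inbound(Packet("203.0.113.9", 55555, router.public_ip, port, syn=True))
    return {"accept": "open", "reject": "closed", "drop": "stealth"}[verdict]


if __name__ == "__main__":
    r = Router("198.51.100.200")
    print("browsing through the router:", web_request(r))
    print("probe's view of port 80:    ", probe_view(r, 80))
    r.forwards[1194] = ("192.168.1.20", 1194)  # an explicit VPN forward
    print("probe's view of port 1194:  ", probe_view(r, 1194))
```

    Two things the model makes concrete: the reply is admitted because it matches recorded state, not because port 80 (or the dynamic port) is "open" to the world, so a probe to either still sees nothing; and the "stealth" versus "closed" distinction in post #18 is purely the drop-versus-reject policy for unsolicited packets, independent of whether NAT is in use.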
     
  21. Steve.J.Davies (Well-known Member, joined Nov 14, 2004)
    "The statement of the ports being open but not visible is in fact the functionality that NAT is giving you (see above) and not the functionality of the firewall."

    My ports are open but not visible. In reality this is not provided by NAT in my router - as I don't use one. It is provided by my firewall. This IS a fact.

    Not a great believer in Google but suggest you search for these words
    windows updates causing problems
    and then read some of the almost sixty million hits.

    Also you need to be able to distinguish between 'unpatched' and 'stable'.
    I did not suggest NO updates. I do advocate getting a system reasonably up to date and stable. Have applied far too many fixes that went PE later to do it any other way.

    For more formal reading just one author to start you off. read:

    Zhu H, A formal interpretation of software testing as inductive inference, Journal of Software Testing, Verification and Reliability, UK, Vol. 6, pp. 3-31.

    Zhu H, A formal analysis of the subsume relation between software test adequacy criteria, IEEE Transactions on Software Engineering, Vol. 22, No. 4, pp. 248-255.

    Zhu H and Jin L, Software Quality Assurance and Testing, Academic Press, Beijing.

    Zhu H, Hall P and May J, Software unit test coverage and adequacy, ACM Computing Surveys, Vol. 29, No. 4, pp. 366-427.

    Jin L, Zhu H and Hall P, Adequate testing of hypertext applications, Journal of Information and Software Technology, UK, Vol. 39, No. 4, pp. 225-234.

    Jin L and Zhu H, On adequacy criteria of testing hypertext applications, Chinese Journal of Software, pp. 130-136 (in Chinese).

    Zhu H and Jin L, The axiomatic approach to the foundation of software testing: an informal review, Post-Conference Proceedings of International Symposium on Computing and Microelectronics, Beijing (in press).

    Zhu H, Toward a relationship between software reliability estimation and computational complexity, Chinese Journal of Software (in Chinese).

    Not that bugs are inevitable. See
    http://ieeexplore.ieee.org/iel5/6/32236/01502527.pdf?isnumber=&arnumber=1502527

    IBM used Z to very good effect when re-architecting CICS into a domain structure.

    But as complexity grows bugs are inevitable.

    I suspect you must not have done much software engineering, so suggest you look at a simple but valid presentation which can be found at
    http://www.thomas-associates.co.uk/2005 Lecture 4.ppt
    which contains some interesting things, for example.

    --------------------
    Software dies when a typical fix introduces more errors than it corrects

    If your average error rate is 1 error/50 LoC, your software dies when the size of your average bug fix exceeds 50 LoC.

    Debugging maximises the number of bugs remaining, for a given reliability.
    ------------------------------

    Now I wonder how big the average Windows bug fix is....

    The author quotes Dijkstra which is something I always like to see,

    As for large corporations spending large amounts of money updating Windows (and their own applications) - yep, I know. And many of them do it badly as well as at high cost. 50 percent of them are below average - and the bar level at average ain't that high...

    The attributes that Change must have are that a Change must be 1) Controlled, 2) Responsive and 3) Predictable. A lot of major corporations fail on all three, and if they get 1) sorted they fail at 2) and 3). There are myriad reasons for these failures so I won't go into a Service Delivery lecture here, but will say that the nature of Windows and the fixes to it make 3) a very very difficult task, and it can only be done with extensive, time consuming and expensive testing if 3) is to be achieved. And even then it will only be achieved if you have real Configuration Management control of your desktops - which I have never seen in the corporate environment. In the UK CM is poorly understood.

    It is a similar story with roll-outs of new Windows versions; corporate reluctance isn't solely tied to the expense of the software licences - everyone knows what a small percentage of the TCO they represent.

    E.g.
    Annual cost to US economy of poor quality software: $60B source: US NIST Report 7007.011, May 2002.

    Can't lay my hands on the Oxford study on testing and bug populations - so I need to do a reorder of my documents... when (if) I find it I will post a link. It is a fascinating study and the maths not too hard to follow.


    With the bloated code base of Windows (and Word et al) I am always reminded of Hoare's wonderful statement.
    "There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
    As for
    "The only secure computer is a switched off computer. And good security is all about seperation. If you want to run any high risk applications, keep it seperate and scan the data if you transfer it from unknown to the trusted."

    The role off security is to protect and enable the path to data. Separation is used in secure designs but secure designs have both normal and covert channels covered. e.g. The possibility of invalid shared memory accesses can be eliminated by locating function in different footprints. - this is an example of a normal channel the covert channel stuff gets well weird, but interesting if you like puzzles.

    Turning off a computer does not make it secure - ask the RAF guy who got his switched-off laptop stolen from his car in London, the laptop that contained the Iraq invasion/battle plans, or the numerous other government employees who have had equipment stolen when it was switched off.

    FYI, transferring data upwards in a tiered structure is allowed ("write up", it is called). Check out the B1 level specs.

    You are right in that separation is used - but its all a lot more detailed and subtle than people think.

    That's enough for now or I'll have to start charging.
    -------------------
    And later you can tell me how I am getting the NAT functionality you describe without a NAT...



    Phew - hands tired now. Anyone reading to the end gets a medal I reckon. :)
     
  22. The Dude

    The Dude
    Distinguished Member

    Joined:
    May 21, 2004
    Messages:
    6,772
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    166
    Location:
    Beverley, East Yorkshire
    Ratings:
    +3,241
    So how the hell are we both reading and posting in this thread? Magic? :rotfl:

    So tell me, as I'd love to hear your explanation, how does network address translation make a TCP port 'open', yet still 'closed' ;)


    As I've already said, you've clearly missed the point, and clearly don't understand TCP networking, even in its 'simplest form'. You've set off on the wrong foot completely...

    Re-read my post #19, it's the simplest explanation I could come up with, but it still tells pretty much the whole story of 'how firewalls work'
     
  23. springtide

    springtide
    Well-known Member

    Joined:
    Oct 7, 2005
    Messages:
    6,701
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    133
    Ratings:
    +1,943
    OK, can you explain how, once you've requested the web page, the data was transferred from www.avforums.com to your home PC?
    And are you able to telnet to www.avforums.com on port 80?

    i.e.

    telnet www.avforums.com 80

    <type a few random characters and hit return>

    If you get a reply (i.e. text back) you have port 80 open for inbound.

    As I explained, this is not all bad as you are probably running NAT. Your computer is not directly addressable if you are behind a NATed subnet. This is because there is no direct route to your IP address. So if we think of both of our routers, the WAN side of our router will have a valid public internet address, but the LAN side of our router most probably has the IP address 192.168.0.1 and our PCs will have an allocated IP address on this subnet (let's say for argument 192.168.0.2).

    If you are on the internet, you will not be able to route directly to 192.168.0.2 even if you add a static route for the WAN side of your router.
    To cut a long story short, once a connection is initialised from your PC, NAT will manage this connection by "encapsulating" the packet (basically adding additional information), but without giving too much information out regarding the connection. The problem with NAT is that it is possible to spoof the encapsulated packets.
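    A scripted form of the telnet check above, as an added example that is not part of the original post. It makes one outbound TCP connection attempt to the target host and port and reports how the target handled it (handshake completed, RST returned, or nothing at all before the timeout). The `start_listener` and `free_port` helpers are constructed for the illustration: they stand in for a remote server on the loopback interface so the example runs offline, and are not something the thread or telnet provides.

```python
"""Scripted version of the 'telnet host 80' check from the thread.

Constructed example: the server it probes is started locally on loopback,
so nothing here touches the public internet.
"""
import socket
import threading


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Send one TCP connection attempt to host:port and classify the outcome.

    'open'        the peer completed the handshake (something is listening)
    'closed'      the peer answered with RST (reachable, nothing listening)
    'filtered'    no answer before the timeout (typically dropped by a
                  packet filter somewhere on the path)
    'unreachable' the local stack refused to even try (no route, etc.)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def start_listener(host: str = "127.0.0.1") -> tuple:
    """Start a throwaway server that answers one connection with a banner.

    Stands in for the remote web server in the thread; returns the listening
    socket and the port the kernel picked.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        try:
            conn, _ = srv.accept()
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
            conn.close()
        except OSError:
            pass  # listener closed before or while accepting

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host: str = "127.0.0.1") -> int:
    """Ask the kernel for a port and release it; the next probe to it will
    almost certainly be answered with RST, i.e. 'closed'."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> dict:
    """Probe a listening port and a closed one on loopback."""
    srv, port = start_listener()
    try:
        listening = probe_port("127.0.0.1", port)
    finally:
        srv.close()
    return {"listening": listening, "closed": probe_port("127.0.0.1", free_port())}


if __name__ == "__main__":
    print(demo())
```

    Run it as a script, or call `probe_port("www.avforums.com", 80)` for the real thing. Note what the result describes: it is the state of the port on the host you connected to, observed from your side of the path.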
     
  24. The Dude

    The Dude
    Distinguished Member

    Joined:
    May 21, 2004
    Messages:
    6,772
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    166
    Location:
    Beverley, East Yorkshire
    Ratings:
    +3,241
    Yep, My home PC requested data from the internet, so the data it requested was allowed through. - It's not exactly rocket science.


    Are you Comer in disguise? :hiya:

    Home network requesting data from Internet =:smashin:
    Internet requesting data from Home network = :thumbsdow
     
  25. springtide

    springtide
    Well-known Member

    Joined:
    Oct 7, 2005
    Messages:
    6,701
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    133
    Ratings:
    +1,943
    This sounds like the functionality of NAT managing your connections.

    Take a look at:
    http://www.cisco.com/warp/public/556/nat-cisco.shtml

    What make/model Firewall/Router are you using?
     
  26. Steve.J.Davies

    Steve.J.Davies
    Well-known Member

    Joined:
    Nov 14, 2004
    Messages:
    2,995
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    83
    Ratings:
    +199
    "The statement of the ports being open but not visible is in fact the functionality what NAT is giving you (see above) and not the functionality of the Firewall."

    My ports are open but not visible. In reality this is not provided by NAT in my router - as I don't use one. It is provided by my firewall. This IS a fact.

    Bump.

    Oh and telnet to port 80 doesn't get anywhere on my machine.

    No NAT or router anywhere in my setup.

    Still haven't found that doc from Oxford Uni - not looked that hard though yet to tell truth.
     
  27. The Dude

    The Dude
    Distinguished Member

    Joined:
    May 21, 2004
    Messages:
    6,772
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    166
    Location:
    Beverley, East Yorkshire
    Ratings:
    +3,241
    Springtide, Right now I'm sitting behind a Watchguard X700, I could just as easily be sitting behind a Netgear DG834... it really makes absolutely no difference at all.

    Like I say, you've missed the point. You don't even properly understand what a firewall is, or even what your friend NAT is..... NAT doesn't 'manage' anything, it's a translation mechanism used by firewalls, and nothing more than that. NAT only occurs as a result of a firewall doing its thing.... no firewall, no NAT, geddit?? :lease:

    Go ask one of the network guys at work to explain things to you, but don't be surprised (I won't) if they 'don't understand networking' either... :suicide:
     
  28. springtide

    springtide
    Well-known Member

    Joined:
    Oct 7, 2005
    Messages:
    6,701
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    133
    Ratings:
    +1,943
    I apologise, I've been doing a little "manual" reading on the latest offerings from Dlink, and yes, only outbound ports need to be opened for connections. What I have noticed is that some of the NAT and firewall technologies have merged and that the latest offerings from Dlink appear to be using a table similar to the "translation table" implemented by NAT for opening up inbound ports for known connections. Looking at the article at http://www.vicomsoft.com/knowledge/reference/firewalls1.html#3 I would assume this would be classed as a "Circuit level Gateway" firewall.

    Note that NAT was invented not for security but for the limited number of IP addresses available within IPv4, and is an extension of routing and not firewalling.


    NAT has to manage connections, since multiple hosts within the private network could be talking to the same host on the public network…
    http://www.cisco.com/warp/public/556/nat-cisco.shtml#hw
    From the document...
    "NAT is like the receptionist in a large office. Let's say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for them to call you back. You tell the receptionist that you are expecting a call from this client and to put them through.
    The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist who they are looking for, the receptionist checks a lookup table that matches up the person's name and extension. The receptionist knows that you requested this call, therefore the receptionist forwards the caller to your extension"
    And…
    "The NAT router checks the routing table to see if it has an entry for the destination address. If the destination address is not in the routing table, the packet is dropped. If an entry is available, it verifies whether the packet is travelling from the inside to the outside network and checks if the packet matches the criteria specified for translation. The router then checks the address translation table to find if there is an entry existing for the inside local address with a corresponding inside global address. If an entry is found, it translates the packet by using the inside global address. If static NAT alone is configured and no entry is found, it sends the packet without translation."
    NAT is not a firewall but has the advantage of hiding inbound requests from the public network, since you have to initiate the request from the private network for the mappings/translations to be managed by NAT, and hence passed to the private network.

    From the same website: http://www.cisco.com/warp/public/556/nat-cisco.shtml#hw

    "Implementing dynamic NAT automatically creates a firewall between your internal network and outside networks or the Internet. Dynamic NAT allows only connections that originate inside the stub domain. Essentially, this means that a computer on an external network cannot connect to your computer unless your computer has initiated the contact. So you can browse the Internet and connect to a site, even download a file. But somebody else can't simply latch onto your IP address and use it to connect to a port on your computer."

    Reading this paragraph it is not clear whether Cisco are classing NAT as a firewall or not. I read this as an "added advantage" rather than stating NAT could be classed as a firewall. The reason why I say NAT is not a fully fledged firewall is that it is not capable of blocking outgoing requests.


    Anyway, I was wrong, but I'm still putting up a fight to hold my corner… :)
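    An added illustration of the NAT-versus-firewall distinction argued over in posts #23 and #28: a toy port-overloading NAT (NAPT, in RFC 2663 terms) and a minimal connection-tracking filter in Python. This is example code written for this page, not from the thread, Cisco or any vendor document. The `NaptRouter` and `StatefulFilter` classes, the WAN address 198.51.100.7 and the remote hosts in 203.0.113.0/24 are all constructed for the illustration; only the 192.168.0.x LAN comes from the thread. It shows why two inside hosts hitting the same web server get different public ports, why an unsolicited inbound connection has nowhere to go, that the translation table keys on addresses alone (the spoofing exposure mentioned in post #23), and that the NAT on its own applies no egress policy while the filter in front of it can.

```python
"""Toy NAPT router with a stateful filter around it.

Constructed example: all addresses are from the RFC 5737 documentation
ranges or the 192.168.0.0/24 LAN used in the thread; nothing is real traffic.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

PUBLIC_IP = "198.51.100.7"  # assumed WAN address of the router
LAN_PREFIX = "192.168.0."   # LAN as used in the thread


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptRouter:
    """Port-overloading NAT. An outbound flow allocates a public port and
    records the mapping; an inbound packet is forwarded only if it matches a
    recorded mapping, because otherwise there is no inside host to deliver it
    to. The router applies no policy of its own to outbound traffic."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside ip, inside port, remote ip, remote port) -> public port
        self.out_map: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (inside ip, inside port)
        self.in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # unsolicited: no mapping, so the packet is dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


class StatefulFilter:
    """Minimal connection-tracking firewall wrapped around the NAT. It keeps
    its own state table and, unlike the NAT, can refuse an outbound
    connection before any mapping is created. (A real conntrack also checks
    TCP flags and sequence windows; this toy matches on addresses only.)"""

    def __init__(self, nat: NaptRouter, blocked_out_ports=()) -> None:
        self.nat = nat
        self.blocked_out_ports = set(blocked_out_ports)
        self.established: Set[Tuple[int, str, int]] = set()

    def send(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_port in self.blocked_out_ports:
            return None  # egress policy: denied, and no NAT entry is made
        translated = self.nat.outbound(pkt)
        self.established.add((translated.src_port, pkt.dst_ip, pkt.dst_port))
        return translated

    def receive(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst_port, pkt.src_ip, pkt.src_port) not in self.established:
            return None  # not a reply to anything we sent
        return self.nat.inbound(pkt)


def run_scenario() -> dict:
    """Drive the toy network through the cases argued over in the thread."""
    nat = NaptRouter(PUBLIC_IP)
    fw = StatefulFilter(nat, blocked_out_ports={25})
    web = ("203.0.113.10", 80)  # constructed remote web server
    pc_a, pc_b = LAN_PREFIX + "2", LAN_PREFIX + "3"
    results = {}

    # 1. Two inside hosts talk to the same server: distinct public ports.
    out_a = fw.send(Packet(pc_a, 40000, *web))
    out_b = fw.send(Packet(pc_b, 40000, *web))
    results["distinct_public_ports"] = out_a.src_port != out_b.src_port

    # 2. The server's reply to host A is translated back to host A only.
    reply = fw.receive(Packet(web[0], web[1], PUBLIC_IP, out_a.src_port))
    results["reply_to_a"] = (reply.dst_ip, reply.dst_port) if reply else None

    # 3. An unsolicited inbound connection attempt on port 80 is dropped.
    results["unsolicited"] = fw.receive(Packet("203.0.113.99", 5555, PUBLIC_IP, 80))

    # 4. The NAT table keys on addresses only: any packet carrying the right
    #    remote address and mapped port is forwarded, forged or not.
    forged = nat.inbound(Packet(web[0], web[1], PUBLIC_IP, out_a.src_port))
    results["nat_forwards_forged_match"] = forged is not None

    # 5. NAT alone cannot block outbound; the stateful filter can (SMTP here).
    results["nat_passes_smtp"] = nat.outbound(Packet(pc_a, 40001, "203.0.113.25", 25)) is not None
    results["fw_blocks_smtp"] = fw.send(Packet(pc_a, 40002, "203.0.113.25", 25)) is None
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

    Case 3 is the "receptionist" behaviour the Cisco text describes, and cases 4 and 5 are the two limits that keep the translation table from being a firewall by itself: it cannot tell a forged match from a genuine reply, and it never says no to an inside host.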
     
  29. kolabere

    kolabere
    Active Member

    Joined:
    Feb 8, 2005
    Messages:
    419
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    21
    Ratings:
    +7
    That's the sound of this thread going way over my head.

    I've used computers for 4 decades, but never actually in IT, so I think I have a little understanding of what is going on, but this . . .

    It's always fun to watch some heavy-weights have an 'intellectual' slug-fest :D , but can some of you smart cookies address the original thread, :lease: .
     
  30. Steve.J.Davies

    Steve.J.Davies
    Well-known Member

    Joined:
    Nov 14, 2004
    Messages:
    2,995
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    83
    Ratings:
    +199
    Kolabere,
    I consider myself appropriately chastised. Early in the thread I/we answered
    Norton=bad, then somehow this thread got routed down a different path.. :)

    Springtide, big mistake to read the vendor documents and believe they are engineering based. They are not, they are commercially based. Heck, believe the vendor spiel and Big Bill would have achieved sainthood some time ago....

    Best bet is to read the Internet Engineering Task Force RFC documents, e.g.
    for NAT http://www.ietf.org/rfc/rfc2663.txt

    Or other documents written by vendor-neutral engineers. The big boys like IBM et al do have pure engineers (and some brilliant ones at that) who write some great stuff - but it doesn't see the light of day in public unless and until the legal and marketing considerations are taken into account.

    Or read the early 'classics' such as Dijkstra or Lorin. It is the design principles and the engineering that count. Why do you think flying is the safest form of transport? For sure it's not related to the name of the airline or whatever it is they are trying to push. Unless you step on a 'third world' airline that uses poorly maintained planes and counterfeit parts, poorly trained engineers etc.. that's when the label on the plane counts, but only because the big players are heavily monitored and regulated by the FAA etc. and forced to follow the engineering needs.

    Which brings me back to Norton - their blurb says it's a great product. Plenty of real world use indicates that you don't want to step on their plane.
    When the accountants/marketing build it the quality suffers, e.g. Mercedes.
     
