
slajoh01

join:2005-04-23

Is this good Layered Security?

Many security experts will indeed tell you that they don't overload their systems with TONS of security software.
So I try to keep it toned down....

Running Win7 with the following:

*McAfee VSE with real-time On-Access scanner
*Win7 Firewall enabled
*SPI Router
*Keeping up to the latest with Windows and Software security updates/patches.
*Not visiting shady websites

Now, do I need full disk encryption or not? I do have a file encryption program which does quite OK I guess with AES-128 with a long PIN code. I have a PC and a notebook which I ***DO NOT*** even travel with at all.

But other than this, will this be sufficient?

Thanks for the help in advance!


dolphins
Clean Up Our Oceans
Premium
join:2001-08-22
Westville, NJ
kudos:7
Reviews:
·Comcast
Your browser is the first and most important line of defense, IMO.

So many of my friends' and relatives' computers become infected because they use an unprotected browser.
--
Stop The Mindless Killings Stop Over Fishing


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

2 recommendations

reply to slajoh01
I'd also run your browser(s), Java (if you have it enabled), and other frequently targeted software under Microsoft's EMET.

»Re: Microsoft gobbles up AV ground

Just another layer.
--
Don't feed trolls--it only makes them grow!

slajoh01

join:2005-04-23
I also do run Firefox with the DISA STIG extension.
Just google forge.mil Firefox add on or extension.
»forge.mil/Resources-Firefox.html

And Java is disabled.

So overall, would this be sufficient?


GILXA1226
Premium,MVM
join:2000-12-29
Dayton, OH
reply to slajoh01
said by slajoh01:

Now, do I need full disk encryption or not?

Full disk encryption only helps if the computer is stolen. If the computer is up and running and you get compromised it really doesn't do anything for you.
--
We don't give a d@mn for the whole state of Michigan... we're from OHIO! O!H! ... I!O!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
+1

Plus if you ever need to get into your own drive (offline) this may cause issues. I don't bother with drive encryption for that very reason. I've been burnt before.
--
Don't feed trolls--it only makes them grow!

slajoh01

join:2005-04-23
I don't trust full disk encryption. I only use file encryption if I need to.

And Browser is the first layer of defense and I agree. It's a vector of malware to get in. But I have been looking through all the DoD STIGs and those settings are really really locked down to the bone. So how do they bear with convenience versus security? Almost ALL of their Internet Zone Security Settings are disabled or set to HIGH setting.

But how could one lock down their browsers to that extent like from the DoD STIGs as most webpages will not work with those locked down settings?

But anyway - are my security settings so far average or sufficient enough?


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL
reply to slajoh01
(I only reply in a lighthearted way.)

> Win7 Firewall enabled

Good that it is on, but most likely does little or nothing for something trying to get out from your computer.

> SPI Router

I know what a router does. I've heard of SPI. Does "SPI" afford anything more? I disconnected my router a while back & have yet to turn it back on. Don't know that I'm missing anything?

> Not visiting shady websites

What defines "shady"?
Is dslreport shady? Is Speedtest.net "shady"?
There is no such thing as a "safe" site, so go without fear & visit your shady sites - so long as you do so with proper precaution.

> McAfee

Really?
Suppose it's no worse than any other.

slajoh01

join:2005-04-23
I guess u beat me to my post...

And Browser is the first layer of defense and I agree. It's a vector of malware to get in. But I have been looking through all the DoD STIGs and those settings are really really locked down to the bone. So how do they bear with convenience versus security? Almost ALL of their Internet Zone Security Settings are disabled or set to HIGH setting.
»iase.disa.mil/stigs/app_security···nce.html

But how could one lock down their browsers to that extent like from the DoD STIGs as most webpages will not work with those locked down settings?

But anyway - are my security settings so far average or sufficient enough?


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

2 recommendations

reply to slajoh01
OK, OK.

Common sense.

A Mozilla browser & NoScript.

Firewall.
Better that also blocks outgoing.

Router.

An anti-ex (which I have not used) is most likely an excellent addition.

Updates, of course.

A/V, if you feel you need it.

Do not install or at least block "plugins" that you do not actively need to be using.

slajoh01

join:2005-04-23

1 recommendation

But I have been looking through all the DoD STIGs and those settings are really really locked down to the bone. So how do they bear with convenience versus security? Almost ALL of their Internet Zone Security Settings are disabled or set to HIGH setting.
»iase.disa.mil/stigs/app_security···nce.html

So how do they browse the internet if IE is so locked down?
Most pages break and do not function with these STIG settings being set at a maximum of HIGH.

And what better firewall do u recommend that blocks outgoing stuff which is better than the Win7 firewall?
The reason I like to stick with the Win7 FW is because most of these bundled firewall programs come with AV and other stuff which I don't want.


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL
> So how do they browse the internet if IE is so locked down?
> Most pages break and do not function with these STIG settings
> being set at a maximum of HIGH.

Ah, the ol' catch-22.

> And what better firewall

Well of course Windows Firewall can block outgoing too.
Just that you need to be a rocket scientist to use it in that manner.

You might say, ah, the ol' catch-22.

There are some "shells" into WF that could help. I've been exploring Windows Firewall Control but that has come with its own issues (for me) & the free version is more limited than the pay. Another is Windows7FirewallControl though I have not looked into it.

> a better firewall which blocks outgoing stuff.
> a decent firewall without any of the AV stuff. Only I want the firewall

Another good question. That's the way I would want it too - without AV stuff.
Suppose there's a firewall poll around these parts?


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to slajoh01
said by slajoh01:

And what better firewall do u recommend that blocks outgoing stuff which is better than the Win7 firewall?

You should be able to create your own outbound firewall rules in your router. I have. I allow most standard ports from LAN to WAN but everything else is blocked. Sites that want to use non-standard ports (e.g. 8080 for HTTP) get blocked while 99.9% of stuff works fine. That won't stop malware that uses standard ports but it's just another precaution. Also outgoing stuff is allowed/blocked by LAN IP.

Most people don't bother doing anything with outgoing traffic since most routers/firewalls don't provide any (default) rules for it. I've created my own (custom) rules.

As you know security must be layered. Using browser plug-ins is just one layer IMO. I'd still use EMET to mitigate a browser vulnerability.
--
Don't feed trolls--it only makes them grow!


Rebrider
Been There Done That
Premium
join:2000-11-23

1 recommendation

reply to slajoh01
said by slajoh01:

And what better firewall do u recommend that blocks outgoing stuff which is better than the Win7 firewall?
The reason I like to stick with the Win7 FW is because most of these bundled firewall programs come with AV and other stuff which I don't want.

I have been using ZoneAlarm free for years. I like to see what programs want out and be able to deny outbound connections.
I use only the firewall, no bundle with AV.


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable

1 recommendation

Firewalls only for W7

said by Rebrider:

said by slajoh01:

And what better firewall do u recommend that blocks outgoing stuff which is better than the Win7 firewall?
The reason I like to stick with the Win7 FW is because most of these bundled firewall programs come with AV and other stuff which I don't want.

I have been using ZoneAlarm free for years. I like to see what programs want out and be able to deny outbound connections.
I use only the firewall, no bundle with AV.

»A free firewall for 64bit W7 like Kerio, Outpost 2009, etc.? might be useful, but outdated?
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.

slajoh01

join:2005-04-23

2 edits
If I keep my Windows and Software up to date with security patches and updates, have a decent running AV on scanner, and a firewall router, then I would keep the bad stuff coming into my system in the first place. So why do I need to have outbound protection? This topic of concern has come up a lot here in this forum and never know why if one keeps the bad stuff from coming into one's machine, then why do we need to worry about outbound firewall protection? Especially when I always keep my system up to date with patches.

Also ONE VERY IMPORTANT NOTE: Whenever I install Windows, I NEVER NEVER EVER install with the LAN or network being active. I just DON'T!!!! And after I get everything on there like programs, and all my security software like AV, then I update Windows and Software and then make an image, and then finally, browse the network.

So what's the point if I don't have any malware in the first place, then why is outbound protection needed?

I tend to use the NETSTAT -B command once every while with first closing ALL running programs and to make sure no malware programs are "phoning" home.
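
The NETSTAT -B spot check in the post above, together with the earlier point about allowing only standard ports outbound, can be made into a repeatable review. This is an added example, not part of any poster's message: it parses text in the layout of `netstat -b -n`, and the sample output, the executable allowlist and the port set are constructed assumptions.

```python
import re

# Constructed sample in the layout of Windows `netstat -b -n` (not a real capture).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.10:49720     198.51.100.7:8080      ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.10:49731     198.51.100.9:443       ESTABLISHED
 [updhelper.exe]
  TCP    192.168.1.10:49740     203.0.113.20:80        TIME_WAIT
  TCP    192.168.1.10:49755     192.0.2.44:6667        ESTABLISHED
 Can not obtain ownership information
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat_b(text):
    """Return one dict per connection row, with its owning executable if listed."""
    conns, current = [], None
    for line in text.splitlines():
        row, owner = ROW.match(line), OWNER.match(line)
        if row:
            host, _, port = row[3].rpartition(":")
            current = {"proto": row[1], "remote": host, "state": row[4],
                       "rport": int(port) if port.isdigit() else None, "exe": None}
            conns.append(current)
        elif owner and current is not None:
            current["exe"] = owner[1].lower()
            current = None  # owner consumed; a later bracket line is not ours
    return conns

def review(conns, allowed_exes, standard_ports):
    """Flag ESTABLISHED connections with unknown owners or non-standard ports."""
    findings = []
    for c in (c for c in conns if c["state"] == "ESTABLISHED"):
        reasons = []
        if c["exe"] is None:
            reasons.append("owner unknown")
        elif c["exe"] not in allowed_exes:
            reasons.append("executable not on allowlist")
        if c["rport"] not in standard_ports:
            reasons.append("non-standard remote port")
        if reasons:
            findings.append((c["exe"], c["remote"], c["rport"], reasons))
    return findings
```

Calling `review(parse_netstat_b(SAMPLE), {"firefox.exe"}, {80, 443})` leaves the first browser connection unflagged and reports the other three established ones; a connection from an allowlisted program to port 443 passes, which is the limit of port-based outbound rules noted earlier in the thread.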


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable
said by slajoh01:

If I keep my Windows and Software up to date with security patches and updates, have a decent running AV on scanner, and a firewall router, then I would keep the bad stuff coming into my system in the first place. So why do I need to have outbound protection? This topic of concern has come up a lot here in this forum and never know why if one keeps the bad stuff from coming into one's machine, then why do we need to worry about outbound firewall protection? Especially when I always keep my system up to date with patches.

Also ONE VERY IMPORTANT NOTE: Whenever I install Windows, I NEVER NEVER EVER install with the LAN or network being active. I just DON'T!!!! And after I get everything on there like programs, and all my security software like AV, then I update Windows and Software and then make an image, and then finally, browse the network.

So what's the point if I don't have any malware in the first place, then why is outbound protection needed?

I tend to use the NETSTAT -B command once every while with first closing ALL running programs and to make sure no malware programs are "phoning" home.

Do you like software to phone home and to other places? I don't.
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.

nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to slajoh01

Re: Is this good Layered Security?

It is late so I will keep simple as well I am simple this late at night. Two things are run as limited user when just cruising the net. No full admin account when just cruising net and do not need it. McAfee is ick now. Many threads on what people like so will not go there. Just McAfee is ick.
Win7 has a pretty decent firewall. If you are behind a properly set up router so much the better.
Browsers many here know way more. But I have read ways to sandbox them.
Encryption unless you are afraid of theft is not needed. It can always be done on a folder basis like financial stuff can be encrypted and other stuff left open. I have a few encrypted folders on my computer (backed up) and everything else is unencrypted.
Always do backups even more so for encrypted. If an encrypted file goes bad almost zero chance of retrieval. Never put all your backups in the same place. That place burns down everything is still gone. So offsite backups for memories like photos or important stuff.
Plus most here will say disable Java or disable it for everything but a known need.
More but I will stop rambling now.
One edit: Malwarebytes free for an occasional on-demand scan plus places like VirusTotal exist online for scanning questionable files.


balloonshark
Lets Go Mountaineers

join:2006-08-11
WV
reply to slajoh01
What about your other internet facing programs? Is your only protection keeping them updated and McAfee's definitions?

It's important to know what your layers do. IF malware downloads on your computer it has to run somehow. It is important to focus on this part of your setup. When I look at my layers it always amazes me how many I have.

1. Updated OS and programs.
2. HOSTS file
3. Firefox with NoScript and ABP. NoScript can stop a ton of malware by limiting Java and Flash.
4. All my internet programs run in a sandbox using Sandboxie. That means they are isolated from my computer. It also means I can put restrictions on the sandbox as to what can run, what can have internet access, where these programs have access to and what can get out of the sandbox such as my bookmarks. If I'm browsing and click on a pdf my reader opens and it is automatically sandboxed. When I'm finished browsing the sandbox is deleted "flushing" everything.
5. I'm using Avira free AV. I use it for the heck of it and to scan everything I remove from the sandbox.
6. I'm running Online Armor for the outbound firewall and to let me know if something runs without my permission. This is the backup in case Sandboxie fails or if my scanning of a removed program fails.
7. Returnil free (older version). I use this to virtualize my system partition when surfing the darkside or trying something new. I can turn this on anytime and a reboot deletes all changes.
8. MalwareBytes and SuperAntiSpyware free versions. I use these to scan anything I remove from the sandbox. I also use Virustotal and jotti.
9. I also have disabled some unneeded Windows services. Some that are known security risks.
10. My machines are behind a router.

All of that and most of the heavy lifting is done by NoScript and Sandboxie. Even then I have a backup if something would get through them. To be honest, I'm the biggest threat to my system.
--
If we quit voting, will they all just go away?


GILXA1226
Premium,MVM
join:2000-12-29
Dayton, OH
reply to slajoh01
said by slajoh01:

But I have been looking through all the DoD STIGs and those settings are really really locked down to the bone. So how do they bear with convenience versus security?

Keep in mind, those STIGs are guidelines, I've never ever seen a system with those settings fully in place.
--
We don't give a d@mn for the whole state of Michigan... we're from OHIO! O!H! ... I!O!