Full Disclosure mailing list archives

Re:Re: Virus infect on single user


From: "Ian Latter" <Ian.Latter () mq edu au>
Date: Tue, 10 Feb 2004 20:30:08 +1000


Hello Steffen,

> He doesn't say anything about this. But if there are no open ports, there
> is nothing to protect on a single-user machine (or am I wrong?). The only

This is dependent upon which layer of the OSI model your attack
vector is targeted at, and its offensive characteristics.


NB - waffle below is probably preaching to the converted.  Ignore the
rest of this message if the previous comment was all too familiar.


For example, "closing ports" tends to suggest that the layer-4 listeners
are removed, but this doesn't stop a user from SYN flooding your LAN.
It also doesn't stop the user from accidentally introducing malware that
establishes its own listeners (possibly both layer-8 issues ;-).

If you go down a layer you get network level examples like IGMP 
attacks, ICMP redirects/floods, etc.  If you go up a layer you get 
session level examples like RPC discovery/enumeration, etc.

I'm not sure how far down the stack any of the personal firewall 
products go (I'm not sure that they even focus on anything outside
of TCP, UDP and/or ICMP), but the two biggest advantages that I've
seen PFs provide are:

  - on/off control on applications seeking outbound connections,
    and seeing that service provided independently of the OS
    (allowing regulation of the OS components also).

  - traditional firewall-style packet filtering that prevents access to
    "accidental" TCP/UDP listening services (where a deny-default
    policy has been applied).  This second feature is often redundant
    due to the first anyway, as listeners can also be accepted/
    rejected upon the socket call.

  I'm not a big fan of personal firewalls, but for users that fall into
the "my mom" category (directly connected to the internet, think a 
byte goes with a sandwich, etc) I don't think it can be avoided.



  Speaking of which - on the topic of what to do with educating all
of the home users with cable/dsl internet access and no clue as
to what computer security is (it *is* locked in the office, Ian), I
quizzed my poor/dear old mom -- who finds her XP machine a slightly
more convenient way to play solitaire than using a deck of cards -- to
see what she thought of being labelled one of the world's greatest 
technological/"cyber" threats - her response:

    "Good.  It's nice to know I'm important"     ;-)  Eh, good one mom.


  Ah, and before I get flamed on "why does she need Internet access
to play solitaire?" - she's supposed to be using it for email, but she has
a lot of trouble keeping track of email addresses (she calls everyone
instead).  Revenge for all the Xmas presents I played with once and left,
I guess ;-)



Regards,



--
Ian Latter
Internet and Networking Security Officer
Macquarie University

 Meet me at the Australian Unix and open systems
   User Group (AUUG) Security Symposium; 2004
  http://www.auug.org.au/events/2004/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

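Editor's note: as an added example, not part of the message above or of any product it mentions, the following nftables ruleset is what the two personal-firewall properties Ian describes look like on a Linux host: a deny-default inbound policy so that an "accidental" listener is unreachable whether or not the socket exists, plus an outbound policy that only lets a named application (approximated here by the socket owner's uid, since nftables has no per-binary match) open new connections. It also drops the layer-3 noise he mentions (ICMP redirects, IGMP). The exposed SSH port and the browser running as uid 1000 are assumptions for the illustration.

```nft
#!/usr/sbin/nft -f
# Added example ruleset. Assumptions: the only deliberately exposed service
# is SSH on 22/tcp, and the only application allowed to initiate outbound
# connections runs as uid 1000 (e.g. the desktop user's browser).
flush ruleset

table inet pf {
    chain input {
        # Deny-default inbound: a listener that malware or a stray service
        # opens is unreachable even though the socket is bound.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # One layer down from TCP/UDP: refuse ICMP redirects and IGMP
        # outright, and rate-limit echo requests instead of ignoring ICMP.
        icmp type redirect drop
        ip protocol igmp drop
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # The only service exposed on purpose (assumed: SSH).
        tcp dport 22 ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Per-application outbound control, approximated by socket owner:
        # only uid 1000 may open new web/DNS connections; everything else
        # (including OS components) is logged and dropped.
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept
        meta skuid 1000 tcp dport { 80, 443 } ct state new accept
        meta skuid 1000 udp dport 53 accept
        log prefix "pf-egress-denied: " drop
    }
}
```

Load it with `nft -f <file>` and watch the kernel log for `pf-egress-denied` entries: anything the host tries to reach that is not on the uid-1000 allow-list shows up there, which is the "on/off control on applications seeking outbound connections" made visible. Dropping redirects at the input hook is belt-and-braces; the proper fix at layer 3 is also to set `net.ipv4.conf.all.accept_redirects=0` so the kernel never honours them.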
