Re: How safe is a Windows PC on a Linux network.



John Hastings <jh@xxxxxxxxxxxxxx>:
Kind of OT, but I sure can't ask a Windows newsgroup about a Linux
network.

Few things are OT in .misc :-)

I have a small Linux network of 3 machines at home with a Smoothwall
firewall between the dialup and the internal lan. All ports are closed
except for 80, 113 and 441 (I think - I am not there at the moment). Also
on the lan is one XP machine with SP2 but no antivirus software or any
anti wormware patches except for what came with the service pack. It is
used for an occasional game, but mostly for being able to access and
convert Windows specific files that I get from other users, like Excel and
Corel Draw files or whatever. No exe programs are loaded that don't come
on an OEM CD so I have never picked up a malware load (yet). Actually,
there is very little on it except for Word, Excel and Civ II and IV.

Being of sound mind and body, I never surf with the Windows machine and
always have it turned off or disconnected when I access the Internet.

Assuming you trust your firewall, and you know what's running on the
box, this is likely needlessly paranoiac, but see below (be careful
opening Office documents while connected).

I have used Linux since before the real 'Net trouble started with Windows
so have very little experience with fending off malware and never had to
learn the ins and outs of TCP firewalling other than what it takes to set
up a basic firewall.

I liked Arno's iptables-firewall (shameless plug: http://linuxgazette.net/114/keeling.html).

My question is, how vulnerable is XP in a setup like mine if it is turned
on (but not used) during a connection session to the 'Net? I ask because
I have to have it on the lan to access the Linux servers but sometimes it
is inconvenient to turn it off or disconnect it just because I need to
surf for a moment.

i. It wouldn't be all that difficult to blow it away and recreate
it anyway, what with the limited list of installed software
(considering OOo, are you sure you need it except for Civ?).

ii. I've seen many horror stories from admins trying to lock MS
chat out (or from getting out) of their networks. Close one
port, it jumps to another, ... That sort of thing raises my
hackles. Active-X, Passport, ... Of course, if you're the
only one who uses that box and you don't do that stuff, this is
likely irrelevant. On the other hand, Word documents with
embedded external URLs will call out to those URLs when the
document's opened (see comp.risks archives).

iii. XP "phones home", yes?

iv. Subnet it.

v. Frankly, as long as you've decent backups, I'd consider it your
personal honeypot. Enjoy it if/when it's discovered! Have fun
with it. Just make sure nothing can get from it to the rest of
the LAN. There have been Linux based Zombie nets
(see shadowserver.org). Just because Linux CAN be secured
doesn't mean any individual Linux box WILL be secure.

vi. Windows is always vulnerable, by design. It's a designed-in
feature.

vii. I'm an admitted anti-MS zealot; no apologies. Windows is a
pollutant on the net, enabling Spammers, Russian Mafia, & etc.
Security-wise, it's a senile, arthritic, mostly blind old
fart. The occasional jump start is to be expected.

Enjoy your honeypot. :-)


--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html
Spammers! http://www.spots.ab.ca/~keeling/emails.html
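
Added example, not part of the original post: a check related to the remark above that Word documents with embedded external URLs call out when opened. It lists external references in an Office file before you open it on a connected machine. It assumes the zip-based OOXML formats (.docx/.xlsx), not the older binary .doc; the function names and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the relationship parts (*.rels) inside an OOXML package.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def external_targets(package):
    """List (rels part, relationship kind, target) for every relationship
    marked TargetMode="External". `package` is a path or binary file object."""
    found = []
    with zipfile.ZipFile(package) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            data = zf.read(name)
            if b"<!DOCTYPE" in data:  # rels parts never need a DTD; flag, don't parse
                found.append((name, "has-doctype", ""))
                continue
            try:
                root = ET.fromstring(data)
            except ET.ParseError:
                found.append((name, "unparseable", ""))
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, kind, rel.get("Target", "")))
    return sorted(found)


def build_sample():
    """Constructed sample package: one internal part, two external references."""
    t = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{t}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{t}image" TargetMode="External"'
        ' Target="http://tracker.example/pixel.png"/>'
        f'<Relationship Id="rId3" Type="{t}hyperlink" TargetMode="External"'
        ' Target="http://www.example.org/"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return io.BytesIO(buf.getvalue())
```

Hyperlink entries are followed only when clicked; the other external kinds (linked images, templates) are the ones to review for fetch-on-open behaviour.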