firewall test and NAT

ToddAndMargo said:
Hi Brian,

You are correct. You are missing that the probe can include an
internal address as well as the required external address.

An unsuccessful sample attack on my machine for you:

kernel: Incomming SYN IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.46
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=228 DF PROTO=TCP SPT=1030 DPT=80
WINDOW=8192 RES=0x00 SYN URGP=0

Translation:
SRC is my NAT router (192.168.1.1) on my 1st Ethernet port

RST is a virtual machine (192.168.1.46) on my second Ethernet
port that has not run for over three weeks (currently off)

SYN is a SYN packet

The probe got right through my NAT router (and got stopped by my
software firewall). NAT is a good idea in a lot of ways.
And it does stop tons of state=new packets. But, as I have
shown, you can poke through it. It takes a lot more skill,
so it does cut way down on the bad guys attempt to probe
you. But it does not stop all unsolicited state=new probes.
This is why I am telling everyone that doubts me that
*NAT is not a firewall*.

From where was the probe launched?

John
 
ToddAndMargo said:
Hi Brian,

You are correct. You are missing that the probe can include an
internal address as well as the required external address.

An unsuccessful sample attack on my machine for you:

kernel: Incomming SYN IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.46
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=228 DF PROTO=TCP SPT=1030 DPT=80
WINDOW=8192 RES=0x00 SYN URGP=0

Translation:
SRC is my NAT router (192.168.1.1) on my 1st Ethernet port

RST is a virtual machine (192.168.1.46) on my second Ethernet
port that has not run for over three weeks (currently off)

SYN is a SYN packet

The probe got right through my NAT router (and got stopped by my
software firewall). NAT is a good idea in a lot of ways.
And it does stop tons of state=new packets. But, as I have
shown, you can poke through it. It takes a lot more skill,
so it does cut way down on the bad guys attempt to probe
you. But it does not stop all unsolicited state=new probes.
This is why I am telling everyone that doubts me that
*NAT is not a firewall*.

Let's forget the *NAT is not a firewall* business, this is not a
disputed point, we know that NAT is not a firewall but by its nature it
has firewall like qualities.

What we don't buy is your assertion that NAT is flimsy to the point
where it can be broken by the most simple scanning techniques, that
almost anything can just easily shoot through it. Many years ago when
NAT was designed the network engineers who put it together would have
had to have security in mind, they would have known about network
intrusions. These engineers knew that their design had to be robust
enough to keep the bad guys out, willingly or unwillingly it had to be
part of the design. If what you say is true NAT would not have made it
past the starting gate, the engineers would have presented their new
"baby" to the world and in less than 24 hours it would have been
completely hacked and the project would have fallen apart! There is
*absolutely* no way that NAT would have become accepted if it could have
been so easily broken, no one today would be using it, certainly
Microsoft's Internet Connection Sharing (ICS) would have never seen
daylight. Like Brian said, "probes are being performed 24/7 and have
been for years". If you log intrusion attempts the router log will
probably fill up rather quickly. Instead of logging at the router
perhaps you should use a third party firewall or a tool like Wireshark
and log on your computer on the inside of the NAT device and see what is
actually making it past the router to your computer.

I think that the point that you are leaving out of the picture is that
NAT only allows *solicited* traffic past the gate. It sort of works
like this:

"John John" sends a message to "ToddAndMargo", NAT forwards the message
and remembers this, it "waits" for a reply from ToddAndMargo and when
the reply arrives from ToddAndMargo NAT sends it to John John. While
NAT waits for solicited replies "TomDick&Harry" come by trying to send a
message to John John and NAT says: "John John didn't ask for anything
from "any Tom, Dick and Harry", NAT tells them to get lost and drops the
message, the unsolicited packets never make it any further than this.
Whether or not "any Tom, Dick and Harry" know that John John is home is
almost completely irrelevant, what matters is whether or not John John
invited them in, that invitation is next to impossible to fake!

NAT works like this:

*Outgoing Packet at the NAT*

The NAT will intercept this outgoing packet and create a port mapping
using the destination IP address (server), destination port, external IP
address of the NAT, external port, network protocol, and the internal IP
address and port from the client.

The NAT will maintain a table of these mappings, storing this port
mapping in the table. The external IP address and port are the public IP
address and port to be used for this data traffic in place of the
internal client's IP address and port.

The NAT then "translates" the packet by swapping the source fields of
the packet from the private, internal IP address and port of the client
to the public, external IP address and port of the NAT.

The packet is then sent on the external network (the Internet) to
eventually reach the intended server.

*Incoming Packet at the NAT*

The NAT receives these packets from the server and compares them to its
table of port mappings. If the NAT finds a port mapping where the source
IP address, source port, destination port, and network protocol of the
incoming packet match the remote host IP address, remote port, external
port, and network protocol of the port mapping, the NAT will perform a
reverse translation. The NAT replaces the external IP address and
external port in the destination fields of the packet with the client’s
private IP address and internal port. This is an example of solicited
incoming traffic. The NAT silently discards unsolicited incoming traffic
that does not match a port mapping.

The NAT then sends the packet on the internal network to the client.

Overview of Network Address Translation (NAT) in Windows XP
http://technet.microsoft.com/en-us/library/bb457077.aspx

You are leaving out the part about port mappings, router tables and
*unsolicited* requests from your intrusion scenario. Of course without
these NAT would be next to completely useless, such a flimsy and
completely insecure setup could never be exposed to the internet, you
would have to place a firewall between it and the internet. But NAT is
not designed in such a flimsy manner.

Of course this brings a catch 22 or a chicken or the egg kind of
dilemma. If NAT only allows solicited requests how can anything move
about, somewhere along the line someone has to accept an unsolicited
request. That is what your ISP does with its servers and expensive
border routers, these systems are designed to accept unsolicited
requests, they use different methods to keep the unwanted out, your ISP
may require you to log on to a server or it may only accept unsolicited
requests from known IP or MAC addresses. Without expensive border
routers and elaborate security setups anyone else has to punch holes in
NAT to allow it to pass unsolicited requests, you have to open ports in
the router. If your router is properly secured outsiders cannot open
ports or punch holes in it. And for your simple probes to make it
through masqueraded as solicited traffic they would have to actually
break in to the router and hack the mapping tables! The only other way
that I can think that one may make it in under the guise of solicited
traffic would be by way of a "Man in the middle" attack, not such an
easy thing to do. Much easier to send in malware and have it open holes
from the inside for you.

John
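
The port-mapping behaviour quoted in the post above, as an added example that is not part of the original thread. The class and function names are hypothetical, the outside addresses are constructed from documentation ranges, and the model leaves out timeouts, port forwards and UPnP and only considers packets addressed to the NAT's external address.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortMappingNat:
    """Toy NAT: one mapping per outgoing flow, replies matched on the
    remote IP, remote port, external port and protocol."""

    def __init__(self, external_ip: str, first_port: int = 50000) -> None:
        self.external_ip = external_ip
        self._next_port = first_port
        # (proto, client ip, client port, remote ip, remote port) -> external port
        self._by_flow: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, remote ip, remote port, external port) -> (client ip, client port)
        self._by_reply: Dict[Tuple[str, str, int, int], Tuple[str, int]] = {}

    def outgoing(self, pkt: Packet) -> Packet:
        """Create (or reuse) a mapping and rewrite the source fields."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self._by_flow.get(flow)
        if ext_port is None:
            ext_port = self._next_port
            self._next_port += 1
            self._by_flow[flow] = ext_port
            reply_key = (pkt.proto, pkt.dst_ip, pkt.dst_port, ext_port)
            self._by_reply[reply_key] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.external_ip, ext_port,
                      pkt.dst_ip, pkt.dst_port)

    def incoming(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a solicited reply; return None for a packet
        that matches no mapping (the 'silently discards' case)."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        client = self._by_reply.get(key)
        if client is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, client[0], client[1])


def demo() -> Dict[str, Optional[Packet]]:
    """One outgoing connection, then four inbound packets (all constructed)."""
    nat = PortMappingNat("203.0.113.5")
    server, stranger = "198.51.100.10", "198.51.100.99"
    out = nat.outgoing(Packet("tcp", "192.168.1.46", 1030, server, 80))
    ext = out.src_port
    return {
        "translated": out,
        # Reply from the server the client contacted: matches the mapping.
        "reply": nat.incoming(Packet("tcp", server, 80, nat.external_ip, ext)),
        # Different host aiming at the same external port: no match.
        "other_host": nat.incoming(Packet("tcp", stranger, 80, nat.external_ip, ext)),
        # Same server, different source port: no match.
        "other_port": nat.incoming(Packet("tcp", server, 8080, nat.external_ip, ext)),
        # Unsolicited SYN to port 80 on the external address: no match.
        "probe_port_80": nat.incoming(Packet("tcp", stranger, 40000, nat.external_ip, 80)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result}")
```
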
 
John said:
Let's forget the *NAT is not a firewall* business, this is not a
disputed point, we know that NAT is not a firewall but by its nature it
has firewall like qualities.

What we don't buy is your assertion that NAT is flimsy to the point
where it can be broken by the most simple scanning techniques, that
almost anything can just easily shoot through it. Many years ago when
NAT was designed the network engineers who put it together would have
had to have security in mind, they would have known about network
intrusions. These engineers knew that their design had to be robust
enough to keep the bad guys out, willingly or unwillingly it had to be
part of the design. If what you say is true NAT would not have made it
past the starting gate, the engineers would have presented their new
"baby" to the world and in less than 24 hours it would have been
completely hacked and the project would have fallen apart! There is
*absolutely* no way that NAT would have become accepted if it could have
been so easily broken, no one today would be using it, certainly
Microsoft's Internet Connection Sharing (ICS) would have never seen
daylight. Like Brian said, "probes are being performed 24/7 and have
been for years". If you log intrusion attempts the router log will
probably fill up rather quickly. Instead of logging at the router
perhaps you should use a third party firewall or a tool like Wireshark
and log on your computer on the inside of the NAT device and see what is
actually making it past the router to your computer.

I think that the point that you are leaving out of the picture is that
NAT only allows *solicited* traffic past the gate. It sort of works
like this:

"John John" sends a message to "ToddAndMargo", NAT forwards the message
and remembers this, it "waits" for a reply from ToddAndMargo and when
the reply arrives from ToddAndMargo NAT sends it to John John. While
NAT waits for solicited replies "TomDick&Harry" come by trying to send a
message to John John and NAT says: "John John didn't ask for anything
from "any Tom, Dick and Harry", NAT tells them to get lost and drops the
message, the unsolicited packets never make it any further than this.
Whether or not "any Tom, Dick and Harry" know that John John is home is
almost completely irrelevant, what matters is whether or not John John
invited them in, that invitation is next to impossible to fake!

NAT works like this:

*Outgoing Packet at the NAT*

The NAT will intercept this outgoing packet and create a port mapping
using the destination IP address (server), destination port, external IP
address of the NAT, external port, network protocol, and the internal IP
address and port from the client.

The NAT will maintain a table of these mappings, storing this port
mapping in the table. The external IP address and port are the public IP
address and port to be used for this data traffic in place of the
internal client's IP address and port.

The NAT then "translates" the packet by swapping the source fields of
the packet from the private, internal IP address and port of the client
to the public, external IP address and port of the NAT.

The packet is then sent on the external network (the Internet) to
eventually reach the intended server.

*Incoming Packet at the NAT*

The NAT receives these packets from the server and compares them to its
table of port mappings. If the NAT finds a port mapping where the source
IP address, source port, destination port, and network protocol of the
incoming packet match the remote host IP address, remote port, external
port, and network protocol of the port mapping, the NAT will perform a
reverse translation. The NAT replaces the external IP address and
external port in the destination fields of the packet with the client’s
private IP address and internal port. This is an example of solicited
incoming traffic. The NAT silently discards unsolicited incoming traffic
that does not match a port mapping.

The NAT then sends the packet on the internal network to the client.

Overview of Network Address Translation (NAT) in Windows XP
http://technet.microsoft.com/en-us/library/bb457077.aspx

You are leaving out the part about port mappings, router tables and
*unsolicited* requests from your intrusion scenario. Of course without
these NAT would be next to completely useless, such a flimsy and
completely insecure setup could never be exposed to the internet, you
would have to place a firewall between it and the internet. But NAT is
not designed in such a flimsy manner.

Of course this brings a catch 22 or a chicken or the egg kind of
dilemma. If NAT only allows solicited requests how can anything move
about, somewhere along the line someone has to accept an unsolicited
request. That is what your ISP does with its servers and expensive
border routers, these systems are designed to accept unsolicited
requests, they use different methods to keep the unwanted out, your ISP
may require you to log on to a server or it may only accept unsolicited
requests from known IP or MAC addresses. Without expensive border
routers and elaborate security setups anyone else has to punch holes in
NAT to allow it to pass unsolicited requests, you have to open ports in
the router. If your router is properly secured outsiders cannot open
ports or punch holes in it. And for your simple probes to make it
through masqueraded as solicited traffic they would have to actually
break in to the router and hack the mapping tables! The only other way
that I can think that one may make it in under the guise of solicited
traffic would be by way of a "Man in the middle" attack, not such an
easy thing to do. Much easier to send in malware and have it open holes
from the inside for you.

John

Hi John,

You made me do a lot of research to double check myself. For
an online firewall check to shoot through NAT would require
a full-out spoof attack. Not something a free firewall checking
service would consider doing.

NAT makes it very, very hard to break through, but not impossible.

Here are some good articles on NAT vulnerabilities:

http://www.velocityreviews.com/forums/t201835-nat-router-being-hacked-.html
http://whirlpool.net.au/wiki/?tag=DSL_modemS02_04

I am also somewhat embarrassed as to not taking my own recommendations
as to not using 192.168.0.0/24, which I will change shortly.

What triggered my question is a customer who relies on NAT (only,
no firewall), and he is constantly getting tagged with one
v1rus or another. I am trying to get him off IE, get a
standardized decent antivirus, software firewall, and a *real*
firewall.

The reason I am suspicious of the NAT only router is the machines
that seem to get tagged are usually just sitting there not being used.
Not being used, as the users are afraid to use them -- threats
from the management and all. They are supposed to file a single
report once a day on the Internet. Otherwise, they just sit there.
(Sit there collecting v1ruses.)

I was looking for a way to show him he needed to upgrade to
a real firewall. I have been told that the SonicWALL TZ180 is
good. Any thoughts?

-T
 
What triggered my question is a customer who relies on NAT (only,
no firewall), and he is constantly getting tagged with one
v1rus or another. I am trying to get him off IE, get a
standardized decent antivirus, software firewall, and a *real*
firewall.

NAT has nothing to do with him getting malware on his system.

With all of the issues that have been in the media, anyone getting
malware has just got to be stupid, at least for the most part.

If you want to secure a business, since they will never do the right
thing, at least with all my years of dealing with businesses....

Install a firewall that allows content filtering - block EXE, DLL,
etc... from all connections except the Server or an IT Admin's
workstation. You also AV/content filter SMTP, FTP, HTTP, HTTPS sessions
and you block all IN/OUT connections that are not explicitly needed for
business (which should be the standard for any firewall solution)

Install a managed, corporate type AV solution - like Symantec End Point
Protection - don't give users control of the settings or the ability to
disable it on their workstations.

Install IE settings via Group Policy that the users can't change...

Make all computer users LOCAL USERS, NOT Local Admins....

IE works fine, just make all updates automatic install.

With the above ideas and a little more, I've managed to secure networks
all over the USA and not had a single managed network compromised in my
entire history.
 
ToddAndMargo said:
Hi John,

It is a router.

The trouble with NAT is that the bad guys just slap their
guess as to what your internal off Internet address on
to their probe. They find you very quickly if your internal
off Internet address is 192.168.0.xxx. (Recommendation:
pick an internal address other than 192.168.0.0/24 or
192.168.1.0/24.)

NAT does not stop incoming requests called SYN (TCP) or
state "New" (TCP or UDP). It only stops traffic not
properly addressed to your internal network. Enough
guessing and the bad guys will find you.

NAT is *NOT* a firewall. You take your rear end in your hands
if you rely on NAT to protect you from port probes.

-T

You appear to be looking for an argument here. First of all, if your
router is half-fast working, they'll never get a connect to you to even
see your internal IP.

I believe it was you intimated NAT was a firewall; so you reap what you
posted when people try to help you with your own words and apparent
understanding. There's a LOT more to it than NAT, and properly used, it
does do a pretty decent job of keeping drive-bys from ever even
realizing you're sitting there. I think you need to do a little more
research. Either that or you already know what you want to see as an
answer and want to insist on it.

Either way, you're wasting ether IMO. Mental plonk imposed.
 
A well written response, Leythos. Except I'd say "ignorant" instead of
"stupid" in your second para, otherwise it's spot on IMO.
The reason I say ignorant is the main targets of the
spammer/scammer/social scoundrels often hook the newbie and
inexperienced who haven't yet encountered the problems or had anyone to
lead them to the right areas for Security. There are so many different
things for them to learn, even as they start to pick up on security,
they often go right on inviting the malware in. The anonymity of the
'net sucks.
Twayne
 
The reason I say ignorant is the main targets of the
spammer/scammer/social scoundrels often hook the newbie and
inexperienced who haven't yet encountered the problems or had anyone to
lead them to the right areas for Security.

I disagree. I had a client's wife get an email from her "Bank" talking
about doing a security update and needing her to send them her
user/password and SSN to verify it. This person had been warned many
times, they had also been sent emails multiple times about these things,
they had even seen them in the past and then commented on them (from
other banks).... The news media even did an article on this same type of
threat a month before, it was on several channels and even in the
newspaper.

We've all, and I mean everyone, know that this is a threat and common
method - Ignorance would be NOT KNOWING, "Stupid" is knowing and still
falling for it.
 
Leythos said:
I disagree. I had a client's wife get an email from her "Bank" talking
about doing a security update and needing her to send them her
user/password and SSN to verify it. This person had been warned many
times, they had also been sent emails multiple times about these
things, they had even seen them in the past and then commented on
them (from other banks).... The news media even did an article on
this same type of threat a month before, it was on several channels
and even in the newspaper.

We've all, and I mean everyone, know that this is a threat and common
method - Ignorance would be NOT KNOWING, "Stupid" is knowing and still
falling for it.

Hoo boy! Hard to argue with that, and in retrospect, I've come across
it myself just not to that extreme. That I know of anyway. Hope they
didn't lose their asses over it.
I do think however that it still fits the mold of the inexperienced,
although I can agree to disagree on that point. Hopefully she didn't
lose too much but got enough of a scare to remember it for next time!
But I certainly can't dispute the "stupid" part either.

Regards,

Twayne
 
Hoo boy! Hard to argue with that, and in retrospect, I've come across
it myself just not to that extreme. That I know of anyway. Hope they
didn't lose their asses over it.
I do think however that it still fits the mold of the inexperienced,
although I can agree to disagree on that point. Hopefully she didn't
lose too much but got enough of a scare to remember it for next time!
But I certainly can't dispute the "stupid" part either.

She was lucky, I had just sent an email to clients about the increase in
FAKE BANK spam we were seeing and her Husband sent it home to her. She
called me and I had her call the Banks - they had already put a hold on
all of her accounts because of "suspicious" activity - she actually
provided them with her complete identity and account access. We sent the
information (complaint and email + headers) to the state's ATTY General
as well as the FBI. An interesting note: I traced the website and email
to a hacked server in Italy that was still online at the time.
 
So tell me, why do you love pcbutts








Leythos said:
She was lucky, I had just sent an email to clients about the increase in
FAKE BANK spam we were seeing and her Husband sent it home to her. She
called me and I had her call the Banks - they had already put a hold on
all of her accounts because of "suspicious" activity - she actually
provided them with her complete identity and account access. We sent the
information (complaint and email + headers) to the state's ATTY General
as well as the FBI. An interesting note: I traced the website and email
to a hacked server in Italy that was still online at the time.



--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 
So tell me, why do you love pcbutts

Do you really think it's a place to discuss that? This is an XP group and
should be limited to discussions about XP and solutions presented for
problems related to XP.
 
Brian said:
Hi Brian,

You are correct. You are missing that the probe can include an
internal address as well as the required external address.

An unsuccessful sample attack on my machine for you:

kernel: Incomming SYN IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.46
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=228 DF PROTO=TCP SPT=1030 DPT=80
WINDOW=8192 RES=0x00 SYN URGP=0

Translation:
SRC is my NAT router (192.168.1.1) on my 1st Ethernet port

RST is a virtual machine (192.168.1.46) on my second Ethernet
port that has not run for over three weeks (currently off)

SYN is a SYN packet

The probe got right through my NAT router (and got stopped by my
software firewall). NAT is a good idea in a lot of ways.
And it does stop tons of state=new packets. But, as I have
shown, you can poke through it. It takes a lot more skill,
so it does cut way down on the bad guys attempt to probe
you. But it does not stop all unsolicited state=new probes.
This is why I am telling everyone that doubts me that
*NAT is not a firewall*.

-T

And what makes you think that's a probe instead of a real request? You
mention the DST is a VM, how is that connected to physical port on the
router? Being that it is a VM, what security measures are in place for it?
Being a VM does not make it secure. What is the VM used for, any type of
server or service?


--

Brian A. Sesko
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375
 
ToddAndMargo said:
What triggered my question is a customer who relies on NAT (only,
no firewall), and he is constantly getting tagged with one
v1rus or another. I am trying to get him off IE, get a
standardized decent antivirus, software firewall, and a *real*
firewall.

The reason I am suspicious of the NAT only router is the machines
that seem to get tagged are usually just sitting there not being used.
Not being used, as the users are afraid to use them -- threats
from the management and all. They are supposed to file a single
report once a day on the Internet. Otherwise, they just sit there.
(Sit there collecting v1ruses.)

I was looking for a way to show him he needed to upgrade to
a real firewall. I have been told that the SonicWALL TZ180 is
good. Any thoughts?

SonicWALL has a very good reputation, they are amongst the few that
make reasonably affordable business class routers. But I can't give any
recommendations on any particular model because I don't have any
experience with their products and, more importantly, I don't know the
topology of the network where the product is meant to be installed.

Furthermore, you should listen to what Leythos told you, the virus
problems almost certainly have nothing to do with NAT or the router
being used! Installing a new router will not resolve any virus problems
that are going around on the internal LAN.

John
 
Leythos said:
Do you really think it's a place to discuss that? This is an XP group
and should be limited to discussions about XP and solutions presented
for problems related to XP.

No, I do not. That's the imposter at work; not me.

Twayne`
 
No, I do not. That's the imposter at work; not me.

Twayne`

Sorry, you're right, I failed to check the headers to verify it was you
before I hit send in my reply.
 
John said:
Furthermore, you should listen to what Leythos told you, the virus
problems almost certainly have nothing to do with NAT or the router
being used! Installing a new router will not resolve any virus problems
that are going around on the internal LAN.

John

Oh I certainly am. A real firewall is only one of several parts I
want to implement. I think I said what they are in a previous post.

My only disagreement with Leythos was the stupid comment. All you
have to do is "visit" a compromised web site with Internet Explorer
and you are infected. The users has no control over it, except
stop using IE.

Thank you for the tip on Sonic Wall. I appreciate your input.

These guys with their 127.0.0.1 for compromised sites go
a long way to protecting you too:

http://www.mvps.org/winhelp2002/hosts.htm

-T
 
Brian said:
And what makes you think that's a probe instead of a real request? You
mention the DST is a VM, how is that connected to physical port on the
router? Being that it is a VM, what security measures are in place for
it? Being a VM does not make it secure. What is the VM used for, any
type of server or service?

Hi Brian,

Looking over that report, it is not a good example. It is my idiot
Verizon DSL modem probing my port 80 looking to see if I am running
a web page.

Searching through my logs, I have not found one this week. But
trust me, they are there. I have even heard Kim Komando say
she sees them occasionally on her firewall logs. I believe they
are spoofed packets.

Host: Cent OS 5.3
Guests: XP-Pro-SP3, Vista, W7rc, Kubuntu, LiveCD/Bart test

I am a busy guy. Interesting when you see/use several
OS's how the religious extremism melts away. They all
have their strengths and weaknesses. The only one
I really don't like is Vista. But, the good news is that
w7 really, really cleaned Vista up (except for XP program
compatibility, but they are working on an "XP" box).

-T
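
A triage of the log entry discussed in this thread, as an added example that is not part of the original posts. The entry has the layout of a Linux netfilter LOG line; the function names, the /24 LAN range and the second sample line are assumptions or constructed here, and the origin check assumes the router does not rewrite the source address of traffic it forwards inward.

```python
import ipaddress
import re
from typing import Dict, Optional, Set, Tuple

# The entry quoted in the thread, joined onto one line.
LOG_FROM_THREAD = (
    "kernel: Incomming SYN IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.46 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=228 DF PROTO=TCP SPT=1030 DPT=80 "
    "WINDOW=8192 RES=0x00 SYN URGP=0"
)

# Constructed for comparison: the same kind of entry with a source address
# outside the LAN (documentation range), as a forwarded connection would show.
CONSTRUCTED_OUTSIDE = (
    "kernel: Incomming SYN IN=eth1 OUT= MAC= SRC=198.51.100.7 DST=192.168.1.46 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=40112 DPT=80 "
    "WINDOW=8192 RES=0x00 SYN URGP=0"
)


def parse_netfilter_log(line: str) -> Tuple[Dict[str, str], Set[str]]:
    """Split an entry into KEY=value fields and bare flags (DF, SYN, ...).

    Parsing starts at IN= so words in the free-text prefix (here
    'Incomming SYN') are not mistaken for packet flags.
    """
    start = re.search(r"\bIN=", line)
    if start is None:
        raise ValueError("no IN= field: not a netfilter LOG entry")
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for token in line[start.start():].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value          # OUT= and MAC= yield empty strings
        else:
            flags.add(token)
    return fields, flags


def triage(line: str, lan: str = "192.168.1.0/24") -> Dict[str, object]:
    """Summarise who sent the packet and whether it opens a new connection."""
    fields, flags = parse_netfilter_log(line)
    lan_net = ipaddress.ip_network(lan)
    src = ipaddress.ip_address(fields["SRC"])
    dpt: Optional[int] = int(fields["DPT"]) if "DPT" in fields else None
    return {
        "src": str(src),
        "dst": fields["DST"],
        "dpt": dpt,
        "ttl": int(fields["TTL"]),
        # SYN without ACK is the first packet of a TCP handshake.
        "new_connection": "SYN" in flags and "ACK" not in flags,
        # A source inside the LAN range was sent by a device on the local
        # segment (here the router/modem itself), not relayed from outside.
        "origin": "lan" if src in lan_net else "outside",
    }


if __name__ == "__main__":
    for sample in (LOG_FROM_THREAD, CONSTRUCTED_OUTSIDE):
        print(triage(sample))
```
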
 
<snipped>
Read the entire conversation:
http://groups.google.com/group/micr...p.general/browse_frm/thread/3c579a58e5ce5a68/



Leythos wrote:
With all of the issues that have been in the media, anyone getting
malware has just got to be stupid, at least for the most part.
<snip>

<snipped>

ToddAndMargo wrote:
My only disagreement with Leythos was the stupid comment. All you
have to do is "visit" a compromised web site with Internet Explorer
and you are infected. The users has no control over it, except
stop using IE.
<snip>

Seriously?

I am surprised (given your other comments) you can say something like, "The
users has no control over it, except stop using IE." Not all problems
center around Microsoft created anything. You can (and people do) get
infested/infected using all sorts of different browsers. ;-)

I do disagree with the Leythos quote (above - although I haven't checked to
confirm it was actually Leythos who posted it) in that people can be
intelligent and even careful and still get infested/infected; but for you to
say that the users have no control over such things except to stop using
Internet Explorer - that does show some level of at least self-inflicted
blindness on your part.

I personally use Firefox and Internet Explorer just about evenly. I use IE7
for the most part but have 'upgraded' to IE8 on several machines. In many
ways - some of the features others may find useful, I find a bit annoying -
but I am sure I will get used to them and even probably miss them eventually
on non-'upgraded' machines.

For the most part - users of the machines I help manage utilize IE7. They
have the option (always have) of using Firefox - but some (could be because of
limitations of web pages and plugins they have to use) don't use it at all
and others only click on it infrequently (sometimes I think out of curiosity
or strange accident.) There are some that use it a lot, excluding when they
need to use the certain pages I alluded to.

*None* have become infected/infested. They've had scares (in both cases) -
but thanks to the setup (which consists mainly of them being 'user-level'
and protected by AV/AS with the built-in firewall enabled and most behind a
drawbridge firewall - the latter two of which have little effect in this
discussion of spyware/adware infection via web pages) they have not been
infested/infected in the years I have been around and helping to manage
them.
 
Shenan said:
Leythos wrote:

<snip>

<snipped>

ToddAndMargo wrote:


Seriously?

I am surprised (given your other comments) you can say something like, "The
users has no control over it, except stop using IE." Not all problems
center around Microsoft created anything. You can (and people do) get
infested/infected using all sorts of different browsers. ;-)

I like to use several overlapping security features to protect
my users. One of them is to get off IE. IE has a L-O-N-G soiled
reputation for being security swiss cheese. And, yes, if a
user lands on a compromised site, he typically has no control
over it, depending on the virus.

By the way, Mozilla pays for security bugs last I heard. And,
they usually fix them in two days. Compare that with IE, which
is a week to never.

There is no religious extremism here. It is just the way it
is. IE is just bad (security) code. There are all sorts of
charts out on the Internet comparing security problems in
Firefox to IE. They will open your eyes. Microsoft makes
other good stuff -- don't get your knickers in a twist.

-T
 
<snipped>
Read the entire conversation:
http://groups.google.com/group/micr...p.general/browse_frm/thread/3c579a58e5ce5a68/




Leythos wrote:
With all of the issues that have been in the media, anyone getting
malware has just got to be stupid, at least for the most part.
<snip>

<snipped>

ToddAndMargo wrote:
My only disagreement with Leythos was the stupid comment. All you
have to do is "visit" a compromised web site with Internet
Explorer and you are infected. The users has no control over it,
except stop using IE.
<snip>

Shenan said:
Seriously?

I am surprised (given your other comments) you can say something
like, "The users has no control over it, except stop using IE." Not all
problems center around Microsoft created anything. You can
(and people do) get infested/infected using all sorts of different
browsers. ;-)
I do disagree with the Leythos quote (above - although I haven't
checked to confirm it was actually Leythos who posted it) in that
people can be intelligent and even careful and still get
infested/infected; but for you to say that the users have no
control over such things except to stop using Internet Explorer -
that does show some level of at least self-inflicted blindness on
your part.
I personally use Firefox and Internet Explorer just about evenly. I use
IE7 for the most part but have 'upgraded' to IE8 on several
machines. In many ways - some of the features others may find
useful, I find a bit annoying - but I am sure I will get used to
them and even probably miss them eventually on non-'upgraded'
machines.
For the most part - users of the machines I help manage utilize
IE7. They have the option (always have) of using Firefox - but
some (could be because of limitations of web pages and plugins they
have to use) don't use it at all and others only click on it
infrequently (sometimes I think out of curiosity or strange
accident.) There are some that use it a lot, excluding when they
need to use the certain pages I alluded to.
*None* have become infected/infested. They've had scares (in both
cases) - but thanks to the setup (which consists mainly of them
being 'user-level' and protected by AV/AS with the built-in
firewall enabled and most behind a drawbridge firewall - the latter
two of which have little effect in this discussion of spyware/adware
infection via web pages) they have not been infested/infected in
the years I have been around and helping to manage them.
I like to use several overlapping security features to protect
my users. One of them is to get off IE. IE has a L-O-N-G soiled
reputation for being security swiss cheese. And, yes, if a
user lands on a compromised site, he typically has no control
over it, depending on the virus.

By the way, Mozilla pays for security bugs last I heard. And,
they usually fix them in two days. Compare that with IE, which
is a week to never.

There is no religious extremism here. It is just the way it
is. IE is just bad (security) code. There are all sorts of
charts out on the Internet comparing security problems in
Firefox to IE. They will open your eyes. Microsoft makes
other good stuff -- don't get your knickers in a twist.

Let's do clarify one thing - if Microsoft disappeared tomorrow completely -
I could care less. No celebration, no mourning - just a different day.

It was not that you were attacking Microsoft that prompted my response - it
was/is the inference of "you'll be safe if you don't use IE" in the
statement you made I was referring to. A little too specific to ring true.
If you had said the same thing about Opera or FireFox - the response would
have been no different.

Reputations (good and bad) are often exaggerated to ridiculous proportions
by such blanket statements such as the one you made. I just wanted to chime
in before someone read it and took it as gospel.

While I personally will (and have) recommend people use alternative browsers
(to Internet Explorer) for various reasons, including security - the
statement you made should have been broader, IMO.

'These days, all you have to do is "visit" a compromised web site and you
may get infected/infested.'

You may be using the latest Firefox, the latest Opera, the latest Internet
Explorer with the latest patches on each of them. You might even have other
protections in place beyond that afforded to you by the browsers themselves.
You can still be blind-sided and that changes every day.

Give and take.
 
