PC as a firewall?


JorgeA

@JorgeA

If you want to stay (almost) totally protected, you should be looking into transforming a PC into a proxy server. This is what I did at work to filter and monitor the VPN connection to the internet, using ClearOS as the operating system.

nitroshift

I find it hard to gather from the website. Is ClearOS an xNix type system? What is it based on? When it says it's web-based, do they mean akin to ChromeOS?



From https://en.wikipedia.org/wiki/ClearOS:


ClearOS (formerly named ClarkConnect) is a Linux distribution, based on CentOS and Red Hat Enterprise Linux,[3] designed for use in small and medium enterprises as a network gateway and network server with a web-based administration interface.[4] It is designed to be an alternative to Windows Small Business Server.[5] ClearOS succeeds ClarkConnect. The software is built by ClearFoundation, and support services can be purchased from ClearCenter.[6] ClearOS 5.1 removes previous limitations to mail, DMZ, and MultiWAN functions.[7]

As of the ClearOS 6.1 release, the distribution is a full-featured operating system for servers and workstations built from source packages for Red Hat Enterprise Linux.[8][9]

Cheers and Regards


The only problem with this setup is if somebody is trying to target you and decides to use extreme force against that setup. Like the Nixon Watergate scandal.


ROTS, you really are getting borderline political, aren't you?

http://www.msfn.org/board/index.php?app=forums&module=extras&section=boardrules

2.b Topics devoted to political or religious debate, unless technology related, are prohibited. MSFN is a technology forum and both political and religious debates have caused many problems and distractions in the past. Political or religious links in signatures or polite, courteous comments in non-political or non-religious topics are allowed, but we cannot allow any topics in which the sole purpose is to debate political or religious issues.

Why are you trolling the MSFN Forum to voice opinions? Can you not contribute something useful? This topic was NOT about anything BUT

A (hopefully) quick question here: is there any security or privacy benefit to using a dedicated PC, either before or after a NAT router, as a firewall for a network of other local computers?

Please stop as you are becoming an irritant. Your rant has NOTHING to do with the Topic and holds no relevance and IMHO you are instigating. :realmad:

Not cool, dude! :no:


I've read in a number of places that you can't really totally protect your PC from an attacker who's determined enough to get into your system and has enough resources to try it, so the first part of ROTS's post may be germane to the discussion. If the assertion is true, then the best you can hope for is to raise the cost of hacking you to a high enough point that it will deter some percentage of would-be attackers and they'll move on to a softer target. Sort of like putting locks on the house door and windows, and installing an alarm system. A determined enough attacker can still set off a bomb to blast a hole in your house wall, and get in. :ph34r:

Any thoughts on that? Am I being too pessimistic about the prospects for true (and not just relative) PC security?

--JorgeA


"True (and not just relative) PC security"?

As you say, it all depends on security from whom. From a determined enough hacker with enough resources, I don't think there is any true total security. I think it is always relative. But assuming you are an ordinary user and have not done something to make yourself a target of such a hacker or organization, then I believe that in most cases a good router, a decent and updated software firewall, an up to date anti-virus / anti-malware package, and most importantly good common sense should protect you at least 99.9999% of the time. (And yes, I pulled that number out of my ... ear.)

I don't know that using a separate computer provides that much more security, but what it does do is take that job out of your main computer, assuming that was what used to be handling the job, so I would think you should get less of a performance hit and better system response as a result.

Cheers and Regards


I don't know that using a separate computer provides that much more security, but what it does do is take that job out of your main computer, assuming that was what used to be handling the job, so I would think you should get less of a performance hit and better system response as a result.

Actually yes/no.

An external firewall (be it "firmware based" or a "real PC" with a "firewall oriented OS") is in any case an additional layer (unless of course you set it to be plain "pass-through") or, if you prefer a further "hop", which will at least delay or make more complex the intrusion.

How much more safe it is of course depends on the settings (and quality/robustness) of the "external" device and of course on the quality/robustness of the on-PC firewall with which the setup is compared.

To reply to JorgeA, there are generally speaking two different kinds of attacks:

  1. the ones specifically targeting "you" that "they" will attempt
  2. the ones targeting the masses that "common" hackers perform

For those of type #1, it depends greatly on who are the "they", as said a Government agency or a multinational may have means that we cannot even imagine, if "they" are after you, they ALREADY got you.

For those of type #2 instead there is the good old bear strategy:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

http://www.forensicfocus.com/Forums/viewtopic/p=6567580/#6567580

it is not so much important that you are safe, the important thing is that you are safer than a large amount of people. ;)

jaclaz


If I lived in a country where the government seeks to monitor Internet users' activities ;) , would it help to set up such a firewall PC in addition to a router, or not really?

You mean like in Communist Russia? ;)

http://www.msfn.org/board/topic/155290-windows-8-deeper-impressions/page-151#entry1047135

I'm sure he means the United Dumbasses. They asked for the "monitoring" of activities after 9/11 but now they're crying about how "unconstitutional" it is.


(And yes, I pulled that number out of my ... ear.)

:lol:

Thanks for the thoughts about "true" vs. "relative" PC security. You confirmed my leaning in that direction.

--JorgeA


An external firewall (be it "firmware based" or a "real PC" with a "firewall oriented OS") is in any case an additional layer (unless of course you set it to be plain "pass-through") or, if you prefer a further "hop", which will at least delay or make more complex the intrusion.

How much more safe it is of course depends on the settings (and quality/robustness) of the "external" device and of course on the quality/robustness of the on-PC firewall with which the setup is compared.

To reply to JorgeA, there are generally speaking two different kinds of attacks:

  1. the ones specifically targeting "you" that "they" will attempt
  2. the ones targeting the masses that "common" hackers perform

For those of type #1, it depends greatly on who are the "they", as said a Government agency or a multinational may have means that we cannot even imagine, if "they" are after you, they ALREADY got you.

For those of type #2 instead there is the good old bear strategy:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

http://www.forensicfocus.com/Forums/viewtopic/p=6567580/#6567580

it is not so much important that you are safe, the important thing is that you are safer than a large amount of people. ;)

jaclaz

That was good reading. I see you had something to contribute in that thread. :)

Two questions:

A.

An external firewall (be it "firmware based" or a "real PC" with a "firewall oriented OS") is in any case an additional layer (unless of course you set it to be plain "pass-through") or, if you prefer a further "hop", which will at least delay or make more complex the intrusion.

How much more safe it is of course depends on the settings (and quality/robustness) of the "external" device and of course on the quality/robustness of the on-PC firewall with which the setup is compared.

For the security of the network being protected, does it matter whether the "firewall PC" is placed before or after the hardware firewall (the router)? Or not really? (maybe a case of M x N = N x M)

B. (a separate, independent question)

For those of type #1, it depends greatly on who are the "they", as said a Government agency or a multinational may have means that we cannot even imagine, if "they" are after you, they ALREADY got you.

Suppose that "they" haven't targeted you yet, as you haven't popped up on "their" radar. Let's say that you have been a good obedient serf all along but are getting fed up. Can a dedicated firewall PC (on top of a hardware firewall) somehow help to protect you from getting hacked?

--JorgeA

Edited by JorgeA

A. No, a firewall (PC or the like acting as firewall) is a device that has two NICs; it goes between the LAN and the DSL modem/router (the router basically has a DSL connection to the land line and a NIC connection for the LAN).

B. No, the sheer moment "they" get you on "their" radar, all your bases are belong to "them" ;).

jaclaz
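
The placement described in the answer above (a two-NIC firewall PC between the DSL modem/router and the LAN), as an added example that is not part of the original thread: a minimal nftables ruleset for a generic Linux box, not ClearOS's own configuration. The interface names `eth0` (toward the DSL router) and `eth1` (toward the LAN), the SSH admin port and the choice to masquerade rather than route are assumptions.

```nftables
#!/usr/sbin/nft -f
# Dual-homed firewall PC: DSL router <-> [eth0 | firewall | eth1] <-> LAN
# Assumed interface names; adjust to the actual NICs.
# Forwarding must also be enabled: sysctl net.ipv4.ip_forward=1
flush ruleset

define WAN_IF = "eth0"   # NIC cabled to the DSL modem/router (assumption)
define LAN_IF = "eth1"   # NIC cabled to the LAN switch (assumption)

table inet filter {
    # Traffic addressed to the firewall PC itself
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Administration only from the LAN side, never from the router side
        iifname $LAN_IF tcp dport 22 accept
        iifname $LAN_IF icmp type echo-request accept
    }

    # Traffic passing through the firewall PC between the two NICs
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may open connections outward
        iifname $LAN_IF oifname $WAN_IF accept
        # Anything new arriving from the router side is logged (rate
        # limited) and then falls through to the default drop policy
        iifname $WAN_IF limit rate 10/minute log prefix "fw-wan-drop: "
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide the LAN behind the firewall PC's WAN-side address
        oifname $WAN_IF masquerade
    }
}
```

The file can be syntax-checked with `nft -c -f <file>` before loading it with `nft -f <file>`. With this in place, a connection initiated from the router side reaches the LAN only if both the router and this default-drop forward chain allow it, which is the "additional layer" the thread discusses.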


Thanks, jaclaz. So if I do this, I'll put the firewall PC between the DSL router and the LAN. Now I get to study the best firewall configurations for this purpose! :thumbup;)

Too bad about "B".

--JorgeA
