Cost-effective Firewall ?

10:10

Not too long ago, we learned that both AMD and Intel can be rooted at pre-BIOS levels. This means if our computers get infected now, it will cost actual money because the motherboard will need replacement. Granted, those attacks aren't easy, but it is possible, and as more scripts get automated and third-party installations do a bad job protecting their software's updates, it is now possible to get infected even from a trusted source.

Everyone knows where this is going. It will only take one single Microsoft update that is compromised to infect essentially all computers globally. That is scary, and I doubt even a firewall can protect against this. One low level attack was done to the point that the person lost his physical drives, but this was due to hack-ware or a RAT that he installed on his computer, essentially willingly/unknowingly.

But again, we also know that Stuxnet happened.

As a noob developer, and as someone that doesn't have a lot of money, losing my computer to something like this would end me. I would lose what little income I have, and I would lose all my accounts and everything else. It is scary and we should not downplay this. I am not the only South African noticing that the rand/dollar is over R18 as of posting this. Replacing stuff is going to be crazy expensive.

I know VMs are a thing, but it is impractical because I need essentially 2 OSes running on my computer. I need direct access to my GPU, as Unity doesn't like VMs on my system. I tried it; it was slow.

So I grabbed a very old laptop, installed an SSD for boot speed, and Linux Mint. This is my main window into the internet now. My main laptop is isolated. I don't even want to run updates on it. I just want to keep it offline and physically disconnected. But this doesn't always work.

So my thinking is: will a firewall stop anything? Is it useless? I don't know, so what hardware are you using to protect yourself? I tried Pi-hole but it is useless. It can't even block ads.
 
The security controls you need are determined by your threat model. This is also risk related, risk being a function of probability and impact - you have identified that malware is a concern to you and would have a high impact.

For example, regardless of the delivery method, the impact of a root kit on your PC would be the same but I would suggest there is a lower probability of you getting infected from an official Windows update than getting infected because you had an un-patched vulnerability in your OS or an application. It is therefore more risky to you to not apply patches.

You want defense in depth - multiple layers of defense. If one control fails, hopefully another one will stop or contain the breach.

Based on what you have described above I would suggest some controls you might consider:
  • Not specifically for malware, but network and host-based firewalls are good controls in most (all?) situations
  • Keep your OS and applications up to date with security patches
  • Make sure all your software comes from trustworthy, official sources
  • Anti-virus on your devices, including Linux and Mac. You may want to invest in one with more advanced EDR/XDR features as malware is a particular concern to you
  • You have already implemented compartmentalisation with your spare laptop - using a VM for browsing might be more convenient than a separate device. Windows also has Windows Sandbox and Application Guard browser windows. Also take a look at QubesOS, which is designed for this.
  • Separate your home network into trusted and untrusted VLANs. So if your browsing computer gets infected it can't affect the data that you care about.
  • Enable Secure Boot, which is designed to prevent untrusted software loading during the boot sequence
  • Do what @Willie Trombone said above so you learn to recognise social engineering and any unsafe browsing habits you might have.
  • Back up data you care about
 
The chances of a 0-day in a Microsoft update that affects the world are slim, and a kernel exploit would be wasted on some guy doing a bit of dev work. Those take hundreds of hours to develop, and only 0.1% of the population have the know-how to program at that level.

If you want to be safe, keep your work up to date with the OWASP Top 10. Learn how to code without being susceptible to those. Many programmers have no idea that just because code works doesn't mean it's safe.

Keep up to date with the things that are new and easy to exploit, like Log4j. So many systems are still susceptible to this it's crazy.

Create a GitHub account, make it private, and make as many commits as you can to not lose your code. You can't lose it if it's online, or you can make a daily backup to a hard drive if you don't trust the internet.

Please update everything as soon as you can. NOT updating is a mistake: when facing a system that has maybe 10 ports open, a scan is done to check service versions, and the one that is outdated is almost always checked first as it has a greater chance of being vulnerable.

Do some research on ufw; see what you can and can't disable. There are many things enabled that are easy points on a Linux system that you can turn off. The thing is, I doubt a hacker is going to spend 4-5 days messing around for no gain.
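An added example (not code from any poster in this thread) of the two Linux-side checks this post points at: listing which services are listening on non-loopback addresses (the ones reachable from the network, and therefore the ones worth disabling or restricting), and printing a default-deny ufw baseline for review. It assumes iproute2's `ss` and ufw are available; the sample `ss` output is constructed, and 192.168.10.0/24 as the "trusted VLAN" subnet is a placeholder.

```shell
#!/bin/sh
# Added example, not code from this thread. Assumes a Linux host with
# iproute2 `ss` and ufw; 192.168.10.0/24 as the trusted subnet is an assumption.

# Constructed sample of `ss -Hltn` output (listening TCP sockets, no header)
# so the script runs offline; the live host is queried further down.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 *:5353 *:*
LISTEN 0 511 [::1]:6379 [::]:*
LISTEN 0 128 [::]:22 [::]:*'

# exposed_listeners: reads `ss -Hltn` lines on stdin and prints "addr:port"
# for every socket bound to a non-loopback address, i.e. reachable from the
# network. Loopback-only services (CUPS on 631 and Redis on ::1 in the sample)
# can be left alone; everything printed is a candidate to disable or to
# restrict with a firewall rule.
exposed_listeners() {
    awk '{
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[0-9]+$/, "", addr)   # everything before it
        if (addr ~ /^127\./ || addr == "[::1]") next
        print addr ":" port
    }'
}

# ufw_baseline TRUSTED_CIDR: prints a default-deny inbound rule set that
# still allows outbound traffic and rate-limited SSH from the trusted subnet
# only. Printed rather than executed so it can be reviewed before running
# it as root.
ufw_baseline() {
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw limit from $1 to any port 22 proto tcp" \
        "ufw enable"
}

echo "== exposed listeners (constructed sample) =="
printf '%s\n' "$SAMPLE_SS" | exposed_listeners

if command -v ss >/dev/null 2>&1; then
    echo "== exposed listeners (this host) =="
    ss -Hltn | exposed_listeners
fi

echo "== ufw baseline to review, then run as root =="
ufw_baseline 192.168.10.0/24
```

On the constructed sample the audit reports `0.0.0.0:22`, `*:5353` and `[::]:22`; the loopback-only CUPS and Redis sockets are filtered out. The `limit` rule is ufw's built-in connection rate limit, which blunts password guessing against SSH without closing the port to the trusted subnet.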


 
Step 1 - take a breath.

You will unlikely be compromised by malware infecting your BIOS.

The majority of attacks come from social engineering. Do not click links or open attachments on untrusted mails. Even treat trusted mails as suspicious.

The standard things that every organization should be doing still hold true. Make sure you have backups, strong password policies, use a proxy with content filtering if possible, OS and application patches up to date, AV running and up to date (the number of times I've seen IT departments roll out AV and not keep it up to date is surprising).

A firewall is far from useless; it is still a requirement for protecting devices in a network. Without firewalls it would be chaos.
 
Buy a Mac.
Apple » Mac Os X : Security Vulnerabilities

So here is what I did: grabbed an ISO file, burned it to a CD, took the hard drive out of an old laptop and just booted from the CD. If it restarts, it is essentially a new installation. Set up a VLAN on my router so that the laptop can't see my other devices or network. Set up a VLAN for my phone.

I will update my Windows at midnight, and all my software is light so keeping it all up to date isn't a problem. I created a script that accesses my network adapters on my main laptop so that I can disable the network adapter. I will only turn it on when I want to update something.

I run Microsoft antivirus, it has malware protection. I also use Microsoft Safety Scanner and scan my laptop every third day. And do a fast scan every day when I boot up and when I power down. I have Antivirus on my phone and tablet.

I will look into setting up my own firewall soon.
 
Your original concern was being rooted pre-BIOS.

Nobody said MacOS doesn't have vulnerabilities, nothing is quite perfect....it's still a **** load more secure than anything else.

Also, search for the word "fixed" in your own link....it tells an amazing story.
 
You're just making your life more complicated by trying to prevent a VERY unlikely problem from occurring.
 

Limited to 6 GB RAM for the free version. I recommend a PC or something with 2 or more network adaptors. Running it as a VM means your host is still WAN-facing unless you disable the host's network adaptor and only let the VM NAT through it:



Also the web filter will be on off the bat and it's an ad blocker as well. Good luck.

If you know what you're doing it's pretty powerful stuff.

Buy a Mac.

How long did OSX Sierra run with no password on its admin account?
 
As an average person, unless you work with government, company or military secrets, you have absolutely no need for this level of isolation.

I have big doubts that any red-teamer would use a 0-day RCE UEFI vulnerability on the mass internet as opposed to using it to target a bank or something. In which case, the economy is screwed anyway. :D

A plain layer-4 firewall isn't going to assist you in any way, shape or form with regards to BIOS-level attacks.
Anything of that kind will most likely be a zero-day, for which there is no protection anyway.

If you turn off UPnP on your bog-standard home router you end up with a zero-inbound network.

As an average user, just make sure you have a decent AV that is up to date.
If you want to be a bit more advanced, deploy a NGFW like Sophos Home, it's pretty good and gives you nice visibility on traffic.
On top of that, using something like Pi-hole works wonders once you've correctly configured it with the required blocklists. (Not sure why yours wasn't working?)
Also keeping some good backups, because if you are compromised you'll probably be hit with ransomware.

As a security solutions architect, that's all I use at home.
NGFW Gateway + Pihole + Antivirus

Even with all of this, you're more likely to be compromised by accidentally falling for a phishing SMS and handing your bank account details out.
 