Home vs. university computer security
November 10, 2005 4:22 PM

Computer security question. Is a typical home PC, when it's connected to the net via a cable to a DSL modem, any more or less secure against intrusions than if the same computer were plugged into the network on the campus of a typical, large American university? Say, for example, a UC campus.
posted by shoos to computers & internet (23 comments total)
Probably about the same overall. The campus possibly has a firewall of some sort, but in that case there are still plenty of people behind the firewall, and probably many of them have a false sense of security.
posted by kindall at 4:25 PM on November 10, 2005


The security of the machine remains constant, though it would be marginally safer on a typical administrated network.
posted by Ogre Lawless at 4:29 PM on November 10, 2005


From what I've seen, viruses spread like wildfire on a campus network, but it has some sort of protection from the internets via a firewall.

A PC at home doesn't have the hundreds of infected PCs looking to infect it, but home PCs don't usually have a firewall.

In either case, something like a software firewall, Zone Alarm for example, would be a good idea for either situation.
posted by lemonfridge at 4:30 PM on November 10, 2005


A lot of people specifically target network blocks owned by large ISPs like Comcast, looking for clueless home users to take over.

Otoh, a lot of people specifically target network blocks owned by universities, looking for juicy targets they can use to get a foothold in the university's network.

Probably about the same overall, as kindall says.
posted by agropyron at 4:31 PM on November 10, 2005


Same.
posted by ori at 5:22 PM on November 10, 2005


I agree with the comments above, though the exception to this is the sort of intrusion which first attacks through a local network, the way many Internet worms do.

I can think of a slurry of protocols across UNIX, Apple, and Windows that 'trust' computers in the same subdomain as yours by default. The most insecure of these have been exploited in the past, and caused chaos on large business and campus networks.

It really depends on the University. Some schools exhibit great defensive policies and properly monitor their traffic. Others are trainwrecks waiting to happen. I think the same could be said for ISPs. I'm sure there are at least a few ISPs out there that protect their netizens with some level of diligence.
posted by onalark at 5:38 PM on November 10, 2005


In either case, something like a software firewall, Zone Alarm for example, would be a good idea for either situation.
posted by lemonfridge at 4:30 PM PST on November 10 [!]


Software firewalls don't do shit. Make sure you have at the very least a linksys, d-link, netgear or other consumer hardware firewall/router product. It provides another layer of security (a local LAN). You just can't trust a Windows box to sit directly on the Internet.
posted by angry modem at 5:46 PM on November 10, 2005


University IT staff is usually (not always, though) close to incompetent, so no, there's really no difference.
posted by cmonkey at 5:51 PM on November 10, 2005


Same.

"Software firewalls don't do shit"

Well, they do something. I think what Angry Modem is after here is the primary directive of "defense in depth". Castles didn't just have moats, they have hot oil, archers, strong doors, etc. I.e., one solution isn't enough when it comes to computer security. Throw everything you've got at the problem: firewall at your cable modem, firewall at your computer; WPA at the MAC layer (or actual wires); a VPN to your place of work if available for the network layer; SSL/SSH when typing passwords at the transport layer; and passwords or other authentication at the application layer.
posted by about_time at 5:56 PM on November 10, 2005


"Software firewalls don't do shit"

see, i'm in the line of thought that a packet filter, if properly used, is going to protect against everything but unpatched exploits, which, if they are so new that microsoft has not released a security pack for them, are probably only going to be in the hands of your knowledgeable folks, who've probably got better targets than your shitty home computer. Am i incorrect in thinking this? Is there an exploit so common for a fully patched and well-filtered windows machine that it is available to the script kiddies?
posted by fishfucker at 7:38 PM on November 10, 2005


cmonkey: You made me cry. :( (I am a university network administrator. I'm one of the good ones that keeps up with their boxes, I swear!)
posted by chota at 7:59 PM on November 10, 2005


Assuming that the university just provides connectivity and nothing more, like a cable ISP, you're in slightly more danger at school. You're a high-value target for other people there, and some of them will know exactly how to hack you. And most viruses try to infect machines that are 'nearby' from a numeric standpoint before ones that are far away, so you're a bit more at risk from clueless users as well. (University networks, from what I've been told, seem to have a large preponderance of both very smart and very stupid computer users, for whatever reason.)

In both networks, you have Rest Of World out to get you. This is where the university can potentially be much safer. If they run a high-grade net with firewalls, intrusion detection, and active internal traffic monitoring, your risk would be enormously lower. But those services are brainpower-intensive to apply... they take smart people to implement and then monitor. Labor is cheap for universities, but it's not free, and many of them are very stingy.

On average, an unprotected, unpatched Windows PC will last under five minutes directly connected to the Net. This is NOT long enough to get patches and get safe. You NEED a firewall. The built-in XP one is adequate for most uses, but because it's configurable by programs you install, you can open security holes without realizing it. Having an external firewall is usually the best idea, IMO.

Assuming you don't have the ability (or a friend with the ability) to hack together an OpenBSD firewall, the best of all possible worlds, the Linksys WRT54GS is a nice router/firewall/wireless access point that's based on Linux, and gets regular firmware updates. If you install that between your network drop and your computer(s), you'll be reasonably well protected. You can just turn off the wireless network if you don't need it... make sure you do so if you're not using it! They run about, oh, $80 or so, if you look around.

A firewall alone will not make you safe or secure. You can still do stupid things. But it helps protect from configuration mistakes on your part, and security problems on Microsoft's.
posted by Malor at 8:06 PM on November 10, 2005


I disagree, btw, that software firewalls 'don't do shit'. If you don't have access to a hardware firewall, the XP internal one is at least decent, and WAY better than nothing. Do a hardware one if you can, but the software one is OK in a pinch.

You just have to be careful not to allow anything through it, particularly when you're first patching up to current release code.
posted by Malor at 8:11 PM on November 10, 2005


I have fixed a lot of spyware infested Winboxen for a lot of people, and I must also disagree that "software firewalls don't do shit". In my experience, the good ones do perfectly adequate shit, and the trouble with the bad ones is that they do too much shit.

If your aim is to set up an Internet-worthy Winbox, and your connection is a modem (DSL or dialup) rather than a NAT router, you need a software firewall. The Windows XP firewall is fine if properly set up, but has some gotchas.

The worst of these is that if you have both a LAN card and a modem in your box, Windows XP will allow a firewall exception (hole) for file and print sharing, by default. This is of course completely stupid.

Turn off ALL the exceptions. Under NO circumstances should you EVER use Windows file and print sharing over a plain WAN connection - if you're going to do it, you need to tunnel it through a VPN to make it safe.

If you're going to share files across your LAN, you can turn the file and print sharing exception back on for just the LAN card - this is hidden behind an Advanced tab somewhere but it can be done.

In my experience, installing a fancier software firewall into Windows XP is a waste of time and money. Most of the fancy ones have application-level control - you get to choose which applications are allowed to establish WAN connections and which are not. The troubles with this are (a) unless you know what you're doing, it's fairly easy to break things you didn't intend to - like printing - by accidentally blocking loopback network access for obscurely-named system processes and (b) if you're running apps on your machine that you need to keep under control this way, you're basically hosed anyway.

The best way I know to keep a Windows XP box clean, whether it's connected directly or indirectly to the Internet, is to set the box up with a single Computer Administrator user account that ONLY gets used for administrative tasks (installing/modifying software, printers and whatnot) and using Limited user accounts for day to day work. That way, if something nasty does crawl in through your web browser or email client, it doesn't get enough privileges to do serious damage to your Windows installation; at most it will inconvenience the user who cops it.

If you check your firewall settings after each software installation, you can be confident that you won't break them unexpectedly just by using the software; Windows doesn't allow limited users to modify firewall settings.

Most college computers are set up with limited rights for most users, which makes them harder to infest than most home computers (which, unfortunately, are not). Most college computers are also kept up to date with security patches and service packs. You should do that, too. If you have Windows XP, install Service Pack 2.

Ditch Internet Explorer and Outlook Express. Using Firefox for web browsing (preferably with the Adblock Plus and Adblock Filterset.G Updater extensions installed), and Thunderbird for email, will stop your box from actively trying to infest itself with nasty diseases.

Windows 98 boxes can be adequately firewalled using the SoftPerfect Personal Firewall. This is a small, free, plain-vanilla stateful packet filter. The only gotcha with it is that its default filter rules allow your machine to respond to Ping requests by default; to fix that, replace the default ICMP rule with a pair, one of which allows outgoing ICMP traffic and the other of which blocks incoming.

Windows 98 doesn't have any notion of limited-rights users, so it's doubly important to avoid Internet Explorer on a 98 box.

Look, I used to believe all that stuff you hear about Windows being so insecure it would catch fire and burn your house down if it heard a modem dialling two rooms away, but in my experience that's only true of the standard out-of-box configuration supplied by most PC vendors. If you take the time to set it up properly before going online with it, it's fine.
posted by flabdablet at 9:10 PM on November 10, 2005
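
Added example, not part of flabdablet's post and not SoftPerfect's code: a toy Python model of the ICMP rule pair described in the comment above (allow outgoing, block incoming) next to a single allow-all ICMP rule. It assumes a stateful filter that pairs echo replies with pings the host itself sent; the class, rule format and sample packets are constructed for illustration.

```python
# Toy stateful packet filter (constructed model, not SoftPerfect's engine).
# Rules are checked in order; the first match wins.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str       # "in" or "out", relative to the protected host
    proto: str           # "icmp", "tcp", ...
    peer: str            # remote address
    icmp_type: str = ""  # "echo-request" or "echo-reply"
    icmp_id: int = 0     # ICMP identifier, pairs a reply with its request

# Assumed shape of a default rule that lets the host answer pings.
DEFAULT_RULES = [("any", "icmp", "allow")]
# The replacement pair from the post: allow outgoing ICMP, block incoming.
PAIR_RULES = [("out", "icmp", "allow"), ("in", "icmp", "block")]

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.pending = set()  # (peer, icmp_id) of pings this host sent

    def check(self, pkt):
        # State check first: a reply to a ping we sent is let through.
        if pkt.direction == "in" and pkt.icmp_type == "echo-reply" \
                and (pkt.peer, pkt.icmp_id) in self.pending:
            self.pending.discard((pkt.peer, pkt.icmp_id))
            return "allow"
        for direction, proto, action in self.rules:
            if direction in ("any", pkt.direction) and proto == pkt.proto:
                if action == "allow" and pkt.direction == "out" \
                        and pkt.icmp_type == "echo-request":
                    self.pending.add((pkt.peer, pkt.icmp_id))
                return action
        return "block"        # default deny when no rule matches

def run(rules, packets):
    fw = StatefulFilter(rules)
    return [fw.check(p) for p in packets]

# Constructed traffic: an unsolicited ping from outside, our own ping,
# its reply, and a reply that matches no ping we sent.
SAMPLE = [
    Packet("in", "icmp", "198.51.100.7", "echo-request", 1),
    Packet("out", "icmp", "192.0.2.10", "echo-request", 42),
    Packet("in", "icmp", "192.0.2.10", "echo-reply", 42),
    Packet("in", "icmp", "203.0.113.9", "echo-reply", 99),
]

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("pair", PAIR_RULES)):
        print(name, run(rules, SAMPLE))
```

With the pair in place the host stops answering outside pings and drops unmatched replies, while its own pings still get their answers back.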


Software firewalls don't do shit.

i've used zone alarm, firefox and mozilla mail for years and no one's owned me yet
posted by pyramid termite at 9:27 PM on November 10, 2005


i've used zone alarm, firefox and mozilla mail for years and no one's owned me yet

i ran a box with no firewall and no administrator password (!) connected directly to the internet on a public IP and it took several weeks for me to get hit by a worm (this was 2002), and even THEN, it was just a worm -- no one hacked the box.

if someone wants in, sure, they're probably getting in, if not, well, you're probably gonna be ok. personally, i think it's a little bit alarmist.
posted by fishfucker at 12:23 AM on November 11, 2005


Trust me, software firewalls at least do a little bit to stop it. I think it's important for people to have at least sp2 for XP and ad-aware that they can run once a week (or every few days).

When I go to a client I run Autopatcher. www.autopatcher.com and install Ad-Aware and explain how to use it. Less work for me later :) but it protects the customer and that makes me feel content.
posted by Dean Keaton at 3:46 AM on November 11, 2005


Alternately, at least some universities have the budgets to buy items like mondo firewalls (or site licensed software firewalls), TippingPoints, layer 3 switches (with access control lists applied for every Ethernet port; some of these boxes can prevent ARP poisoning, too), centrally managed antivirus software, and to enforce patch levels and antivirus updates while under quarantine. Once we installed our TippingPoint, we placed an unpatched Win2K box behind it for a month and it never got touched. Some scanning of the resnet-l listserv will give you a sense of how many schools are using these various strategies.

Keep in mind that students (and their parents) at universities are in a position to complain about getting hacked that tends to provoke a far greater response than complaints from faculty or staff, or from home cable modem users.
posted by kimota at 4:01 AM on November 11, 2005


Oh, yeah, layer 3 switches and Packeteers can help rate-limit (or throttle) throughput, which can help constrain the ability of an infected machine to infect others. (Usually, though, such rate limiting is for allowing a large dorm network to use a fairly small connection to the outside world, sometimes by constraining P2P apps or blocking them altogether).
posted by kimota at 4:06 AM on November 11, 2005


Most universities are run with most incoming ports open in the name of research. It's a different job than running a company, who will run with hopefully just 80, maybe 22. Your ISP is going to run with every port open.

Again, even if admins at ISPs or Univ's did something, you'd still need to practice defense in depth. Patch your system, run malware detection (aka virus software), run a firewall, and use encryption at all layers possible (i.e., WPA and SSL, if not IPsec also).
posted by about_time at 5:20 AM on November 11, 2005


i've used zone alarm, firefox and mozilla mail for years and no one's owned me yet

That you know of.

ps, e-mail your mother, it's been weeks.
posted by phearlez at 8:40 AM on November 11, 2005


While campuses obviously vary, at UC Berkeley, there is a System and Network Security Office (roughly five people, I think) focused solely on security. There are minimum campus security standards; the SNS office scans all computers on the network for vulnerabilities; and, in general, security incidents have been decreasing over the past two years.
posted by WestCoaster at 12:02 PM on November 11, 2005


Thanks for all the good info.
posted by shoos at 7:44 PM on November 11, 2005


This thread is closed to new comments.