Creating a Secure System
ฝัง
- เผยแพร่เมื่อ 19 มิ.ย. 2024
- Security is a journey not a destination. Let's go over all the ways you aren't secure and how you can minimize your footprint.
Website Guide: christitus.com/creating-a-sec...
Chapters:
00:00 Hardware
03:50 Operating Systems
07:10 Browsers
07:50 Password Managers
09:45 Network
13:35 The Truth about VPNs .
►► Digital Downloads ➜ www.cttstore.com
►► Reddit ➜ / christitustech
►► Titus Tech Talk ➜ / titustechtalk
►► Twitch ➜ / christitustech - วิทยาศาสตร์และเทคโนโลยี
More security tips:
1. Unplug your Ethernet cable.
2. Remove your Wifi adapter.
3. Squirt glue into all your USB ports.
4. Wear surgical gloves and a mask.
dont forget to tape your webcam
@@Crying-Croc Ethernet is very much not rare on i486 systems. And if you have a PCI board you can have USB and Wi-Fi as well, although this is obviously not normal. In terms of actual data security reasons to use a 486 over a modern CPU, they lack out-of-order execution so they are immune to attacks like Meltdown and Spectre.
5. Get hammer
6. Smash your computer
@@musicalneptunian7. Don't own a computer or any modern technology for that matter. Get rid of your mobile devices and tablets, turn on the "DUMB" TV and watch your favorite programs.
@@musicalneptunian 7. Go under a rock and never come out
Port scan over the internet is not going to reveal much if you are behind NAT. You want to be running a scan on your local network, which matters in case there is another compromised device on your network by any chance, or if someone connecting to your wifi has a compromised device
Not to mention most people just use their ISP's equipment. They disable incoming as the quick way to keep from getting sued.
Very good comment! 🙏 Deserves a pin
And the problem is that any device with a working Intel ME or AMD PSP is a compromised device.
This is a good reason to put WiFi on a separate VLAN if possible with your equipment, or even have a 'secure' WiFi for trusted devices which can access your critical infrastructure and have a 'guest' WiFi network on a separate VLAN with access to the internet but firewalled off from your critical stuff. For security, wired is your friend. 😁
Also even with NAT, UPnP if active can be opening ports exposed to the internet so best to have that turned off, at least as far as the WAN interface is concerned.
@@dingokidneys That's a very good thing yes. You don't really need a VLAN, if you have two access points they can be on different subnets. Also there's a setting for hostapd that isolates each client so they can't directly talk to each other.
The most secure system is the one not connected to the internet
Yes, mostly.
Intel Management Engine is an NSA backdoor.
Yes
Hey Chris, Thanks, love what you do and your content.
Thank you coach.. ...im learning quickly doing my best to process all this info about systems and logically apply & amplify it ... 😂 who's ready to just give up 🤦🏽♂️🧙🏿♂️ keep pushing forward yall..take breaks when you need them.🙌🏽
Thanks, Chris! This's going straight to my TODO list!
Thank you for your honesty and keeping us aware of bad things that other youtubers don't do ....
A chain is as strong as it's weakest link. Being human I know that I am prone to making mistakes. I will not therefore keep all of my eggs in one basket. A great example of this is not creating backups of important files. You never know when you will fall victim to ransomware... and that is ok. It can happen to the very best. As long as you are doing your best within reason (not trying to go to unnecessary extremes) you will have your "conscience clear"
Intel Management Engine has to be disabled for system to be considered secure. Intel doesn't provide any easy to use method to disable it, you have to connect programmer to your motherboard, read BIOS chip contents, run me-cleaner script and write it back to BIOS chip. Otherwise when you have such low level backdoor all other higher level security measures are pointless. IME was in past exploited by hackers, and Intel still doesn't provide a way to disable it by average user.
Even then it's only (partially) disabled. Parts of it still exist because the system won't boot if fully disabled.
Get MNT Reform open hardware and firmware laptop
you gave me a new perspective on password managers, thank you
Chris, my migration from Roboform to Bitwarden was painless. Bite the bullet 🙂
Thanks for all your thorough analysis!
Great video like always, thank you!
Thank you for the education. I knew some of this but no where near enough to feel confident about online security.
We all get scared by the stuff people say about security and identity theft, which is real as I can attest to. However we very rarely get solid info about how to stop it by setting up a system in the first place. Most people just use Windows Defender and a password they repeat for everything, with perhaps a slight change by adding a number at the end. That we get bombarded without any help to understand, it's easy to see why most people just switch off and ignore it.
Great overview!
I love Journey, esp that song where they play air keyboards in the video
My favorite is the one that goes, "The wheel on my mouse keeps on turning!"
..Chris..thank U so Much for that Video..I keep folowing U for over 2yrs .. ReGaRds !!
I would like to see your video about Safing’s Portmaster.
I am already using it over simplewall. I really liked it.
If you make video on it, other people will also come to know about that amazing software.
I haven't used their portmaster, but it does look very good. Personally, I generally do a netstat -aon or use TCPView on Windows boxes.
I don't like to rely much on 3rd party software.
@@ChrisTitusTechI'll endorse your comment about 3rd party software. Use the existing basic tools and you can manage just about any system. You don't have to download a stack of other stuff before you can start to analyse a problem.
Thanks!
When I was working on establishing security in a bank system we saw there were 3 levels of security. Security level C gave you security but it could possibly be easy to breach. Security level B was more secure but required so much it slowed down the job. Security level A was the most secure (though I believe they also added minor additions/subtractions so you had A- A A+) that really you cannot do anything in the system because of the security.
thanks Chris, great info, I don't use firefox browser but I see the vivaldi and brave but I see also these also are checking you data and all time activated the camera; startpage hiden but evident track cookies, well pending of your recommendations, the best for you
Good job Chris :-)
Love your content, what IPv6 with ICMP ?
14:15 it is about privacy and security, because there is still games that leak your IP, like GTA V, and make you vulnerable to attacks as has been the case with GTA V, and some ISPs don't cycle your "dynamic" IP address either.
Security+ one of the chief tenants... keep stuff updated. Messer drills that in...
Hey there, I absolutely love your videos! However, I think it would be really helpful if you started adding links to the things you reference directly in your video descriptions. I understand the reason might be for SEO, and directing viewers to your website. While this does make it convenient when I want to revisit something you mentioned, there have been instances where I couldn't find the reference on the linked article from your video. For instance, I appreciated the in-depth details you provided on the Windows tool, but with your recent video, the article merely rehashed the same introduction and then linked back to the video itself. I see the strategy behind it, but it would enhance the user experience if the articles provided more detailed information for those seeking depth. By doing this, viewers who stumble upon the article first and want a summarized version can watch the video, while those wanting a deeper dive can read the article. This is similar to what you did with the Windows tool, and it worked brilliantly.
Hello Chris, I have a question: When you remove a big chunk of the windows OS be it 10 or 11, aren't you putting your OS at risc? I'm thinking intrusion and other online riscs?
First ad foremost: thanks for your tutorials. I've been learning and implementing a lot of your recommendations. However, I now have a question: I installed firejail & profiles, but did not run 'firecfg' on them. When i did, it broke a lot of my PC functionality. Then I found out that there is a debate on whether it is beneficial or not. I ended up just removing and purging it, and got back my desire functionality. -I would appreciate you opinion on if/how to use it, and your recommendations.
Bravo! Bravo! Bravo! Ohhh where did your shirts go I wanted to buy one bro?
I would add that, to my understanding, there are no mfa password managers. MFA only protects the cloud download of the encrypted blob. The security of that blob is always dependent on the chosen secret and protection method. I would be curious how consumers of used hardware can confirm whether their device has previously been configured for vPro management.
You should make a video on how to update Intels Management Engine. I've been looking for a guide or a video and anyone I see says to go to your PC manufacturer's website but mine is custom built. Would be really useful to show how to do it using the official tools and that Mesh Central thing.
Seconded. I just had a play with Mesh Central in an attempt to see if there was an update to my Intel ME on my H87 board. Granted it's an old platform, but after a fair amount of faff, I got to the screen where it displayed my systems info but Intel ME was not anywhere to be seen. Maybe it only works if the system is newer or has a CPU with AMT.
I've been studying infosec for the last year, and to date this is the best video I've seen on general cyber security for the average person. Nicely done Chris!
I have a question. What’s the best custom ISO to use for gaming
Hi Chris. I have a question that goes on the contrary road: how can I fully disable ELAM? I have made an image of my old laptop that had a AV application on it, I no longer have that AV license, I uninstalled it, but Windows won't boot straight away until I F8 and select "disable ELAM" everytime.
Thank you Kris
I'm completely paranoid because of this video
I usually find all these shell prompt customizations ridiculous. But I have to admit your's look really beautiful. I am tempted to ask - hell I have to ask - What is this?
Hi, if possible can you make a video on microsoft services which are safe to disable in msconfig ? I feel like quite a bit of them can be avoided
Hey Chris, If you see this is there any networking advice you would recommend? Like brand of routers, switches etc. maybe do them in like 3 tiers Tier 1 someone who’s a business/enterprise Tier 2 someone who wants to make a good networking experience Tier 3 someone who’s just starting out and only has a router with software firewalls
Pls make a video about ghost spectre 11 security.
Also, I'm trying to find a way to configure my firewall to overall stealth mode. As far as I can tell, the ufw doesn''t have this option (drop and not deny or reject). In this I would really appreciate you input as to what should I use - firewalld/iptables/nftables? -something cpletely different (not a monty python firewall..)
This is another video (like the debloat one) I'll keep coming back for the next years to come! Thanks for such comprehensive display of information!!!
I recently stumled upon dual boot os of the vista eara, where devices had a linux system installed, with very limited capabilites. The claim was, that those secondary os were safe.
Once you know better it's only logical to do better.. goodluck everyone📡💗
What I did to my "smart" camera is I blocked the API servers of it's cloud junk on the router side, now it only works via LAN only. And you can do the same to your :D "smart" toaster as well
Most people dont have a static IP, and open ports arent an inherent vulnerability. Especially something like SSH, as long as you dont have ot accept password auth.
Is there any way to disable vPro? I bought a Laptop on eBay which has vPro enabled😢
Tried GRC and I have a quandary: I would like to know how to still port 113. I've tried to search for a solution, but have come out more confused (I use ufw). What advise do you have regrading this port?
so is it safe to install amd psp or meshcontrol ?
Using openvpn on router. To disable response to pings it looks like VPN services have to be disabled. Not sure if its a limitation of openvpn or just some artificial limitation that my router has.
How secure would I be if I had my PC on a VPN and a proxy and run a VM inside and do the same vpn and proxy on the VM different vpns and proxys?
Hey Chris, Ive heard you say in a previous vid somewhere about when you make a custom iso, (MSMG, NT LITE) that it "reduces your attack surface", or something to that effect. Does creating your own ISO's with components like "Remoting, Privacy etc" stripped out go a long way to prevent hacking and helping security? You mentioned someone can still acces your intel even if its off!, they would need the "remoting" part of windows to do this correct? Thanks!
A little if you remove certain services that can be exploited. A better way to do it is with harden tools. This closes a lot of attack surfaces in windows. github.com/hardentools/hardentools
Just a FYI: It does disable powershell which my tweak script relies on. So, my script will not work if you lock it all down.
If I might suggest, start with your perimeter and work in. I.e. check and close off unnecessary access from the internet via your router and WiFi. Using the GRC Shields Up as Chris showed here is a great start to knowing what you are exposing to the world. Then check your router settings and shut off anything accessible from the WAN like "Remote Admin", UPnP and so forth. As for your WiFi, disable WPS, make sure you are using WPA3 if possible or at least WPA2 (not WPA or WEP) and a STRONG WiFi password. Use a password generator to make something up that is random and long; maybe 24+ characters. It's a pain to set up new devices but worth the security and you only have to do it once for each device. If you need others to have access to your network from time to time, set up a 'guest' WiFi on a different VLAN from your main stuff or at least only turn it on when you have people there who need it.
It is way too easy to crack simple WiFi passwords on WPA2 and WPA/WEP pose no obstacle to any script kiddie with a Kali install on even basic hardware. Hell, I cracked my neighbours passwords on a 2008 Dell laptop running Kali with a Core 2 Duo processor. Simple passwords leave you open to the world.
@@ChrisTitusTech legend thanks @christitustech
@@dingokidneys nice thanks mate :)
"you mentioned someone can still access your Intel if its off, they would need the remoting part of windows to do this, correct?"
No. The Intel Management Engine is a hardware based system. It's a secretive chip on the motherboard which runs in parallel to the CPU and has complete control over the system at the hardware level. If you have a vPro CPU with AMT enabled (generally enterprise features) your system can be controlled via Intel ME even when off as long as it has power. By controlled I mean even a remote format can be executed. The installed OS does not matter here.
Intel ME on consumer CPU's and motherboards is "supposed" to be less involved but nobody really knows for sure Intel has shared very little information on the management engine.
Browser: Firefox and set it as CIS lvl 1 and/or lvl 2 works great imo
iam unable to get copilot i used ur tool an made it basic set up windows in your tools menu
@Chris, Arch uses iptables, ufw is just a user interface frontend over iptables. Also, there is almost no mention about how many CVE's get marked as fixed for a Linux Distro but are not really fixed. Your video isn't really providing much value aside from the link to Meshcentral, and that only provides value in terms of additional visibility. Dbus (a requirement for any systemd init) is also not mentioned at all.
Can anyone help me? I have some issue while try to download nvidia driver linux on arch linux my specs is Quadro K4200
Using a Virtual Machine as an additional layer of security helps a lot (like having a VM just for Downloading things and kinda testing the downloaded stuff before getting it to your host).
yes it can be a little bit tedious but eh it kinda makes it worth it (depending on how much you care about security ofc)
Mesh central does not have capabilities, it's an ACL system. I bet it wouldn't be hard to enable access using SSH only.
As far as UPnP.. There are both cons and pros. Cons: #1 Open ports in the NAT router without asked first what the NAT router's control password is. #2 Maybe open on WAN Port depending on NAT router. Pros: As long as you have only one active (turned on and in use) game console (Xbox/Playstation), you do not need to use UPnP. But if you more than one and you have only one Public IP Address (as most people do not have more than one), good luck getting NAT Type 2 (or what ever it is on the Xbox) without the use of UPnP. Please note this is only based upon what I read/heard.
If you care about security and are minimally competent upnp makes zero sense. If you are going to open ports in your router do it yourself.
Dude! How old is you video? There are no way I could find this test ports page that easy like you do...
Once at that site, use the CSS drop down menu to select from Services.
Another primary use of a VPN is to protect your internet activity from ISPs snooping. So to say there is no privacy or security via VPNs is categorically untrue. It does give you *some* privacy and security especially if you can couple it with custom DNS with appropriate filters to block social media, porn, etc.
Yeah a now you vpn provider knows what webpages are you searching.
@@tostadorafuriosa69Except unlike most ISPs, VPN providers generally explicitly say they don't snoop on DNS or log it. That's at least better because there's additional deterrence in the legal liability that they'd know they'd be exposing themselves to if they ever deviated from those claims.
@@PrezVetoOne thing is what they say and other what they do.
@@tostadorafuriosa69 thats why you get mullvad, which swedish authorities raided but left empty-handed because mullvad genuinely doesnt log stuff
Call me crazy, but filtering all your traffic to 1-2 companies that own most of all the VPNs in the world sounds like a bad idea.
Create your own VPN if you want to filter it out of your network using a VPS.
No one should ever use their ISPs DNS.
Using something like NordVPN, ExpressVPN, PIA, etc. for security or privacy is just plain stupid.
"I never think I am secure..."
Sounds like paranoia
I have it too 😂
Spectrum OS is an interesting alternative to Qubes OS based upon Nix.
Thanks, the article on their website regarding flatpak was eye opening. I had this warm fuzzy feeling that my flatpaks were somehow more secure than the OS apps due to sandboxing, guess that's not the case at all and it's even worse with flatpaks running with known vulnerable dependencies that were patched months ago. Yikes!
@@flow5718 The sandboxing can be addressed (somewhat anyway) with a tool like flatseal or the flatpak permissions module in Plasma settings. At the very least you can fix bad defaults.
As for old dependencies, you have to keep track of who packages it. Official flatpaks by KDE/Gnome will be fine since it just ships the latest stuff your package manager would include. Flatpaks packaged by third parties are more risky, the bright side is it's all open so you can see what is being used.
Also, keep in mind that article is really old. Some other youtube channels have addressed these concerns.
That sounds very interesting. Been using Nix for a while now, I've been very impressed. My boot time dropped from ~30 seconds to under 10 coming from Fedora, being able to hop into a development environment instantly is amazing and the snapshots give it a big edge over Arch.
Pretty much the only annoyance is binary compatibility due to the directory structure compared to other Linuxes, but that's an easy fix using Distrobox.
Anyone know how I can change my NAT type without using a VPN and without changing it on router because im using a hotspot
It's not clear what you are asking. What is the limitation with your "hotspot" and what are you trying to achieve with NAT? What kind of 'hotspot' technology are you using? Is it like wireless broadband to a router that you then connect your devices to? Do you not have admin access to the router? In a domestic setting, you are generally limited to the PAT (port address translation) form of NAT meaning that you map a single port exposed on your WAN side to a single host:port combination on your LAN and this must be set up on the router.
Except iDrac doesn't have access to the Memory Bus and it runs as an actual separated embedded computer, not in the same microcontroller that the main chipset uses.
Intel used the same thing for everything to save cost it seems.
Security seems to be not being the low-hanging fruit. If you can't keep the harvesters away, it's better to be difficult to reach, so they will hopefully move on, before finding you.
end to end encryption?? Do we have that??
if i were i would try betterfox maybe?
Is a Ubikey is just second password?
Yubikey is a hardware USB device
How can system be accessed while turned off? Both Ethernet and WiFi are off, so how could there be any internet connectivity?
If the ethernet is plugged in and power is still supplied to the device, the chip in vPro Intel machines is never off. You can access it without being booted and can turn it on remotely.
Check out all the "Out of Band" access ways. Pretty cool stuff... unless you get hacked using it.
Fun tidbit: NordVPN had this happen in a data center and was exposed for months with the hacker having free reign.
Look again. On these types of systems an Ethernet link is usually maintained even when main power is off (obviously not if power is unplugged). This link when off can often be disabled.
Key takeaway from this video :
"Don't blame others as an excuse for you not working hard enough." 👍👍👍
Brave browser taming the laziness outta me. 👌👌👌
It will be impossible to be secure or have privacy if you live in the UK with the new online safety bill
I heard about that on Russell Brand's newest video. That thing is anti-privacy.
Rip to my Intel laptop.
Also, how overpowered is a pen and paper as a password manager for security?
If you have no friends its perfect.
even a password dairy is Op.
We in developing countries have to use cracked software due to high cost of licensed software. How can we protect our computers?
Maybe try using more open source software?
MS Office has more features than it's counter parts. Microsoft & it's friends want us to use their software.
Not using cracked software, instead open source as much as possible (note this assumes that alternative[s] exist).
Mr Chris can you get me one advice, I need to transfer/clone C: partition from HDD (HDD id 500 Gb, C: partition is 150 GB) to new SSD 240 Gb, what tool is the best for Windows 10?
Try Rescuezilla. It's worked great for me. Will work with just about any operating system.
If you have a router with firewall, why do you need a firewall on your host, both router and hosts are using the same iptables for a firewall. Let's say we have a wired only LAN, without wifi API exposing then LAN. I am talking about home labs, not a server environment.
Firewall should be present so that you can use an AP that is not yours (like in a Hotel).
Not really impressed. A base system doesn't have any ports to block, so ufw isn't needed on consumer stuff. By far most hacks happen via email, followed by compromised repos and ancient software/firmware. Screw networks, router exploits are a far bigger problem.
Agreed on VPNs though. They are overrated, except for specific use-cases.
Links for a browser
I have a raspberry pi with is still in the box never once plugged into anything. You can't get more secure than that. Checkmate.
Most secure: Cut off net heat lights air etc. Quantum information relay!
Guys 9:40 SMS is NOT A SECURE 2FA!!!!
Yep, security consists of layers.
Meanwhile the main developers of openSUSE microOS/Aeon (NOT the rest of openSUSE, I want to mention this here) thinks that a firewall is unnecessary for their OS.
That sounds like there might be more context to that story. I was worried for a moment then I saw "microOS" I think that OS is used as a basis for docker/containers. These containers are designed for running one or two apps. If software isn't running on that system there is nothing to listen on those ports. When you run a container for a web app you want those web ports open, which apache or nginx etc do.... this is only my take from the information in the comment. I do not know the rest of the story or even much about microOS.
@@readypetequalmers7360 I can somewhat understand microOS.
But Aeon is designed for Desktop usage (Gnome Desktop to be exact).
ah ok makes sense... I'd stay away from Aeon. :)@@kuhluhOG
Security is just common sense lol if u go downloading and clicking what ever and use public wifi then you get what u asked for.
I've personally haven't been infected in years last time i think installed a malware of some sorts when i was 12 years old barely knew anything about computers and still learning i'm now 27 lol using linux as my main os after windows 11 garbage came out.
the only secure computer is a broken one
But VPNs protect us from hackers and makes coffee...
Edward Snorten LUL
I don't trust password managers and use unique strong passwords for everything. I think that's the best of both worlds.
So you write them down on a notepad?
Kinda-sorta. I tape a sheet of paper to the keyboard. It doubles as a shopping list. and gets replaced often so I keep a copy on my mfp scanner.
@Crying-Croc Oh, I'm not worried about it, the laptop never leaves the house. If someone had the capability to engineer a way into my finances or other accounts it won't be through that.
Bitwarden is good and keepassxc also. Moving is not hard. Dump to csv, import csv with some tweaking of which field is which. Can't agree with not protecting your IP address. Too much tracking is based upon it.
You seriously installed a Linux in a non VM without a firewall? Were you drunk or is it just for illustration purposes?
Ohh he has been installing Linux drunk in a couple of streams now.
the best one was Ubuntu/ debian one where his liveUSB was failing but he was entertaining us live for a really long time.
I moved my data from LastPass to Bitwarden.
LastPass lost a ton of customers when they decided to change to a subscription system.
Most inconvenient, but physically secure is a note pad.
And a pen, not a pencil. 😆
Unless you're some human computer I fail to see how you can write on a physical notepad with something resembling the security of AES-256. Your person and personal objects have even less protection than your home or bank accounts as they can be seized and searched for any reason (even made up ones) by local law enforcement no less.
@@flow5718 I would rather trust law enforcement entering my home than some companies. There reasonably honest here in the UK. Plus you can salt the passwords.
A note pad actually isn't the most secure option. If you can't trust your government (nobody should), then you can't trust that they'll leave your property alone. God forbid they get a warrant and search your house, now all of your most sensitive information is exposed. The most secure option that's at least somewhat practical would be an airgapped, encrypted system that does nothing but store your critical information. Use it like a notepad and nothing else.
@@mgord9518 sounds like a yubi key
Your XBox is probably the most secure device in your home :V
Virtual machines are the answer. Know what you are doing 😄 virtual machines act as a router
Not having ufw means you can't have a firewall? Come on dude.
you can specify it in iftables / iptables, but for the layman, most use ufw on linux for simplicity.
Edward surrounded by mountains of cocaine? Edward Snowden
Edward uses said cocaine? Edward Snortin'
I am blind, but I can see
The snowflakes glisten on the trees
To be secure you just need to buy my internet snake oil. Rub it on your router and a VPN will magically appear.
I begrudgingly use brave on my machines because it's the best balance between usability and security, as long as you turn off the analytics.
I say begrudgingly because the CEO of brave is an open homophobe, in fact he was kicked out of mozilla as a former CEO for having those opinions (and websites were starting to block firefox users from viewing their site because of him)
so brandon eich chose to leave mozilla instead of apologizing for his bad takes. big yikes.
This is disinformation. He donated to religious organizations and those who attacked him claimed the homophobe idea.
@@readypetequalmers7360 no he legit is against gay marriage and donated for some of the worst anti-gay propaganda.
Just buy a Mac.
bruv I don't even have the intel management engine driver installed.
Gibson Research is awesome.
UFW to me is an Ubuntu firewall. That's just the feeling I get. Maybe I saw it there first.
Either way, I am using plain old iptables and have been for maybe a decade. I can set up which ports are open and who they are open to, usually machines on my LAN. And I do the same on those machines. Block everyone else. UFW is a simplified iptables/nftables firewall to my knowledge. Is iptables secure? Who knows. Pretty sure most routers run iptables too.
Theres others on the way. EBF I think is one. Then there's also rudimentary AI firewalls, monitor normal access and usage and react when something is different, in theory. Firewalls are a thing where I think AI would be very interesting, fast, efficient and mostly correct. Dave AI: "Someone is accessing your phone over the network, is it you?" -No ,Dave. Shut em down.
There is a book that talks about using AI... essentially it is what Prevention detection is all about. you have Network intrusion detection/prevention and host based. They are pretty much firewalls in the simplest sense. The trick to these systems is that they do not follow normal distributions, (this is also the problem with neural networks in finance..) so finding attackers often has a lot of noise and may not be reliable. The ip tables idea is really simple and effective without much effort in maintaining. Once you have that the packets on the open/available ports are the tricky part. The book i am thinking of is called "Network Traffic Anomaly Detection and Prevention"
@@readypetequalmers7360I ran the SELKS stack inside Docker containers for a couple months. Suricata and Co. Pretty sure I had it configured as IPS. So it would block packets that fit a certain pattern. And I only used the free patterns available. In total there was like 30 000 patterns for me. Some patterns I had to remove/allow because they would block traffic I wanted. Works via PCAP which I think is Packet CAPture in Linux. So it checks every packet. Uses a bit of RAM and CPU. I only have a Ryzen 5600X and I was playing games and the normal stuff at the same time, so it's not that heavy, the SELKS stack. In an enterprise situation, I expect it to be much worse. Think I saw some benchmarks of transferring 50 gbit/s maxing out Xeons. Just a normal transfer. I don't know if they used a firewall. I only have 500 mbit/s internet traffic.
I also tried a rudimentary/basic AI firewall. The difficulty with that is confirming it works and what it works on. How do I know what it does? False positives etc. If I send out a bunch of e-mails once a month, would it see that traffic as hostile? So you have to train it. I don't see the training period ever ending. Software changes, hardware changes, constantly.
Yeah I'd like to do that too. I've tried a few times but never put the time in to make it work well. By default they only cover known issues. The tricks that are more modern are not going to be covered by those systems. It's also likely there are a lot of false positives generated by those SNORT rules. While I like the idea of using more of those IPS like curicata and SNORT (I think these are rule based IPS) they require tuning which many normal users can't do. I like the AI idea and some have shown some good results, but same problem with false positives. The book I mentioned specifically pointed out one of the issues is the data to train on. Supervised learning models can easily miss what they have never seen, so unsupervised or statistical models are better to use at some point. Most of these are too slow to actually do the work live. One of the issues the book mentioned is that there is a lack of data on good and bad network packets. Ideally you'd have all known bad attacks in the data, but impossible to do. For good data each house has very unique situations and setups. This is where an open source network collection project might be helpful in making. People donate their packets to the cause. Just have to figure out how to anonymize that data.@@MrPunkassfuck