Layered Security - Why this is the only way forward!?

[Guest]

[Melih]

Well, we all know (or should know), that there is no 100% security! (of course people might try to take this out of context and apply this to tiny subsets of an overall problem and claim it can be 100% secure but its a futile attempt as you have to look at security in a holistic manner otherwise you will run the risk of false sense of security) Anyway, so there is no 100% security. So what you have to do is to utilise a layered architecture, eg: use different Security systems in case one of them fails. The question is which ones and where do you stop?

Which ones: it has to be synergestic and avoid duplication unless you are looking redundancy (but sometimes its not a good idea: eg Firewall, having two of the same is a no-no.)

Where do you stop: Its all about what you are trying to protect and how much you are prepared to spend to protect whatever you are trying to protect. The higher the value that you are trying to protect the more you spend in security. "Value of the Asset" and "Cost of Security" is proportional. 
 


 Value of the asset
        |                    x
        |                x
        |            x
        |       x
        |  x
        |-----------------------Cost of Security

But of course, for your PC Security the Cost of Security is ZERO thanks to Comodo

 

Melih

[Little Mac]

Cost as in $$ = zero, true.  Cost as in time for configuration, not true.  Granted, time for install/config will never = zero, and that's reasonable. 

What I think would be MOST beneficial as we look at the development of v3 (which you wonderful folks may have already thought of and have/are implementing) is a set of predefined profiles based on user-types.

This way perhaps we can have a "zero-touch-firewall" for users who want security but no configuration hassle, no/minimal popups, etc.  I realize there are aspects of this in v3, but what I'm thinking is a "global," one-button approach.  One click, you're done.  No muss, no fuss.

LM

[wilpower]

What I think would be MOST beneficial as we look at the development of v3 (which you wonderful folks may have already thought of and have/are implementing) is a set of predefined profiles based on user-types.

LM

Interesting point LM> I agree in concept....but pragmatically, where do you start and where do you end. I mean just reading through users basic problems with configuring Comodo programs....I've observed different people(including myself) installing....configuring the same software on basiclly the same environments but with conflicting/different problems and finding similar/or different solutions!
My point being> what might be a workable "set of predefined profiles" and a group of "user-types" will enevitably disclude some user-types with different "profiles".
Holy crap...that confused me
Could something like what u are suggesting even be done
Mmmmm...I don't know.

[Little Mac]

Could something like what u are suggesting even be done

Well, I don't know either, but that's a job for "ComodoMan"! (or woman)  (V)

The programmatically-challenged (such as myself) cannot answer such questions.  We can only suggestion crazy ideas and expect the experts to complete them...

There's no doubt that no matter how "one-touch" the configuration is made, there will be users for whom it will not work.  Realistically, the best overall results would probably come from an interactive wizard that asks the user questions and configures the FW based on their response.  Things like, "Do you share files, folders, printers, or other resources?"  "Do you play online games?"  "Do you use... ICQ, IM, p2p...?" and so on.  These questions would start at the foundation with questions about how they connect, if they're behind a router, ICS, and work outward to establish the connection rules.  Then address specific applications/usage issues.  Then provide a diagnostic for testing problems to identify the source.  More complex than just push one button, but also probably a more solid result.

But, even with one-touch configurations not working for 100% of the users, you're still looking at an improvement (for the majority) over manual configuration; if you can hit 90 - 95%, that's probably a good goal.

LM

[wilpower]

Point well taken LM..... I think you are probably on to something ..
And as far as the COMODOMAN/WOMAN.... you've got that right.

Wil 

[Chuck]

There's no doubt that no matter how "one-touch" the configuration is made, there will be users for whom it will not work.  Realistically, the best overall results would probably come from an interactive wizard that asks the user questions and configures the FW based on their response.  Things like, "Do you share files, folders, printers, or other resources?"  "Do you play online games?"  "Do you use... ICQ, IM, p2p...?" and so on.  These questions would start at the foundation with questions about how they connect, if they're behind a router, ICS, and work outward to establish the connection rules.  Then address specific applications/usage issues.  Then provide a diagnostic for testing problems to identify the source.  More complex than just push one button, but also probably a more solid result.

But, even with one-touch configurations not working for 100% of the users, you're still looking at an improvement (for the majority) over manual configuration; if you can hit 90 - 95%, that's probably a good goal.

LM

I have to say that your idea of a "configuration wizard" during setup or selectable at a later time by clicking on options (or something similar) is a really neat idea.  It could start by asking if one desires loose, moderate or paranoid settings in general, and then go from there with specific configuration questions regarding ISP type, software used, etc.  Awesome idea.  CHUCK   

[Little Mac]

It could start by asking if one desires loose, moderate or paranoid settings in general, and then ...

Or even just stop there, for those users that want a more automatic deal, instead of answering further questions.  In other words, there would be a "default" group of rules/changes/config for loose, moderate, paranoid; if the user desires, they could build off of those with the full set of questions.

Some other security "hardening" applications have some things like this.  You can choose to accept all proposed changes, or pick & choose.  It gives explanations of each setting, why it's important, and so on.  Specifically, I'm thinking of Samurai for Windows and Bastille for Linux.  Bastille is more interactive, which I think is preferable.  This allows users that want to be paranoid but don't know how, to achieve a very decent level of paranoia with minimal fuss...

LM

[AnotherOne]

I had the idea that the installation program could scan for installed software and processes and configure the program being installed to work with what's there.  If you are talking about average users, a lot of them won't know what they have installed, especially the pre-loaded trial stuff or the utilities that came with the system.  Of course, when you start talking about on-line gaming and other internet-intensive stuff, the variations are so many that a "Wizard" might be a better method of handling that.

[Info-Sec]

Well the general rule for layered security is never use 2 products from the same vendor.  E.G use COMODO firewall but not COMODO anti virus.  Because there is usually ONE stand out product, COMODO's firewall.  This is all true except for Zone Alarm, because their anti virus is kaspersky's engine which is prob the best engine of them all. 

See i use Zone Alarm for my firewall and i use spy sweeper for my antispyware.... I would never use spysweepers anti virus (SOPHOS kind of sucks)

Thats usually the best way to judge layered security.

[Melih]

Well the general rule for layered security is never use 2 products from the same vendor.  E.G use COMODO firewall but not COMODO anti virus.  Because there is usually ONE stand out product, COMODO's firewall.  This is all true except for Zone Alarm, because their anti virus is kaspersky's engine which is prob the best engine of them all. 

See i use Zone Alarm for my firewall and i use spy sweeper for my antispyware.... I would never use spysweepers anti virus (SOPHOS kind of sucks)

Thats usually the best way to judge layered security.

Well the idea is to use best of breed. If one company has all the best of breed, then its reasonable to use that company. It would not be wise not to use best of breed, just because they are from the same company.

Melih

[Info-Sec]

Exactly, but of course layered security is very subjective and im not putting down COMODO, it was just my two cents. 

[wackysystems]

If you wanted the one-touch config, then it could be like this. First, it gives you a choice of automatic, or manual. If you chose manual, you would just have it let you configure it like normal. However, if you wanted it to be automatic, it would first scan for theinstalled programs, like "AnotherOne" said. Then, it would compare the programs against a massive database that says info like if it is internet-intensive, or doesn't need internet, stuff like that. Of course, you would need to build up the database, so if the software didn't know what a program was, it would send it to Comodo so it can be put into the database. And when it finshes scanning, it will automatically make rules for itself. Say you used wireless network/router. It would detect the software/driver/device, and automatically use the wireless rule.

[gibran]

Knowledge is another priceless security layer

If you agree with this then you can also agree that a wizard is a nice idea but it should be implemented in a way that will not make it a double-edged sword.

Just voicing my concerns here as I have no real example to blame .

Wizards add a great deal of user-friendliness in order to overcome tedious tasks but users should be encouraged to learn the product and to check wizard-created rules.

In fact one thing is to rely on a wizard and another is to use a wizard.

While a wizard could provide a bottom-line security level it is important to encourage users to learn about the threats and how effectively use the products in order to protect themselves.

As far I understand security is always a compromise between user training, policies and available resources so in order to not cause undesired effects is better to enforce the idea that is needed to develop an awareness of the risks/limits/issues in order to have a good security.

[wackysystems]

Very true. If you don't know what the wizard is doing and just rely on it to do the right thing, many things could go wrong.

[AnotherOne]

About the "best-of-breed" plan - I have been having recurring problems with one such program because it does not work with other layers of my protection very well.  It has been responsible for slowing my system down - freezing it at times and intermittent BSOD's.  The push to get high detection rates has resulted in conflicts and worse.  In fact, I have had zero problems with actual infections, but several false positives.  If I did not know about the false positive problem, I would have not been able to run any number of common programs (Thunderbird, eg) because the scanner would have deleted critical files.  There is a case to be made for a suite of security layers that work well together, even if they have some components that are weaker than the best of that type.  Given that the on-going battle with my "best-of-breed" software consumes more time and effort than it has saved me, my criterion of what is crucial has been shifting.  I am now leaning toward a more basic class of software that is less intrusive and demanding of resources and my time and energy.  This requires a regular program of backups, but that can be run in the background or when I am not using the computer.  A security system that cripples my computer is almost worse than having an infection.  I ran my computer for over a year with no antivirus protection at all without trouble (a few email viruses were received, but not opened due to my suspicious nature).  I have been securing my system over the last year, but the result is far from satisfactory when I consider what I have had to spend in cash and time to get a crippled system for my pains.  The only thing that keeps me from just uninstalling the offending software is the growing prevalence of commercial-grade trojans, scripts, spoofs and viruses that are profit motivated and thus slicker and more capeable than the stuff that has been circulating before now.  Once I have some certainty that I can be alerted to the presence of malware on my system, and that it cannot use my internet connection, I will consider the solution adequate.  If I cannot remove the infection, I will have to fall back on my backups, but that may be required no matter what security solution I choose.

[Tags:]