Saturday, July 31, 2010

Internet security - when should you pay?

People often ask me about what security software I use. I'm of the opinion that you want solutions you don't have to think too much about. OpenDNS fits that bill entirely but here are some other thoughts:
  1. Firewall - ten years ago, before Windows XP and when your broadband connection was probably via a USB modem (and you had an internet-facing, routable IP address), it made a lot of sense to have a software firewall - ZoneAlarm or somesuch. Since XP SP2 (when the Windows firewall is on by default) and hardware NAT routers there is no good reason to spend money on yet another firewall. Your NAT router acts as a very effective hardware firewall because any packets that aren't a direct response to outgoing connections (from one of the machines on your network) are ignored. You could quite happily run Windows (or Mac or Linux) behind a NAT router with no firewall.

  2. Web filtering software - Cybersitter etc. You may well want to filter your incoming traffic but having a piece of software on every machine is not the way to do it. By far the best solution is to use a DNS filter - every DNS lookup that your router sends out goes not to your ISP's server but to OpenDNS, who (based on their database and your settings) will return null DNS entries for sites you might not want accessed. I've been using it for a year and it's excellent - nothing needs to be done to new machines as the router has the IP addresses for OpenDNS in its settings. OpenDNS also blocks all known phishing and malware sites and since they have a worldwide userbase of tens of thousands they are more likely to block new threats before you try and go to them.

  3. Web filtering pt.2 - NoScript is an excellent plugin for Firefox that stops active content from running on pages. It's a bit of a pain when you first install it as you're constantly clicking on the settings icon and allowing a domain (BBC iPlayer isn't much use without Flash!). But after a while you get used to it and the sites you visit often where you need active content soon outnumber those that you visit occasionally (and you may not want them to run JavaScript, Flash, ActiveX etc - common vectors of infection).

  4. Antivirus - Microsoft Security Essentials sneaked out earlier this year with little fanfare but has been getting excellent crits with detection scores near the top of the test tables. Definitely better than Norton, Panda, and AVG. It integrates well with XP through Windows 7 and I found it to be very unobtrusive. It's what I'm using on all my Windows machines.

  5. Spybot etc AntiMalware - Windows now has the Malicious Software Removal Tool - MRT.exe (you can run it from Start>Run whenever you like). It updates itself silently on Patch Tuesday and is as effective as anything else at removing malware. It's free and unless you've deselected it from Windows Update any machine running Win 2K or later has it.
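
The rule in item 1, that a NAT router ignores any packet that isn't a direct response to an outgoing connection, as a toy model in Python. This is an added example, not part of the original post; the class names and all addresses are constructed, state expiry is not modelled, and the strict check on the reply's sender is an assumption about how the router filters.

```python
# Added illustration: a toy model of a home NAT router's translation table.
# All addresses and ports below are constructed sample values.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)
    proto: str = "tcp"

@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    # (proto, public_port) -> (internal endpoint, remote endpoint)
    table: dict = field(default_factory=dict)

    def outbound(self, pkt):
        """LAN -> internet: rewrite the source and remember the mapping."""
        for (proto, port), (inside, remote) in self.table.items():
            if (proto, inside, remote) == (pkt.proto, pkt.src, pkt.dst):
                return Packet((self.public_ip, port), pkt.dst, pkt.proto)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, port)] = (pkt.src, pkt.dst)
        return Packet((self.public_ip, port), pkt.dst, pkt.proto)

    def inbound(self, pkt):
        """Internet -> LAN: forward only replies to a known connection."""
        entry = self.table.get((pkt.proto, pkt.dst[1]))
        if pkt.dst[0] != self.public_ip or entry is None:
            return None  # no mapping: nothing on the LAN asked for this
        inside, remote = entry
        if pkt.src != remote:
            return None  # assumed strict filter: sender must be the original peer
        return Packet(pkt.src, inside, pkt.proto)

def demo():
    router = NatRouter("203.0.113.10")
    pc, web = ("192.168.1.20", 51000), ("198.51.100.5", 80)
    sent = router.outbound(Packet(pc, web))
    reply = router.inbound(Packet(web, sent.src))
    probe = router.inbound(Packet(("192.0.2.99", 4444), ("203.0.113.10", 3389)))
    spoof = router.inbound(Packet(("192.0.2.99", 80), sent.src))
    return sent, reply, probe, spoof

if __name__ == "__main__":
    for name, result in zip(("sent", "reply", "probe", "spoof"), demo()):
        print(name, "->", result or "dropped")
```
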

So there it is - not paying for security, far from being the cheapskate option, is, I think, the best policy. Have you sat down to use a machine that had a full-up Norton or McAfee install and realised how cumbersome and slow this computer (which five years ago would have been considered workstation-class) now is? The firewall is fighting the Windows firewall, the antivirus is popping up reminders to renew the subscription ('cause you only got 90 days with Dell!) and you can't access files on your server for some reason.

The dirty little secret the anti-virus industry never mentions is that once your machine has been compromised they can't be sure they've rid you of whatever nastiness crawled in. Rootkits and other techniques mean it is nigh on impossible to ever trust a PC that has been virus infected. You need to reformat the hard drive and re-install Windows. It's not hard and you'll find your machine feels like new again as you will have lost the detritus that Windows picks up along the way.

1 comment:

laura said...

Hi Phil,

Thanks for highlighting OpenDNS as the best free option for people to use. One thing that's great about the service is you can use it in conjunction with other products -- so use OpenDNS for safer, faster, more reliable Internet, and then apply an anti-virus program if you like :)

Laura Oppenheimer