How to safely connect a Windows machine that CAN'T have anti-virus (due to real time demands) to the internet via a Windows machine that is protected?

I have a Windows-based machine that cannot have anti-virus installed due to the performance impact that would have on the machine's role as the controller in a live radio studio mixing console. This setup is a commercially available system not one I am building myself.

Asked by: Guest | Views: 368
Total answers/comments: 4
Guest [Entry]

"I would use a hardware firewall to protect the machine from both the Internet access and intranet access. A hardware firewall will give you reliability and speed.

I would start with the machine having all the traffic blocked and then only allow those IP addresses, ports, protocols and directions that are needed for it to work. For example, if there will be no web surfing, then I wouldn't add a rule to open port 80 out. If you have a remote administrator, I would allow the ports for VNC in from their IP address. The same for FTP. This way if you aren't talking from the right IP address you are blocked. Also, if someone tries to go out on the machine and check their email they are blocked.

I would also set these rules up for the rest of the intranet. I would only create rules to allow communication to those computers/ports/protocols needed. This way if a machine on the intranet gets compromised, it will have a harder time to spread to the unprotected machine.

Basically, this machine would be in a DMZ configuration.

I would also run Spybot Search & Destroy and SpywareBlaster and immunize the machine. There is no real time cost to this because it isn't a scan, but just a configuration setting. All this does is basically blacklist ActiveX controls and bad sites in the Hosts file. This can prevent a machine from being infected by preventing some bad things from being executed. Of course, you would have to allow via the hardware firewall the ability for the machine to update. You can do this manually or white list those sites.

The firewall you choose should be able to alert you of problems. I would flag some rules to see if anyone is attempting to do anything they shouldn't (i.e. checking email, surfing the web, someone attempting access to the FTP port (especially if left on the default ports)). I use a Zywall which has all the above features, but there are many companies. One thing you should consider is that hardware firewalls have specifications on throughput. You want to get a firewall that can process the information fast enough.

The remote users could also VPN in to some firewalls, that way you don't have to publicly expose some things like VNC or FTP.

Also, some VNC software will allow you to use certificates to authenticate. This could help because it allows better security: there is no username/password to guess, and the end user could run the software and it would just work (less for the end user to remember). If not, I recommend using Keepass and having it generate a high entropy password that would be difficult for machines to break.

I hope these tips help.

(Also, because this is a business critical machine, I would image the system so if something did happen, you could get back to a known good state.)"
Guest [Entry]

"I wouldn't bother. Antivirus doesn't help too much so long as you're not opening dodgy email attachments or downloading a lot of executable files. For example, Steve Gibson of Security Now doesn't run any antivirus.

Having a router between the computer and the internet is far more important."
Guest [Entry]

"If it is not possible to install any antivirus software, even something as lightweight as Panda Cloud Antivirus which does not have definition updating, you would be best investing in a dedicated hardware firewall with content filtering subscription. This will ensure that all packets are scanned for nasties before they enter your internal network, regardless of the method by which they are transmitted.

An example list of such hardware firewalls with rough costs can be found here. There is also a handy product selector on SonicWALL's website to give you an idea of what products may be suitable."
Guest [Entry]

Antivirus is generally the last line of defense. A good firewall is more important in stopping infections that could occur without any user intervention. If a hardware firewall is not an option, Windows Firewall is better than nothing, and would of course have to be configured to allow access to the desired network apps.
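The first answer's default-deny, allowlist-only rule set and the last answer's fallback to Windows Firewall come down to the same policy. The script below is an added example, not code from any of the answers: it expresses that policy with the built-in NetSecurity cmdlets (Set-NetFirewallProfile, New-NetFirewallRule) on the console PC itself, enables logging of dropped packets, and includes a small function that summarises the blocked attempts the first answer wants alerts on (mail, web, FTP, VNC from the wrong address). Every address, port and the sample log lines are constructed placeholders (RFC 5737 documentation ranges) and must be replaced with the studio's real values.

```powershell
# Added example, not from the original answers. Run in an elevated PowerShell
# session on the console PC. All addresses/ports below are ASSUMED placeholders.
$AdminHost   = '203.0.113.10'      # assumed: remote administrator's fixed public IP
$StudioNet   = '192.0.2.0/24'      # assumed: studio intranet the console must reach
$Resolver    = '192.0.2.1'         # assumed: intranet DNS server
$UpdateHosts = @('198.51.100.20')  # assumed: vendor/immunisation update server(s)
$ConsolePort = 9000                # assumed: console's own control protocol (TCP)
$Tag         = 'StudioConsole'     # prefix so these rules are easy to find/remove
$LogPath     = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 1. Default-deny in both directions on every profile, and log every drop.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName $LogPath

# 2. Start clean: remove rules from an earlier run so they do not accumulate.
Get-NetFirewallRule -DisplayName "$Tag*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Inbound: remote control only from the administrator's address (VNC, TCP 5900).
New-NetFirewallRule -DisplayName "$Tag - VNC from admin" -Direction Inbound `
    -Protocol TCP -LocalPort 5900 -RemoteAddress $AdminHost -Action Allow

# 4. Outbound: only the studio intranet on the console protocol, DNS to the
#    intranet resolver, and HTTPS to the allowlisted update hosts. No general
#    port 80/443, no SMTP/POP/IMAP, so casual browsing and mail are dropped.
New-NetFirewallRule -DisplayName "$Tag - console protocol to studio LAN" `
    -Direction Outbound -Protocol TCP -RemotePort $ConsolePort `
    -RemoteAddress $StudioNet -Action Allow
New-NetFirewallRule -DisplayName "$Tag - DNS to intranet resolver" `
    -Direction Outbound -Protocol UDP -RemotePort 53 `
    -RemoteAddress $Resolver -Action Allow
New-NetFirewallRule -DisplayName "$Tag - HTTPS to update hosts" `
    -Direction Outbound -Protocol TCP -RemotePort 443 `
    -RemoteAddress $UpdateHosts -Action Allow

# 5. Review: summarise DROP entries on ports nobody should be using from this
#    machine. pfirewall.log is W3C format; fields 2..7 are
#    time action protocol src-ip dst-ip src-port dst-port, and the last is path.
function Get-BlockedAttempts {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int[]] $WatchPorts = @(21, 25, 80, 110, 143, 443, 5900)
    )
    $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            # ICMP lines carry '-' instead of a port; treat those as port 0
            $port = if ($f[7] -match '^\d+$') { [int]$f[7] } else { 0 }
            [pscustomobject]@{
                Time = $f[1]; Action = $f[2]; Proto = $f[3]
                Src  = $f[4]; Dst    = $f[5]; DstPort = $port; Path = $f[-1]
            }
        } |
        Where-Object { $_.Action -eq 'DROP' -and $WatchPorts -contains $_.DstPort } |
        Group-Object Src, DstPort, Path |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample log (NOT a real capture) so the function can be tried offline:
$sample = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:12:01 DROP TCP 192.0.2.10 203.0.113.77 50112 25 52 S 1 0 8192 - - - SEND
2024-01-15 09:12:02 DROP TCP 192.0.2.10 203.0.113.77 50113 25 52 S 2 0 8192 - - - SEND
2024-01-15 09:12:05 DROP TCP 198.51.100.9 192.0.2.10 40001 5900 52 S 3 0 8192 - - - RECEIVE
2024-01-15 09:12:09 DROP ICMP 198.51.100.9 192.0.2.10 - - 60 - - - - 8 0 - RECEIVE
'@ -split "`r?`n"

Get-BlockedAttempts -LogLines $sample | Format-Table -AutoSize
# For the live log: Get-BlockedAttempts -LogLines (Get-Content ([Environment]::ExpandEnvironmentVariables($LogPath)))
```

In the sample the two outbound SMTP drops from the console and the inbound VNC attempt from an address other than `$AdminHost` each surface as one grouped row, which is the kind of "someone is trying to do something they shouldn't" signal the first answer describes; scheduling the review function and forwarding its output is the software equivalent of the alerting feature expected from the hardware firewall. Because the cmdlets only touch rules carrying the `$Tag` prefix, any vendor-supplied rules for the console stay in place.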