Amelith's environment

Status
Not open for further replies.

Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
This is my hardware/software setup. I am not always using VMs for malware testing; I also have an isolated network with 2 PCs. I'm protecting my entire network with a pfSense firewall, and my isolated network with another pfSense box.

I think prevention, backups and safe habits are a mandatory part of "the best protection". In an isolated environment you can do whatever you want, though; "know your enemy" is a must. I'm using my isolated environment to "try before I buy" anything I need for my clients or myself, and then implement it in production. Trying to keep everything simple enough, though.

I recently updated this setup with a new product, Ranstop, which is a dedicated anti-ransomware software with great potential. I had another one in mind (Appcheck), but it has no file versioning inside the backups, whereas Ranstop does.
 

Xsjx

Level 13
Verified
Feb 21, 2017
613
Great setup!
If you want, add HTTPS Everywhere ;)
 

Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
Thank you guys, happy that you like it. Yes, "HTTPS Everywhere" should be a standard... also VPNs for specialists. Btw, I'm a very happy user of Let's Encrypt; I'm using it on my VPS and my clients' VPS as well.

P.S. I'm also referring to the Chrome extension "HTTPS Everywhere", not just to avoiding any HTTP communication by design :)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I see you have Macrium Reflect for system backups. That's smart.
If you keep up-to-date backups, and you keep them offline (you need to disconnect your external hard disk or NAS, except for the moment when you are running a backup), then your files are always protected from ransomware.
This is important because even if Ranstop prevents the attack, you could still lose some files until the protection kicks in. Also, MT in-house testing shows that these solutions usually don't prevent all strains of ransomware.
 

Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
The truth is that Synology uses a very nice solution for protecting itself. It keeps its backups (and versions) inside the NAS, where you don't have access to them except from the Synology interface. I am storing my Macrium system backups there. I do admit that it is always on, but with this in mind.

Actually, what I like about Ranstop is that it scans your PC after the installation and stores a first version of the backups. Later it will create other versions as you edit the files. The backups are protected at kernel level (a driver) and I really couldn't tamper with it in any way. The driver is used to detect ransomware as well. So even if something goes wrong and it cannot detect the ransomware, you still have your files to manually restore them. Even if you have to pull out the HDD and recover the files from another PC, if the attacked PC is unusable. I tried to do my homework as best as possible because otherwise, if I do implement something untested at my clients, I risk receiving many unhappy phone calls from them. And a lot of work afterwards...
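shmu26's point about up-to-date offline backups and Amelith's description of Ranstop keeping every version of an edited file come down to the same property: the backup must retain state from before the attack, because a backup that merely mirrors the current disk copies the encrypted files over the good ones. The example below is added for this page and is not Ranstop's, Synology's or Macrium's code. It contrasts an append-only, content-addressed version store with a plain mirror under a simulated mass overwrite. The `VersionedStore` class, the mass-change ratio used to flag the bad snapshot, the 0.5 threshold and the three sample files are all constructed for illustration; the heuristic is a stand-in for whatever a real product's driver does, not a description of it.

```python
import hashlib
import os
import shutil
import tempfile

class VersionedStore:
    """Append-only, content-addressed backup: each snapshot records every file's
    SHA-256 and keeps the blob, so earlier versions are never overwritten."""

    def __init__(self, root):
        self.blobs = os.path.join(root, "blobs")
        os.makedirs(self.blobs, exist_ok=True)
        self.history = {}       # relpath -> [(snapshot_no, digest), ...]
        self.change_ratio = {}  # snapshot_no -> share of known files rewritten
        self.seq = 0

    def snapshot(self, src):
        self.seq += 1
        known = changed = 0
        for dirpath, _, names in os.walk(src):
            for name in names:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, src)
                with open(full, "rb") as fh:
                    data = fh.read()
                digest = hashlib.sha256(data).hexdigest()
                blob = os.path.join(self.blobs, digest)
                if not os.path.exists(blob):
                    with open(blob, "wb") as fh:
                        fh.write(data)
                hist = self.history.setdefault(rel, [])
                if hist:
                    known += 1
                    changed += int(hist[-1][1] != digest)
                if not hist or hist[-1][1] != digest:
                    hist.append((self.seq, digest))
        # Crude mass-change heuristic (an assumption of this example, not Ranstop's
        # detection logic): most previously seen files rewritten in one snapshot.
        self.change_ratio[self.seq] = changed / known if known else 0.0
        return self.seq

    def first_suspicious(self, threshold=0.5):
        for seq in sorted(self.change_ratio):
            if self.change_ratio[seq] >= threshold:
                return seq
        return None

    def restore(self, rel, before_seq=None):
        """Newest content of rel recorded before snapshot before_seq (or overall)."""
        limit = self.seq + 1 if before_seq is None else before_seq
        versions = [v for v in self.history.get(rel, []) if v[0] < limit]
        if not versions:
            return None
        with open(os.path.join(self.blobs, versions[-1][1]), "rb") as fh:
            return fh.read()

def mirror_sync(src, dst):
    """Plain mirror: dst always equals the current src, damage included."""
    if os.path.exists(dst):
        shutil.rmtree(dst)
    shutil.copytree(src, dst)

def _write(base, name, data):
    with open(os.path.join(base, name), "wb") as fh:
        fh.write(data)

def _read(base, name):
    with open(os.path.join(base, name), "rb") as fh:
        return fh.read()

def demo(threshold=0.5):
    """Initial snapshot, one legitimate edit, then a simulated mass overwrite."""
    work = tempfile.mkdtemp()
    src, mirror = os.path.join(work, "docs"), os.path.join(work, "mirror")
    os.makedirs(src)
    store = VersionedStore(os.path.join(work, "store"))
    originals = {"report.txt": b"Q1 figures v1",  # constructed sample files
                 "notes.txt": b"call client", "todo.txt": b"renew certs"}
    for name, data in originals.items():
        _write(src, name, data)
    store.snapshot(src)
    mirror_sync(src, mirror)
    _write(src, "report.txt", b"Q1 figures v2")   # 1 of 3 known files changed
    store.snapshot(src)
    mirror_sync(src, mirror)
    for name in originals:                        # 3 of 3 known files rewritten
        _write(src, name, b"\x00" * 32)           # stand-in for encrypted content
    store.snapshot(src)
    mirror_sync(src, mirror)
    bad = store.first_suspicious(threshold)
    result = {
        "suspicious_snapshot": bad,
        "mirror_report": _read(mirror, "report.txt"),   # the mirror holds the damage
        "restored_report": store.restore("report.txt", bad),
        "restored_notes": store.restore("notes.txt", bad),
    }
    shutil.rmtree(work)
    return result
```

`demo()` flags the third snapshot (every known file rewritten at once), and `restore(..., before_seq=3)` returns the last good version of each file, including the edit made between the first and second snapshot, while the mirror only has the 32 zero bytes. The snapshot taken after the attack is still stored, which is deliberate: nothing in the store is ever deleted, so a wrong guess about which snapshot is "bad" costs nothing. Two caveats this toy leaves out and a real deployment has to cover: the store must live where the compromised machine cannot write to it (shmu26's offline disk, the NAS-internal storage Amelith describes, or a kernel driver denying access), and the first snapshot naturally rewrites nothing, so a heuristic like this one only becomes meaningful from the second snapshot on.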
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Thanks much for the explanations. It does sound very interesting, and I personally was not so familiar with those solutions.
 

Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
Actually, this is one reason I created my user, to talk with specialists, hear them out, learn from them; maybe if they can test my thinking, that would be awesome. I would very much like to hear your opinion about my setup while testing it out :)

I'm not sure if you have access to a Synology NAS, but if you do, try out their "Hyper Backup" app. That's the backup feature I was talking about. It has backup versioning. This is a costly solution for many, though, and depends on RAID arrays, which we all know to be sensitive... Recently a Synology NAS crashed at one of my clients, but they were lucky (and me as well) that I only had to replace the NAS and move the HDDs from one to the other in the same order to save their data.

The other idea would be trying out Ranstop in your testing environment. They have a fully working trial version. Much cheaper solution for backups, quick recovery and protection in one product.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Thanks for the compliments... I am not set up to test these solutions properly, but others might want to do some testing.

Maybe you should start a separate thread about these interesting technologies you are using.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Thank you for your advice!
I saw many setups with more than two security apps active. Wondering if they are not a hit on performance...
They need to be combined wisely, or yes, they will impact the performance.
More than one real-time scanner is going to slow down the machine.
Usually, you can add a default/deny app to your AV without a noticeable hit to performance.
Default/deny solutions are pretty popular on MT, because the testers here have consistently shown how unreliable signature-based solutions are.
 
  • Like
Reactions: Amelith Nargothrond
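shmu26's reasoning above (a signature-based scanner allows anything it has no signature for, while a default/deny tool allows only what has been explicitly vetted) can be shown side by side. The following is an added example written for this page; it is not VoodooShield's or Comodo's logic and nothing in the thread describes their internals. Assumptions: the "trusted directory" rule is honoured only when the directory has no write permission bits set (POSIX mode bits stand in for "the user, and therefore malware running as the user, cannot drop files here"); the `.exe` file names and their contents are constructed; real products also consult publisher signatures, reputation and more, none of which is modelled.

```python
import hashlib
import os
import shutil
import stat
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def dir_is_locked_down(path):
    """Assumption of this example: a directory is trusted only when no write
    bit is set on it at all, so nothing can be dropped into it."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o222 == 0

def blocklist_policy(path, bad_hashes):
    """Signature-style default/allow: run unless the hash is already known-bad."""
    return "deny" if sha256_file(path) in bad_hashes else "allow"

def allowlist_policy(path, good_hashes, trusted_dirs):
    """Default/deny: run only a known-good hash, or a file that sits directly in
    a trusted directory the user cannot write to. Anything unknown is denied."""
    if sha256_file(path) in good_hashes:
        return "allow"
    parent = os.path.dirname(os.path.realpath(path))
    for d in trusted_dirs:
        if parent == os.path.realpath(d) and dir_is_locked_down(d):
            return "allow"
    return "deny"

def demo():
    """Constructed scenario: one vetted application, one brand-new download with
    no signature yet, one download already on the blocklist, and one unknown
    file dropped next to the vetted application."""
    work = tempfile.mkdtemp()
    progs = os.path.join(work, "Program Files")
    downloads = os.path.join(work, "Downloads")
    os.makedirs(progs)
    os.makedirs(downloads)
    samples = {  # name -> (folder, constructed fake binary content)
        "vetted_app": (progs, b"MZ vetted-application-binary"),
        "unknown_download": (downloads, b"MZ fresh-sample-no-signature-yet"),
        "known_bad_download": (downloads, b"MZ sample-already-on-the-blocklist"),
        "dropped_in_progs": (progs, b"MZ unknown-file-dropped-next-to-trusted-app"),
    }
    paths = {}
    for name, (folder, content) in samples.items():
        paths[name] = os.path.join(folder, name + ".exe")
        with open(paths[name], "wb") as fh:
            fh.write(content)
    good = {sha256_file(paths["vetted_app"])}
    bad = {sha256_file(paths["known_bad_download"])}

    def decide(name):
        return (blocklist_policy(paths[name], bad),
                allowlist_policy(paths[name], good, [progs]))

    os.chmod(progs, 0o777)            # trusted folder left writable: path trust is void
    results = {n: decide(n) for n in samples}
    os.chmod(progs, 0o555)            # trusted folder locked down: path trust applies
    results["dropped_in_progs_locked"] = decide("dropped_in_progs")
    os.chmod(progs, 0o755)
    shutil.rmtree(work)
    return results
```

Each result is a pair `(blocklist decision, allowlist decision)`. The unknown download is the interesting row: the blocklist has nothing to match and lets it run, the allowlist denies it. The last two rows are the caveat: a file dropped into a trusted folder is denied while that folder is writable, but allowed once the folder is locked down, so a default/deny tool that trusts paths is only as strong as the write protection on those paths. That is why shmu26's advice to combine such a tool with an AV, rather than replace one with the other, still holds.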

Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
What default/deny solutions are popular on MT please?
 

Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
Looks like a great setup to me, nothing to add here. :)

Had to look up some of it, was not aware of some of your setup. All the wiser now though. ;)

Makes me wonder why my solutions are not that popular. Can you please elaborate? Which ones did you have to look up, please?
 
  • Like
Reactions: frogboy

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
What default/deny solutions are popular on MT please?
A lot of people like VoodooShield. It is not very configurable in the free version, but if you send an email to the dev and tell him you are active in beta testing and security forums, he might give you a license.

And a lot of people like Comodo firewall (without the AV component), especially Comodo 10. The autosandbox feature is pretty popular.

check out these two threads:
Compare Protection - Which default/deny solution wins, and why?
Default/Deny comparison -- the results
 
  • Like
Reactions: frogboy and BugCode

Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
I had to look up pfSense, Synology and "inside the NAS". ;)

pfSense might not be that popular indeed... Synology, on the other hand, is very popular around here, and very reliable, with very good disaster recovery should that occur. Had serious issues twice in my life with them (one with the device itself and one with failing hard drives), but on both occasions I could easily recover the data and settings. I personally have two devices from them and a lot more out there at my clients.

Thank you for your feedback :)
 
  • Like
Reactions: frogboy

Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
Never used VoodooShield but I am familiar with Comodo. Will look into it, many thanks.
I somehow have a personal preference for dedicated stuff. For example, when I'm outside my testing environment, I let my currently implemented security solutions do their work and try not to click on anything I find on the internet or receive via email/other electronic means. This speeds up my work without having to struggle with security alerts that much, as I try to keep them away. On the other hand, when I'm using my testing environment, I really don't care what happens there; actually the focus is to try to destroy it while analyzing how it does the destroying. But then again, I need tools to slow some processes down and log the work, so tools like Comodo (or VoodooShield) are very handy :)

Thanks again!
 
  • Like
Reactions: frogboy and shmu26