
Most secure web browsing without sacrificing functionality?


25 replies to this topic

#16 NeverDie

    Cocoonut

  • Registered
  • 1018 posts
  • Hardware:Custom
  • Tech:X10-RF, Z-Wave, Custom
  • Video:Windows Media Center
  • CCTV:ip
  • Phone:Ooma, POTS

Posted 05 January 2015 - 12:09 PM

After looking into it further, I decided I was going to try VirtualBox instead of Hyper-V, since Hyper-V requires running Windows 8 Pro (= $100 upgrade per computer).  This article outlines the method I was going to try using VirtualBox:

http://lightpointsec...iruses-for-free

 

Then I noticed at the end of the article that the company offers a service where they let you use their virtual machines for this exact purpose at a cost of $6/month.  If it works, it's a sensible model, as the cost of VMs could be amortized over a user base.  They offer a free trial, so I'll probably try it.  I don't know if that particular company will do a good job at it, but if not, maybe some other company does.  If it turns out to be too laggy, though, it won't be worth it.  In that case, having some kind of in-home "server of virtual machines" that could be shared among all the home's computers would perhaps make more sense than putting VMs on every computer, and it would likely minimize the lagginess.  In theory, Microsoft wants an additional license for every virtual machine that runs Windows (even if the host computer already has a license for Windows!), so the cost of spreading it around could be quite high, though lagginess close to nil.

 

Anyone here tried doing that?  I don't imagine it would be much different than connecting to a remote desktop using XVNC or the like.

 

P.S.  When I put ESET Internet Security (which used to be known for its low impact on performance) on the little Zotac box, the browsing speed slowed down noticeably.  So, I would guess that was the difference all along.   You guys are right: running naked is a lot faster!


Edited by NeverDie, 05 January 2015 - 12:56 PM.


#17 video321

    Dedicated Cocooner

  • Registered
  • 959 posts
  • Location:NJ
  • Hardware:Elk M1, Mi Casa Verde Vera
  • Tech:Z-Wave
  • Audio:Custom
  • Video:Custom
  • CCTV:analog, dvr
  • Phone:Ooma

Posted 06 January 2015 - 07:15 AM

> having some kind of in-home "server of virtual machines" that could be shared among all the home's computers would perhaps make more sense...

VMware offers that feature - they call it shared VMs in Workstation. For ESXi, just install the client or use RDP/VNC for machine console access. Be sure to plan out how you're going to give the users an easy and enjoyable experience - plan for Internet favorites, file downloads, file upload access, being able to open/run everything they normally need from within the VM, ability to install new plugins for their favorite sites, etc. Otherwise, they won't use it!



#18 NeverDie


Posted 06 January 2015 - 09:06 PM

Here's yet another idea: utilize an "instant restore" backup, such as is allegedly offered by some of the "continuous data protection" backup software packages.  For instance, Rollback Rx does require a reboot, but aside from that, it claims the time to roll back to whatever time you pick is instant.  I can't vouch for that, as I haven't yet tried it, but the reviews on Amazon are very high (so high that I'm wondering whether they were rigged):  http://www.amazon.co..._pr_product_top

 

For present purposes, the problem with most backup/restore products is that restore is very lengthy, so it probably wouldn't get used as often as it should.

 

However, doing an "instant restore" might be an acceptable alternative to running everything in a VM, as the results might be similar.

 

Anyone here have experience with any high quality "instant restore" CDP software?



#19 Work2Play

    Cocoonut

  • -=Gold Supporter=-
  • 4954 posts
  • Location:Colorado
  • Experience:guru
  • Software:Elve
  • Hardware:Elk M1, RUC-01
  • Tech:X10-RF, UPB, RadioRA2
  • Audio:AirPlay
  • Video:XBMC
  • CCTV:ip, dvr
  • Phone:3CX, Asterisk, FreePBX, Grandstream, Ooma

Posted 07 January 2015 - 02:45 AM

So if you're going the RDP route, a fun little terminal I tried out (have one downstairs) is this:

http://h10010.www1.h...4230.html?dnr=2

 

Powered by POE with a wireless kb/mouse and there's only one single wire on the whole desk.  And performance is pretty decent.



#20 NeverDie


Posted 08 January 2015 - 01:35 PM

It turns out Ubuntu and its derivatives like Lubuntu will boot with UEFI set to boot Windows 8.1.  Many other Linuxes won't, at least not without non-trivial effort.  Anyhow, I'd just as soon not set the UEFI to legacy, just in case the secure boot really does work at preventing rootkits from taking over the MBR (or whatever the MBR equivalent is called these days).

 

So, I got VirtualBox working last night (actually more like a proof of concept) with Windows 8.1 as the host operating system and Lubuntu as the guest operating system.  VirtualBox doesn't seem to release the hard drive space it reserves for the virtual machine, even after I discard the VM and instruct it to delete all associated files, so I eventually ran out of hard drive space after creating and destroying a bunch of virtual machines.  I thought I would go through Windows to reclaim the space, but it seems well hidden, even after setting Windows "folder options" to reveal everything.

 

So, the usual two steps forward, one step back.   B)   I'll also need to buy more memory if I go this route.


Edited by NeverDie, 08 January 2015 - 01:38 PM.


#21 pete_c

    Cocoonut

  • -=Gold Supporter=-
  • 10019 posts
  • Location:House
  • Experience:average
  • Software:Main Lobby, Open Source Automation
  • Hardware:HAI OmniPro II, Mi Casa Verde Vera, Ocelot
  • Tech:X10-PLC, X10-RF, UPB, INSTEON, Z-Wave, ZigBee, 1-Wire, xAP, xPL, ALC
  • Audio:Russound
  • Video:MythTV
  • CCTV:analog, ip, dvr
  • Phone:Asterisk, FreePBX, Ooma, POTS, VoIP via ISP

Posted 08 January 2015 - 03:21 PM

Here I have one Wintel tablet which boots up showing W80, W81, iOS, Android and Linux.  I never paid attention and it does fine.

 

I use it more for just touchscreen stuff.

 

On one laptop just went to installing W81 leaving some space for an Ubuntu 14.04 LTS partition and here I just utilize Grub2 to boot.  Each OS boots from its own small easy to replace partition.  I enabled the OS stickiness such that it remembers which OS booted last and defaults to said OS.  Thinking it just replaces the Wintel MBR stuff with Grub stuff; then also utilize a tiny 4Gb boot stick which default boots if I leave it in place.  I utilize the tablets mostly to surf the web but not to type anything.  I do also shut them off when I am not using them.

 

For Homeseer HS Touch designer I have one Wintel server designated as just an RDP server and use one profile for HSTouch designs that I can get to from anywhere on the network.

 

My wife's desktop computer is just a net top shuttle with a baby Wintel build on it that is just an image that takes 5 minutes to install. I try to keep it pretty light but still utilize a light Antimalware (Malwarebytes) and a light AV. 

 

I also built a pfSense firewall running in BSD.  It's free, support is great and you can do all sorts of things with it lessening the load on the browser clients a bit.  You can also go with physically separate networks and VLANs inside and do load balancing and/or failover outside.

 

Think of your home network like an onion where you have a core piece(s) and layers from the outside in to the core parts of your network.



#22 NeverDie


Posted 08 January 2015 - 09:29 PM

> I also built a pfSense firewall running in BSD.  It's free, support is great and you can do all sorts of things with it lessening the load on the browser clients a bit.  You can also go with physically separate networks and VLANs inside and do load balancing and/or failover outside.

Nice.  What kind of CPU is needed for the pfSense firewall to process packets at a sustained 1gbps without dropping any?  Also, what do you use for load testing it?



#23 pete_c


Posted 08 January 2015 - 10:45 PM

Today running pfSense on a core duo / 4Gb of memory with 6 Gb Intel NICs. It does fine.  Years ago firewall utilized an old 386.

 

Just about any PC will do.

 

Never load tested any of my software firewalls.

 

That said never had an issue relating to dropping packets.  You can graph / log any data you want in or out of the device / software.

 

See here.



#24 NeverDie


Posted 11 January 2015 - 10:13 AM

> Today running pfSense on a core duo / 4Gb of memory with 6 Gb Intel NICs. It does fine.  Years ago firewall utilized an old 386.
>
> Just about any PC will do.
>
> Never load tested any of my software firewalls.
>
> That said never had an issue relating to dropping packets.  You can graph / log any data you want in or out of the device / software.
>
> See here.

Thanks!  In that case I think I'll simply buy another J1800 board to run it on.  I'm not a fan of ECS, but they're now selling for a mere $32 with free shipping.



#25 NeverDie


Posted 14 January 2015 - 02:54 PM

As a near-term solution, I think running openSUSE 13.2 may be a viable answer.  I can boot into snapshots, so I can quickly rewind to the time before a browser session.  It also comes with a hypervisor built in, offering another way to eradicate malware by browsing in a virtual machine.

 

I also now have other, unrelated reasons for trying openSUSE (namely, it both runs BTRFS by default and is deemed "stable"), so I'll probably try it fairly soon.



#26 markophillips

    Newbie

  • New Member
  • 1 posts

Posted 11 July 2020 - 02:38 AM

Very helpful discussion.





