My roommate is a security risk!

whatthehell

Hello All
Some advice needed here --- my roommate is a bit of a security risk--- as he refuses to use anti virus because, in his own words, it's a "pain in the ass", takes up sys resources, and is expensive.
I agree with the resources, and sometimes "pain in the ass" but I told him about free alternatives like AVG.
He always mentions system performance issues to me, and even has told me about a couple virus like systems (like that nasty Facebook virus of recent) he has experienced.

He is a good guy though, and we are moving to a new place soon --- the whole point is --- this gives me an opportunity to design some type of network where I will be safe and he can still have internet access ---

What do you all think?
Vlans?
network segmentation?

What do you all do for secure systems? In other words, the systems you keep your financial data, check your bank accounts, etc on?

Thanks for any recommendations in advance.:D

unsupported

Setting up security measures will have no effect if you do not have a sound security policy in place. When you sign the lease on the new place, make him sign a network user security policy saying he needs to install anti-virus and patch his machine if he wants it to be on the network.

Nist is a good resource for templates.

networker050184

Put him in a dmz and only allow access to the internet.

Slowhand

The simple solution is to put him on a seperate layer 3 broadcast domain. Get yourself a Catalyst 2950 switch from eBay and something like a Cisco 1721 router, (they're cheap,) and set up two VLANs. One is yours, where you allow whatever access you want. The other is his, which allows him free-reign to go on the internet, but no access to your machine at all.

The hardware recommendation is just an example. You can pick up a used SonicWall and do zones, which will accomplish the exact same thing as VLANs, and there are a slew of other routers/switches out there that can accomplish the same thing. The important thing is to get the two of you off the same wire, and put him in a DMZ (a router with three ports - one for your connection, one for his, and one for the internet - would do the trick as well). The only other alternatives would be to have seperate internet connections or spend a whole lot of time securing your machine and double/triple-checking it for viruses every time he downloads something nasty.

maumercado

Format his computer and say it was a virus... works like a charm! hehehe

No, but seriously most people would only learn the hard way, me included!

msteinhilber

You can download virus and/or malware archives from Offensive Computing for analysis purposes, you could always just "analyze" viruses on his computer over and over until he finally uses some A/V software.

Offensive Computing | Community Malicious code research and analysis

petedude

I didn't use one for many years. I think an experienced IT pro could get by without one for a while if they operate behind a good firewall and they're VERY careful. Doesn't sound like the roomie in question falls into this category, though.

I've seen enough nasty spyware, though, that I now have to at least run ClamAV at home.

Anybody who complains about an AV product should be using something low-end like NOD, AVG or ClamAV.

jibbajabba

Well if you are concerned about your system then you don't even need vlans .. two different subnets should be enough ... but if you router supports vlans then that is obviously the best solution ..

UnixGuy

change your roommate, he seems to be a real "pain in the ass"

kalebksp

I would grab a Linksys router that supports DD-WRT and create separate VLANs. You can even create separate wireless VLANs if you both use wireless. It would cheaper and less noisy than buying Cisco equipment.

tiersten

petedude wrote: »

Anybody who complains about an AV product should be using something low-end like NOD, AVG or ClamAV.

I wouldn't call any of them low-end. I guess you mean that they're not bloated like NAV?