Home Computer Security
May 7, 2003 & January 22, 2003
http://eden.creighton.edu/homesecurity
General Principles
Once you've allowed access to your server through your firewall or proxy server, you need to carefully configure the computer running the service. Although the serving computer isn't entirely exposed to the Internet, even one port can be all that a good cracker needs to mess with your data and network. If you think of your server as being directly connected to the Internet, you'll have the right mindset toward properly locking it down.
The server computer should be locked up tight and watched closely. Here's a list of to-dos:
Run only the services that you need, and don't run anything whose purpose you don't understand.
Have strong password protection on any administration interfaces or access control login screens. This is the easiest, yet most often overlooked, protection against getting broken into.
Share only the data you need to share. Yes, sharing your entire hard drive is quick and easy and anyone who breaks into your system will be glad you did! If you must share an entire drive, then create a separate drive partition, put the files you want to share there, and share that drive, not your main drive!
Be careful with File and Printer Sharing. Turn it on when you need to update the server and off otherwise. If that's not practical, at least unbind it from TCP/IP and bind it to NetBEUI or IPX/SPX (see this page).
Back up at least the server's data files regularly and periodically back up the entire machine.
Enable logging on any services and review the logs on a regular basis for any suspicious activity.
Run a good, current version of anti-virus software and update the virus data files regularly.
There are entire Web sites devoted to security (some of which are listed here), so we've just put a tiny scratch in the surface of the subject. But if you use the above information correctly, you should be able to serve safely!
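One way to act on the first to-do above, shown as an added example that is not part of the original page: the script parses "netstat -an" output (Windows or Linux layout) and reports TCP listeners that are reachable from the network but not on an allowlist. The sample output and the ALLOWED_PORTS policy are constructed for illustration.

```python
import re

# Constructed sample of `netstat -an` output (Windows layout); not from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      203.0.113.7:80         ESTABLISHED
"""

# Hypothetical policy (an assumption): this machine is only meant to serve web pages.
ALLOWED_PORTS = {80}

# Matches Windows rows ("TCP addr:port ... LISTENING") and Linux rows
# ("tcp recvq sendq addr:port ... LISTEN"); other states are ignored.
ROW = re.compile(r"^\s*tcp\S*\s+(?:\d+\s+\d+\s+)?(\S+)[:.](\d+)\s+\S+\s+LISTEN", re.I)


def audit_listeners(netstat_text, allowed_ports):
    """Return (address, port) pairs, sorted by port, that listen on a
    network-reachable address and are not in the allowlist."""
    findings = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if addr.startswith("127.") or addr in ("::1", "[::1]"):
            continue  # loopback-only listeners cannot be reached from the network
        if port not in allowed_ports:
            findings.add((addr, port))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for addr, port in audit_listeners(SAMPLE_NETSTAT, ALLOWED_PORTS):
        print(f"unexpected listener: {addr} port {port}")
```

To audit a real machine, save the output of "netstat -an" to a file and pass its contents in place of SAMPLE_NETSTAT.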
Finding out if you are exposed
Steve Gibson's Site - http://www.grc.com - An excellent site for checking which ports you have open and for other general SOHO security issues. His Shields Up page will allow you to test your firewall and also test to see what ports you have open to the outside world.
Here is the result of the probe of my office computer and here is the result of the probe of my ports on that computer.
Here is the result of the probe on a computer INSIDE my home network and here is the result of the probe of my ports on that INSIDE computer - this is from a Cox cable modem, off of a Windows 2000 server running RRAS.
CERT's recommendation on home network security
Cable Modem Routers
Linksys routers and related Linksys products
PracticallyNetworked.com and How To Secure Your LAN and their review of LAN Security Tools
Wireless Configuration
To match Creighton: SSID is "101" and the mode needs to be set to infrastructure. If you have a Linksys, you should also set it to channel six as the default channel.
New product! A wireless signal booster - should be good for those with multi-story residences and those that want to provide Internet access to the whole neighborhood
Setting up wireless encryption and another article on securityfocus.com on securing wireless networks
Things to do to secure your wireless network:
Change the default SSID. Most people don't even bother to change the default SSID provided by a wireless access point. If your neighbor knows that you are using a Linksys wireless access point (say, by seeing the boxes you throw away), they could easily try the default SSID. Always change the SSID to something obscure, and never try to use your company name or your personal name. These names are too easy to guess.
Disable SSID broadcast. By default, most wireless access points will broadcast the SSID to all wireless devices; anyone with a wireless network card can detect the SSID you use in your network and gain access to your network.
Use MAC address filtering. If you have a small number of users in your wireless network (which is usually the case), you can use MAC address filtering. With MAC address filtering, you find the MAC address of your network card and manually enter it into your wireless access point. Only MAC addresses that have been registered with the wireless access point are able to gain access to your network. You can usually locate the MAC address of your network card on the device itself.
Always change the default user name and password for your wireless access point. It's too easy for people to guess the default user names and passwords used in wireless access points.
Turn off DHCP. Use static IP addresses if the number of users on the network is small. Turning off DHCP will prevent wireless sniffers from seeing the IP addresses being used.
Refrain from using the default IP subnet. Most wireless routers use the default 192.168.1.0 network. It is easy for people to guess the IP addresses used and illegally gain access to the network.
Use WEP for encryption of packets. If you are concerned about the confidentiality of information transmitted by your wireless network, you may wish to enable WEP encryption. Though WEP has been proven to be "crackable," it still acts as a deterrent against packet sniffing for everyone but ardent hackers.
Another Option - Routing and Remote Access or IP Masquerading
Routing and Remote Access can be used on a Windows 2000 server to provide TCP/IP connectivity to your private internal network. All the machines on the inside of your home network are unreachable from the outside, unless you configure RRAS to allow connections.
IP Masquerading is a form of Network Address Translation which allows a private network of computers to communicate via one computer, running some form of Unix (Linux, BSD).
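Why inside machines are unreachable until you allow a connection, shown as an added example that is not part of the original page: a simplified model of a masquerading gateway's translation table. The class, its method names and all addresses are constructed for illustration; real gateways (RRAS, Linux) track more state than this.

```python
class MasqueradeGateway:
    """Toy model of a masquerading (NAT) gateway's translation table."""

    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (inside_ip, inside_port, remote) -> public_port
        self.in_map = {}    # (public_port, remote) -> (inside_ip, inside_port)
        self.forwards = {}  # public_port -> (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port, remote):
        """An inside host opens a connection; return the rewritten source."""
        key = (inside_ip, inside_port, remote)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, remote)] = (inside_ip, inside_port)
            self.next_port += 1
        return (self.public_ip, self.out_map[key])

    def forward(self, public_port, inside_ip, inside_port):
        """Explicitly expose one inside service (the 'allow connections' case)."""
        self.forwards[public_port] = (inside_ip, inside_port)

    def inbound(self, remote, public_port):
        """Return the inside destination for an outside packet, or None if dropped."""
        if (public_port, remote) in self.in_map:   # reply to a flow started inside
            return self.in_map[(public_port, remote)]
        return self.forwards.get(public_port)      # strangers only reach forwarded ports


def demo():
    gw = MasqueradeGateway("203.0.113.5")          # constructed documentation addresses
    web = ("198.51.100.20", 80)
    stranger = ("192.0.2.99", 4444)
    src = gw.outbound("192.168.0.10", 1025, web)   # inside PC browses a web site
    results = {
        "rewritten_source": src,
        "reply": gw.inbound(web, src[1]),
        "stranger_same_port": gw.inbound(stranger, src[1]),
        "unsolicited_445": gw.inbound(stranger, 445),
    }
    gw.forward(80, "192.168.0.2", 80)              # now the home web server is exposed
    results["forwarded_80"] = gw.inbound(stranger, 80)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Once a port is forwarded, the inside server behind it should be locked down as described under General Principles.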
Other Related Websites
Creighton University Help Desk (http://www.creighton.edu/helpdesk) and the Helpdesk Virus Information Page (http://www.creighton.edu/helpdesk/virus)
Ad-Aware (http://www.lavasoft.nu)
Zone Alarm (http://www.zonelabs.com/store/content/catalog/products/zonealarm/znalm_details.jsp)
This page last updated on Tuesday, May 06, 2003 16:16:44