
OCF Guide to Network Security and Operations


Captain Newbie

Senior Django-loving Member
-- Under Construction -- (Needs: links to firewall types)

Disclaimer. This guide is intended to make it so that you're above the so-called "low hanging fruit" and make your network harder for script kiddies and amateurs to crack into. This is not a definitive guide to securing your network against all intruders, as a determined intruder will eventually gain access to a home network through any means required. I am also mostly addressing Windows users with this -- you *nix people already know how to be secure since by definition most of you are marginally more technical. :D

Introduction

If you have a broadband connection to the Internet (and demographics show that most OCF members do), you are both blessed and cursed. You are blessed and cursed for the same reason -- namely:
1) It's a big pipe leading to and from your computer, and
2) It's an instantly available connection to the outside world.

Both of these, if there were no evildoers in the world, would be just fine. Regrettably, there are 3vildoers in the world--most notably script kiddies and hackers who think that having a botnet or group of zombies for fun and profit is cool. So why should you care?

First: You've got a responsibility that comes with owning the computer to keep it secure so that you *don't* get roped into a botnet. *Especially* because you're reading here, I assume you're fairly technically inclined and use your computer a lot.

Well, if I were to peek at your computer, I'd probably find lots of Personally Identifiable Information, some of which I'm sure you'd rather not have shared. And you certainly don't want to contribute to global spam, right? Or get a virus and have to start from scratch. This is a short guide about defense in depth.

And before we get started -- a statistic. The average time it takes for an unprotected Windows box on the Internet to be pwnt by Johnny Q. Hacker is about two minutes.

Securing The Pipes

There are really two very important things to do on your Windows home network:
1) Run at least one firewall (one software, one hardware is a better thing to do)
2) Keep your Windows updates, well, up to date.
3) Run and keep current your antivirus signatures.

These three alone will elevate you above the low-hanging fruit on the Internet. SANS has a good guide on how to build your own firewall for the network inclined. I would recommend buying an out-of-the-box solution, however, like these ones. Once you get one, make sure you change the default name and password for control of the system.

If you own an nVidia nForce4 mainboard, you also have a hardware firewall built-in that can be used under Windows. Use it, as it works fairly well.

Microsoft makes very public knowledge of vulnerabilities and exploits in their software--once they acknowledge that there is a problem. The first Tuesday of every month--Patch Tuesday--is the normal patch-release date for security and updates.

Don't run Windows if you can possibly avoid it

I'm not saying *nixen or Macs are immune to attack (quite the opposite is true), but they do have a smaller attack surface since Microsoft owns 95% of the desktop market and most attackers looking to borg you for a botnet won't bother. Not running Windows is not an option for most people, so this is a moot point. If you are going to run Windows, though, do not run 95 or 98 in a network environment as no provisions for network security or access controls are provided.

The reason I hate on Windows so much for secure networks is that Windows machines tend to actively advertise their presence to everyone else on the network, and it's very clear and immediately obvious upon running a scan of a Windows machine (thank you Microsoft for your flagrant disregard of the TCP/IP standard!) that the machine *is* running Windows and has such-and-such services available. The average, default-configuration Windows box (sans firewall) can be identified easily due to the ports that are open and available, and even when firewalled, Microsoft's reckless disregard of the TCP/IP RFC has enabled tools such as nmap to easily ferret out Windows boxes. Windows protocols are also fairly chatty. The integration of Infernalnet Exploiter Internet Exploder Internet Explorer into the operating system has also substantially weakened the security of the system.

If you can avoid using it (your old hardware should run [Free|Net|Open]BSD or Linux if it's on the network!) then don't use it. I bought my mom a Mac. :cool:

If you don't need it, turn it off!

Services running on your machine, unless you know for a fact you need them, should be stopped (use services.msc or Control Panel > Computer Management (or Admin Tools? Someone fill me in -CN) > Services to switch 'em off). If you can avoid it, don't share files (this includes p2p sharing, which is verboten at most big organizations for a number of very good reasons!), locally or via peer-to-peer.

Securing The Data

Password security on Windows is also something of a lost cause as the Security Access Manager (SAM) database breaks the password hashes, or encrypted versions of the passwords, into an appropriate number of seven-character hashes, rather than one long hash (such as md5 passwords on *nix). Not using SAM is, as you may guess, not an option either. A weak NT/XP/2000 password may be cracked in under 45 seconds on a Pentium 3M machine.

Use strong passwords. A minimum of eight characters, one non-alphanumeric, one numeric, and mixed case, is the best solution.

On wireless

Off off off off off off off off TURN IT OFF! Well, alright, maybe that's too extreme. Wireless is an inherently insecure method of network operations simply because you don't own the media--everyone, the folks next door and someone with his lousy little Sharp Zaurus wireless-enabled PDA owns the media and can access it. There's a fairly good guide to security of wireless operations already written so I won't reiterate all of it here. I still think it's a stupid way of doing anything that is reasonably confidential. Finally, a non-secured WAP can give unauthorized users the keys to the kingdom, since it's already beyond the first firewall (and most folks only run one).

Once a machine has been compromised you cannot trust anything that your OS or antivirus software is telling you, so keep regular backups of the stuff that is truly important to you. When the machine's compromised, you must start from scratch.

More as I think of it, but all that should give you at least a start against John Q. Hacker.
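The password rule from "Securing The Data" above, as an added example that is not part of the original post: it checks a password against the guide's stated policy (eight characters, a digit, a non-alphanumeric character, mixed case) and estimates brute-force cost both for one hash over the whole password and for the case the guide describes, where the hash is split into independent seven-character pieces. The function names, the use of Python's punctuation set as the "non-alphanumeric" class, and the alphabet sizes are my own assumptions.

```python
import math
import string

# Policy as stated in the guide: at least eight characters, one digit,
# one non-alphanumeric character, and both upper- and lower-case letters.
MIN_LENGTH = 8
SYMBOLS = set(string.punctuation)  # assumed set of "non-alphanumeric" characters


def policy_failures(password: str) -> list:
    """Return the guide's requirements that `password` fails (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c in SYMBOLS for c in password):
        failures.append("no non-alphanumeric character")
    return failures


def alphabet_size(password: str) -> int:
    """Size of the character set a guesser must search, given the classes actually used."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in SYMBOLS, len(SYMBOLS))]
    return sum(n for test, n in classes if any(test(c) for c in password))


def brute_force_bits(password: str) -> float:
    """log2 of the guesses needed to exhaust one hash covering the whole password."""
    return len(password) * math.log2(alphabet_size(password))


def chunked_bits(password: str, chunk: int = 7) -> float:
    """Same estimate when the hash is stored as independent `chunk`-character pieces
    (the guide's point about SAM): each piece is searched separately, so the cost is
    about pieces * alphabet**chunk, and length beyond one piece adds almost nothing."""
    if len(password) <= chunk:
        return brute_force_bits(password)
    pieces = math.ceil(len(password) / chunk)
    return math.log2(pieces) + chunk * math.log2(alphabet_size(password))


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "correcthorsebatterystaple"]:  # constructed samples
        print(f"{pw!r}: failures={policy_failures(pw) or 'none'}, "
              f"one hash={brute_force_bits(pw):.1f} bits, 7-char pieces={chunked_bits(pw):.1f} bits")
```

The last column shows why, under a seven-character split, a 25-character password is barely harder to exhaust than a 14-character one from the same character classes.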
 
Vote for sticky!

The Computer Management thing is in Admin tools

Also, since nForce driver 5.11 for nForce 3, they have ActiveArmor too! :cool:

For the software firewall, the best free one I can think of on Winblows is Filseclab, FREE and very efficient.

For hardware, older hardware is now dirt cheap, a 2nd-hand PI or PII plus 2-3 NICs and a switch is now equal to/cheaper than a good router with firewall... Plus the smoothwall can be Gigabyte... IMHO worth it
 
Services running on your machine, unless you know for a fact you need them, should be stopped (use services.msc or Control Panel > Computer Management (or Admin Tools? Someone fill me in -CN) > Services to switch 'em off)

In Windows XP, it's Start Button > Control Panel > Admin Tools > Services

or Right Click My Computer > Manage > Services and Applications > Services
 