Most people would never leave home with their doors and windows unlocked, leaving an invitation for someone to steal their valuable possessions. Neither should they leave the entrances to their personal home network open and unsecured for their private, personal data to be taken.
A common statement in network security is that the only secure computer is one that is turned off, unplugged, not connected to any other device, locked in a vault, and buried underground in a secret location. Understanding a few tricks of the security trade to protect your home network means you do not have to go to such extremes. In this article, I'll walk you through these basic tricks; even if you think your home network is well protected, there's always something more you can do to tighten security.
Author's Note: For the purposes of this article, I will use the generic term 'home network,' though the ideas presented can just as easily apply to a single computer connected to the Internet, or two or more computers sharing an Internet connection.
Determining the Openness of Your Network
You cannot know how to secure your home network if you do not know where it is most vulnerable. If you were securing your home, you would identify all doors, windows, and other access points. You need to do the same for your network: Where can a hacker get in? What ports have you left open?
Conduct an External Port Scan
You want to begin with an external port scan. You can conduct one from your own internal computer by using free services provided by various Web sites. To make this task easier for you, these services, when launched, scan your ports from a server outside of your own internal network, even though you are invoking them from your own computer. In a matter of minutes, you get a report of what ports are open. DSLReports.com is one such provider, whose applet, called Port-scan, determines from an external view the ports that you have open on your network. Later in this article, I'll show you some of the most commonly open ports and tell you the function of each port and the security vulnerabilities each presents.
If you have access to an external computer along with a good port scanner, such as nmap, you could simply perform your own scan against your own home network. This has the benefit of giving you more control over the ports scanned and what kind of scan to perform. However, to do this, you obviously need to determine your router or network connectivity device's external IP address. You can attain this by looking through your router configuration or you can utilize a free service for this purpose.
After you have successfully determined which ports are open and vulnerable, you should determine what purpose each port serves, the security risk that each open port poses, and whether you really need them open in the first place.
There are two types of ports you should be concerned about: Transmission Control Protocol (TCP) ports and User Datagram Protocol (UDP) ports. TCP and UDP are both protocols that compose the Internet Protocol suite. Below is a list of some of the most commonly open TCP and UDP ports and their vulnerabilities. Note that unless you specifically need any of these ports open externally, you can generally close all ports and still have full Internet access. You only need open external ports if you intend to host certain services, such as a Web server. Bear in mind that many more ports exist that should be checked, but covering all of them is beyond the scope of this article.
TCP Port 139
TCP Port 139 provides the service commonly used for starting NetBIOS sessions. It requires that you take measures to screen the port from outside access. The NetBIOS services allow file sharing over networks, and when configured improperly, they can expose critical system files and make your system vulnerable to full file system access. Malicious intruders connected to your network can gain access to your system files and can perform run, delete, copy, upload and download functions. Generally this port should be closed to the outside world.
UDP Port 137
NetBIOS Name Service
UDP Port 137 provides name registration and lookup for NetBIOS. Windows machines provide the nbtstat command, which is used to query other Windows NetBIOS name server ports. This port is not a security threat directly, but if it is open, it usually means that TCP Port 139 is open. We discussed the implications of TCP Port 139 being open in the previous section.
UDP Port 138
NetBIOS Datagram Service
UDP Port 138 provides the NetBIOS datagram service and is used to broadcast information on browse lists. It is also used to broadcast elections from a Windows Master Browser to Windows workstations. If you block Port 138 on your LAN, you may have limited ability to browse other machines on the LAN. You can filter Port 138 and still access the Internet with no problems.
UDP Port 67
The Bootstrap Protocol server is used by Dynamic Host Configuration Protocol (DHCP) servers to communicate addressing information to remote DHCP clients. You will need this port open on the internal interface if you use DHCP on your home network, but you should disable it to ensure no DHCP server is running on the external interface. Why? Hackers can use another computer, namely yours, as a slave computer to make illegal activities seem as if they originated from your computer. Further, a hacker could waste your computer's disk space, CPU power, and bandwidth by installing a peer-to-peer server for instance.
UDP Port 68
UDP Port 68, the bootstrap protocol client, is used by client machines to obtain dynamic IP address information from the DHCP server. Tightly administering DHCP permissions can help keep DHCP ports from being used for malicious attacks. Obviously, UDP Port 68 should be disabled, just as its partner Port 67 should be, if DHCP is not being used in your network to dynamically assign IP addresses. This is especially important with wireless routers, where someone outside of your house could gain an internal IP address, and hence, internal access to the machines and services you have running internally.
RPC Service for Windows NT-based machines
The Remote Procedure Call (RPC) service for Windows NT machines is used in client/server environments to support distributed applications with components located on different machines. Because Windows NT relies heavily on RPC for COM, COM+, and .NET communications, you can't simply disable it entirely.
Further, Microsoft Exchange clients such as Outlook and Outlook Express use Port 135 to connect to Exchange servers. If you access your home computer remotely using a Virtual Private Network (VPN), Port 135 must be open on the firewall to allow you to access the Exchange server. Note that this is the opposite of using your home computer to access something like your work computer via a VPN. For Outlook Web access, you obviously will use Port 80 instead of Port 135.
TCP Port 80
Basic Web Traffic
Port 80 is the default Web server port, and is used by Web servers such as the popular Apache Web server, Microsoft's IIS, and Personal Web Server. However, if you do not run a Web server intended for external users, you should close Port 80; if you do not close it, you may have an open proxy running on your network, which makes it vulnerable to outside access.
Universal Plug and Play
Known vulnerabilities exist in Universal Plug and Play (UPnP), and Port 5000, which it uses, should be disabled unless absolutely necessary. UPnP, part of Microsoft Windows Millennium Edition (ME) and later, supports peer-to-peer plug and play functionality for network devices. The UPnP specification, which is a driverless, standards-based protocol, is designed to simplify the discovery of network devices and network service installation and management. UPnP devices can configure network addresses automatically, announce their presence on a subnet, and enable the exchange of device and service descriptions. Beware: a Windows ME computer can act as a UPnP control point, allowing an intruder to access and exploit the devices through a Web or application interface when Port 5000 is exposed.
TCP Port 1025
Simple Service Discovery
The Simple Service Discovery Protocol uses port 1025, and it is used to find UPnP devices on your home network. For security reasons, externally you should disable Port 1025 along with all other UPnP services.
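To tie the scanning procedure described earlier to the port list above, here is a small TCP connect-scan script, added as an example for this article (it is not the DSLReports applet or nmap). It checks only the TCP ports discussed here, since UDP ports do not answer a plain connect; run it from an external computer against your router's external address, as the scan section describes, and treat every port it reports as a door you must justify keeping open.

```python
import socket
import sys
from contextlib import closing

# Ports this article discusses and the service each one carries.
# UDP entries are listed for reference only: a connect() attempt says
# nothing about a UDP port, so the scan below checks TCP ports only.
ARTICLE_PORTS = {
    ("tcp", 139): "NetBIOS session service (file sharing)",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("udp", 67): "BOOTP/DHCP server",
    ("udp", 68): "BOOTP/DHCP client",
    ("tcp", 135): "Windows RPC service (used by Exchange clients)",
    ("tcp", 80): "HTTP (Web server, or an open proxy)",
    ("tcp", 5000): "Universal Plug and Play",
    ("tcp", 1025): "UPnP device discovery (as listed in this article)",
}


def article_tcp_ports():
    """The TCP ports from the table above, in ascending order."""
    return sorted(p for proto, p in ARTICLE_PORTS if proto == "tcp")


def tcp_port_open(host, port, timeout=1.0):
    """True if a TCP connect() to host:port completes within timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_tcp(host, ports, timeout=1.0):
    """Connect-scan the given ports; return {port: description} for open ones."""
    found = {}
    for port in ports:
        if tcp_port_open(host, port, timeout):
            found[port] = ARTICLE_PORTS.get(("tcp", port), "unlisted service")
    return found


if __name__ == "__main__":
    # Default target is localhost; pass your external address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    open_ports = scan_tcp(target, article_tcp_ports())
    if not open_ports:
        print(f"{target}: none of the article's TCP ports answered")
    for port, desc in sorted(open_ports.items()):
        print(f"{target}: TCP {port} open  ({desc})")
```

Scanning your router's external address from inside your own LAN may be answered by the router itself rather than reflecting what the Internet sees, which is why the article recommends an external vantage point.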
Author's Note: Again, DSLReports provides details about numerous ports and their vulnerabilities. Further, CERT.org provides critical and timely information about the latest security attacks and how to counter them. While specific to Linux in some areas, this "Linux Security How-to" has some good general information about physically securing your network and other basic security information.