Test that Safeguards Are Working
Several ways exist to make certain that the safeguards you implement in your network are functioning properly and your network is secured as you designed it. First, you should already have password prompts on restricted areas of your personal Web site. Test your access to these restricted areas to be sure the passwords you set up are working and the areas are indeed restricted.
A simple and common mistake is to have the shared option on client machines turned on. With a personal, home network the need to share network drives or directories on client machines is minimal. Make sure shared drives and devices, such as printers or drives on a home server, are hidden or password protected. And, naturally, if you don't need a device to be shared on the network, remove it.
If home automation is your forte, perhaps you have home security cameras set up that can be viewed externally. You need to be sure the Web site you have set up through which to view your Web cams is secure and password protected. If not, anyone who knows, or browses to, the URL can view the inside of your home anytime your Web cams are running.
Your wireless network provides unprecedented convenience, but the security risks usually far exceed those of your wired network. To find where yours is vulnerable, turn yourself into a hacker and try to hack your own wireless network. Remove your wireless settings from your computer, then, using only the information that is broadcast from your wireless router, see how much of your network you can gain access to.
Additionally, take your laptop outdoors and, using your wireless connection, try to get into your network from outside the perimeter of your house. Stand in your neighbor's yard or your neighbor's neighbor's yard, for example, and determine the range of accessibility of your own network from outside your home. While you have access from the outside, check for open shared drives as well. This is especially important in a densely populated neighborhood such as an apartment complex.
Securing Your Home Network
I've talked about some of the ports that are most commonly open, leaving your network open to malicious attacks, and some basic security tests you can conduct to see if your wired and wireless networks are secure from the outside world. Now let's talk about some of the basic, overall measures you can take to ensure your network is off-limits to unwanted guests.
Installing and Setting up a Firewall
One of the most basic and obvious means of securing your home network is to install a firewall. Every vendor's firewall installation and setup is unique; however, I will go over some general configuration guidelines as well as an example installation and configuration of an SMC Barricade Firewall.
Firewalls can be broken into two basic types: external hardware firewalls and software firewalls installed on individual computers. In general, hardware firewalls are the best solution. Not only do they provide an additional layer between your home network and the outside world, but as dedicated devices they are often more robust.
Installing a firewall is relatively straightforward. In fact, Microsoft and Macintosh operating systems both come with firewalls already installed and default options selected. If you are using a Windows-based network, the default firewall is Microsoft Internet Connection Firewall. Under Network Connections, Properties, Advanced, click the checkbox for the option to protect your computer from access via the Internet and make sure the firewall is enabled. As with most Windows software, missing a single security update can open a computer up to security threats and serious consequences.
The Mac OS X configuration is secure by default for private or public network communications by closing all the communication ports using its built-in firewall. Similarly, all native services are turned off by default, but authorized users may enable these services, such as personal file sharing, Windows file sharing, personal web sharing, remote login, File Transfer Protocol (FTP) access, remote Apple events, and printer sharing. By default, Mac OS X uses Secure Shell (SSH) for remote access since its communications are encrypted.
Numerous distributions of Linux exist, and some perform firewall functions while others do not. The following sections provide examples of installing and configuring an SMC Barricade firewall as well as general firewall configuration considerations.
On the hardware side, installing a firewall is merely a matter of plugging the firewall into the server or other external-facing computer that you are using. In a small home network, that’s all there is to the physical setup. Now it needs to be configured.
Configuring a Firewall
With a hardware firewall, be sure to change the default device name (if possible), the administrator user name and password, and ensure that remote administration is disabled. This way you are making it almost impossible for anyone outside to change your firewall settings.
If you are using only a software firewall, be sure to install one on every machine and device that is connected to your network. Alternatively, if you already have a server on your network you could set it up as a gateway machine through which all machines connect to the Internet. You should then install and configure the firewall on it.
Some general firewall settings are available in most firewalls, both hardware and software, and can help you keep your home network secure. For example, you can set up your firewall to discard external pings on your system. If your system gets pinged routinely, your attacker likely will give up when the pings are discarded. Even if a hacker uses an automated system to ping computers, the IP address (your computer) associated with a discarded ping will appear as if nothing is connected at that address, making your gateway invisible to such unsolicited requests.
Configuring your firewall should also include an external port scan of your gateway, which will give you a list of externally open ports on your gateway. While port scans have already been discussed in detail in this article, remember to port scan your gateway and to close all external ports unless you specifically need them open. Remember that doing so should not, in general, affect your ability to access the Internet.
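One way to carry out the gateway check described above and compare the result against the ports you actually intend to expose. This is an added example, not part of the original article; the port list, the function names, and the placeholder address 192.0.2.1 are assumptions, and the script must be run against your own gateway from a machine outside your network to reflect what is externally open.

```python
import socket

# Assumption: services commonly found on home networks (FTP, SSH, Telnet,
# web, Windows file sharing, remote desktop). Adjust to your own setup.
COMMON_PORTS = [21, 22, 23, 80, 135, 139, 443, 445, 3389, 8080]


def port_is_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            # connect_ex returns 0 on success and an errno value otherwise
            return s.connect_ex((host, port)) == 0
        except OSError:
            # e.g. address could not be resolved; treat as not reachable
            return False


def audit_ports(host, ports, allowed=()):
    """Sort ports into closed, open-as-intended, and open-but-unintended."""
    report = {"expected_open": [], "unexpected_open": [], "closed": []}
    for port in ports:
        if not port_is_open(host, port):
            report["closed"].append(port)
        elif port in allowed:
            report["expected_open"].append(port)
        else:
            report["unexpected_open"].append(port)
    return report


if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder; substitute the external
    # address of your own gateway. Here only HTTPS is meant to be reachable.
    result = audit_ports("192.0.2.1", COMMON_PORTS, allowed={443})
    for port in result["unexpected_open"]:
        print(f"port {port} is open but not on your allow list: close it")
    print(f"{len(result['closed'])} of {len(COMMON_PORTS)} checked ports are closed")
```

A firewall that silently discards traffic makes each closed port take the full timeout to report, so a slow run is expected on a well-configured gateway.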
Most, if not all, hardware firewalls intended for home use are combined with a router and a DHCP server that can allocate IP addresses to any clients connecting to your internal network. If you rarely have visitors who need to connect to your network, then you have a couple of options. You can either assign static IP addresses to each of your machines, then disable the DHCP server; or you can configure the DHCP server to allocate IP addresses only to specific MAC addresses. This is especially important if you have a wireless router or gateway because, in this case, physical access is not necessary to connect to your network.
Example: Configuring SMC Barricade Firewall
After you install a firewall, most models offer basic settings that you can implement for your own protection. For example, for the SMC Networks' Barricade firewall, after you log in, you should access the Advanced Setup page. A Status window displays, allowing you to check connection status, firewall status, and hardware information. You can easily find your external IP address, which should be static, under Connection Status. Your external-facing IP address should be static and not use DHCP, as this will prevent an external modem or other router from accessing your network. Under the Barricade Settings for the firewall, you can view your internal-facing IP address, and you can also see if DHCP is enabled. You also can view your DHCP client logs if you are using the firewall within a home network and you have DHCP turned on internally. For Barricade, you can view your network activity and security logs as well.
You also have the option to enable or disable remote access to your firewall. Under System, you can access Remote Management, and then click the Disable option. Under the Firewall settings, you can set parental controls and make sure the Pre-Defined Blocking Options, which designate specific external ports, are blocked. You also can set custom blocking options. Under MAC Filter, you can prevent specific MAC addresses from attempting to access your network by selecting Enable, and entering the MAC information in the Filter Table. Under Advanced Firewall settings, you can set Barricade to discard pings from a WAN and set up advanced firewall protection. Most home networks do not have a virtual private network (VPN) set up, so you should disable the VPN options.
You also can set up Barricade to alert you via e-mail in the event of a hacker attack.
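The DHCP client log and the list of known MAC addresses discussed above can be cross-checked to spot devices you did not expect on your network. This is an added example, not part of the original article and not Barricade's own log format; the sample log lines, the MAC addresses, and the function names are constructed for illustration.

```python
import re

# Six hex pairs separated by ':' or '-', as routers commonly print MAC addresses
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample of a DHCP client log copied from a router's status page
SAMPLE_LOG = [
    "01/05 10:02:11 DHCP lease 192.168.2.100 to 00:11:22:33:44:55 (desktop)",
    "01/05 10:05:40 DHCP lease 192.168.2.101 to 00-11-22-AA-BB-CC (laptop)",
    "01/05 23:41:07 DHCP lease 192.168.2.102 to 66:77:88:99:AA:BB (unknown)",
    "01/05 23:59:59 firewall: remote management disabled",
]

# Constructed list of the machines you own
KNOWN_MACS = ["00:11:22:33:44:55", "00:11:22:aa:bb:cc"]


def normalize_mac(mac):
    """Use one spelling (lower case, colon separated) so comparisons match."""
    return mac.replace("-", ":").lower()


def unknown_clients(log_lines, known_macs):
    """Return {mac: [ip, ...]} for every leased MAC that is not in known_macs."""
    known = {normalize_mac(m) for m in known_macs}
    found = {}
    for line in log_lines:
        mac_match = MAC_RE.search(line)
        if not mac_match:
            continue  # not a lease entry
        mac = normalize_mac(mac_match.group(1))
        if mac in known:
            continue
        ip_match = IP_RE.search(line)
        found.setdefault(mac, set()).add(ip_match.group(1) if ip_match else "?")
    return {mac: sorted(ips) for mac, ips in found.items()}


if __name__ == "__main__":
    for mac, ips in unknown_clients(SAMPLE_LOG, KNOWN_MACS).items():
        print(f"unrecognized device {mac} was given {', '.join(ips)}")
```

A MAC allow list identifies unfamiliar devices but is not authentication, because a client can change the MAC address it presents; keep wireless encryption and the firewall settings above in place as well.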