ost people would never leave home with their doors and windows unlocked?leaving an invitation for someone to steal their valuable possessions. Neither should they leave the entrances to their personal home network open and unsecured for their private, personal data to be taken.
A common statement in network security is that the only secure computer is one that is turned off, unplugged, not connected to any other device, locked in a vault, and buried underground in a secret location. Understanding a few tricks of the security trade to protect your home network means you do not have to go to such extremes. In this article, I’ll walk you through these basic tricks; even if you think your home network is well protected, there’s always something more you can do to tighten security.
| Author’s Note: For the purposes of this article, I will use the generic term ‘home network,’ though the ideas presented can just as easily apply to a single computer connected to the Internet, or two or more computers sharing an Internet connection. |
Determining the Openness of Your Network
You cannot know how to secure your home network if you do not know where it is most vulnerable. If you were securing your home, you would identify all doors, windows, and other access points. You need to do the same for your network: Where can a hacker get in? What ports have you left open?
Conduct an External Port Scan
You want to begin with an external port scan. You can conduct one from your own internal computer by using free services provided by various Web sites. To make this task easier for you, these services, when launched, scan your ports from a server outside of your own internal network, even though you are invoking it from your own computer. In a matter of minutes, you get a report of what ports are open. DSLReports.com is one such provider, whose applet, called Port-scan, determines from an external view the ports that you have open on your network. Later in this article, I’ll show you some of the most commonly-open ports and tell you the function of each port and the security vulnerabilities each presents.
If you have access to an external computer along with a good port scanner?such as nmap?you could simply perform your own scan against your own home network. This has the benefit of giving you more control over the ports scanned and what kind of scan to perform. However, to do this, you obviously need to determine your router or network connectivity device’s external IP address. You can attain this by looking through your router configuration or you can utilize a free service for this purpose.
After you have successfully determined which ports are open and vulnerable, you should determine what purpose each port serves, the security risk that each open port poses, and whether you really need them open in the first place.
There are two types of ports you should be concerned about, Transmission Control Protocol (TCP) ports and User Datagram Protocol (UDP) ports. TCP and UDP are both protocols that compose the Internet Protocol suite. Below is a list of some of the most commonly open TCP and UDP ports and their vulnerabilities. Note that unless you specifically need any of these ports open externally, you can generally close all ports and still have full Internet access. You only need open external ports if you intend to host certain services?such as a Web server. Bear in mind that many more ports exist that should be checked, but covering all of them is beyond the scope of this article.
TCP Port 139
NetBIOS Sessions
TCP Port 139 provides the service commonly used for starting NetBIOS sessions. It requires that you take measures to screen the port from outside access. The NetBIOS services allow file sharing over networks, and when configured improperly, they can expose critical system files and make your system vulnerable to full file system access. Malicious intruders connected to your network can gain access to your system files and can perform run, delete, copy, upload and download functions. Generally this port should be closed to the outside world.
UDP Port 137
NetBIOS Name Service
UDP Port 137 provides name registration and lookup for NetBIOS. Windows machines provide the nbtstat command, which is used to query other Windows NetBIOS name server ports. This port is not a security threat directly, but if it is open, it usually means that TCP Port 139 is open. We discussed the implications of TCP Port 139 being open in the previous section.
UDP Port 138
NetBIOS Datagram Service
UDP Port 138 provides NetBIOS datagram service and is used to broadcast information on browse lists. It also is used to broadcast elections from a Windows Master Browser to Windows workstations. If you block Port 138 on your LAN, your may have limited ability to browse other machines on the LAN. You can filter Port 138 and still access the Internet with no problems.
UDP Port 67
BOOTP Server
The Bootstrap Protocol server is used by Dynamic Host Configuration Protocol (DHCP) servers to communicate addressing information to remote DHCP clients. You will need this port open on the internal interface if you use DHCP on your home network, but you should disable it to ensure no DHCP server is running on the external interface. Why? Hackers can use another computer, namely yours, as a slave computer to make illegal activities seem as if they originated from your computer. Further, a hacker could waste your computer’s disk space, CPU power, and bandwidth by installing a peer-to-peer server for instance.
UDPT Port 68
BOOTP Client
UDP Port 68, the bootstrap protocol client, is used by client machines to obtain dynamic IP address information from the DHCP server. Tightly administering DHCP permissions can help keep DHCP ports from being used for malicious attacks. Obviously, UPD Port 68 should be disabled just as its partner Port 67 if DHCP is not being used in your network to dynamically assign IP addresses. This is especially important with wireless routers where someone outside of your house could gain an internal IP address, and hence, internal access to the machines and services you have running internally.
TCP 135
RPC Service for Windows NT-based machines
Remote Procedure Call (RPC) service for Windows NT machines is used in a client/server environment and is used to support distributed applications with components located on different machines. Because Windows NT relies heavily on RPC for COM, COM+, and .NET communications, you can’t simply disable it entirely.
Further, Microsoft Exchange clients such as Outlook and Outlook Express use Port 135 to connect to Exchange servers. If you access your home computer remotely using a Virtual Private Network (VPN), Port 135 must be open on the firewall to allow you to access the Exchange server. Note that this is the opposite of using your home computer to access something like your work computer via a VPN. For Outlook Web access, you obviously will use Port 80 instead of Port 135.
TCP Port 80
Basic Web Traffic
Port 80 is the default Web server port, and is used by Web servers such as the popular Apache Web server, Microsoft’s IIS, and Personal Web Server. However, if you do not run a Web server intended for external users, you should close Port 80; if you do not close it, you may have an open proxy running on your network, which makes it vulnerable to outside access.
TCP 5000
Universal Plug and Play
Known vulnerabilities exist in Universal Plug and Play (UPnP), and Port 5000 that it uses should be disabled unless absolutely necessary. UPnP, part of Microsoft Windows Millennium Edition (ME) and later, supports peer-to-peer plug and play functionality for network devices. The UPnP specification, which is a driverless, standards-based protocol, is designed to simplify the discovery of network devices and network service installation and management. UPnP devices can configure network addresses automatically, announce their presence on a subnet and enable the exchange of description devices and service descriptions. Beware, a Windows ME computer can act as a UPnP control point, allowing an intruder to access and exploit the devices through a Web or application interface when Port 5000 is exposed.
TCP Port 1025
Simple Service Directory
The Simple Service Discovery Protocol uses port 1025, and it is used to find UPnP devices on your home network. For security reasons, externally you should disable Port 1025 along with all other UPnP services.
| Author’s Note: Again, DSLReports provides details about numerous ports and their vulnerabilities. Further, CERT.org provides critical and timely information about the latest security attacks and how to counter them. While specific to Linux in some areas, this “Linux Security How-to” has some good general information about physically securing your network and other basic security information. |
Test that Safeguards Are Working
Several ways exist to make certain that the safeguards you implement in your network are functioning properly and your network is secured as you designed it. First, you should already have password prompts on restricted areas of your personal Web site. Test your access to these restricted areas to be sure the passwords you set up are working and the areas are indeed restricted.
A simple and common mistake is to have the shared option on client machines turned on. With a personal, home network the need to share network drives or directories on client machines is minimal. Make sure shared drives and devices, such as printers or drives on a home server, are hidden or password protected. And, naturally, if you don’t need a device to be shared on the network, remove it.
If home automation is your forte, perhaps you have home security cameras set up that can be viewed externally. You need to be sure the Web site you have set up through which to view your Web cams is secure and password protected. If not, anyone who knows?or browses to?the URL can view the inside of your home anytime your Web cams are running.
Wireless Accessibility
Your wireless network provides unprecedented convenience, but the security risks usually far exceed those of your wired network. To find where yours is vulnerable, turn yourself into a hacker and try to hack your own wireless network. Remove your wireless settings from your computer, then, using only the information that is broadcast from your wireless router, see how much of your network you can gain access to.
Additionally take your laptop outdoors and, using your wireless connection, try to get into your network from outside the perimeter of your house. Stand in your neighbor’s yard or your neighbor’s neighbor’s yard, for example, and determine the range of accessibility of your own network from outside your home. While you have access from the outside, check for open shared drives as well. This is especially important in a densely populated neighborhood such as an apartment complex.
|
I’ve talked about some of the ports that are most commonly open, leaving your network open to malicious attacks and some basic security tests you can conduct to see if your wired and wireless networks are secure from the outside world. Now let’s talk about some of the basic, overall measures you can take to ensure your network is off-limits to unwanted guests.
Installing and Setting up a Firewall
One of the most basic and obvious means of securing your home network is to install a firewall. Every vendor’s firewall installation and setup is unique, however I will go over some general configuration guidelines as well as an example installation and configuration of an SMC Barricade Firewall.
Firewalls can be broken into two basic types: external hardware firewalls and software firewalls installed on individual computers. In general, hardware firewalls are the best solution. Not only do they provide an additional layer between your home network and the outside world, but as dedicated devices they are often more robust.
Installing a firewall is relatively straightforward. In fact, Microsoft and Macintosh operating systems both come with firewalls already installed and default options selected. If you are using a Windows-based network, the default firewall is Microsoft Internet Connection Firewall. Under Network Connections, Properties, Advanced, click the checkbox for the option to protect your computer from access via the Internet and make sure the firewall is enabled. As with most Windows software, missing a single security update can open a computer up to security threats and serious consequences.
The Mac OS X configuration is secure by default for private or public network communications by closing all the communication ports using its built-in firewall. Similarly, all native services are turned off by default, but authorized users may enable these services?such as personal file sharing, Windows file sharing, personal web sharing, remote login, File Transfer Protocol (FTP) access, remote Apple events, and printer sharing. By default, Mac OS X uses Secure Shell (SSH) for remote access since its communications are encrypted.
Numerous distributions of Linux exist, and some perform firewall functions while others do not. The following sections provide examples of installing and configuring an SMC Barricade firewall as well as general firewall configuration considerations.
On the hardware side, installing a firewall is merely a matter of plugging the firewall into the server or other external-facing computer that you are using. In a small home network, that’s all there is to the physical setup. Now it needs to be configured.
Configuring a Firewall
With a hardware firewall, be sure to change the default device name (if possible), the administrator user name and password, and ensure that remote administration is disabled. This way you are making it almost impossible for anyone outside to change your firewall settings.
If you are using only a software firewall, be sure to install one on every machine and device that is connected to your network. Alternatively, if you already have a server on your network you could set it up as a gateway machine through which all machines connect to the Internet. You should then install and configure the firewall on it.
Some general firewall settings are available in most firewalls?both hardware and software?and can help you keep your home network secure. For example, you can set up your firewall to discard external pings on your system. If your system gets pinged routinely, your attacker likely will give up when the pings are discarded. Even if a hacker uses an automated system to ping computers, the IP address (your computer) associated with a discarded ping will appear as if nothing is connected at that address?making your gateway invisible to such unsolicited requests.
Configuring your firewall should also include an external port scan of your gateway, which will give you a list of externally open ports on your gateway. While port scans have already been discussed in detail in this article, remember to port scan your gateway and to close all external ports unless you specifically need them open. Remember that doing so should not, in general, affect your ability to access the Internet.
|
Example: Configuring SMB Barricade Firewall
After installing a firewall, basic settings exist for most firewalls that you can implement for your own protection. For example, for the SMC Networks’ Barricade firewall, after you log in, you should access the Advanced Setup page. A Status window displays, allowing you to check connection status, firewall status, and hardware information. You can easily find your external IP address, which should be static, under Connection Status. Your external-facing IP address should be static and not use DHCP, as this will prevent an external modem or other router from accessing your network. Under the Barricade Settings for the firewall, you can view your internal-facing IP address, and you can also see if DHCP is enabled. You also can view your DHCP client logs if you are using the firewall within a home network and you have DHCP turned on internally. For Barricade, you can view your network activity and security logs as well.
You also have the option to enable or disable remote access to your firewall. Under System, you can access Remote Management, and then click the Disable option. Under the Firewall settings, you can set parental controls and make sure the Pre-Defined Blocking Options, which designate specific external ports, are blocked. You also can set custom blocking options. Under MAC Filter, you can prevent specific MAC addresses from attempting to access your network by selecting Enable, and entering the MAC information in the Filter Table. Under Advanced Firewall settings, you can set Barricade to discard pings from a WAN and set up advanced firewall protection. Most home networks do not have a virtual private network (VPN) set up, so you should disable the VPN options.
You also can set up Barricade to alert you via e-mail in the event of a hacker attack.
Securing Your Personal Web Server
If you host a Web site from within your home network, you also should secure your personal Web server. First, you should make sure your Web server?Apache, IIS, or whatever you use?has the latest security patches applied. This is particularly important for IIS, as service patches are routinely distributed.
Next, you should disable unused features and functionality within your Web server, such as the use of CGI scripts or server-side scripting. For example, IIS leaves many host access configurations automatically enabled, so you need to be cautious to disable all features you are not using. For the Apache Web server, the httpd.conf file often includes plenty of comments detailing security risks you should be aware of. For more information, see the Security Tips page on the Apache Web site.
Just as with securing network drives and other restricted areas of your network, make sure you password protect restricted pages and directories on your Web server.
Also, you should check for common exploits. Defending your home network against security threats requires constant research and offensive strategies. A primary threat lies in denial of service (DoS) attacks, which overwhelm a server or a network by flooding it with useless network traffic, entirely blocking genuine service requests. Cross-site scripting attacks followed suit, where hackers use dynamically-generated Web pages to launch scripts to change user settings, hijack accounts, and access restricted areas of the site.
The first step in defending against these attacks is to ensure your firewall is installed and configured properly. If you plan to host a Web site on your internal server, you should take this seriously and subscribe to security newsletters to be notified of new exploits, such as those from CERT.
Securing Your Wireless Network
The least you can do to secure your wireless network is to access your wireless settings and hide the SSID. This makes your wireless network invisible to casual browsers, although still open and vulnerable. This is considered an extremely weak form of wireless network security, because the network still is available to hackers with the right tools. You should use a secondary plan in addition to hiding your SSID, such as encryption and authentication.
You should ensure maximum encryption is enabled. There is a common misconception among wireless users, however, that this makes the wireless link secure. But, beware, that even this is not hacker-proof.
Other Considerations
If you use any of the newer networking or Inter-networking technologies such as HomePlug , HomePNA, MOCA , or others, then be aware that they too have security considerations. For example, it is possible that HomePlug signals used within your house could “leak” out through your main electrical cables to your neighbors. Therefore, consider encrypting your network.
Never Truly Secure
As a developer, you should be familiar with some of these configuration settings that help make your home network secure, be it wired or wireless. It’s crucial to remember that some hardware, such as Web servers, automatically have services enabled that can make your network vulnerable. It’s also imperative to become familiar with the common ports, and to disable those that you do not need and that make your home network susceptible to intrusion. Finally, make sure you have a firewall installed and that all passwords and restricted areas are functioning as they should.
Do not fall into the common trap?thinking that you do not store information on your computers that a hacker would be interested in. Or, why would anyone want to access your machines? It doesn’t matter what information you have on your network; your computer could easily be used as a slave machine to disguise attacks, and that may be a hacker’s only goal. No matter how many or how few computers and devices you have attached to your home network, and no matter what technologies you use to connect them, just remember that no connected computer is truly secure. The responsibility lies with you to make certain your home network it as secure as possible.
