TechDigital HomeDocumenting A Secured Home Network

Documenting A Secured Home Network

-

- Advertisement -

Guest writer Bob Emptage documents his secured home network and gives you some advice on what you should do any why.

Documenting a secured* home network

Why?

Why document it? Because I need things to be that way! Partly because of a slightly anal nature and partly because I know my memory isn’t as good as it once was.

Why secure the network? Because I value my data, privacy, and me reputation (read “identity”).

* A note on “secured”: This is a multi-meaning and, almost always, relative term. One meaning of secured means “protected from loss”. If you want your data truly secure, make multiple copies on top quality media and store it in multiple high security vaults. Then plan on refreshing it occasionally to make sure the media is still OK! J In my case, I’m satisfied to have a few copies in places I know about and can recover from with relative ease.

Secured also means “kept from the wrong people”. In other words, keeping the bad guys from getting their grubby little paws on it. Once again, you could keep your data secure by never allowing it to be on a device that’s connected to the outside world. However, that’s rarely practical. Who wants to keep a separate computer available for accessing their photographs, music, or whatever? And what happens when you want to access it yourself, when you’re away from home?

So, my secured network is a compromise but, only a little one…

Backup

Securing data by backups has been covered so many times that I’m ignoring that here. Suffice to say that all my devices are backed up individually (smart phones to PCs, PCs to servers, servers to one another and offsite. It’s not that I can’t lose data but I’ve gone as far as my budget allows, down the path of “perpetual data storage”.

Protecting the network and devices

So, to the matter in question: how to keep your networked devices safe from miscreants and reprobates? While I’m about it, also keeping them safe from ignorance and incompetence! A layered approach is easiest to implement and hardest to defeat. However, never forget that no machine is secure if physical security is breached. A few minutes with a screwdriver and your hard drive is gone, giving someone as much time as they need to scour it for whatever they can find. So, top of the list is never leave a computer where it can be taken. Obvious isn’t it? Except that governments, big business, police and armed forces fail at this every day!

So what other layers of security could we, and should we, use? Here’s my approach…

Anti-Malware

Every machine (that can!) is running anti-“malware” software. No longer just anti-virus (and what constitutes a “virus” anyway?), this now includes monitoring for spyware (key-loggers, data harvesters, etc.) and Trojans (don’t become part of a botnet!). Some machines have real-time monitoring in place (any computer that is used to access the internet), others are scanned regularly (servers and others that are only used for local applications). I also run a variety of software solutions for this. Duplicating work done by others (thanks to Fred Langa for being the first I came across) I’ve used Microsoft’s Security Essentials for a while now on several Windows 7 PCs, alongside the built-in Windows Firewall. To date, I’ve found no evidence of infection on any of them. However, to be safe,

I also scan them with other (free and paid for) tools occasionally too. I run Sunbelt’s Vipre (premium) for work machines, and take advantage of that to scan network drives regularly too.

Software updates (Patching)

It helps that I’m fastidious about keeping my machines patched. That way there are fewer avenues for attack available. All my “home” machines run Secunia’s PSI which alerts if any software is “Insecure” or “End-of-Life”. This doesn’t cover all software, of course, but I’ve found it to be very good at keeping an eye on the main culprits. All those applications that we normally take for granted like Flash player, QuickTime and Java. Also the tools that I run all the time because they make life easier: a password tracker, Notepad replacement, and all those plug-ins for browsers. When I’m alerted to one being a potential threat, I can make an informed decision on whether/when to upgrade, patch, or uninstall something that really is just too dangerous.

Email

Do you have your own domain registered? For a variety of reason I have several but I keep one purely for email purposes. It costs a few dollars a year to do this and that domain is hosted alongside the others. It allows me full control over the email addresses I use and give out. When I first deal with any new person (or company, government department, or whatever) they get a unique email address.

That way, when their security breaks down (or they sell my details L), I know exactly who to talk to about offers of “personal enhancement” or unbelievably good home-working opportunities! More

importantly, I simply delete it and the problem goes away. I do the same for other members of the household. It’s surprisingly cheap and easy to do but resolves almost all my spam issues.

On the subject of Spam, the remainder of mine is dealt with by MailWasher. There are other similar tools out there but this works really well in my situation. It allows me to monitor a “catch-all” mailbox for all my domains. In the last two years, I’ve only had a handful of unwanted emails actually get as far as my inbox!

DNS

Whenever you access the internet, you use a DNS service. Whether using a browser, an auto-update feature in an application, or whatever else, something needs to tell the computer what to connect to via the internet. This is another of those services that “just happens” in the background. Most internet users take it for granted, or don’t know it exists. Fundamentally, this is the bit that turns http://www.pick-a-domain-name.com into something that computers are more comfortable with – and IP address. This is called the Domain Name System. Unfortunately, this is also open to abuse: directing you to the wrong IP address means you’re downloading content from the wrong place and who knows what’s coming with it!

Your ISP normally configures you to use their own DNS server(s) by default but there’s no reason to stick with theirs. In fact there are a number of alternatives which can bring many benefits. My favorite is OpenDNS (www.opendns.com). They have a free service, as well as paid-for options which are more suited to larger organizations. Using this brings (according to their own website):

· Fast and reliable DNS resolution

· Web content filtering

· Security: Phishing, botnet and malware protection

· Smart navigation features like typo correction

· Detailed reporting and statistics about Internet activity

I can personally vouch for most of these but, even if it were all it gave me, I would use the service for the filtering and botnet protection.

Firewall(s)

Everyone runs a personal firewall on their computer now. You do, don’t you? This serves two purposes:

· it stops connections to you computer from unwanted sources

· it stops your computer making unwanted connections

The first is (fairly) obvious. You don’t want someone else connecting to your computer and looking at your files, or deleting things, without your permission.

The second might not seem relevant. After all, you know what you tell your computer to do, right? But think about it for a moment. What about all those applications that check for updates when you start them, or when they think they need to? Others can report back on “how you’re using the software” or, worse, keeping track of what you do. Information like that can be used by lowlifes to pretend to be you (identity theft). A worse situation again is when a malicious application scans your PC for interesting information (your contact list, or banks details, for example) and reports it back to the author of the nefarious software.

A second layer

A good firewall works in both directions and allows you control over what is, and isn’t, allowed through. The standard Windows firewall has improved with successive iterations but still lacks some of the fine control and logging/reporting that is really useful. As a consequence, I prefer to run a two-layer firewall approach. This brings other advantages too…

There are a number of ways to achieve this. Most broadband modem/routers include a fairly simple firewall. However, most of these also lack the logging and configuration options I wanted. I want to say which computers can connect to the internet, and at what times of the day. I want full control of which ports (application services) can connect from which computers and where on the internet. I want a fully configurable DHCP server to track and configure all the devices on my network. OK so I’m anal and a control freak. But not without reason!

In short, I wanted a firewall gateway server. One that gives me a good second firewall layer but also adds control and reporting to my network. A few years back I tried a number of alternatives and finally decided on SmoothWall Express (http://www.smoothwall.org/). Installation is quick and (fairly) simple, and it’s easy to find plenty of helpful write-ups on the web. There are alternatives (IPCop is another popular one) but this works well for me.

SmoothWall Express runs on a very old (or very low power) PC – mine is an old 386 based box with 512MB of ram and a 10GB disk drive, a CD drive to install from and a floppy drive to make backups of the configuration. It wouldn’t even run Windows XP properly but is more than adequate for this. For a basic firewall, you need two network interfaces but you can install more. I have a third installed, which is dedicated to wireless devices. I allow less in and out of this network than the hardwired LAN, as it is inherently less secure. Which leads, like a radio DJ’s link spiel, to…

Wireless security

If you run a wireless network, don’t let that be the crack in your network armor. Make sure you enable the best encryption features that your network devices will support. If you have older equipment, this is often a case of configuring for the lowest common denominator but something (anything) is better than nothing.

Beware of routers that have both wired and wireless options as the wireless is probably running by default, even if you’re only using a single wired PC!

Leaving a wireless network unencrypted is like putting a network port on the back of your house. In a dark corner where you can’t watch it. With a sign on saying “please steal my data here”. OK, you get the picture.

42?

Is this the answer to life, the universe, and everything? No but it might make your life more peaceful. And definitely more secure!

Some of the measures I’ve taken may seem extreme to some people, and insufficient to others. Other things I’ve done may seem wildly over the top to everyone. My purpose in writing all this down is not to tell anyone what to do. That’s for your parents and interfering governments to do! It is simply to start a thought process which begins with “Why”, passes through “What”, and ends with “How?” If anything I’ve written also helps with the last part, that great. If not, I hope it’s at least got you on the right path.

My network

For what it’s worth, here’s a component diagram of my network. It would be near impossible to show all the configurations involved on a single picture so I’ve not tried. Most of the important information is above. For my own purposes, I keep a simple document of configurations too. This is printed and kept (locked J) away should I ever need it. It’s also on my personal home PC. This is backed up to my HomeServer. That is duplicated on another, and also written to an off-site backup service too.

Nice and secure!

clip_image002

Andrew Edneyhttps://moviesgamesandtechcom.wpcomstaging.com
I am the owner and editor of this site. I have been interested in gadgets and tech since I was a little kid. I have also written a number of books on various tech subjects. I also blog for The Huffington Post and for FHM. And I am honoured to be a Microsoft MVP since January 2008 - again this year as an Xbox MVP.

3 COMMENTS

Comments are closed.

Stay connected

7,137FansLike
9,250FollowersFollow
27,500SubscribersSubscribe

LATEST REVIEWS

Review: Encased: A Sci-Fi Post-Apocalyptic RPG

https://www.youtube.com/watch?v=Ou6MElt_sig After about 2 years of Early Access on Steam, Encased finally released its 1.0 version into the wild back in September of 2021. This...

Review: Klang 2

You might also likeRELATED
Recommended to you