Networking Security ... How to do it

[PCBruiser]

There has been a significant increase over the last few months in port scanning and other network invading issues. I started a "sticky" thread on another forum with a great deal of info on how to protect yourself from this increasing threat on the internet. Given the rapid increase in attempts to invade my own LAN over the last few days I have copied over the first 3 of 6 of my most important postings on this subject. So here goes with the posts:

Number 1:

Network Security Warning ..... How to Protect Yourself On The Internet
I just wanted to warn members that there has been a significant increase in the number of port scans worldwide over the last week or so. And, these port scans are becomming increasingly sophisticated. I am now personally seeing about 25+ attempts per day to compromise my home LAN. So, beware, tighten up your LAN security, buy a good router/firewall (if you don't already have one) with Stateful Packet Inspection, and surf safely. It is getting even more dangerous out there.

Decent router/firewalls with SPI are NOT a big investment. You can find several major brands at places like NewEgg for only about $45. Remember, if you use a broadband connection, you have a LAN whether you think so or not.

One final note. If you are not familar with the consequences of a successful port scan, here they are in a nutshell: If a scanner can get to your system, they can mount your hard drives just as if they were connected to their system. They can read EVERYTHING on your hard drive - every file, all your data, whatever, and when they are finished, they can reformat your hard drives, or otherwise completely hose your system. If you think viruses and trojans are bad, successful scanners are your worst nightmare.


Number 2:

In addition there are a number of sites which test your security, GRC is one. Click on the ShieldsUp link in the middle of the page here:

http://www.grc.com/default.htm

In a prior thread, I posted some general rules to follow when setting up a firewall/router, worth repeating here:

1. Block everything you can at the hardware level before it reaches your system, i.e., at the router.

2. Close everything, all ports, all protocols as default. Open only those ports/protocols that you actually need to have open.

3. Prohibit all inbound connections entirely unless you are running a secure VPN.

4. To protect open ports/protocols, always get a hardware router/firewall that has Stateful Packet Inspection.

5. If your router provides MAC address selection, exclude all MAC addresses except those MAC address actually on your LAN.

6. Do exactly the same with software firewalls, but add to that outbound program control.

7. Limit the NAT address range at the router to only enough internal IP addresses to accomidate the systems on your LAN.

8. If your firwall has a "stealth" setting, use it.


Number 3:

For those unfamilar with SPI, here is a brief, simplistic description.

In order to use the internet, you do have to open some ports and protocols on your firewall router to outbound packets. And, in return, you need to be able to receive return packets back from the internet in order to, say, get your email. That means that there is an open vunerability to attack via those open ports and protocols that can be exploited IF a hacker is sophisticated enough to be able to break through your NAT protections, and there are ones that certainly can do exactly that.

What SPI does is create a "one way door" so to speak. It "remembers" requests that have been made, again say for your email, and will permit entry only for those packets which are being received in response to that request. So, unrequested packets, spoofing say, a response to a request for your email will not be permitted entry, because there was no corresponding outbound request. Thus, it protects necessary open ports and protocols from inbound attacks.

As to the question of WHICH router/firewall, I personally use a commercial grade SonicWALL SOHO, which I have had for a number of years. It isn't inexpensive, that's for sure, but it is a very solid well made absolutely dependable unit. And, at the time I purchased it, just about the only one available within reach of a home/small office user. Today, there are others available

Yesterday, I found a Netgear one at NewEgg for another member looking for exactly this kind of thing. Now, I am NOT playing favorites here, nor have I personally tried the Netgear, but its SPECS are what I would be looking for if I were buying now. Although personally, I would buy another SonicWALL despite its' considerable price. Here is a link for the Netgear at NewEgg:

http://www.newegg.com/app/ViewProduc...122-120&depa=0

Whichever brand is your favorite, fine, go for it. Just look for one with similar specs.

Edit: Please, don't turn this thread into an discussion about brands, there are pleanty of other threads discussing that issue. Get any brand you like, but just get something to protect yourself.

I'll tell you from personal experience. I do ALL my personal accounting on my computer. Years ago, before I knew anything, and still accessing the Internet via dial up, with NO protection at all - I had no idea that was even needed, I had all my personal info stolen by a cracker from Russia. Before I knew it, my accounts were raided, my credit cards compromised, and AMEX taken for over $50K. While I was completely protected by my bank and credit card companies, and lost no money, it took me over a year to get everything straightened out. I learned FAST how to protect myself, and haven't had any problems since, even though there are hundreds of attempts a week to gain access to my LAN.

[PCBruiser]

And finally the last 3 of the 6 postings:

Number 4:

Some More Ways To Secure Your LAN
OK, I am very pleased that members are taking this seriously. So I thought that it would be good to add some additional ways to protect yourself and your network. Now, for obvious reasons, I learned a hard lesson, and have locked myself down even further than what I indicated in earlier posts. Since, of course I'm downright paranoid on this subject.

Here''s the next step. OK. WOW. I bought one of those routers I'M PROTECTED!!!!!!!!!!! Right, you are, but there is still more that you can do to protect yourself even better.

There are 2 critical Clients that you must have in order to run an internal LAN. Client for MS Windows, and File and Printer Sharing. These two clients are ABSOLUTELY UNNECESSARY if you only have 1 machine connecting to the Internet via your router and DSL/Cable Modem. You can simply delete them from your network if you only have 1 machine. And those Clients are inherently dangerous!

But, more than 1 machine on your LAN, those clients are essential. But, if they are so dangerous, isn't there some way to secure them too? Answer, for a SMALL LAN YES. For a larger one, not without giving up some network efficiencies. To understand how to do this, you need to understand a couple of more things about networking. This is a very complex subject, so what follows will be simplistic again, sacrificing technical accuracy for understandability.

There is a Difference Between A Client and a Protocol: You have Clients to do something on YOUR machine. Client for MS Networks manages the LAN interface on YOUR machine. But, natively, these clients do not communicate themselves over the LAN/Internet. To communicate they need a network protocol, like TCP/IP, for example. Now, TCP/IP works very well - that's the protocol used by the entire Internet, of course. IT IS NOT THE ONLY NETWORK PROTOCOL THAT YOU CAN USE ON YOUR LAN. You do NOT need to use TCP/IP to service your LAN clients. But, having said that, Windows assumes that since you will use TCP/IP to communicate on the Internet, you might as well use this modern, efficient protocol to manage clients on your LAN. BAD ASSUMPTION! Correct for large LANs because TCP/IP is efficient, and running more than 1 protocol does add inefficiencies.

So, here's what I do on my SMALL LAN. I do not use TCP/IP for my LAN at all. I use IPX/SPX, a different, and somewhat less efficient protocol. But, since IPX/SPX is incompatible with the Internet, nothing that passes in my LAN other than TCP/IP packets intended to pass through my router to the Internet can even be seen or routed over the Internet. In fact, the WAN side of my router cannot even recognize an IPX/SPX packet, and discards any that get that far (none do anyway) as junk packets because they are formatted totally differently from TCP/IP packets, AND CONTAIN NO IP ADDRESS INFORMATION.

Furthermore, and here I am really simplifying, because IPX/SPX does not use IP address info to identify my machines, I can disable broadcasting my netBIOS names completely. What is a netBIOS name, you ask? It is a second way to identify your individual machines needed to link TCP/IP to Client for MS Networks. But, if you are using IPX/SPX it is unnecessary, and you can disable netBIOs in your network properties completely, and stop it from broadcasting your "name" over your LAN. Well, who cares if it does? Well, without a router to block netBIOS packets from exiting and entering your LAN, YOU ARE BROADCASTING YOUR MACHINE'S NAME ALL OVER THE INTERNET SAYING HERE I AM, COME GET ME! This, BTW, is one way a cracker can bypass NAT and find your machine behind a router lacking SPI even though the IP address is strictly an internal one.

So, by using IPX/SPX, although somewhat less efficient, over my LAN, I can disable netBIOS, and I also block both inbound and outbound netBIOS packets in ZoneAlarm as well. And, in my router also.

Why use IPX/SPX and unbind TCP/IP from the two clients? By unbinding TCP/IP from the two clients a cracker cannot use TCP/IP to connect to your machine or see your hard drives even if they somehow are able to bypass all of your other firewall/NAT/router protections. And they cannot get to your LAN over the internet by using IPX/SPX. So, by doing this, you have made it even harder to crack your system, if not virtually impossible, even for a really professional cracker.

Now, here's how you do it. To use IPX/SPX internally, you need to "Add" the protocol in the Network Properties Control Panel for all machines on your network. Then you have to unbind TCP/IP from these clients also. Right click on Network/Properties. Advanced Menu/Advanced Settings. There you will see a bindings tab, with both clients listed and bindings checked for both TCP/IP and IPX/SPX. Simply uncheck (i.e.,unbind) TCP/IP from these clients, and you have SUBSTANTIALLY INCREASED YOUR SECURITY, for a minimal price of using a somewhat less efficient LAN protocol. That's a reasonable price to pay IMHO.



Number 5:

I always recommend having a software firewall as well, although I do not use the Norton one myself anymore. That issue is a personal preference one though.

Here's why I recommend them. By their very nature, a hardware firewall like we have, should be really good with blocking things that are arriving from outside, and at blocking outgoing ports and protocols. But, also by its' very nature, a hardware firewall cannot tell what program has created individual outgoing packets. It can only see what ports and protocols the outgoing packet uses. If the outgoing packet is using a permitted outgoing port, 80 say for html, it will allow that packet to leave your LAN. If the packet was created by malware that somehow got on your machine, a trojan say, it will get out. But, a software firewall integrated into your system CAN tell which program is attempting to send that packet. And good ones with program access controls, will stop that from happening. Good reason for continuing to use a good software firewall. Also, given my "belt and suspenders" philosophy on protecting myself, the added comfort it gives me is good too.


Number 6:

And now ... for the truly paranoid!
Well, here is my next installment on locking down your system. This one is for the truly paranoid, those not content with "only" the networking lock down procedures I have posted earlier in this thread. Encryption.

Encryption encodes files/folders/drives with one of several mathematical algorythms to make them impossible to read or decypher without access to the same encryption technology and encryption keys. There are two major ways to encrypt files, one-time encryptions and real-time. One time requires that the files be unencrypted before use because software cannot understand an encrypted file. Real-time permits files to be encrypted and unencrypted on an as needed basis by a resident service which intercepts the request for a file and unencrypts it "on the fly". The major advantage of real-time encryption is that the hard drive image of the file is never resident on the hard drive in an unencrypted form. Thus, if a scanner is able to bypass all of your network precautions, all they can actually see is the encrypted file. And, it is more convenient.

Files can be encrypted at 5 levels:

- as individual files,
- as folders of files,
- as a virtual hard drive or "container",
- as an entire hard drive, or
- hidden inside of another file, an innocent looking mp3, wav or video file for example, using a technique called steganography.

There are freeware encryption packages like PGP ("Pretty Good Protection"), and shareware/commercial ones offering more more encryption algorythms, higher levels of encryption and real-time alternatives. While Windows XP does offer encryption at the OS level, just as it offers file compression, the algorythms used are, while better than nothing, relatively "weak" mathematically in terms of their encryption techniques, as compared to other free-standing packages.



Here is the link to the complete thread:

http://www.abxzone.com/forums/showth...1&page=1&pp=15

[Paragon]

Thanks PCB for some incredibly nice information and now you have a sticky thread on this forum

[marksmith]

With respect to the details, you can google and do your own research. But generally, most of us want to keep out networks secure so no one else can use our bandwidth or otherwise get into our networks.

[jounkarry]

Thank you PCB for your nice post .Most people go to google and become confused what is the best ? it will help them