Posted: 8/15/2007 12:56:36 PM EDT
OK, guys...there are some seriously smart dudes here, so I know this will be a good thread. You actual experts in the field, what would YOU use for really hardening two computers running XP on a home network? I want to be as close to impenetrable from outside attacks as I can get. I also want to be able to track an attacker back, and counterattack if I want to. What's a good tool for that? Hardware firewalls, software firewalls, secure wireless router, what? Hardwire everything?
You know what, nothing, really...but I don't need Medeco locks on my doors, either, I guess...but I have 'em. I think this stuff is very interesting, and if I can keep a malicious teenager, Chinaman, or errant .gov type from easily walking in and looking at my shit, why not?
There are a lot of good opinions out there, I am sure someone will be along shortly to offer more detail but:

1. Hardware/software firewalls - Yes.
2. Avoid wireless.
3. Trackback of attackers - don't bother.
4. Counterattack - don't, just don't; doing this carelessly will cause unpleasant people to come to your house for a visit.
Can you elaborate on point 4 a little bit?
Then if you must lock it down as much as possible, then I'd go with a hardware firewall, and lock everything down, only allow the two IPs to access resources, only open a few ports for required things, and then lock down every resource on your machines only allowing the two accounts on each computer to access them... ... but have fun entering usernames and passwords all day to access stuff. -d
Do you have a recommendation for a good hardware firewall?
Well, at the very least any hostile traffic will typically violate your ISP's acceptable use policy. Most ISPs also reserve the right to monitor and log every packet that traverses their network. The legality of scanning is still a grey area, and if you are determined to "access" a computer without authorization you have now violated the Computer Fraud and Abuse Act of 1986. There are several different levels of punishment in the statute but the max is 20 years. It is also trivial for one to attack you from an address not owned by them, so if you were careless, you could end up counterattacking a third party who might have valuable data and unpleasant people in dark blue sedans. Even if you have the right person, there is no provision in the Computer Fraud and Abuse Act for "but he did it first", which opens you up to criminal and civil liability. So, focus on a good defense, and forget counterattacking.
I don't want to wrap my house in tinfoil, but I do believe in security. Here's another question: I have a Toughbook 73 that doesn't seem to be capable of WPA. Do I need to get a new 802.11 card for this thing, or am I not doing something right? I can't get it to talk to my router unless it's in WEP mode. Thanks!
Thanks again, guys! Panasonic didn't have new drivers, but Intel did, and I'm ticking away on WPA2 now! With regard to the physical security, I can just put my computer in the safe before I leave. I go in there anyway to lock up whatever I have out while I'm home.
Dang you guys are paranoid! Why not just hardwire a file server in a steel encased room, with an ax suspended in the air over the power and network cables... throw a baseball at the target on the wall, the ax falls, cuts power and network access... and voila! No one can get to it! -d
I've had good experiences with SonicWalls and Cisco stuff. I know one of our offices uses a Checkpoint firewall and they have been happy with it. -d
You can lock a system down pretty good by just using what comes with XP and Vista... Just start unchecking exceptions on the firewall... crank IE7 Security and Privacy to the max... enable popup blocker... clear all the history and cookies... Disable your network connections when you aren't using them... check out the security solutions on Microsoft Technet... and on... and on... and on...
If the OP wants to do it like the NSA you can get the guides here: NSA Security Guides. They have baseline security configs for most operating systems and devices. On our .gov systems we also use the Security Technical Implementation Guides (STIGs) from DISA IA as a guide along with a Master Gold Disk to check compliance. Here are some security checklists. If you don't want to use these for home use (I wouldn't because it's overkill) then due diligence and the advice of the previous posts should be enough.
Unplug it. Not an option? No problem. Just always remember, nothing is secure. Firewalls are good to keep mass amounts of obviously bad traffic out, but anyone with a few minutes of time can circumvent one, as can anyone that knows enough about the target system to send a crafted packet with a malicious payload.

Make sure all software is updated - and KEEP it updated (including the OS). Change passwords frequently. Ensure you never keep passwords saved on a computer. They should be of sufficient length and complexity to hinder dictionary and brute force attacks.

I wrote a paper on scanning, enumeration, and exploitation if you are interested. I also have several crafted documents I wrote up about hardening servers, but they really don't apply to your everyday PC. Your best bet is to keep yourself updated on the latest and greatest vulnerabilities, security updates, and 0day code.

You could always set up a cheap, barebones system with a couple NIC cards passively sniffing traffic right after the gateway. This will allow you to see ALL traffic incoming and outgoing. This can take up a lot of disk space. This still does not mean you are secure. Anyone that wants something bad enough will find a way. My solution - don't keep anything you wouldn't want the whole world seeing stored on any computer connected to any network. You could always set up a honeynet/honeypot.
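The "sufficient length and complexity to hinder dictionary and brute force attacks" point above, as an added example that is not from the thread or any poster: a small password policy check that undoes the trivial mangling cracking tools apply to word lists (case, leet-speak, trailing digits) before looking the word up, and estimates the exhaustive-search work factor. The word list and substitution table are constructed here for illustration; a real check would load a large word list and a breached-password list from disk.

```python
"""Password policy check against dictionary and brute-force attacks.

Added example, not from the thread. COMMON_WORDS and LEET are constructed
for illustration; a real deployment loads a large word list from disk.
"""
import math
import re
import string

# Constructed: a handful of common base words. Real lists have millions.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin",
                "monkey", "dragon", "baseball", "football", "iloveyou"}

# Leet substitutions that every cracker's mangling rules undo trivially.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

STRIP = string.digits + string.punctuation


def normalize(pw: str) -> str:
    """Reduce a password to the base word an attacker's rules would recover:
    lowercase, drop leading/trailing digits and symbols, reverse leet-speak."""
    base = pw.lower().strip(STRIP)
    return base.translate(LEET).strip(STRIP)


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet that contains every character."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if " " in pw:
        size += 1
    return size


def brute_force_bits(pw: str) -> float:
    """Work factor of exhaustive search over the observed alphabet, in bits.
    An upper bound: it assumes the attacker has no better strategy than
    trying every string of that length over that alphabet."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def check_password(pw: str, min_length: int = 12, min_bits: float = 60.0) -> list:
    """Return the reasons a password fails policy (empty list = acceptable)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    base = normalize(pw)
    if base in COMMON_WORDS:
        problems.append(f"dictionary word '{base}' with trivial mangling")
    if re.fullmatch(r"(.)\1*", pw):
        problems.append("single repeated character")
    if brute_force_bits(pw) < min_bits:
        problems.append(f"brute-force work factor below {min_bits:.0f} bits")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Password123!", "aaaaaaaaaaaa",
                      "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

The point the thread makes is that "complexity" in the sense of swapping an `a` for an `@` buys nothing against a dictionary attack, because the attacker applies the same swap to every word; length over an ordinary alphabet is what raises the work factor.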
Do you have an old box lying around? How about Smoothwall?
Or better yet don't use IE; get Firefox. And for that matter, get rid of Windows too. Run a *nix box. For firewalls/routers (physical hardware ones) - block incoming traffic, put your IP in stealth mode (i.e. ignore ping requests), disable SSID, enable WPA2, set it up so that only certain MAC addresses can access the network, etc. If you want to be truly secure, move away from the MSFT. There's a reason most enterprises run *nix servers and not Windows servers.
I work information security for a living, so here's my take. First off, you're pretty well nuts for trying to do this. No one wants to hack your home computer for profit....and unlike when I was learning the ropes, that's unfortunately the primary motivator now. If a home computer gets hacked, rootkitted, or whatever else, it was either completely random, or the end user was stupid and invited the attack, usually by clicking pop up links, opening up unsolicited attachments, etc. TheStig is right in that almost nothing is secure. Seriously. New vulnerabilities and exploits are discovered every day, and often not patched for weeks or months.

However, if you really want to make recreational use of your home network a pain in the ass: The recommendation for the NSA config guides is spot on. In addition, you'll want a host-based firewall, anti-virus, and Intrusion Prevention System on each machine, with the rulesets configured to only allow the bare minimum of communication ports to specific IP addresses or ranges. Between the cable modem and you, you'll want a hardware firewall and Intrusion Prevention System. Again, the firewall ruleset needs to be anal retentively configured. You'll also want to go enterprise-class on each of these. Total cost, at least $5000, probably over 10K for the firewall device and software licenses. Plus yearly support. And of course the ongoing log monitoring, rule-base configuration, and attack correlation....which is a full-time job. You'd also want to TEMPEST secure the infrastructure, as you wouldn't want people reading the EM emissions from your monitor, computer or keyboard....no idea how much that costs either. Don't use wireless, cause wireless security is a joke, even WPA2. Don't use email as it can never be fully encrypted....same with any form of instant messaging.

You won't be able to definitively trace back an attack. You sure as shit won't be able to counterattack. Any attempt to do so is a crime in itself anyways, not to mention you don't have the technical savvy and skillset to do so....not meant as a slam, just stating facts.

Now if you want a common sense approach? Keep your machines patched up. Toss an antivirus, anti-spyware, and firewall package on each of them. Still go with a consumer based firewall product, or for more security, something like a Safe@Home wireless point/router which has CheckPoint's software on there. Feel free to hit me back if you've got more questions.

Ben72227 - There hasn't been a company yet I've worked for or known of that hasn't run Windows-based servers. Linux is still in the minority and even actively dissuaded by regulators, auditors, and similar such nuisances, necessary in today's world of SOX, GLBA, FFIEC, and the rest of the alphabet soup of regulations mandating security in publicly traded company infrastructures.
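The ruleset advice in this thread (d's "only allow the two IPs, only open a few ports" and the "bare minimum of communication ports to specific IP addresses or ranges" above), modeled as an added example that is not from the thread or any poster: a first-match, default-deny rule evaluator in Python, plus an audit for rules that can never fire because an earlier rule already covers them, which is the kind of mistake a carefully configured ruleset should be checked for. The addresses, ports and rule comments are constructed; a real firewall's rule syntax will differ.

```python
"""Default-deny firewall policy evaluator with shadowed-rule detection.

Added example, not from the thread. HOME_POLICY below is a constructed
policy for two PCs (.10 and .11) behind a router (.1); a real device's
rule syntax differs, but the first-match/default-deny logic is the same.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive low..high


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    dport: Optional[PortRange]  # None means any destination port
    comment: str = ""


def rule_matches(rule: Rule, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    """True if this one rule applies to the described packet."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport[0] <= dport <= rule.dport[1]


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Anything no rule claims falls to the implicit
    default: deny. Returns (action, index of the deciding rule or None)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action, i
    return "deny", None


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` would match is already matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src)):
        return False
    if not ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)):
        return False
    if outer.dport is None:
        return True
    if inner.dport is None:
        return False
    return outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Rules that can never fire because an earlier rule matches everything
    they would. Returns (shadowed_index, shadowing_index) pairs."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if _covers(rules[i], later):
                found.append((j, i))
                break
    return found


# Constructed policy: two PCs may share files with each other, resolve DNS
# via the router, and browse the web. Everything else is dropped.
PC_A, PC_B, ROUTER = "192.168.1.10/32", "192.168.1.11/32", "192.168.1.1/32"
BOTH_PCS = "192.168.1.10/31"  # covers .10 and .11 only
HOME_POLICY = [
    Rule("allow", "tcp", PC_A, PC_B, (445, 445), "file sharing A -> B"),
    Rule("allow", "tcp", PC_B, PC_A, (445, 445), "file sharing B -> A"),
    Rule("allow", "udp", BOTH_PCS, ROUTER, (53, 53), "DNS to the router"),
    Rule("allow", "tcp", BOTH_PCS, "0.0.0.0/0", (80, 80), "web browsing"),
    Rule("allow", "tcp", BOTH_PCS, "0.0.0.0/0", (443, 443), "HTTPS"),
    # Deliberate mistake: rule 0 already allows exactly this traffic.
    Rule("allow", "tcp", PC_A, PC_B, (445, 445), "duplicate, never fires"),
]

if __name__ == "__main__":
    print(evaluate(HOME_POLICY, "tcp", "203.0.113.5", "192.168.1.10", 445))
    print(evaluate(HOME_POLICY, "tcp", "192.168.1.10", "192.168.1.11", 445))
    print("shadowed:", shadowed_rules(HOME_POLICY))
```

The useful habit here is the last step: after writing a tight ruleset, run an audit over it, because a rule that silently never fires usually means the author's mental model of the policy and the device's actual behaviour have drifted apart.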
I'd recommend Firefox as well, to reduce the number of spyware infections, etc. But I'd definitely stay away from Unix or Linux for a home user. It doesn't sound like the OP has a ton of experience with computers, and should probably stick with XP or Vista. Definitely stay wired if possible, you take a lot out of the equation by just staying away from wireless. As for most enterprises using Unix, I'd have to say that isn't true. Every large company that I've worked for or done contract work with has been using Win2000 or Win2003. -d
Good stuff. I already use Firefox, and I'm hardwiring my network tonight. For those of you who aren't 'getting it', let me try to put this another way: Why do you civilians want high-capacity magazines, assault rifles, and rifle plates? You don't need any of that stuff. You're silly. All you need is a single-shot 12 gauge, and what do you need armor for anyway?
I keep my stuff updated religiously. Regarding a honeypot, I have a couple of spare boxes around here. What's the basic method? I understand the principle, but not the implementation.
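The basic method behind the honeypot/honeynet suggestion earlier in the thread, as an added example that is not from the thread or any poster: a listener that provides no real service, so any connection to it is suspect by definition, and which records who connected and what they sent. The banner, the port choice and the `probe` client are constructed for a local demonstration; a deployed honeypot would bind the ports a real service would use on a spare box and write events to a file or syslog rather than to a list.

```python
"""Minimal TCP honeypot: a listener that serves no real purpose, so every
connection to it is worth logging.

Added example, not from the thread. The banner and the `probe` client are
constructed for a local demo; a real deployment logs to a file or syslog.
"""
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Handle one connection: send a generic banner, record who connected
    and the first bytes they sent, then hang up."""

    def handle(self):
        src_ip, src_port = self.client_address[:2]
        self.request.settimeout(2.0)
        try:
            self.request.sendall(b"220 ready\r\n")  # constructed, generic banner
            data = self.request.recv(256)
        except (socket.timeout, OSError):
            data = b""
        self.server.record({
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": src_ip,
            "src_port": src_port,
            "dst_port": self.server.server_address[1],
            "first_bytes": data,
        })


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, HoneypotHandler)
        self.events = []
        self._lock = threading.Lock()

    def record(self, event):
        with self._lock:
            self.events.append(event)

    def snapshot(self):
        with self._lock:
            return list(self.events)


def start_honeypot(host="127.0.0.1", port=0):
    """Listen in a background thread. Port 0 lets the OS pick a free port for
    this local demo; a real deployment binds the port of a plausible service."""
    hp = Honeypot((host, port))
    threading.Thread(target=hp.serve_forever, daemon=True).start()
    return hp


def wait_for_events(hp, count, timeout=3.0):
    """Poll until `count` events are recorded or the timeout passes."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline and len(hp.snapshot()) < count:
        time.sleep(0.05)
    return hp.snapshot()


def probe(host, port, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Constructed client standing in for something touching the listener."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(64)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = start_honeypot()
    print("listening on", hp.server_address)
    probe(*hp.server_address)
    for event in wait_for_events(hp, 1):
        print(event)
    hp.shutdown()
    hp.server_close()
```

Because nothing legitimate on the home network should ever talk to this box, the value is in the signal-to-noise ratio: every recorded event is either a scan, a misconfiguration, or something already inside the network, and each of those is worth looking at.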
Educate yourself. Find some good sites on hardening Windows and become familiar with current threats and vulnerabilities. There are a bunch of sites and podcasts on the topic. I really enjoy PaulDotCom Security Weekly.
I would be interested in those papers...