Securing Your Network

This article shows you how to secure your network against both external and internal threats. It discusses how to identify the points of weakness on a typical network and the best ways of securing them, and it provides in-depth coverage of how to secure wireless networks, which have additional security considerations.

Before deciding what measure you’ll take to protect your network, assess the threats to the network and determine what you’re trying to protect and the degree of protection it requires. This section suggests how you might approach these issues.

Why Would Anyone Attack Your Network?

For many home network and home-office network administrators, the main problem with network security is getting people- including perhaps you- to take it seriously. It’s tempting to believe that your computer or your network is unlikely to be attacked and that therefore you don’t really need to bother securing it. After all, if several hundred million computers are on the Internet, why should anyone pick on yours? Similarly, you might choose not to pay for home insurance on the assumption that your home will probably not be broken into. But unlike your home, which is vulnerable only to thieves in the neighborhood, a computer or network connected to the Internet is vulnerable to everyone else who’s online- and unlike thieves, hackers have automated tools with which they can scan millions of Internet addresses for unprotected computers and attack them automatically. People who have secured their networks often find in their firewall logs frequent attempts to access their networks from IP addresses all over the world. And if an attacker is subtle rather than destructive, they can access your unprotected computer, read your files, and steal your secrets without you being any the wiser.

What Do You Have to Protect?

Only you know what secrets you keep on your computer until someone hacks in to it, that is. But chances are that you have plenty of data you need to protect, from confidential documents and e-mail messages, personal details, online accounts, credit card data, bank records, tax files, and much more. Beyond the risk of having your data stolen and your identity perhaps impersonated, you probably also want to guard against indirect attacks such as an outsider using your computer to perform unsavory or illegal acts- for example, sending spam, posting offensive material online, or attacking other computers.

How Much Security Do You Need?

Just as there’s no sense in installing maximum security on an empty garden shed, you may well not need to turn your home network into a virtual Alcatraz. So when you’re thinking about securing your network, it helps to have an idea of what you’re trying to protect and what kinds of attacks you’re trying to thwart. Most likely, you’ll want to prevent casual access to your network- for example, by someone looking for a free wireless connection- and put enough easy-to-implement security into place to deter all but determined attackers. But someone determined enough will probably be able to circumvent sensible security measures, and you may need to restore data from backup to recover from a destructive attack. Similarly, if you’re protecting your house against break-ins, you probably secure your windows, doors, and other points of entry. But if a burglar brings a crane with a wrecking ball, or drops a bomb from a helicopter, your locks and bolts probably won’t withstand the attack.

Understanding the Points of Weakness on Your Network

A house has certain obvious points of weakness for an attacker: the doors, the windows, the chimney possibly, and any hole in the roof, walls, floors, or ceiling. An attacker could brazenly try to open a door or window. They could try to slip into the house undetected by weaseling through a mouse hole in the baseboard. They could simply smash their way in by using a bulldozer. Or they could try to persuade you or your house to open the door for them. Similarly, stand-alone computer has obvious points of weakness, the usual suspects being the floppy drive, the CD or DVD drives, and any other removable drives, any of which can be used to load infected files or malware onto the computer. The computer may also be open to physical attacks, such as cutting off the power supply either at the computer, at the wall socket or breaker box, or outside the building or trying to open it with a sledgehammer. As soon as you connect your computer to the Internet, you open another channel for attack or infection. In many cases, the Internet connection poses a far greater threat to the security of the computer than do the floppy, CD, and removable drives. When two or more computers are connected in a network, each point of weakness on an individual computer becomes a threat to the other computers on the network. And when you connect the network to the Internet, each computer connected to the network becomes vulnerable to attack and infection through the Internet connection. Unless the Internet connection is tightly protected, an attacker can take control of a computer on the network and use it to attack or infect the other computers on the network. To keep your network safe, you essentially want to make it the equivalent of a tightly controlled gated community surrounded by a high-risk area: Each computer attached to the network must be a known quantity, just as each house in a community must be houses outside the community can’t suddenly become part of the community. Users of networked computers have levels of access appropriate to their trustworthiness, just as community members do. For example, most community members will be allowed to access their own house but not other people’s houses. Most users on the network will be allowed to use their own computer or a computer they share with other people but not other computers. Just as the road into the community from the outside needs to be guarded so that community members can come and go freely, but unauthorized traffic is kept out, so the Internet connection needs to be firewalled and policed to prevent unauthorized data from entering the network. And the community leaders read: the Administrator users supervise what’s happening in the community, check periodically that the gatekeeper is doing its job read: examine the firewall logs, and generally keep an eye on things. Your home network is likely to have three main points of weakness:

• The network’s Internet connection or connections can give an attacker access to your network; can bring in viruses, malware, or inappropriate material; and can send out your private data.

• The removable-media drives on the computers can be used to introduce dangerous material to your network or to copy your private data.

• The users of the computers on the network can delete files, steal files, install dangerous software, or introduce malware or inappropriate material to the network.

If your network is a home or home-office network, as this article assumes, your users probably pose less of a threat than do the users of a corporate, governmental, or military network. But don’t discount them as a threat, because even well-intentioned actions can damage your valuable data. For example, if someone decides to, say, install Linux on the same partition as your data files, you’ll find yourself giving your backup and disaster-recovery strategy an impromptu workout- together with your central nervous system, most likely.

Normal Methods of Securing a Home Network

The typical methods of securing a home or home-office network are as follows:

• Secure the Internet connection with a firewall and configure the connection to prevent file sharing across it.

• Scan all incoming files for viruses. Monitor each computer for unusual activity.

• Choose browser settings to minimize the dangers of hostile web pages, scripts, and infected files. Choose high-security settings for programs that allow the execution of macros, scripts, and user forms.

• Implement user accounts actively to control which computers users can log on to and which actions they can take on them.

• Use permissions to prevent users from accessing files you don’t want them to access.

• Educate users about security risks and how to minimize them.

• Prevent untrustworthy users from physically accessing computers that contain sensitive or otherwise important data or that are mission-critical. For example, in a home setting, lock your office so that young children can’t access your files.

• For each computer that contains important data files or delivers services to other computers, keep the hardware and software maintained so that no computer stops working unexpectedly. You should maintain all your computers, of course, but if time is short, concentrate your efforts on those that contain important data.

• To make sure that no unauthorized traffic can enter certain parts of your network, implement Windows Firewall rules on key computers.

• Back up any and all data that could possibly be damaged, stolen, deleted, or otherwise cause problems if it were to disappear. Besides securing the network using these techniques, you need to have a disaster-recovery plan for when the network’s security is compromised. As with a stand-alone PC, that means backing up all the data files that you can’t easily re-create and knowing how to restore the files. The rest of this article discusses these steps in more detail, referring you to features covered in other articles where appropriate.