On our Gnomies.com TeamSpeak server the other day, Gnomie Phil Horton said that he’d like to share some more of his knowledge with the overall LockerGnome community; we were thrilled! So here’s what he’s come up with. Enjoy!
You may remember a LockerGnome article from a few days ago in which I suggested my top five tools a technician shouldn’t do without. Well, that was a guide for dealing with a computer after it gets infected with malicious software. This is a guide to securing your home network using a layered defense strategy, with the best performance and reliability in mind.
Step 1: Start at the networking level. The most important area to secure on your network is the network itself! Everyone should be connected behind a router, which is a device that enables you to share your Internet connection with multiple devices by wired or wireless access. What some people might not realize is that a router is your best consumer firewall. Every consumer-grade router includes a stateful packet inspection (SPI) firewall, which blocks or ignores most incoming attacks toward your connection. For this very reason, you should run behind a router even if you don’t use wireless and only one computer is connected to the Internet.
If you plan to use the wireless capability most routers give you, be sure to follow these steps to ensure your wireless is secure:
- Disable Wi-Fi Protected Setup (WPS) and enable WPA2 Personal security using AES encryption.
- Make sure the key you provide when setting up wireless security is a good password.
- Change the default administrator password for the router. Every Wi-Fi parasite out there knows the default username and password combinations for your brand of router, so don’t give them an easy hint!
- Change the SSID (the network name) to something unrelated to your personal life or router model, again making it difficult for people to gain information about your equipment. Don’t be that person who has “Linksys-184721” on the wireless list.
- Disable remote management for your router, unless you need access to it from outside your network. It is never a good idea to give the whole Internet an easy opportunity to get into your network; keeping it within your home makes it magnitudes more difficult for attacks to be successful.
- Look into a service like OpenDNS to give you control over the content on your network. OpenDNS is an excellent DNS provider that blocks phishing, adware, and other malicious websites from resolving, using crowdsourced community support to identify sites more quickly. It also enables parents to block inappropriate websites at the network level, making the block more difficult to circumvent because it applies to all computers, smartphones, etc. OpenDNS can also speed up your browsing experience and it requires no resources from your router to work, so there is no trade-off.
Step 2: Now that we have locked down your home network, we can begin to focus on computer-side security. Whether you’re running Windows, Mac OS X, or Linux, it is critical that you keep the operating system and its third-party applications up to date. Software companies are constantly battling vulnerabilities in their programs that adversaries exploit. They fix these problems in the form of updates; some are automatic while others require you to routinely check on the Web. No amount of security will protect you from outdated software, so be vigilant.
Follow basic security habits regardless of your operating system environment. You’ve heard people say it before: “Don’t open email attachments, or download files on the Web you were not looking for, and stay away from adult content.” Well, your brain is the first line of defense for anything, so use it! Sometimes we forget or think that it only applies to Windows — think again. OS X has, on average, a new exploit or piece of malware out every week. Even Linux has problems; keep in mind that many websites rely on Linux and hackers love tearing them up.
This one is important for Windows users and more and more for OS X users by the day: Run a trustworthy anti-malware application like ESET, which is both Windows and OS X compatible. For those of us looking for a free Windows solution, Microsoft Security Essentials works great.
Most operating systems have a built-in software firewall to protect you from network-bound worms. Beyond your router, be sure that firewall is enabled just in case one of your computers gets infected — you wouldn’t want malware to spread to all of your connected systems. If you would like an additional layer of protection, check out the MVPHOSTS file. This community-built HOSTS file contains a list of most of the major attack vectors on the Web. The HOSTS file allows you to control where a domain name directs, like your own personal DNS system. MVPHOSTS works by directing all the listed sites to the IP 127.0.0.1 (localhost), which basically terminates the connection before it can reach a malicious site. Like OpenDNS, this method of security requires no additional computer or networking resources, involving zero overhead.
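To see what a blocking HOSTS file actually does on your machine, the following added example (not part of the original article or of the MVPHOSTS project) parses HOSTS-file syntax and separates sinkholed names from entries that point a name at some other address, which deserve a second look. The sample data, the `audit_hosts` name, and the treatment of 0.0.0.0 as a second sinkhole address are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample in HOSTS-file syntax (not taken from the real MVPHOSTS list).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost
127.0.0.1   ads.example.com tracker.example.net   # two names on one line
0.0.0.0     malware.example.org
203.0.113.7 www.mybank.example    # points a name at a remote address
not-an-ip   broken.example.com
"""

# Names that are expected to map to the loopback address on a normal system.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (line number, address or None, hostname) for every mapping."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or name-less line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None                         # first field is not an IP address
        for name in fields[1:]:                 # one address may carry several names
            yield lineno, addr, name.lower()

def audit_hosts(text):
    """Sort entries into sinkholed names, remote redirects and malformed lines."""
    report = {"blocked": [], "redirected": [], "malformed": []}
    for lineno, addr, name in parse_hosts(text):
        if addr is None:
            report["malformed"].append((lineno, name))
        elif name in LOCAL_NAMES:
            continue
        elif addr.is_loopback or addr.is_unspecified:
            # 127.0.0.1 is the article's sinkhole; 0.0.0.0 is assumed equivalent here
            report["blocked"].append(name)
        else:
            # a HOSTS entry overrides DNS, so unexpected ones should be reviewed
            report["redirected"].append((lineno, name, str(addr)))
    return report

if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        print(kind, entries)
```

To audit a real file, pass its contents to `audit_hosts` instead of the sample; entries you added yourself for devices on your own network will also show up under `redirected`.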
Step 3: Always keep yourself educated on the latest security news so you can stay safe and educate others, like we do here at LockerGnome. I recommend staying tuned into Steve Gibson’s Security Now podcast, which not only alerts you to new threats but also brings you into the world of fundamental principles about technology.