Short course on network security

By jobeard
Apr 28, 2005
  1. StormBringer

    StormBringer TS Rookie Posts: 2,244

    You left one very important thing out. When using all those things together, you better know how to properly configure them to work together and to allow for the communication that you need, such as local networking (filesharing, etc...), being able to access secure sites that may become blocked by default with some security software, and complete network lockdown.

    I've seen it hundreds of times, especially with wireless users, the user thinks he's all protected, then goes to where a "hotspot" is supposed to be and can't connect because his very secure system is now blocking him from connecting to the network because it is not on the list of allowed addresses.
    This isn't a problem for those who know a bit about security, but then again, that article wasn't intended for people who already know how to secure their systems...
  2. jobeard

    jobeard TS Ambassador Topic Starter Posts: 9,160   +599

    Outline of PC Online Security

    Both Security and Personal Safety have two ways of being achieved
    1) Passively
    like an air bag, it requires the user to do nothing and
    it responds to the conditions at hand.
    2) Actively
    like a seat belt, the user must engage it or it does
    nothing to help you

    In addition, there are Reactive tools (like anti-virus and IDS
    scanners), as well as Proactive tools to avoid contamination altogether.

    Lastly, there's no silver bullet that 'kills all vampires'. Like a
    carpenter's tool box, there are special tools for each job and sometimes
    multiple variations for the same task (ie a framing hammer versus a tack
    hammer). You can NEVER have too many tools!

    Dialup users get a new IP address every time they connect. This implies
    that if I want to attack you specifically, it can only be done during
    the life of your existing connection (else how can I find YOU next time).

    This makes the attacker's life more difficult and they will usually look
    for easier targets (ie: a machine with a fixed IP address).

    Broadband and ISDN users have significant exposure. If you do nothing at
    all, your computer sits on the Internet begging to be attacked. Without
    some protective techniques, your computer can easily become a remote
    robot used to infect other users too (very much like infectious diseases).

    What are the steps to secure your system?

    1) Get a Router - cheap, hardware-passive solution (ok, you have to buy
    one, install it, and turn it on) which is ~75% effective. Your system is
    no longer visible to the Internet and the chances of direct attack are
    greatly reduced (notice: not 100% protected). WHY? The modem will have
    a Public IP address and this is visible. When the computer is connected
    to a Router (and then to the modem), your system has a Private IP address
    (ie: a non-routable address like 192.168.*.*). An Internet attack can
    not be made directly against a non-routable address and your computer is
    much safer. This is all done by a router technique called NAT (network
    address translation).

    2) Install Windows XP with SP2. This Service Pack reconfigures Windows
    to be very much like Apple Macintosh has always been; all ports closed.
    Without an open port, the system is exactly like not even being
    connected at all and thus is much more immune from attack.

    3) Get a Software Firewall - several are available, not expensive and
    there is at least one or more that are Freeware (ZoneAlarm, COMODO).
    Windows XP users have a freebie from Microsoft which is a half/firewall solution;
    half because it only controls inbound connections and has very little
    configuration control -- the whole object of a firewall in the first place.

    A configurable firewall will allow you to control inbound access very
    effectively. For example, all of your local network (other computers
    also connected to your router) can be allowed to enable File and Print
    Sharing. Then inbound traffic from the Internet can be restricted by
    default. You have control and the bad guys are locked out.

    A firewall increases your protection level to ~95% effective. Why not
    100%? Because you the user still 'invite' visitors into your system
    with Email and Web pages! If you never read Email nor browsed the web
    for information, then you would be secure, but then you've paid for
    access that is useless to you too :)

    Here are some specific tools to assist you in keeping your system safe
    and sane:

    ActiveX control
    Spyware Blaster

    Keylogging protection, hijacker control, system modification
    monitoring all leading to Identity Theft
    Spybot Search & Destroy
    love this one, as you can disable startups
    without fussing with the Registry!
    Popup control
    Popup Stopper

    Spam control
    a) don't use the Preview Pane,
    it allows access before you even get to delete it.
    b) use a spam filter like
    which was just acquired by Microsoft
    c) another choice is Mozilla Thunderbird which avoids
    ActiveX and VB scripting code altogether

    AntiVirus Software
    Reactive measure to fix the damage already active on your system. Some
    products perform scans on files as they are being opened, which is a
    Proactive approach to avoiding contamination.


    edit: Add a host file to block well known sites with various contaminations!
    access this online text file,
    then SAVE AS \windows\system32\drivers\etc\hosts\ (notice no extension and allow the replacement).
  3. jobeard

    jobeard TS Ambassador Topic Starter Posts: 9,160   +599

    network security PART-2

    StormBringer makes a good point, so I'll complete the exercise.

    Internet Security with Systems on a Local Lan

    So you have your system secured from outside, but now access to Lan file
    and print sharing is all restricted. How do you restore Lan-to-Lan

    { there are many variations in configuring a firewall and this is NOT an
    exhaustive guide - - rather, its intent is to get you a reasonable
    degree of protection with minimum effort on your part. For now, let’s
    focus on Lan-to-Lan - - wireless is another level and I’ll add that
    information in the next installment. Also, the actual grammar used to
    configure a firewall varies by vendor. The point here is to identify
    the sequence of ALLOW/DENY rules to achieve a secured system}

    Let’s first get graphical to see the layout and understand what we’re
    dealing with.
    A LAN system might look like:

    ...............Public | Private
    ....Modem ---> router +---> one or more systems

    The bad boys are to the left side of the ‘router’ and your systems are
    on the right. Our goal is to make the Public side behave as if it looks
    ...............Public | Private
    .............Modem ---> router

    Notice the modem sees the router and nothing else!

    And the Private side to look like
    ...............Public | Private
    ...............................|---> one or more systems
    Notice the Private systems see each other

    The first thing is to
    ..... DENY all INBOUND access all IP addresses on all PORTS.
    This becomes your DEFAULT firewall rule and is the LAST
    entry of the rule list. (Let’s be clear; if you use a software firewall,
    then each and every system needs one!) Notice that we allow all
    outbound traffic (not the best, but it will do for now ). This
    simplifies things like accessing secured sites via HTTPS(443).

    There are a few other rules you will want (above the default) as your
    system needs these for internal operations as well as access to the
    ....# a service on your system accessed by an application
    .... ALLOW inbound/outbound on All Ports
    .... # needed for connection to ISP
    .... ALLOW ICMP inbound/outbound from all
    .... ALLOW ALL inbound Port 53 #dns requests
    With this configuration, you have maximum safety and no one has access
    to your systems – not even your own LAN systems!

    So how do we get the Lan running again?

    We get control of the Lan by noting that the IP addresses of your
    systems are in the private, non routable address ranges of
    .... -
    .... -
    .... -

    An attack from the public Internet will not be routed to any device
    which has an address in these ranges. For illustration purposes, let’s say the
    private side of the router is at address (very common).
    Each of our systems will get an
    address using DHCP which is also in the same subnet (192.168.0.*). The
    additional information we know is the ISP will give us a public IP
    address which is *NOT* in the ranges of table-1 above (otherwise we
    can’t access even the ISP).

    Firewalls execute rules in the order listed and stop processing rules
    when the first matching rule is found. To enable our Lan systems to
    talk to each other, we need a special PERMIT rule to precede the default

    With our Lan systems in the private non routable range and the external
    world *NOT* in this range, we can add
    .... LAN ACCESS PERMIT ALL inbound/outbound from 192.168.0.* all PORTS.
    Move this rule to be immediately above the DEFAULT rule and all Lan
    systems are re-enabled for File and Print Sharing and all other services
    on any of our lan systems - - SMTP, POP3, FTP, and even Oracle

    Just to introduce you to another level of control a firewall *may*
    exploit is the discrete control of specific ports. For example, Email
    services are standardized on ports 25(smtp-outbound) and 110(POP3
    inbound). Other Ports might be used, but the sender and receiver must
    change the service configuration on both ends. Most admins will leave
    the Port numbers alone, unless they need extra security. I make the
    point on Port usage as prior to XP-SP2, Ports 135, 137-139 and 445 were
    easy targets for hackers. Our LAN ACCESS rule above allows full access
    to the Lan systems internally, but excludes all access from the outside
    world. If you need to permit file sharing to and from a selected set of
    systems but deny access to the others, then you need a more specific
    rule than the one shown above - - something like
    .. LANSPECIFIC PERMIT 192.168.0.{2,4} inbound/outbound ...
    ........TCP/UDP PORTS {135,137-139,445}
    You should notice that the system at is not shown and
    therefore will not have access.

    There are several other tweaks possible, and as I’m paranoid, I
    implement what is known as hardware provisioning - - only known MAC
    addresses are mapped into my private Lan. The MAC address is unique to
    every Network Interface Card (NIC) in the world. { you can see the MAC
    using IPCONFIG /ALL on each system}. When you have a Lan with many
    systems (eg >15-20) this gets to be a pain to keep configured properly,
    but with a small home-based network, this is worth the effort - -
    especially when we get to discuss WiFi (wireless access).

    To implement hardware provisioning, the ROUTER is setup to force
    mappings like
    ........mac-1 to
    ........mac-2 to
    and so on to the last known MAC on your network (eg:
    You then change the LAN ACCESS rule to read
    .... PERMIT ALL inbound/outbound all PORTS.

    This rule is very specific and will protect you from rogue wireless
    devices, and works well for your KNOWN systems. I make an issue for
    KNOWN vs UNKNOWN, as life gets interesting with a wireless router and
    someone sitting down the street trying to use your network for free.

    I’ll add that information in the next installment.

    ====== example rules =========

    ........ALLOW inbound/outbound on All Ports # system local
    ........ALLOW ICMP inbound/outbound from all # allow Echo*
    ........ALLOW ALL inbound Port 53 # dns requests
    ....LAN ACCESS: PERMIT ALL inbound/outbound from 192.168.0.* all PORTS
    ....Default: DENY all INBOUND from all IP on All Ports

    (*) ICMP Echo is very useful to debug routers and Tcp. It also allows
    the whole world to know your system is on the net. Frequently,
    professional admins will disallow ICMP Echo as a means to avoid making
    the system easily visible and subject to Denial of Service(DoS) attacks.
    Removing this rule however, will not ensure you never have a DoS
    attack, so you might as well have the facility to assist you later.
  4. jobeard

    jobeard TS Ambassador Topic Starter Posts: 9,160   +599

    network security PART-3

    Network Security using Wireless Access

    Recall a LAN system might look like:

    .............Public | Private
    ...Modem ---> router +---> one or more systems

    If you don't like the idea of poking holes in walls and ceilings to wire up Cat-5
    cabling, the natural choice is a Wireless Router. The cables from the Router
    to the system(s) are replaced with high frequency radio waves(RF) which can
    be received in the 100-300ft radius of the Router. The modem-router
    connection is hard wired and the router-system(s) is RF. As RF does not
    respect property lines nor even the hard walls of your home, it travels until
    reception is no longer <useful>. If we are not careful however, we can
    unknowingly allow a network like

    .............Public | Private
    ...Modem ---> router +<---> one or more systems
    ....................................+<---> some rogue system
    If you can connect to the router with RF, so can anyone else!

    We have two levels of protection available:
    1) the connection to the wireless router
    2) our firewall on each Lan system
    The Wireless connectivity is strictly handled in the setup of the Router.
    Here are some guidelines to make it as difficult as possible to create a
    rogue-system connection to the Router.
    ..a) change the default SSID and write it down
    .....(use something you know+one or two digits; eg 12nickname43)
    ..b) if your router has the feature, DISABLE SSID Broadcasting
    ..c) if your router supports hardware provisioning
    .....(ie mapping MAC addresses to IP addresses) use it!
    ..d) enable ANY level of encryption available on the Router AND your
    .....system's wireless adaptor.
    .....Select a KEY (sometimes a pass phrase) and write it down too.
    These steps make it very difficult to create a connection to your router
    without knowing the exact steps you took. You will, by the nature of getting
    your systems to talk to the router and making typos, prove this can be
    frustrating. And that's the goal; make the bad guys give up before they get
    anything meaningful off your systems.

    (You should be aware however, there is no such thing as perfect or absolute
    security. If someone wants into your system bad enough, it can be done - -
    it takes a great deal of effort, time and $$$ to do so and usually they give up
    early ).

    OK, we have made the Router as difficult as reasonably possible, but some
    bright <person> gets thru and connected - - now what? Our second line of
    defense is the firewall configuration!

    In Part-2 of this discussion I noted
    ..To implement hardware provisioning, the ROUTER is setup to force
    ..mappings like
    .... mac-1 to
    .... mac-2 to
    ..and so on to the last known MAC on your network (eg:
    ..You then change the LAN ACCESS rule to read
    .... PERMIT ALL inbound/outbound all PORTS.

    ..This rule is very specific and will protect you from rogue wireless
    ..devices, and works well for your KNOWN systems. I make an issue for
    ..KNOWN vs UNKNOWN, as life gets interesting with a wireless router and
    ..someone sitting down the street trying to use your network for free.
    This is the key to keeping rogue-systems out of your Lan. The rule
    .... PERMIT ALL inbound/outbound all PORTS
    in combination with the hardware provisioning ensures that even if a
    connection is made, we will have two facts in our favor:
    1) the DHCP address given to the rogue will *not* be in our range of
    supported addresses {}
    2) the firewall rules are set to PERMIT only known systems and DENY all else.

    Under the premise that the rogue has a connection, at least there's no
    access to your systems. The very most the rogue gets is a free network
    connection from the router to the Internet - - and this is a low probability

    So what happens when you take your laptop to a hotspot?
    First, it's not your router any longer so the hardware provisioning is gone and
    you get a random IP address (not really random but also not very likely to be
    one your firewall will allow). The rules that allow File and Print Sharing are
    dependent upon the IP address being
    ... You get outbound access and everything else is
    DENIED - - and that's exactly what I want when I go public.
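
Added example (not part of jobeard's posts): a small first-match rule evaluator in Python that replays the Part-2 rule list and the Part-3 hotspot case. The rule labels, the test addresses 203.0.113.9 and 10.20.30.40, and treating "port" as the single port a rule is matched on are assumptions; the "system local" rule is left out because its address does not appear on the page.

```python
import ipaddress
from dataclasses import dataclass

ALL_PROTOS = frozenset({"tcp", "udp", "icmp"})

@dataclass(frozen=True)
class Rule:
    name: str                      # label only (constructed for this example)
    action: str                    # "PERMIT" or "DENY"
    sources: tuple                 # CIDR strings; "0.0.0.0/0" means "all"
    protos: frozenset = ALL_PROTOS
    ports: tuple = ((0, 65535),)   # inclusive ranges; ignored for ICMP

    def matches(self, src, proto, port):
        ip = ipaddress.ip_address(src)
        if not any(ip in ipaddress.ip_network(net) for net in self.sources):
            return False
        if proto not in self.protos:
            return False
        return proto == "icmp" or any(lo <= port <= hi for lo, hi in self.ports)

def evaluate(rules, src, proto, port=0):
    """Walk the list top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(src, proto, port):
            return rule.action, rule.name
    return "DENY", "no-match"

ANY = ("0.0.0.0/0",)
ICMP = Rule("icmp", "PERMIT", ANY, frozenset({"icmp"}))
DNS = Rule("dns", "PERMIT", ANY, frozenset({"tcp", "udp"}), ((53, 53),))
LAN_ACCESS = Rule("lan-access", "PERMIT", ("192.168.0.0/24",))
LAN_SPECIFIC = Rule("lan-specific", "PERMIT",
                    ("192.168.0.2/32", "192.168.0.4/32"),
                    frozenset({"tcp", "udp"}),
                    ((135, 135), (137, 139), (445, 445)))
DEFAULT = Rule("default", "DENY", ANY)

PAGE_ORDER = [ICMP, DNS, LAN_ACCESS, DEFAULT]    # order given in the post
WRONG_ORDER = [ICMP, DNS, DEFAULT, LAN_ACCESS]   # default no longer last
RESTRICTED = [ICMP, DNS, LAN_SPECIFIC, DEFAULT]  # file sharing for .2 and .4 only

if __name__ == "__main__":
    cases = [  # constructed inbound packets: (label, rules, source, proto, port)
        ("LAN peer, file sharing", PAGE_ORDER, "192.168.0.4", "tcp", 445),
        ("Internet host", PAGE_ORDER, "203.0.113.9", "tcp", 445),
        ("LAN peer, default moved up", WRONG_ORDER, "192.168.0.4", "tcp", 445),
        ("unlisted LAN system", RESTRICTED, "192.168.0.3", "tcp", 445),
        ("hotspot neighbour", PAGE_ORDER, "10.20.30.40", "tcp", 445),
    ]
    for label, rules, src, proto, port in cases:
        print(f"{label}: {src} {proto}/{port} ->", *evaluate(rules, src, proto, port))
```

If a hotspot happens to hand out 192.168.0.* addresses, `lan-access` matches its clients as well, which is the "not very likely" case the post mentions; the narrower `lan-specific` rule limits what such a match exposes.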
  5. Samstoned

    Samstoned TechSpot Paladin Posts: 1,018

    I'll save this one for my website
Topic Status:
Not open for further replies.
