Network Security Measures

There are several SOHO LAN security measures that help ensure that SOHO LAN data is secure, its PC hosts are protected from viruses, and the impact of DoS attacks is mitigated. To have a secure SOHO LAN, all these measures must be implemented and monitored continually. If they are implemented but not monitored, the SOHO LAN rapidly loses its protection from viruses and other external security threats.

Virus Scanning Programs

The most important SOHO LAN security measure is virus scanning programs. On several occasions virus attachments have been sent to me. Some have contained viruses themselves, while others no doubt directed my PC host to sites that contained virus-laden Web pages and software downloads. In these cases virus scanning software examined all files downloaded into my PC host, detected the virus, and quarantined the file so that it would not be inadvertently executed and infect my PC host with the virus.

Of the security measures identified and explored here, probably the most important for a SOHO LAN is implementing and maintaining virus scanning software. Figure 7.8 shows the Norton antivirus software included in Norton SystemWorks system status. The Live Update icon in the middle of the icons at the top of the figure links to the Norton Web site, where new virus signatures are downloaded into the PC host to update the antivirus software.

Figure 7.8. Virus scanning software maintenance.


Norton antivirus software primarily uses virus signatures to detect potential PC host virus infections. Here a virus is used in its most general sense to represent all malevolent software. Norton antivirus also uses some heuristics to perform added virus detection for new “in the wild” viruses that have not yet been sampled and had their signatures extracted. Figure 7.9 shows the Norton Antivirus software heuristics configuration panel.

Figure 7.9. Antivirus heuristics.


The heuristics work to provide both automatic and manual protection.

The live signature file update feature can be performed automatically or by notifying the PC host user to permit him or her to manually perform the update. Virus signature file updates should be manually scheduled on a weekly basis to provide the most effective protection. Automatic updates help novice users maintain an effective level of virus protection without requiring their attention. Nonetheless an administrative procedure to check each PC host monthly to ensure that virus signature files are updated should be implemented. Even though such an administrative procedure is time consuming, it is much less time consuming than trying to recover a SOHO LAN from a virus infection. Figure 7.10 shows the Norton antivirus automatic update configuration panel.

Figure 7.10. Automatic virus signature file live update.


The most popular antivirus software is equally effective when it comes to preventing a virus infection. Selecting one specific product over another is not as important as implementing virus protection with one antivirus software package and keeping it updated.

Windows Update

The next most important security procedure is to periodically run Windows Update. Figure 7.11 shows the link to the Microsoft Windows Update site in the Windows XP Start menus.

Figure 7.11. Windows XP update.


When Windows Update does not appear in the Start menus, it can be accessed directly using the Windows update URL:

http://windowsupdate.microsoft.com

Windows critical updates deal primarily with resolving Windows security vulnerabilities that have been exploited by malevolent software. Effective security requires that these updates be implemented in both SOHO user PC hosts and in SOHO Windows servers. This is because Windows is the primary target of hackers and crackers. Other software is also a target, but the impact does not get the press coverage that Windows virus attacks get.

Brain Teaser: Windows Update

Run Windows Update on a PC host to see if any critical updates need to be installed. If there are missing critical updates, install them.

What other Windows updates did you find? If the DirectX 8.1 software needs to be installed, download the installation file from www.microsoft.com/windows/directx/downloads/drx81.asp.

Once the file is downloaded and saved on a server, it can be installed without running Windows Update.


Automatic download and notification of critical updates is provided in Windows XP and other Windows software and provides automatic notification when new critical updates are posted at the Windows Update Web site. Figure 7.12 shows the Windows XP automatic update configuration settings. Performing a Windows update once a week is probably best to provide the most effective SOHO LAN security.

Figure 7.12. Windows XP automatic critical update notification.


Similar to antivirus protection, an administrative procedure to check all SOHO LAN user PC hosts and network servers to ensure that Windows critical updates have been installed should be implemented. Following such a procedure can avert the critical downtime that would occur if a SOHO LAN were infected with a virus.

Unlike virus protection, there are no competing Windows update products. All Windows updates are provided by Microsoft, as well they should.

Firewalls

The third component in implementing effective SOHO LAN security is a firewall. Firewalls are either hardware components or software running in routers, PC hosts, or network servers. A firewall protects a network from external probing by matching packets sent from the Internet with legitimate requests for those packets generated by internal SOHO LAN PC hosts. Firewalls may also stop packets from Trojan horse and worm software from leaving the SOHO LAN. This is more difficult and technically sophisticated filtering. Finally, firewalls can detect unusual traffic activity from the Internet and from within the SOHO LAN and using traffic logs alert network administrators to potential security threats.

Router Firewall Devices

A basic SOHO LAN firewall is typically implemented in a cable modem/DSL router. This hardware device may incorporate router/gateway functions, quality of service functions, LAN switching, and firewall functions. These devices provide good security for small home-office and smaller-office LANs. Larger-office LANs may require a more sophisticated firewall device that requires constant monitoring and updating. Any such firewall product is better than no firewall at all. However, more commonly implemented and less expensive devices are more likely to be compromised by hackers and crackers because of their availability for study and testing. The more popular a device and the more it is sold, the more attractive a target it is for hacking and cracking.

Linksys and D-Link make some popular hardware cable modem/DSL routers that incorporate firewall capabilities. When using one of these devices, the most important security consideration to implement is to immediately change the administrator ID and password from the default settings. Manuals for these devices are published on the Internet. These manuals contain the default settings for the administrative user ID and password. Consequently, any hacker or cracker encountering such a cable modem/DSL router will immediately try to access and determine the device configuration using these published administrator IDs and default passwords.

Software Firewalls

Software firewalls are some of the hottest-selling software today. This software implements firewall functions in SOHO LAN-attached PC hosts. This is personal firewall software. Several packages are popular sellers, including ZoneAlarm Pro, Norton Personal Firewall, McAfee Personal Firewall Plus, and BlackICE Defender.

All such personal firewalls have similar features that continually improve over time. Typical personal firewall protection features include the following:

  1. E-mail attachment protection

  2. Packet filtering to block external Internet intrusions

  3. Logging to track hacker and cracker attacks

  4. Blocking Internet performance and pop-up ads

  5. Controlling cookies

  6. Controlling internal PC host programs to prevent unauthorized Internet access

PC hosts connected 24/7 to the Internet are potential hacker and cracker targets. Crackers and hackers randomly send PING packets and attempt to scan a PC host's well known ports or any of its other 65,000 ports to find unprotected access to the PC host. When an open port is found, a hacker or cracker compromises the PC by sending a Trojan horse, spyware, or a malicious worm to the PC through the compromised port.

Personal firewall software protects PC hosts from intrusions and hostile attacks by rejecting packets received from the Internet that do not match legitimate requests coming from within the PC host. A personal firewall provides complete port blocking for all PC host ports. Personal firewalls protect against known and unknown Internet threats by monitoring all outbound traffic to the Internet. Only programs that have been specified as authorized for Internet access are permitted to send packets to the Internet. Malevolent programs attempting to transfer personal data, user IDs, passwords, e-mail addresses, and sensitive data to the Internet are thus detected and prevented from accomplishing the transfer. With a personal firewall the PC host user specifies which programs are trusted to access the Internet. See Figure 7.13.
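The two checks described above, stateful inbound filtering (only packets that answer a request the PC host itself sent are admitted) and per-program egress control, can be modelled in a few lines. This is an added illustration, not code from any of the named products; the program names, addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# A flow is identified by (local port, remote IP, remote port, protocol).
Flow = Tuple[int, str, int, str]


@dataclass
class Packet:
    direction: str      # "out" (sent by the PC host) or "in" (arriving from the Internet)
    program: str        # process that sent the packet (outbound only); "" for inbound
    local_port: int
    remote_ip: str
    remote_port: int
    proto: str = "tcp"


class PersonalFirewall:
    """Model of a personal firewall: trusted-program list for outbound traffic,
    and a state table so inbound packets are admitted only as replies."""

    def __init__(self, trusted_programs: Set[str]):
        self.trusted = set(trusted_programs)   # programs the user marked as trusted
        self.state: Set[Flow] = set()          # flows opened from inside the host
        self.log: List[str] = []               # blocked packets, for later review

    def filter(self, pkt: Packet) -> str:
        flow: Flow = (pkt.local_port, pkt.remote_ip, pkt.remote_port, pkt.proto)
        if pkt.direction == "out":
            # Egress control: an untrusted program (e.g. spyware) gets no Internet access.
            if pkt.program not in self.trusted:
                self.log.append(f"BLOCK egress {pkt.program} -> {pkt.remote_ip}:{pkt.remote_port}")
                return "block"
            self.state.add(flow)   # remember the request so its reply can come back
            return "allow"
        # Inbound: a probe or port scan never matches a flow the host opened,
        # so every port looks closed to the outside.
        if flow in self.state:
            return "allow"
        self.log.append(f"BLOCK unsolicited {pkt.remote_ip}:{pkt.remote_port} -> port {pkt.local_port}")
        return "block"


if __name__ == "__main__":
    fw = PersonalFirewall({"iexplore.exe"})   # constructed trusted-program list
    print(fw.filter(Packet("out", "iexplore.exe", 1025, "198.51.100.7", 80)))   # allow
    print(fw.filter(Packet("in", "", 1025, "198.51.100.7", 80)))                # allow (reply)
    print(fw.filter(Packet("in", "", 139, "203.0.113.9", 4444)))                # block (scan)
    print(fw.filter(Packet("out", "spy.exe", 1026, "203.0.113.9", 25)))         # block (egress)
    print("\n".join(fw.log))
```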

Figure 7.13. McAfee Firewall configuration.


Every personal firewall program provides the same basic features. As their development continues, the unique features of one product are incorporated into the competing products. So, using any personal firewall for a home-office LAN should provide effective security. Further, small-office LANs should consider personal firewall software for each PC client as a means of augmenting antivirus and other firewall security products.

Brain Teaser: Firewalls

Check to see if your SOHO LAN uses hardware or software firewalls or both.

What configuration options are there for hardware firewalls? Are there added configuration options for software firewalls? Generally software firewalls can be configured to limit PC programs from accessing the Internet while hardware firewalls do not generally support that feature.


SOHO Security Administration

Every SOHO LAN depends on a variety of detection mechanisms to protect PC hosts, servers, intranet Web sites, extranet Web sites, and Internet Web sites from malicious attacks and security breaches. One of the most important and more challenging tasks for an administrator is developing a tracking and detection system to alert him or her when a security breach or malicious attack is happening. Often, to determine when systems are compromised, log files must be sifted through to detect where and how the system was compromised and what damage was done.

This can be a very tedious process and may require a good knowledge of TCP/IP and the network monitoring tools employed. Consequently, preventing problems is the best defense. Some simple security measures for monitoring and securing Web traffic are the following:

  1. Ensure well known default Windows accounts are safe— Windows comes with Administrator, Guest, and a variety of other built-in user accounts. Windows 2000 built-in accounts are shown in Figure 7.14. Ensure that these accounts have good passwords, their access to network resources is strictly limited, or they are disabled. Since everyone knows of these accounts and anyone can use these accounts to access a PC host, they should be checked to ensure effective SOHO LAN security.

    Figure 7.14. Windows 2000 built-in accounts.

  2. Use NTFS security and disk partitions— NTFS provides added disk security that FAT partitions do not support. NTFS partition use can restrict access to files and directories to specific users and groups. With NTFS, access to a disk or folder can be revoked.

  3. Control directory browsing— When a Web browser follows a URL to a folder, a listing of files in the folder is displayed unless an INDEX.HTM is present in that folder. Web site security is increased when directory browsing is disabled in the IIS property sheet for a Windows IIS Web site or each folder has an INDEX.HTM file that controls access to that folder.

  4. Turn off all unnecessary server services— Windows provides many services not required by a Web server. Remote Procedure Call (RPC) services are rarely used by a Web server. Turn off all Windows services unless they are proven to be absolutely needed.

  5. Turn on WWW and FTP logging— Logging the activities at a Web site monitors a server's performance and tracks users' steps as they navigate through the Web site. By specifying when and what to log, you can reveal how well the Web site is performing and monitor malicious activity.

  6. Auditing— Use Windows' resource auditing features to monitor critical server resources. Setting an audit policy is performed using the Microsoft Management Console (MMC). Running the MMC (Start button-Run-MMC) permits adding the Microsoft Group Policies Snap-in. Under this Snap-in audit policies can be set, as shown in Figure 7.15. Audit policy settings enable auditing and permit choosing which events to monitor. Be cautious because auditing too many things can overload the Windows event viewer making it difficult to focus on critical security events.

    Figure 7.15. Setting auditing policies.

Once auditing is in place, monitoring the event logs should identify an attack. An attack on a SOHO LAN is generally an attempt to violate or compromise system security on a server or other PC host connected to the Internet. As we have discussed, hackers or crackers have many different options for hacking into a SOHO LAN, so it's imperative to monitor system activity and logs regularly to maintain a secure environment. If a server is compromised, a hacker or cracker might control the machine enough to install software that makes the SOHO LAN server an active participant in a denial-of-service attack.

When a SOHO LAN is secured, and logging and auditing are enabled and actively tracking any and all security violations, what happens when you detect suspicious activity on a SOHO LAN PC host or server? Investigating security compromises can be frustrating. Knowing effective investigative steps saves considerable time. When hacking or cracking activity is suspected, first check the Event Viewer. Obvious traces of an attack are most likely discovered there. These may be a cluster of logon or other errors occurring in a short time interval.

After inspecting the event viewer, search the log files. The log files can be searched manually or by special software to find the IP address where the attack originated. Use the time clustering of the event log events to narrow the search. When you find a suspicious IP address, use www.checkdomain.com to find the name of the ISP from which the attack originated. Document every piece of information that you have found. Use listed e-mail addresses to report to the ISP the hacking abuse.

The TRACERT command can be used to trace the network route that the hacking or cracking traffic followed. The log files provide details on the hacking or cracking attempt. Logging Internet activity is essential for securing a SOHO LAN. Logging does not keep attackers away—it only tells when they have attempted attacks.
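The investigative steps above, spotting a cluster of logon failures in a short interval and then narrowing the search to the originating IP address, can be automated over an exported log. The following is an added example, not part of the text; the log extract is constructed sample data in an assumed comma-separated export format (timestamp, event ID, audit type, source IP), and event ID 529 is the Windows 2000/XP logon-failure event.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Security-log extract (sample data, not from a real system).
SAMPLE_LOG = """\
2003-04-12 02:14:05,528,Success Audit,10.0.0.23
2003-04-12 02:31:40,529,Failure Audit,203.0.113.45
2003-04-12 02:31:43,529,Failure Audit,203.0.113.45
2003-04-12 02:31:47,529,Failure Audit,203.0.113.45
2003-04-12 02:31:52,529,Failure Audit,203.0.113.45
2003-04-12 02:31:55,529,Failure Audit,203.0.113.45
2003-04-12 02:32:01,529,Failure Audit,203.0.113.45
2003-04-12 02:32:08,529,Failure Audit,203.0.113.45
2003-04-12 09:05:12,529,Failure Audit,10.0.0.23
"""

FMT = "%Y-%m-%d %H:%M:%S"


def parse(log_text):
    """Turn the exported lines into (time, event id, audit type, ip) tuples, oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        ts, event_id, audit_type, ip = line.split(",")
        events.append((datetime.strptime(ts, FMT), int(event_id), audit_type, ip))
    return sorted(events)


def failure_clusters(log_text, gap_seconds=30, min_events=5):
    """Group failed logons per source IP into time clusters (consecutive failures
    no more than gap_seconds apart) and report clusters of at least min_events.
    Returns {ip: [(count, first_time, last_time), ...]}."""
    by_ip = defaultdict(list)
    for when, _event_id, audit_type, ip in parse(log_text):
        if audit_type == "Failure Audit":
            by_ip[ip].append(when)
    suspicious = defaultdict(list)
    for ip, times in by_ip.items():
        cluster = [times[0]]
        for t in times[1:] + [None]:          # None flushes the final cluster
            if t is not None and (t - cluster[-1]).total_seconds() <= gap_seconds:
                cluster.append(t)
                continue
            if len(cluster) >= min_events:    # a single stray failure is not an attack
                suspicious[ip].append((len(cluster), cluster[0], cluster[-1]))
            cluster = [t]
    return dict(suspicious)


if __name__ == "__main__":
    for ip, clusters in failure_clusters(SAMPLE_LOG).items():
        for count, first, last in clusters:
            print(f"{ip}: {count} logon failures between {first} and {last}")
```

The reported IP address and time window are what you would then document and look up at the ISP before reporting the abuse.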

Some added sources for SOHO LAN server security are the following:

www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Default.asp

www.cert.org/tech_tips/intruder_detection_checklist.html

www.usdoj.gov/criminal/cybercrime/reporting.htm

www.securityfocus.com/

www.symantec.com

www.mcafee.com

www.zonealarm.com

www.antivirus.com/pc-cillin/

These Web site links may change. However, they provide additional security information, and some offer free one-time virus scanning and port scans.

Brain Teaser: Security Administration

Check the Windows Event Viewer. The Event Viewer is found by selecting the My Computer icon, clicking the right mouse button, and then selecting the Manage menu option. The event logs can also be reached using the Control Panel. Look at Security and System Events.

What warnings and errors were found? Do any events look like malicious activity? Can you disable Windows services not used to reduce warnings and errors in the event logs?

