Chuck,
Well, on to security issues! I'll have two types of setups to address.
1. Work: We have a dial up connection (at least until I can talk my boss
into DSL ;-)
It shows on the dial up connection that there is a little firewall lock...
is that enough? Can I put a password lock on a folder or just files? I've
only done files up to now. Didn't know if you can password a folder or
drive, etc.
2. Home: I have 2 computers networked plus a laptop. The computers are on
an ethernet connection, and the laptop is on a wireless. I have a DSL
modem... Linksys router with each computer hooked to a hub connection and the
laptop uses a PC card for wireless connection to the router. My concerns on
my home setup are:
A. Is the router protection enough from outside intrusion? I have the XP
SP2 firewall on, but do have Exceptions set for file sharing. Is there a way
I can keep people outside my home network out, but allow full sharing on the
computers inside my home network?
Those are the big concerns for now.
Thanks, Chuck!

Kass,
Interesting questions. Not easy to explain, but I'll keep this as brief (not
very) as possible. ;-} Please see the part at the end about wireless security!
1) I have experimented with encrypting files, but haven't done anything with
folders. I would imagine that, if your encryption program will do folders, then
do one. I would guess you could zip a folder up, then encrypt the zip file.
Can you encrypt in place? I think I'll leave you to see, and let us know what
happens.
2) A NAT router will protect you from unsolicited incoming traffic. An SPI
firewall (which not all NAT routers have) will additionally protect you against
maliciously crafted incoming traffic. But, where NAT routers fail (and don't
talk about NAT routers and firewalls in the same breath in
comp.security.firewalls) is:
a) Hostile solicited incoming traffic.
b) Hostile outgoing traffic.
http://www.firewall-software.com/firewall_faqs/what_is_a_firewall.html
http://www.microsoft.com/athome/security/protect/firewall.mspx
http://www.homenethelp.com/router-guide/features-firewall.asp
With a NAT router, the only incoming traffic that gets to your computer is
traffic that you've asked for. So no problem with unsolicited worms like
Blaster, Sasser, etc. But if you set up a Kazaa server, surf over to
www.warezrus.com, or open Usenet articles with titles like "Use this critical
package", you may get traffic with unexpected content.
Read the SANS article "Follow the Bouncing Malware" (in 2 parts).
http://isc.sans.org/diary.php?date=2004-07-23
http://isc.sans.org/diary.php?date=2004-08-23
Or read an Eric Howes article about spyware analysis:
http://spywarewarrior.com/asw-test-guide.htm
NAT routers are not application aware, that is, a NAT router will simply pass
outgoing traffic to the internet. Which is not bad if you're surfing the web,
and just asking for web pages. But, if your newly installed copy of Kazaa
includes a trojan that installs a spam distribution server on your computer,
you'll know nothing about your new capability until your ISP cuts your service
off (if they ever do).
The bottom line is that a NAT router is a good outer layer in your defense
strategy. One NAT router protects your entire LAN. Just the outer layer
though.
The second layer is a software firewall, or a port monitor like Port Explorer
(free) from <http://www.diamondcs.com.au/portexplorer/index.php?page=home>. See
various discussions in comp.security.firewalls for good advice on choosing a
firewall. A software firewall can selectively block incoming or outgoing
traffic, and a port monitor can at least let you know what's going on.
You need a software firewall on each computer in your LAN; in case one computer
gets infected, a software firewall on the others could save you a lot of
trouble.
A software firewall, with filters set up to allow file sharing only between
computers on your LAN, will complement the protection from your NAT router, and
allow you to share files between your computers safely. See below (end of this
article) for additional notes re wireless protection!
The third layer is good software, also on each computer. This layer has
multiple components.
AntiVirus protection. Realtime, plus a regularly scheduled virus scan.
Regularly updated. AV protection is not all that's needed today.
Adware / spyware protection. Realtime, plus a regularly run adware / spyware
scan. Regularly updated.
Complete instructions, using Spybot S&D and HijackThis (both free) are here:
<http://forums.spywareinfo.com/index.php?showtopic=227>.
Harden your browser. There are various websites which will check for
vulnerabilities, here are three which I use.
http://www.jasons-toolbox.com/BrowserSecurity/
http://bcheck.scanit.be/bcheck/
https://testzone.secunia.com/browser_checker/
Block Internet Explorer ActiveX scripting from hostile websites (Restricted
Zone).
<https://netfiles.uiuc.edu/ehowes/www/main.htm> (IE-SpyAd)
Block known dangerous scripts from installing.
<http://www.javacoolsoftware.com/spywareblaster.html>
Block known spyware from installing.
<http://www.javacoolsoftware.com/spywareguard.html>
Make sure that the spyware detection / protection products that you use are
reliable:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Harden your operating system. Check at least monthly for security updates.
http://windowsupdate.microsoft.com/
Block possibly dangerous websites with a Hosts file. Three Hosts file sources I
use:
http://www.accs-net.com/hosts/get_hosts.html
http://www.mvps.org/winhelp2002/hosts.htm
(The third is included, and updated, with Spybot (see above)).
Maintain your Hosts file (merge / eliminate duplicate entries) with:
eDexter <http://www.accs-net.com/hosts/get_hosts.html>
Hostess <http://accs-net.com/hostess/>
Secure your operating system, and applications. Don't use, or leave activated,
any accounts with names or passwords with trivial (guessable) values. Don't use
an account with administrative authority, except when you're intentionally doing
administrative tasks.
The fourth layer is common sense. Yours. Don't install software based upon
advice from unknown sources. Don't install free software, without researching
it carefully. Don't open email unless you know who it's from, and how and why
it was sent.
The fifth layer is education. Know what the risks are. Stay informed. Read
Usenet, and various web pages that discuss security problems. Check the logs
from the other layers regularly, look for things that don't belong, and take
action when necessary.
#######
Please use special protection for a wireless LAN - this includes each computer
connected to the wireless LAN, too!
Here's a story about somebody's very stupid wireless neighbor. Don't expect all
wireless neighbors to be this stupid.
<http://www.canoe.ca/NewsStand/LondonFreePress/News/2003/11/22/264890.html>.
The point is, you need to protect a wireless LAN with more precautions than just
the NAT router / firewall.
Change the router management password, and disable remote (WAN) management.
Enable WEP / WPA. Use non-trivial (non-guessable) values for each. (No "My dog
has fleas").
Enable MAC filtering.
Change the subnet of your LAN - don't use the default.
Disable DHCP, and assign an address to each computer manually. Please do this.
Install a software firewall on every computer connected to a wireless LAN. Put
manually assigned IP addresses in the Local (highly trusted) Zone. Open the
following ports for file sharing, only in the Local Zone: TCP 139, 445; UDP 137,
138, 445.
Don't disable SSID broadcast - some configurations require the SSID broadcast.
But change the SSID itself - to something that doesn't identify you, or the
equipment.
Enable the router activity log. Examine it regularly. Know what each
connection listed represents - you? a neighbor?
Use non-trivial accounts and passwords on every computer connected to a wireless
LAN. Disable or delete Guest, if possible (XP Home is a bad choice here).
Rename Administrator, to a non-trivial value, and give it a non-trivial
password. Never use the Administrator renamed account for day to day
activities, only when intentionally doing administrative tasks.
Stay educated - know what the threats are. Newsgroups alt.internet.wireless and
microsoft.public.windows.networking.wireless are good places to start.
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
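
The Hosts file maintenance step in the reply above (merge several sources, eliminate duplicate entries), as an added example that is not part of the original post and is not code from eDexter or Hostess. It also refuses any entry that points a name at an address other than 127.0.0.1 or 0.0.0.0, since such a line would redirect the name instead of blocking it; that check, the function names and the sample entries are assumptions constructed for this example.

```python
import ipaddress

# Addresses that block a name rather than redirect it somewhere reachable.
SINKS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}

def parse_hosts(text):
    """Yield (address, hostname) for every name on every non-comment line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop inline comments
        for name in fields[1:]:                 # one line may list several names
            yield fields[0], name.lower().rstrip(".")

def merge_blocklists(sources):
    """Merge {label: hosts_text}; return (merged_text, rejected_entries)."""
    blocked, rejected = set(), []
    for label, text in sources.items():
        for addr, name in parse_hosts(text):
            try:
                is_sink = ipaddress.ip_address(addr) in SINKS
            except ValueError:
                is_sink = False                 # malformed address field
            if not is_sink:
                rejected.append((label, addr, name))   # report, never merge
            elif name != "localhost":
                blocked.add(name)               # set membership removes duplicates
    lines = ["127.0.0.1\tlocalhost"] + [f"127.0.0.1\t{n}" for n in sorted(blocked)]
    return "\n".join(lines) + "\n", rejected

# Constructed sample inputs (not taken from any real Hosts list).
LIST_A = """\
# list A
127.0.0.1   localhost
127.0.0.1   ads.example.com      # banner server
127.0.0.1   Tracker.Example.NET
0.0.0.0     ads.example.com
"""
LIST_B = """\
0.0.0.0      tracker.example.net popups.example.org
203.0.113.7  www.example-bank.test   # would redirect, not block
not-an-ip    broken.example.com
"""

if __name__ == "__main__":
    merged, rejected = merge_blocklists({"list-a": LIST_A, "list-b": LIST_B})
    print(merged, end="")
    for label, addr, name in rejected:
        print(f"REJECTED {label}: {addr} {name}")
```

Review the rejected entries by hand before installing the merged file; a downloaded list that maps a real site to a routable address deserves a closer look at its source.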