Securing the Home Network
In this day and age, it has become critical for those of us who run our own servers at home to secure those systems as if they were housed in a corporate data center. It has been too easy for today’s hackers to compromise home computers and servers for their own purposes—usually to launch distributed denial of service attacks or to store and forward their own or stolen warez. Our lack of security on our own networks or the networks we set up for our clients can have major consequences not only for ourselves but possibly on a global scale.
We are all guilty of it at one time or another. In the quest for knowledge, and that all-important certification, we built our servers, connected the hubs and created our own test labs where we could get hands-on experience with the software and hardware we wanted to work with.
Along came high-speed Internet, DSL, cable and even T-1 if we could afford it. We realized that we could use our test labs as actual servers. I can host my own Web pages, set up my own e-mail server and do pretty much everything that the big boys do. Well, almost everything.
The litany of attacks brought us back to earth. Denial of service attacks, Code Red, Nimda, and even distributed denial of service attacks. Where was all of this evil coming from? The media would have us think that it is the 13-year-old teenager in his mother’s basement. Well, they’re half right. For the other half, we only had to look as far as the server in the corner of our own garage.
Hackers and crackers discovered that they didn’t need to expend huge amounts of effort to break into corporations to steal data or deny them services. It was easier to hack the poor soul who put his own systems up for grabs. Script kiddies were born.
It has become our responsibility as Internet citizens to become our own security officers. We put these servers up to learn about operating systems, applications and networks. Now we need to learn security and learn it fast, otherwise we’ll be responsible for our own demise.
Personal firewalls, like those from Zone Labs and Symantec, are decent enough for personal computers, especially those that are not on all the time. But for those of us who maintain Internet-facing servers, the need for security is much greater. We need depth to counter all of the crafty tricks of the hacker.
Layered defense is the key to the kingdom. A good defense will not depend on a single barrier. In the old days, anti-virus software was enough as long as you kept your definitions up to date. This is no longer true. A layered defense should have at least the following:
- Network Intrusion Detection: Software or hardware designed to analyze incoming traffic and determine whether or not it is malicious or harmful. If budget is a concern, Snort is a free network intrusion detection system (NIDS) that can be found at www.snort.org. Also, you might research the offerings from Symantec and ISS. I must warn you though, NIDS software by its very nature generates a lot of data, some say too much data. You will need to be thoroughly versed in TCP/IP and packet analysis or have a tool to do it for you if you want to use these tools effectively. Otherwise, you will just ignore the reports after trying to wade through the first 80 or 90 MB.
- Firewall: A firewall is designed to block unwanted traffic in or out of your network. Sonicwall makes a relatively inexpensive hardware solution. The Cisco PIX or Nokia IPSO appliances are nice if you have the money or need to protect a lot of bandwidth. There is a lot of this hardware for sale on auction sites as a result of the dot-com shakeout. If you are looking for a free firewall, many distributions of Linux come with firewall software. Again, a thorough understanding of TCP/IP is needed to be able to set up an effective firewall perimeter.
- Anti-virus: This software is usually a given, but most of the software in use today is either out of date or was only meant to be used on a single personal computer. You should invest in server-class anti-virus protection if you can afford it. And don’t forget to keep the signatures up to date.
- Data Integrity: This is the final and most forgotten piece of the layered defense. Most of the tools I have mentioned above are signature-based, so they rely on a constant flow of updates. However, that does raise the specter of something new slipping through and into your network. Data integrity tools like Tripwire allow you to baseline your file system and then detect any changes to the files, directories and registry entries on your systems.
- Hardening: Part of the security process is making sure you are up to date, not only with the signatures for the tools above but also with the servers themselves. Keep up with patches and hot fixes. Visit Web sites for SANS (www.sans.org), CERT (www.cert.org) and CERIAS (www.cerias.org), and read the best practices on hardening your operating systems and applications.
- Knowledge: This is generally free. Each of the sites above and a huge number of books often go into detail about various exploits and hacks someone might use. Even as far back as Sun Tzu, the idea was the same. Know your enemy.
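The Data Integrity layer above is the one most easily shown in code: take a baseline of the file system, then compare the live system against it and report anything that changed. The following is an added example written for this article, not Tripwire's own code or database format; the directory layout, file names and contents in demo() are constructed for the illustration. It records a SHA-256 digest, size and permission bits for every regular file under a root directory, stores them as JSON, and on a later run reports files that were added, removed or modified.

```python
"""Minimal file-integrity baseline and check (added example, not Tripwire's code).

The baseline file should be kept where the monitored host cannot silently alter
it (read-only media or another machine), since an intruder who can rewrite the
baseline along with the files defeats the check.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"
TRACKED_FIELDS = ("digest", "size", "mode")


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file through the hash so large files do not need to fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk the tree and record digest, size and permission bits of every regular file."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes baselines diff-friendly
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets: hash only real file content
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {
                "digest": hash_file(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps({"algo": HASH_ALGO, "files": baseline},
                               indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    data = json.loads(src.read_text())
    if data.get("algo") != HASH_ALGO:
        raise ValueError(f"baseline uses {data.get('algo')!r}, expected {HASH_ALGO!r}")
    return data["files"]


def compare(baseline: dict, current: dict) -> dict:
    """Return added and removed paths, plus (path, [changed fields]) for modified files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        changed = [k for k in TRACKED_FIELDS if old[k] != new[k]]
        if changed:
            modified.append((rel, changed))
    return {"added": added, "removed": removed, "modified": modified}


def check(root: Path, baseline_file: Path) -> dict:
    """Re-scan root and report differences against the stored baseline."""
    return compare(load_baseline(baseline_file), build_baseline(root))


def demo() -> dict:
    """Constructed scenario: baseline a small tree, change it three ways, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "sub").mkdir(parents=True)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "sub" / "motd").write_text("welcome\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated drift after the baseline: one edited, one new, one deleted file.
        (root / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 fileserver\n")
        (root / "sub" / "new.conf").write_text("option = 1\n")
        (root / "sub" / "motd").unlink()
        return check(root, baseline_file)


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed", "modified"):
        for entry in report[kind]:
            print(f"{kind:9} {entry}")
```

In practice the baseline is taken immediately after a clean install and hardening pass, and the check is scheduled to run regularly, with a fresh baseline taken only after every reported change has been explained (a patch, a configuration edit you made yourself). Anything you cannot explain is exactly the "something new slipping through" that signature-based tools miss.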
Security is not an easy practice. Not only do you have to understand your network and systems, but you also have to understand all of the things that can go wrong with these components and be prepared to deal with the issues. If you are not prepared, there are consequences. The very least that can happen is embarrassment when your ISP shuts down your connection because your servers were used as zombies to attack another computer. Possibly the worst that can happen is that you can be held criminally or civilly liable if your computers are used to commit a crime. Paranoid yet? Remember, just because you’re paranoid doesn’t mean they’re not out to get you.
An interesting side effect of all of this paranoia may be an increase in your own skill set. Isn’t this why we built the network in the first place? With security becoming an ever-increasing concern, the need for experienced security administrators is growing. Who knows, if you discover an affinity for securing your own network and outguessing the hacker, you may find yourself on track for a new career. There are plenty of areas that may interest you: forensics, incident response, disaster recovery, etc.
There is plenty of training available now to formalize what you learn on your own network. SANS has the Security Essentials track which is as good a place as any to get started. It can even be taken entirely online, although if you have a chance to attend one of their live courses around the country, it is quite an experience.
Even if you don’t become a security professional, you can at least become a white hat, which in hacker circles refers to someone who uses their knowledge of hacking and security for good as opposed to the black hat who usually has mischief on his mind. Spread the word. Help your friends secure their networks. See if the company you work for has a security policy in place, and help them get one if they don’t.
Chris Orr works for Tripwire Inc., an information security software company. He is a SANS GSEC and has a number of other alphabet certifications.