# SOHO Information Security

{{< snippet "obsolete" >}}

-----

With the advent of more widespread broadband (cable modem, xDSL)
Internet access and the greater proliferation of SOHO (Small Office/Home
Office) and Virtual Offices, Information Security is becoming more
important at home as well as at work.

-----

## Home Network Designs

Recently the question about how to design a relatively secure home
network has been coming up a lot. So rather than trying to draw the same
thing on whatever napkin happens to be handy, I diagrammed the four most
common home network designs, and wrote some text that fleshes out the
details. See [home\_networks.html](home_networks.html). *[Zone
Labs](http://www.zonelabs.com/)*, now part of *[Check Point
Software](http://www.checkpoint.com/)*, has a similar sort of *[PDF
document](http://download.zonelabs.com/bin/media/pdf/homeNetwork_datasheet.pdf)*.

**If you do nothing else, at least grab the free versions of *[Zone
Alarm](http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp)*,
*[Ad-aware](http://www.lavasoftusa.com/software/adaware/)* and
*[Spybot](http://www.safer-networking.org/)*.**

-----

## Why **YOU** as a home user need a firewall

Do these sound familiar?

  - "There is nothing on my computer I care about."
  - "Why would anyone want to hack **me**?"
  - "I'm using dial-up so I'm safe."
  - "Who cares?"

I hope not, but if you do not have a firewall and you believe any of the
above, you are **wrong\!** Here's why.

  - It is possibly true that there is nothing worth stealing on your PC.
    But... Do you use Quicken or MS Money? Turbo Tax? The encryption in
    those programs is a joke, and if you fill in all the forms then your
    entire financial status is a wide open book to anyone who wants to
    look. Is your name, address, phone number, credit card information
    or Social Security number on your PC? Anywhere? Hum, not so
    worthless any more, huh?
  - Do you have any kind of peer-to-peer or other file sharing software
    installed? That would include things like Kazza (AKA KaZaA),
    Morpheus, or even distributed computing programs like SETI@home.
    Even if you did not install anything like that, did your kids? If
    so, your entire hard drive may be open to the Internet. Or it may
    not be. The point is, DO YOU KNOW?
  - Why would anyone want to hack you? Good question. No reason--they
    wouldn't. It's purely a numbers game. IP Addresses to be precise. If
    your IP Address (kind of like your computer's "phone number") is in
    the range that some random attacker is scanning, and you are running
    a PC that is vulnerable to whatever exploit he's running, and you
    are not otherwise protected (like by a firewall), then you are
    hacked. Period, end of story. And you probably don't even know it.
  - But so what, right? Wrong. If your machine is hacked in the right
    (or perhaps wrong) way, the attacker can do anything he wants,
    including launching denial of service attacks against the White
    House, bouncing (redirecting) web surfing to terrorist sites through
    your computer, using your computer's hard drive space to store
    illegal software--or worse, using your computer and bandwidth
    (Internet connection) to send spam, and the list goes on.
  - Don't believe the problem is that bad? I used to have a page that tracked
    how often my home internet connection was attacked.  I stopped a long time
    ago because the scanning is relentless.
  - *[Hackers steal from pirates, to no good
    end](http://news.com.com/2100-12-5116130.html)*. The people who
    design rogue programs that take over computers from afar are now
    applying the tactic that made music pirating programs so
    effective--and the Internet may never be the same.
  - *[A third of spam spread by RAT-infested
    PCs](http://news.com.com/2100-7355_3-5113080.html)*. Nearly
    one-third of all spam circulating the Web is relayed through PCs
    that have been compromised by malicious programs known as Remote
    Access Trojans, according to Sophos, an antispam and antivirus
    company.

-----

## SOHO Security Links

See also my (obsolete) {{< xref "/infosec/gnatbox" >}} page.

  - US-CERT's *[Home and Business](http://www.us-cert.gov/home-and-business/)* security
    resources.
  - US Government's *[OnGuardOnline.gov](http://www.onguardonline.gov/)*
    site to "help you be safe, secure and responsible online."
  - *[Home Network Security](http://intel.com/technology/itj/2002/volume06issue04/art04_security/p01_abstract.htm)* ABSTRACT:
    Home computers that are connected to the Internet are under attack
    and need to be secured. That process is relatively well understood,
    even though we do not have perfect solutions today and probably
    never will. Meanwhile, however, the home computing environment is
    evolving into a home network of multiple devices, which will also
    need to be secured. We have little experience with these new home
    networks and much research needs to be done in this area. This paper
    gives a view of the requirements and some of the techniques
    available for securing home networks.
  - *[Protecting the Home Office](http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss205_art448,00.html)*,
    7 "musts" will help extend protection to home users and road
    warriors. Aimed at corporate InfoSec people, but good advice for
    anyone.
  - James Madison University's *[R.U.N.S.A.F.E.](http://www.jmu.edu/computing/runsafe/)* program
    (End User tips and awareness).
  - *[Microsoft Personal Security Advisor
    (MPSA)](http://www.microsoft.com/technet/mpsa/start.asp)* "is an
    easy to use web application that will help you secure your Windows
    NT 4.0 and Windows 2000 computer system. Simply navigate to the MPSA
    site and press the Scan Now button to receive a detailed report of
    your computer's security settings and recommendations for
    improvement." More of a SOHO than corporate focus. *(Curiously, this
    does not seem to work too well using Netscape. I wonder why???)*
  - ***[CERT Advisory CA-2001-20: Continuing Threats to Home
    Users](http://www.cert.org/advisories/CA-2001-20.html)*** and
    ***[Home Network Security
    (unmaintained)](http://www.cert.org/tech_tips/home_networks.html)***.
    The *[CERT Coordination](http://www.cert.org/)* Center (CERT/CC) is
    a major reporting center for Internet security problems. Staff
    members provide technical assistance and coordinate responses to
    security compromises, identify trends in intruder activity, work
    with other security experts to identify solutions to security
    problems, and disseminate information to the broad community. The
    CERT/CC also analyzes product vulnerabilities, publishes technical
    documents, and presents training courses.
  - *[Gibson Research Corporation](http://grc.com/default.htm)*, home of
    "Shields Up," SpinRite and other great tools. Interesting, well
    organized information about SOHO security and privacy. Check out the
    *[Leak Test](http://grc.com/lt/leaktest.htm)* page for interesting
    personal firewall and privacy information. This site can be a little
    "over the top" and sometimes gets into hysterical,
    media-feeding-frenzy language, but if you take it with a grain of
    salt and Don't Panic...
  - A small
    *[write-up](http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp)*
    about the **IIS 4 and IIS 5 Lockdown Tool**.
  - Ad Aware: *[A free tool to detect and remove
    "Spyware"](http://www.lavasoft.de/software/adaware/)*.
  - *[List of on-line Security tests (hack
    yourself)](http://www.doshelp.com/dostest.htm)*
  - *[DSLReports: Info About DSL, availability and
    security](http://www.dslreports.com/)*.
  - *[Personal Firewalls, DSL and cable modem
    security](http://www.dslreports.com/front/security/english/)* from
    DSLReports.
  - *[Excellent DSL & Cable modem security info
    (long)](http://Cable-DSL.home.att.net/)*.
  - *[Excellent DSL & Cable modem security info about
    NBT](http://Cable-DSL.home.att.net/netbios.htm)* (NetBIOS, AKA
    Microsoft Networking (sort of)).
  - *[O'Reilly: Installing a Home Network: Securing the Network
    (1/3).](http://www.oreilly.com/news/cablemodem1_0101.html)*
  - *[O'Reilly: Installing a Home Network: Securing the Network
    (2/3).](http://www.oreilly.com/news/cablemodem2_0101.html)*
  - *[O'Reilly: Installing a Home Network: Securing the Network
    (3/3).](http://www.oreilly.com/news/cablemodem3_0101.html)*
  - *[How to secure your home wireless
    network](https://comparite.ch/securehomenetwork)*
  - *[Cable Modem & DSL Info.](http://www.cablemodeminfo.com/)*
  - *[Cable Modem Sharing
    Info.](http://www.cablemodeminfo.com/cablesharing.html)*
  - One-way or
    "*[telcoreturn](http://www.practicallynetworked.com/sharing/telcoreturn.htm)*"
    cable modems.
  - *[Linux Firewall On A 486: A Guard-Penguin For Your DSL Or Cable
    Modem
    Connection](http://www.zdnet.com/filters/printerfriendly/0,6061,2503199-77,00.html)*
  - *[Security Isn't Just for the Corporate
    World](http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20026)*
    (February 23, 2001)
  - *[Trinux](http://trinux.sourceforge.net/)*, a Single Floppy Linux
    system, for security uses

-----

## SOHO Firewalls

  - Personal Firewalls -- Firewalls that run on your "workstation" PC:
      - *[ZoneAlarm](http://www.zonelabs.com/store/content/company/zap_za_grid.jsp)*
        for Windows®. (See also the
        *[free](http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp)*
        version.)
      - *[BlackICE](http://www.netice.com/html/home___small_office.html)*
        for Windows® 9x, ME, 2000 and NT4.0.
      - *[Sybergen Personal
        Firewall](http://www.sybergen.com/products/shield_ov.htm)*
      - *[SunScreen Lite](http://www.sun.com/software/securenet/lite)*
        (For Solaris 8 only)
      - *[Tiny Personal
        Firewall](http://www.tinysoftware.com/pwall.php)* for Windows®
        9x, ME, 2000 and NT4.0.
  - SOHO Firewall Appliances -- Firewalls that run on an "appliance"
    (sort of a single-purpose mini-server):
      - *[WatchGuard
        SOHO](http://www.watchguard.com/products/soho.html)*
  - Other Firewall Appliances
      - *[GNATBox Lite](http://www.gnatbox.com/Pages/gblight.html)*
      - *[Mandrake's](http://www.mandrakesoft.com/)* *[Multi Network
        Firewall](http://www.mandrakesoft.com/products/mnf/)*. This is
        very cool\!
  - SOHO Firewall Software:
      - *[Linux Firewall On A 486: A Guard-Penguin For Your DSL Or Cable
        Modem
        Connection](http://www.zdnet.com/filters/printerfriendly/0,6061,2503199-77,00.html)*
      - *[Securepoint Free
        Firewall](http://www.securepoint.cc/sp_sb.htm)*, does **not**
        support DHCP \[Is installed on a "standard PC" (300 MHz, 64 MB,
        4 GB)\]
      - *[Smoothwall](http://www.smoothwall.org/community/home/)*, a
        Free RedHat-based Linux firewall, but **not** stateful :-( (ISO
        Image)
      - *[Astaro Security Linux](http://www.astaro.com/)*, Stateful
        firewall, etc. on a Hardened Linux. Free for non-commercial use,
        but no DHCP (in Beta as of 2002-04-24). (*[FAQ and Support
        site](http://www.astaro.org/)*)
      - *[floppyfw](http://www.zelow.no/floppyfw/)*, a Linux Firewall on
        a Floppy
  - Other Lists of Firewall Links
      - *[Good list of firewalls, IDS, Sniffers, etc. many of which are
        free.](http://www.hideaway.net/Server_Security/Software/Browse_Categories/browse_categories.php)*
      - *[Rik Farrow; 1997: An Analysis of Current Firewall
        Technologies](http://www.spirit.com/CSI/Papers/farrowpa.htm)*

As an aside here, I personally use [GNATBox
Lite](http://www.gnatbox.com/Pages/gblight.html). My requirements were
as follows, and that's the only thing I could find that meets them all.
(See also my [GNATBox Firewall Installation Quick
Reference](gnatbox.html) page.)

  - Free
  - Run on a 486
  - Run from a single floppy disk -- no hard drive needed
  - Simple to manage
  - Remote syslog logging support

I'd considered using *[OpenBSD](http://www.openbsd.org/)* with
*[IPFilter](http://coombs.anu.edu.au/~avalon/)* as well, but it does not
quite meet all of my needs. I am also running a kind of "virtual" VPN
\[sic\] using ssh from [OpenSSH](http://www.openssh.org/). I'm in the
process of writing up some documentation about this. I'll put a pointer
here when it's finished. In the meantime, see O'Reilly's [SSH, The
Secure Shell: The Definitive Guide](http://www.oreilly.com/catalog/sshtdg/).

