Last updated:
27 January 2003 11:48 -0500
Defending Your Home Computer
The following is written by the Information Warfare Division Chief (or
Branch Chief) of the Joint Command, Control and Information Warfare School
at the Joint Forces Staff College. It includes best practices and
personal recommendations. The recommendations do not constitute
endorsement of the companies involved. It is a work in progress
and will no doubt change in the future. Recommendations are based
on available public information. The most recent version of this
file may be found on the JFSC website at http://www.jfsc.ndu.edu/jciws/cnd.htm. This
article does not address defending against intentional misuse of your
home computers.
The government plan for cyber security is available at http://www.securecyberspace.gov/ and
reads very similarly to what is below. An article from the Carnegie-Mellon
CERT Coordination Center on Home Network Security at http://www.cert.org/tech_tips/home_networks.html goes
into significantly greater detail. I would like to claim all the
ideas below are mine, but they are a compilation of best practices and
good ideas from many sources. Just as you lock your doors and
draw the shades in your house, you should do the same for your computer.
Recommendations Summary
General Security
- Regularly update your operating system, web browser, and other key
software, using the manufacturers' update features or web downloads
- Do not open an email attachment, even from someone you know well,
unless you know what it contains
- Configure your computer to show file name extensions so you are certain
what type of file you are working with
- Configure your computer to not share files over your Internet connection
- Create a floppy boot disk as part of an emergency recovery plan
- Do not respond to spam email - you are only confirming to the spammer
that they have a valid address
- Configure your email software to not use automatic preview in your
default Inbox - this may execute an undesired script or applet
- Make regular backups of important data - a CD burner is great for
this
- Keep a list of the programs installed on each computer with the installation
disks in a known location
- Make sure all passwords are strong: at least eight characters
of mixed case, at least one numeral (not at either end), at least
one special character, and no common words; and change them at least
every six months
- Run all wireless networks with WEP enabled and treat your boundary
security as if you were wired
- Be aware that email and the web are not the only connections to the
Internet you may use - check for instant messaging (IM) and chat (IRC)
programs also
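An added example, not part of the original article: a small Python checker for the password rules listed above. The common-word list is a constructed stand-in for a real dictionary, and the six-month rotation test counts whole calendar months between two ISO-formatted dates.

```python
import string
from datetime import date
from typing import List

# Constructed stand-in for a real dictionary of common words
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "secret"}
SPECIALS = set(string.punctuation)


def password_problems(pw: str) -> List[str]:
    """Return the policy rules the password fails; an empty list means it passes.

    Rules (from the recommendation): at least eight characters, mixed case,
    at least one numeral that is not the first or last character, at least
    one special character, and no common words.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    elif not any(c.isdigit() for c in pw[1:-1]):
        # A numeral exists, but only as the first or last character
        problems.append("numeral only at the start or end")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    return problems


def rotation_due(last_changed: str, today: str) -> bool:
    """True when six or more calendar months have passed between two ISO dates."""
    a, b = date.fromisoformat(last_changed), date.fromisoformat(today)
    months = (b.year - a.year) * 12 + (b.month - a.month)
    if b.day < a.day:
        months -= 1          # the current month is not complete yet
    return months >= 6


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "password1!", "Abcdefg1", "Ab!"]:
        print(f"{candidate!r}: {password_problems(candidate) or 'OK'}")
    print(rotation_due("2003-01-27", "2003-07-27"))
```

The containment test for common words is deliberately strict: a word such as "password" fails the check even when digits or punctuation are appended to it.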
Firewall
- Use a firewall to protect all your computers all of the time
- Configure the firewall correctly to restrict the maximum number of
avenues into your machine (do not assume the manufacturer defaults
are correct for your situation)
- Configure the firewall to operate in stealth mode
- Ensure the firewall will email alerts and logs to an account that
you monitor
Virus
- Install antivirus software on every machine
- Configure the antivirus software to automatically download updates
at frequent intervals
- Configure the antivirus software to automatically scan the computer
daily for viruses (optimally after the update check)
- Manually scan disks with antivirus software before you use disks
from an outside source, including manufacturer's installation disks
- Manually scan with antivirus software when you suspect you may have
been infected
- Do not forward any email warning about a new virus since it is likely
a hoax or outdated
- Has your computer been getting slower and slower?
- Have advertising windows been popping up with greater frequency,
even at sites where they have not previously been showing?
- Are programs crashing more frequently?
- Are you getting more spam than legitimate email?
To put the following discussion in perspective, here is a brief description
of a sample advanced home computer setup. Take the discussion below
in context with this description. The installation has a cable
modem to provide the Internet access. The modem is connected to
a NetGear FR314 Firewall Router (now discontinued)
that provides connections for multiple computers. There are four
machines plugged into this router: two primary use machines, a portable,
and a 1994-vintage machine that has lots of old data still on it. Each
machine is running a ZoneAlarm Pro software
firewall and Norton Antivirus. The
hardware firewall has probably had the most evolution since the original
purchase in late 1999, although its firmware is up-to-date. Examine
the currently offered products and choose one with similar functionality. The
two primary machines are on all the time. This is used to advantage
as described below. It also allows for constant, instant access
to POP3 email via Microsoft Outlook.
I do not do wireless networking because it is just too insecure. The
standard method for adding security to a wireless network (WLAN) is via
a system called Wired Equivalent Privacy, or WEP. Essentially, WEP
is a low-level encryption scheme that protects the connection between
the WLAN base station (called an access point) and your computer. It
relies on having the same numeric keys installed manually on both the
access point and the computer. Unfortunately, even this system
can be broken within a few minutes. Also, access points often broadcast
their presence in order to allow computers to find them automatically
as they boot up. Also unfortunately, this means people driving
down the street can access your WLAN. Manufacturers have proprietary
security solutions, but only if you buy into using their hardware throughout
your system. Good luck ... I'm staying away from this.
If you have a cable modem or a DSL (digital subscriber line) phone connection,
you should be running some form of firewall to protect your computers,
especially if you have them on all of the time. There are two basic
types: hardware and software. A firewall should be used regardless
of whether you are on a high-speed connection or a slower dialup connection. Your
machine is vulnerable either way. I recommend a hardware firewall
for protection of a home network because it is a special-purpose computer
that has been built specifically for the job. It is not running
on a user computer and therefore does not have any interactions or conflicts
with an operating system or installed programs. I recommend a software
firewall for portable computers at a minimum. Both hardware and
software firewalls are running on the sample home network. The
reasoning is explained below.
As stated above, there are two types: hardware and software.
A hardware firewall is a hardware routing device with specialized configurations
for packet and connection checking. It is a special purpose computer
whose only mission is to pass legitimate network traffic and block everything
it has been told to block. Firewalls can be simple pass-through
devices or more complex firewall routers, where the function of a firewall
has been built into a router that provides for connection of more than
one computer in an internal network. To be completely protective,
a firewall must be able to block both incoming and outgoing data. Also,
how the firewall is programmed is vital, since it will only do what you
tell it. Representative manufacturers include NetGear, Linksys,
Cisco and others. See http://www.firewallguide.com/ for
advice on a variety of products. The common price for a good home
firewall will be $100-250, but the security it provides cannot be accomplished
with hardware alone. (Remember that cheaper is not better.) Good
hardware firewall features include:
- Network Address Translation (NAT)
- Stateful Packet Inspection (SPI)
- Stealthed port mode
- Updateable firmware
- Automatic logging, automatic emailing of logs, and email alerts
- Fully controllable port and protocol authorizations
- Optional: Content filtering
The following is a good overview from http://www.epinions.com/content_2027004036. It
is a bit dense and commercially oriented, but it tells you what you need
to know. Bypass this if hardware technology makes your head hurt.
A hardware firewall is a hardware routing device with specialized
configurations for packet and connection checking. Is it right for
you?
Over the past several years, there has been a huge upsurge in the
trend of hacking attempts with the numbers growing exponentially as
the Internet grows in size and reach. New tools are coming out for
shady computer users that make it faster and easier than ever before
to break in to other people's computers. Many of these new tools are
fast and are targeted towards high bandwidth connections, T3 and greater.
While software firewalls have been sufficient for corporations in
the past, they are now more suitable for the use of home based broadband
consumers, persons who are limited to a specific amount of bandwidth,
say 10Mbps or less. Now that corporations are moving from ISDN lines
and T1s to OC-3s and OC-12s, the bandwidth that a software firewall
would have to monitor just becomes too large and the number of packets
begins to overwhelm the capabilities of an application running at normal
priorities. It is for that reason that more and more companies and
particularly large businesses are turning to hardware firewalls as
part of their protection scheme.
If you have not yet done so, please read my Epinion on "What
is a Software firewall" if you are not familiar with the OSI model
as it relates to firewall operations. I will only briefly summarize
that explanation here. It is necessary to understand firewall operation.
Please also note that I will use Cisco firewalls as the basis of this
Epinion and I realize that there are hybrids etc. out there but I will
use Cisco because it is an accepted example.
The reference model for network equipment, applications, protocols,
and standards is a seven-layered pyramid. The first layer is the physical
layer, the layer that actually sends and carries the electrical signals.
The second is the data link layer that deals with hardware addressing
and sending a signal via the physical layer. The third is the network
layer that handles IP addressing and routing to get data where it needs
to go. The fourth deals with connection based transmissions and data
flow control. Each layer relies on the services of the one under it
to function properly in sending or receiving data. Layers 5, 6, and
7 are unimportant when you are looking at hardware firewalls as hardware
firewalls operate mostly on layers 4 and 5.
A hardware firewall is, essentially, a specialized router that has
been configured with a mix of hardware and pre-loaded software specifically
to accommodate network security. The difference between it and a software
firewall is that this is a device that was built specifically with
certain technologies integrated into the equipment to facilitate the
single purpose of providing high speed routing services while checking
packets and transmissions through the firewall engine.
A hardware firewall usually follows the following operation pattern,
simplified and written out here:
- Packets enter via a restricted port. They are stripped of their
header at the data link layer, and then forwarded up to the network
layer processes.
- The IP header is checked for IP address destination and port connection.
These statistics are checked against the rules list which follows
the process of denied, allowed, rules (in other words, check to see
if explicitly denied, check to see if the IP/port the transmission
is coming from is specifically trusted, then check to see if there
are any rules about protocol forwarding, e.g., if traffic is on TCP
port 25, it goes to the mail gate located at address 192.168.10.1
only. No other addresses are permitted.)
- If it passes this step, hardware and software algorithms are enacted
to process the packet, examining the packet and comparing it against
known hacking traffic and packet signatures.
- If the packet is still clear, it is passed on to its destination
or at least the next step in the perimeter network.
Because the firewall never goes above the fourth layer (it has no
graphical user interface, no code presentation for viewing, nothing
of that nature), it is able to devote all of the device's resources
to processing packets especially at high traffic times. This application
of resources combined with the specifically constructed hardware provides
fast and comprehensive network protection.
Hardware firewalls are not foolproof, however, and they are much more
difficult to set up than a software firewall. In addition, they cost
much more than a software firewall would. Because a hardware firewall
(at least Cisco and some other major competitors) is essentially a
special-purpose router, it requires an experienced information technology
trained person in order to properly install and configure the firewall
for enterprise use. In addition, there is much more that can go wrong
with a hardware firewall. If your software firewall is blocking access
you need or is causing problems, you just turn off the firewall engine
and do your thing and then restart it. Because a hardware firewall
is a router and firewall, any number of problems can occur from bad
static routes, poor routing protocol configurations, port problems,
any number of things which a skilled technician must come back and
fix.
Also, a hardware firewall is not just a $1000+ plug and play device.
It must be configured which can take several painstaking hours to load
denied addresses, allowed traffic, traffic rules, setting up routing
protocols, setting up IP and any other protocols on each port, doing
password and IOS configuration. There are more and more options that
must be set as a firewall becomes more comprehensive and the cost of
the advanced feature set is high both in money and in configuration
time.
All in all, a hardware firewall is an advanced business tool that
requires a proper information technology team with the applicable expertise
and experience required to configure and maintain it. Though the hardware
firewall can accept more traffic than a software firewall, the cost
is often very high both in money and configuration time. For large
businesses, however, there is no other option.
If a hardware firewall is inappropriate, then a software firewall is
required. I recommend ZoneAlarm from Zone Labs (http://www.zonelabs.com/). It is free
for personal use. The advanced version is ZoneAlarm Pro. It
adds some compelling features that you should consider. I run ZoneAlarm
Pro on my portable so it is covered while I am on the road. Since
the additional features are compelling, I have added it to my home networked
computers as well. Here is a good summary piece on software firewalls
from http://www.epinions.com/content_2003411076. Bypass
the following bit if technology makes your eyes glaze over.
Software firewalls provide inexpensive limited security, but can you
configure them and will it work for you?
As more and more consumers have become security conscious in today's
internet age of broadband connections, some have turned to low-cost
software programs such as Black Ice Defender (published by Network
Ice which has since been bought by ISS) and Norton Personal Firewall
(by the Norton Corporation). While some of these software-only solutions
will provide a limited amount of extra security for the average user,
there are several things that you have to understand about internetworking
security before rushing out to buy a firewall.
First of all, software firewalls are not for everyone. You have to
remember that with any firewall configuration, what you are essentially
doing is laying brick walls over some of your computer's connection
ports. As such, firewalls may cause you trouble in the fact that out
of the box software firewalls are usually not highly customizable for
the average user. What does that mean for you? It means that some of
your programs that use the internet or your home LAN may not be able
to function properly since it may require the ability to accept traffic
on a port that the firewall is default configured to reject.
To tell the truth, this is a common problem and an easy one to solve.
Virtually any software firewall available on the consumer market today
will allow you to configure the firewall to allow or reject specific
ports on the computer for Internet traffic for both outbound and inbound
communications. The main thing that you will have to contend with is
finding the options menu to do so and understanding exactly how to
allow or reject ports.
Most consumers, however, know virtually nothing about ports and which
software programs use which ports. A port first of all is a virtual
socket in your computer's internet connection that your computer and
other computers can send traffic specifically to in order to distinguish
it from traffic going to another type of program. For example, on the
average computer the most commonly used ports are 80 and 8080 for Internet
web pages, 23 for telnet, 21 for FTP, and 25 for SMTP (mail) services.
In addition, many of the software programs that you use everyday have
proprietary port numbers that could be reasonably complex considering
that companies have thousands of ports to choose from that are currently
unassigned.
As with any computer related task, there should be at least some basic
written planning before you go out and buy a software firewall. You
need to know 1) exactly which ports you send and receive traffic through
(a port list can be found on http://www.iana.com/ under
protocol number assignment services, "P", "Port Numbers").
You will then have a list of port numbers for both TCP and UDP communications
along with what program or service uses them.
In addition, I would advise actually reading the manual for your particular
software firewall program, as it will tell you how to explicitly allow
or deny particular ports on your computer.
Understand finally that any computer running a software firewall should
not also be running a number of other services as those services may
conflict with the firewall. For example, don't run a DNS/WINS/DHCP
server on the machine hosting your firewall software. In most cases,
the firewall will not conflict with your gaming so gaming while running
the firewall is, in most cases, OK.
Though software firewalls now offer a host of low-cost protection
measures for home users with modem or broadband connections, they are
not an install and forget mechanism. A firewall is worthless if your
operating system does not have the latest security patches as well
as any Internet or network-based software that you may run. An uncovered
hole in any of these programs can make your software firewall worthless.
It is for that reason above any other that I would rather have either
a proxy machine running my software firewall or a hardware firewall
running as part of a planned perimeter network.
There is some advantage to running both a hardware firewall and ZoneAlarm. The
hardware firewall will provide a single point of filtering to hide your
presence on the Internet. It also allows you to pay for only a
single IP address from your ISP. The additional software firewall
provided by ZoneAlarm, especially ZoneAlarm Pro, does additional rejection
and filtering. Some websites attach additional content to HTTP
port 80 that is not filtered by the hardware firewall, but is caught
by ZoneAlarm Pro. The most important feature that adding a software
firewall to each machine gains you is control over what programs access
the Internet outbound from your machine. While most traffic is
innocent, "adware" and Trojan programs can contact their owners
without you being aware. ZoneAlarm Pro will flag this traffic for
your attention. It is up to you to decide if it is legitimate. ZoneAlarm
Pro also can stop the pop-up advertisements as well as other common advertisements
on web pages. This will speed up your web page views when using
a dial-up connection. Be aware that not all software firewalls
will stop unauthorized programs from accessing the Internet. By
design, hardware firewalls know nothing of what program is requesting
Internet access; they just ensure that external information was first
requested internally.
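As an added example (not from the article or from any firewall vendor), here is a Python simulation of the inbound rule order given in the hardware-firewall overview earlier (explicit deny, then trusted source, then protocol forwarding such as TCP port 25 to 192.168.10.1 only) combined with the stateful behaviour just described: an inbound packet that matches no rule is passed only if it answers a connection that was started from inside. The addresses and rule values are constructed, the firewall is assumed to see internal addresses directly (no NAT translation is modelled), and the stealth flag decides whether a denied packet is answered with a rejection or silently dropped.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str    # "in" = arriving from the Internet, "out" = leaving the LAN


@dataclass
class Rules:
    denied: Set[str]                          # explicitly denied outside addresses
    trusted: Set[str]                         # explicitly trusted outside addresses
    forwards: Dict[Tuple[str, int], str]      # (proto, port) -> the only inside host allowed


class HomeFirewall:
    def __init__(self, rules: Rules, stealth: bool = True) -> None:
        self.rules = rules
        self.stealth = stealth
        # Flows started from inside: (proto, outside ip, outside port, inside ip, inside port)
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def evaluate(self, pkt: Packet) -> str:
        """Return the verdict for one packet, following the documented rule order."""
        if pkt.direction == "out":
            if pkt.dst_ip in self.rules.denied:
                return "deny: destination explicitly denied"
            # Remember the flow so that the reply is recognised on the way back in
            self.state.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return "allow: outbound"
        # 1. explicitly denied source?
        if pkt.src_ip in self.rules.denied:
            return "deny: source explicitly denied"
        # 2. explicitly trusted source?
        if pkt.src_ip in self.rules.trusted:
            return "allow: trusted source"
        # 3. protocol forwarding rule for this port?
        target = self.rules.forwards.get((pkt.proto, pkt.dst_port))
        if target is not None:
            if pkt.dst_ip == target:
                return f"allow: forwarded to {target}"
            return f"deny: {pkt.proto}/{pkt.dst_port} permitted only to {target}"
        # 4. otherwise only replies to connections requested from inside get through
        if (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.state:
            return "allow: reply to a connection started inside"
        return "deny: unsolicited inbound"

    def response(self, verdict: str) -> Optional[str]:
        """What the outside sees for a denied packet: nothing at all in stealth mode."""
        if not verdict.startswith("deny"):
            return None
        return None if self.stealth else "reject (RST / ICMP unreachable)"


def demo_verdicts() -> List[str]:
    """Run a constructed packet sequence through constructed rules."""
    rules = Rules(
        denied={"203.0.113.9"},
        trusted={"198.51.100.7"},
        forwards={("tcp", 25): "192.168.10.1"},
    )
    fw = HomeFirewall(rules)
    packets = [
        Packet("tcp", "203.0.113.9", 4444, "192.168.10.2", 80, "in"),      # denied source
        Packet("tcp", "198.51.100.7", 5555, "192.168.10.2", 3389, "in"),   # trusted source
        Packet("tcp", "192.0.2.5", 40001, "192.168.10.1", 25, "in"),       # mail forward, right host
        Packet("tcp", "192.0.2.5", 40002, "192.168.10.2", 25, "in"),       # mail forward, wrong host
        Packet("tcp", "192.168.10.2", 50000, "192.0.2.5", 80, "out"),      # inside host browses out
        Packet("tcp", "192.0.2.5", 80, "192.168.10.2", 50000, "in"),       # the web server's reply
        Packet("tcp", "192.0.2.6", 80, "192.168.10.2", 50000, "in"),       # nobody asked this host
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo_verdicts():
        print(verdict)
```

The state table is keyed on the full five-tuple, so a reply is only recognised when it comes from the exact address and port that the inside machine contacted; the last constructed packet shows a different outside host being refused even though the port numbers line up.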
Once you have a firewall system set up, how do you know it is secure? This
will require an external scan. One site that offers such a service
for free is at http://grc.com/default.htm. Gibson
Research Corporation offers their free ShieldsUP! service (scroll down
the main page to find the link). This scanning service will test
your computer's security and provide you with a detailed report and links
to more information. It is very reliable and accurate, and is highly
recommended.
Every computer should be running some form of antivirus software, without
exception. There are so many different ways to move information
into a computer that it is impossible to guard every one. Instead,
a centralized protection program running on each machine has to guard
against virus intrusions. The two most popular are Symantec Norton
Antivirus and Network Associates McAfee Antivirus. Both can be
downloaded free for unrestricted home use from http://www.cert.mil/ as
long as you are downloading from a .mil site. This is also available
from service CERT websites.
The antivirus detection signatures should be updated regularly. I
have my machines automatically update the virus definitions each night
at 0123 local. (I pick an odd time to ensure that the server is
not overloaded.) I then have the machines perform a full disk virus
scan at 0200 each morning. This takes a while, but I sleep through
the process. You can also schedule other routine tasks (such as
CheckDisk or defragmentation) to occur during the night using the Windows
Scheduler.
The best thing you can do is to go to the Microsoft Windows Update website http://windowsupdate.microsoft.com/ regularly. While
there is an automatic "critical update" feature you can install,
it will not tell you of the arrival of other updates. The Microsoft
Office Update website http://office.microsoft.com/ProductUpdates/ is
another place to visit regularly. A site at which you can manually
track non-Microsoft updates is http://www.versiontracker.com/.
A great source for finding non-Microsoft updates used to be the
free CNet Catchup Service available at http://catchup.cnet.com/. This
service has been "discontinued until further notice." Hopefully,
they will be back online soon, because it was the most convenient method
available to find the links to the manufacturers' updates. My previous
comments about this service, should it ever return, are as follows: This
site requires you to download a small file version-scanning tool in order
to operate. The tool scans your computer to find the currently
installed versions of the files that actually exist in all the directories. It
then compares the versions found to a database of current versions and
presents you with a web page that contains the necessary links to the
manufacturers' websites. Note that the CNet Catchup Service has
a software update scanner, a security fix scanner, and an "adware" scanner.
Software updates are a manual process and generally involve rebooting
the computer. Assume this will take at least a few minutes each
week.
The following comments pertain to Microsoft Outlook, but they may apply
to other email clients as well. Since Outlook uses elements of
Microsoft Internet Explorer, it is best to not use the preview window
in your default Inbox. Since HTML email messages may contain Java
and Visual Basic scripts, previewing may cause the browser to execute
the scripts. Many of the more sensational Outlook security patches
revolve around insecurities in this system, so it is best to just turn
it off. Using Microsoft Word to edit your email messages
is also generally a Bad Thing To Do. Turn this option off within
Outlook to avoid another round of insecurities. The latest version
of Outlook provides some significant enhancements to keep evil attachments
from doing you harm. So does ZoneAlarm. So does Norton Antivirus. Between
the three of them and some caution, you should stay safe.
Windows hides file name extensions by default because Microsoft believes
that they will confuse users. If you change the file name extension
that is associated with an installed program, you are breaking the linkage
that allows Windows to automatically start the appropriate program when
you double-click the file name. If you receive an email with an
attachment named "readme.htm.com", you are not getting an HTML
file, but rather an executable program instead. By default, Windows
only displays the "readme.htm" portion of the file name. To
get Windows to show you the full file name, start Windows Explorer via
Start | Programs | Accessories. Click on Tools | Folder Options...
then the View tab. You want to remove the check from the box in
front of the "Hide file extensions for known file types." Click
OK. Windows will now show you all file extensions.
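As an added illustration (not from the article), this Python snippet reproduces what Windows Explorer does with "Hide file extensions for known file types" turned on and flags attachment names whose real, final extension is executable while the visible part ends in something harmless such as .htm. The extension list is a constructed, non-exhaustive set for this example, and every extension is treated as a "known" type, which is a simplification of Explorer's behaviour.

```python
import os
from typing import List

# Constructed, non-exhaustive set of extensions Windows runs as programs or scripts
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}


def displayed_name(filename: str, hide_known: bool = True) -> str:
    """Name as Explorer shows it: with the hide option on, the final extension
    is dropped; with it off, the full name appears."""
    if not hide_known:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename: str) -> str:
    """Describe what the file really is versus what a user with hidden
    extensions would see."""
    real_ext = os.path.splitext(filename)[1].lower()
    shown = displayed_name(filename)
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return f"data file ({real_ext or 'no extension'}), shown as '{shown}'"
    shown_ext = os.path.splitext(shown)[1].lower()
    if shown_ext and shown_ext not in EXECUTABLE_EXTENSIONS:
        # The visible part ends in an innocent-looking extension: a double extension
        return f"EXECUTABLE ({real_ext}) disguised as {shown_ext}, shown as '{shown}'"
    return f"EXECUTABLE ({real_ext}), shown as '{shown}'"


def suspicious_attachments(names: List[str]) -> List[str]:
    """Return the names whose real extension is executable."""
    return [n for n in names if classify_attachment(n).startswith("EXECUTABLE")]


if __name__ == "__main__":
    # Constructed attachment names, including the article's readme.htm.com case
    for name in ["readme.htm.com", "photo.jpg", "setup.exe", "README"]:
        print(f"{name:16} -> {classify_attachment(name)}")
```

With extensions hidden, "readme.htm.com" and a genuine "readme.htm" look identical in the Inbox; the classifier makes that difference visible by comparing the final extension with the one a user would see.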
Want to keep up-to-date on the latest with Microsoft products from someone
unassociated with Microsoft? I recommend the series of free email
newsletters written by Woody Leonhard available at http://www.woodyswatch.com/.
Spam is big business. It is trivial to send out millions of email
solicitations with the costs amply covered by the few who respond. Spam
is not necessarily a security problem, but it can be an irritant. The
content may also be inappropriate for some family members. Microsoft
Outlook users can download a free copy of SpamNet from Cloudmark (http://www.cloudmark.com/). [I am
currently evaluating this program and will update my opinions on this
type of software later.] Other email client users should consider
McAfee's SpamKiller (http://www.mcafee.com/myapps/msk/)
or SpamAssassin (http://spamassassin.taint.org/).
Much like spam can open up a world of inappropriate material, you may
want to block those websites from being accessed from your systems. The
White House cyber security plan linked above suggests that "parents
may want to consider managing their children's Internet use with software
that allows them to access to age-appropriate sites and materials." This
is up to you, but I think such software is worth considering. Some
firewall routers (like the sample NetGear FR314) support content filtering,
generally for an additional cost for the service of maintaining the updated
list of banned sites. Firewall content filtering often cannot be
configured on a per-user basis. You can find plenty of information
about filtering software at http://www.getnetwise.org/ or at http://www.safekids.com/.
Backups of important data should be a no-brainer. Compare the
number of hours it would take you to recreate the data versus the cost
of keeping a copy always on hand and it should be obvious that backups
are cost effective for everyone.
The easiest method to do backups nowadays is via a CD burner. For
Windows, copy your entire My Documents folder to the CD, then add any
other important data directories. Keep the CD in a fire-resistant
box in your house or in a safe deposit box (or both).
- Immediately disconnect the telephone or network connection from the
computer
- Run a complete virus scan using fully updated antivirus software
- Install a firewall if you do not have one
- Before reconnecting to the Internet, try to find out why your computer
was vulnerable
- Immediately disconnect the telephone or network connection from the
computer
- Run a complete virus scan using fully updated antivirus software
- DO NOT delete files, even infected ones - let the antivirus software
attempt to disinfect the files instead
- DO NOT reformat your hard drive
- DO NOT run your email program until you have run an antivirus scan