Saturday, July 7, 2012

How to protect your home internet connection

Besides protecting your computers, protecting your Internet access is an important part of your home network security. This has several parts:

  1. Protecting the management of your Internet router
  2. Creating rules to allow only what you need to go from the Internet to your network
  3. Creating rules to allow only what you need to go from your network to the Internet

1. Protecting the management of your Internet router

It may sound dull, obvious and over-repeated but this is a very important part of securing your network. For instance, I just scanned the /24 Internet network I am on: I found the router of another subscriber with remote management - usually port tcp/8080 - and it took me two attempts to find the administrative password. In this case, the username is "admin" and the password is "admin". 

From there, what can I do? A lot! I could obviously mess with the person's Internet access, but I could also get his username/password. On the other hand, I could also start creating PAT rules to access his home machines, potentially getting access to his computers. From there: game over, I'm in.

The first thing I suggest: when you get a new Internet router, change the password! Lists of the default username/password combinations for all the major brands are readily available.

Then, ask yourself this question: how likely is it that you will be administering your router from the Internet? In most cases, the answer is: not likely at all. In that case, I suggest disabling the remote management facility.

2. Creating rules to allow only what you need to go from the Internet to your network

99% of the time the answer is: you don't need to allow any access from the Internet to your internal network. Do you really host a server at home? Or is it to access your home machine from work? 

In all cases, be aware of what you are doing! If you expose a machine to the Internet, you may be giving access to a wider audience than you realize. And in that case, how well is your machine protected? Again, scanning the /24 Internet network I am on, I found 4 machines accessible through RDP. Chances are that I could find a working username/password combination, and again: then I am in. Game over.

If you need to access your machine from outside your internal network, restrict the IPs from which this is possible. Are you accessing it from your workplace? Ask your network team what the corporate public IP range is, and allow only from that range. If you can't restrict to a specific set of IPs or networks, investigate other ways, such as a secured VPN, and don't be shy with the password!

3. Creating rules to allow only what you need to go from your network to the Internet

This is probably the most overlooked part: routers usually come with a default policy that permits anything from the inside network to the outside. While this is convenient and works in all cases, it also creates several security risks.

  • Unwanted applications may start communicating

For instance, do you use IRC? Or peer-to-peer? Or do you often send e-mail through a Chinese mail server? If the answer is "no", then blocking the corresponding hosts/ports will improve the security of your network. As an illustration, my own rule set allows:

  • HTTP/HTTPS/FTP/POPS/IMAPS/SSH to the whole Internet;
  • SMTP/SMTPS to my mail server;
  • Google Chat to the whole Internet;
  • MSN to the address defined in my IM client;
  • DNS to the two Google DNS servers, 8.8.8.8 and 8.8.4.4;
  • a couple of ports/hosts needed for a few online games I play from time to time.

And that's it. All in all, I have 29 rules, including the last one that denies everything that is not explicitly permitted. Once in a while, I look at the logs and check whether something was dropped, and if so, if it is normal - such as friends staying with me, broadcasts and all the noise that can exist on a network.
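The policy described above, rendered as an nftables script. This is an added example, not the author's own router configuration: the interface names, the mail server 198.51.100.25 and the corporate range 203.0.113.0/24 are placeholders, the inbound RDP rule only illustrates the source restriction from section 2, and the input chain implements section 1's advice of keeping router management off the WAN side.

```shell
#!/bin/sh
# Added example (not the post's own config): render the post's egress policy
# as an nftables script. Arguments: WAN iface, LAN iface, mail server, and
# the corporate range allowed to reach one home machine over RDP. All four
# defaults are placeholders (TEST-NET addresses), not real values.
render_ruleset() {
  wan="${1:-ppp0}"
  lan="${2:-br0}"
  mail="${3:-198.51.100.25}"
  corp="${4:-203.0.113.0/24}"
  cat <<EOF
table inet home {
  chain input {
    # 1. Router management: reachable from the LAN only, never from the WAN.
    #    (A WAN address obtained via DHCP also needs "udp dport 68 accept".)
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    iifname "$lan" accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # 2. Internet -> LAN: nothing, except RDP from the corporate range
    #    (the DNAT to the home machine is configured separately).
    iifname "$wan" oifname "$lan" ip saddr $corp tcp dport 3389 accept
    iifname "$wan" oifname "$lan" log prefix "INGRESS-DROP " drop
    # 3. LAN -> Internet: only what is needed (the list from section 3).
    #    FTP data channels additionally need the conntrack FTP helper.
    iifname "$lan" oifname "$wan" tcp dport { 21, 22, 80, 443, 993, 995 } accept
    iifname "$lan" oifname "$wan" ip daddr $mail tcp dport { 25, 465 } accept
    iifname "$lan" oifname "$wan" ip daddr { 8.8.8.8, 8.8.4.4 } udp dport 53 accept
    # Google Chat, MSN and game servers from the post go here as daddr/dport rules.
    # Last rule: log and deny everything not explicitly permitted.
    iifname "$lan" oifname "$wan" log prefix "EGRESS-DROP " drop
  }
}
EOF
}

# Print the ruleset; on the router, apply it with: render_ruleset ... | nft -f -
render_ruleset "$@"
```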

This actually helped me show a friend that his machine was infected. He was visiting and needed access for his laptop, which I provided through my home wireless. I happened to be playing with IPv6, and I started seeing a lot of drops. Further investigation proved that these were attempts from his machine to send e-mails. I then asked if he was trying to e-mail, and he wasn't, so we started looking closer at his machine. It appeared his machine was compromised by a Trojan that was trying to send some spam.

Another example happened when I was helping a friend secure his home network. We started seeing drops on some ports. It turned out his kid had installed a peer-to-peer client on the family computer. When we looked at the peer-to-peer program, we found it was not secured at all and was sharing his whole hard drive.
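The log check behind both stories, as an added example that is not the post's own script: an awk pass over the router's "EGRESS-DROP" lines that counts drops per source host and destination port, so a laptop hammering port 25 or a peer-to-peer client stands out from broadcast noise. The log lines are constructed in the kernel LOG format; the "EGRESS-DROP" prefix, host name and addresses are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script. Constructed sample of kernel LOG
# lines produced by a "log prefix EGRESS-DROP drop" rule; addresses are made up.
SAMPLE_LOG='Jul  7 10:01:02 gw kernel: EGRESS-DROP IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=51011 DPT=25 SYN
Jul  7 10:01:02 gw kernel: EGRESS-DROP IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.11 PROTO=TCP SPT=51012 DPT=25 SYN
Jul  7 10:01:03 gw kernel: EGRESS-DROP IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.12 PROTO=TCP SPT=51013 DPT=25 SYN
Jul  7 10:01:03 gw kernel: EGRESS-DROP IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.13 PROTO=TCP SPT=51014 DPT=25 SYN
Jul  7 10:01:04 gw kernel: EGRESS-DROP IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.14 PROTO=TCP SPT=51015 DPT=25 SYN
Jul  7 10:01:04 gw kernel: EGRESS-DROP IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.15 PROTO=TCP SPT=51016 DPT=25 SYN
Jul  7 10:02:15 gw kernel: EGRESS-DROP IN=br0 OUT=ppp0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=6881 SYN
Jul  7 10:02:16 gw kernel: EGRESS-DROP IN=br0 OUT=ppp0 SRC=192.168.1.40 DST=198.51.100.8 PROTO=TCP SPT=40002 DPT=6881 SYN
Jul  7 10:03:00 gw kernel: EGRESS-DROP IN=br0 OUT=ppp0 SRC=192.168.1.11 DST=255.255.255.255 PROTO=UDP SPT=137 DPT=137'

# triage_drops MIN: read LOG lines on stdin and print "SRC PROTO/DPT COUNT [hint]"
# for every source/port pair dropped at least MIN times, busiest first.
triage_drops() {
  min="${1:-5}"
  awk -v min="$min" '
    BEGIN {
      hint["25"]   = "(client speaking SMTP directly: spam bot?)"
      hint["6881"] = "(BitTorrent: unsecured peer-to-peer share?)"
      hint["137"]  = "(NetBIOS broadcast: usual LAN noise)"
    }
    /EGRESS-DROP/ {
      src = dpt = proto = ""
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n != 2) continue
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
      }
      if (src == "" || dpt == "") next
      key = src " " proto "/" dpt
      count[key]++; port[key] = dpt
    }
    END {
      for (k in count)
        if (count[k] >= min) print k, count[k], hint[port[k]]
    }' | sort -k3,3nr
}

# With the sample above, only the host hammering port 25 and the
# peer-to-peer client clear a threshold of 2; the broadcast noise does not.
printf '%s\n' "$SAMPLE_LOG" | triage_drops 2
```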

  • Your machine may be used to scan the Internet to find other vulnerable machines

If your machine gets compromised, it may start scanning the Internet to find other vulnerable computers. This may result in your address appearing as an attacker in other people's logs, with the potential consequence of a visit from your local authorities. In certain countries, if you fail to protect your Internet connection and your computer, you may be held responsible for all the damages resulting from a compromise originating from your IP address, regardless of whether you are the actual author.

Happy surfing!