Introduction

Over and over again I am asked about securing home and small office/home office (SOHO) computers. This FAQ pertains to a SOHO network with some type of permanent Internet connection such as cable, DSL, private circuit, etc. Every network and its attached devices need a layered defense, often called defense in depth. I will attempt to explain general protection concepts of the various layers as well as provide links for further explanations or details.

Working from the Internet inward to the internal network's workstations, we begin with a perimeter security device such as a firewall or a router with security features. Many viruses, worms, and other nasties can be prevented by stopping them at the gate. Even the cheapest of home routers provide Network Address Translation (NAT). With NAT, a single public Internet IP address is shared by one or more internal devices that use private IP addresses: the router rewrites outgoing connections so they appear to come from the public address and delivers the replies back to the internal device that started them. A useful side effect is that a host on the Internet has no direct route to an internal private address unless the router has been told to forward a port to it.
Routers with firewall and security features permit blocking certain types of network traffic. The default settings of most home or SOHO routers block all incoming connections unless a rule has been specifically configured to allow them (a "port forward"). That exception might be needed if a business hosts its own web server and wants people on the Internet to browse to it for information, place orders, etc. Traffic initiated by an internal workstation, and the replies to it, are usually allowed by default. Outbound traffic can be restricted too: if so inclined, a rule could be added to prevent internal users from using FTP to transfer files. Keep in mind that any port forwarded to an internal server exposes that server directly to the Internet, so it must be kept patched and hardened just like the perimeter device itself.
I have heard the arguments that perimeter security such as a firewall between the Internet and the internal network is not necessary with the advancement of host based firewalls such as the Windows firewall, Zone Alarm, and others. My feelings are that it certainly does not hurt to have both. A software firewall installed directly on the computer it is meant to protect means that potentially malicious network traffic is not stopped until it actually reaches and is processed by that computer. That's too close for comfort if the highest levels of security are required. Many viruses and malware have been known to disable host based software firewalls and anti-virus programs, so keep the perimeter security for the multi-tiered protection.
Anti-virus software is a must. No matter how carefully a router and firewall are configured, malicious code can ride inside traffic the firewall has to allow, such as an e-mail attachment or a file downloaded from a web site. The media can print front page headlines about a new e-mail that carries a virus attachment, yet it still gets opened by people living under a rock or perhaps carelessly by someone plowing through hundreds of e-mails upon returning from vacation. Best practice: never open an attachment unless you are expecting it, and then only if anti-virus software is installed and up to date. My current favorite is Avast because it has a feature to perform a boot time scan (see my FAQ "Avast Boot Scan").
Spyware is not regarded by many anti-virus companies as a virus, though this perception is changing. Not cleaning a system of spyware can lead to performance degradation to the point that it may barely be able to boot. It can also allow your computer usage to be reported to tracking companies so they can sell your information to spammers. Spyware is covered in detail on another page at schmahl.net, so the discussion here ends. Please read the Spyware Info page for more information.
Keep the operating system patched. Microsoft operating systems are the most widely used by the audience reading this page, so we will not get into any OS wars here. Simply put, Windows is the most widely used desktop operating system, so of course there is a huge target placed on it. A lot of blame is placed on Microsoft for users' lack of diligence. Some of the recent worms would have been rendered DOA if the patch for a previously announced problem had been installed. In many cases Microsoft issued a patch several months before a worm's relentless attack. All it takes to keep a Windows system patched is to run the "Windows Update" or "Automatic Updates" applet in Control Panel and leave automatic installation turned on. Remember that applications which do not come from Microsoft (browsers, browser plug-ins, office software) are patched separately and need their own update mechanisms turned on as well.
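As an added example (not from the original page), here is how to check from PowerShell whether Automatic Updates is actually set to install and which updates the machine is still missing. It uses the Windows Update Agent COM objects (Microsoft.Update.AutoUpdate and Microsoft.Update.Session), which ship with Windows XP SP2 and later; the search step contacts Windows Update (or a WSUS server) and needs a network connection. The notification level meanings in the comments are the documented values of the agent's settings object.

```powershell
# Added example: report Automatic Updates configuration and missing updates.
# Uses the Windows Update Agent COM API; run from a normal PowerShell prompt.

# 1. How is Automatic Updates configured?
#    NotificationLevel: 1 = disabled, 2 = notify before download,
#    3 = notify before install, 4 = download and install on a schedule.
$auto  = New-Object -ComObject Microsoft.Update.AutoUpdate
$level = $auto.Settings.NotificationLevel
if ($level -eq 4) {
    Write-Host "Automatic Updates: scheduled install (good)"
} else {
    Write-Warning "Automatic Updates is not set to install automatically (level $level)"
}

# 2. Which updates are available but not yet installed?
#    Search() talks to Windows Update (or your WSUS server) and can take a minute.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

Write-Host ("Missing updates: {0}" -f $result.Updates.Count)
foreach ($update in $result.Updates) {
    $kbs = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ", "
    # MsrcSeverity is Critical/Important/Moderate/Low for security updates
    # and empty for non-security updates; anything Critical should not wait.
    "{0,-9} {1,-14} {2}" -f $update.MsrcSeverity, $kbs, $update.Title
}

# 3. What happened recently? ResultCode 2 = succeeded, 4 = failed.
#    A string of failures means "Automatic Updates is on" is not keeping you patched.
$history = $searcher.QueryHistory(0, 20)
$history | Sort-Object Date -Descending |
    Select-Object -First 5 Date, ResultCode, Title
```

If the missing-updates list is not empty on a machine that has had Automatic Updates enabled for weeks, look at the history section: repeated failures usually mean an update that needs a reboot or a broken update component, and the machine is unpatched even though the applet looks turned on.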
Use a host based firewall. The Windows firewall gets better with each version of Windows. For more features try freebies such as Zone Alarm or commercial products from McAfee, Norton, or others. One useful feature is notification of internal activity that attempts to contact the Internet. Configuring this option gives notice of spyware, bots, viruses, or even legitimate software trying to reach the Internet; examples would be programs that check the vendor's site for updates and bug fixes. That isn't necessarily a bad thing, but it is still nice to know.
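The router paragraph above describes a policy (block all unsolicited inbound traffic, allow what the workstation starts, open one inbound port only for a machine that hosts a web server, and optionally block outbound FTP), and this paragraph recommends the same kind of protection on the host. As an added example that is not from the original page, here is that exact policy applied to the Windows firewall with netsh advfirewall, available on Windows Vista and later, typed into an elevated PowerShell prompt. The rule names, the assumption that this machine is the web server, and the choice of port 80 are illustrative only; skip step 3 on an ordinary workstation.

```powershell
# Added example: apply the "block inbound, allow outbound" policy to the
# Windows firewall. Run from an elevated (Administrator) PowerShell prompt
# on Windows Vista or later.

# 1. Turn the firewall on for every network profile (Domain, Private, Public).
netsh advfirewall set allprofiles state on

# 2. Default policy: drop unsolicited inbound connections, allow outbound.
#    Replies to connections this computer started are matched against the
#    firewall's connection state and allowed automatically, just as the
#    router does for the whole network.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 3. The one deliberate inbound exception (assumption: this host runs the
#    company web site on TCP port 80). Do NOT add this on ordinary workstations.
netsh advfirewall firewall add rule name="Allow inbound HTTP web server" `
    dir=in action=allow protocol=TCP localport=80 enable=yes

# 4. The outbound restriction mentioned in the text: stop users from using FTP.
#    FTP opens its control connection to TCP port 21, so blocking that port
#    blocks the session before any data channel is negotiated.
netsh advfirewall firewall add rule name="Block outbound FTP control" `
    dir=out action=block protocol=TCP remoteport=21 enable=yes

# 5. Log dropped connections so you can see what the firewall is stopping.
#    Default log file: %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set allprofiles logging droppedconnections enable

# 6. Verify the resulting policy and the two rules.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Allow inbound HTTP web server"
netsh advfirewall firewall show rule name="Block outbound FTP control"
```

The "notice of internal activity" feature the paragraph describes is the equivalent of switching the outbound default to block (`firewallpolicy blockinbound,blockoutbound`) and adding allow rules per program; the Windows firewall will enforce that, but only third-party products prompt interactively for each new program, so expect to build the allow list yourself if you go that route.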
On networks not using server based user accounts, configure separate user accounts on the workstation(s). This not only prevents users from arguing over wallpaper but can often isolate issues to a particular account. While creating the accounts it pays not to let them be administrators. Viruses are programs, and they have a hard time installing if the logged-in user is not an administrator with the right to install programs. Keep one administrator account for installing software and maintenance, and use a standard account for everyday work.
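As an added example that is not part of the original page, the following commands create a standard (non-administrator) account, audit who is in the local Administrators group, and show how to confirm from inside a session that the current user does not hold administrator rights. The user names "alice" and "admin-dave" are placeholders. Run from an elevated PowerShell prompt on Windows XP or later; step 4 works from any session.

```powershell
# Added example: standard user for daily work, and an audit of local admins.
# Run from an elevated PowerShell prompt. "alice" / "admin-dave" are placeholders.

# 1. Create a standard user. "net user /add" puts the account in the local
#    Users group only, so it is not an administrator. The * makes Windows
#    prompt for the password instead of leaving it in the command history.
net user alice * /add

# 2. Quick look at who holds administrator rights on this machine.
net localgroup Administrators

# 3. Programmatic audit, suitable for a logon or scheduled script: warn if
#    anyone other than the built-in Administrator and the one maintenance
#    account is in the Administrators group.
$allowedAdmins = @("Administrator", "admin-dave")
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke("Members")) | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
}
foreach ($member in $members) {
    if ($allowedAdmins -notcontains $member) {
        Write-Warning "Unexpected member of Administrators: $member"
    }
}

# 4. From inside a session, confirm what rights a program (or a virus) run
#    by this user would get. On Vista and later an administrator's normal,
#    non-elevated session also reports $false because of UAC token filtering.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Current user $($identity.Name) has administrator rights: $isAdmin"
```

Step 3 is the check worth repeating periodically: the most common way a "standard" workstation quietly becomes an all-administrator workstation is someone adding a user to Administrators to get past an installer prompt and never removing them.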
So many networks and workstations are compromised by malicious web sites that I highly recommend content filtering. Content filtering allows an administrator to block viewing of web sites that are not in the best interests of the company, home, or SOHO. OpenDNS.com offers free and paid services to block categories of sites. It is easy to sign up, easy to set up, and performs well. Whether you are a parent wanting to block your children from pornography sites or a business that doesn't want its employees shopping during work hours, I highly recommend OpenDNS. I personally use it to block, among others, the categories for Adware and Phishing. It's one more layer of protection. Note that DNS-based filtering only works for machines that actually use the OpenDNS resolvers: a user who points a workstation at a different DNS server bypasses it, which is one more reason not to give everyday accounts administrator rights.
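As an added example that is not from the original page, these commands point a single Windows workstation at the OpenDNS resolvers (208.67.222.222 and 208.67.220.220, OpenDNS's published addresses) and verify the change. The interface name "Local Area Connection" is the Windows XP/Vista/7 default and is an assumption; list yours with `netsh interface ip show config`. Run from an elevated PowerShell prompt.

```powershell
# Added example: switch a workstation's DNS servers to OpenDNS and verify.
# Run from an elevated prompt. "Local Area Connection" is an assumed interface name.

# 1. See which DNS servers are in use now (usually handed out by the router via DHCP).
netsh interface ip show dns

# 2. Replace them with the OpenDNS resolvers: primary first, secondary at index 2.
netsh interface ip set dns name="Local Area Connection" static 208.67.222.222
netsh interface ip add dns name="Local Area Connection" 208.67.220.220 index=2

# 3. Flush the local resolver cache so answers cached before the change
#    (resolved without filtering) are discarded.
ipconfig /flushdns

# 4. Confirm the setting took and that lookups really go through OpenDNS.
#    The "Server:" / "Address:" lines of nslookup output should show 208.67.222.222.
netsh interface ip show dns
nslookup www.example.com
```

For a whole SOHO network it is simpler to enter the same two addresses in the router's DHCP server settings (or in the router's own upstream DNS settings), so every device picks them up without touching each workstation; the commands above are the per-machine equivalent and a quick way to check that a given machine is not quietly using some other resolver.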
Companies should adopt a user agreement. These can be simple single page agreements or many pages, depending on the needs of the company. Simply put, a user agreement is a document signed by the employee stating that they understand the company has the right to monitor computer usage, owns the work product and resulting data, and has the right to administer the technology based upon the needs of the company. Do not present this to employees as a threat. Explain that the user agreement is a way to provide guidance even to good employees who may not understand the various technologies a company has in place.
"Blame not the tool for the incompetence of the carpenter." Think about it. There are many knee-jerk reactions blaming Microsoft and other vendors for writing insecure code. Yet over and over again the worms and viruses are infecting systems on which the fundamentals written above have been ignored.
Useful Links and Further Reading:

http://blogs.schmahl.net/wordpress/?p=72 - My blog about OpenDNS
http://www.schmahl.net/spyware.php - Spyware Info page
http://www.schmahl.net/everydaysw.php
http://www.securityfocus.com/columnists/220 - A Home User's Security Checklist for Windows
http://www.teamanti-virus.org/rules.html - Ten Rules of Common Sense Computing and virus defense
http://www.cert.org/tech_tips/before_you_plug_in.html - Before You Connect a New Computer to the Internet
http://www.cert.org/homeusers/HomeComputerSecurity - Home Computer Security
http://www.microsoft.com/security/protect/default.asp - Microsoft guides and videos to protect your PC
http://www.giac.org/practical/gsec/Andrew_Baker_GSEC.pdf - Connecting Your Home LAN to the Internet
http://KB.UltraTech-llc.com/?File=PFirewalls.TXT - Personal Firewall options
http://www.personalfirewallday.org - Personal Firewall educational page
http://secunia.com - A nice one-stop shop of the latest viruses and security advisories
Schmahl World Computer Assistance, LLC. This page: http://www.schmahl.net/security.php, updated January 10, 2010.