Here are four things you should do in the hour after you’ve happily observed that you’ve “got ping” (i.e., a working network connection) to make your network a little safer.
Maybe it’s a little box that doles out IP addresses, provides NAT and offers e-z wireless connectivity. Or perhaps it’s an operating system with enough wizards, control panels and big red buttons to open the world of SOHO networking up to an 8-year-old.
In any case, the problem they all have in common is how easy they make it for the would-be administrator to hook up a few cables, click on a few buttons, then lean back contentedly and say to himself “Well, I’ve got ping … I’m done.”
If I were here to complain about the perils of accessible technology, I could lean back at this point myself, because you’ve heard this complaint enough times that I could probably leave you a few blank lines and invite you to write the rest for yourself.
The world has plenty of elitists, though, so I’m going to try to take the constructive path and offer four things you should do in the hour after you’ve happily observed that you’ve “got ping” to make your network a little safer with just a little legwork. This isn’t a definitive list — just a few pointers to help you get on the path to locking things down.
1. Keep a Log
Before you start doing anything to tighten down your networked systems, dig about $2 out from under the sofa cushions and go buy a notebook, preferably with a sturdy cover. Even though a lot of home and small office networking gear is friendly when it comes to configuring the basics, the options for doing more advanced stuff can often wreak havoc if they aren’t well-documented, or if the vendor uses slightly different language from what you’re used to hearing.
Use your notebook to keep track of the things you need to know to keep your network running and connected to the ‘net. For instance, record your cable or DSL modem’s IP address, its subnet mask, its gateway address and the DNS servers your ISP provides.
Also record the IP and MAC addresses of all the systems on your network.
Finally, record the settings you changed when you first configured your Internet router or wireless access point before you change them to improve security. If you make a mistake and knock yourself off the ‘net, you’d rather have it all written down than go through the configuration process from scratch again.
Keep your notebook up to date, too. If you add a new computer, get its MAC information before it goes under a desk or into a rack or closet and before you turn it on. That’ll make the next step easier.
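Keeping the notebook honest is easier if you can pull the IP and MAC addresses off the wire instead of crawling under desks. The script below is an added example, not part of the original column: it parses the neighbor table a Linux host prints with `ip neigh show` (a constructed sample is embedded so it runs offline), keys the inventory by MAC address, and reports any hardware address that isn’t in your notebook. The notebook entries and addresses are hypothetical.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `ip neigh show` output from a Linux host on the LAN.
# On a real network, run the command and feed its output to parse_ip_neigh().
# The FAILED line has no lladdr field: nobody answered the ARP request, so
# there is no hardware address to record for it.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:14 STALE
192.168.1.33 dev eth0  FAILED
192.168.1.42 dev eth0 lladdr 00:11:22:33:44:2A DELAY
fe80::211:22ff:fe33:4401 dev eth0 lladdr 00:11:22:33:44:01 router REACHABLE
"""

# Constructed notebook: MAC -> what the machine is. Hypothetical entries.
NOTEBOOK: Dict[str, str] = {
    "00:11:22:33:44:01": "broadband router, 192.168.1.1",
    "00:11:22:33:44:14": "file server under the desk, 192.168.1.20",
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form, so 00-11-22-33-44-2A from a
    Windows `ipconfig /all` and 00:11:22:33:44:2a from Linux compare equal."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def parse_ip_neigh(text: str) -> Dict[str, Set[str]]:
    """Return MAC -> set of IP addresses seen for it.

    One interface shows up under several IPs (an IPv4 and a link-local IPv6
    address here), so the MAC is the key: it is what the notebook tracks and
    what a MAC filter matches on.
    """
    seen: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries carry no hardware address
        mac = normalize_mac(fields[fields.index("lladdr") + 1])
        seen.setdefault(mac, set()).add(fields[0])
    return seen


def unknown_devices(seen: Dict[str, Set[str]], notebook: Dict[str, str]) -> List[str]:
    """MACs on the wire the notebook does not know about: either a new machine
    you forgot to log, or somebody else's."""
    return sorted(mac for mac in seen if mac not in notebook)


def inventory_lines(seen: Dict[str, Set[str]], notebook: Dict[str, str]) -> List[str]:
    """One line per device, ready to copy into the notebook."""
    lines = []
    for mac in sorted(seen):
        ips = ", ".join(sorted(seen[mac]))
        lines.append(f"{mac}  {ips}  # {notebook.get(mac, 'UNKNOWN - identify me')}")
    return lines


if __name__ == "__main__":
    seen = parse_ip_neigh(SAMPLE_IP_NEIGH)
    print("\n".join(inventory_lines(seen, NOTEBOOK)))
    for mac in unknown_devices(seen, NOTEBOOK):
        print(f"unknown device on the LAN: {mac} ({', '.join(seen[mac])})")
```

Run it once when you set the network up and again whenever something new appears; the machine at 192.168.1.42 in the sample shows up as unknown because it was never written down, which is exactly the case the notebook is meant to catch.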
2. Restrict Access by Machine
Most wireless network devices and many network services have provisions to refuse connections from machines they don’t recognize. Using those controls helps keep your internal network safe from hostile users, and they provide a first line of defense against someone who wants to use your Internet connection as a spam relay, or as a launch point for attacks against other systems on the Internet.
These restrictions can take several forms: They might involve restricting machines by IP address, MAC address or even a physical port on a switch.
Wireless access points (WAPs), for instance, will tend to offer a chance to restrict access by MAC address. A MAC address is the 48-bit hardware identifier the manufacturer assigns to every network interface, written as six pairs of hex digits such as 00:11:22:33:44:55. You can find it printed on a label on network cards, and it’s often on a decal on the bottom of laptops with built-in networking equipment; the operating system will also tell you (ipconfig /all on Windows, ifconfig on Unix and Linux).
If you don’t share your WAP with a lot of people, it just makes sense to turn on MAC restrictions right off the bat. Yes, MAC addresses can be spoofed, and on a wireless network an eavesdropper can read a legitimate one straight off the air, since frame headers are sent in the clear. But it pays to remember that you’re not securing the Pentagon’s mainframes here — you’re just taking a sensible precaution to keep random passers-by from using your WAP.
Network services, such as the mail relay or web cache you might run on a Linux server, tend to offer options to restrict access by IP address. They’ll usually take either a list of specific addresses or a range expressed with a network mask: 192.168.1.0/24, or equivalently 192.168.1.0 with the mask 255.255.255.0, means “any address whose first 24 bits match,” i.e., 192.168.1.0 through 192.168.1.255. If you’re feeling foggy on the whole issue of IP addresses and subnet masking, I know of no better tutorial than one from last year that covers just this topic in very simple terms.
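The masking that an address-based restriction relies on, as an added example that is not part of the original column. It implements the check a service such as a mail relay or proxy performs against a list of trusted networks, accepts a range written either as a prefix length (/24) or as a dotted netmask (255.255.255.0), rejects a mangled mask instead of guessing, and cross-checks the hand-rolled arithmetic against Python’s standard ipaddress module. The allow list and client addresses are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF

# Constructed allow list for a hypothetical mail relay or proxy on the LAN:
# one exact host, one /24 written as a prefix length, one /16 written as a
# dotted netmask. Both notations mean the same thing; the code accepts either.
ALLOW_LIST = ["127.0.0.1", "192.168.1.0/24", "10.0.0.0/255.255.0.0"]


def ip_to_int(ip: str) -> int:
    """Dotted quad -> 32-bit integer, so applying a mask is a single AND."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_int(mask: str) -> int:
    """Accept a prefix length ('24') or a dotted mask ('255.255.255.0').

    A netmask is a run of 1 bits followed by a run of 0 bits. Anything else
    (255.0.255.0) is a typo, and a typo in a mask silently changes who is
    trusted, so reject it rather than guess.
    """
    if "." in mask:
        value = ip_to_int(mask)
        inverted = value ^ ALL_ONES          # the zero run becomes 2**k - 1
        if inverted & (inverted + 1):
            raise ValueError(f"non-contiguous netmask {mask!r}")
        return value
    prefix = int(mask)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {mask!r}")
    return ALL_ONES ^ ((1 << (32 - prefix)) - 1)


def is_valid_mask(mask: str) -> bool:
    try:
        mask_to_int(mask)
        return True
    except ValueError:
        return False


def network_range(network: str) -> Tuple[str, str]:
    """Lowest and highest address a network spec covers: worth a notebook line."""
    addr, _, mask = network.partition("/")
    m = mask_to_int(mask) if mask else ALL_ONES   # bare address = single host
    base = ip_to_int(addr) & m
    return int_to_ip(base), int_to_ip(base | (m ^ ALL_ONES))


def in_network(ip: str, network: str) -> bool:
    """The whole trick: client and network agree on every bit the mask keeps."""
    addr, _, mask = network.partition("/")
    m = mask_to_int(mask) if mask else ALL_ONES
    return (ip_to_int(ip) & m) == (ip_to_int(addr) & m)


def allowed(ip: str, allow_list: List[str]) -> bool:
    """True if the client address falls inside any trusted network."""
    return any(in_network(ip, net) for net in allow_list)


def agrees_with_stdlib(ip: str, network: str) -> bool:
    """Cross-check the hand-rolled mask logic against Python's ipaddress."""
    if "/" not in network:
        network += "/32"
    stdlib = ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)
    return stdlib == in_network(ip, network)


if __name__ == "__main__":
    for net in ALLOW_LIST:
        print(f"{net:24} covers {network_range(net)[0]} - {network_range(net)[1]}")
    for client in ("192.168.1.77", "192.168.2.1", "10.0.200.9", "10.1.0.1"):
        print(f"{client:14} allowed={allowed(client, ALLOW_LIST)}")
```

Note what the /24 does and does not cover: 192.168.1.77 is in, 192.168.2.1 is out even though it is one address “next door,” and the /16 written as 255.255.0.0 admits 10.0.200.9 but not 10.1.0.1. Writing the covered range next to each rule in the notebook saves exactly that kind of surprise.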
3. Keep Your Shields Up
One common question I hear has to do with getting games and messaging services working through the NAT firewall these network appliances provide. The issue boils down to this: Connections a system behind the router opens outward work fine, because the router remembers them and lets the replies back in. What fails is a connection a peer or game server tries to open inward to your system: with no entry in the NAT table and no forwarding rule, the router has no idea which inside machine the packet is meant for, so it drops it.
Some broadband routers offer a way to put a specific computer they serve “out on the DMZ” rather than figuring out which specific ports to forward: every unsolicited inbound packet that nothing else claims is handed to that machine. This offers a quick fix, but at the cost of exposing every listening service on that computer to the whole Internet.
If a game or service isn’t working, rather than completely opening the computer to the Internet, take the time to learn which ports it actually needs and use the router’s configuration tool to forward those ports only, and only to the computer that needs them. Give that computer a fixed address (or reserve its DHCP lease) so the rule doesn’t quietly start pointing at a different machine when leases change. Your network presents a much smaller attack surface that way: only the services the game needs are reachable from outside, on only the one machine running them.
4. Use Passwords and Change the Default Password
You know this already, but it bears repeating: Access points, routers and computers come with the capability to assign passwords for a reason. Also, make sure you change the default password on your networking gear. Not sure why? Factory passwords are printed in the manual and published online for nearly every model sold, so anyone who can reach your router’s administrative interface and can read the label on the box can log in. (A quick Google search for “wap passwords” will give you an education on the subject.) While you’re in there, turn off remote (WAN-side) administration if the router offers it, so the password is only ever tested from inside your own network.
If you have a hard time remembering passwords, feel free to take security expert Bruce Schneier’s advice and write them down, but keep the paper in your wallet, where it’s as safe as any credit card you have in there.
And there you have it: A few things to look out for and a few steps you can take to make your network devices more secure without breaking your back.
And if you keep track of all your changes in your notebook, it becomes that much easier to explore other security options your software or hardware might offer without fear of messing everything up.