Classroom 101: Hardening Your Home Network

root — Sat, 22 Sep 2007 09:26:49 GMT

Last Updated: 9/21/2007 5:38 CST

This post is to help someone new to network security (for the home). Some limited knowledge of networking is a plus, but not necessary.

Topics that will be covered:

Security by Design
Routers
Wireless

Broadcasting
Encryption
MAC Filtering
DHCP

Wired
DMZ
IDS
Root's Thoughts

Security by Design

You have to understand the realities of security before you can tackle the problem. Security in itself isn't flawless. There is no such thing as a completely secured network (just a very difficult one to circumvent). So what's the point? Few people have the patience, and the know how, to circumvent a hardened network. So for your average home user, you won't have nearly the kind of attention a large corporation would have. Most of these techniques I'm about to show you will dissuade even the stubborn.

The trick about security is to do it in layers. The more layers, the harder (and longer) an attacker has to push. Unfortunately, many people don't like a lot of layers because to keep people out, you have to give permission to (legitimate) people wanting in. The more layers, the more time it takes to do this. The post will cover all the popular techniques available for the home user that come standard with most routers as well as some of the various ways to circumvent it.

Routers

Due to the popularity of broad band, network devices are becoming more and more popular. Routers/Switches/Modems/Hubs/Gateways, you've probably heard one or all of these terms. Most consumer level routers are both Router/Switch/Gateway. Usually you have a modem in front of your router, which it plugs into your LAN port (on the router). The router essentially manages your network by assigning IP's out, and routing traffic to the right people/places. The first step in securing your network is securing your router.

Look at your router's documentation and you should find a way to log into your router, which allows you to configure it. CHANGE THE PASSWORD. This is my first tip to you. It is well known all the common user/passwords to most (if not all) network devices out there. A quick search on Google can easily show you a list of default logins. It is especially easy for someone to 'own' your router when you have wireless enabled, which leads me to the next section.

My next free tip to you is to update your firmware. Not only does it sometimes patch security issues/bugs, you can actually get more functionality from your network device. And if it is already updated, make a note to yourself to check it in 6 months.

Wireless

First I want to start off by saying that wireless is a bad idea if you are wanting to lock down your network. It is too easy to circumvent most techniques, as well as bringing it down. Since wireless routers use radio signals, one can easily disrupt that signal to bring your network to a grinding halt. On top of that, unlike a wired network, you do not know from where people can access it because its a radio blanket, not a physical port that you've ran a network cable to (and you know where those ports are). And lets not forget it's slow.

But people love wireless for it's flexibility (you aren't limited to location), so let's devule into the many different techniques (layers) at hardening your wireless network.

Wireless - Broadcasting

This is the easiest thing to do, and will probably stop most "curious" people. Your wireless router broadcasts something called your SSID (Service Set Identifier), which is your wireless router's ID, or name, of it's network. Typically, by default, it's turned on. When you have your laptop up and you scan your neighborhood/apartment complex for wireless networks, and you see a bunch show up, this is why. They are broadcasting. When you disable broadcasting, and your buddy comes over, all you have to do is manually add your SSID into their wireless management software. It's pretty easy to do and not that much of a hassle.

Now with programs like AirSnort, you can actually find these hidden networks by looking at the clients that are on that network and seeing the relationship to that router. Obviously this requires a computer talking to the hidden network, but you get the idea.

Wireless - Encryption

This technique is very cat and mouse. Encryption just scrambles the the data traveling over the radio waves so it's harder to read. WEP, the older encryption standard, can now be circumvented in seconds/minutes (with the PTW technique--40,000 packets or less needed, which isn't much).

Isn't that comforting?

One of the most powerful (free) programs that's used at cracking WEP is aircrack-ng and there are plenty of tutorials out there on how to use it. Want to know the scary part of all this? WEP is the most used type of encryption to date, because it was one of the first ones out. I can almost promise you, if you go out now (as of this posting), and scan for networks around you, the networks you can see are either completely open (no encryption) or are WEP encrypted.

"He did say minutes right?"

Yup.

So WEP was old, what's new? That would be WPA1 and WPA2, the latter being the "better" of the two. As of right now, I don't think either one of them is going to be cracked any time soon. At least, that is what I've been reading and this is because it doesn't have the same IV limitation (I won't go into it, just roll with it) as WEP. WPA-PSK, however, can be cracked (just takes a bit of a finesse).

"Root, you talk of WEP, WPA blah, blah blah. What's the point?"

Use WPA2, if you have the option. Else, WPA1. If you don't have either, use WPA-PSK. And, only if you don't have any of those, should you use WEP.

"But you just said it could be cracked..."

And I also said security is about layers. Perhaps that curious script kiddie (low-level hacker) that stumbled upon your little wireless network only knows how to see hidden networks, and doesn't know how to crack WEP (I know, that's a stretch). Or doesn't have that minute to crack it and the kiddie chooses your neighbors which is wide open. You see? Deflected! All because they were lazy! Your neighbor is so nice. You should bring them a six pack next time.

Wireless - MAC Filtering

MAC filtering is using your network card's unique ID as your authentication into your network. This unique ID is called your MAC address and it's made up of letters and numbers (hex).

tip:

For you window's people, hit your windows key + r. Type in 'cmd'. Then type, in the new command prompt, 'ipconfig /all'
Do you see 'Physical Address'? That's your MAC address. See? root taught you a windows trick!

Because it's specific to you, its another obstacle for our annoying script kiddie. Only the MAC address on your approved list are allowed access to your wireless network.

But wait! He has a PRISM card and can manipulate his wireless card to think it's the same MAC address as you? Sigh. When will this kiddie just go away? Stupid wireless.

Wireless - DHCP

oooo. What is this DHCP you speak of root? DHCP is the thing that issues out IP address. You can actually limit the amount of IP's it gives out. Since this has nothing to do with the wireless part of the router, but the actual networking part, our little kiddie can't circumvent this without bring down one (or more) of your wireless devices....right?

"Don't tell me."

But what would be in the fun in that? You can actually kick people off your network with a number of attacks and 'slide' in before the legitimate wireless devices can grab their own IP. Sneaky little kiddie.

Wired

As you might have guessed, wired is the way to go from a security conscious point of view. It's hard to crack a wired network from the outside, or at least much more harder. To get inside, usually you'd have to compromise a machine already in the network (either by email/website/etc) but there are some attacks that can go through the front door. Most routers come with built in firewalls, and NAT, so pushing your way through the front door can be very difficult without knowledge of the LAN. Good news is, since it isn't wireless, you know that someone would have to physically be there to access your LAN--assuming you have your firewall set up (NAT you usually can't turn off). This is because with wireless, and high powered wireless antennas, you don't necessarily have to be close to access your network.

The other thing to keep in mind, for the home user, is that your real IP address, the one that your ISP issues to you, can change frequently (even sometimes up to a daily basis). Unless you got the government on you, or you already have a compromised machine 'tattle-telling' on you, it's pretty safe to say you only need to worry about your roomate or computer-illiterate girlfriend.

*looks over his shoulder*

DMZ

For those of you who were in the military, you should recognize this term. De-Militarized Zone. As the name implys, it is a 'zone' that sits in between the 'internet' and your LAN. This is great to use when utilizing honey pots, for if some one does happen to get in through your front door, they will most likely hit your DMZ and leave your precious LAN alone.

What is a honey pot you ask? Well since this is geared toward the home network, I'll leave that to you and Google/wikipedia. I only wanted to mention DMZ because sometimes you might have to put your computer on it if your router has some serious firewalling (my work's VPN won't work in my LAN and I've yet to figure out how to get it to work).

IDS

IDS (intrusion detection system) is another good word to know when hardening your network. But, like the honey pot, most likely not needed for the home. I just wanted to mention it for the people who are curious about network security and want to get more into it.

A good read:

http://www.securityfocus.com/infocus/1742

Root's Thoughts

So what all should you take from this post? And what other tips can you tell me?

Use a layered approach. I'd advise disabling broadcasting and using WPA1 or 2 encryption, minimum. While WPA2 is uncrackable (that I know of, and as of right now), there is still the chance that someone has cracked it but hasn't shared it. Now why would that elite hacker be jacking your home wireless connection... well maybe you are just that special in the cosmic world.
Understand the limitations of security, that it isn't fool proof and that you are only minimizing the risk of being attacked.
Your home LAN most likely won't be the target of all the network guru's out there, so don't be sweating when you read my warnings.
If you can get away with not using wireless (or can turn it off when not in use), then do. Especially if you are doing some sensitive stuff like online banking. There is a small chance that they (hackers) can see the traffic going from your PC (see next).
Sites that support SSL (https://.....) utilize a point to point encrypted tunnel. What this means is that even if you aren't utilizing encryption, it is still encrypted from your computer to those sites. So when you are doing an online transaction and writing down your credit card information, make sure it has that s next to http. Also, make sure that all parts of the page is encrypted. Firefox (version 2+ I believe), highlights the address bar in red if only part of the page is utilizing SSL (one way a hacker can trick you into giving out your information).
Periodically check your logs. If your neighbor is using your wireless, you should be able to tell by logging into your router and checking the logs (or the DHCP part of your router).
If you know enough about networking, utilize subnet masks. Subnet masks divide up your network logically to where parts of your network can't talk to each other, which can be a good thing (but not always).

As per usual, I won't turn down a PM and no question is stupid. I am learning as well so if you find anything that contradicts what I'm preaching, PM me with credible facts and I'll keep an open mind.

If you have questions, or would like to discuss this topic with me, go here:

http://www.eggxpert.com/forums/166515/ShowThread.aspx#166515