As some will remember from my previous posts in this forum, I've got a home network of four computers. They share a DSL Internet connection. Due to a new need to set up a VPN with another office, we're stepping up to a static IP. I've also purchased a Linksys DSL/VPN router which of course is also a 4-port network switch.

I know having a static IP can open you up for some serious security problems, so what steps do I need to take in order to maintain security on our network? I'd like to have the ability to connect to our computers from the outside if necessary, but obviously this needs to be very well guarded.

So in other words, where do I need to start?

Thanks,

Matthew
Back to top

You have the router, that's step one, biggest one too, hardware firewall will block all ports you don't explicitly assign except 80, 25,21 I think, that's http, pop, can't remember.

Plus the vpn ports.

I like to add a software firewall to each machine to make sure I know what's happening on that level, zonealarm free is fine I think for that.

Good av software, I'm getting more and more down on norton and macafee, I spent last night cleaning out a network machine that was thoroughly infested with viri/trojans/malware and all the while theoretically 'protected' by Norton. Pandasoft pulled off about 10 viruses, Antivir about 15 or so, Trend micro 2. Plus all the spyware spybot and adaware removed. As Andy told me, problem exists between keyboard and chair back... or something to that effect. My current favorite explanation for most virus infestations.

If you're not running apache, try nod32, then report back and let me know how you like it :-)

If budget is an issue, try avg, it's I think one of the better free ones.

Hopefully andy will show up though, he's better at real security stuff than me.
Back to top

This isn't comprehensive and there's a lot of stuff that I am forgetting but it's the end of the workday and I have to run. If you have any questions about specifics, post em and I'll see if I can get to them!

Really the only major difference security-wise between static and dynamic IP addresses is the fact that people are going to be able to easily get back to your system for long term cracking attempts. The router itself should be relatively secure simply due to the fact that management tools that you can get to from within the router itself tend not to be available from external IP addresses. Also, remote access trojans and things of that nature have been able to keep up with dynamic IP addresses for ages (for example, you can get a plug-in for back orifice that will give you IP address updates for your infected clients via email, an IRC channel or even send it to you via ICQ... nifty! ..uhh... i mean... awful and sinister! ...yeah). What you mainly have to worry about is the machines that the router forwards connections to.

For example, if you've got a web server running on an internal computer and an FTP server running on another internal machine and yet another machine running mssql and port forwarding set up to the appropriate ports for all of those machines, be absolutely sure that all of those machines are up to date. If one of them were to be compromised then through that machine they would be able to get to your router through that machine's internal IP address and make themselves a permanent VNC backdoor on port 64952 if they wanted to.

You want to make sure that no actual machine is set to be the "DMZ" on your network. A small all-in-one type router thing has a slightly different definition of DMZ than most network architects do... on a normal network, a DMZ is simply a separate firewalled off portion of your network for computers that need to be accessed from the outside world, and as a result need to be separated from the internal machines. On one of these routing appliances, it means that it will forward all unrequested connection attempts to the IP address that you enter in there. For example, if you have a web server at 192.168.1.10 that you are forwarding web traffic to and a FTP server at 192.168.1.20 that you are forwarding connections to and a DNS server on 192.168.1.30 that you are forwarding connections to and 192.168.1.100 as your DMZ:

Get a connection on 80, gets forwarded to 192.168.1.10
Get a connection on 23, gets forwarded to 192.168.1.100
Get a connection on 21, gets forwarded to 192.168.1.20
Get a connection on 1024, gets forwarded to 192.168.1.100
Get a connection on 53, gets forwarded to 192.168.1.30
Get a connection on 65531, gets forwarded to 192.168.1.100
Get a connection on 31337, gets forwarded to 192.168.1.100

Whereas if you did not have a DMZ set up then the extraneous connections to the random unassigned ports would simply be dropped. Since absolutely nothing is filtered on a machine when it is set as the DMZ (except the connections to ports that are being forwarded to the other machines) then you are automatically prone to any worm, cracker or any other silliness that happens upon your IP with bad intentions.

Probably also a good idea to turn off ICMP to stop people from being able to do things like ping you. It might be inconvenient when trying to see if your IP is up, but it could also prevent you from showing up in some little script-kiddy-dipsh*t's ping sweep scan to see who to run their stupid script against. In your router it's probably known as simply turning off ping or something similar.

Personal firewall programs in your case are only necessary to protect machines against the other machines on the network. Considering that everything else will be filtered out by the router itself, then you should be fine. Just make sure that any services that you are serving from within your internal net are up to date and you shouldn't have any trouble with the script kiddies or worms that plague the net these days. If you get really paranoid (like me ;-) ), you could always try using a scanning tool such as nessus (http://www.nessus.org) which will scan your machine for known vulnerabilities and if possible even *start* the vulnerability to reduce the number of false alarms. Think that it's a little heavy handed? Well I can guarantee that this would only be the beginning of the attack for a competant system cracker.
Back to top