More and more people are setting up LANs at home, and with the majority of them connected to the web via cable modems the threat of getting hacked increases -you're on the web all the time.The last thing you need is to have your ISP cancel your account because your LAN was used to launch a Denial of Service (DoS) attack.

Choosing Passwords

One of the first security considerations is the passwords that you chose. Hackers and crackers have access to programs that will run through a dictionary list of words and use them to log into your computers. So when you chose a password keep these rules in mind:

• Do not chose a word that could be found in a dictionary.
• Use a combination of upper and lower case letters.
• Use at least one number.
• Your password should be easy to remember, but not easy to guess.
• Do not write your password down.

Social Engineering

A hacker doesn't necessarily have to use an application to crack the password on a piece of gear that you own -he or she could just ask you! It's called social engineering and the way it works is simple: The attacker calls you pretending to be a technician needing a password in order to fix some bogus problem. Someone at your company (or you) gives the "technician" the password and it's all over, you've been had. So remember:

Never give out a password over the phone.
Make sure everyone where you work knows that passwords are not to be given out over the phone.

If someone asks you for a password, ask them for a phone number that you can use to call them back...

Firewalls with DMZs

Many of the current crop of cable modem routers have firewall capability built into them. A firewall protects your network by hiding the Internet Protocol (IP) addresses from the Internet and breaking the logical connection to the PCs on your LAN. All network connections are made between your LAN and the firewall, and then from the firewall to the Internet.

Some offer a Demilitarized Zone (DMZ) port for servers that need to be accessed from the Internet. A DMZ port allows people on the Internet to connect to the servers in the DMZ while providing some basic protection. Servers in the DMZ are open to attack. For more information on firewall and DMZs check out the Firewalls article.

A DMZ port protects your LAN by keeping vulnerable servers away from your internal computers. If your web server becomes compromised then it's the only machine that you have lost. Your internal network is still protected.

Unfortunately some firewalls also allow you to use "port forwarding" to allow Internet access to a server behind the firewall.

It's a big mistake! All the hacker has to do is break into the web server via the "hole" in your firewall and they can use your server to attack the rest of your network. The moral of the story is: If your cable router has a DMZ port then use it! It's far better to leave one server partially unprotected than to give someone an internal computer that they can use against you. Most of the "firewalls / routers in a box" allow you to apply rules to the DMZ port so you do have some control over the packets that reach the servers in the DMZ. The next diagram is my optimum recommendation:

With a router outside your firewall you can set up a very secure access list to control the type of packets that can reach servers in the DMZ.

Patches

It's impossible to come out with an Operating System (OS) or any program that is 100% secure. New vulnerabilities are discovered all the time, so you need to keep your software up to date:

Keep a list of all the software that is exposed to the Internet and the version numbers of those programs.
Go to the web sites of the companies that make the software you use often to check for updates (some applications and firewalls will automatically check for updates, but don't rely on it).
Many firewalls will log intrusion attempts -check those logs! If you keep getting hit from the same networks then it's time to contact the person who owns them and report the activity.

Web sites like Firewall.com are excellent resources for keeping up to date on the latest security vulnerabilities and what you can do to fix them.

Wrappin' it Up

No matter how tight your network security is there is no substitute for monitoring the traffic on your LAN. If your firewall logs intrusions (and it should) then check the logs daily. Watch web servers for any odd changes in the amount of storage space on the hard drives, or for changes in the password file. Don't rely on the equipment to keep your network safe -keep an eye on it...