Tusc

Distinguished
Oct 31, 2006
I don't have a background in networking and have a few questions. I am looking to start doing computer services as a side job, which I hope to expand into a good secondary income. I want to be able to service small businesses in addition to households. I will obviously be educating myself more over time on network topics, but for now:

I have a buddy who is a potential client and who is concerned primarily over protecting himself from illicit access to his files and/or theft of files. He works out of his house as a consultant and is also writing a book. Even he admits that he doubts anyone would be interested in an unwritten book, but apparently he services a number of large corporations and he has a concern over, essentially, corporate espionage. I'd laugh a little, but I have to take him seriously.

And so I have to ask you guys: what can / should be done to make a home network secure?

The extent of my experience in this regard has been use of cheap routers and firewalls with some open-source firmware or programs. That has always served me well for my home use, and also a few small offices I have run in the past. But I have never been concerned about people trying to actively hack me, so this brings a new perspective to the game.

The budget he has to spend on this can range up to high four digits or low five. I told him I'd research it and hope that most of what he needs can be accomplished with software / firmware, but that the level of security he is thinking about (as airtight as possible, though I would presume nothing is impermeable) may involve some investment in hardware.

I also told him I'd share this post with him.

Thanks for any information or suggestions you can offer.
If you also know some books you would suggest over others where I could begin to educate myself on networking, I'd appreciate that as well.
 

Brian_tii

Distinguished
Feb 9, 2010
Well... security is a pretty complex and deep subject. The <best> security is to simply not be connected to any network. If you're really as paranoid as it sounds like, I'd recommend separate machines for surfing and writing books, and have them separated on different network segments with firewall rules defining what, if any, access is allowed between the two and what is allowed out (if anything).

With that being said, assuming only a single machine needs to be able to talk online and surf... you probably want to take a multi-tiered approach similar to most corporations, which means you'll want an Intrusion Prevention System, an antivirus setup, as well as content filtering to help limit access to sites that may include malware. You can get all of this functionality into a single box with appliances known as UTM (Unified Threat Management) boxes.

I like the IBM Proventia devices from an IPS standpoint, and it's probably worth looking at the Proventia MX series. I'd likely combine one of those in transparent mode with a Cisco ASA (in routing mode, and specifically the 5505 for your use) for pure firewalling. This gives you multiple vendors, which helps to diversify your security posture and IMHO gives you best-of-breed firewall and IPS. Overall you could get extremely good security appliances with more than enough bandwidth / features for less than $2000. Other vendors worth reviewing are CheckPoint, Juniper, SonicWall, and Fortinet. Of course you'd then have to pay for SmartNet and other maintenance fees for these appliances, but those costs shouldn't be more than a few hundred per year.

Keep in mind that the start of good security comes from the users themselves, meaning your client. They need to be mindful of what the computer is used for / what emails are opened, etc. If your client needs to "freely surf" I'd insist on a separate machine on a separate network behind your firewall.

Regarding books, I'd recommend any good CCNA book to get you started on understanding networking and the general principles involved. If you really don't understand TCP vs UDP, subnetting, and general firewalling / routing concepts (you don't have to be a BGP or RIP expert here; a general understanding is good enough), then I'd say you may want to figure those out prior to offering a service.

Disclaimer: I do work for one of the above-mentioned companies; however, I have nothing to gain (I'm not a sales guy, nor do I hold stock), and all opinions are based purely on my personal experience with many vendors' products.
 

riser

Illustrious
I think it would be a bit overkill to buy some of these devices. Honestly, the biggest threat is him opening a connection and bypassing all that equipment. In a large corporation that equipment is ideal, since you could have hundreds or thousands of computers moving across it. For a home user this is overkill.

You can buy true firewall devices on NewEgg or TigerDirect for a couple hundred dollars. You can create your rules, access control lists, etc. This might be a bit of a headache because you'll need to figure out what he needs access to and what he doesn't.

I would recommend having your hardware firewall (research them to find out about brands and features) and a solid antivirus application. On Windows 7 you could use Security Essentials, which is great and free. At present, it outranks any other antivirus application for Windows 7.

Another trick you may want to consider is running a virtual computer on his computer for web surfing. If he's researching something, etc., he can use the virtual system to access any website, even suspicious ones, without worrying about any access to his real computer. Downloading files and the like will not work (at least not easily), but that's part of the security aspect of it.

Pick up a CCNA book. Expect to take around 6 months to get up to speed on it.
 

Brian_tii

Distinguished
Feb 9, 2010
Agreed with your points, and that it's absolutely overkill. He said the customer was paranoid and ready to spend like $10,000 for network gear to take every precaution. Otherwise I'd never have mentioned it.

I see his biggest threats being himself browsing / downloading malicious content unknowingly. It's not <just> porn and warez sites these days that get you a copy of malware installed. Your virtual machine suggestion is a good one, and I'd highly recommend that as well.
 

jakeBauer

Honorable
Nov 5, 2013

OK, first, to secure your home network simply get these items from either eBay, Craigslist or Amazon.

1. PIX 500 series firewall. It used to sell for $2000.00 but now goes for $100.00; very simple to set up and still bulletproof with the correct ACLs and xlates.
(Yes, a bit bulky, but well worth the money.)
2. No matter what wireless you get, if you're not running WPA2-RADIUS it can be hacked in about 30 minutes, so you will want to place your wireless router into the PIX firewall DMZ on a different IP schema.
(Example: wired IPs 172.20.x.x/24, wireless IPs 10.20.x.x/24)
3. Do not rely on Microsoft firewalls or Security Essentials; they will not protect you. The MS firewall can be turned off remotely in about 15 minutes, and full admin rights in 5 minutes. I would recommend Tiny Firewall or another third-party firewall, disabling the MS firewall.
4. Anti-virus: I recommend either AVG or ESET.
Note: wireless devices such as Linksys, D-Link or any consumer wireless can only handle 5 connections at once with stable results.
I personally built my own WiFi system using Debian and a Cisco long-range PCIe WiFi card.
5. It's well worth it to have network cables run into your home for wired access.

6. I also recommend that if you're worried about breaches you use TrueCrypt in two forms: one as full disk encryption, the second as an encrypted container. This will not stop viruses but will stop physical hacks, as TrueCrypt is unbreakable; if anyone says otherwise I'd like to see them crack it.

7. Getting a Cisco Catalyst switch can be beneficial for VLAN segments and additional ACLs.
8. ACLs are critical in Cisco firewalls and switches. I personally am very restrictive on my network: I statically set my IPs and only those IPs can communicate out on web, email, DNS, and VPN. Everything else is blocked.

Don't surf porn, don't open emails when you don't know who they are from, and don't say yes to ActiveX pop-ups unless you trust the site.

Last don't: DO NOT USE Windows 8. It reports home what you download and what sites you visit. Also, the security on Windows 8 is a joke.

Hope these ideas help.

Jake
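Added example (not code from this thread, and not a Cisco PIX/ASA configuration): a small first-match-wins ACL model of the design that both Brian_tii's segmentation advice and jakeBauer's points 2, 7 and 8 describe, so the rule order can be sanity-checked before it is typed into a real firewall. It assumes a wired 172.20.0.0/24 work segment, a wireless 10.20.0.0/24 DMZ, two statically addressed hosts, and a default-deny outbound policy that only lets those hosts use DNS, web, email and VPN. The addresses, host names and port choices are illustrative assumptions.

```python
"""First-match-wins ACL model for a segmented home network.

Added example: not code from the thread and not a firewall vendor's config.
It models a wired work segment, a wireless/surfing segment in a DMZ, and a
restrictive "only these static IPs may go out on DNS, web, email and VPN"
outbound policy. All addresses, hosts and ports below are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Sequence, Tuple

# Constructed addressing, following the /24 schema given in the thread.
WIRED = ip_network("172.20.0.0/24")         # work machine segment
WIRELESS_DMZ = ip_network("10.20.0.0/24")   # wireless router / surfing box
ANY = ip_network("0.0.0.0/0")

# Statically assigned hosts (assumption): the only ones allowed outbound.
WORK_PC = ip_network("172.20.0.10/32")
SURF_PC = ip_network("10.20.0.10/32")

# Destination port sets (assumed service choices).
DNS = frozenset({53})
WEB = frozenset({80, 443})
MAIL = frozenset({465, 587, 993})   # SMTPS, submission, IMAPS
VPN = frozenset({1194})             # e.g. OpenVPN over UDP


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp" or "udp"
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str         # "permit" or "deny"
    proto: str          # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dports: frozenset = frozenset()   # empty = any destination port

    def matches(self, f: Flow) -> bool:
        if self.proto != "any" and self.proto != f.proto:
            return False
        if f.src not in self.src or f.dst not in self.dst:
            return False
        return not self.dports or f.dport in self.dports


def evaluate(rules: Sequence[Rule], f: Flow) -> Tuple[str, str]:
    """Return (action, rule name); unmatched traffic hits the implicit deny."""
    for rule in rules:
        if rule.matches(f):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Inter-segment denies come FIRST: the permits below use dst=ANY, which
# would otherwise let the surfing box reach the work machine on 80/443.
POLICY = (
    Rule("dmz-to-wired", "deny", "any", WIRELESS_DMZ, WIRED),
    Rule("wired-to-dmz", "deny", "any", WIRED, WIRELESS_DMZ),
    Rule("work-dns",  "permit", "udp", WORK_PC, ANY, DNS),
    Rule("work-web",  "permit", "tcp", WORK_PC, ANY, WEB),
    Rule("work-mail", "permit", "tcp", WORK_PC, ANY, MAIL),
    Rule("work-vpn",  "permit", "udp", WORK_PC, ANY, VPN),
    Rule("surf-dns",  "permit", "udp", SURF_PC, ANY, DNS),
    Rule("surf-web",  "permit", "tcp", SURF_PC, ANY, WEB),
)

# The same rules with the two denies moved to the bottom: a common mistake.
MISORDERED = POLICY[2:] + POLICY[:2]


def flow(proto: str, src: str, dst: str, dport: int) -> Flow:
    return Flow(proto, ip_address(src), ip_address(dst), dport)


# Constructed sample traffic (93.184.216.34 and 9.9.9.9 are example values).
SAMPLE_FLOWS = {
    "work box browsing":        flow("tcp", "172.20.0.10", "93.184.216.34", 443),
    "work box DNS":             flow("udp", "172.20.0.10", "9.9.9.9", 53),
    "work box telnet out":      flow("tcp", "172.20.0.10", "93.184.216.34", 23),
    "unlisted wired host out":  flow("tcp", "172.20.0.77", "93.184.216.34", 443),
    "surf box -> work SMB":     flow("tcp", "10.20.0.10", "172.20.0.10", 445),
    "surf box -> work HTTPS":   flow("tcp", "10.20.0.10", "172.20.0.10", 443),
}


def audit(rules: Sequence[Rule] = POLICY) -> dict:
    """Evaluate every sample flow and return {label: (action, rule name)}."""
    return {label: evaluate(rules, f) for label, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for title, rules in (("correct order", POLICY), ("denies last", MISORDERED)):
        print(f"== {title} ==")
        for label, (action, name) in audit(rules).items():
            print(f"{label:26} {action:6} via {name}")
```

Running it shows why the order matters: with the inter-segment denies first, the surfing box cannot reach the work machine on any port, while with the denies moved last the broad `surf-web` permit (destination "any") quietly lets it in on 443. The unlisted wired host and the telnet attempt fall through to the implicit deny in both orderings, which is the "everything else is blocked" behaviour the post describes.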