Tech

I skipped ahead in Part 2 of my Computer Security 101 entries to cover passwords, or rather passphrases, despite it falling out of line with an outside-in approach to security. Entering into the actual desktop arena, I am going to skip ahead of a few items to cover the important field of User Permissions.

Assuming you have followed the best practices I have outlined previously in parts 1 thru 5, in order to gain access to a desktop a malicious person would need to either bypass your firewall, hack your wireless, plug a hard-line into your network or be sitting directly at a workstation. From there they would then need to begin cracking the various passphrases on your computer or network to do any major damage. While these are all possibilities, they fall in the realm of highly improbable; again, assuming you have followed the prior posted best practices. Instead the real threat comes from you: the user.

I'm not referring to malicious users, but rather the unintentional threats presented by your own daily activities, curiosity and, to a lesser extent, lack of knowledge. It is here that the greatest potential for attack on a computer system lies. It is here that most breaches in a system occur. Here be users.

User permissions are probably the most under managed and over looked area of computer security, both at the home computing level and within enterprise organizations. Users break things. Users also bring in spyware, adware and viruses. The sad thing is that with proper user permissions most problems can be averted.

I will give an example of just how effective proper user permissions can be:

A while back my daughter had started to use my laptop to work on school projects. Being a person in general and a teenager in particular, she used the laptop for other things as well, such as going to her MySpace page. One thing lead to another and I was removing all sorts of spyware and trojan viruses from that laptop by the time she left that weekend. Yes, one weekend and the laptop was a cesspool.

Now, to put things in perspective this laptop was running the latest in enterprise level virus scanning software, as well as several anti-malware programs. All software and definitions were up to date. Yet, in a short 48 hours it was covered with all sorts of nasty little buggers. The reason? The account she was using had administrator level permissions. That was it; that was the security breach.

Mind you, the rest of my home network kept that laptop from "spreading the disease" or becoming a bot for malicious users, but it was a reminder to myself as to just how important user permissions can be. Since that time she has been setup with a user level account and there has not been a single instance of reinfection. If that is not enough convincing, let me point out that because she has effectively commandeered this laptop, the only account to logon for weeks at a time is hers. She is also not one to update the virus definitions, nor can she with her user permission level (as I said, enterprise antivirus software). But the laptop remains clean as a whistle, all thanks to reduced user permissions.

The lesson to be had here is that everyone should be performing their day to day computer activities with a computer account granted as minimal of permissions as possible. In the Windows environment this means being part of the "User Group", as opposed to the default in a home computer that dumps accounts automatically into the "Administrators Group."

To be completely clear, when I say "everyone," I mean everyone. At the home level a simple user account should be used for 99.999% of your activities. At the corporate level, every employee should be performing their work using a simple user account. This includes department heads, vice presidents, and even IT personnel. Especially IT personnel and most especially developers. 99.999% of all your activities at your desktop can be accomplished using a standard user account.

In order to cover the 0.001% of the time where less restrictive permissions are required, companies have an IT staff to handle things. And those IT personnel should have a second account with appropriate permissions to be used strictly for performing these 0.001% tasks. Home computers should be setup in the same manner as IT personnel: one User level account for everything and one Administrator level account for stuff not covered by everything.

I have heard all sorts of complaints and excuses in the past as to why "so-and-so" is a local administrator on their desktop, or why a developer needs to be an administrator, or why it is inconvenient to have to switch user accounts. To these excuses I say a nice resounding "Bull Shit."

Inconvenient is a home user having to spend $65 an hour to clean all the malware off their computer. Inconvenient is trying to fix your credit after your identity has been stolen. Inconvenient is having your company blacklisted on Spamhaus because a developer's computer is sending out spam thanks to a virus. Inconvenient is having to explain to your customers how their personally identifiable information might have been lost as part of a recent security breach. Inconvenient is going before a judge to explain your company's negligence. These things are inconvenient; having to log off your computer and back on with a different account to install new software is not.

There are other areas of user permissions aside from the simple User versus Administrator, but that really becomes a case by case kind of thing. The best rule to follow is to start off with the most restrictive level of permissions for each person possible and then tweak things as needed. You might get yelled at for a person's lack of access to something, but you are not going to get subpoenaed; and any yelling stops when you fix the problem.

Using the outside-in approach to computer security, we are now at a point to begin covering the actual computer systems. Before we get to that, I thought it prudent to put up a simple FAQ covering the common questions and/or concerns from parts 1 thru five 5. Well, really 2 thru 5, seeing as part 1 was the introduction.

This FAQ mostly covers home network security and does not replace reading the actual articles in this series, or getting help from a professional if you are completely inept in the field of computers.

1. Why are passwords important?
Passwords provide a means of proving your identity to a computer system. Without having this method of identification, everyone could pretend to be anyone they wished and the world would quickly fall into chaos, until someone finally pretended to be the guy with permissions to launch nuclear missiles; at which point the world would just end. This is all very bad.

2. How do passwords help protect me?
As mentioned in item 1, passwords provide a means of identifying you as you, rather than someone pretending to be you. Secondly, passwords are used in some systems to encrypt data so that if someone were to look at a file without the password it would appear as gibberish.

3. What is a complex password?
While the exact measurement of a complex password is system specific, the general rule requires that a password contain at least eight (8) total characters. Of those eight characters at least one must be an uppercase letter, at least one must be a lowercase letter, and one must be a number or other non-alphabetical character. This is the base guidelines, and to be honest are quite antiquated. Realistically, a password should contain at least 13 characters, with the other rules staying the same.

4. How often should I change my password?
Passwords should be changed at least once every three months, depending on what the password is for. Passwords used for more sensitive information should be changed more often than passwords used for nonsense; as an example the password to your online bank account should be changed at least once every two months, while the password for your Netflix account would not be as critical and could be changed every three months (unless you save credit card information in your Netflix account at which time it becomes more critical). Your passwords should also be changed anytime you suspect any of your accounts to have been hacked or your computer becomes infected with a virus/spyware (once the virus has been completely removed).

5. Can I write down my passwords?
Do you leave the keys to your car dangling from the door handle in the bad section of town? That was a rhetorical question. The answer is NO.

6. How do you expect me to remember all these complex passwords that change so often?
I don't. I expect you to use passphrases instead.

7. What is a passphrase?
Passphrases are sentences, phrases, exclamations or questions that are used in place of complex passwords. Passphrases are easier to make complex and are generally much easier to remember. "My6catsareallSiamese!" Often passphrases can include spaces, making them even easier to type. "My 6 cats are all Siamese!"

8. What is a firewall?
A firewall is a device (hardware or software based) that restricts certain types of traffic from entering or leaving a network.

9. Why do I need a firewall?
There are bad people in the world who think it is fun to screw up other people's lives. There are also people who want to steal from you. And then there are people who are just nosey and want to snoop. If these people can get to your computer they can do all sorts of bad things such as deleting all your files, stealing your bank account and credit card information, stealing incriminating files from your computer (nude photos, etc), or just using your computer to send out spam email messages. Firewalls can help keep these people from getting to your computer from the Internet.

10. Why should I restrict outbound traffic on my firewall?
There are many ways for bad people to get to your computer and firewalls do not stop all of them (i.e. malware and viruses). Once your computer is infected with a simple piece of malware it can be used to download more dangerous software from the Internet. The malware can also turn your computer into a tool for the bad guys, such as by using your computer to send out spam email messages or attack other computers. If you have ever wondered why it is so hard to catch the bad guys on the Internet, it is because they use "innocent" people's computers to do their dirty work. Restricting outgoing traffic across a firewall can help stop these things from happening.

11. What ports do I need to allow for email?
Some ISPs use alternate, or nonstandard, port numbers for their email, but for most you will need to allow outbound traffic on port 25 for SMTP and port 110 for POP3 (both are used, the first to send, the second to receive emails). You should also restrict which external Internet addresses (IP Addresses) these ports are allowed to connect with, so that you don't inadvertently allow the bad people to use your computer to send out spam emails (see question 9 above).

12. My wireless router came with WEP enabled, isn't this secure?
No. WEP is not secure. WEP is akin to locking the screen door on your house and thinking no one can break in.

13. What security option should I use on my wireless router?
WPA2 (Wi-Fi Protected Access 2) with AES (Advanced Encryption Standard) is currently the most secure wireless option. If you have a very old wireless device that does not support WPA2, your next best option is WPA, although you should check with the manufacturer for firmware updates to bring it up to WPA2, failing that you should replace your wireless device.

14. What is the SSID?
Service Set Identifier. The SSID is a nice friendly name used to identify a wireless network. This allows you to connect to "MrMoms Network" instead of some long convoluted string of hexadecimal characters.

15. Why should I turn off SSID broadcasting?
In order to connect to a wireless network, you have to know the SSID. When the SSID is broadcast, everyone in range is told what it is. By disabling SSID broadcasting you have added an additional level of protection to your wireless network and helped to prevent nosey people from "just browsing" through your network.

16. My son/daughter/niece/nephew/neighbor's kid said I don't need to do X.
Not really a question, but if X is something I said to do above or in one of the related articles: your son, daughter, niece, nephew or neighbor's kid is an idiot. If they happen to be a CISSP and have a better alternative solution to put into place, then by all means listen to them. Otherwise, I stand by my calling that precious little bundle of joy an idiot and adamantly state that you should not listen to them.

Odds are in favor of there being a wireless network in your home or at your work. Actually, odds are in favor of there being a wireless network located at both your home and work. Even if you are one of the oddball people who do not have a wireless network setup, there is probably one broadcasting into your home or office from nearby. Wireless networks are almost everywhere and the numbers are continuing to multiply fast. Exponentially even.

In the dark ages of wireless (about a year and a half ago) there was about an 80% chance that any given wireless network was completely unsecured. Now I would gauge it at around 70% of wireless networks having inadequate security and 40% remain completely unsecured. Yes, I pulled those numbers out of my proverbial ass; but if I count the number of wireless networks that I come into contact with daily (that are outside of my control), those numbers are just about dead on.

While 40% down from 80% shows that there has been a drastic improvement in wireless security awareness over the past couple years, it is still enough to keep a person up at night. As with all things security related, I blame a lack of knowledge and lack of caring as the reasons those numbers are not down to under 10%. So let's start with the reasons for not only securing your wireless network, but ensuring it is secured properly.

1) Illegal Activities - In today's world where everything can be tracked and traced in some manner or another, it just makes sense to not use your own Internet connection if you are going to perform some sort of illegal activity. Hackers know this. Pedophiles know this. My former IT Director who tried to bring down the company network after he was fired knew this. Instead of using their own Internet connections to perform these illegal activities, they connect to one of the many unsecured wireless networks and let their activities get traced back to some unsuspecting dupe (that would be you). Of course they would have to be smart enough to change their computer name and MAC address to not get caught, but that is another story.

2) All Your Base Are - Continuing the thoughts from reason #1 above into why adequate security is necessary; if someone is going to attempt to break into a network illegally using the Internet and they are smart enough to use someone else's Internet connection to do so, I am willing to bet the farm that they are smart enough to hack a WEP secured wireless network. Although saying "WEP" and "secured" really is an oxymoron.

3) Easy Network Access - The easiest method to gain unauthorized access to a company network is through social engineering. The second easiest method, and easiest method for a home network, is through unsecured wireless. Why not just start asking people driving past if they would like to come inside and use your computer?

4) Internet Bandwidth - The speed you access the Internet is not unlimited, despite how much faster your cable modem is versus your previous AOL dialup. The more traffic running across that connection, the slower your web surfing is going to be. There are also plenty of Internet service providers who are looking at changing their billing model to include over-bandwidth pricing; meaning if you use more than what they consider your fair share of the Internet, you pay more. Now why would I want to jack up my Internet bill downloading all those adult movies when I can just attach to your wireless and make you pay the bill?

The list goes on, but these are some of the bigger reasons for properly securing your wireless network. The really nice thing is that securing a wireless network is about the easiest thing you can do. The bad thing is all the oddball circumstances that crop up in the course of normal business that have kept many companies from securing their wireless access. Being a heck of a nice guy I will cover both sides: the straight forward secured wireless network and securing a wireless network under oddball requirements. But first up, let's take a look at the various methods available to secure a wireless network.

Turn Wireless Off - I would like to say I am surprised at the number of people and companies who have a wireless network and do not even know it. Rogue Wireless Networks. I am not really surprised because I know the sheer number of devices that arrive from the manufacturer with wireless turned on. Purchase a new router for your home network? Probably has wireless built in and turned on. Have a DSL Internet connection? The new DSL modems have built in firewalls, switches AND wireless; and wireless is turned on by default. Basically, turn off wireless on each device you have if it is not needed. If you are not positive beyond any reasonable doubt that it is needed, turn it off. Something will either stop working or someone will complain if it really was needed.

Segment Wireless Networks - Hopefully you have read my previous entry entitled Computer Security 101 - Part 4 - LAN. If you haven't, go read it now. Very few businesses use wireless networks for daily operations. Very few homes do for that matter. Wireless is either accidentally left on or is put into place to meet some need or another. Usually that need is Internet access for someone with a laptop who has enough pull to make your life miserable. The beauty here is that they do not need access to your entire network, just a small section of it. Through network segmentation (you did read the article I just listed, right?) you can limit the access that particular wireless network has to your overall network and effectively mitigate many security threats in doing so.

Disable SSID Broadcast - According to some silly 802.11 standard or another, wireless devices send out a broadcast beacon. Part of this broadcast beacon is the SSID (also the channel number, but if you see the broadcast you already know the channel number because, well, you see the broadcast. See how silly 802.11 standards can be?). In order to connect to that wireless device, you need to know the SSID. If you turn off the broadcasting of that SSID you require anyone who wants to connect to your wireless network to already know the SSID. Ingenious, right? Of course you also need to set the SSID to something not easily guessed, but we'll get to that in a minute.

MAC Address Filtering - A MAC (Media Access Control) address is a hardcoded 12 character hexadecimal code set into all Ethernet devices by the manufacturer that are required to be unique for each device (another one of those IEEE standards). Most wireless devices have the ability to limit which MAC addresses are allowed to talk to it. If a device connects with a MAC address not on the list, it ignores the device. Pretty simple. Except MAC addresses are easy to spoof (pretend to be). MAC Address Filtering is a pain to setup because it needs to be maintained and is lacking on its own. In combination with other methods of wireless security it will help to protect your network, but it is still an administrative nightmare to maintain for a business and rarely worth the extra protection provided.

WEP Security - Wired Equivalent Privacy. Useless security option. Really. Most of the new DSL modems I have seen recently have WEP turned on by default (along with wireless) so the company can pretend to have cared about your network security and not get sued. Of course any computer security person would shred that argument in court, so they are depending on people's ignorance to save them from a lawsuit when someone hacks the wireless network they left on by default. WEP is useless.

WPA and WPA2 - Wi-Fi Protected Access. Another set of those 802.11 standards. WPA is the old standard that made use of TKIP (Temporal Key Integrity Protocol); and was designed to replace WEP without much fuss. Unfortunately, people were able to crack the WPA-TKIP standard in 2008. Luckily, the Wi-Fi Alliance people adopted a new 802.11 standard in 2006 that became known as WPA2-AES (Advanced Encryption Standard). The difference between the two standards really is in the encryption algorithms used. Basically, use WPA2.

Pre-Shared Key (PSK) or Personal Mode - Pre-Shared Keys were introduced with WEP and carried forward into WPA and WPA2. It is a passphrase set on any wireless access point that is used to partially encrypt the data sent wirelessly. I say partially, because the encryption actually changes once the connection is established. You can read up on the entire 802.11 IEEE standards if you really care about useless information, or just want to hit that homerun during your next technical interview. Anyway, all wireless devices are supposed to support PSK and it is more than adequate for personal home networks (hence the Personal Mode pseudonym) and even most businesses; assuming the passphrase is sufficiently complex (getting to that in just another moment).

RADIUS Server or Enterprise Mode - Sometimes mistakenly called EAP or Extensible Authentication Protocol (PSK above is a flavor of EAP, hence the mistakenly part). Enterprise mode uses a RADIUS server like Microsoft IAS or Cisco ACS to provide the authentication methods for wireless connections. A pre-shared key still exists between the RADIUS server and the wireless device, but it expires after a preset period of time and is changed out automatically. This is the mode to use for any business with a RADIUS server.

Strong Passphrases - Every wireless device has at least three passphrases that can be set. The first is the one used to access the wireless device in order to make configuration changes. The second is the SSID. The third is the Pre-Shared Key (may not be used though). Treat each of these as a secure passphrase. Each of these passphrases should be unique from one another. Each of these passphrases should be exactly that, a passphrase instead of a password. Each of these passphrases should be complex in nature, meaning include at least one upper case letter, one lower case letter and one number or symbol. Each of these passphrases should be at least 16 characters long. Do not use your name or your company's name for any of these passphrases. Read my entry entitled Computer Security 101 - Part 2 - Passwords if you have not done so already.

Wireless security is constantly changing and improving, as well as having previous methods become weakened or obsolete. A few years ago you would probably have been told an eight (8) character password was sufficient to protect against a brute force attack, two years ago it would have been 13 characters, now I personally recommend 16 character complex passphrases (thanks in part to GPU offloading). There are also newer features put forward by the Wi-Fi Alliance that will automatically configure wireless security between devices using various methods. All that being said, let's actually cover the concrete security methods that should be put in place.

First thing is first. Shutdown all wireless access points and routers that are absolutely not needed. Move onto the next step if you are doing all this for your home or a small office (two paragraphs down); otherwise grab yourself a laptop with a wireless card and start walking your perimeter. You will want a wireless card that supports at least 802.11 b and 802.11 g network standards; 802.11 n is currently an added bonus, but is increasingly becoming a requirement. As you walk around refresh the available wireless network screen and see what you see. Write down each and every wireless network you find and the locations you find it in. Write down the SSID if it is available. Write down the security level (WPA2-AES, WPA-TKIP, etc) that each wireless network lists as being used. Connect to unsecured wireless networks and see if it is part of your network or perhaps something from the Starbucks next door. There are free tools available on the Internet to help in all this (mostly for Linux, but still plenty for Windows), just don't spend any money.

Now that you have identified all the Rogue airwaves (not necessarily Rogue Networks) in your company space, see what you can identify. Use a little common sense in this practice. If a wireless network is strongest in the eastern region of your building, talk to the departments in that area. If there are other companies in the Eastern region, see if they are running wireless. Pretty simple stuff. Once you identify all that you can identify, the rest is considered a Rogue Network and needs to be found. Again, there are freely available software applications and instructions elsewhere on the Internet (like making a focused antenna with a Pringles can). Find these Rogue Networks (assuming they are actually on your company’s network) and eliminate them.

Assuming you need a wireless network to not be shutoff, the next thing to do is setup an actual secured wireless network. The best possible combination of security layers available is to segment the wireless network (at work, probably not home), use WPA2-AES protocols, disable SSID broadcast, and use strong passphrases (complex and 16 characters or longer). A company that has a RADIUS server should make use of Enterprise mode WPA2. Discuss with whoever handles your RADIUS server as to which EAP types are available. Everyone else has to use EAP-PSK, or Personal mode; again with a strong passphrase. MAC Address filtering provides very little added benefit at this point, so ignore it. It would be like putting an umbrella over a submarine to protect against the rain.

There. Done. That is currently the best configuration available for an active wireless network setup. The problem is each device (laptop, PDA, tablet, etc) that is going to connect to the wireless network must be setup now. This is generally not a big deal as it requires each device to only be setup once (set-and-forget). The real problem comes from C-level executives who believe they are tech-savvy and, worse still, salespeople (regardless of their tech level).

Both of these groups of people generally have no idea why they need an IT department to begin with. All those damn geeks do is make things more complicated than it needs to be. They do not want to call IT when their 4 year old is using mommy's laptop in the office and needs wireless access, or when a salesperson has a client in who needs to check their email. This is where wireless becomes unsecure once again. Ideally there is a strong CIO (CSO would be even better) who will insist that policy is policy and the wireless has to remain secure. Even without that CIO you still have a few things you can do to keep your network secure.

The first thing to do in the above scenario is to pick a good location for the "open" wireless. Conference rooms near the center of a building between floors two and five are excellent choices (first floor gets the most non-work traffic. Too high up in a building and, because of signal bounce, you can become a radio station broadcasting to the world). Picking locations like this for open wireless access points will reduce the likelihood of outside persons gaining access to your wireless network. Some wireless routers and access points offer further assistance here by allowing the signal broadcast strength to be reduced, thus decreasing the distance available to connect to the wireless network. Almost every sales person or C-level exec will be satisfied with someone telling them "There is wireless available in the third floor conference room," as opposed to not at all.

The next step is to segment the open wireless network from the rest of the network. As much as is possible that is. A little guided research is required to discover what the use of the wireless network will be. Leading questions are great here such as, "I can setup the third floor conference room for wireless Internet access. Will that work for your sales team?" The answer will be "yes" and you can segment that wireless network from everything but Internet access.

The last step is to turn off the wireless. A good majority of commercially available wireless routers have some sort of scheduling built-in. This can range from allowing wireless access during certain times on certain days, to perhaps blocking certain Internet protocols (block any any) during certain times of the day. These functions can be used to restrict the wireless access to business hours only, which increase the wireless security level slightly (only the truly bold are going to connect illegally to a wireless network when the IT staff is there and alert).

Under normal circumstances the obvious choice is to put into place the most secure wireless settings possible. Failing that, virtually ever business scenario for not having restricted wireless access can be mitigated by combining the various methods of securing a wireless network listed above. A little thought process combined with a few leading questions and you can once again sleep soundly at night.

Continuing the outside-in approach to security, once you make it past all the routers, firewalls and Demilitarized Zones (DMZ) you eventually come upon the local area network, or LAN for short. Stop! Hold it! Router? DMZ? Why didn't this stuff get covered? How can we possibly move on when I just mentioned two things that were not covered on the way in from the Internet?

The short answer is that they were covered, just not spoken about directly. As I mentioned during Part 3, a firewall is a specialized router. If you are using a router as part of your security approach, you are using it as a firewall. As to the whole DMZ thing, well that is just the area of a network that lies between the Internet and your local network. This is usually the "optional" network port off of a firewall or, ideally, the space between an external firewall and an internal firewall. There. Happy now?

For the majority of computer networks out there, your entire network is your LAN. A good chunk of companies have wide area networks (WAN) of one flavor or another, but with technology the way it is these days, the wide part has gotten really thin. Without a geographic map for a guide, it has become increasingly more difficult to tell the difference between a local resource and a remote resource. In effect, a WAN should be treated as just another segment of your LAN.

You might have noticed that the word segment was a link up there. That's because segment is an important word when it comes to LAN security and I wanted to make sure everyone knew what it meant. The first definition listed will do. A segment is just a section or part of the whole. Nothing overly technical about that. It is important because segments are what help secure a LAN.

In order to understand this, we need to delve into a little technical mumbo-jumbo. All networks have some sort of addressing scheme, Internet Protocol (IP) addressing is the most common (FYI, there is NO SUCH THING as TCP/IP addressing, there is only IP addressing), so we will use IP addressing for this example. Every device on a network has some sort of address attached to it, again, usually an IP address. In order to talk to a device from your computer you need to have that device's IP address. With me so far?

There are three main ways to get a device's IP address. The most common method is through domain name service resolution (DNS). DNS is the IP address resolution method of the Internet and most networks. It basically works like calling telephone directory information to get a phone number. Your computer knows to dial 411 when it needs an address; the DNS server is the operator that answers 411 and tells your computer what the IP address is for a given device.

A second, older method of getting an IP address for a device is through WINS resolution. WINS has been made obsolete by DNS, but there are some networks out there that continue to use it for one reason or another. WINS works in the same way as the DNS-operator analogy above.

The last method of your computer finding an IP address (that it does not know already) is to send out a broadcast. Most network communications are unicast, meaning one device to one device. Basically like a normal phone call. Broadcast is a scream out to an entire network segment, meaning one device to every device. It is comparable to a mom in the grocery store whose 4 year old has wandered off to the cereal isle. Everyone knows little Timmy is missing.

Broadcasts might be good to find little Timmy in a grocery store, but on a network they tend to be bad. When mom screams out "Timmy" in that oh-so-shrill voice of hers, EVERYONE stops what they are doing and looks up. Broadcasts on a network are the same way, every device has to take the moment to recognize the broadcast and either ignore it, or respond. The primary security problem is in that response, notice I did say primary though.

We'll use another example to see exactly what the problem with that response is. In this example Timmy is a little mentally slow (all the screams from his mom melted his brain), but he is carrying a knapsack with $1,000,000.00 in it (Timmy is very strong). Timmy is someplace in a clothing store; in order to get that cool million bucks you just need to find Timmy. Clothing stores are generally wide open areas, with little to block sound, so when you yell out, "Timmy," he is going to respond back with a nice loud, "Here!" As I said, he is a little mentally slow, so he'll respond to anyone saying his name. One million dollars in the bank later and you are a happy camper.

Now what if Timmy was someplace in a multi-floor, multi-company office building? Walk through the front door, yell out for the kid, and you are not getting anywhere. Oh, you might get really lucky and find him standing there in the lobby, one finger in his nose, the other scratching who-knows-what; but given the number of floors, companies and rooms, the odds are against you. Makes it a lot more difficult to find that million dollar prize. Also, the more you wander the building yelling out for Timmy, the more likely someone is going to take notice and have you escorted away by security.

Relating Timmy's story back to your network, if your LAN is one big happy segment (the clothing store) with all the devices on that same segment and a hacker gets onto your LAN, it makes his life really easy to find the million dollars by using broadcast shout outs. If you divide your network up into multiple segments (the office building), you just made the hacker's job a lot more difficult. Just like with the office building, the more the hacker has to wander your network to find something, the better a chance of getting caught or, at the very least, leaving a nice trail of breadcrumbs back to them.

The second security problem with broadcasts is that everyone looks up to see mom screaming before ignoring her again. It is only an instant of time, but imagine if the grocery store was full of 1000 screeching mothers looking for Timmy. Not much shopping is going to get done in that grocery store. That is the equivalent of a broadcast attack on a LAN. Not very common, but it has happened and will bring a network to a screeching (pun intended) halt. Segmentation helps with this as well.

The better you can isolate sections of your network from one another, the more secure your LAN becomes. This is done by using subnets, which is the IP address way of breaking up a network into segments. You can think of a subnet as a telephone area code, limiting which numbers are available before you have to change to another area code. In order to do this, and make it count, you will have to use switches instead of hubs (if you are not already). You will also need to ensure your switches are not set to forward broadcast packets (usually the default setting), but are set to relay DHCP requests to a DHCP server (as needed).

Subnets can be either physically broken up networks or more practical Virtual LANs (VLAN). In the physical world, you would decide that everything attached to Switch-A belongs to Subnet-A, Switch-B to Subnet-B, etc; and then place some type of routing device between each. That can mean a lot of pieces of physical hardware. Explaining VLANs fully is a bit beyond the scope here, but using VLANs (which most modern switches support) you divide up each switch into multiple subnets based on different criteria; usually the jack number on the switch (for untagged) or with tagging. As a result of not needing tons of extra hardware, VLANs are a much more practical approach to segmentation.

Through proper network segmenting you can not only provide for a more secure LAN, but also speed up network traffic across your network. If you know accounting uses only one server and little else, you can move that server directly to the accounting subnet. You can also control what information is passed by a DHCP server to each subnet; allowing you to set everything from which DNS server a given subnet uses, to stopping Internet traffic for one particular subnet. Combine that with the above broadcast scenarios and segmentation becomes a very good thing for increasing your LAN security.

When it comes to computer and network security, I believe in an outside-in approach. Start as far away from your computer as possible and work your way back, putting up as many roadblocks in the way as you can. This approach has served me well in the past, and will likely continue to do so in the future. And so we will continue delving into computer security at the network perimeter with the firewall.

Before we begin I should point out that passwords were covered first and foremost due to their very nature. That is to say, everything has passwords of one sort or another. Firewalls included. So it would have been negligent of me to not cover passwords first. Now we can move on. Thank you for your patience.

There are a lot of people out there who do not know what a firewall really is, let alone understand what it does. This group of people includes many IT professionals, even very seasoned professionals. I often get a look of disbelief during technical interviews when I am asked about experience with a particular firewall or another, because I always respond with something along the lines of "a firewall is a firewall."

Usually my resume is directly in front of them and lists my Check Point Certified Security Administrator NG, Cisco Certified Network Associate, and Certified Information Security Manager certificates; as well as a plethora of various hardware that I have worked on (such as PIX or Watchguard firewalls). So when the person across the desk asks me if I have experience with a Sonic firewall, well, "a firewall is a firewall" is about as polite an answer as I can give. Sometimes I just blow the interview right there and go into sassy mode. But I digress.

A firewall is a firewall is a firewall. Period. Some are better than others, but they all do the same basic thing and are configured the same way. The interface might be different, but just because one car has a digital speedometer does not make it any more difficult to drive than one with a standard needle (analog) speedometer. Let’s dive in to what that same basic thing is.

In the beginning we had routers. Routers route network traffic. Then someone said, hey, let’s make a specialized router that does the same thing, only less of it, call it a firewall and charge additional money for it. Thus the firewall was born.

If you were to think of your network as a company, with the computers as departments and the software running on the computers as people; firewalls would be the mailroom. Any type of parcel has three things that are readily available to be seen: 1) The address the parcel was sent to, 2) The address the parcel came from, and 3) How the parcel was delivered (FedEx, UPS, USPS, etc). A good mailroom looks at these three things and determines what to do with the parcel. Simple and easy.

A mailroom example of what is taking place with that parcel: A letter arrives addressed to the CEO of the company, there is no return address, and the letter arrived with a bulk mail (USPS) stamp on it. What do you think the mailroom is going to do with that letter? Were I a CEO, I would fire a few people for delivering junk mail to me; thus the mailroom might trash the letter outright or they might decide to deliver it someplace else, say the CEO's secretary (sorry, administrative assistant). It really would depend on the instructions given to the mailroom, right?

Next a big brown box arrives that is addressed only to the company itself. The box arrived via UPS ground. A good mailroom is going to look at the packing slip to find a little more information. They immediately notice the parcel arrived from Dell Computer Corp, and move the box on down to the IT department without a second thought.

Mailroom gets a letter for Jane Smith, well there is no Jane Smith here: RETURN TO SENDER. And the mailroom never accepts C.O.D. parcels.

This is exactly what a firewall does. It is behaves like a good mailroom staff with instructions on what to do with each parcel that arrives; only it deals with data as its parcel. There are three things that are readily available to a firewall: 1) The address the data is sent to, 2) The address the data came from, and 3) What port the data is being delivered on. Simple and easy.

Configuring a firewall is about the same as giving instructions to the mailroom. "Only allow marketing to send out bulk mailers." "Anything that comes in from Dell goes to IT." "Only John can send out packages using the freight company." Etc, etc. The only differences are in what the address looks like (hint, it’s an IP address instead of a postal address) and instead of saying "UPS Next Day Delivery," we use port numbers.

The bulk of setting up a firewall comes before you even touch it. Before you can set it up, you need to know what the instructions are going to be. The best instruction is always return everything to sender that comes in and don't let anyone use the stamp machine to send out. In firewall terms, this is "deny any any". It should always be your starting point; everything else gets built on top of that and creates a pecking order for what happens with the data parcels. This works for a firewall just like a mailroom: John can use the stamp machine. You are not John; therefore you get denied the use of the stamp machine.

Coming up with the instructions to give the firewall are relatively easy, but usually takes a few minutes to do. It involves a little research to see what software applications are used to do what on your network. This includes sending and receiving email, browsing the web, running a SageTV placeshifter server or playing online games. If something needs to talk to the Internet, it needs a rule for the firewall. You just need to figure out (look up) what those rules need to be.

A few simple guidelines for setting up rules:

1) Permitting all outgoing traffic is a very bad thing. So don't do it. Spend the 15 minutes to find out what traffic needs to go out and to where.

2) If you have a dedicated email server, it should be the only thing on your network that can send or receive email. That is to say that POP3 (port 110) and SMTP (port 25) should only be permitted to and from that server.

3) If you do not have a dedicated email server (meaning you get your email from your ISP) you should block incoming SMTP & POP3, and allow outgoing SMTP & POP3 **ONLY** to your email provider (these are the addresses that look like smtpout.yourprovider.com that you put into Outlook when you setup your email account).

4) If you have a dedicated DNS server, it should be the only thing on your network that can send out DNS lookup packets (port 53).

5) If you do not have a dedicated DNS server you should only allow outgoing DNS traffic to go to your ISP's DNS server (your ISP gave you this address someplace).

6) Unless you handle your own DNS services for an Internet server, you should block incoming DNS requests.

7) Explicitly stating where any outgoing traffic is going to is a very good thing. If your game requires port 9110 to be open, then only allow port 9110 to be open with an outbound address of the game server.

You can't surf porn without allowing web traffic, so odds are you will want to allow outgoing HTTP (port 80) and HTTPS (port 443). Not much you can do there, but it does provide a big loophole. Other programs use these ports to bypass firewalls, and that is a bad thing. The fix is an Application Layer Firewall. If you are setting up your firewall for home use, don't worry about it. If you are doing it for a company and you have not yet purchased your firewall, or have the budget to "upgrade" your firewall, get an Application Layer Firewall.

Continuing the mailroom analogy... A fruit basket arrives addressed to Gertrude in Accounting delivered by the flower delivery guy. Every company accepts deliveries from the flower delivery guy. The flower delivery guy is HTTP on Port 80. So the mailroom rushes that fruit basket over to Gertrude, only instead of pineapples, the fruit basket contained pineapple grenades. Boom. Poor Gertrude. And poor everyone in Accounting.

An Application Layer Firewall is like if the mailroom X-rayed every piece of mail that came through there. More so, they were allowed and required to open every parcel that comes and goes to take a quick peek to make sure the package is what it says it is. That is exactly what an Application Layer Firewall does, because the Internet is chock full of people trying to send pineapple grenades to Gertrude; and Gertrude (bless her little heart) is trying to send socks to her nephew in Utah using the company's UPS account.

A last note on firewalls, primarily for corporate IT people: Two firewalls are better than one. The best setup for a firewall is to have an external firewall that handles incoming traffic, such as allowing traffic to your web server, and a second internal firewall that handles outgoing traffic. The external firewall can be in drop-in mode (meaning it knows all the external IP addresses that your company uses, but is not performing NAT translations, just filtering). The internal firewall connects to the external firewall, gets one of those external IP addresses, provides NAT translations (using that external IP) and should be an Application Layer Firewall. More internal firewalls are even better, but two should suffice. Between the two firewalls are your outside only services (web servers, email forwarders, porn, etc). You can even get creative and place honey pots between them, but that is a bit beyond the scope here.

Firewalls are as complicated as you want to make them, but really you should be making them very simple. Keep in mind that a firewall performs the same tasks as a good mailroom. If you do your homework to determine what traffic you need to allow (port numbers), where the traffic should be coming from, and where it should be going to; then you have 99% of what it takes to setup a secure firewall. The other 1% is just punching in that information.

As I have already mentioned, I have worked for a variety of different companies. Each one has had their own policy on account passwords and those policies have been as varied as the companies themselves. Most have not been very secure at all.

One good example of this always comes to mind when I talk to people about account passwords. About 14 years ago I worked for (contracted with) a well known company in Ohio, that also happens to have one of the largest repositories of legal information in the world. My position within the company was along the lines of desktop support where we would get assigned support tickets to fix users problems. Our performance was based mostly off volume completed and the time each support ticket was open.

Invariably there would be times where I would arrive at a user's desk to fix some problem, only to discover they had left for an extended lunch (Executives were great for this) or had taken a few days off from work. As luck would have it, it was also extremely likely that the support ticket had something to do with the user's profile on their computer (a "profile" is all the settings on a computer that pertain to that particular person, such as the wallpaper or screensaver they have chosen). This meant that without being on the computer as that user, the problem could not be fixed, the ticket would remain open, our (my) performance level would go down (kind of a crappy way to do things, but it was what it was), and if cuts came, well you know the story.

To solve this problem I would immediately turn the keyboard over and look for a little piece of paper taped to the bottom of it containing the user account password. About 50% of the time, it was there. The little pull out writing tables that are part of some desks were another great place to look. And when all else failed I would open their picture frames on their desk and find their children's names. I had about a 90% success rate in getting into the computer as the user. Pitiful.

Nowadays I would verbally reprimand myself for doing that. I would write-up (or outright fire) the user. My, how times have changed. Except they haven't. I no longer "hack" into user accounts in this manner, but far too often those user passwords are still written down someplace on that desk. The excuses are always the same, "I have too many passwords to remember" or "IT makes me have too difficult of a password to remember." Well, I have a solution.

The first part is to forget about passwords. Passwords suck. Passwords are like relatives you have to visit, but go into convulsions at the sight of. Passwords are so 1990s. For you retro-people, that is not a good thing. Instead of passwords, passphrases are the way to go. It is one of those new industry best practices, and it is a smart one.

A password is a bunch of letters and numbers thrown together to let you log onto the computer. In order to increase security, IT departments have required that passwords be a set minimum length and contain a certain level of complexity (usually something like it must contain one uppercase letter, one lowercase letter and one number or other symbol. Sound familiar?). Users write these down. Passwords are bad.

A passphrase is a phrase or sentence that is easy to remember. Passphrases are easy to create that will meet any level of complexity requirements. Users do not need to write down passphrases. Passphrases are good.

Here's an example of the difference between a password and passphrase. For this example let us say that the "password" must be at least 10 characters long, contain at least one uppercase character, one lowercase character, one number and one symbol. Relatively complex and difficult to brute force (brute forcing is throwing characters at a password until the right combination is obtained, more on that in a minute).

For our password we have: Id10t.Error
For our passphrase we have: Mydaughteris17yearsold.

Which is easier to remember? The first one has 11 total characters, the second 23 characters; yet the second would be easier to remember for any parent. Heck, a lot of systems will even allow you to use spaces as characters, thus making the passphrase much the same as typing a sentence. The second is also more difficult to brute force attack due to the increased length, and given such a huge range of possible passphrases that a person might pick, pretty much impossible to simply guess.

Now a word on cracking passwords. There are a few methods for getting a password, the most common is for the user to tell you; either directly or by writing the password down. Flat out guessing, or making educated guesses is the second in the list of most common and easiest. Lastly comes cracking the password (there are other methods, but these are the most common). This is generally done using brute force attacks, so named because it is similar to a physical brute force attack in that a would-be hacker just continues to pound away at the possibilities until security falls away. A variation (although some consider it completely different) on brute force attacks is the use of dictionary files, where entire words are thrown at a password, alone or in combination. Still qualifies as a brute force attack in my opinion.

Brute force attacks are generally done using specialized programs that allow the hacker to set a few parameters, such as minimum password length, and the program does the rest. Character by character these password crackers plug-in sequential combinations of letters and numbers until a successful password attempt is achieved (aaaaaa, aaaaab, aaaaac, etc). These attacks take time, based on the possibilities for a given password. The more confined the password requirements are, the less time a brute force attack will take. The fewer characters in a password, the less time an attack will take. The fewer types of characters in a password, the less time an attack will take. Using dictionary files instead of strictly sequential attempts also reduces the attack time. And to top it off, each year computers get faster and faster, allowing more password attempts to occur over a given period of time, and thus, the less time an attack will take.

After touting passphrases over passwords I present the doom and gloom. Bad, bad Andrew. There is good news though, I promise. The first piece of good news is that if you read back you will see that brute force attacks are third on my list of methods for gaining someone's password. That means that the other two items are far more likely. Using complex (containing numbers and letters with a minimum set length and no, or very high, maximum length) passphrases over passwords greatly reduces the likelihood of a person ever guessing a password. Passphrases, as mentioned, also increase the likelihood of a user remembering their password, and as such greatly reduce the likelihood of someone finding it written down.

That leaves one further part from the list of the three methods: telling people your password. Don't do it. Not ever. Never ever. Your passphrase is yours and yours alone. Do not, under any circumstance, tell anyone your passphrase. Not your spouse, not your manager, not the CEO of the company, and especially not someone from IT. People always try to tell me their passwords. I make loud noises and cover my ears until they stop, and then proceed to tell them that they are trying to do something bad. No one, let me repeat, no one needs your password but you. In the unlikely event that someone someplace needs to access your account, IT can reset your password. The glory of this is that it creates a paper trail showing that someone changed your password, and you will know it has been changed.

Returning to the doom and gloom of brute force attacks, there is more good news. A big help with stopping these attacks is in changing your passphrase on a fairly regular basis, at least once every 60 days, preferably 30. On that note, when you change your passphrase you should not use the same one you have used previously. At least not for a year or two. The reason? In the event that a passphrase is compromised (meaning you told someone who called up and said they were from IT), it is only good for a certain period of time. Then poof, it is a new password. This also hurts brute force attacks, because if they get a password and it is changed, they have to start all over again. IT personnel should set these options in their systems to force regular password changes to occur.

The last note on passphrases is for the IT persons out there: set an automatic failed attempt lock-out. Huh? Almost all systems that use passwords have a setting that will lock out a user account if the wrong password is entered X number of times within a given time period. You can even set the lock-out to expire after X period of time automatically on many systems. A good setting level is to have automatic one hour account lock-out after 3 failed attempts. This effectively reduces the success level for any brute force attack to 0, because three attempts in an hour will take many, many lifetimes.

To sum things up, here is the simplified version of all the junk above. Learn it. Live it. Love it.

1. Use passphrases instead of passwords.
2. Ensure your passphrases contain both upper and lower case characters, as well as numbers. Symbols are also good.
3. Never write your passphrase down anywhere.
4. Never tell anyone your passphrase.
5. Change your passphrase at least once every two months, preferably once a month.
6. Do not reuse a passphrase for at least a year.
7. For IT: Automatic account lock-outs are your friend.

There. You have your 20 minutes of security work for the week. And it didn't even cost you a dime, imagine that. Next up we'll move out to the network perimeter and start working our way in. Stay tuned for Part 3 - Firewalls. Until then, be safe.