One of the earliest ways of making yourself safe on the Internet was not letting yourself be seen. There are many forms of Security By Obscurity, and they all sound logical.
Security By Obscurity, which may or may not be a good idea, does not replace a good layered defense. Each layer is necessary, because no single layer can provide complete protection. Consider each component carefully, and separately, for each network or person being protected.
Now if you're just getting started here, this advice may seem like a lot to take in at once. And it is just that, so take your time reading. Consider one layer at a time, and ask questions.
- Layer 1 - Perimeter Network Protection
- Layer 2 - Individual Network Protection
- Layer 3 - Software Protection
- Layer 4 - Common Sense
- Layer 5 - Education
- Overall Strategy
What is a layered defense?
Start by considering a typical medieval castle - classically, one of those would have:
- A moat - a wide and deep ditch, filled with water.
- High and thick castle walls.
- Guard towers, small castles in themselves, in key portions of the castle walls, but more fortified.
- Small, narrow windows, used for shooting outward at attackers.
- An inner sanctum, typically called a "keep", that was a small fortified castle in itself.
Each one of these elements was designed to be enough to protect the inhabitants against intruders. Frequently, though, the intruders would breach the outer defenses, and the inner defenses were needed to protect the owners (though not all the inhabitants) of the castle.
A layered defense for your network is similar to a castle in concept. The outer layers should be sufficient, but in case an intruder gets through one layer, you have another layer protecting you. Better too much protection than not enough.
Layer 1 - Perimeter Network Protection
First, you need to protect your perimeter - the outer edge of your network. Perimeter protection, such as a NAT router, is the first layer in a good layered defense.
A NAT router acts as a firewall, in that it passes only requested traffic back to the computer that requested it. It won't selectively filter traffic from hostile addresses, nor selectively filter bad protocols or programs, however. Some NAT routers also contain firewall components, but they will probably not be as comprehensive, or as configurable, as an ICSA certified firewall.
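To make "passes only requested traffic back to the computer that requested it" concrete, here is a small Python model of a NAT router's translation table. It is an added example, not code from this page or from any router vendor; the addresses and ports are constructed sample values. An outbound connection creates a table entry, an inbound packet is forwarded only if it matches one, and everything else is dropped.

```python
"""Toy model of stateful NAT (added example; all addresses are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip = wan_ip
        self._next_port = first_port
        # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}
        # reverse index: (proto, lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self._flows = {}
        self.dropped = []

    def outbound(self, pkt):
        """LAN -> Internet: remember the flow, rewrite the source to the WAN address."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self._flows.get(flow)
        if wan_port is None:                      # first packet of this flow: allocate a port
            wan_port = self._next_port
            self._next_port += 1
            self._flows[flow] = wan_port
            self.table[(pkt.proto, wan_port)] = flow[1:]
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: forward only a reply that matches a recorded flow, else drop."""
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None or (entry[2], entry[3]) != (pkt.src_ip, pkt.src_port):
            self.dropped.append(pkt)              # unsolicited, or from the wrong remote peer
            return None
        lan_ip, lan_port = entry[0], entry[1]
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)


if __name__ == "__main__":
    nat = NatRouter("203.0.113.5")                # constructed WAN address
    nat.outbound(Packet("tcp", "192.168.1.10", 51000, "198.51.100.7", 80))
    print(nat.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.5", 40000)))   # forwarded to the LAN host
    print(nat.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", 445)))   # None: unsolicited, dropped
```

The model shows why a NAT router is not a filter: a reply from the right peer is always passed, whatever its content, which is what the later layers exist to cover.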
For more information about firewalls in general:
- Microsoft (KB321050): Description of a Personal Firewall.
- PChuck Better Protection - Hardware or Software Firewall?.
- Wikipedia Firewall (networking).
Please don't confuse the perimeter firewall, which is hardware based, with a personal firewall, which is generally software based. Personal firewalls are discussed in Layer 2.
One firewall or NAT router protects your entire LAN, and is a good idea even if your LAN consists of only one computer. A NAT router today is equivalent in concept to perimeter protection, which was considered sufficient 5 years ago. Now we know to use multi-layered defense (aka layered defense).
Not all NAT routers have the same features. Some are designed for special needs.
- If you have dial-up Internet service, you can still use a NAT router for protection.
- You can complement your Ethernet network with the convenience of WiFi, but be aware of the specific security needs of WiFi networks.
One of the problems with the medieval moat was that it only protected against ground based attacks. The attackers could stand well outside the castle, and fire arrows, or use a catapult to lob rocks, at the castle and its inhabitants.
You can block Internet based threats with your firewall, or NAT router, but WiFi will be a danger unless you use both encryption (preventing malicious eavesdropping of your WiFi traffic), and authentication (preventing injection of malicious WiFi traffic, or access to your servers). WEP is the absolute minimum security that you may use, but I will never recommend anything less than WPA.
Layer 2 - Individual Network Protection
Besides protecting the outer edges of your network, you need to protect its interior components. Interior (individual computer) protection requires a port monitor or a personal firewall.
- A port monitor lets you see what network traffic is active on your computer. There are two which I use. TCPView, from Sysinternals, is free, easy to install, and lightweight. Port Explorer, from DiamondCS, is free for the basic version, takes a bit of work to install (but is well worth the time), and is very configurable.
- A personal firewall lets you actively control what network traffic is allowed to reach your computer. In some cases, it will also be used to control what traffic is allowed to exit it, directed towards other computers on your local network, or towards the Internet itself. See various discussions in comp.security.firewalls for good advice on choosing a personal firewall. A personal firewall can selectively block incoming or outgoing traffic, while a port monitor can provide more detail about network conditions, and can provide you additional warning about problems.
- Besides a personal firewall, which filters network traffic between your computer and the outside world, you can use a sandbox or virtual machine to keep all untrusted network activity separate from the rest of your computer. SandboxIE, which is a lightweight virtual machine, was originally developed to keep Internet Explorer isolated from the rest of your computer; but it can just as well isolate any browser, or any single application, from the rest of your applications.
You need a personal firewall on each computer in your LAN; in case one computer gets infected, a personal firewall on the others could save you a lot of trouble. Note that traditionally, a personal firewall would be software based. Now, there is also the possibility of a hardware firewall, sitting inside your computer. The nVidia nForce is probably the first, but surely not the last, device of this type.
Relying solely upon a personal firewall or a port monitor, to protect you against hostile outgoing network activity, is like relying upon a dentist for protection, and having him fill the cavities in your teeth. Brushing and flossing (here equivalent to the Third Layer) is a much more pleasant way to spend time, in the long term.
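What a port monitor such as TCPView shows you is the socket table; the added Python below (not code from this page or from any of the tools named) reviews a constructed `netstat -ano` style listing the way you would eyeball it, flagging listeners and outbound connections that are not on a baseline. The baseline sets are assumptions for the sample host.

```python
# Added example: review a socket listing the way you would eyeball a port monitor.
# SAMPLE is a constructed `netstat -ano` style listing, not captured from a real host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING       4488
  TCP    192.168.1.10:51000     198.51.100.7:80        ESTABLISHED     3120
  TCP    192.168.1.10:51001     198.51.100.9:6667      ESTABLISHED     4488
  UDP    0.0.0.0:137            *:*                                    4
"""

# Assumed baselines for this sample host; build your own from a known-clean machine.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}
EXPECTED_REMOTE_PORTS = {80, 443}


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                      # headers and blank lines
        state = parts[3] if len(parts) == 5 else ""
        rows.append((parts[0], parts[1], parts[2], state, int(parts[-1])))
    return rows


def port_of(addr):
    """Port number of 'ip:port' (rsplit also copes with '[v6]:port')."""
    return int(addr.rsplit(":", 1)[1])


def review(text, listeners=EXPECTED_LISTENERS, remote_ports=EXPECTED_REMOTE_PORTS):
    """List sockets that are not on the baseline; an empty list means nothing unexpected."""
    findings = []
    for proto, local, foreign, state, pid in parse_netstat(text):
        listening = state == "LISTENING" or (proto == "UDP" and foreign == "*:*")
        if listening and (proto, port_of(local)) not in listeners:
            findings.append(f"unexpected listener {proto}/{port_of(local)} (PID {pid})")
        elif state == "ESTABLISHED" and port_of(foreign) not in remote_ports:
            findings.append(f"unexpected outbound connection to {foreign} (PID {pid})")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

The PID column is the link to the next step: a listener or connection you cannot explain is traced to its process before anything is blocked.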
Layer 3 - Software Protection
Perimeter and individual network protection protects you against malicious network traffic. You also need to protect yourself against malicious content. Properly chosen content protection, on each individual computer, complements network based protection. Content protection has many components, to counter the many ways the bad guys will try to take control of your computer. Use as many as possible - better one or two, than none.
- Activity related protection.
  - Always use AntiMalware protection. Make sure that it includes real time (on demand) scanning, plus a regularly scheduled complete system scan, and make sure that it's regularly updated. See discussions in alt.comp.virus, and alt.privacy.spyware, for advice. Complete instructions, using Spybot S&D and HijackThis (both free), are provided by SpywareInfo.
  - If you download files, use an on-demand trojan scanner. I have been using A-Squared Free for a while. I have also seen recommendations for BOClean, Ewido, and TDS-3 from DiamondCS. A-Squared Free (aka A2) is free; I am not sure about the cost of the others.
  - Understand the differences between trojans (adware / spyware) and viruses.
  - Secure your operating system, and applications. Don't use, or leave activated, any accounts with trivial (guessable) names or passwords. Don't use an account with administrative authority, except when you're intentionally doing administrative tasks.
- Component related protection.
  - If you feel up to it, you can learn to interpret a HijackThis log - on your own, or with carefully chosen assistance.
  - Harden your browser. There are various websites which will check for vulnerabilities; I use and recommend two:
  - Consider using an alternate browser, like Firefox, for the majority of your browsing activities.
  - Harden Firefox - Eric Howes tells us how in Mozilla Firefox Privacy & Security Settings.
  - Harden Internet Explorer - block ActiveX scripts from malicious websites. Populate the Restricted Zone database, using Eric Howes' IE-SpyAd, or configure IE to safely browse untrusted Internet Zone websites.
  - Block known dangerous scripts from running, and possibly installing spyware, using SpywareBlaster.
  - Block known spyware from installing, using SpywareGuard.
  - Make sure that the spyware detection / protection products that you use are reliable, with Eric Howes' Rogue/Suspect Anti-Spyware Products & Web Sites Database.
  - Harden your operating system. Check at least monthly for security updates, with Windows Update. Or do as Microsoft wants you to, and enable Automatic Update (I prefer retaining a small amount of control; your needs may differ).
- Web site related protection.
  - Block Browser Helper Objects (a type of script) from installing into Internet Explorer, using BHODemon (free) from Definitive Solutions.
  - Block script execution, from unknown websites, using NoScript, for Firefox.
  - Protect yourself from web sites with malicious content - either don't go there, or know when you are surfing a web site with malicious content.
Layer 4 - Common Sense
Next, use common sense when installing software, and when using your computer.
- Don't install software based upon advice from unknown sources.
- Don't install any software, without researching it carefully.
- Don't open email unless you know who it's from, how and why it was sent, and that it was sent intentionally to you.
The most critical tool, in your defense, is right between your ears. Keep your Chair To Keyboard Interface carefully tuned. If you're playing music, and a EULA pops up, ask why you're seeing a EULA.
Layer 5 - Education
Finally, educate yourself. This is a constant activity. Stay informed - Know what the risks are.
- Check the logs from the other layers regularly, look for things that don't belong, and take action when necessary.
- Read Usenet forums. Here are but 5 - there are dozens more.
- Read Web forums. Here are 3 - and there are dozens of others.
- Read various web pages that discuss security issues.
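Checking the logs from the other layers is easier with a little tooling. The added Python below (not from this page or from any firewall product) reads constructed host-firewall log lines, in the assumed field order date, time, action, protocol, source IP, destination IP, source port, destination port, and reports sources whose dropped packets touched several different ports, which is the kind of thing that "doesn't belong".

```python
from collections import Counter, defaultdict

# Added example: constructed host-firewall log lines (not from any real system) in the
# assumed field order: date time action protocol src-ip dst-ip src-port dst-port.
LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2006-03-01 10:00:01 DROP TCP 198.51.100.9 192.168.1.10 4321 135
2006-03-01 10:00:01 DROP TCP 198.51.100.9 192.168.1.10 4322 139
2006-03-01 10:00:02 DROP TCP 198.51.100.9 192.168.1.10 4323 445
2006-03-01 10:00:02 DROP TCP 198.51.100.9 192.168.1.10 4324 1433
2006-03-01 10:00:05 DROP UDP 203.0.113.77 192.168.1.10 53 1027
2006-03-01 10:00:09 ALLOW TCP 192.168.1.10 198.51.100.7 51000 80
2006-03-01 10:00:12 DROP TCP 198.51.100.9 192.168.1.10 4325 3389
2006-03-01 10:01:30 DROP TCP 203.0.113.77 192.168.1.10 40001 445
"""


def parse_log(text):
    """One dict per event; comment lines (#...) and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, action, proto, src, dst, sport, dport = line.split()
        events.append({"when": f"{date} {time}", "action": action, "proto": proto,
                       "src": src, "dst": dst, "sport": int(sport), "dport": int(dport)})
    return events


def probing_sources(events, min_ports=3):
    """Sources whose dropped packets touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "DROP":
            ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def most_targeted_ports(events, n=3):
    """Destination ports most often dropped, as (port, count) pairs."""
    return Counter(e["dport"] for e in events if e["action"] == "DROP").most_common(n)


if __name__ == "__main__":
    evts = parse_log(LOG)
    print("possible port scans:", probing_sources(evts))
    print("most-probed ports:", most_targeted_ports(evts))
```

A single dropped packet is background noise; one source walking through 135, 139, 445, 1433 and 3389 in a few seconds is what the review is meant to surface.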
My personal philosophy about protection is that you should apply protection repeatedly, until you run out of money, paranoia, system resources, or time.
- Most of the above products are free.
- I am very paranoid - see my tag line (though not nearly so much as the experts at comp.security.firewalls).
- My main system, which is over 2 years old, runs 10% CPU / 20% memory utilisation when idle, and maybe 30% / 25% when in use. I have a suite of convenience and frivolous programs that probably accounts for half of my idle resource utilisation; maybe 5% / 10% idle resource utilisation is from security products. I don't see that as excessive at all.
- I spend maybe 1/2 hour / day maintaining and running all of my security programs. Much less time than I've been spending with this blog, for instance.
There are many different opinions on this matter. I think that the resources that I spend preventing a malware infection are a far better investment than dealing with (experiencing, detecting, and removing) an infection that could have been prevented. So protect yourself, and the rest of the Internet, please. The rest of us, who see the effects of our friends becoming infected, thank you.