The Becsta.NET First Rant - My Home Network

My home network consists of a gateway, a workstation, and a laptop. Three machines, that's all. Oh, and I have VMware on my laptop. All three physical machines are running Linux, with the VMware session running Windows NT. So, why am I concerned about security of my home network, and what am I doing to address the concerns?

Risks and Mitigations

Security is all about risk management - identifying risks and mitigating them. So with that in mind, let's continue...

The concerns I have generally equate to the risks which I perceive my network carries. The greatest risk would be a general compromise of my home network. Ever since I have been connected to the Internet, none of my systems have (as far as I am aware) been compromised. If my home network were hacked, my reputation (both personal and professional) would suffer. My good standing within the company I work for would be questioned, the skills and knowledge I have would also be questioned. So, I have to do something about this risk, and implement security within my home network to stop hackers.

Another risk is leakage of confidential information, specifically personal information, and work information. I don't care (to a degree) if someone snarfs my URL history, but I do care if someone steals my credit card information. I don't keep my credit card information in a file on any of my machines, but how easy would it be to look through a browser cache, or install a keyboard sniffer? I don't want someone stealing my PGP keys, nor do I want someone reading my personal diary.

So what about work files? Aren't they more important than personal stuff? Umm, they should be treated exactly the same as each other (you do give a toss about your personal information, don't you?). Encrypt them, store them offline, use appropriate encryption protocols to move them between work and home, only have files currently being worked on around (all the rest are stored at work - duh). This is a big risk - having work files on home machines is not a good idea, generally, but sometimes you just have to have some work files/documents at home. In the IT security industry, it's not unheard of for employees to work from home from time to time, especially when doing white-hat reviews/documentation/coding. In the end, work files need to be treated with care, and appropriate security measures put in place to protect the information they hold.

What's another risk? Not wanting to have my machines 0wn3d and used for launching attacks on other systems. It is fairly common for hackers to use home machines to launch attacks on more valuable systems. By utilising home machines/networks in these sorts of attacks, the attackers can remain anonymous - it would be nigh on impossible for a general home user to track where an attacker is coming from. The home user would be blamed for the attack, resulting in either costly legal fights, or their Internet account being shut down.

And another risk - I don't want my website being defaced. This would end up having an impact on my reputation in the end. How do I mitigate this one? Have the site hosted by a specialist web-hosting company - responsibility for host security is theirs, not mine. Have the site run on UNIX platforms, not Windows (easier to secure (flames to /dev/null)).

Yet another risk - Denial of Service (DoS) attacks on my home network. There's not much that can be done to mitigate this one, especially since it wouldn't take a lot of effort to kill a slow home link. It's a pain in the ass to have a slow link, but the attackers will get bored and move elsewhere. One defence is to drop the link, redial, and get another IP address. Another is to configure the firewall and IDS correctly, to stop application-level DoS attacks.

Let's see if there are others? *ponders* Ahh! Leakage of personal information to sites on the Internet. Why am I worried about this? See the rant below. I mitigate this one by not blindly accepting cookies, using an ad filter, turning off JavaScript etc. I am also very hesitant in giving personal information to sites in order to become a "member".

One of the negative security drivers is cost. Lots of security generally equates to lots of cost, of time to set things up, of time to administer, of time to investigate issues, of money to purchase products (hardware, software, etc). Businesses love to talk about security, and be all concerned, but in the end they don't implement appropriate security measures because it is too costly. To sufficiently secure a home network, OTOH, the only cost is time. If there is a financial cost, then you're wasting your time and money. All of the above risks can be mitigated to a reasonable degree by expending time to work through security practices by locking down machines, installing and configuring firewall software etc. More on this later (another page perhaps?).

$Author: rebecca $ $Date: 2001/08/28 07:48:10 $ $Revision: 1.2 $