logo
background
 Home and Links
 Your PC and Security
 Server NAS
 Wargames
 Astronomy
 PhotoStory
 DVD making
 Raspberry Pi
 PIC projects
 Other projects
 Next >>

Setting up a secure home network

Home network security

How do I secure my home network ?

The first step is Physical Security. If an 'intruder' gets past this you need to keep them at bay with a mix of hiding, obscuring, confusing and misdirecting. If all that fails, your final defense is software security (TCP/IP settings, account permissions, passwords and firewalls).

You should always 'hide' your existence from the Internet = if you don't exist, you can't be hacked (from the Internet). Most Routers can be placed into 'stealth mode' (in which it holds all it's 'ports' in the 'closed' position (by default) and does not to respond to any 'query' from the Internet, not even a 'ping') = to test yours, go to Gibson Research and under 'Services' tab, select 'Shields Up!'

If you can avoid attracting the 'attention' of the 'script kiddies' and their 'port scanners', you can avoid having your bandwidth swamped by their attempts to 'get in' using 'password guessing' software that tries thousands of times a second and (should they succeed) avoid them trashing your files in ignorance. Also, the less 'visible' you are, the less likely you will become a target for 'other peoples' infected computers wanting to spread their viruses across your home network

What's best, wired or WiFi ? (and how do kids impact my choice ?)

WiFi is on the 'trusted' side of your Router's firewall. Hackers** within 'range' only*** have to 'crack' the wireless encryption to get access, whilst a fully wired network (with a non-WiFi Router) can only be accessed on the 'trusted' side by those who can gain physical access to your home. This suggests that wires are the most secure (although this often means the 'unacceptable' drilling of holes in walls, floors and ceilings so cables can run from the computers to the Router).

** It's not too hard to avoid the 'casual' WiFi intruder (for example, if you enable WiFi encryption and disable 'Broadcast SSID' your next door neighbour's kids can never 'accidentally' link to your WiFi net) - and keeping out the 'script kiddies' is generally just a matter of making sure you have a 'defence in depth' with passwords and user 'permissions' in place at all levels.

*** If you have a Netgear Router, you also have the option of setting 'Wireless Isolation' which prevents one computer on WiFi from 'accessing' any of the others - and should stop most 'script kiddies' dead in their tracks

Unfortunately, if you have kids, the list of potential 'home intruders' is never-ending (= every 'friend' they ever bring home). In these circumstances a wired system will be LESS secure than WiFi based one = it's really easy to swap an Ethernet cable from one computer to another (no password required**) whereas WiFi requires knowledge of the SSID as well as the WPA2 password

** The only way to prevent an Ethernet 'cable swap' leading to network compromise is by ensuring every wired computer is 'MAC locked' to the Router. This can be a real pain if you want to use a 'spare' Ethernet cable with any of your Laptops in order to 'link' to a back-up Server / NAS

If you don't want their friends using your WiFi, you either have to use MAC address locking or you have to set up the WiFi on their computers / smart phones etc. yourself.

NB. If (when) the kids ring you at work saying they have 'accidentally' lost their WiFi settings (i.e. they need the SSID and WPA2-PSK password for their friends who are visiting with their virus ridden laptops) you need to be firm & tell them "Sorry, you will have to wait until I get home"

My recommendation would be to 'reserve' the Ethernet cables for your own kit and allow your kids to use WiFi. If you have a Router with an 'Isolate Wireless' option, by all means allow their friends access as well.

When they can't get 'on-line' via WiFi your kids (or their friends) will try to use one of your Ethernet cables on their own kit. When that fails, they will try to get access to your wired computer.

So, if you have a mix of WiFi and wired computers, IDEALLY the wired computers should be on a sub-net that can not directly access the internet - if your kids know they can't reach the Internet from your wired desktop computer, they (& their friends) won't bother trying to 'hack' them

If you do use the wired computers on the Internet, in the household with kids, unless you want your wired computers 'trashed' (with 'bootable' USB / CD 'password crackers' or a 'Live' operating system) you must make sure that 'your' computers (e.g. your 'office' PC and your Home Server / NAS) are physically locked away

If you can't keep them locked away, you MUST enable the BIOS Password (and padlock the case - yes, most kids are well aware that to 'clear' the BIOS password all you have to do is open the case and remove the BIOS battery). If they get past the BIOS Password they can change any BIOS setting - so you might as well leave the Boot Order that's the most convenient (usually, CD first).

Do I need to secure my Router ?

If you have kids, then YES, FOR SURE !

You may have hidden your SSID, setup WPA-2, enabled 'IP MAC locking' and setup an 'unbreakable' Admin password, but, unless your Router is physically inaccessible (i.e. locked away) your kids will simply power-cycle the Router whilst holding down 'factory reset', log-in as Admin (using the default password printed on the bottom of the box), disable the Router Firewall and 'open' ports for their friends 'hacked' games (with all their embedded Trojans, root kits and key loggers).

For best coverage of your house and garden, your Router is likely in the loft. So all you need to do to deter your "No. 1 threat", is put a padlock on the loft door :-)

NB. If you have a fully wired system but a WiFi capable Router (as supplied 'free' by most ISP's), don't just rely on setting the Router to 'disable WiFi' & locking it away. Many of todays routers will automatically (re-)enable WiFi on power up and locking it away does not prevent your kids (or their friends) tripping your house mains power breaker just to force a Router reset.

So to defeat any such tricks, you should actually unplug the aerials as well :-)

How do I stop my WiFi signal 'leaking' ?

If you have a WiFi (or mixed wired & WiFi) system be aware that the WiFi signal comes out of the SIDE of the aerials. So the aerials should be oriented 'side to side' (Router aerial to computer aerial) and NOT 'pointing' at one another

To minimise the 'leakage' of signal toward your neighbours, just 'point' the Router aerials at their house. For extra security (and if the Router has internal aerials), you can block the signal using kitchen foil = a simple sheet of foil placed between your router and your neighbours 'script kiddies' will defeat even the most cunning LINUX based WiFi hacking techniques. No 'signal' = no access, full stop :-)

Foil will actually reflect the WiFi signals - so if you want to 'mask' your neighbours on both sides, 'angle' the foil so the signal is bounced downward (or sideways toward your garden where it will boost your reception) ... otherwise signal 'denied' to the neighbour on one side will be reflected across to give the one on the other side access (& vise-versa) !

How do I set up my Router 'out of the box' ?

A1. Start by changing the Routers Administrator password to something much more complex and much less non-obvious. Then write it down on something (eg Business card) you can put in your wallet.

Some routers default to 'admin' as the password ! Even if your's doesn't, you should never stay with the 'factory default' = your kids WILL (eventually) get access to the Router and read the password off the sticker on the bottom !

A2. Next, many Routers have an 'allow Administration from the Internet' option. Find this and make sure it is DISABLED = if you can log-in as admin via the Internet, SO CAN SOMEONE ELSE.

A3. Change the SSID. The LESS any hacker can discover about your Router the better. Default SSID's will always 'give away' the manufacturer (eg 'HomeHub' = BT) and this allows a potential intruder to tailor their 'attack'. Write the SSID on the back of your admin password card (so when the card is on the table whilst you are entering the SSID the admin password is not being shown for all to see).

For obvious reasons, you should also avoid using your name or address. You can choose some random collection of characters - or add to the confusion of the unwanted by using the address of the house across the road or at the bottom of your garden :-)

A4. Set WiFi security to WPA-2 / PSK and choose a random key value.

WEP can be 'cracked' very easily, even by 'script kiddies', so you should never use WPA ! Go to GRC to obtain a random WPA key. Choose the maximum number of 'hex' characters your Router supports (it will be at least 10). Write the key on your card below the SSID.

NEVER leave the WPA 'passkey' set to the 'factory default' - many manufacturers use a simplistic method of generating the 'default' (factory set) key from the device serial number - which it then 'broadcasts' in response to a specific query ... (see, for example, BT's Home Hub)

What can I do if I must use WEP ?

Some devices (mobile phones, the children's game console (PSP etc)) only support WEP. So if you MUST use WEP, make it as hard as possible for the 'crackers' to 'get in'. This means using the maximium key length supported by all your devices (basic 40 (64 bit) encryption = 10 hex digits, 104 (128) = 26 hex digits, 256 = 58 hex digits) and turning on IP MAC Address 'locking' at the router (see below)

Note - it is essentially impossible to 'crack' a WEP router (using the script kiddies favorite tool, 'aircrack') that is 'not in use' i.e. has no devices 'connected' to it via WiFi. So if you are forced to support WEP devices, make sure you 'disconnect' them from the router when not using the Internet

A5. Set the 'Hide SSID' option.

If you 'broadcast' your SSID you are inviting 'script kiddies' to attempt to 'hack' your WiFi & this will kill it's bandwidth (scripts can try thousands of passwords a second) because even Windows will find it and show it to them !

Your SSID can still be discovered even if it's not being 'broadcast' so you should at least make sure never to use your own address (or anything that 'gives away' your 'router' type - knowing, for example, that you have a 'HomeHub' allows the use of specialist 'attacks' that 'work' against BT's Home Hub)

What network settings will help secure my WiFi ?

Enable (select) 'Wireless Isolation'

Netgear Routers (and some others) can prevent computers using WiFi from 'connecting' to others via the router itself (of course they can still connect to the Internet). There is generally no reason why any Laptop / smart phone etc. should ever need to 'connect' to any other computer, except to perform a back-up (in which case, using an Ethernet cable will be faster and more secure). Setting 'Wireless Isolation' also prevents a virus from travelling from one of your computers to the others via WiFi

Use 'IP MAC locking'

Most 'proper' Routers (which does not include the BT HomeHub) have a 'MAC locking' or 'MAC IP Binding' option. This allows you to specify the MAC address of a computer that is permitted to use DHCP, and the IP Address that will to issued to that computer.

To discover a computers MAC address, launch a Command Prompt ('DOS Box' via Start, Run, CMD) and type 'ipconfig /all'. The computers MAC address is listed as it's 'Physical Address' (6 pairs of Hex characters shown as 01-23-45-67-89-AB)

This should be used for ALL computers that will be wired to the Router - it's the only way to stop some-one (such as your kids friends) moving an Ethernet cable from one computer (yours, or your Server/NAS) to another (their virus ridden laptop).

Note - Some Routers have a 'strict bind' or similar settings. This means they will ignore any computer not in the 'MAC binding' list. However others do not - and for these DO NOT leave 'unused' DHCP addresses. If DHCP is set to issue 7 addresses and you only have 6 computers, unless you enter a 'dummy' MAC for the 7th address your Router may happily hand out that 7th 'unused' address to any intruder that asks for it

Use 'non-standard' Subnet and DHCP settings

To make things as hard as possible for the neighbours / your kids / their clever visiting friends, you should AVOID all the normal 'defaults' and 'conventions' when setting up your home network.

Thus, for example, since almost all simple Home Routers default to 192.168.0.1 or 192.168.1.1, you could give the impression of a 'Managed Switch' CISCO environment by using the 10.x.x.x (the CISCO default range) or, even more crafty, the 'non-DHCP' subnet set 169.254.x.x.

Why is using 169.254.x.x so clever ? Because when you turn on a WiFi enabled Windows laptop, if it is unable to obtain an address from your WiFi DHCP Server, the Windows Operating System will 'default' to some 'random' address in the 169.254.x.x. range.

Even if this is a 'valid' LAN subnet address, that computer won't have a Gateway (or any DNS addresses) so can't 'get out onto the Internet' = but when 'kiddie hacker' compares their (non DHCP, default set) 169.254.x.x address to your kids computers Internet connected (DHCP issued) 169.254.x.x address, confusion will set in.

Next, when it comes to DHCP, instead of using the bottom of the address range I always suggest using something a bit further up. That way we can add to the confusion of the unwanted by using the Subnet Mask. You should also avoid using .0 .255 and, indeed, any 'recognisable' binary number (.1, .2 etc) in any address .. generally, the larger the number, the more difficult it is to recognise or manipulate (in binary) and the fact that say .111 'works' but .112 does not will further add to their confusion.

Finally, your Router (Gateway) should never be placed at the obvious x.x.x.1 (i.e 192.168.0.1 , 192.168.1.1 or even 169.254.x.1) address. Indeed, to add to the confusion, you should choose some address 'well outside' the DHCP issued range (if possible).

In order to select addresses, you need to know how the 'subnet mask' works - if you don't go look it up now :-)

Choosing a 'non-standard' Gateway/DHCP Subnet Mask

Unless you are using MAC 'locking' (which allows you to assign specific IP addresses to each computer) your Router will be using DHCP. This will issue SEQUENTIAL addresses starting at the 'base' address you specify (and incrementing the LSB by 1 each time). This means you have to set the 'low order' bits of your Subnet Mask to at least cover the number of addresses you want DHCP to issue.

Suggested settings for a network with a maximum 7 DHCP issued computers

The mask must allow DHCP to issue 7 sequential addresses. This means the 'bottom' 3 bits of the mask must be '000' giving us '1111 1000' as the bottom byte, which is decimal 248. We thus start with a sub-net mask of 255.255.255.248

Next we need to decide the START address for the DHCP range. In theory it can be anything 169.254.x.y, however we want to avoid obvious 'binary' boundaries, so I suggest y=184 (1011 1000 = remember, DHCP starts at 000). For x we want to select a binary number with 'one zero' in it - say 1110 1111 = 239. This gives us 169.254.239.184 as the DHCP start address

With these settings, DHCP will issues 7 addresses, starting with 169.254.239.184 then 169.254.239.185, 169.254.239.186, 169.254.239.187, 169.254.239.188, 169.254.239.189, 169.254.239.190.

What address, then, do we give the Gateway ?? Well, if we modify the Subnet mask to mask one of the 'byte 3' bits we can place it at yet another 'confusing' address. What about 1111 0111 ? (247). This gives us a (modified) Subnet Mask of 255.255.247.248. This Mask allows '3rd byte' IP address of 1110 x111. Since 1110 1111 (239) is issued by DHCP to one of the PC's, that means a Gateway 3rd byte address of 1110 0111 = 231. Since the Mask low byte allows 184 to 190, this allows us to choose a Gateway address of anything in the range 169.254.231.184 to 169.254.231.190. You want to avoid both the start and end of any 'binary range' (since that 'gives the game away'), so how about .189 (just to be a bit more confusing :-) )

To summarise the above :-
Gateway 169.254.231.189
Subnet Mask 255.255.247.248

With DHCP Start 169.254.239.184, DHCP count = 7
Your computers will each get one of the 7 issued addresses :-
169.254.239.184
169.254.239.185
169.254.239.186
169.254.239.187
169.254.239.188
169.254.239.189
169.254.239.190


What's needed for 2 computers to 'communicate' with each other ?

A number of things are required before one computer can access another (i.e. 'map' to shared folders etc.).

1) Each computer must have an IP Address that is 'within' a shared 'Subnet Mask'.

So one of the first steps to securing your Workgroup is to limit the number of IP addresses that can exist and use the Subnet Mask to enforce that limit (see previous).

2) Each computer must be a member of the same Domain or Workgroup.

This is actually just a 'Windows limitation' which most hacker tools just ignore, however the 'kiddie hacker' will usually start by asking Windows to 'give away' the identity of all PC's 'within reach' (so they can choose to start 'hacking' one that 'looks interesting'), so you should NEVER leave your PC in the default "WORKGROUP" or "MSHOME" etc. group (and don't call your NAS/Back-up Server 'My (email) archive' etc. ..

3) In order to access a 'shared folder' a computer must be running the 'Workstation Service' (and the computer that is offering the 'share' must be running the 'Server Service').

You can still browse the web with both these services disabled. However, if you are using file 'synchronisation' software to maintain backups on a Home Server / NAS, your own PC must have Workstation running (and the Server/NAS must have Server running)

If a computer is not running the Server service, then it's impossible to 'connect' to that computer's file system. However, to 'stay protected' you actually have to 'DISABLE' the Server Service (otherwise Windows will (of course) allow the 'hacker' to start the Service remotely)

4) 'Map Network Drive' requires that you know the IP address of the 'source' computer and the exact name of the 'share' (which you can 'hide'). You must also 'connect' with a User Name and Password that the source computer will accept and grant access rights to the Share (i.e. with a User name that matches a valid User Account on the computer that is offering the share and that has access rights to the share being mapped to).

This means you can set up User accounts on your Server that only have 'rights' to access specific folders. You can 'assign' a User to their 'own' back-up Folder and actually 'deny' them access to everything else. Needless to say, User Accounts setup for 'mapped folder' users should NOT be allowed the 'log on locally' right = see my setting up User Accounts in my "Home Server (NAS)" topic (button left, in the Navigation Menu).

5) Finally, you need to prevent them using any of the 'default' User Accounts that exist on all Windows computers

This means you must 'hide' all valid user names (as well as setting passwords of at least 16 characters). Disable the 'Guest' account, change the Administrator account name and disable/delete all the other 'default' accounts that Microsoft has Windows setup for the hacker to use (like 'Backup User' etc.). Then set-up 'dummy' accounts of the same name but with zero 'rights' - since otherwise when they fail to 'find' an account named 'Administrator' they will go looking for it, whereas when they discover the dummy 'Administrator' there's a good chance they will waste time 'hacking' their way into that instead.

Local Area Connection, Properties

General - File and Printer Sharing

If you do not want to share files (or printer) on YOUR PC with other computers on your home network (or if you have no home network), this should be UNINSTALLED in (Start, Settings, Control Panel, Network Connections, Local Area Connection), Properties button, "File and Printer Sharing for Microsoft Networks' (remove 'tick' in box and then click the Uninstall button)

Whilst you are here, you should also Uninstall the useless 'QoS Packet Scheduler'. It's only function is to waste time and resources and get in the way of 'regular' TCP/IP transfers.

Internet Protocol (TCP/IP), Properties

Windows XP allows TWO sets of IP addresses. One ('General' tab) can be set to obtain IP via DHCP, the other ('Alternate Configuration' tab) must be set manually. This means you can setup your PC for 'automatic Internet' access, whilst at the same time manually setting up a connection to your hidden (i.e. on a different sub-net) backup Server.

For once Microsoft did something to help the user ...

To connect to the Gateway, enable DHCP for the 'General' tab.

To connect to your Server / NAS via the Gateway you should set the Alternate IP address MANUALLY. This is because the Server / NAS will also have a manually setup IP and will be using a Subnet Mask that will refuse all 'connection' from any DHCP issued address.

In the above scheme, the Server / NAS address would be 169.254.231.190, it's Subnet Mask would be 255.255.255.248 and the 'Alternate' addresses used (only) by up to 5 computers allowed to connect to the Server / NAS would be in the range 169.254.231.184 - 169.254.231.188 (remember = the Router Gateway is 169.254.231.189)

This assumes that your connection to the Server / NAS is via the Router ... if it is via a separate (intermediate) Hub/Switch you can choose any Alternate IP that is outside the range of the Router Subnet

Do I need WINS ?

No. The purpose of WINS is to convert a 'NetBIOS' computer name (like "\\server") into an IP address in order to make it 'easier' for unwanted intruders to find and connect to your \\server. Plainly that's the last thing we want in a secure network, so all things 'NetBIOS' or 'WINS' should be 'disabled'

In TCP/IP Properties, Advanced, WINS tab, select "Disable NetBIOS over TCP/IP". This will prevent your computers 'mapping' to a share by using the Server name - instead, to 'Map a Network drive', you will have to specify the Servers IP address (as well as the share) eg. \\169.254.231.190\share$

Note that, if you disable WINS, your home network may actually run faster (there will be no 'time outs' whilst Windows tries to find a WINS Server or sends out 'broadcasts' looking for other computers).

What's better, a Domain or a Workgroup ?

The most secure network is 'Domain' based. In a Domain, one computer (the Domain Controller) is responsible for the entire network and will only allow other computers to 'join' the network after that computer user successfully 'logs in' with an Account and Password 'known' to the Domain Controller.

The main advantage of a Domain is that the Domain Controller can control everything that the 'client' users and computers are allowed to do on the network. The disadvantage with a Domain is that it is complex to setup and requires a lot of 'maintenance' - it also requires that you purchase a 'Server' licence (for the Domain Controller) and (if you have more than 5 other computers) you also have to pay Microsoft for additional Domain user ('Client') licences.

For this reason, most home networks are based on the 'Workgroup' system. In a Workgroup, each computer controls it's own users. The disadvantage is that any computer (& user) can 'join' the Workgroup and (potentially) access any other computer in the Group (i.e ones that have a 'Guest' account or other 'guessable' accounts/passwords that allows access).

What are the limitations of a Workgroup ?

Microsoft will tell you that a Workgroup is limited (in XP Pro) to 10 computers. This is not strictly true - the limit is on the number of other computers that can 'map' to a Network Share on a single Windows XP computer 'at the same time' - so you can have as many as you like, so long as no single computer is being 'used' by more than 10 others

This means you can have as many devices connecting to the Internet on your network as you like (it's easy to reach 10 when you add up each DLNA device - DVD/Blu-Ray player, PVR/DVR and even your TV, as well as your 'Games Consoles' and all your 'smart' phones etc.) = you only have to 'count' (as part of the 10 limit) the ones that will be using your Server / NAS 'shares' (for back-ups etc.) - and even then, the limit only applies to computers accessing the share 'at the same time'.

If you have so many computers that more than 10 could try to access the Server 'at once', the Server can be set to 'kick off' (un-map) computers that have been 'idle' for a shorter time than the MS 15 minute default. See my Home Server (NAS) pages (nav. bar, left)

What Workgroup names should I use ?

Microsoft 'Network Neighbourhood' utility will 'group' computers into 'Workgroups'. Placing each computer into a different 'Workgroup' thus makes it 'one click harder' for the script kiddie Windows user to 'discover' the other computers.

When you need to 'link' a computer to the Server / NAS you will need to enter the Server / NAS IP address, and NOT it's 'name'

Microsoft goes out of it's way to allow users to 'browse' looking for Workgroup names. So there is not much you can do to 'hide' the name of a Workgroup - however you CAN confuse matters a little by placing your 'secure' wired PC's into Workgroups called, for example, '%WiFi% x' - and the less secure WiFi connected could be in Workgroups with names like '%LAN% Encrypted' - remember, the more 'smoke and mirrors' you throw in the path of unwanted visitors, the less likely it is they will ever work out how to 'get in' :-)

You are limited to 15 characters, however 'special' characters are accepted. Using names containing '%' characters (as in %NAME%) should confuse the intruder by suggesting some sort of 'variable' name has been created and using embedded '<', '>', '*' and '!' symbols should confuse the 'script kiddies' actual scripts even more :-)

What computer Name should I use ?

On a LAN (local network) computer names ('host' names) are converted into IP addresses by 'WINS' and 'DNS'. Both these 'helpful' services (helpful to the intruder that is) can only cope with names of 15 characters (or less) that contain no special characters. So make sure to use at least 16 characters with at least one 'special' :-)

You will, of course, have tracked down any computer running either 'service' and put a stop to it. You do not want 'host name lookup' on your LAN .. all 'Map Network drive' will be done by entering the known IP address & "{share}$" name - and the harder it is for an intruder to discover a valid IP address the better (you will, of course, have installed Firewalls on every computer that block the script kiddies default method of searching for 'active' computers i.e. the ever helpful 'ping' (ICMP Echo Request) command)

You should give each computer a nice confusing long name containing some 'non-standard' characters ('_' for example) = and whilst the Windows 'Network Wizard' refuses to accept names with 'special characters' (and will truncate the 'NetBIOS' (WINS) name to 15 characters), there is nothing to stop you making changes directly in the Registry :-) Whilst you are at it, you can enter some nice confusing 'Descriptions' as well. You will, of course, have disabled the MS 'Remote Registry' Service on every PC to make it just a little harder for them to access this data

When you use 'Map Network Drive' you will enter the Server IP Address and the share$ name. So both the Workgroup Name and computer Name are irrelevant & the more confusing you can make them the better (for example, your Server could be named '<enter_computer_name_here>' and given the Description "Reserved for my Spare Laptop")

What about my Network Card (NIC) DNS settings ?

To heap confusion on the heads of the unwanted, you can use your Router IP as the DNS Server. If it doesn't actually run a DNS service (and some do), it will forward all DNS traffic automatically to your ISP's DNS servers. Alternatively you could manually configure TCP/IP with 'known' public DNS Servers (such as Google Public DNS, 8.8.8.8 and 8.8.4.4.)

If you are NOT running DNS / WINS on your local network, any attempt to access a 'named' computer on your LAN will be routed to the INTERNET DNS Servers specified in the TCP/IP NIC configuration settings (as seen using the DOS Command 'ipconfig /all'). Hopefully this will result in some nice long delays (whilst the Internet DNS servers try to 'resolve' your computers funny names), which is exactly what you want (since the average impatient script kiddie will give up after the first few attempts)

Use WINS to confuse intruders ?

WINS offers one more opportunity to confuse the ungodly. Since all traffic between computers will be direct to specific IP addresses, there should be no reason why any sort of 'look up' needs to be done - except by Windows or some intruder. So, just to make things difficult, why not set-up your Network card (NIC) TCP/IP Properties with the IP address of some non-existent WINS Server ?

The standard 'cunning trick' is to use 0.0.0.0 = local 'loop back' address. This should have the effect of turning any attempt to perform a WINS look-up into an 'infinite loop' ! (kiddie tries to use one of your computers to access another computer 'by name' - TCP will route a WINS look-up to 0.0.0.0 (i.e. back to itself), however since that PC is not running the WINS Service, it will 'pass on' the WINS request to the WINS server ... which is at 0.0.0.0 ...)

How do I protect my wired computers from WiFi threats ?

If you want to surf the Internet with both wired and WiFi connected computers, the Router has to be able to 'see' them both. Thus you have to set the Routers Subnet Mask to include both - and (unfortunately) whatever Subnet Mask you set for the Router, the Router will then issue to everyone (via DHCP).

Many viruses now incorporate their own TCP/IP 'stack', so can bypass the subnet restrictions on an infected computer anyway. You should not expect Subnet Mask limitations to prevent a virus infection on one computer from 'attacking' another within your network just because it's not on the same subnet

You need to install a Firewall on every computer and use this to protect each computer from ALL the others (and from WiFi intruders).

For example, in Zone Alarm, Firewall, Main, set 'Internet Zone Security' to High. If you need to share the Printer on this computer with other computers, set the 'Trusted Zone security' for this computer to Medium, otherwise (for other computers) set it also High.

On your computers, the Gateway should always be added to the Firewall 'Internet' Zone. If you have a Home Server / NAS that you wish to access, it's IP address should also be added to the 'Internet Zone' (in Zone Alarm, Firewall, Zones, click 'Add', enter the IP Address for your Home Server & select 'Internet').

On the Server / NAS, the IP of each computer that is going to access the server / NAS is added to the 'Trusted Zone'. This is because the Server / NAS has to 'trust' your computers ... but there is NO reason why your computers should 'trust' your Server / NAS !

How do I avoid known spam / phishing / virus infected web sites ?

Plainly you will have installed a Firewall (eg ZoneAlarm, Comodo) on your PC and be browsing using Firefox with the NoScript, AdBlock Plus and FlashBlock add-ons. However it's still possible to be 're-directed' to somewhere nasty by a 'trusted' web site that's been 'hacked' or get 'fooled' by a 'tinyURL' - and, of course, there's little to stop any Root Kit / Key Logger that manages to 'get in' from 'phoning home' using your Internet connection. Fortunately, Open Source applications such as 'Peer Blocker' exist that can be used to block all access (both outgoing and incoming) to known phishing site IP addresses (no matter how well disguised by 'TinyURL') etc.

You should avoid the commercial 'net nanny' type applications (such as NetIntelligence). These are focused on controlling kids browsing, not on security = they may be very good at blocking 'proxies' and 'social' networking (Facebook etc) sites, but, chances are, the vendors have never even heard of fake PayPal 'phishing' sites let alone made any attempt to lock them out (and all kids know how to 'get around' the most common 'net nanny' software anyway)

Most Firefox users will want to install an Advert 'suppression' Addon - note that the most popular, AdBlock Plus, has been PAID BY ADVERTISERS to let their spam through - the 'best' replacement is currently

How do I setup a hidden Shared Folder ?

To setup a shared folder that won't be shown in Microsoft's "Network-neighborhood" search, you add a dollar-sign ($) to the end of the share name - for example 'BACKUP$' rather than 'BACKUPS' (note how my share name is all uppercase and the $ is used you could expect a trailing S = yep, it's another attempt to mislead and confuse someone who 'shoulder surfs'). The share can then only be 'mapped' by entering it's exact path & name (\\(server IP address)\BACKUP$) manually.

Of course if you REALLY wanted to confuse, you wouldn't use a name like BACKUP$ for your backups .. far better would be OLD_PATIO_PLAN$ or MY-READING-LIST$ :-)

What services need to be running ?

It is the 'Server' service on 'this' computer that allows access to other computers - and the other computers use 'Client for Microsoft Networks' (in Network properties) service to obtain access to shares on 'this' computer

This means that ONLY the computer acting as the central 'Server / NAS' (the one with the 'share$') needs to run the 'Server' service - however the Server / NAS has no need to access any other computer, so it's 'Client for Microsoft Networks' should be 'disabled' and removed !

Conversely, all the computers that need to access the Server / NAS will need 'Client for Microsoft Networks' - but they will have no 'shares' of their own, so their own 'Server' service should be Disabled !

The pages in this topic are :-

  + Understanding your Router - (and secure setup) == Latest changes (modified 29th May 2018 14:36.)

  + eMail security


Next page :- Understanding your Router - (and secure setup)

[top]