Keep out! Best ways to secure the home net

Our go-to guys share tips for keeping home users safe.

It goes without saying, IT professionals know network security. In the orderly world of the enterprise, risks are assessed, strategies crafted and tools implemented. As important policies are created that users are mandated to follow, your mandates become company policy. Employees face consequences if they break network security rules.

Home networks are another story. The security risks are the same, but the tools are often limited and less mature. And the users? They span the spectrum: Some, like your elderly parents, just don't understand the risks and can be easily intimidated. Others, like corporate workers, are sharp but tend to get sloppy about security when IT's not watching. And kids? They're the worst; smart enough to disable your firewalls but most vulnerable to security risks and least likely to take them seriously.

Too bad you can't fire your teenager, or the CEO down the street for that matter.

So here's a security guide to keep in your toolbox - straight from go-to guys like you and others who deal with home users every day, either as their primary jobs or on the side. You'll also learn about new tools that ease network security and administration. (For more great security tips see "10 ways to stop spyware ")

Batten down the router

"Home network users don't even know they need a firewall, or the benefit of enabling encryption and MAC [media access control] address filtering on their wireless networks," says Jeff Jorvig, a home networking consultant in Chandler, Ariz. "But even I've got problems with my kids using Napster, Kazaa and LimeWire free music-sharing programs."

Many go-to guys, Jorvig among them, feel a network-address translation router is sufficient firewall protection for the home - as long as administrative controls to add and delete programs are password-protected on each PC; and notebook PCs aren't moving in and out from public networks.

In both wired and wireless routers, the most important security step is to change the vendor-provided, default administrator password to a complex alphanumeric one. Some, like Scott Whitesell, of Believe IT in Battle Creek, Mich., take the additional step of keeping router passwords from their network owners. "It may seem kind of mean, but it falls into the category of what users don't know can't hurt them," he says.

But even with the most secure setup, routers can't protect themselves from users who open unsecured ports for gaming, let administrators in from their ISPs, or remotely log on to use tools such as GoToMyPC or PCAnywhere. And all too often, users forget to manually close these ports after using them, which makes them vulnerable to worms and hackers.

Enter PortMagic ($49), a router utility from Pure Networks that closes extraneous ports left open after usage. In April, Pure Networks will release Network Magic , a management tool that helps users develop a simple map of their network and offers alerts when unauthorized devices try to connect. Network Magic also provides alerts when router security is disabled and locks down file shares when a computer leaves the home network. The product runs on Windows machines but recognizes non-Windows connected devices.

Wild wireless west

Jorvig, Whitesell and their brethren spend much of their time dealing with wireless networks. In fact, all the home LANs Jorvig served in the Phoenix area last year were wireless. Both go-to guys always turn off users' network Service Set Identifiers to hide the network from the outside world.

They also agree their biggest challenge is convincing users to turn on encryption. Even after Jorvig warns users of the risks, many still refuse to take the time to configure it. "There just hasn't been enough in the media to scare home users into believing they need it - yet," he says.

The good news is that setting up encryption is much easier on newer routers, including the Linksys Wireless G ($69) and SpeedBooster ($89) models, which encrypt to a user-created pass phrase for Wired Equivalent Privacy and Wi-Fi Protected Access. Next month, Linksys is scheduled to release push-button encryption on its routers, which synchronizes when you push a software button on a PC setup screen. Buffalo Technology's AOSS and WLAN chip maker Atheros' Jumpstart are similar. Of course, for these schemes to work, all your products need to use the same technology.

Although encryption is a good start, wireless networks need stronger protection, says Chris Basham, president of OTO Software, a Denver start-up. Basham argues that pass phrases can be guessed or cracked, and network MAC addresses travel unencrypted inside the network even with encryption turned on.

OTO's Wi-Fi Defense ($29) network utility automatically enables MAC address filtering so only assigned devices can connect to the network. (Currently, you need to enable MAC address filtering manually on the router, which means inputting the IP address of each PC into the router interface.) OTO Software, like Pure Networks, works only with Windows PCs and supports only commonly used router brands.

Desktop defenders

Even with recent improvements, routers don't offer enough network protection, says Brian Milovich, a PC technician at a manufacturing firm in South Bend, Ind. Milovich also runs a small home-network consulting company with about 20 clients, most drawn from his circle of friends. File-share protection won't block worms and viruses when mobile computers connect to public access points.

"If your user gets his notebook infected on a public network and brings that infection home, it spreads through all those shared folders," Milovich says.

Routers do not block malicious code accidentally invited into the network by users who click malicious links and pop-ups, either. And a router can't prevent viruses and Trojans from entering PCs when PDAs, music storage or cell phones are connected via a USB port. Already, Trojan horses are spreading among Bluetooth wireless phones; it's only a matter of time before wireless worms and viruses try hopping between wireless networks.

So as an added layer of security, Milovich and Whitesell install software firewalls on their users' home PCs. Both prefer Zone Alarm's free product because it blocks outbound, malicious traffic. "I like to take my clients to a trash Web site and show them how Zone Alarm will freak out with all these alerts because it's blocking bad stuff," Milovich says.

But those same alarms can confuse users. "That's the hardest thing for them to grasp," Whitesell says. "A window popping up in what to them is Greek, saying 'this program is trying to access the Internet' could be an essential component of IE making a call. They tell it 'no,' and they've disabled it."

A good rule of thumb: "If an alert occurs when users are launching any kind of Internet action, such as connecting to their mail servers, downloading programs, connecting to a Web server, or updating software, then they should accept it," says Norman Merrell, a retired IT manager in Pennsburg, Pa., who administers the networks of his wife's home business and that of her cousin in Hawaii.

Tricks of the trade

Popular brands such as McAfee, Symantec and Trend Micro bundle firewall, anti-virus, spam protection, parental controls and security update services under one user-friendly setup. But users are still confused about updates and scans, which they must enable themselves.

"People think they're protected because they've installed anti-virus. They don't realize those definitions are two years old," Jorvig says.

Whitesell uses the free AVG anti-virus tool and is testing Microsoft's new anti-virus/malicious software removal tool . He'll use it if it's offered free, provided it does a better job than the XP firewall. "Of course, it's hard to trust Microsoft with security," he adds.

Another place to turn for free software might be users' ISPs. AOL 9.0 Security Edition includes McAfee VirusScan Online, McAfee Personal Firewall Express, and AOL Spyware Protection. EarthLink and Comcast offer similar services.

"One of my clients has PeoplePC as his ISP, which offers free firewall and anti-spyware protection," Milovich says. "It's a good added layer of protection, but I don't like it installed on work computers: That creates a headache for guys like me."

Workplace computers usually don't have software firewalls installed, so when his users bring their work machines home, Milovich installs Zone Alarm, as well as Firefox , which automatically blocks pop-ups by default.

Anti-spyware is most problematic for home users because the tools don't automatically scan, update or explain well what they find during scans. Milovich, Whitesell and Merrell each favor Ad-Aware and Spybot , which in conjunction net more spyware than others. And for free, the price is right.

"Once you get past the setup, Mom can run these," Milovich says. He and Whitesell put their users on an update schedule.

"I tell them when they get up on Saturday mornings to make coffee, run their spyware signature updates and scan their machines. It may take an hour, but they don't have to look at it," Milovich says. "Then I tell them to delete everything."

As technology evolves, vendors likely will meld anti-spyware with anti-virus signatures into one convenient scanner. Hopefully, we'll see point solutions such as Network Magic and Wi-Fi Defense cover all security problems in one package. But in the meantime, you'll have to kludge together what works best, and steep your users in ongoing education so they'll learn to be independent, Whitesell says.

"Education is everything," Merrell says. "People need to understand that their computers are a door to the world."

Copyright © 2005 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022