Sunday, September 15, 2013

Securing Your Home Network

Every now and again I try to take some time out of my weekend mornings to take a look at my network traffic. I should certainly do it more often or enable some form of weekly report to be sent to me; maybe that will be a winter project this year. In any event, with all the new tech we add to our home networks every year, it makes more sense to know just what exactly is going on in the network. Big enterprises have numerous tools (not so much personnel) to monitor both outbound and inbound traffic; unfortunately, the typical home user does not. In fact, many believe that if they slap in their Linksys/Netgear home router, they are good to go and everything will behave. But with stories such as the "hacked" baby monitor in Texas, we know this is not true. Just some corrections to that story: it wasn't an actual baby monitor, you know, the two-way radio sort of monitor. It was a Foscam IP video camera, most likely of the wireless sort. It sounded like the father took the appropriate steps in configuring it, but again, just doing what the manual tells you to does not make it securely configured.

But I digress. The point of today's post is to help educate my not-so-tech-savvy readers and make them aware that many of these consumer brand companies really don't put too much effort into securing their products. They have some basics covered, like changing the default password or enabling secure wireless, but something such as allowing access to the device over the internet opens a door and invites trouble into your network. Researchers and the bad guys are constantly scanning the internet for open ports to determine what services might be running on those ports. You have your typical ones such as web-based TCP 80 (HTTP) and 443 (HTTPS), as well as email (SMTP, TCP 25), FTP (TCP 21), and SSH/SFTP (TCP 22). There are also standard services running on non-standard ports; for example, HTTP running on TCP 8080. This is typically done either to obscure a web server from the untrained script kiddie or to run more than one web server from a single host. In my case it would be to get web traffic through my cable company's routing rules, as residential internet typically filters popular traffic such as SMTP and HTTP on standard ports. We can go into details on that another time. With tools such as Shodan (see previous post) being used much more frequently and internet scanning software becoming more efficient (check out the post from Robert Graham), it is getting much easier to find out what is running on people's networks.

So what does all this mean?  Well as consumers we need to start getting smart about what we are connecting to our home networks.  In the past the average home probably had 1-2 computers and possibly both wired and wireless networking.  Now a majority of homes have any number of smart phones, tablets, game consoles, laptops, and (maybe) a desktop all connected up.  They may also include network printers, Smart TVs, Smart Blu-ray players, and other media devices such as Apple TV or Roku.  All of these are now nodes on your home network and they all require internet access to function.  

Now of course we have all created a network diagram that we keep handy for reference... right?? Anyone? Anyone besides the crickets? OK, I'm joking; only folks like myself who do this for a living will probably go the extra length and document the home network. At least I can rest easy knowing that if I am ever hit by a truck, my wife will know what device to unplug to reset the cable modem. I only partially joke about this, but it is not a bad idea to know what is connected to your home network; just draw it out on paper or make a simple list. You don't need to make high-end enterprise architecture diagrams, I mean that would be silly! The first part of securing something is knowing what it consists of. You know how many doors and windows you have in your home, right? Well, think of your network in a similar way. The fewer devices you expose to the internet, the better. "Exposed" means you allow inbound access to them. If you absolutely must have access to something while you are away from your home, then look into setting up a VPN. It is not all that hard and there are a number of both hosted and local solutions out there. I will be doing a write-up on one such device coming up. The VPN allows you to make a secure connection to your home network from outside. The tunnel is encrypted, so it is difficult to play man-in-the-middle on. Is it foolproof? Absolutely not, but it is another layer to make it so the novice cannot get in. In security we like to say that if someone wants something badly enough, they will get it; it is just a matter of time. Your best defense is to make it as hard as possible for them to do it. Think about it this way: it is like putting frosted glass on windows, using thick curtains, and even placing warning signs on your property for dogs or an alarm system. Granted, these may throw up flags that you have valuable stuff, but it will keep the curious passersby from snooping around. A determined criminal may risk it and smash in a window still, but he may not be willing to tangle with a big dog.
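One way to turn that "simple list" into something you can re-check on a weekend morning: the Python sketch below is an added example, not code from the original post. It tries a TCP connection to each of the ports named earlier on devices you own and lists what answers; the device names and 192.168.1.x addresses are constructed placeholders.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports named in the post and the service usually found on each.
PORTS = {21: "FTP", 22: "SSH/SFTP", 25: "SMTP",
         80: "HTTP", 443: "HTTPS", 8080: "HTTP (non-standard port)"}

def is_listening(host, port, timeout=0.5):
    """Return True if host accepts a TCP connection on port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False

def audit(devices, ports=PORTS, timeout=0.5):
    """devices maps a name to an IP address you own.
    Returns {name: [(port, service), ...]} for every port that answered."""
    jobs = [(name, ip, port)
            for name, ip in devices.items() for port in sorted(ports)]
    with ThreadPoolExecutor(max_workers=32) as pool:
        answers = list(pool.map(
            lambda job: is_listening(job[1], job[2], timeout), jobs))
    report = {name: [] for name in devices}
    for (name, _ip, port), up in zip(jobs, answers):
        if up:
            report[name].append((port, ports[port]))
    return report

def format_report(report):
    """Turn the audit result into the simple list kept with the network notes."""
    lines = []
    for name in sorted(report):
        found = report[name]
        if found:
            services = ", ".join(f"{p}/tcp {svc}" for p, svc in found)
            lines.append(f"{name}: {services}")
        else:
            lines.append(f"{name}: nothing listening on the checked ports")
    return lines

if __name__ == "__main__":
    # Constructed inventory: replace with the devices on your own network.
    my_devices = {"ip-camera": "192.168.1.50", "printer": "192.168.1.60"}
    print("\n".join(format_report(audit(my_devices))))
```

Run it from a machine inside the network. A port listed here is only reachable from the internet if the router forwards it, so compare the list against the router's port-forwarding page.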

So this one went on long enough. I will end with this... don't assume the product manufacturers have your back; they want to make money, and adding extra steps to secure something may take from their bottom line. So go out and do some research on that next new gadget you want to add. Know that you may need to do some extra work to harden it! If you ever want more education on the matter, swing by your local Hackerspace; there are always folks willing to educate people on these sorts of things. If you are local to CT, you can come by nesit.org. We are usually around in the evenings during the week and random times on the weekends. The weekly schedule is posted on Sundays.