Wow, I wrote this on October 4, 2000 and now it's completely
out of date. It was written before there were $40 home firewalls.
It was a different world then.
Scroll to the bottom for an update.
Hey Tom, how do I secure my home network? (Oct 4, 2000)
That's sort of a big question. Yes, you should be concerned about
security. People are actively scanning xDSL and cable modem IP address
spaces looking for misconfigured systems.
The best thing to do is to set up a simple firewall with a policy like,
"Outgoing connections are permitted; incoming connections are only
permitted to the web server on port 80, and email on port 25."
I've stopped using telnet, and only use ssh.
I've stopped using passwords. No matter what, someone always finds a
way to guess passwords. Even passwords over encrypted sessions can be
guessed... it just means that someone encrypted their attempts to guess
them. Instead, I use a Hand Held Authenticator like Accent Technology,
Defender, or others. Of course, the web sites I deal with use
passwords, but I use a different password for each of those and
maintain an encrypted file that lists those passwords. (Ches calls
this "put all your eggs in one basket and then make sure it is a really
good basket".)
Firewalls are pretty cheap nowadays. You can take an old 486 running
Linux and turn it into a firewall that can easily keep up with an xDSL
line.
Of course, that's sort of putting the cart before the horse. The first
place to start is a risk analysis. "What am I trying to protect? What
am I willing to spend to protect it?" A lot of people set up a
firewall without considering those two questions. If you can answer
those two questions it should be easy to pay someone to set up a
firewall that meets your needs.
--tal
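The firewall policy quoted in the October 2000 answer above, written out as a ruleset for a Linux firewall box using nftables. This is an added example, not part of the original page; the interface names, the documentation-range server addresses, and the LAN-only ssh rule for administering the firewall are assumptions.

```shell
#!/bin/sh
# Added example: default-deny inbound, allow outbound, expose only web and mail.
# All values below are assumptions; override them from the environment.
WAN_IF="${WAN_IF:-wan0}"          # interface facing the xDSL/cable modem
LAN_IF="${LAN_IF:-lan0}"          # interface facing the home network
WEB_SRV="${WEB_SRV:-192.0.2.10}"  # web server (constructed address)
MAIL_SRV="${MAIL_SRV:-192.0.2.25}" # mail server (constructed address)

# Print the nftables ruleset; nothing is loaded unless "apply" is given.
emit_ruleset() {
cat <<EOF
# Recreate the table so reloading the file is idempotent.
table inet home_fw
delete table inet home_fw
table inet home_fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # Replies to connections that were already allowed.
    ct state established,related accept
    ct state invalid drop
    # "Outgoing connections are permitted"
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    # "incoming connections are only permitted to the web server on port 80"
    iifname "$WAN_IF" ip daddr $WEB_SRV tcp dport 80 ct state new accept
    # "and email on port 25"
    iifname "$WAN_IF" ip daddr $MAIL_SRV tcp dport 25 ct state new accept
  }
  chain input {
    # Traffic addressed to the firewall box itself.
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    # Assumption: the firewall is administered over ssh from the LAN only.
    iifname "$LAN_IF" tcp dport 22 accept
  }
}
EOF
}

# Usage: sh home_fw.sh          prints the ruleset for review
#        sh home_fw.sh apply    loads it (needs root and the nft tool)
if [ "${1:-}" = "apply" ]; then
  emit_ruleset | nft -f -
fi
```

Anything not matched by an accept rule falls through to the chain's drop policy, so a service started by accident on an inside machine is not reachable from the Internet.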
Hey Tom, how do I secure my home network? (Dec 3, 2003)
The above answer is completely out of date. It was written before
cheap home firewalls were available. If I had to write that doc today, I'd make it a checklist:
- Use a home NAT box: I like the ones with a built-in 4-port switch and wireless (802.11) basestation.
- Secure the wireless network: If it is a wireless basestation, enable the encryption and other security features. Just adding a password is sufficient to keep most numbskulls out. As a result, people visiting you can join your network by just being told the network name and the password.
- Stop spyware: Run Ad-aware (www.lavasoftusa.com) once a week.
- Stop viruses and worms: Run a virus scanner that automatically updates itself daily. I like McAfee but most of the big names are all the same.
I explicitly recommend AGAINST using a "Personal Firewall" software firewall. They break a lot of other software, and permit too much through. (Every time it blocks something, it asks you if you would like to let that traffic through in the future. After you press "YES" enough times, you really aren't protecting your machine any more, are you?) I much prefer the home NAT boxes ("home routers"). However, those hardware solutions don't work if you are traveling with a laptop and are dialing into your ISP. In that case, software "Personal Firewalls" are your only solution.
I wonder what my answer will be in 3 years!