Tightening Security on a Router
Adding a router to your network isn't a panacea. Simple NAT and packet-filtering capabilities provide a baseline level of security for your network, but don't underestimate the resourcefulness and tenacity of outside attackers. A determined intruder who identifies the make and model of your router can craft an attack against that router and may succeed if you aren't thorough in your preparation. To increase the security of the network, follow these tips:
Set a strong password for the router. Out of the box, nearly every router ships with a simple default administrator password (often blank or "admin"), and those defaults are published; automated attacks try them first. Change the password before you connect the router to the Internet, and change the default user name too if the router allows it.
Disable remote administration capabilities. Many routers allow you to connect to the router's configuration utility from inside your local network or from the outside. To block a major avenue of attack, disable the capability to manage the router from the Internet. If you genuinely need remote management, restrict it to specific source addresses and use the encrypted interface (HTTPS or SSH) if the router offers one, so that the administrator password never crosses the Internet in the clear.
Configure how the router responds to unsolicited outside traffic. If you're running a server inside your network, forwarding specific ports to the IP address of the computer running the server software, you need to allow outside access to that computer on those ports. But you should discard all other unsolicited outside traffic. In particular, if you can configure the router to drop Internet Control Message Protocol (ICMP) echo requests from the Internet, you should do so. This step prevents outsiders from "pinging" your network to determine that the IP address is in use, and it blocks the older attacks that used malformed or oversized ICMP packets to crash hosts. One caveat: if the router only offers an all-or-nothing ICMP switch, be aware that discarding every ICMP message from the Internet also discards the "fragmentation needed" errors that Path MTU Discovery relies on, which can make some large transfers from inside hosts stall. Prefer blocking echo requests alone where the router lets you choose.
Enable firewall or antivirus features, if available. Some routers integrate with specific antivirus and personal firewall programs. Linksys routers, for instance, work with the ZoneAlarm Pro personal firewall and Trend Micro's PC-Cillin antivirus software. Using this capability, you can enforce a security policy that allows Internet access through the router only to computers that are running either or both of these programs. Figure 15-6 shows the configuration options for this feature on an 8-port Linksys router. (Note that in this example the software does not run on the router itself, only on the client computers. Hardware firewalls that include built-in antivirus software are available, but they typically cost far more than a router intended for use on a home or small business network.)
Figure 15-6. Some routers for home networks, like this Linksys model, allow you to enforce security policies requiring antivirus or personal firewall software.
Carefully configure advanced firewall options. Every router is different. Depending on the specific capabilities of your router, you may be able to block specific incoming ports, restrict outbound traffic to particular ports, or block access by time of day. The latter capability can be especially useful if you want to prevent kids from browsing the Web after 10:00 PM, for instance. Whatever you configure, test it from outside (for example, from a computer on a different Internet connection) to confirm that only the ports you intended to open actually respond.
CAUTION
--------------------------------------------------------------------------------
Many routers include an option to place one computer on the local network in a DMZ (the name is borrowed from the military term demilitarized zone). Putting a computer in this zone does not remove the router from the path; it tells the router to forward every unsolicited inbound packet that no other rule handles to that computer, so the computer is exposed to the Internet as though there were no filtering in front of it at all. Using this option may be the only way to make some types of connections, such as those used in multiplayer games. Just be aware that outsiders get unfiltered access to every service the DMZ computer is running, so that computer must at least run its own host firewall and be fully patched. If you must use this option, we recommend enabling it only when you need it, and removing the local computer from the DMZ when it's no longer required.
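The policy described in the tips and in the DMZ caution above can be hard to reason about from a router's web pages alone, so here is the same policy written out as a small stateful filter and exercised against constructed packets. This is an added example, not code from the book or from any router vendor; the addresses (documentation ranges), the administration port 8080, the forwarded web server at 192.168.1.10 and the assumption of port-preserving NAT are all made up for illustration.

```python
"""Model of a home router's inbound policy: replies to inside connections pass,
explicit port forwards pass, pings and remote administration are dropped,
everything else is dropped unless a DMZ host is configured.  Added example;
all addresses and ports below are constructed, not taken from a real device."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

WAN_ADDR = "203.0.113.5"                        # router's public address (constructed)
ADMIN_PORT = 8080                               # router's web UI port (assumed)
PORT_FORWARDS = {("tcp", 80): ("192.168.1.10", 80)}   # (proto, WAN port) -> (LAN host, port)
ICMP_ECHO_REQUEST = 8
# Error messages that must still pass even though echo requests are dropped;
# type 3 (destination unreachable) carries "fragmentation needed" for PMTU discovery.
ICMP_ALLOW_FROM_WAN = {3, 11}


@dataclass(frozen=True)
class Packet:
    iface: str                  # "wan" or "lan": the interface the packet arrived on
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


class Router:
    """Stateful NAT router applying the policy from the tips above."""

    def __init__(self, remote_admin: bool = False, dmz_host: Optional[str] = None):
        self.remote_admin = remote_admin
        self.dmz_host = dmz_host
        # Outbound flows seen so far: (proto, lan_host, lan_port, remote, remote_port).
        # Port-preserving NAT is assumed, so a reply's dport equals lan_port.
        self.conntrack: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        if p.iface == "lan":
            if p.proto in ("tcp", "udp"):
                self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "accept"                     # inside hosts may start anything outbound
        return self._from_wan(p)

    def _from_wan(self, p: Packet) -> str:
        if p.proto == "icmp":
            # Drop pings (hides the address) but keep the error messages PMTUD needs.
            return "accept" if p.icmp_type in ICMP_ALLOW_FROM_WAN else "drop"
        if p.dst != WAN_ADDR:
            return "drop"                       # not addressed to us at all
        # 1. Replies to connections an inside host opened are forwarded back to it.
        for proto, host, port, remote, rport in self.conntrack:
            if (proto, remote, rport, port) == (p.proto, p.src, p.sport, p.dport):
                return f"forward:{host}:{port}"
        # 2. Remote administration only when explicitly enabled (the tip says: don't).
        if p.proto == "tcp" and p.dport == ADMIN_PORT:
            return "accept" if self.remote_admin else "drop"
        # 3. Explicit port forwards for servers we deliberately run inside.
        if (p.proto, p.dport) in PORT_FORWARDS:
            host, port = PORT_FORWARDS[(p.proto, p.dport)]
            return f"forward:{host}:{port}"
        # 4. A DMZ host receives everything else unsolicited: it is fully exposed.
        if self.dmz_host:
            return f"forward:{self.dmz_host}:{p.dport}"
        return "drop"                           # default: unsolicited traffic is discarded


def demo() -> dict:
    """Run constructed packets through the policy and return each decision."""
    r = Router()                                # remote admin off, no DMZ (recommended)
    results = {}
    # An inside PC opens an HTTPS connection; the server's reply must get back to it.
    r.decide(Packet("lan", "tcp", "192.168.1.20", "198.51.100.7", 51000, 443))
    results["reply"] = r.decide(Packet("wan", "tcp", "198.51.100.7", WAN_ADDR, 443, 51000))
    results["ping"] = r.decide(Packet("wan", "icmp", "198.51.100.9", WAN_ADDR, icmp_type=ICMP_ECHO_REQUEST))
    results["frag_needed"] = r.decide(Packet("wan", "icmp", "198.51.100.9", WAN_ADDR, icmp_type=3))
    results["web"] = r.decide(Packet("wan", "tcp", "198.51.100.9", WAN_ADDR, 40000, 80))
    results["admin"] = r.decide(Packet("wan", "tcp", "198.51.100.9", WAN_ADDR, 40001, ADMIN_PORT))
    results["random"] = r.decide(Packet("wan", "udp", "198.51.100.9", WAN_ADDR, 40002, 27015))
    # Same unsolicited packet with a DMZ host configured: it is handed straight to that host.
    dmz = Router(dmz_host="192.168.1.30")
    results["dmz_random"] = dmz.decide(Packet("wan", "udp", "198.51.100.9", WAN_ADDR, 40002, 27015))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The point the model makes visible is the difference between the four paths an unsolicited packet can take: a tracked reply, an explicit forward, the administration interface, and the DMZ catch-all. Only the first two should ever say anything but "drop" on a router that follows the tips above, and the DMZ branch shows why a machine placed there must be treated as if it were sitting directly on the Internet.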