Below is some basic information about the security measures I regularly use. I am only revealing general information here, which is why it is not a security risk for me to post it. (Yes, this is off the top of my head, so there may be some typos.)
- Current home network topology:
This may look complicated to some of you, but from an IT standpoint it is a very basic home network setup.
- My custom configured “hardware” firewall is pfSense 2.0.1. It is based on FreeBSD 8.1 and gives me an enterprise-grade, fully customizable firewall at home for free. I have configured pfSense to be the DHCP server on my home network, so every device that connects at home gets its IP address (or is refused one) from pfSense, and the firewall rules I have written there decide which traffic that device may send or receive. The first package I have set up is pfBlocker, which blacklists many known-bad sites and IP addresses by loading public blocklists into the packet filter's tables. A packet filter does not "scan" traffic in the antivirus sense: it compares the headers of every packet passing in either direction (source and destination address, protocol, port) against a rule set in real time and passes or drops each packet accordingly. pfSense is also running Snort, a very thorough intrusion detection system. An IDS is a packet sniffer: it reassembles traffic and compares the payload against signatures of known attacks, which is a different job from header-based packet filtering and has different priorities (detecting and alerting rather than enforcing a policy). Many banks and other enterprises run Snort as well. The next thing running on pfSense is Squid, a caching proxy that I run in transparent mode, meaning the LAN clients need no proxy configuration. Commonly fetched objects are saved in a cache and served from there instead of being fetched from the internet again, which makes browsing feel quicker and more responsive and reduces bandwidth usage, useful if your ISP has a monthly cap. pfSense also has a web GUI that makes it much easier to configure and edit, so you no longer have to SSH into the device unless you really want to. The last thing to mention here is that I have pfSense configured to use OpenDNS as its primary DNS server. Details on OpenDNS can be found in another post here.
- The next item in the diagram is my Belkin wireless router. Belkin routers have very rudimentary packet filtering and "intrusion detection" built into their firewall; Cisco's business-class routers offer far more capable filtering, which is part of the noticeable price difference for similar networking speeds. Since I already have a very robust firewall in place, I have all of the Belkin's security features disabled and the router set to bridge mode. In that mode it no longer routes or performs NAT: it acts as a switch plus wireless access point, which also lets pfSense be the DHCP server instead of the router. If I left the Belkin in its normal routing mode I would run into connection issues because the setup would be double NATed. NAT (Network Address Translation) is the function that lets all the devices on my private network share the firewall's single public IP address: the firewall rewrites the source address and port of each outgoing packet and remembers the mapping so it can deliver the replies to the right device. With two NAT layers stacked, inbound connections (port forwards, peer-to-peer applications, UPnP) break unless both devices are configured for them, and the outer firewall can no longer see the individual inner devices in its rules and logs.
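To make the difference between the two checks above concrete, here is a toy model in Python of a header-based packet filter (the job pfSense's pf rules and pfBlocker's tables do) beside a payload-signature IDS (the job Snort does). This is an added example, not pfSense, pf or Snort code; the packets, the blocklist networks, the rules and the two signatures are all constructed for the illustration.

```python
"""Toy illustration: a header-based packet filter next to a
payload-signature IDS. Constructed packets, rules, blocklist and
signatures; not pfSense, pf or Snort code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


# pfBlocker-style table of known-bad networks (constructed, not a real list)
BLOCKLIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# pf-style rules, first match wins: (action, proto, destination port)
LAN = ip_network("192.168.1.0/24")
FILTER_RULES = [
    ("pass", "tcp", 80),
    ("pass", "tcp", 443),
    ("pass", "udp", 53),
]


def packet_filter(pkt: Packet) -> str:
    """Return 'pass' or 'block' from headers only; the payload is never read."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if any(src in net or dst in net for net in BLOCKLIST):
        return "block"          # table hit, like 'block quick from <pfb_table>'
    if src not in LAN:
        return "block"          # default deny for anything not from our LAN
    for action, proto, dport in FILTER_RULES:
        if pkt.proto == proto and pkt.dport == dport:
            return action
    return "block"              # default deny


# Snort-style content signatures: (sid, proto, dport, content, message)
SIGNATURES = [
    (1000001, "tcp", 80, b"/etc/passwd", "HTTP path traversal attempt"),
    (1000002, "tcp", 80, b"UNION SELECT", "SQL injection attempt"),
]


def ids_inspect(pkt: Packet) -> list:
    """Return (sid, message) alerts for payloads matching a signature.
    An IDS only alerts; it does not decide whether the packet passes."""
    alerts = []
    for sid, proto, dport, content, msg in SIGNATURES:
        if (pkt.proto == proto and pkt.dport == dport
                and content.lower() in pkt.payload.lower()):
            alerts.append((sid, msg))
    return alerts


def process(pkt: Packet):
    """Filter first; inspect only what the filter let through."""
    verdict = packet_filter(pkt)
    alerts = ids_inspect(pkt) if verdict == "pass" else []
    return verdict, alerts


# Constructed sample traffic from a LAN host
SAMPLE = [
    Packet("192.168.1.20", "93.184.216.34", "tcp", 443, b"\x16\x03\x01"),
    Packet("192.168.1.20", "203.0.113.7", "tcp", 80, b"GET / HTTP/1.1\r\n"),
    Packet("192.168.1.20", "93.184.216.34", "tcp", 80,
           b"GET /index.php?f=../../etc/passwd HTTP/1.1\r\n"),
    Packet("192.168.1.20", "93.184.216.34", "tcp", 23, b"login"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.dst, p.dport, process(p))
```

The third packet is the instructive one: every header field is allowed (LAN source, TCP port 80, no blocklist hit), so the packet filter passes it, and only the signature match on the payload notices the traversal attempt. The second packet never reaches the IDS because the blocklist table drops it on the destination address alone.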
- Now that the back-end security measures are explained, it is time for the security measures I use on the computers themselves.
- First is my choice of paid antivirus software, Webroot SecureAnywhere Antivirus, Webroot’s latest antivirus software for 2012. I chose it because it has received excellent test results from independent testing labs and in my own testing. It is also extremely lightweight, meaning it uses very few resources, and it has the fastest scan times I have seen yet. It has real-time scanning, which is extremely important, plus built-in phishing protection and spyware/malware scanning. On top of these it has a built-in sandboxing feature: a detected threat is immediately quarantined and isolated from the rest of my running desktop, and I can also run a program I am not familiar with inside the Webroot sandbox so that its file and registry changes do not reach the rest of the system. I have Webroot configured to do a daily scan as well. In addition to the daily scans I do weekly scans with the malware and spyware removal programs Malwarebytes Anti-Malware and SUPERAntiSpyware. It is important to run these as on-demand scanners only: two real-time (live) scanners installed at the same time, whether Webroot, Norton or any other product, hook the same file operations and interfere with each other, which means slowdowns, lockups and each one flagging the other's quarantine folder.
- Next is my choice of “software” firewall. I have used the free COMODO personal firewall for several years now and have been pleased with its performance the majority of the time. I chose it over the free ZoneAlarm firewall because it uses fewer resources while running, has built-in sandboxing, and also checks live web threats. The only downside I have experienced with COMODO is that when Defense+ (its host intrusion prevention component) is enabled there are frequent pop-ups asking you to approve a program's actions, such as accessing the internet or modifying other programs and registry keys. Most of the time I really like this feature, but it can become a nuisance at times.
- Next up is my choice of web browser. I use Google Chrome about 99% of the time; another excellent alternative is Mozilla Firefox. I have chosen Chrome over Firefox because, in my experience and research, it is more secure than any other browser I have used. Each page's rendering engine runs in a sandboxed process with limited rights, and Chrome's bundled Flash player runs inside that sandbox as well, so an exploit against a page or a Flash object has to break out of the sandbox before it can touch the rest of the system. (The Java plugin is a different story: it runs outside the sandbox as an ordinary plugin, so Java is no safer in Chrome than in any other browser.) Flash and Java are used in almost everything on the web these days, and both have 0-day vulnerabilities, meaning flaws that are being exploited before the vendor has a patch, turning up all the time. No matter how promptly you update Flash or Java there are still vulnerabilities that are not yet patched, which is why the sandbox matters as a second line of defence. You should still update Flash and Java immediately when the update request appears, but be careful: there are now fake "Flash update" pop-ups on web pages that actually install malware or trojans, so only update through the application's own updater or from the vendor's site, never from a link on a random page. Another reason Chrome is more secure is that Google ships a new Chrome build every time there is a major Flash update, so the copy of Flash that Chrome uses is updated for you automatically. That covers Chrome only: if you also have the standalone Flash or Java plugin installed for other browsers, those still need to be updated separately.
- Next are the important browser add-ons. I use WOT (Web of Trust), an add-on for Mozilla Firefox and Google Chrome that shows a reputation rating next to each link, built from ratings by other users and by the WOT authors and updated continuously. This helps when doing Google searches, for example, because a site with a poor rating is flagged right in the results. Keep in mind that it is a reputation system: a legitimate site that was compromised yesterday will usually still show a good rating until enough people have noticed and reported it.
- The next browser add-on I always use is HTTPS Everywhere. It rewrites requests to use HTTPS wherever it knows the site supports it. HTTPS (Hyper Text Transfer Protocol Secure) means the data transferred between your computer and the website's server is encrypted with SSL/TLS, so someone listening on the Wi-Fi or at the ISP sees which server you talked to but not the pages or the passwords. Online banking is usually HTTPS by default, but many sites are not, or serve both and default to plain HTTP. One caveat: the add-on works from a list of rewrite rules for known sites, so a site that is not in its list stays on HTTP even if it would have accepted HTTPS.
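As an added example (not code from the add-on itself), here is a miniature of how HTTPS Everywhere decides whether to rewrite a URL: each ruleset names the hosts it covers, optional exclusion patterns that stay on HTTP, and regex from/to rules. The two rulesets, the hostnames and the sample URLs below are constructed for the illustration; the real add-on ships its rulesets as XML files in the same shape.

```python
"""Mini model of HTTPS Everywhere ruleset matching. Constructed rulesets
and URLs; not the add-on's own code."""
import re
from urllib.parse import urlsplit

# Constructed rulesets in the spirit of the add-on's <ruleset> XML files
RULESETS = [
    {
        "name": "Example",
        "targets": ["example.com", "www.example.com"],
        # legacy area known to break over HTTPS, so it is left alone
        "exclusions": [r"^http://www\.example\.com/legacy/"],
        "rules": [(r"^http://(www\.)?example\.com/", r"https://www.example.com/")],
    },
    {
        "name": "Bank",
        "targets": ["*.bank.example"],   # wildcard covers subdomains
        "exclusions": [],
        "rules": [(r"^http:", r"https:")],
    },
]


def _target_matches(pattern: str, host: str) -> bool:
    """Match a <target host> entry; '*.' means any subdomain (roughly as the add-on does)."""
    if pattern.startswith("*."):
        suffix = pattern[1:]             # ".bank.example"
        return host.endswith(suffix) and host != suffix[1:]
    return host == pattern


def rewrite(url: str):
    """Return (new_url, ruleset_name), or (url, None) when nothing applies."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url, None                 # already HTTPS, or not a web URL
    host = parts.hostname or ""
    for rs in RULESETS:
        if not any(_target_matches(t, host) for t in rs["targets"]):
            continue
        if any(re.search(x, url) for x in rs["exclusions"]):
            return url, None             # explicitly kept on HTTP
        for frm, to in rs["rules"]:
            new_url, n = re.subn(frm, to, url)
            if n:
                return new_url, rs["name"]
    return url, None                     # host not in any ruleset: stays HTTP


SAMPLE_URLS = [
    "http://example.com/login?next=/account",
    "http://www.example.com/legacy/old.cgi",
    "http://online.bank.example/statements",
    "http://unknown.example.org/login",
    "https://example.com/already",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", rewrite(u))
```

The fourth URL is the caveat from the paragraph above in code: unknown.example.org is not covered by any ruleset, so the request goes out over plain HTTP regardless of whether the site would have accepted HTTPS.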
- The next add-on is LastPass, a password manager I consider extremely secure. Once you sign up for a free account you have to choose a master password, and you want it to be as strong as you can make it. This will be the last password you have to remember, which makes it easier to justify a strong one; ideally make it 25 or more characters. My master password, for example, is well over 25 characters and uses the full range of printable characters in a random fashion. Once your account is created you log in to LastPass through the browser add-on and then log in to your sites as normal, and LastPass prompts you to remember each set of credentials. Everything saved is encrypted on your own computer with AES-256 before it is uploaded to the LastPass servers, so LastPass only ever stores ciphertext and cannot read your passwords. The encryption key is derived from your master password on your computer by a salted, iterated hash (PBKDF2 with SHA-256, a 256-bit salt and on the order of 100,000 iterations), and what is sent to LastPass for login is a further hash of that key, not the password or the key itself. So neither LastPass nor an attacker who steals its database learns your master password directly, and the iterations make every guess expensive; with a master password over the recommended 25 random characters, a brute-force attack is completely unreasonable. The caveat is that a short or dictionary-word master password is still guessable from a stolen hash despite the salt and iterations, which is exactly why the length matters. I also use the two-factor authentication option for the LastPass login and do not mark any computers as trusted, not even my home computers, because you never truly know when a computer has been compromised. Another nice feature is the Security Challenge, which ranks you according to how strong and how reused your stored passwords are. See where you rank and whether you can get to #1 with me!
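The key-derivation and login flow described above, as an added Python example in the shape LastPass has described publicly (vault key = PBKDF2-HMAC-SHA256 over the master password with the account email as salt; login value = one more PBKDF2 round over that key). This is my model of that design, not LastPass's code: the round count, the e-mail addresses, the passwords and the word list are constructed for the example, and the round count is kept small so the demo runs quickly.

```python
"""Model of client-side key derivation in a zero-knowledge password
manager. Constructed accounts, passwords and word list; not LastPass code."""
import hashlib
import hmac

ROUNDS = 5000   # small for the demo; the text above quotes ~100,000


def vault_key(email: str, master: str, rounds: int = ROUNDS) -> bytes:
    """32-byte AES-256 key that encrypts the vault locally. The email is the
    salt, so two users with the same master password get different keys."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), email.lower().encode(),
                               rounds, dklen=32)


def login_hash(email: str, master: str, rounds: int = ROUNDS) -> bytes:
    """Value sent to the server at login: one extra PBKDF2 round over the
    vault key, salted with the password, so the server never sees either."""
    key = vault_key(email, master, rounds)
    return hashlib.pbkdf2_hmac("sha256", key, master.encode(), 1, dklen=32)


def server_verify(stored_hash: bytes, presented_hash: bytes) -> bool:
    """Constant-time comparison of the stored login hash against the one presented."""
    return hmac.compare_digest(stored_hash, presented_hash)


def dictionary_attack(email: str, stolen_hash: bytes, wordlist, rounds: int = ROUNDS):
    """What an attacker holding a leaked login hash can do: try guesses.
    Each guess costs 'rounds' HMAC computations, which is what the
    iterations buy you; a weak password is still found quickly."""
    for guess in wordlist:
        if hmac.compare_digest(login_hash(email, guess, rounds), stolen_hash):
            return guess
    return None


WORDLIST = ["password", "letmein", "123456", "dragon", "monkey"]   # constructed

if __name__ == "__main__":
    alice = "alice@example.com"
    weak = login_hash(alice, "letmein")
    strong = login_hash(alice, "correct horse battery staple 7#Q")
    print("weak master cracked as:", dictionary_attack(alice, weak, WORDLIST))
    print("strong master cracked as:", dictionary_attack(alice, strong, WORDLIST))
    print("same password, different account, different key:",
          vault_key(alice, "letmein") != vault_key("bob@example.com", "letmein"))
    print("server accepts correct login:", server_verify(weak, login_hash(alice, "letmein")))
```

Two things to notice: the server stores and compares only the login hash, which cannot be turned back into the vault key, and yet a dictionary attack on a leaked hash still recovers "letmein", because salt and iterations slow an attacker down but cannot add entropy the master password never had.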
- Next is Click&Clean, a browser add-on that can automatically clear all browser data, including cookies, when you close the browser. It is worth clearing your browsing data and cookies regularly because you may pick up tracking cookies that follow you from site to site, which is never good. The trade-off is that you are logged out of every site when the browser closes.
- That’s it for the basic browser info. Next is my choice of email client. I have chosen Thunderbird because I have multiple email accounts, and it is much easier to check them all in one place than to log in to each webmail site individually. Thunderbird remembers the login credentials for each account you add, so it is important to enable the master password option; without it the saved passwords sit on disk in a form that anyone with access to your profile folder can read out in seconds.
- Next is a free program called Sandboxie. It runs programs inside a sandbox that redirects their file and registry writes into a separate container instead of your real system, so whatever a program does can be thrown away by deleting the sandbox. You can also surf the web inside a sandbox this way, which I highly recommend no matter which browser you use. I use Sandboxie because it has more functionality than the sandbox features in Webroot and COMODO. Bear in mind that it is not total isolation: a sandboxed program can still read your files unless you restrict that, and a kernel exploit can escape any sandbox.
- Lastly is TrueCrypt, a free encryption program that lets you create encrypted file containers or encrypt a whole system partition or drive. I have all of my hard drives encrypted with the triple cascade AES-Twofish-Serpent, which means that if someone steals my laptop or any of my backup drives at home they cannot get at the information on them, provided the password is strong (more than 25 characters). I also use TrueCrypt containers for everything I upload to my online backup service, Dropbox. Dropbox has been breached in the past, but since my files sit in a triple-encryption cascade with multiple keyfiles per container, which add entropy beyond the password, the data cannot be retrieved by anyone but me, as long as the password and the keyfiles never leave my machines. Two caveats: a cascade does not make a weak password stronger, because the keys for all three ciphers are derived from the same password and keyfiles, and an encrypted drive is only protected while it is dismounted; while the machine is running with the volume mounted, the keys are in RAM and any malware on the machine can read the files just as you can.
I hope you gain some valuable security information from this post, and as always, if you have any questions please post them here. Below is what my future home network will look like once I get the necessary equipment.