
An example of securely setting up a home local network. Securing computer networks

When I looked at Yandex's search statistics, I noticed that the query "home network security" is requested only 45 times a month, which, let's face it, is quite unfortunate.

So as not to be unfounded, I want to tell you an entertaining story from my life. Some time ago a neighbor decided to join modern life: he bought himself a laptop and a router, arranged an Internet connection, and came to see me.

The neighbor had bought a D-Link DIR-300-NRU router, and this model has a particular feature: by default it uses the brand name as the wireless network name (SSID), so a network called dlink shows up in the list of available networks. Most manufacturers hard-code the network name as brand plus model into the factory settings (for example, Trendnet-TEW432, and so on).

So, I saw dlink in the list of networks and immediately connected to it. I'll say right away that any router (except Wi-Spots and other exotic devices that have no RJ-45 wired interface) should be configured over a wired connection. In practice you can configure it over Wi-Fi, but never reflash it that way; reflash only over a wire, otherwise there is a real chance of seriously damaging it. Had I configured the router over a wire, this funny thing would not have happened and there would be no story.

I connect to the dlink network and start setting it up: changing the SSID, setting the encryption key, defining the address range, the broadcast channel and so on, restarting the router, and only then does it dawn on me that the signal is very weak, even though the router is sitting right next to me.

Yes, indeed, I had connected to someone else's open router and configured it as needed. Naturally, I immediately restored all the settings to the original ones so that the router's owners would not be upset, and then configured the intended router as needed. Even so, I can say that that router still sits unencrypted and anyone can connect to it. So, to avoid such situations, set up your wireless router properly and read on about home network security.

Let's look at which elements, hardware and software, defend the network, and which are potential gaps, including, by the way, the human factor. But first things first.

We will not consider how the Internet comes to your home - it is enough for us to understand that it comes.

And the question is: where does it arrive? At a computer? At a router? At a wireless access point?

Meanwhile, this question is very important, and here is why: each of the devices above has its own degree of protection against hacker attacks and unauthorized access.

First place in protection against network attacks can safely be given to the router. Hardware protection is much harder to break through, although it cannot be said to be impossible; more on that later. There is a folk wisdom that says: "The simpler the device, the more reliable it is." A router is a much simpler and more specialized device, which means it is, of course, more reliable.

In second place in protection against network attacks is a computer equipped with protective software (firewalls, also spelled FireWall, literally "fire wall"; in Windows XP and later this service is called Windows Firewall). The functionality is about the same, but two functions become possible that usually cannot be done with router tools: tracking which sites users visit and restricting access to certain resources. At home such functionality is usually not required, or can easily be obtained with free services such as Yandex.DNS if you need to protect your child from bad content. A gateway computer sometimes has a nice feature such as a "streaming" antivirus that analyzes passing traffic, but this is no reason to do without antivirus on the client computers: a virus may arrive in a password-protected archive, and the antivirus has no way to look inside until you open it.

A wireless access point is a gateway that is transparent in both directions, through which anything can pass, so it makes sense to use access points only in networks protected by a hardware or software firewall (a router, or a computer with specialized software installed).

Home networks most often use wireless routers, which have four ports for wired computer connections and a radio module that acts as an access point. In this case the network looks like this:

Here we clearly see that the main defender of our network from hacker attacks is the router, but this does not mean that you can feel absolutely safe.

The router's firewall forwards your requests to the Internet and returns the responses to you. If nobody on the network, including your computer, requested a piece of data, the firewall filters it out, protecting your peace.
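To make the "nobody asked for it, so it is dropped" behaviour concrete, here is an added example (not code from the original article) of a toy NAT router with connection tracking in Python. The addresses, port numbers and the HomeRouter class are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the model: the home LAN and the router's public address
# (192.168.1.0/24, 203.0.113.x and 198.51.100.x are illustrative ranges only).
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_WAN_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class HomeRouter:
    """Toy NAT router with connection tracking (a hypothetical model for this example).

    Outbound LAN traffic is translated to the router's public address and the
    connection is remembered; inbound WAN traffic is forwarded only if it answers
    a remembered connection. Anything nobody on the LAN asked for is dropped.
    """

    def __init__(self, first_port=40000):
        self._next_port = first_port
        # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self._conntrack = {}

    def send_out(self, pkt):
        """A LAN host sends a packet to the Internet; return the translated packet."""
        if ipaddress.ip_address(pkt.src_ip) not in LAN:
            raise ValueError("only LAN hosts may open connections through the router")
        public_port = self._next_port
        self._next_port += 1
        self._conntrack[(pkt.proto, public_port)] = (
            pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(ROUTER_WAN_IP, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def receive_in(self, pkt):
        """A packet arrives from the WAN. Return the de-translated packet for the
        LAN host, or None if the router drops it as unsolicited."""
        if pkt.dst_ip != ROUTER_WAN_IP:
            return None                      # not even addressed to us
        entry = self._conntrack.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None                      # nobody on the LAN requested this
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                      # wrong peer for this connection
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def demo():
    """One legitimate exchange followed by two inbound packets nobody asked for."""
    router = HomeRouter()
    request = router.send_out(Packet("192.168.1.20", 51000, "198.51.100.5", 443))
    reply = router.receive_in(Packet("198.51.100.5", 443, ROUTER_WAN_IP, request.src_port))
    scan = router.receive_in(Packet("198.51.100.99", 12345, ROUTER_WAN_IP, 3389))
    wrong_peer = router.receive_in(Packet("198.51.100.99", 443, ROUTER_WAN_IP, request.src_port))
    return request, reply, scan, wrong_peer


if __name__ == "__main__":
    for name, pkt in zip(("request", "reply", "scan", "wrong_peer"), demo()):
        print(f"{name}: {'forwarded ' + str(pkt) if pkt else 'dropped'}")
```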

How, then, can something get into your firewall-protected network?

Most often these are Trojans that enter your network along with infected scripts or downloaded infected programs. Viruses are often distributed as e-mail attachments or as links in the body of the message (e-mail worms). In particular, this is how a worm spreads that encrypts all the information on your computer's hard drives and then extorts money for decryption.

What else can a virus that has settled on your computer do?

The activity of a virus can be very diverse: from "zombifying" a computer or stealing data to extorting money directly by locking Windows or encrypting all user data.

I have friends who claim that they have never met a more useless program than an antivirus and get by just fine without one. If you think the same, then I must warn you that a virus does not always reveal itself immediately, or at all. Sometimes its activity consists of taking part in a DDoS attack on some site on the Internet. This threatens you with nothing except that your provider may block you and make you check for viruses. Therefore, even if there is no important data on your computer, it is better to install an antivirus, at least a free one.

If a Trojan has penetrated your computer, it can open a port, create a tunnel and give its creator complete control over your computer.

Many viruses can spread over a network, so if a virus gets onto one computer, there is a chance it will reach the other computers on your home network.

How to protect yourself from viruses?

First of all, you need to install an up-to-date antivirus on every computer on the network. Ideally a commercial one, but if money is tight you can use free antiviruses such as Avast, Avira, AVG, Microsoft Security Essentials and others. This is, of course, not as effective as a paid antivirus, but it is better than no antivirus at all.

Important: there is a "gap" between the appearance of a new virus and the addition of its signature to the antivirus database, lasting from 3 days to 2 weeks (sometimes longer). During this time your computer may be at risk of infection even with an updated antivirus. So we move on to the next stage: instructions that you can follow to protect yourself from infection.

In fact, you can even catch a virus from your favorite news site, through all sorts of pop-unders, teasers and other advertising on the site. To prevent this, you need an updated antivirus. For your part, you can do the following:

1. Never open attachments in letters or follow links from them if the sender is unknown to you. If the sender is known to you but the letter is clearly advertising or of the "look at these photos, you're naked here" kind, then of course you should not click any links either. The only useful thing you can do in this case is tell the person that they have caught a virus. This applies to e-mail as well as to messages in Skype, ICQ, Mail.ru Agent and other systems.

2. Sometimes you may receive a message from a "collection agency" or from "MosGorSud" saying that you are in some kind of trouble. Be aware that this is how encrypting viruses (ransomware) spread, so under no circumstances should you click the links or open the attachments.

3. Be sure to pay attention to what your antivirus's messages about detected viruses look like. Remember their appearance, because often, while browsing, a message appears saying that a virus has been detected and that you should immediately download an antivirus from this site and get checked. If you remember what your antivirus's message window looks like, you can always tell whether it is the antivirus warning you or a "trick". And an antivirus will never require you to download any add-on from a website; this is the first sign of a virus. Don't get caught, otherwise you will have to call a specialist to clean the ransomware off your computer.

4. You downloaded an archive with some program or other, but when you open the file you are asked to send an SMS and receive a code. Under no circumstances do this, no matter how convincing the arguments in the window are. You will send 3 SMS at 300 rubles each, and inside you will find instructions for downloading files from torrents.

6. If you use a Wi-Fi wireless network, you need to set a network encryption key. If your network is open, anyone can connect to it. The danger is not that someone else will use your Internet, but that they end up on your home network, which probably has shared resources that should not be exposed to the public. You can also read the article on building a network with Wi-Fi technology.

Instead of summing up

Now we know that no matter how expensive and high-quality our protector, the router, is, if you do not take certain measures you can infect your computer with a virus and at the same time create a threat to the entire network. And, of course, we must not forget that the encryption key of your wireless network is also a very important factor.

In this case the rules of information security must be observed by both the provider and its client. In other words, there are two points of vulnerability (on the client side and on the provider side), and each participant in this system is forced to defend its own interests.

View from the client's side

Doing business electronically requires high-speed data channels, and while providers previously made their main money on Internet connections, clients now have rather strict requirements for the security of the services offered.

A number of hardware devices have appeared in the West that provide secure connections for home networks. As a rule they are called "SOHO solutions" and combine a hardware firewall, a multi-port hub, a DHCP server and VPN router functions. This is the path taken, for example, by the developers of the Cisco PIX Firewall and the WatchGuard FireBox. Software firewalls remain only at the personal level and are used as an additional means of protection.

Developers of SOHO-class hardware firewalls believe that these devices should be easy to manage, "transparent" (that is, invisible) to the home network user, and priced in line with the direct damage that attackers could cause. The average cost of a successful attack on a home network is estimated at approximately $500.

To protect your home network, you can use a software firewall or simply remove unnecessary protocols and services from the configuration. The best option is for the provider to test several personal firewalls, configure its own security system on them and provide technical support. This is exactly what the provider 2COM does, offering its clients a set of tested firewalls and tips on setting them up. In the simplest case, it is recommended to declare almost all network addresses dangerous except the address of the local computer and the gateway through which the Internet connection is established. If the software or hardware firewall on the client side detects signs of intrusion, this must be reported immediately to the provider's technical support.

It should be noted that a firewall protects against external threats but does not save you from user errors. Therefore, even if the provider or the client has installed some security system, both parties must still follow a few fairly simple rules to minimize the likelihood of attacks. First, leave as little personal information as possible on the Internet, try to avoid paying with credit cards, or at least check that the server has a digital certificate. Second, do not download and run programs from the Internet on your computer, especially free ones. It is also not recommended to make local resources accessible from outside, to install support for unnecessary protocols (such as IPX or SMB), or to keep default settings (for example, hiding file extensions).

It is especially dangerous to run scripts attached to e-mail messages, and it is better not to use Outlook at all, since most viruses are written specifically for this mail client. In some cases it is safer to use web-mail services for e-mail, since viruses as a rule do not spread through them. For example, the provider 2COM offers a free web service that lets you read messages from external mailboxes and download only the ones you need to your local machine.

Providers usually do not provide secure access services. The fact is that a client's vulnerability often depends on his own actions, so in the event of a successful attack it is quite hard to prove who exactly made the mistake, the client or the provider. In addition, the fact of the attack still has to be recorded, and this can only be done with proven and certified products. Assessing the damage from a break-in is not easy either; as a rule, only its minimum value, characterized by the time needed to restore normal operation of the system, can be estimated.

Providers can secure e-mail services by checking all incoming mail with antivirus programs and by blocking all protocols except the main ones (Web, e-mail, news, ICQ, IRC and some others). Operators cannot always track what is happening in the internal segments of a home network, but since they are forced to defend against external attacks (which is consistent with user protection policies), customers need to interact with their security teams. Remember that the provider does not guarantee absolute security for users; it only pursues its own commercial gain. Attacks on subscribers are often associated with a sharp surge in the volume of data sent to them, which, in fact, is how the operator makes money. This means that the interests of the provider can sometimes conflict with those of the consumer.

Provider's perspective

For home network providers the main problems are unauthorized connections and heavy internal traffic. Home networks are often used to host games that stay within the local network of a single residential building but can lead to whole segments of it being blocked. Internet access then becomes difficult, which causes justified dissatisfaction among commercial clients.

From a cost perspective, providers are interested in minimizing the cost of securing and monitoring their home network. At the same time, they cannot always organize proper protection for the client, since this requires certain costs and restrictions on the user's part. Unfortunately, not all subscribers agree to this.

Typically, home networks are structured as follows: there is a central router with an Internet access channel, and the extensive network of the block, building and entrance is connected to it. Naturally, the router functions as a firewall, separating the home network from the rest of the Internet. It implements several security mechanisms, but the most commonly used is address translation (NAT), which both hides the internal network infrastructure and saves the provider's real IP addresses.

However, some providers give their clients real IP addresses (for example, this happens in the network of the Mitino microdistrict, connected to the Moscow provider MTU-Intel). In this case the user's computer becomes directly reachable from the Internet, making it harder to protect. Not surprisingly, the burden of information security falls entirely on the subscribers, and the operator has only one way to control their actions: by IP and MAC addresses. However, modern Ethernet adapters allow both parameters to be changed programmatically at the operating system level, and the provider finds itself defenseless against an unscrupulous client.

Of course, some applications require real IP addresses. Giving a client a real static IP address is quite dangerous, because if the server with that address is successfully attacked, the rest of the internal network becomes accessible through it.

One compromise solution to the problem of safely using IP addresses in the home network is to introduce VPN technology combined with dynamic address allocation. Briefly, the scheme is as follows. An encrypted tunnel is established from the client machine to the router using the PPTP protocol. Since this protocol has been supported by Windows since version 95 and is now implemented for other operating systems, the client does not need to install additional software; only configuring already installed components is required. When a user connects to the Internet, he first establishes a connection with the router, then logs in, receives an IP address, and only then can he start working on the Internet. (PPTP's MS-CHAPv2 authentication and RC4-based encryption have since been shown to be weak, so the scheme is described here as the provider deployed it at the time, not as a current recommendation.)

This type of connection is equivalent to a regular dial-up connection, with the difference that when setting it up you can set almost any speed. Even nested VPN subnets work in this scheme, which can be used to connect remote clients to a corporate network. During each user session the provider dynamically allocates either a real or a virtual IP address. Incidentally, a real IP address from 2COM costs $1 per month more than a virtual one.

To implement VPN connections, 2COM developed its own specialized router that performs all the functions listed above plus service billing. Notably, packet encryption is handled not by the CPU but by a specialized coprocessor, which allows up to 500 VPN virtual channels to be supported simultaneously. One such crypto router in the 2COM network connects several buildings at once.

In general, the best way to protect a home network is close interaction between provider and client, within which each can defend its interests. At first glance, home network security methods look similar to those used for corporate security, but in fact they are not. Companies customarily set fairly strict rules of behavior for employees in line with a given information security policy. This does not work in a home network: each client needs its own services, and creating common rules of behavior is not always successful. Consequently, building a reliable home network security system is much harder than securing a corporate network.

Introduction

The relevance of this topic lies in the fact that the changes taking place in the economic life of Russia (the creation of a financial and credit system, enterprises of various forms of ownership, and so on) have a significant impact on information security issues. For a long time there was only one kind of property in our country, state property, so information and secrets were also state property, protected by powerful special services. Information security problems are constantly aggravated by the penetration of technical means of data processing and transmission, above all computer systems, into almost all spheres of social activity. The targets of attacks may be the technical means themselves (computers and peripherals) as material objects, or the software and databases for which the technical means are the environment. Each failure of a computer network is not only "moral" damage to the employees of the enterprise and the network administrators. As electronic payment technologies, "paperless" document flow and the like develop, a serious failure of local networks can simply paralyze the work of entire corporations and banks, which leads to significant material losses. It is no coincidence that data protection in computer networks is becoming one of the most pressing problems in modern computer science. To date, two basic principles of information security have been formulated, which should ensure:

- data integrity: protection against failures leading to loss of information, as well as against unauthorized creation or destruction of data;
- confidentiality of information and, at the same time, its availability to all authorized users.

It should also be noted that certain areas of activity (banking and financial institutions, information networks, government management systems, defense and special structures) require special data security measures and place increased demands on the operational reliability of information systems, in accordance with the nature and importance of the tasks they solve.

If a computer is connected to a local network, then, potentially, this computer and the information on it can be accessed by unauthorized persons from the local network.

If a local network is connected to other local networks, then users of those remote networks are added to the list of possible unauthorized users. We will not discuss the accessibility of such a computer from the network or the channels connecting local networks, because there are probably devices at the exits of the local networks that encrypt and control traffic, and the necessary measures have been taken.

If a computer is connected directly through a provider to an external network, for example via a modem to the Internet, for remote interaction with its local network, then the computer and the information on it are potentially accessible to hackers from the Internet. Worst of all, through this computer hackers can also reach local network resources.

Naturally, for all such connections either the standard access-control means of the operating system, or specialized means of protection against unauthorized access, or cryptographic systems at the level of specific applications, or a combination of these, are used.

However, all these measures, unfortunately, cannot guarantee the desired security during network attacks, and this is explained by the following main reasons:

Operating systems (OS), especially Windows, are software products of high complexity created by large teams of developers. Detailed analysis of these systems is extremely difficult. Consequently, it does not seem possible to reliably prove that they are free of unintended capabilities, errors or undocumented features, left in the OS accidentally or deliberately, that could be exploited through network attacks.

In a multitasking OS, in particular Windows, many different applications can run simultaneously...

Avast always tries to stay ahead when it comes to protecting users from new threats. More and more people watch movies, sports and TV shows on smart TVs, control the temperature in their homes with digital thermostats, and wear smart watches and fitness bracelets. As a result, security needs extend beyond the personal computer to cover all devices on the home network.

However, home routers, the key devices in the home network infrastructure, often have security problems and give hackers easy access. A recent study by Tripwire found that 80 percent of top-selling routers have vulnerabilities. Moreover, the most common combinations for accessing the administrative interface, in particular admin/admin or admin with no password, are used in 50 percent of routers worldwide. Another 25 percent of users use their address, date of birth, first name or last name as the router password. As a result, more than 75 percent of routers worldwide are vulnerable to simple password attacks, opening the door for threats to be deployed on the home network. The router security landscape today is reminiscent of the 1990s, when new vulnerabilities were discovered every day.
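The weak-password categories the study names (factory defaults, address, date of birth, first or last name) can be turned into a self-check that an owner runs against their own router login. The following Python audit is an added example, not Avast's or Tripwire's code; the default-credential set, the personal details and the 12-character threshold are assumptions chosen for the illustration.

```python
import re
from datetime import date

# Default administrative logins the page reports as common; a real audit would
# load the vendor's documented defaults for the router model being checked.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "")}

# Constructed subject for the demo: names, street and birthday are made up.
SAMPLE_BIRTHDAY = date(1985, 7, 14)


def _text_forms(value):
    """Lower-cased spellings of a personal detail (spaces removed or replaced)
    plus its digits-only form, so 'Lenina 12' also yields 'lenina12'."""
    v = value.strip().lower()
    forms = {v, v.replace(" ", ""), v.replace(" ", "_"), v.replace(" ", "-")}
    forms.add(re.sub(r"\D", "", v))
    return {f for f in forms if f}


def _date_forms(d):
    """Common ways a birthday ends up in a password: 19850714, 14071985, 140785, 1985, ..."""
    return {d.strftime(fmt) for fmt in
            ("%Y%m%d", "%d%m%Y", "%d%m%y", "%Y", "%d.%m.%Y", "%d-%m-%Y")}


def audit_router_password(username, password, first_name="", last_name="",
                          address="", birthday=None):
    """Return a list of findings; an empty list means none of the page's weaknesses apply."""
    findings = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        findings.append("factory default credentials")
    pw = password.lower()
    personal = {
        "first name": _text_forms(first_name),
        "last name": _text_forms(last_name),
        "address": _text_forms(address),
        "date of birth": _date_forms(birthday) if birthday else set(),
    }
    for label, forms in personal.items():
        # substring match, so 'Ivanov1985!' is caught even with decoration around the name;
        # fragments shorter than 4 characters are ignored to avoid noise
        if any(len(f) >= 4 and f in pw for f in forms):
            findings.append(f"contains {label}")
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("fewer than 3 character classes")
    return findings


if __name__ == "__main__":
    for pw in ("admin", "", "Ivanov1985!", "Tq7!vR9#mL2$pX"):
        result = audit_router_password("admin", pw, first_name="Ivan", last_name="Ivanov",
                                       address="Lenina 12", birthday=SAMPLE_BIRTHDAY)
        print(repr(pw), "->", result or ["no findings"])
```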

Home Network Security feature

The Home Network Security feature in Avast Free Antivirus, Avast Pro Antivirus, Avast Internet Security and Avast Premier Antivirus addresses these problems by scanning your router and home network settings for potential issues. With the Avast Nitro Update, the Home Network Security detection engine has been completely redesigned, adding multi-threaded scanning and an improved DNS hijack detector. The engine now supports ARP scans and port scans performed at the kernel driver level, which makes scanning several times faster than in the previous version.

Home Network Security can automatically block cross-site request forgery (CSRF) attacks on your router. CSRF exploits website vulnerabilities and lets cybercriminals send unauthorized commands to a site. The command imitates instructions from a user the site already knows, so criminals can impersonate that user, for example to transfer money without the victim's knowledge. Using CSRF requests, criminals can remotely change router settings, overwrite the DNS settings and redirect traffic to fraudulent sites.

The Home Network Security component allows you to scan your home network and router settings for potential security issues. The tool detects weak or standard Wi-Fi passwords, vulnerable routers, compromised Internet connections, and IPv6 enabled but not secured. Avast lists all devices on your home network so users can check that only known devices are connected. The component provides simple recommendations for eliminating detected vulnerabilities.

The tool also notifies the user when new devices join the network, including network-connected TVs and other devices, so the user can immediately spot an unknown device.
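The device-inventory check the tool performs (listing what is on the network and flagging anything not previously approved) can be reproduced by hand from the neighbour table a home computer already keeps. The Python example below is added here and is not Avast's code; the neighbour table, the approved-device list and the MAC addresses are all constructed for the illustration, and the `ip neigh` line format is the one a Linux host prints.

```python
import re
from collections import defaultdict

# Constructed neighbour table in `ip neigh` output format (a made-up sample, not a capture).
# The gateway IP is answered by a MAC that is not the router's, and that same MAC also
# claims a second address: two signs worth a notification.
NEIGH_TABLE = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:99 REACHABLE
192.168.1.20 dev wlan0 lladdr 00:11:22:33:44:20 STALE
192.168.1.31 dev wlan0 lladdr 00:11:22:33:44:31 REACHABLE
192.168.1.77 dev wlan0 lladdr 00:11:22:33:44:99 REACHABLE
192.168.1.40 dev wlan0 FAILED
"""

# Constructed inventory: MAC addresses the owner has approved, with a friendly name.
KNOWN_DEVICES = {
    "00:11:22:33:44:01": "Router",
    "00:11:22:33:44:20": "Laptop",
    "00:11:22:33:44:31": "Smart TV",
}
# Infrastructure whose IP-to-MAC binding must never change (here: the gateway).
PINNED_HOSTS = {"192.168.1.1": "00:11:22:33:44:01"}

_ENTRY = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17}) (\S+)$")


def parse_neigh(text):
    """Yield (ip, iface, mac) for resolved entries; FAILED/INCOMPLETE lines carry no MAC."""
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def scan_network(text, known=KNOWN_DEVICES, pinned=PINNED_HOSTS):
    """Compare the live neighbour table with the inventory.

    Returns a dict with:
      unknown        - (ip, mac) pairs whose MAC is not in the inventory
      binding_change - (ip, expected_mac, seen_mac) for pinned hosts answered by another MAC
      multi_ip       - {mac: [ips]} for a MAC seen on more than one IP
    """
    unknown, binding_change = [], []
    ips_by_mac = defaultdict(list)
    for ip, _iface, mac in parse_neigh(text):
        ips_by_mac[mac].append(ip)
        if mac not in known:
            unknown.append((ip, mac))
        expected = pinned.get(ip)
        if expected and expected.lower() != mac:
            binding_change.append((ip, expected.lower(), mac))
    multi_ip = {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return {"unknown": unknown, "binding_change": binding_change, "multi_ip": multi_ip}


if __name__ == "__main__":
    for key, value in scan_network(NEIGH_TABLE).items():
        print(f"{key}: {value}")
```

On a real host, feed `scan_network` the output of `ip neigh show` and keep the inventory in a file you update when you consciously add a device.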

The new proactive approach underlines the overall concept of providing maximum comprehensive user protection.

Today almost every apartment has a home network to which desktop computers, laptops, data storage (NAS), media players, smart TVs, smartphones, tablets and other wearable devices are connected. Either wired (Ethernet) or wireless (Wi-Fi) connections and TCP/IP protocols are used. With the development of Internet of Things technologies, household appliances have joined them: refrigerators, coffee makers, air conditioners and even electrical wiring equipment. Thanks to "smart home" solutions we can control the brightness of lighting, remotely adjust the indoor climate, and turn various devices on and off. This makes life much easier but can create serious problems for the owner of such advanced solutions.

Unfortunately, the developers of such devices do not yet care enough about the security of their products, and the number of vulnerabilities found in them grows like mushrooms after rain. It is common for a device to lose support soon after reaching the market: our TV, for example, runs 2016 firmware based on Android 4, and the manufacturer is not going to update it. Guests add problems too: it is awkward to deny them Wi-Fi access, but you would not want to let just anyone into your cozy network either. Who knows what viruses live on strangers' mobile phones? All this leads us to the need to divide the home network into several isolated segments. Let's try to figure out how to do this, as they say, with little blood and at the least financial cost.

Isolating Wi-Fi networks
In corporate networks the problem is solved simply: there are managed switches with support for virtual local networks (VLANs), various routers, firewalls and wireless access points, and you can build the required number of isolated segments in a couple of hours. With the Traffic Inspector Next Generation (TING) appliance, for example, the problem is solved in a few clicks: connect the switch of the guest segment to a separate Ethernet port and create firewall rules. This option is not suitable for the home because of the cost of the equipment; most often our network is controlled by a single device that combines the functions of router, switch, wireless access point and goodness knows what else.

Fortunately, modern household routers (though it would be more correct to call them Internet centers) have also become very smart, and almost all of them except the most budget ones can create an isolated guest Wi-Fi network. How reliable that isolation is is a question for a separate article; today we will not examine the firmware of household devices from different manufacturers. Let's take the ZyXEL Keenetic Extra II as an example. This line is now simply called Keenetic, but we got our hands on a device released under the ZyXEL brand.

Setting up via the web interface will not cause difficulties even for beginners: a few clicks, and we have a separate wireless network with its own SSID, WPA2 protection and access password. You can let guests into it, as well as TVs and players whose firmware has not been updated for a long time, or other clients you do not particularly trust. In most devices from other manufacturers this function, we repeat, is also present and is activated in the same way. This is how, for example, the problem is solved in D-Link router firmware using the setup wizard.

[Screenshot: you can add a guest network when the device is already configured and working.]

[Screenshots from the manufacturer's website.]

Isolating Ethernet networks
In addition to clients connecting to the wireless network, we may have devices with a wired interface. Experts will say that isolated Ethernet segments are created with VLANs (virtual local networks). Some home routers support this, but here the task gets more complicated: we want not just a separate segment, we need to combine wired ports with the guest wireless network on one router. Not every household device can handle this: a superficial survey shows that, besides Keenetic Internet centers, adding Ethernet ports to the guest Wi-Fi segment is also possible on MikroTik models, but setting them up is no longer so obvious. Among comparably priced household routers, only Keenetic solves the problem in a couple of clicks in the web interface.

As you can see, the test subject easily coped with the task, and here another interesting feature deserves attention: you can also isolate the guest network's wireless clients from each other. This is very useful: your friend's malware-infected smartphone will get Internet access but will not be able to attack other devices, even on the guest network. If your router has such a function, you should definitely enable it, although this limits what clients can do with each other: for example, it will no longer be possible to pair a TV with a media player over Wi-Fi; you will have to use a wired connection. At this stage our home network looks more secure.
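The forwarding policy that the two sections above arrive at (guest Wi-Fi plus guest Ethernet ports in one segment, no path between guest and home segments, and optional isolation between guest wireless clients) is easiest to reason about as a table of decisions. The Python model below is an added example, not Keenetic firmware or its rule set; the port names, subnets, hosts and the assumption that client isolation applies only to the guest radio are all constructed for the illustration.

```python
import ipaddress

# Constructed layout of one home "Internet centre" (names, ports and subnets are
# assumptions for the example, not a specific vendor's configuration).
SEGMENT_OF_PORT = {
    "eth0": "wan",                                       # uplink to the provider
    "eth1": "lan", "eth2": "lan", "wlan0": "lan",        # trusted wired ports + main Wi-Fi
    "eth3": "guest", "eth4": "guest", "wlan1": "guest",  # guest wired ports + guest Wi-Fi
}
SEGMENT_SUBNETS = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "guest": ipaddress.ip_network("192.168.2.0/24"),
}
# Constructed hosts and the port or radio each one is attached to.
HOST_PORT = {
    "192.168.1.20": "eth1",   # desktop PC
    "192.168.1.40": "eth2",   # NAS with shared folders
    "192.168.1.50": "wlan0",  # owner's laptop
    "192.168.2.60": "eth3",   # old TV with unsupported firmware, put in guest by wire
    "192.168.2.61": "wlan1",  # media player on guest Wi-Fi
    "192.168.2.70": "wlan1",  # visitor's smartphone
}


def segment_of_ip(ip):
    """Which configured subnet an address falls in; anything else counts as Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENT_SUBNETS.items():
        if addr in net:
            return name
    return "wan"


def forward_decision(src_ip, dst_ip, wireless_isolation=True):
    """Decide whether the router forwards src_ip -> dst_ip. Returns (allowed, reason).

    Policy: each segment may reach the Internet; the two segments never reach each
    other; with wireless_isolation on, guest Wi-Fi clients cannot reach each other
    (assumption: isolation covers only the guest radio, not the wired guest ports,
    which is why moving the TV to a wire restores pairing with the media player).
    """
    src_port = HOST_PORT.get(src_ip, "eth0")   # unknown address: treat as arriving from WAN
    dst_port = HOST_PORT.get(dst_ip, "eth0")
    src_seg, dst_seg = SEGMENT_OF_PORT[src_port], SEGMENT_OF_PORT[dst_port]
    if src_seg == "wan":
        return False, "unsolicited traffic from the Internet"
    if dst_seg == "wan":
        return True, f"{src_seg} -> Internet"
    if src_seg != dst_seg:
        return False, f"{src_seg} -> {dst_seg}: segments are isolated"
    if src_seg == "guest" and wireless_isolation and src_port == dst_port == "wlan1":
        return False, "guest wireless client isolation"
    return True, f"{src_seg} -> {src_seg}"


if __name__ == "__main__":
    cases = [
        ("192.168.2.70", "192.168.1.40", True),   # visitor's phone -> NAS
        ("192.168.2.70", "198.51.100.5", True),   # visitor's phone -> Internet
        ("192.168.2.61", "192.168.2.70", True),   # media player -> phone, isolation on
        ("192.168.2.60", "192.168.2.61", True),   # wired TV -> media player, isolation on
        ("198.51.100.5", "192.168.1.20", True),   # Internet -> PC
    ]
    for src, dst, iso in cases:
        ok, why = forward_decision(src, dst, iso)
        print(f"{src} -> {dst}: {'ALLOW' if ok else 'DROP '} ({why})")
```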

What's the result?
The number of security threats grows every year, and smart device manufacturers do not always pay enough attention to releasing updates in time. In such a situation we have only one way out: separating home network clients and creating isolated segments for them. You do not need equipment costing tens of thousands of rubles for this; a relatively inexpensive household Internet center can handle the task. Here I would warn readers against buying devices from budget brands. Almost all manufacturers now have roughly the same hardware, but the quality of the built-in software differs greatly, as does the length of the support cycle for released models. Not every household router can cope even with the fairly simple task of combining a wired and a wireless network into an isolated segment, and you may have more complex ones. Sometimes you need to configure additional segments or DNS filtering so that only safe hosts are reachable; in large premises you have to connect Wi-Fi clients to the guest network through external access points, and so on. Besides security, there are other issues: in public networks, clients must be registered in accordance with Federal Law No. 97 "On Information, Information Technologies and Protection of Information". Inexpensive devices can solve such problems, but not all of them: the functionality of their built-in software, we repeat, varies greatly.


