Local network at home: how to configure it so that it is not hacked? Home network: security from every angle.

With the proliferation of broadband Internet access and pocket gadgets, wireless routers have become extremely popular. Such devices are capable of transmitting a signal via Wi-Fi to both stationary computers and mobile devices - smartphones and tablets - while the bandwidth of the channel is sufficient for simultaneous connection of several consumers.

Today, a wireless router can be found in almost any home with broadband Internet access. However, not all owners of such devices think that with default settings they are extremely vulnerable to intruders. And if you think that you are not doing anything on the Internet that could harm you, think about the fact that by intercepting the signal of the local wireless network, hackers can gain access not only to your personal correspondence, but also to your bank account, official documents and any other files.

Hackers may not limit themselves to examining the memory of only your own devices - their contents can suggest clues to the networks of your company, your relatives and friends, to the data of all kinds of commercial and government information systems. Moreover, cybercriminals can conduct massive attacks, hacks, illegally distribute media files and software, and engage in other criminal activities through your network and on your behalf.

Meanwhile, in order to protect yourself from such threats, it is worth following only a few simple rules that are understandable and accessible even to those who do not have special knowledge in the field of computer networks. We invite you to familiarize yourself with these rules.

1. Change the default administrator credentials

To access the settings of your router, you need to go to its web interface. To do this, you need to know its IP address in the local area network (LAN), as well as the administrator's login and password.

The default internal IP address of the router is usually 192.168.0.1, 192.168.1.1, 192.168.100.1 or, for example, 192.168.123.254 - it is always listed in the hardware documentation. The default username and password are usually also reported in the documentation, or they can be obtained from the manufacturer of the router or your service provider.

Enter the router's IP address in the browser's address bar and, in the dialog that appears, the username and password. The router's web interface opens, with a wide variety of settings.

A key element of home network security is control over the settings, so it is imperative to change all the default administrator credentials: the same ones are used on tens of thousands of routers identical to yours. Find the corresponding item and enter new credentials.

In some cases, the ability to change the administrator credentials is blocked by the service provider, and then you will have to contact them for help.

2. Set or change passwords for accessing the local network

You may laugh, but there are still cases where the generous owner of a wireless router runs an open access point that anyone can connect to. Far more often, pseudo-passwords like "1234" or some banal word chosen during setup are used for the home network. To minimize the chance that someone can easily get into your network, come up with a genuinely long password of letters, digits and symbols, and set the encryption mode, preferably WPA2.

3. Disable WPS

WPS (Wi-Fi Protected Setup) technology allows you to quickly establish secure wireless communication between compatible devices without detailed settings, but only by pressing the appropriate buttons on the router and gadget or by entering a digital code.

Meanwhile, this convenient system, usually turned on by default, has one weak point: since WPS does not limit the number of attempts to enter a wrong code, it can be brute-forced with the simplest utilities. Getting into your network through the WPS code takes from several minutes to several hours, after which recovering the network password is not difficult.

Therefore, we find the corresponding item in the "admin panel" and disable WPS. Unfortunately, making changes to the settings will not always actually turn off WPS, and some manufacturers do not provide this option at all.

4. Change the SSID name

The SSID (Service Set Identifier) is the name of your wireless network. It is this name that devices "remember": when they recognize it and hold the right password, they try to connect to the network. Therefore, if you keep the standard name set, for example, by your ISP, there is a chance that your devices will try to connect to many nearby networks with the same name.

Moreover, a router broadcasting a standard SSID is more vulnerable to hackers, who will roughly know its model and usual settings, and will be able to strike at specific weak points of such a configuration. Therefore, choose a name that is as unique as possible, which does not say anything about the service provider or the equipment manufacturer.

At the same time, the frequently encountered advice to hide the SSID broadcast (an option that is standard on the vast majority of routers) is actually untenable. All devices trying to connect to your network will probe the nearest access points in any case, and can connect to networks specially "planted" by attackers. In other words, by hiding the SSID you only make life difficult for yourself.

5. Change the IP of the router

To make it even more difficult for unauthorized access to the web interface of the router and its settings, change the default internal IP address (LAN) in them.

6. Disable remote administration

For the convenience of technical support (mostly) in many household routers, a remote administration function is implemented, with the help of which the settings of the router become available via the Internet. Therefore, if we do not want external penetration, it is better to disable this function.

In this case, however, it remains possible to enter the web interface via Wi-Fi if the attacker is within range of your network and knows the username and password. Some routers have a function to restrict access to the panel to wired connections only; unfortunately, this option is quite rare.

7. Update the firmware

Every router manufacturer that respects itself and its customers is constantly improving the software of its equipment and regularly releases updated firmware versions. First of all, the latest versions fix discovered vulnerabilities, as well as bugs that affect stability.

Please note that after the update, all the settings you have made may be reset to the factory settings, so it makes sense to make a backup copy - also via the web interface.

8. Go to the 5 GHz band

The base band of Wi-Fi networks is 2.4 GHz. It provides reliable reception with most existing devices up to a distance of about 60 m indoors and up to 400 m outdoors. Switching to the 5 GHz band reduces the range by two to three times, limiting the ability of outsiders to reach your wireless network. As the band is less congested, you may also notice higher data transfer speed and better connection stability.

This solution has only one drawback - not all devices work with Wi-Fi of the IEEE 802.11ac standard in the 5 GHz range.

9. Disable PING, Telnet, SSH, UPnP and HNAP functions

If you do not know what is hidden behind these abbreviations, and are not sure if you will definitely need these functions, find them in the settings of your router and disable them. If possible, instead of closing ports, select stealth mode, which, when trying to access them from the outside, will make these ports “invisible”, ignoring requests and “pings”.

10. Turn on the firewall of the router

If your router has a built-in firewall, we recommend turning it on. Of course, this is not a bastion of absolute protection, but in combination with software (even with the built-in firewall in Windows), it is able to resist attacks quite adequately.

11. Disable MAC address filtering

While at first glance it seems that allowing only devices with specific MAC addresses onto the network fully guarantees security, in reality this is not the case. What's more, it leaves the network open even to not very resourceful attackers. If an attacker can sniff the traffic, they will quickly obtain a list of active MAC addresses, since these are transmitted unencrypted in the data stream. And changing a MAC address is no problem, even for a layman.

12. Change to another DNS server

Instead of using your ISP's DNS server, you can switch to alternatives such as Google Public DNS or OpenDNS. On the one hand, this can speed up the delivery of Internet pages, and on the other, it can increase security. For example, OpenDNS blocks viruses, botnets and phishing requests on any port, protocol and application, and thanks to special algorithms based on Big Data, it is able to predict and prevent a variety of threats and attacks. That being said, Google Public DNS is just a high-speed DNS server with no additional features.

13. Install an alternative "firmware"

And finally, the radical step for someone who understands what they are doing is installing firmware, written not by the manufacturer of your router, but by enthusiasts. As a rule, such "firmware" not only expand the functionality of the device (usually they add support for professional functions like QoS, bridge mode, SNMP, etc.), but also make it more resistant to vulnerabilities, including due to its non-standard nature.

Among the popular open-source "firmware" are Linux-based


The development of technology and telecommunications leads to a rapid growth in the homes of users of all kinds of devices that can work with the Internet. Users willingly purchase devices that interact with the Internet to listen to Internet radio, download music, films, programs, e-books, and for other activities. And if earlier many could somehow control the presence of one or two devices in their network, now users have more and more devices. This makes it difficult to exercise reliable control. Especially when the family consists of several users who manage to connect devices to the network, not coordinating with each other. Lack of knowledge in the field of competently setting up a home network leads to the fact that users can be spied on from the Internet against their will (http://habrahabr.ru/post/189674/). Or, on the contrary: users lose the ability to remotely monitor what is happening in the field of view of their IP cameras via the Internet because of Robin Hoods.

With this article, ideally, I would like to increase the literacy of the population in the voiced area. At the very least, I hope that my experience will save time and effort for those who have long thought about dealing with digital anarchy on their home network. And maybe it will be useful to those who are thinking about how to competently organize their home theater.

Initially, the list of equipment in my house that needed the Internet had grown to:

  1. 2 PCs (mine and my parents)
  2. mobile phone
  3. home theater supplies (Synology NAS, Dune media player)
  4. tablet
Trying to figure out how to control this chaos, I came to a logical conclusion: I needed a wireless router. I did not intend to spend too much. On the other hand, my thirst for knowledge led me to the idea that it would be nice to intercept the traffic of the various devices with which I had already managed to enrich my digital possessions. I wondered how they communicate with their software update servers, and whether they "say" anything superfluous. It would seem difficult to combine such requirements: either the price jumps, or you end up with a piece of hardware that cannot be configured without a ton of manuals. And to be honest, there was no time to figure it out.

But in the end I was able to kill two birds with one stone. I settled on the Latvian Mikrotik 751G-2HnD router. It did not do much damage to my wallet (nor to my joy in the purchased device), and it was able to cover all my needs. Looking ahead, I will say that the experience with this piece of hardware was so good that I bought its older brother, the Mikrotik 951G-2HnD, for the office.

The general connection diagram of all devices is shown in Fig. 1.

Fig. 1 General diagram of connecting devices in my home network

I will add some explanations to the picture. The TV itself does not communicate with the Internet, simply because it has no Ethernet port (it was bought who knows when). It is connected with an HDMI cable to a media player (Dune HD Smart D1), and Dune can broadcast video to the TV. Despite Dune's some capabilities for data storage and support for removable media (as well as a built-in torrent client), it is used only as a media player. A Synology DS212j serves as storage for music and movies; it also has a plugin for working with torrent networks. A shared folder is configured on this device, from which Dune fetches media files for playback. Dune and Synology are joined by connecting them to an ordinary switch (labelled Switch in the picture). I didn't need any features from the switch, so I bought the first 4-port switch I came across.

The switch and both PCs are connected to different Mikrotik ports. I must say that my parents did serious work on having the Internet available in different parts of the apartment back at the renovation stage, so Ethernet cables are routed inside the walls into almost every room. The equipment is therefore physically dispersed across different rooms, and no Ethernet cable is visible on the floor, ceiling or walls (something that can often be seen in other apartments). Although in some corners there is still not enough cable wiring. Therefore, I advise future young families to think this issue over with special care; after all, Wi-Fi is not always a good solution. But overall, everything is nicely connected.

So, the structure of the network is clear; let's start setting up Mikrotik.

First steps: getting Mikrotik onto the Internet.

Configuring Mikrotik with RouterOS v6.x presents no problems. Through WebFig, in the Quick Set tab (Fig. 2), set the IP address given by the provider (depending on your conditions, enter it statically or set DHCP to obtain it automatically). If necessary, you can change the MAC address of the WAN port (if the provider ties the IP assignment to the MAC address of one of your devices, for example the previous router). Check the boxes as in Figure 2.

Fig. 2 First steps of the setup

With RouterOS versions earlier than 6.x, it is not so simple. When I bought my router (a year ago), it had version 5.x. The MAC address of the WAN port could not be changed through the browser; I had to do it through the terminal (over ssh). There were also certain difficulties with the other Internet settings. I will not dwell on this in detail; all these problems were solved via Google. I will only say that when I ran into this again (in the office, when replacing a router with a Mikrotik), I got a bit clever: I plugged the Mikrotik's WAN port into a port of the router I was planning to replace, and configured the Mikrotik through the browser to obtain an address via DHCP. Then I downloaded firmware version 6.x and repeated the procedure described above. This saved me a lot of time. The replacement of the old router went through the first time, without any problems.

Network setup - theory

Figure 3 shows the final state I brought the network to.

Fig. 3 Final network setup

First, I'll describe what I configured, and then we'll move on to the configuration itself. Port knocking is configured on Mikrotik, which allows safely opening access from the Internet to the Synology NAS management interface (through a browser) for a certain time. Useful if you want to queue a download so that it finishes before you get home.

The switch is connected to port 3 of the router. Therefore, for ease of memorization, the entire network on this port is given addresses from the 192.168.3.x subnet.

The Mikrotik IP address for web management is 192.168.5.1.

PC #1 (192.168.5.100) is connected to port 5 of the router. It is allowed to access the Internet, all devices on the network, and Mikrotik in order to configure it.

PC #2 (192.168.4.100) is connected to port 4 of the router. It is allowed to access the Internet and all devices on the network, except Mikrotik (there must be only one king).

The Synology NAS and Dune are allowed to access the 192.168.3.x network and the Internet. Everything else is prohibited.

Mobile devices receive an address from the 192.168.88.x network and can communicate with the Internet and other mobile devices. Communication with other subnets is prohibited. The wireless network is encrypted with WPA2.

In general, Mikrotik supports RADIUS for authorizing devices on the network, and the same Synology could serve as the RADIUS server. But I did not set it up that way. All devices unknown to the router will not be able to communicate with the Internet. This helps avoid situations like TVs that spy on their owners.

It is highly desirable that the PC that controls Mikrotik (in my case, PC #1) be connected to Mikrotik directly, without switches. This helps prevent interception of the administrator credentials (by a man-in-the-middle attack exploiting the properties of the ARP protocol) when working with Mikrotik through the web interface. After all, by default Mikrotik's web interface runs over plain HTTP, which is open to analysis. Mikrotik can be switched to HTTPS, but that is beyond the scope of this article, since it is a separate non-trivial task (for novice Mikrotik administrators).

Now that we have figured out what we want to achieve, it's time to move on to the practical part.

Network setup - practice

We connect to Mikrotik via the web interface. In the IP -> Pool section, set the range of IP addresses to issue for the 192.168.3.x network (Fig. 4).

In the IP -> DHCP Server section, on the DHCP tab, press Add New and bind the previously created address pool (pool3) to physical Ethernet port No. 3 (ether3-slave-local) (Fig. 5).

In the IP -> Routes section, add a route for the new network (Fig. 7):

In the Interfaces section, choose ether3-slave-local and change the value of the Master Port parameter to none (Fig. 8).

In the IP -> Addresses section, create the gateway 192.168.3.1 for the network 192.168.3.0/24 on the port ether3-slave-local (Fig. 9).

All other subnets on the remaining physical ports of Mikrotik are configured in the same way.

The subnet has been created. Now devices connected to Ethernet port #3 can work with the Internet and the other subnets of the home network. It's time to allow what we need and deny everything that is not explicitly allowed, in the IP -> Firewall section, Filter Rules tab.

Using the Add New button, create the following rules:

We create rules that allow PC #1 (192.168.5.100) to contact Mikrotik (192.168.5.1); everyone else is denied:

Chain = input Src.address = 192.168.5.100 Dst.address = 192.168.5.1 Action = accept

Chain = input Action = drop

We allow the Synology NAS to communicate only with the Internet, excluding the local network (192.168.0.0/16):

Chain = forward Src.address = 192.168.3.201 Dst.address = !192.168.0.0/16 Action = accept

Similar settings for Dune media player:

Chain = forward Src.address = 192.168.3.200 Dst.address = !192.168.0.0/16 Action = accept

We allow both PCs to "communicate" with the Internet and all subnets of the home network:

Chain = forward Src.address = 192.168.5.100 Dst.address = 0.0.0.0/0 Action = accept

Chain = forward Src.address = 192.168.4.100 Dst.address = 0.0.0.0/0 Action = accept

We allow devices on the 192.168.3.x network (where the Synology NAS and Dune are) to continue connections initiated by PC #1:

Chain = forward Src.address = 192.168.3.0/24 Dst.address = 192.168.5.100 Connection State = established Action = accept

For everyone else, we prohibit outgoing traffic both to the Internet and to the subnets of our network:

Chain = forward Src.address = 192.168.0.0/16 Dst.address = 0.0.0.0/0 Action = drop

To implement port knocking, add the following rules:

chain = input action = add-src-to-address-list protocol = icmp src-address-list = ICMP_SSH_128_stage1 address-list = white_list_NAS address-list-timeout = 1h in-inter packet-size = 128

chain = input action = add-src-to-address-list protocol = icmp src-address-list = ICMP_SSH_98_stage2 address-list = ICMP_SSH_128_stage1 address-list-timeout = 1m in-inter packet-size = 128

chain = input action = add-src-to-address-list protocol = icmp src-address-list = ICMP_SSH_98_stage1 address-list = ICMP_SSH_98_stage2 address-list-timeout = 1m in-inter packet-size = 98

chain = input action = add-src-to-address-list protocol = icmp address-list = ICMP_SSH_98_stage1 address-list-timeout = 1m in-inter packet-size = 98

Those who want to know why it is written exactly this way can read (http://habrahabr.ru/post/186488/).

Now, "on a knock", our remote computer will be added for 1 hour to the allowed list (white_list_NAS). But that's not all. For it to reach the Synology web interface, you need to configure port forwarding for this list (white_list_NAS).

This is done in the IP -> Firewall section, NAT tab. Let's create a rule:

chain = dstnat protocol = tcp dst-port = 5000 src-address-list = white_list_NAS action = dst-nat to-addresses = 192.168.3.201 to-ports = 5000

Now, by pinging in a certain way, we get access to our NAS (Fig. 10).
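A model of the policy above, added here as an illustration and not the article's own RouterOS export: the filter, port-knocking and NAT rules are re-encoded as plain data and packets are walked through them with RouterOS first-match semantics, so the policy can be checked offline before it is typed into a live router. It assumes a constructed WAN address 203.0.113.1 and constructed outside hosts in 198.51.100.0/24, leaves out the in-interface match (cut off in the listing above), and places the knock rules ahead of the generic input drop, which they must be to be reached at all; the names `Router`, `policy_check`, `knock` and `remote_nas_access` are mine. It also shows why the knock rules are listed last stage first: add-src-to-address-list does not stop rule processing, so in ascending order one 98-byte ping would climb two stages at once.

```python
"""Offline walk of the article's firewall policy (added example, not a RouterOS export).

Simplifications (assumed): a packet is a dict, address lists are in-memory
dicts with an expiry time, and the in-interface match is not modelled.
"""
import ipaddress

# Rules in evaluation order. The port-knocking rules must sit BEFORE the generic
# "input drop", or no knock ever reaches them (that ordering is assumed here).
RULES = [
    # PC #1 may talk to the router itself; all other router-bound traffic is dropped
    dict(chain="input", src="192.168.5.100", dst="192.168.5.1", action="accept"),
    # Port knocking: ping 98, ping 98, ping 128, ping 128. Listed last stage first,
    # because add-src-to-address-list passes the packet on to the next rule.
    dict(chain="input", proto="icmp", size=128, src_list="ICMP_SSH_128_stage1",
         add_to="white_list_NAS", timeout=3600),
    dict(chain="input", proto="icmp", size=128, src_list="ICMP_SSH_98_stage2",
         add_to="ICMP_SSH_128_stage1", timeout=60),
    dict(chain="input", proto="icmp", size=98, src_list="ICMP_SSH_98_stage1",
         add_to="ICMP_SSH_98_stage2", timeout=60),
    dict(chain="input", proto="icmp", size=98, add_to="ICMP_SSH_98_stage1", timeout=60),
    dict(chain="input", action="drop"),
    # NAS and Dune: Internet only ("!" = destination NOT inside the home ranges)
    dict(chain="forward", src="192.168.3.201", dst="!192.168.0.0/16", action="accept"),
    dict(chain="forward", src="192.168.3.200", dst="!192.168.0.0/16", action="accept"),
    # Both PCs: Internet and every home subnet
    dict(chain="forward", src="192.168.5.100", dst="0.0.0.0/0", action="accept"),
    dict(chain="forward", src="192.168.4.100", dst="0.0.0.0/0", action="accept"),
    # 192.168.3.x may only continue connections that PC #1 opened
    dict(chain="forward", src="192.168.3.0/24", dst="192.168.5.100",
         state="established", action="accept"),
    # Everything else originating in the home ranges is dropped
    dict(chain="forward", src="192.168.0.0/16", dst="0.0.0.0/0", action="drop"),
]
# dst-nat: only sources that completed the knock reach the NAS web interface
NAT_RULE = dict(proto="tcp", dst_port=5000, src_list="white_list_NAS",
                to_address="192.168.3.201", to_port=5000)
WAN_IP = "203.0.113.1"  # constructed public address of the router (documentation range)


def in_net(ip, spec):
    """RouterOS-style address match; a leading '!' negates the network."""
    negate = spec.startswith("!")
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))) != negate


class Router:
    def __init__(self):
        self.now = 0      # simulated clock, seconds
        self.lists = {}   # address-list name -> {ip: expiry time}

    def in_list(self, name, ip):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > self.now

    def matches(self, rule, pkt):
        return all([
            rule.get("chain") == pkt["chain"],
            in_net(pkt["src"], rule["src"]) if "src" in rule else True,
            in_net(pkt["dst"], rule["dst"]) if "dst" in rule else True,
            rule.get("proto", pkt.get("proto")) == pkt.get("proto"),
            rule.get("size", pkt.get("size")) == pkt.get("size"),
            rule.get("state", pkt.get("state")) == pkt.get("state"),
            self.in_list(rule["src_list"], pkt["src"]) if "src_list" in rule else True,
        ])

    def filter(self, pkt):
        """First terminating match decides; add-src-to-address-list passes through."""
        for rule in RULES:
            if not self.matches(rule, pkt):
                continue
            if "add_to" in rule:
                self.lists.setdefault(rule["add_to"], {})[pkt["src"]] = self.now + rule["timeout"]
                continue
            return rule["action"]
        return "accept"   # RouterOS default when nothing in the chain matches


def policy_check():
    """The traces of Figs. 12-14 replayed against the rule table."""
    r = Router()
    fwd = lambda src, dst, state="new": r.filter(dict(chain="forward", src=src, dst=dst, state=state))
    return {
        "pc1_to_router": r.filter(dict(chain="input", src="192.168.5.100", dst="192.168.5.1")),
        "pc2_to_router": r.filter(dict(chain="input", src="192.168.4.100", dst="192.168.5.1")),
        "nas_to_internet": fwd("192.168.3.201", "8.8.8.8"),
        "nas_to_pc1": fwd("192.168.3.201", "192.168.5.100"),                 # Fig. 12: blocked
        "nas_answers_pc1": fwd("192.168.3.201", "192.168.5.100", "established"),
        "pc1_to_nas": fwd("192.168.5.100", "192.168.3.201"),                 # Fig. 13: passes
        "new_pc_to_internet": fwd("192.168.3.50", "8.8.8.8"),                # Fig. 14 (host constructed)
    }


def knock(router, src, pings):
    """Send ICMP echoes of (size, seconds since the previous one) from src to the WAN side."""
    for size, gap in pings:
        router.now += gap
        router.filter(dict(chain="input", src=src, dst=WAN_IP, proto="icmp", size=size))
    return router.in_list("white_list_NAS", src)


def remote_nas_access(router, src):
    """Fate of a TCP/5000 connection from src: dst-nat to the NAS, or dropped by the input chain."""
    if not router.in_list(NAT_RULE["src_list"], src):
        return router.filter(dict(chain="input", src=src, dst=WAN_IP, proto="tcp"))
    pkt = dict(chain="forward", src=src, dst=NAT_RULE["to_address"], proto="tcp")
    return router.filter(pkt)   # no forward rule names an outside source: the default accept applies


if __name__ == "__main__":
    print(policy_check())
    r = Router()
    print("knock ok:", knock(r, "198.51.100.7", [(98, 0), (98, 5), (128, 5), (128, 5)]))
    print("NAS reachable after knock:", remote_nas_access(r, "198.51.100.7"))
```

Run it as a script to see the replayed traces and the knock sequence; editing the order of `RULES` (for instance moving the input drop above the knock rules, or listing the knock stages in ascending order) and re-running shows immediately which reachability changes. Note that the forwarded connection from a knocked-in host reaches the NAS only because no forward rule matches an outside source and RouterOS then accepts by default; a stricter policy would add an explicit forward rule for dst 192.168.3.201 port 5000 and end the forward chain with a drop.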

This completes the setup. If everything is correct, the IP -> Firewall section, Filter Rules tab, ends up looking like Fig. 11.

Checking the configuration

Let's connect via SSH to the NAS server (192.168.3.201) and run a traceroute to PC #1 (192.168.5.100) and to Dune (192.168.3.200) (Fig. 12).

Fig. 12 Results from the NAS

We see that when tracing to PC #1, the packets go through 192.168.3.1 and do not reach the target, while the packets to Dune go directly. At the same time, pings to the Internet work normally (in this case, to the address 8.8.8.8).

And from PC #1 (192.168.5.100) to the NAS (192.168.3.201), the trace succeeds (Fig. 13).

Fig. 13 Trace from PC #1

And Fig. 14 shows what happens on a PC that was connected to the network afterwards, with no rules created for it in the Mikrotik firewall. As a result, this PC can interact neither with the Internet nor with devices in other subnets of the local network.

Fig. 14 Results from a new PC connected to the network

Conclusions

We managed to set up our home network, combining convenient work with the devices on the network with security. The following tasks have been solved:

  1. Mikrotik configuration via the web interface is possible only from PC #1
  2. The Synology NAS and Dune can receive data from the Internet but cannot reach devices on other subnets. Therefore, even if their firmware contains backdoors for developers, the NSA or anyone else, all they can learn is about each other (the Synology NAS or Dune)
  3. Secure remote access from anywhere on the Internet is implemented, so that the Synology NAS can be set to download the required software at home
  4. Unauthorized devices connected to the network have access only within the subnet to which they are connected and cannot send data to the Internet.

A lot of beautiful words have already been said about home networks, so let's get down to business right away.

The home network requires a careful and attentive attitude. It needs protection from a variety of factors, namely:

  • from hackers and network misfortunes, such as viruses and careless users;
  • atmospheric phenomena and imperfections in the household electrical network;
  • the human factor, that is, grabbing hands.

Although ours is a computer magazine, in this article we will mainly talk about non-computer topics. We will consider information security only in general terms, without specifics. But some other aspects deserve attention, primarily because they are rarely remembered.

So, let's start our conversation with a well-known topic ...

Grabbing hands

It is not worth blaming people's conscience: beautiful equipment with flashing lights will inevitably attract everyone who is able to take it. In principle, to secure the home network, it is possible to ensure that all equipment is located in the users' apartments, but sometimes it becomes necessary to use an attic or a similar room. Usually it is convenient to put routers, hubs, repeaters, etc. there. Putting it there is not a problem; most often the administration of the ZhEKs and DEZs (housing maintenance offices) meets you halfway and gives permission. The main task is to hide all this well. Since the author is also a user of a home network and participated in its creation, let's talk about the solutions that seemed convenient to us. In our case, a lattice box with a lock, from which the wires come out, turned out to be quite effective. It is not worth using a solid box with a small number of vents, since the computer will get hot in there, especially in summer. Agree, the solution is simple and cheap. To those who say that the box can be carried away, I will answer: it is just as easy to get into an apartment. The same goes for satellite dishes. Recently, another problem has arisen with hubs: they have many blinking lights, so people mistake them for explosive devices. That leaves the wires: they cannot be hidden, so there is a risk that they will be cut. After all, some people even strip high-voltage lines. But the next topic is already something of a reproach to the education of those who lay the network.

Electrical safety

There are several aspects to this. The first is the stable operation of the devices that keep the network running. This requires a good electricity supply to our homes, which unfortunately is not always available: there are surges and sags, an accident can easily happen, or the electricity may need to be switched off for a while. Of course, you cannot protect yourself from everything, and the network is certainly not so important that interruptions in its work would have fatal consequences for the users. Nevertheless, there are devices that smooth out (literally and figuratively) the problem: surge protectors. They will not save you from an outage, but they do protect completely against power surges. You can slightly improve your chances of stable operation by buying several of these filters, as they are not expensive. The next step is a UPS, which of course costs more but offers new possibilities. First, you can survive a short (the exact time depends on the price) power outage. Second, the same protection against surges. But do not forget that there are two fundamentally different types of UPS: BACK and SMART. The former only know how to maintain power while there is charge left in the battery. The latter can communicate with the computer and shut it down cleanly to avoid a crash on an unexpected outage. Obviously, to keep computers in attics safe, investing in a BACK UPS is pointless: to use it effectively, you would need to sit next to it and switch everything off when necessary. Using a SMART UPS is expensive. Here you have to weigh what costs you more: interruptions and possible loss of equipment due to sudden outages, or the hundred and fifty or so dollars for one SMART UPS.

The second aspect is interaction with the ordinary electrical network. This problem arises when network cables have to be run in close proximity to power cables. In some homes this can be avoided: there are convenient holes and passages where you can route the wires. In our house, for example, there are no such holes, and we pulled the wires along the riser next to the telephone line. To be honest, it's extremely inconvenient. We pulled twisted pair, and it is extremely difficult to push more than five cables through a small hole without breaking the telephone line; nevertheless, it is possible. In our case we could only hope that there would be no interference. You can, of course, buy shielded twisted pair, but you only need it if network and power wires run together. Generally, interference is not a frequent thing, since the signal frequencies are too different. The other thing that has to do with power wiring is grounding. Certainly a useful thing, but in old houses there simply is no ground. In our house the situation is generally abnormal: the house has electric stoves, the supply is three-phase, there is a working neutral, but no earth. In principle, grounding to a heating radiator is possible, unless of course someone else has thought of this before you. Here in our house someone has already grounded something: now in my apartment the voltage between the heating pipe and the earth contact is about 120 V, which is not exactly small, I assure you.

And the third aspect is aerial, or inter-building, connections. We are talking, of course, about network cables. Since the distances are usually rather large, using twisted pair is difficult (its limit is 80 m). Therefore, coaxial cable is usually run, in which the second conductor is a shield for the first. True, all sorts of things are induced on this shield. Thunderstorms are especially dangerous, when a really large charge can build up. What this leads to is obvious: the charge gets into the network card of the computer in the attic and with great probability ruins it, or even the entire computer. To protect against this, there are devices called protectors, which are installed at the ends of the wires. However, they are not perfect either, and sometimes the surge breaks through them. There is also so-called trunk coaxial with an additional shield that is not connected to the data path in any way, but this cable is even more expensive than ordinary twisted pair.

And now we turn to the main problem for networkers - information security.

Information Security

And in my opinion, this is the most interesting question, which, however, will be covered in detail in other articles of this special issue.

With a more or less decent number of users, the network has its own mail server, DNS, and very often its own web page. Thus, the provider is left with only the channel and overall statistics. The channel type can be anything, radio or optical fiber, which is not essential. What is essential is the network itself.

The first problem is relations between users. As long as you are uniting with friends in the same building, that's nothing: you know each other and, as they say, these are not random people. You play together over the network, exchange files, put interesting programs on your network drives for everyone to see, etc. When the network expands, new people and new interests appear. Some openly begin to test their hacking skills. You will say that this should be nipped in the bud, disconnected for life, etc. That's right, you need to punish, but you also need to be able to repel such attacks. You just have to be prepared for the fact that someone on the inside can play a dirty trick. Sometimes this happens through no fault of the user, or rather not through his direct fault (maybe he has a virus that spoils the lives of his neighbors), but in any case the possibility of such a situation cannot be ignored.

The second problem is the leadership, that is, the admins. Even though the network is simple, it needs admins. At the same time, one should not think that anyone with a little understanding of UNIX will do. This is serious work that has to be done: monitoring the network and responding quickly to faults. And of course you need to understand administration: be able to set up a gateway, a firewall, statistics, mail and perhaps something else correctly. All of this should work stably and fast. On top of that, the people running the network also carry financial responsibility. They are paid to run the network, and it is only logical that people expect a normal, high-quality connection for their money. The situation is especially tense when there are many users. Not everyone will accept with understanding that there are, say, three admins for 150 users, and that the outage is actually at the upstream provider.

The third problem is statistics. Organising it is not difficult. There are quite a few billing programs, that is, programs that work with accounts and, in our case, keep traffic accounting. Installing such a program, working out how it operates and starting to count every byte is a simple matter. You just need to remember to make backups, preferably every day. It would be good to make such copies of all materials and files that belong to the whole network, but the information about users and their statistics is especially important.

And finally, the information itself. First, the gateway. The firewall on it must be configured so that the network is really protected. That means passing only the network's own packets, keeping an eye on what is happening inside the network, monitoring intrusion attempts, of course, and constantly updating the system. Second, mail. It is worth checking mail for viruses as soon as it arrives at the network's mail server; this can save a great deal of trouble later on. If users are careless and their browser settings let viruses onto the computer, such a check protects both those users and their neighbours, in case the virus spreads over the network on its own. Third, what users are allowed to do. Only what is necessary should be allowed; I mean network ports. The fewer of them are open, the easier it is to keep track of what is happening on the network. If game ports or any other non-essential ports are open, it is reasonable to make them reachable only from inside the network.
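The gateway policy described above, as an added example that is not code from the article: a POSIX shell script that generates an nftables ruleset for a Linux gateway with a default-drop policy, exposes only the services the network itself offers, keeps game and other non-essential ports reachable from the LAN only, and logs everything else that arrives from the WAN so that intrusion attempts can be watched. It goes slightly beyond the paragraph in one respect: it also drops packets that arrive from the WAN claiming a LAN address and forwards only the LAN's own source addresses, which is what "pass only your own packets" amounts to on a gateway. The interface names eth0 (WAN) and eth1 (LAN), the prefix 192.168.10.0/24 and the port lists (25, 53 and 80 public; 445, 8080 and 27015 LAN-only) are placeholders, not values from the article.

```shell
#!/bin/sh
# Gateway firewall for a small neighbourhood network (added example, not code
# from the article). Prints an nftables ruleset; interface names, the LAN prefix
# and the port lists are assumptions that must be edited for a real network.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
PUBLIC_TCP="25 53 80"          # mail, DNS and the network's own web page
PUBLIC_UDP="53"
LAN_ONLY_TCP="445 8080 27015"  # file sharing, admin web UI, a game server
LAN_ONLY_UDP="27015"

# join_ports "25 53 80" -> "25, 53, 80" (nftables set-element syntax)
join_ports() {
    set -- $1
    out=$1
    shift
    for p in "$@"; do
        out="$out, $p"
    done
    printf '%s' "$out"
}

# Print the complete ruleset; load it with:  sh gateway.sh print | nft -f -
gen_gateway_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # packets from the WAN pretending to come from our own LAN
        iifname "$WAN_IF" ip saddr $LAN_NET drop
        # the LAN may reach every local service, LAN-only ones included
        iifname "$LAN_IF" ip saddr $LAN_NET tcp dport { $(join_ports "$PUBLIC_TCP $LAN_ONLY_TCP") } accept
        iifname "$LAN_IF" ip saddr $LAN_NET udp dport { $(join_ports "$PUBLIC_UDP $LAN_ONLY_UDP") } accept
        iifname "$LAN_IF" ip saddr $LAN_NET icmp type echo-request accept
        # the outside world gets only the public services
        iifname "$WAN_IF" tcp dport { $(join_ports "$PUBLIC_TCP") } accept
        iifname "$WAN_IF" udp dport { $(join_ports "$PUBLIC_UDP") } accept
        # everything else from the WAN is logged (rate-limited) and dropped
        iifname "$WAN_IF" limit rate 10/minute log prefix "wan-drop: "
        iifname "$WAN_IF" drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # only the network's own addresses leave through the WAN; anything
        # else would be a spoofed attack launched "on our behalf"
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN_IF" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# exposed_on_wan PORT -> exit 0 if the ruleset accepts PORT arriving on the WAN
exposed_on_wan() {
    gen_gateway_ruleset | grep "iifname \"$WAN_IF\"" | grep accept | grep -qw "$1"
}

case "${1:-}" in
    print) gen_gateway_ruleset ;;
    check) for p in $LAN_ONLY_TCP $LAN_ONLY_UDP; do
               exposed_on_wan "$p" && echo "WARNING: LAN-only port $p is open to the WAN"
           done ;;
esac
```

Run `sh gateway.sh print | nft -f -` on the gateway to load the rules and `sh gateway.sh check` to confirm that no LAN-only port has crept into a WAN rule. Dropped WAN packets appear in the kernel log with the `wan-drop:` prefix, which is the line to watch for intrusion attempts.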

Closely related to this is the problem of users setting up resources of their own, such as web servers. It seems logical that a user can host a server on his own computer. But this creates new opportunities for restless hackers. Do you need that? Maybe. In that case, though, you as the administrator must either keep an eye on that user's computer or trust the experience of the subscriber who set up the server.

That, perhaps, is all I wanted to draw your attention to. It should be stressed again that a network, a home network included, is not only computers, ports and hackers. It is also the ordinary difficulties of dealing with people, the problem of keeping equipment safe, and physical and electrical safety. Many do not think about this, because they are used to seeing ready-made infrastructure in the office or elsewhere, yet the questions arise as soon as you build a home network. Some of what is described here happened when the network in our area was being built, so many of these questions are well known to the author. Perhaps this is an attempt to warn others against the mistakes we made ourselves or managed to avoid thanks to our "senior comrades" who already had some experience.

ComputerPress 3'2002

Introduction

The relevance of this topic lies in the fact that the changes taking place in Russia's economic life (the creation of a financial and credit system, enterprises of various forms of ownership, and so on) have a significant effect on information security. For a long time there was only one form of property in our country, state property, so information and secrets were also only the state's, guarded by powerful special services. Information security problems are constantly aggravated by the penetration of technical means of data processing and transmission, above all computer systems, into practically every sphere of society. The objects of attack may be the technical means themselves (computers and peripherals) as physical objects, and the software and databases for which those means are the environment. Every failure of a computer network is not only "moral" damage to the enterprise's employees and network administrators. With the development of electronic payments, "paperless" document flow and the like, a serious failure of local networks can simply paralyse the work of entire corporations and banks, leading to tangible material losses. It is no coincidence that data protection in computer networks is becoming one of the most pressing problems of modern computing. To date, two basic principles of information security have been formulated; they must ensure:
- data integrity: protection against failures that lead to loss of information, and against unauthorised creation or destruction of data;
- confidentiality of information together with its availability to all authorised users.
It should also be noted that certain areas of activity (banking and financial institutions, information networks, public administration systems, defence and special structures) require special data security measures and place heightened demands on the reliability of information systems, according to the nature and importance of the tasks they solve.

If a computer is connected to a local network, then unauthorised access to that computer and the information on it can potentially be obtained from the local network.

If the local network is connected to other local networks, users of those remote networks are added to the pool of potential unauthorised users. We will not discuss the reachability of such a computer over the network or the channels through which the local networks were joined, since surely the exits from the local networks are equipped with devices that encrypt and control traffic, and the necessary measures have been taken.

If a computer is connected directly through a provider to an external network, for example by modem to the Internet, for remote interaction with its local network, then the computer and the information on it are potentially available to hackers from the Internet. And the most unpleasant thing is that through this computer hackers can also reach the local network's resources.

Naturally, all such connections use either the operating system's standard access-control facilities, or specialised anti-tampering protection, or cryptographic systems at the level of specific applications, or a combination of these.

However, none of these measures can guarantee the desired security against network attacks, for the following main reasons:

Operating systems, especially Windows, are highly complex software products created by large teams of developers. Detailed analysis of such systems is extremely difficult, so it is impossible to reliably establish that they are free of standard features, errors or undocumented functions, left in the OS accidentally or deliberately, that could be exploited through network attacks.

In a multitasking OS, Windows in particular, many different applications can run at the same time, ...

Today almost every apartment has a home network that connects desktops, laptops, network storage (NAS), media players, smart TVs, as well as smartphones, tablets and other wearable devices. Wired (Ethernet) or wireless (Wi-Fi) connections and the TCP/IP protocols are used. With the spread of Internet of Things technology, household appliances have come online: refrigerators, coffee makers, air conditioners and even wiring accessories such as sockets and switches. Thanks to smart home solutions we can control the brightness of the lighting, adjust the indoor climate remotely and switch various devices on and off. This makes life much easier, but it can also create serious problems for the owner of these advanced solutions.

Unfortunately, the developers of such devices still do not care enough about the security of their products, and the number of vulnerabilities found in them is growing like mushrooms after rain. It is not unusual for a device to lose support soon after it reaches the market; for example, our TV has 2016 firmware based on Android 4, and the manufacturer is not going to update it. Guests add problems of their own: it is awkward to deny them Wi-Fi access, but I would not want to let just anyone into my cosy network either. Who knows what viruses have settled on other people's phones? All this leads us to the need to divide the home network into several isolated segments. Let us see how to do this, as they say, with little blood, that is, with minimal effort and at the lowest financial cost.

Isolate Wi-Fi networks
In corporate networks the problem is solved simply: there are managed switches with support for virtual LANs (VLANs), assorted routers, firewalls and wireless access points, and the required number of isolated segments can be built in a couple of hours. With the Traffic Inspector Next Generation (TING) appliance, for example, the task takes just a few clicks: connect the switch of the guest segment to a separate Ethernet port and create the firewall rules. For a home this option is unsuitable because of the cost of the equipment; most often the network is run by a single device that combines the functions of router, switch, wireless access point and goodness knows what else.

Fortunately, modern home routers (although it is more correct to call them Internet centres) have also become quite smart, and almost all of them, except perhaps the cheapest, can create an isolated guest Wi-Fi network. How reliable that isolation is deserves a separate article; we will not examine the firmware of home devices from different manufacturers today. Take the ZyXEL Keenetic Extra II as an example. This line is now simply called Keenetic, but the device we got hold of was released under the ZyXEL brand.

Configuring it through the web interface will not trouble even a beginner: a few clicks, and we have a separate wireless network with its own SSID, WPA2 protection and access password. You can let guests into it, along with TVs and players whose firmware has not been updated for a long time, and any other clients you do not particularly trust. In most devices from other manufacturers this function, we repeat, is also present and is enabled the same way. This is how the problem is solved, for example, in the firmware of D-Link routers with the help of the setup wizard.


You can add a guest network when the device is already configured and working.
(Screenshots from the manufacturer's website.)

Isolating Ethernet networks
Besides clients on the wireless network, we may have devices with a wired interface. Experts will say that so-called VLANs, virtual local area networks, are used to create isolated Ethernet segments. Some home routers support this, but here the task gets harder. We do not just want a separate segment: we need to combine the wired ports with the guest wireless network on the same router. Not every home device can manage that. A cursory survey shows that, apart from Keenetic Internet centres, MikroTik models can also put Ethernet ports and a Wi-Fi network into a single guest segment, but configuring them is far from obvious. Among home routers of comparable price, only Keenetic solves the problem in a couple of clicks in the web interface.

As you can see, the device under test handled the task easily, and here it is worth noting another useful feature: wireless clients of the guest network can also be isolated from one another. This is very useful: a friend's malware-infected smartphone will get to the Internet but will not be able to attack other devices even within the guest network. If your router has such a function, you should definitely turn it on, although it limits what clients can do with each other; for example, you will no longer be able to pair a TV with a media player over Wi-Fi and will have to use a wired connection instead. At this point our home network looks considerably more secure.
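Since how reliable the isolation really is was left for another article, here is the check a practitioner would run before trusting it. This is an added example, not code from the article or from any router vendor's firmware: a POSIX shell script run from a laptop joined to the guest Wi-Fi that tries TCP connections to hosts on the main LAN, to another guest client and, as a positive control, to a host on the Internet. If the control fails, the run proves nothing (no Internet, or no netcat); if it succeeds and every LAN and guest-peer target is unreachable, the segment and client isolation hold. The addresses 192.168.1.x (main LAN), 192.168.2.101 (another guest client) and example.com are assumptions to be replaced with your own, and the script requires OpenBSD or GNU netcat (`nc`).

```shell
#!/bin/sh
# Guest-segment isolation check (added example, not from the article or any
# router vendor). Run from a client joined to the GUEST Wi-Fi. All addresses
# and ports below are hypothetical; edit them for your own network.

LAN_TARGETS="192.168.1.1:80 192.168.1.1:443 192.168.1.10:445 192.168.1.20:8080"
GUEST_PEER_TARGETS="192.168.2.101:445"    # another client on the guest SSID
POSITIVE_CONTROL="example.com:443"         # must be reachable or the run is void

# probe_tcp HOST PORT -> exit 0 if a TCP connection was accepted.
# A missing nc or any other error counts as "unreachable", which is exactly
# why the positive control exists.
probe_tcp() {
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# list_reachable "HOST:PORT ..." -> prints every target that accepted a connection
list_reachable() {
    for t in $1; do
        if probe_tcp "${t%:*}" "${t#*:}"; then
            printf '%s\n' "$t"
        fi
    done
}

# count_leaks "HOST:PORT ..." -> prints the number of reachable targets
count_leaks() {
    list_reachable "$1" | wc -l | tr -d ' '
}

# main -> 0 when isolation holds, 1 when something leaks,
#         2 when the positive control fails (result not meaningful)
main() {
    if ! probe_tcp "${POSITIVE_CONTROL%:*}" "${POSITIVE_CONTROL#*:}"; then
        echo "positive control $POSITIVE_CONTROL unreachable (no Internet or no nc); result invalid"
        return 2
    fi
    lan=$(count_leaks "$LAN_TARGETS")
    peers=$(count_leaks "$GUEST_PEER_TARGETS")
    echo "main-LAN targets reachable from the guest network: $lan"
    echo "other guest clients reachable from the guest network: $peers"
    if [ "$lan" -eq 0 ] && [ "$peers" -eq 0 ]; then
        echo "isolation OK"
        return 0
    fi
    list_reachable "$LAN_TARGETS $GUEST_PEER_TARGETS" | sed 's/^/LEAK: /'
    return 1
}

# Set RUN_CHECK=1 to execute; by default the file only defines the functions.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_CHECK=1 sh guest_check.sh` from the guest network; the exit status distinguishes "isolated" (0) from "leak" (1) and from "could not test" (2), so it can be re-run after every firmware update. Put the router's own admin interface on the LAN target list too: a guest network that still reaches the router's web UI is only half isolated.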

What's the bottom line?
The number of security threats grows year by year, and makers of smart devices do not always pay enough attention to releasing updates in time. In this situation we have only one way out: separating the clients of the home network and creating isolated segments for them. You do not need to buy equipment costing tens of thousands of roubles for this; a relatively inexpensive home Internet centre can do the job. Here I would like to warn readers against buying devices from budget brands. The hardware is now more or less the same across almost all manufacturers, but the quality of the built-in software varies greatly, as does the length of the support cycle for released models. Even the fairly simple task of combining a wired and a wireless network in one isolated segment is beyond some home routers, and you may have more complex tasks: sometimes additional segments are needed, or DNS filtering so that only safe hosts can be reached; in large premises Wi-Fi clients have to be connected to the guest network through external access points, and so on. Besides security there are other issues: on public networks, clients have to be registered in accordance with the requirements of Federal Law No. 97 "On Information, Information Technologies and Information Protection". Inexpensive devices can handle such tasks, but not all of them; the functionality of the built-in software, we repeat, varies a great deal.
