
    How to secure a SOHO network?

    In this article, we assume the SOHO office has multiple PCs networked in a LAN, as shown in Figure 1. We also assume that you aren't hosting a Web site and that you aren't supporting VPN connections. If you are, you'll need to extend the techniques in this article to properly secure Web access, VPN connections, and other customer services you provide.

    There are two key points in securing a small office/home office (SOHO) network: 1) detecting and deleting unwanted content, such as e-mail with virus, trojan or worm attachments, spyware and adware programs and, last but not least, e-mail spam; 2) preventing and detecting unwanted access. The steps described here will significantly reduce your network's vulnerabilities, but they do not guarantee a problem-free network.

    Choosing a More Secure SOHO Configuration

    How to secure a SOHO network - 1

    Two common SOHO configurations exist: one that maximizes your exposure to potentially malicious actions and one that isolates exposure to a single system. If you connect a cable or DSL modem directly to a hub and your other systems connect to the same hub, every system has a direct Internet connection. This configuration maximizes your vulnerability and requires that you implement security deterrents on every system. See the above figure.

    The more secure alternative is to pick one system to connect directly to the Internet, then buy and install a second network adapter on this system. Connect one adapter to the hub (LAN connection), and connect the second adapter to the modem. You've now centralized all your Internet traffic on this system with two network adapters. With centralized traffic, you can manage and protect your SOHO network more effectively. You'll need to implement Internet Connection Sharing (ICS) or RRAS to let LAN clients communicate with the Internet. You may also install a router that provides a secure broadband connection. Such routers often come with an integrated firewall and other security features.

    How to secure a SOHO network - 2

    Choose and Install Antivirus, Anti-Spyware and Anti-Spam Software and Hardware

    For a SOHO network, you need to install antivirus software on every PC. It is critical to turn the real-time protection feature on, since viruses arrive constantly from many sources. You also need to run a complete scan of each PC periodically in case something escaped the real-time protection. Many anti-spyware/adware programs are available for free download or purchase. Install a copy on each PC and scan the PC periodically. E-mail spam is an increasing threat to your network performance, so turn on the anti-spam features of your mail server (typically at your ISP's site) or install anti-spam software on your PC.

    Some gateways and routers have integrated antivirus (and firewall) software. You may purchase such a box and install it in your network to reduce the number of viruses reaching your PCs.

    Using Network Address Translation (NAT) Feature

    When you have two or more static addresses, you can reduce intrusion opportunities by implementing Network Address Translation (NAT) on a PC system or on NAT-compatible DSL or cable modems. A system running NAT accepts Internet traffic from a LAN client and repackages the request with its address instead of the client's address. NAT then forwards the outgoing message to the requested destination. When the destination responds, NAT uses a mapping table to route incoming responses to the correct client. NAT has a couple of drawbacks. You'll need to fine-tune NAT rules to permit clients to FTP to or from an Internet site, to enable a client application to directly access the Internet, or to enable Internet-based game playing. NAT isn't compatible with Layer Two Tunneling Protocol (L2TP) or IP Security (IPSec) or other protocols that embed client IP addresses within their packets, so if you support encrypted L2TP connections, NAT isn't an option.
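    The mapping table and the embedded-address drawback described above, as an added example that is not part of the original article. The class and function names and all addresses are constructed for illustration, and the model is a port-translating NAT.

```python
import re

PUBLIC_IP = "203.0.113.10"  # constructed: Internet-facing address of the NAT system

class Nat:
    """Toy port-translating NAT keeping the mapping table described above."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}   # (client ip, client port, dst ip, dst port) -> public port
        self.back = {}  # (public port, dst ip, dst port) -> (client ip, client port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port, payload=b""):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        # Only the header source is rewritten; the payload is forwarded unchanged.
        return (self.public_ip, self.out[key], dst_ip, dst_port, payload)

    def inbound(self, src_ip, src_port, public_port):
        """Return the LAN (ip, port) a reply belongs to, or None (drop) if unmapped."""
        return self.back.get((public_port, src_ip, src_port))

def ftp_port_target(payload):
    """Decode the address an active-mode FTP PORT command asks the server to dial."""
    m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    return ("%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5])

def demo():
    nat = Nat(PUBLIC_IP)
    # Constructed traffic: LAN client 192.168.0.5 opens an FTP control connection.
    sent = nat.outbound("192.168.0.5", 1025, "198.51.100.7", 21,
                        b"PORT 192,168,0,5,4,2\r\n")
    reply = nat.inbound("198.51.100.7", 21, sent[1])           # mapped: to client
    unsolicited = nat.inbound("198.51.100.99", 4444, sent[1])  # unmapped: dropped
    embedded = ftp_port_target(sent[4])  # still the client's LAN address and port
    # Even if the server dialed the NAT's public address on that port: no mapping.
    data_conn = nat.inbound("198.51.100.7", 20, embedded[1])
    return sent[:4], reply, unsolicited, embedded, data_conn

if __name__ == "__main__":
    for item in demo():
        print(item)
```

    The server's reply on the control connection is routed back through the table, but the address inside the PORT command is still the client's LAN address, which is why FTP and similar protocols need extra NAT rules.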

    Reducing Service-Based Exposure

    You can further protect your Internet machine by disabling (and optionally removing) high exposure services that you don't need.

    • Telnet: Telnet permits users with valid logon credentials to connect through a TCP/IP address or port number and enter unrestricted commands at a command prompt. You can't remove this service, but you should disable it.
    • Indexing Service: provides fast full-text searching of documents. If you're not running a Web server or managing gigabytes of documents on the Internet machine, you should also disable this service.
    • IIS: provides Web and FTP access to the system. If you don't need a Web server on your Internet machine, disable the World Wide Web Publishing Service and the companion FTP Publishing Service.
    • Remote Registry Service: Because a consistent registry is absolutely essential to a healthy Win2K system, you should eliminate the registry as a target for remote modification. However, remember that when you disable the Remote Registry Service, you'll have to make registry modifications by logging on locally or by applying changes with group or local policies.
    • UPnP: If you've installed MSN Explorer or Windows Messenger (Windows XP always installs MSN Explorer), you should also disable the two services that support these applications: Universal Plug and Play (UPnP) and the Simple Service Discovery Protocol (SSDP Discovery) service.
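    One way to check the Internet machine against the list above, as an added example that is not part of the original article. It parses the output of the Windows `sc qc <name>` command; the short service names in the mapping are this example's assumption for Windows 2000/XP, and the sample output is constructed.

```python
import re

# Short service names for the services named in the list above (Windows 2000/XP).
# This mapping is an assumption of the example, not taken from the article.
HIGH_EXPOSURE = {
    "TlntSvr": "Telnet",
    "CiSvc": "Indexing Service",
    "W3SVC": "World Wide Web Publishing Service",
    "MSFTPSVC": "FTP Publishing Service",
    "RemoteRegistry": "Remote Registry Service",
    "upnphost": "Universal Plug and Play Device Host",
    "SSDPSRV": "SSDP Discovery Service",
}
BY_LOWER = {k.lower(): k for k in HIGH_EXPOSURE}

# Constructed sample: trimmed, concatenated output of `sc qc <name>` for five services.
SAMPLE = """\
SERVICE_NAME: TlntSvr
        START_TYPE         : 3   DEMAND_START
SERVICE_NAME: CiSvc
        START_TYPE         : 4   DISABLED
SERVICE_NAME: remoteregistry
        START_TYPE         : 2   AUTO_START
SERVICE_NAME: Spooler
        START_TYPE         : 2   AUTO_START
SERVICE_NAME: SSDPSRV
        START_TYPE         : 3   DEMAND_START
"""

def audit(sc_output):
    """Return (service, start type, fix command) for listed services not disabled."""
    findings, name = [], None
    for line in sc_output.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            name = BY_LOWER.get(m.group(1).lower())  # None for services off the list
            continue
        m = re.match(r"\s*START_TYPE\s*:\s*\d+\s+(\S+)", line)
        if m and name and m.group(1) != "DISABLED":
            # DEMAND_START (manual) is flagged too: the service can still be started.
            findings.append((name, m.group(1), "sc config %s start= disabled" % name))
    return findings

if __name__ == "__main__":
    for svc, start, fix in audit(SAMPLE):
        print("%-15s %-13s -> %s" % (svc, start, fix))
```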

    Adding Firewall Protection

    A firewall provides a layer of security between your PC and the Internet. It can block access to your system from unauthorized users, and serve as a central point for offloading security-related activity from your PC. Firewalls and other gateway servers can also act as Internet gateways for SOHO LANs, enabling multiple PCs to share a broadband Internet connection in a secure manner.

    Firewalls can solve the static IP address vulnerability through a pair of technologies, Network Address Translation (NAT) and the Dynamic Host Configuration Protocol (DHCP). These protocols come standard with most firewalls.

    Basic Intrusion Detection

    Implement security-auditing techniques to log the success and failure of access attempts to your system. Security auditing is an intrusion-detection method you can employ to monitor the effectiveness of your deterrent techniques. It's best to place the IDS on a system behind the firewall. This way, it has less traffic to deal with and can become a reliable part of the security system.