Please Protect Yourself – Layer Your Defenses

One of the earliest ways of making yourself safe on the Internet was simply not letting yourself be seen. There are many forms of Security By Obscurity, and they all sound logical.

Security By Obscurity, which may or may not be a good idea, does not replace a good layered defense. Each layer is necessary, because no single layer can provide complete protection. Consider each component carefully, and individually, for each network or person being protected.

If you’re just getting started here, this advice may seem like a lot to take in at once. It is, so take your time reading. Consider one layer at a time, and ask questions.


What is a layered defense?
Start by considering a typical medieval castle. Classically, one of those would have:

  • A moat – a wide and deep ditch, filled with water.
  • High, thick castle walls.
  • Guard towers at key points in the walls – small castles in themselves, but more heavily fortified.
  • Small, narrow windows (arrow slits), used for shooting outward.
  • An inner sanctum, typically called a “keep”, that was a small fortified castle in its own right.

Each of these elements was designed to be enough, on its own, to protect the inhabitants against intruders. Frequently, though, the intruders would breach the outer defenses, and the inner defenses were needed to protect the owners (though not all the inhabitants) of the castle.

A layered defense for your network is similar in concept. Each outer layer should be sufficient on its own, but in case an intruder gets through one layer, you have another layer behind it. Better too much protection than not enough.


Layer 1 – Perimeter Network Protection
First, protect your perimeter – the outer edge of your network. Perimeter protection, such as a NAT router, is the first layer in a good layered defense.

A NAT router acts as a firewall in one sense: it passes inbound traffic only when a computer behind it requested that traffic, and only back to that computer. It will not filter traffic from hostile addresses, nor block particular protocols or programs, and it does nothing about connections that your own computers open outwards. Some NAT routers also contain firewall components, but these will probably not be as comprehensive, or as configurable, as an ICSA certified firewall.
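To make that distinction concrete, here is a small Python model of the connection table inside a NAT router. It is an added example, not code from the original post; the addresses and ports are constructed (RFC 5737 documentation ranges) and the class and method names are mine. It shows the three cases that matter: a reply to a connection a LAN host opened is forwarded, an unsolicited probe at the public address is dropped, and an outbound connection from malware on the LAN is passed without question, which is exactly why this layer alone is not enough.

```python
"""Toy model of the connection table inside a NAT router.

Added example, not code from the original post. Addresses and ports
are constructed for illustration (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Port-address translation with a state table, and nothing else."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: always forwarded; remember who asked for what."""
        lan = (pkt.src_ip, pkt.src_port)
        for key, owner in self.table.items():
            if owner == lan and key[1:] == (pkt.dst_ip, pkt.dst_port):
                break  # reuse the existing mapping for this flow
        else:
            key = (self._next_port, pkt.dst_ip, pkt.dst_port)
            self._next_port += 1
            self.table[key] = lan
        return Packet(self.public_ip, key[0], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: forwarded only if a LAN host asked for it first."""
        lan = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if lan is None:
            return None  # unsolicited: no table entry, so the packet is dropped
        return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1], pkt.proto)


def demo() -> dict:
    """Run the three cases the text describes and return the outcomes."""
    nat = NatRouter("198.51.100.1")
    # 1. A LAN host opens a web connection; the reply comes back to it.
    out = nat.outbound(Packet("192.168.1.10", 51000, "203.0.113.5", 80))
    reply = nat.inbound(Packet("203.0.113.5", 80, out.src_ip, out.src_port))
    # 2. An unsolicited probe at SMB on the public address is dropped.
    probe = nat.inbound(Packet("198.51.100.77", 12345, "198.51.100.1", 445))
    # 3. Malware on the LAN phoning home: the NAT has no opinion about the
    #    destination, so the beacon goes straight out and its answer comes back.
    beacon = nat.outbound(Packet("192.168.1.10", 51001, "203.0.113.66", 6667))
    c2_reply = nat.inbound(Packet("203.0.113.66", 6667, beacon.src_ip, beacon.src_port))
    return {
        "web_reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_forwarded": probe is not None,
        "beacon_reply_delivered": c2_reply is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The third case is the one to remember: the NAT forwarded the beacon and its reply just as happily as the web page, because it only knows "was this asked for", not "should this have been asked for". Filtering by destination, protocol or program is the job of the later layers.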

For more information about firewalls in general:

Please don’t confuse the perimeter firewall, which is hardware based, with a personal firewall, which is generally software based. Personal firewalls are discussed in Layer 2.

One firewall or NAT router protects your entire LAN, and is a good idea even if your LAN consists of only one computer. A NAT router today is the equivalent of the perimeter protection that was considered sufficient 5 years ago. Now we know to use a multi-layered defense (aka layered defense).

Not all NAT routers have the same features; some are designed for special needs.


Layer 2 – Individual Network Protection
Besides protecting the outer edge of your network, you need to protect its interior components. Interior (individual computer) protection requires a port monitor or a personal firewall.

  • A port monitor lets you see what network traffic is active on your computer. There are two which I use. TCPView, from Sysinternals, is free, easy to install, and lightweight. Port Explorer, from DiamondCS, is free for the basic version, takes a bit of work to install (but is well worth the time), and is very configurable.
  • A personal firewall lets you actively control what network traffic is allowed to reach your computer. In some cases, it will also control what traffic is allowed to leave it, whether directed at other computers on your local network or at the Internet itself. See the discussions in comp.security.firewalls for good advice on choosing a personal firewall. A personal firewall can selectively block incoming or outgoing traffic, while a port monitor can provide more detail about network conditions, and give you earlier warning of problems.
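A port monitor is, at bottom, a live view of the sockets your machine has open and which process owns each one. The Python below is an added example, not from the original post, and is not how TCPView or Port Explorer work internally; it does the static version of that job by parsing the output of Windows’ `netstat -ano` (every socket, numeric addresses, owning process ID) and reporting listeners that are not on a baseline you maintain. The sample output and the baseline ports are constructed for illustration; replace the baseline with what your own machine is supposed to be listening on.

```python
"""Poor man's port monitor: flag listening sockets that are not on a baseline.

Added example, not from the original post. The netstat text below is
constructed to look like `netstat -ano` output on Windows; the baseline
of expected ports is an assumption you must replace with your own.
"""
from typing import Dict, List, NamedTuple, Set


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    pid: int


def parse_netstat(text: str) -> List[Socket]:
    """Parse `netstat -ano` output into the sockets that are listening.

    TCP rows carry a State column; UDP rows do not, so the PID is taken
    from the last field either way and the state (if any) from the fourth.
    """
    sockets: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or a row we don't understand
        proto, local = fields[0], fields[1]
        pid = int(fields[-1])
        # Only LISTENING TCP sockets matter here; every bound UDP socket
        # is effectively a listener, since UDP has no state.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        ip, port = local.rsplit(":", 1)  # rsplit copes with IPv6 like [::]:3389
        sockets.append(Socket(proto, ip.strip("[]"), int(port), pid))
    return sockets


def unexpected_listeners(text: str, baseline: Dict[str, Set[int]]) -> List[Socket]:
    """Return listeners whose (proto, port) is not in the baseline."""
    return [s for s in parse_netstat(text)
            if s.local_port not in baseline.get(s.proto, set())]


# Constructed sample output. The 31337 and 4444 listeners are the ones to notice.
SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       3124
  TCP    192.168.1.10:51000     203.0.113.5:80         ESTABLISHED     2208
  TCP    [::]:3389              [::]:0                 LISTENING       1288
  UDP    0.0.0.0:500            *:*                                    1064
  UDP    0.0.0.0:4444           *:*                                    3124
"""

# Assumed baseline for this machine (RPC, SMB, RDP, IKE). Yours will differ.
BASELINE: Dict[str, Set[int]] = {"TCP": {135, 445, 3389}, "UDP": {500}}


if __name__ == "__main__":
    for s in unexpected_listeners(SAMPLE, BASELINE):
        print(f"unexpected {s.proto} listener on port {s.local_port}, pid {s.pid}")
```

Both unexpected listeners in the sample belong to the same process (PID 3124), which is the thread to pull next: `tasklist /FI "PID eq 3124"` names the executable, and a port monitor such as TCPView shows the same thing live, including the moment the process starts talking to something outside.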

You need a personal firewall on each computer in your LAN; if one computer gets infected, a personal firewall on the others could save you a lot of trouble. Note that traditionally a personal firewall has been software based. Now there is also the possibility of a hardware firewall sitting inside your computer; the nVidia nForce is probably the first, but surely not the last, device of this type.

Relying solely upon a personal firewall or a port monitor to protect you against hostile outgoing network activity is like relying upon your dentist to protect your teeth by filling the cavities after they appear. Brushing and flossing (the equivalent of the Third Layer) is a far more pleasant way to spend your time, in the long term.


Layer 3 – Software Protection
Perimeter and individual network protection protect you against malicious network traffic. You also need to protect yourself against malicious content. Properly chosen content protection, on each individual computer, complements network based protection. Content protection has many components, to counter the many ways the bad guys will try to take control of your computer. Use as many as possible – better one or two than none.

  • Activity related protection.
    • Always use AntiVirus protection. Make sure that it includes real-time (on-access) scanning of files as they are opened, plus a regularly scheduled complete (on-demand) system scan, and make sure that it’s updated regularly. See discussions in alt.comp.virus for advice.
    • Always use Adware / Spyware protection. Make sure that it includes real-time (on-access) scanning, plus a regularly scheduled complete (on-demand) system scan, and make sure that it’s updated regularly. See discussions in alt.privacy.spyware for advice. Complete instructions, using Spybot S&D and HijackThis (both free), are provided by SpywareInfo.
    • Understand the differences between trojans (including adware / spyware) and viruses.
    • If you download files, use an on-demand trojan scanner. I have been using A-Squared Free for a while. I have also seen recommendations for BOClean, Ewido, and TDS-3 from DiamondCS. A-Squared Free (aka A2) is free, I am not sure about cost for the others.
    • Secure your operating system and applications. Don’t use, or leave enabled, any account whose name or password is a trivial (default or guessable) value. Don’t use an account with administrative authority, except when you’re intentionally doing administrative tasks.
  • Component related protection.
    • If you feel up to it, you can learn to interpret a HijackThis log – on your own, or with carefully chosen assistance.
    • Harden your browser. There are various websites which will check for vulnerabilities; I use and recommend two:
    • Consider using an alternate browser, like Firefox, for the majority of your browsing activities.
    • Harden Firefox – Eric Howes tells us how in Mozilla Firefox Privacy & Security Settings.
    • Harden Internet Explorer – block ActiveX controls and scripts from malicious websites. Populate the Restricted sites zone, using Eric Howes’s IE-SpyAd, or configure IE to safely browse untrusted Internet Zone websites.
    • Block known dangerous scripts from running, and possibly installing spyware, using SpywareBlaster.
    • Block known spyware from installing, using SpywareGuard.
    • Make sure that the spyware detection / protection products that you use are reliable, using Eric Howes’s Rogue/Suspect Anti-Spyware Products & Web Sites Database.
    • Harden your operating system. Check at least monthly for security updates, with Windows Update. Or do as Microsoft wants you to, and enable Automatic Updates (I prefer retaining a small amount of control; your needs may differ).
  • Web site related protection.
    • Block script execution from unknown websites, using NoScript for Firefox.
    • Block traffic to websites known for serving malicious content, using a Hosts file.
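A Hosts file blocks a site by mapping its name to an address that goes nowhere, so the browser never reaches the real server. The Python below is an added example, not from the original post: it parses a hosts file in that format, lists what it blocks, and also checks the reverse problem, entries that redirect sites you depend on, which is what a tampered hosts file looks like. The sample file and the protected-domain list are constructed; on Windows the real file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Inspect a hosts file: what it blocks, and whether something has tampered with it.

Added example, not from the original post. The hosts text is constructed;
the list of names that must never be redirected is an assumption, so fill
in the update and security sites you actually rely on.
"""
from typing import Dict, List, Tuple

# Addresses that mean "go nowhere". 0.0.0.0 avoids even touching a local
# web server; 127.0.0.1 is the traditional choice.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that legitimately map to loopback and must not be reported as blocked.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address it resolves to.

    Format: `address  name [name ...]  # comment`. Later lines win, which is
    also what tampering looks like when an attacker appends to the file.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: address with no names
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def blocked_names(mapping: Dict[str, str]) -> List[str]:
    """Names deliberately sent to a sinkhole address."""
    return sorted(n for n, a in mapping.items()
                  if a in SINKHOLES and n not in LOOPBACK_NAMES)


def hijacked_names(mapping: Dict[str, str], protected: List[str]) -> List[Tuple[str, str]]:
    """Protected names that the file redirects anywhere at all.

    Your hosts file should only ever *block* sites you chose. If an update
    or security site has an entry here, something other than you put it there.
    """
    return sorted((n, a) for n, a in mapping.items()
                  if any(n == p or n.endswith("." + p) for p in protected))


SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net  tracker.example.net   # blocklist entries
0.0.0.0         MALWARE.example.org
# the lines below are what malware leaves behind
127.0.0.1       update.example-av.com
203.0.113.9     www.example-bank.com
"""

# Assumed: the sites whose reachability you depend on (update and banking hosts).
PROTECTED = ["example-av.com", "example-bank.com"]


if __name__ == "__main__":
    m = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", blocked_names(m))
    print("hijacked:", hijacked_names(m, PROTECTED))
```

Note that update.example-av.com shows up in both lists: it is sinkholed, and that is precisely the tampering, since it stops the scanner from updating. The bank entry is the other classic: a real address that is not the bank’s, so a correctly typed URL lands on someone else’s server.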


Layer 4 – Common Sense
Next, use common sense when installing software, and when using your computer.

  • Don’t install software based on advice from unknown sources.
  • Don’t install free software without researching it carefully.
  • Don’t open email (or its attachments) unless you know who it’s from, how and why it was sent, and that it was sent intentionally.

The most critical tool in your defense is right between your ears. Keep your Chair To Keyboard Interface carefully tuned. If you’re playing music and a EULA pops up, ask why you’re seeing a EULA.

Layer 5 – Education
Finally, educate yourself. This is a constant activity. Stay informed, and know what the risks are.


Overall Security
My personal philosophy about protection is that you should apply protection repeatedly, until you run out of money, paranoia, system resources, or time.

  • Most of the above products are free.
  • I am very paranoid – see my tag line (though not nearly so much as the experts at comp.security.firewalls).
  • My main system, which is over 2 years old, runs 10% CPU / 20% memory utilisation when idle, and maybe 30% / 25% when in use. I have a suite of convenience and frivolous programs, that probably accounts for half of my idle resource utilisation; maybe 5% / 10% idle resource utilisation is from security products. I don’t see that as excessive at all.
  • I spend maybe 1/2 hour / day maintaining and running all of my security programs. Much less time than I’ve been spending with this blog, for instance.

There are many different opinions on this matter. I think that the resources that I spend preventing a malware infection are a far better investment than dealing with (experiencing, detecting, and removing) an infection that could have been prevented. So protect yourself, and the rest of the Internet, please. The rest of us, who see the effects of our friends becoming infected, thank you.
