With more and more homes having multiple computers, home networks are
increasingly common. Many of the cybersafety issues for home networks
are the same as for standalone computers, but there are also some
twists.
This isn't the place to discuss how to set up a home network; if you're
running Win95/98/ME (aka Win9x), you might find my tutorial on the subject useful.
Windows NT and 2000 are somewhat more complex, but aren't used that
often by home users. (One hint-- if you're trying to connect Win9x
systems to access files or printers shared on a WinNT or 2000 system,
you need to set up your Win9x systems to log in using the Login for
Windows Networks, rather than the simpler Windows Login. And the user
name you use for that login will need to be a valid user on the
WinNT/2000 system as well). WinXP (both Home and Pro) has a usable
Network Setup Wizard; open My Network Places, and you'll see the Set Up
a Home or Small Office Network link on the left.
Besides the traditional network tasks of sharing files and printers, most
people setting up a home network want to share a single Internet
connection amongst multiple computers. This is typically done in one of
two ways:
-- having one computer that can connect to the Internet, either using a
standard dialup connection or a broadband (cable or DSL) connection,
then letting that computer act as what's known as a proxy server or gateway, sharing its Internet
connection with the other computers on the network. Starting with
Win98SE (Second Edition), Microsoft has included Internet Connection Sharing software
to make this reasonably easy to do. It seems magical to open Internet
Explorer on one computer and hear a modem in another computer start to
dial out in response. Of course, it works much better with an
always-connected broadband connection.
-- connecting multiple computers to a router, and using the router to
connect to the Internet. Most often, this is done with a broadband
connection, though some router models can be connected to a dial-up
line. Traditionally, the computers connect to the router using standard
Ethernet cables and adapters, though wireless (802.11) connections are
increasingly popular (and bring their own set of security issues). Some
wireless router models allow for wired Ethernet connections as well.
If possible, the second option-- using a router-- is the better choice.
Some of the reasons:
-- the ICS model requires that the proxy server computer must be on for
any other computers to have access. If that computer crashes or is just
turned off, everyone else is cut off. By contrast, only the router needs
to be turned on for the computers on the network to get Net access...
and routers are generally simple, robust units that rarely crash. And if
they do, they are quickly reset.
-- the computer that is directly connected to the Net will have the
best performance; other computers on the network will get slower Net
access. When using a router, each connected system gets an equal share
of the available Internet bandwidth.
-- most routers include a built-in hardware Firewall. This provides a
layer of protection against hackers (though not against spam, spyware,
or viruses) that is always working to shield the computers on your
network. (It may still be worthwhile to install a software firewall on
each system on the network. See the Firewall
tutorial in this series).
(Some people use a sort-of combination of the two approaches, taking a
spare computer and setting it up as a dedicated proxy server, perhaps
using a secure operating system such as Linux or BSD Unix. That can work
fine, but takes more computer knowledge and skills than this tutorial is
prepared to teach).
Recommendations for home (wired) networks:
-- If possible, use a router to connect to the Internet. The
router connects to your cable or DSL (or dial-up) modem, and the various
computers on your network connect to the router. Yes, if you are
starting with a single computer that has a built-in or USB broadband
modem you may need to replace it with an external broadband modem with
Ethernet connectors, but it will be worth it in the long run.
-- Even though the router probably includes a hardware firewall, software firewalls on each computer will provide a second level of protection, and will watch outgoing signals, which are not monitored by the router. You still need antivirus software; your firewall (either hardware or software) does not meet this need. Take the time to set up your firewall software, deciding what programs should have access to your internal network, and which really need access to the Internet.
-- Check your router manufacturer's website now and again (perhaps twice
a year) for updates to the router's firmware.
These are updates to its built-in operating system, released if bugs or
security flaws are found. Just like with your computers' operating
systems, it's important to keep your router's firmware up to date.
(Keep track of the version of the firmware you've just installed. I
write it (along with the date) on the inside cover of my router's user
manual).
-- If you are sharing files and/or printers, password protect them (with a non-obvious password). Computers logged into your home network may store these passwords so you don't need to enter them each time, but they will provide another level of protection on your systems.
-- Change the default password used to log onto your router. After
installing a firmware update, you may find that the password has been
reset to the default; be prepared to change it again.
-- Similarly, use log-ins and passwords on your computers. Change the default password on your router and any default passwords already installed for the Administrator account of your Win NT/2000/XP computer.
-- If you must write down your password(s), don't leave them on a piece of paper on the top of your desk, in your desk drawer, or (worst of all!) on a sticky note stuck on your monitor. Don't ever give out a password over the phone, even if the caller claims to be a tech support person. The #1 cause of security problems is users who are careless with their passwords, not hackers with extraordinary computing powers.
-- (optionally) Windows 2000 or XP
users may want to learn about turning off unneeded services. Many of
these are set up by Microsoft as part of these operating systems,
running in the background, without your knowledge. If you don't actually
need them, they both waste system resources, reducing performance, and
carry a security risk. For instance, if you aren't actually sharing HTML
files, you don't need a web server running. A website called Black Viper
has good information on what services are typically running in the
background on these operating systems, what each does, and whether they
can be safely turned off by typical users. (It also explains how to do
so). Start with the step-by-step guide (which also spells out
precautions) at: http://www.blkviper.com/WinXP/supertweaks.htm.
Then, Windows 2000 users can go to: http://www.blkviper.com/WIN2K/servicecfg.htm,
while the WinXP equivalent is at: http://www.blkviper.com/WinXP/servicecfg.htm.
Wireless networks
These have become increasingly popular, letting home users
connect multiple computers without having to run cables, either through
the walls or along the floor. As well, if you've got a notebook with a
wireless connector (known as 'WiFi' or 802.11), you may be able to
connect to the Net in a growing number of 'hot spots' in hotels,
airports, cafes, and more.
Wireless networks require adapters in the computers (built right into
some models, such as notebooks built around Intel's Centrino). They
connect to a wireless base station. Range varies with a number of
factors including the location of the base station, the arrangement of
its antennae, and the type of construction of the building. (Steel and
concrete reduce the range, while wood frame buildings are relatively
invisible to the radio waves). Notebooks with built-in antennae
generally get better wireless performance than models that use a smaller
antenna built into a plug-in card. Even the material of a notebook
computer's case can affect performance. Apple's high-end G4 Titanium
Powerbook, for instance, has worse wireless range than the same
company's much lower-priced plastic-shelled iBooks.
Officially, 802.11b base stations are supposed to have a range of about
300' (100m) out of doors; in the real world, range varies. But that
implies standard antennae. Using specialized antennae on the
transmitting base stations and on the receiving computers, range can be
improved dramatically. A Swedish experiment suspended a wireless base
station from a balloon, and got a range of miles.
And that means that your signal may be able to be picked up by computers
outside your home network; neighbours, people in parked cars, maybe
even people further away than you thought. Some people are using this
in a positive way-- choosing to create unofficial local neighbourhood
networks sharing a broadband connection, for instance. Or setting up
informal free public hotspots. (See, for instance, the international
802.11 Community List: http://www.toaster.net/wireless/community.html).
But it may also mean people are tapping into your broadband
connection without your knowledge or consent, or tapping into the
computers on your local area network.
Part of the problem is that to make it easier for home users to quickly
get a wireless system up and running, most manufacturers have turned off
their hardware's security features by default. (Microsoft, to its
credit, sets the security features of its Broadband Networking Wireless
products on by default).
Users of wireless networks should do everything that users of wired networks should do. In addition:
-- Change your wireless base station's default Network Name (referred to
in some hardware models as the SSID).
If your router includes the option to turn off SSID Broadcasting, do
it... with that turned off, potential users will have to know your SSID
name in order to connect.
-- Consider turning on wireless encryption (referred to in some hardware
models as WEP for wireless encryption protocol). WEP isn't perfect;
presumably, a motivated and skilled hacker could break the encryption
within a couple of hours (but I would probably notice anyone sitting in
a car outside my house in that time). Note that turning on encryption
will reduce performance, as the computer and router both have the extra
work of encoding and decoding all the packets of Internet information
that pass through.
If you're going to use WEP, you'll get a choice of 64-bit or 128-bit
encryption. Pick the more complex 128-bit encryption. You'll be asked to
enter a Passphrase-- a piece of text that will be used to generate a
long string in the mix of standard numbers and letters known as
hexadecimal numbers. Store both the passphrase and the hexadecimal
key... you'll need them to set up your computers. When each wireless
computer on your network tries to connect to your base station, you'll
be asked to enter either the passphrase or the more obscure key code.
(Note that if you're trying to connect a Mac to a Linksys base station
(and probably some other models as well), you'll need to enter first a
'$' followed by the 26-digit key code). Luckily, you should only have to
do this once!
(Once again, Microsoft handles this well-- when you install their
Broadband Networking Wireless base station, you have the option of
creating a floppy disk that stores the passphrase, and simplifies
connecting at your various computers. Of course, that's only usable with
Windows systems).
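The passphrase-to-key step described above, as an added example (not from the original tutorial or any vendor's code). It assumes the de facto MD5 scheme that many consumer base stations used for 128-bit WEP; that scheme is not part of the 802.11 standard, so if your model derives its key differently, use the key the router itself displays. The sample passphrase is constructed.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)

def wep128_key_from_passphrase(passphrase: str) -> str:
    """Derive the 26-hex-digit key with the de facto MD5 scheme (an assumption)."""
    data = passphrase.encode("ascii")
    if not data:
        raise ValueError("passphrase must not be empty")
    # Repeat the passphrase until exactly 64 bytes are filled, then hash.
    repeated = (data * (64 // len(data) + 1))[:64]
    digest = hashlib.md5(repeated).digest()
    # "128-bit" WEP carries a 104-bit secret (13 bytes = 26 hex digits);
    # the other 24 bits are a per-packet value that is not part of the key.
    return digest[:13].hex().upper()

def classify_key(entry: str) -> str:
    """Say which WEP key size a typed-in hexadecimal key corresponds to."""
    # A leading '$' is the Mac entry form mentioned in the text.
    key = entry[1:] if entry.startswith("$") else entry
    if not key or any(c not in HEX_DIGITS for c in key):
        return "not hexadecimal"
    return {10: "64-bit", 26: "128-bit"}.get(len(key), "wrong length")

def mac_client_form(hex_key: str) -> str:
    """The form the text says a Mac needs: '$' followed by the 26-digit key."""
    if classify_key(hex_key) != "128-bit":
        raise ValueError("expected a 26-digit hexadecimal key")
    return "$" + hex_key

if __name__ == "__main__":
    key = wep128_key_from_passphrase("correct horse battery")  # constructed
    print("key code to store:  ", key)
    print("entry form on a Mac:", mac_client_form(key))
```

Running it before you start typing keys into each computer lets you check that a key you copied down is the right length and really is hexadecimal.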
-- Most routers include the ability to specify the MAC addresses of
adapters allowed to connect; every wireless (and wired) network adapter
has a unique 'MAC address', a sort of serial number. If you track down
the MAC addresses of your adapters, you can set your router to allow
only those adapters to be part of your wireless network. When you do
that, however, and your friend drops by with her new wireless-enabled
notebook, she won't be able to make it work with your router.
In Windows, going to a DOS prompt, and typing: ipconfig /all |more
(note the '/' and '|' characters) will give a lot of information about
your Internet Protocol configuration (hence the name), including the MAC
address-- in this case referred to as the 'Physical Address'. It will
look something like: 00-08-47-E8-10-97
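Collecting the addresses for the router's allowed list from that output, as an added example (not part of the original tutorial). The sample output is constructed, using the address quoted above plus a made-up wireless adapter, and the colon-separated form is an assumption about what your router's setup page expects.

```python
import re

# Constructed sample of `ipconfig /all` output; the first address is the one
# quoted in the text, the second is made up.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : den

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example 10/100 Ethernet Adapter
        Physical Address. . . . . . . . . : 00-08-47-E8-10-97
        IP Address. . . . . . . . . . . . : 192.168.1.100

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Example 802.11b Wireless Adapter
        Physical Address. . . . . . . . . : 02-00-00-00-00-01
"""

MAC_RE = re.compile(
    r"^\s+Physical Address[ .]*:\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s*$")

def adapters(ipconfig_text):
    """Return [(adapter name, MAC)] in the order ipconfig lists them."""
    found, current = [], None
    for line in ipconfig_text.splitlines():
        # Unindented lines ending in ':' are the per-adapter section headers.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            continue
        m = MAC_RE.match(line)
        if m and current:
            found.append((current, m.group(1).upper()))
    return found

def router_allow_list(ipconfig_text, only=None, sep=":"):
    """MACs to enter at the router; `only` keeps adapters whose name contains it."""
    return [mac.replace("-", sep)
            for name, mac in adapters(ipconfig_text)
            if only is None or only.lower() in name.lower()]

if __name__ == "__main__":
    for name, mac in adapters(SAMPLE):
        print(mac, "", name)
    print(router_allow_list(SAMPLE, only="wireless"))
```

A wireless adapter that is not yet connected still reports its Physical Address, so you can gather every address before turning the filter on.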
There are lots of changes afoot in the wireless area; better encryption
protocols should be expected soon. When that happens, there may be
firmware upgrades for your wireless router, as well as operating system
patches for Windows (as well as the Mac OS, etc). Moreover, as this is
written (spring 2003), many companies are selling models offering
faster 802.11g-style wireless connections. The problem is that the
802.11g standard is still in flux, with an official standard being
promised for summer 2003 (more or less). When that happens, there will
be firmware upgrades for virtually all models, to bring the hardware up
to spec, hopefully with improved security.
-- Make sure that any router you buy has flashable firmware, enabling you
to download security and performance fixes from the manufacturer.
Again, check your manufacturer's website regularly; download and install
the latest firmware, and check the configuration options, changing
default settings, and applying security options like encryption.
Remember to reset these each time you upgrade the firmware.
Good luck!
Homework
(obviously, this only applies if you've got a home network!)
-- if you've got a router connected to an Internet device, log onto it
and change its password
-- log onto your router manufacturer's website and check for firmware
updates for your model. Download and install any. (Make sure you've got
firmware specifically made for your model).
-- make sure any shared folders (Win9x) or printers (any Windows
version) are password-protected with non-obvious passwords
-- make sure you don't have any passwords written down in a visible or
obvious location
(wireless users):
-- check the 802.11 Community List and see if there are any public
access points near you; if so, try and access them.
-- if you have a notebook with a wireless adapter, take it outside for
a walk around your block; see how far you can get a usable Internet
connection from your base station
-- change the SSID (Network Name) and turn off SSID Broadcasting
-- enable WEP (encryption). Make note of your passphrase and key code
Some other links
NakedWireless.ca: http://www.nakedwireless.ca Naked is the perfect description of an unsecured wireless network
Practically Networked: http://www.practicallynetworked.com/support/wireless_secure.htm Securing your wireless network