This document discusses how to secure a local area network (LAN). It identifies risks such as connecting via modem or sharing files publicly. It recommends separating the LAN onto its own network and removing file sharing from computers connected to the Internet. Specific steps to avoid these risks are outlined, such as binding Microsoft file sharing only to the NetBEUI protocol and password-protecting shared resources. The conclusion notes that ports may need to be opened for some applications but that this increases risk, so additional protections like personal firewalls and regular anti-virus updates are important.
3. Risk Identification
• Do I have to worry if I connect via dial-up modem?
• The two best things you can do to secure your LAN
• Should I use NetBEUI?
• What if I have only one computer?
• What if I need to access computers on my LAN from the Internet?
• Securing Proxy-based sharing programs
• Is "Stealth" important?
4. Risk analysis
If you are using the Multiple IP method to share your Internet connection, it is very important that you follow the instructions in the "Should I use NetBEUI?" section to secure your LAN. You should also share only what you need to, and have strong password protection on anything you share.
5. Avoiding risks
a. Separate your LAN onto its own network.
If you've followed my instructions for sharing your connection, you either are running a sharing program in a computer that has two Ethernet adapters (NICs), or your LAN is behind a hardware router. In either case, you have made your LAN really LOCAL and the only data that goes out to the Internet is data that you want to go there.
b. Unbind Microsoft Networks from TCP/IP on any network adapter that is connected to the Internet.
One of the first things that crackers check when they're looking for unsecured computers is whether they can see shared resources (files, folders, disk drives). If you're running any form of Windows, you probably share files and printers via Client for Microsoft Networks and the File and Printer sharing for Microsoft Networks service.
6. Risk transfer
• Chances are that even if you have only one computer, you probably have unnecessary software running that can make your PC a target for unwanted visitors. Add a full-time, high speed connection to the equation, and you may already have been visited!
• The most effective action you can take in this case is to remove Microsoft Networking from your PC entirely. Just open the Network Control Panel, select Client for Microsoft Networks as shown below, and click the Remove button on the Network Control Panel. Click on OK to close the Network Control Panel and let your machine reboot. That's all there is to it!
7. Conclusion
Some people need to allow requests for data originating from the Internet to reach computers on their LAN. Examples of this are:
• Running a webserver
• Receiving a NetMeeting or Dialpad call
• Grabbing a file from your home computer with pcAnywhere while you're at the office
• Remotely administering your LAN's router or sharing computer
In this case, you need to selectively open holes or ports in the firewall, so that the desired requests can reach the appropriate computers on your LAN. How you do this depends on the product you are using to share your connection, and is beyond the scope of this page, but is covered over in the Special Applications page. The important thing about opening ports through your firewall is that each one is a potential way for unwanted users to access your computers. If you must open holes in your firewall, then it's important to move up to the next level of protection. This would include:
• Binding Microsoft File and Print sharing to the NetBEUI protocol.
• Sharing only the files that need to be shared.
• Password protecting anything that is shared with a strong password. Note that this includes password protecting your router or sharing software's administration features.
• Opening only the ports that you need.
• Running some sort of personal firewall or port monitoring program.
• Running good, current-version anti-virus software and keeping the virus files updated at least monthly. McAfee VirusScan, Norton AntiVirus, and other good programs now also detect many Trojans and worms in addition to viruses.
• Enabling logging on any services that you run and regularly reviewing the logs.
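One way to check the "unbind Microsoft Networks from TCP/IP" and "open only the ports that you need" advice on a sharing computer, as an added example that is not part of the original page: it parses Windows `netstat -an` output and flags Microsoft sharing ports (137-139, 445) and unlisted ports bound to any address outside the LAN. The sample output, the 192.168.0.0/24 LAN range, the 203.0.113.25 address and the allow list are constructed assumptions.

```python
import ipaddress

# Ports used by Microsoft file and printer sharing over TCP/IP:
# NetBIOS name (137), datagram (138), session (139) and direct-hosted SMB (445).
SHARING_PORTS = {137, 138, 139, 445}

# Constructed sample in Windows `netstat -an` format (not from the page).
# 192.168.0.1 is the LAN adapter, 203.0.113.25 the Internet-facing one.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    203.0.113.25:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.25:5631      0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1042       192.168.0.7:139        ESTABLISHED
  UDP    203.0.113.25:137       *:*
  UDP    192.168.0.1:137        *:*
"""

def parse_listeners(netstat_text):
    """Yield (proto, ip, port) for TCP listeners and bound UDP sockets."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if fields[0] == "TCP" and fields[-1] != "LISTENING":
            continue  # outbound or established connection, not a listener
        host, _, port = fields[1].rpartition(":")
        yield fields[0], ipaddress.ip_address(host.strip("[]")), int(port)

def audit(netstat_text, lan_net, allowed_ports):
    """Return findings for sockets reachable from outside lan_net."""
    lan = ipaddress.ip_network(lan_net)
    findings = []
    for proto, ip, port in parse_listeners(netstat_text):
        if ip in lan or ip.is_loopback:
            continue  # bound to the LAN adapter only: not Internet-facing
        where = "all adapters" if ip.is_unspecified else str(ip)
        if port in SHARING_PORTS:
            findings.append((proto, where, port, "file sharing bound to TCP/IP"))
        elif (proto, port) not in allowed_ports:
            findings.append((proto, where, port, "port not on the allow list"))
    return findings

if __name__ == "__main__":
    # Assumed policy: only the web server (TCP 80) is meant to be reachable.
    for finding in audit(SAMPLE_NETSTAT, "192.168.0.0/24", {("TCP", 80)}):
        print(*finding)
```

Sharing ports bound only to the LAN adapter are left alone, which matches the page's advice to keep sharing local rather than remove it from the LAN.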