RESET Forums (homeservershow.com)

Securing your WHS


Vulcan

What is everybody doing to secure their WHS? I have been running mine through a cheap $50 router/firewall, but I have been thinking of ramping up the security due to the level of the content on my WHS and the value I place on the info. I am looking at a few options:

1) Astaro Gateway
Pros - Free for home use (25 IP limit)
- Digitally signing e-mails automatically
- Triple virus scan with free updates
- Stateful packet inspections
- Total control of MSN Messenger, Filesharing, Torrents
- Has a VM appliance to test
Cons - Another running system in my house
- Needs 2 NICs, so mini PCs are not the easiest to use

2) IPCop
Pros - Easier to set up?
Cons - Seems like fewer features

3) pfsense
Pros - Good reviews (a friend uses it)
Cons - ?

Right now I am leaning towards the Astaro as it seems more complete.

What are your thoughts....Do you have data on your WHS that should be protected?


I'm not using anything on the server, and only protect my PCs with MS Security Essentials. I've heard about Astaro from the Security Now! podcast. And I've thought of trying it out, but never got around to it. If you decide to check it out, I'd be interested to hear how it goes.


What else are you trying to protect against? SPI in home routers will cover most things that could be problematic. For most people at home, the users are more likely to be the weak link than a consumer-level router.
My personal tips:
* keep Windows up-to-date, and restart after Patch Tuesdays whenever it asks you to
* make sure to have virus protection on all client machines
* set up your router to use WPA/WPA2 with AES if you have wireless
* don't use IE6/7. Use IE8 or FF3+ or Chrome, etc.


Well, it depends if you're going to run something on your existing router hardware like DD-WRT or Tomato, or if you're going with a UTM or nice software router that runs on separate commodity x86 hardware. If going the latter route, I've had great experience with Untangle for unified threat management (UTM), Endian for UTM, pfsense for router/firewall/VPN, and monowall, which is a more basic version of pfsense. Right now I run pfsense for routing and firewall and run Untangle as a transparent bridge filtering traffic as well (both virtual :-) They're all free for most of their capability, excluding support of course.


1) WPA/WPA2 can be cracked fairly easily now....There is an online group that will crack a WPA password in 20 minutes for $17 if you provide them with a packet capture and the SSID.
2) Home routers are not the best defense....Many have default backdoors that will override whatever user name and password you have set.
3) Upgrading the firmware on routers and running WRT or Tomato is good...much better than the default.
4) Remember that all the WHS and the routers we use have open ports...any open port presents an attack vector.
5) Some form of encrypted storage is a must for your most valuable data.

I bring these points up for discussion as I find (and you may also find) that I have more and more private data on my WHS every day.


1/ You'll notice that I specified AES. The cracking thing only works for PSK encryption.
2 & 3/ I'm curious to read more. Do you have any links on this?
4/ The router will only have the open ports that you set up (or the WHS sets up via UPnP). Having a cheap router or a professional-level one isn't going to change that.
5/ In case someone steals the physical box? I have yet to see a hardware encryption solution cheap enough and flexible enough for home use.


Guest no-control

I would be curious to see what percentage of intrusions are actively targeting home networks. Seems like a low RTI from a criminal standpoint.

Technically every window in your home represents an attack vector. How many layers of protection do you need over those?

I understand the discussion and its purpose and I agree being secure is just part of the 6 "Ps" of business. But to what extent? How valuable/private is that information?


Hey usacomp2k3

1) Today it only works with WPA-PSK, but what about tomorrow? You will recall when we all thought WEP was secure and then when we thought that WPA was so much better. The only thing that remains constant is the level of effort that the criminal element employs...that is never going to go away.

2) This is a link to default passwords for a bunch of routers: Default Password Lists. There are several other lists floating around on the internet that have the backdoor passwords, but I am not interested in having my name linked to them...search them out if you are interested.

4) My point is that if you have an open port you are presenting a possible point of entry. I am not saying that you should not have any ports open but rather be aware of what ports you have open and what services you have running. Think of how most malware gets onto a system...via e-mail or web browsing. At least with something like the Astaro you get triple virus scanning and stateful packet inspections, which should increase your protection. Astaro is free for home use....why not give it a try and see if it works for you and your configuration.

5) Have you looked at TrueCrypt? It is free and offers very strong encryption. I am not a fan of whole drive encryption for systems that do not leave my physical control (save the full disk encryption for laptops only). A folder on your WHS could easily be encrypted with TrueCrypt; then you could manually mount the encrypted container when you wanted to add something to the folder.

NoControl

I don't think it is a case of you being targeted but rather somebody runs a scan against a range of IPs and you are unlucky enough to be in that group. There are lots of automated scanning tools out there.

Your comment about the windows is a good one....We all have windows in our houses. Some people go out with the windows open, others with a screen in place, some close and lock the window and some people install bars.....Computer security is just like that as well....you have to apply what level of security you feel is warranted based on your personal risk assessment.

I think you might be surprised at the value of the information stored on your WHS....Things like scanned bank statements, credit card bills, copies of passports and other government documents. It is one of those things that just built up over time. I know for myself I first used my WHS just as a cool method of backing up my digital photos, but my use of the WHS has evolved to backing up my completed system, which includes a large collection of scanned documents and tax records etc., any of which would make me uncomfortable if they were in somebody else's hands.


Guest no-control

Understood I was trying to be critical of your decision, just pointing out that it's easy to get carried away. Sometimes we make our lives more complicated than they need to be.
My point is the payoff is bigger for someone (group) to go after a business rather than an individual. I have a certain level of security I'm willing to deal with. If they want it that bad they can have it.

I have several of those same documents (marriage cert, birth cert, passports, tax records, SSN, etc...). Items which are accessed so infrequently I have placed them on both a DVD and a flash drive. DVD is located offsite in a relative's safe; flash drive is locked up in my safe.

Considering most people bank, shop, manage assets, email sensitive information, and are generally forced to cough up their SSN for anything gov't, medical, financial related, it's pretty much in the wind already.

That being said, WHS is wide open. Network has a consumer grade router and switch. PCs have MS Security Essentials. I actively manage all of the PCs and appliances on this network.

"There is nothing more imprudent than excessive prudence"


* Firefox w/ NoScript - goodbye JavaScript attack vector
* Gmail - goodbye spam (most of it, anyway)

*Personally, I'm rooting for someone to set up one of the aforementioned UTMs. If there's no performance hit to Internet up/down speeds, I'd be interested to hear.
