Using NAT Router on home network
Floog
11-12-2001, 01:09 AM
I definitely took the easy way out to get my home network up and running. I bought a 10/100 switch and a router to share internet connection and printing, etc.
I've got 3 computers on the network, each one running a different OS: Slackware 8.0 , FreeBSD 4.0, and Win98.
I set the router up using the Win98 box. I haven't gotten Samba up and running yet.
My question is this: What more should I be doing to secure the computers on my network? It seems like the NAT capability on the router takes care of most of the security issues. It shows only 1 IP address to the rest of the mean ol' digital world, and doesn't open any ports to the subnet addresses it creates for each machine.
Am I right/wrong, misled, or missing a lot of other issues that should be considered?
I would appreciate your thoughts on the matter. Thanks for your time and consideration.
Mike Flug
michael@floog.net
thedexman
11-12-2001, 05:20 PM
Well, unless they are misconfigured, more security measures cannot hurt you. As a home user you've got a bit more flexibility not having to enforce any type of security policies. That said, a simple packet filter gives you a lot of control about the type of traffic that goes in and out of your network.
I think that if you can implement a firewall without pulling your hair out, then the decision to do so is a no-brainer. Even running programs like ZoneAlarm on your Windows machine helps.
Just using NAT helps create a barrier to your network. However, you are still not completely isolated from things like SYN based attacks and other DoS attacks, IP Spoofing, etc. Additionally, you don't really have that much control over outgoing traffic, should a machine be compromised by some other means.
It also depends on your users and the potential risks to your data.
At home, I use my OpenBSD firewall (just a 486DX4, with 2 3com 3c509B's), which goes into my roommate's Linksys NAT router. Everything else hooks up to the router. However, for my parents' house, I just set up an SMC Barricade NAT router and make sure they're not using Outlook on any of their PCs. Not being all that technically oriented means much more would just be too intrusive for them.
Floog
11-14-2001, 12:38 AM
[QUOTE]Originally posted by thedexman:
That said, a simple packet filter gives you a lot of control about the type of traffic that goes in and out of your network.[/QUOTE]
Can you give me the name of a couple of good packet filtering programs you've used for Linux? I'll check 'em out and give one a try.
[QUOTE]At home, I use my OpenBSD firewall (just a 486DX4, with 2 3com 3c509B's), which goes into my roommate's Linksys NAT router. Everything else hooks up to the router.[/QUOTE]
I'm trying to get a picture of your setup. Do you have a few computers all connecting to a hub or switch, and then you have a line in to the OpenBSD box, and then a line out connecting to the router? Correct?
Thanks for your help.
Mike
michael@floog.net
thedexman
11-14-2001, 03:19 AM
For Linux, you should just check iptables (2.4 kernels) or ipchains (2.2 kernels). On OpenBSD I am using ipf. I think FreeBSD has ipfw or something like that (can't remember, sorry).
I'll try and draw a simple diagram:
Internet<--->OpenBSD Firewall<--->NAT Router<--->Switch built in to router<--->Internal Network Stuff
The 2 NICs in the firewall are set up in a bridge, with no IP addrs. This way, the firewall looks and acts like just a big piece of network cable, except that it also filters all the traffic that goes through it.
Before my current roommate, it was even simpler:
Internet<--->OpenBSD Firewall/NAT Router<--->Hub<--->Internal Network Stuff
[ 14 November 2001: Message edited by: thedexman ]
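For the Linux case mentioned in the last reply (iptables on a 2.4 kernel), the following is an added example, not part of any poster's message: a host ruleset that filters outgoing as well as incoming traffic, which is the control the thread notes NAT alone does not provide. The function names, the port lists and the log prefix are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for one Linux host that
# sits behind the NAT router. Port lists and log prefix are assumed values.

# valid_port PORT -> succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_ruleset "TCP_PORTS" "UDP_PORTS" -> prints the ruleset on stdout,
# returns non-zero (and prints nothing to stdout) if any port is invalid
build_ruleset() {
    tcp_ports=$1
    udp_ports=$2
    for p in $tcp_ports $udp_ports; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    # Default deny in every direction, loopback always allowed.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Stateful match: only packets of connections this host opened get back in.
    printf '%s\n' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Egress allow-list: new outbound connections only to the listed ports.
    for p in $tcp_ports; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        printf '%s\n' "-A OUTPUT -p udp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Everything else leaving the host is logged, then dropped by policy.
    printf '%s\n' '-A OUTPUT -j LOG --log-prefix "egress-drop: "' 'COMMIT'
}

# Print the ruleset for review. To load it (as root):
#   build_ruleset "80 443" "53" | iptables-restore
build_ruleset "80 443" "53"
```

Lines tagged egress-drop in the kernel log show which outbound connections the allow-list refused.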