March 12, 2001, 2:49 PM — Distributed organizations, telecommuting, working from home -- no matter how you slice it, the home office represents one of the biggest security headaches IT must face. Companies are finding that it's one thing to protect systems in-house and another thing altogether to enforce standards in the spare bedroom.
The emerging personal firewall software market offers several products that address networking vulnerabilities at the desktop level. Leading vendors in this space include Network ICE Corp., Sybergen Networks Inc., Sygate Technologies Inc., and Zone Labs Inc.'s Zone Alarm, as well as more familiar companies such as Network Associates Inc. and Symantec Corp. Good desktop firewalls can be had for free, but most commercial packages cost between US$40 and $60 and sometimes include anti-virus capabilities.
These desktop firewalls are a good first step but hardly a complete solution because they don't shield non-networked devices, especially network-attached printers, from remote probing. They do, however, provide a line of protection at the desktop's network interface that we expect will be built in to future operating systems.
SOHO (small office/home office) routers can offer even more protection for the home user by isolating the home network from the broadband connection. Vendors competing in this space include Cisco Systems Inc., Linksys Group Inc., Ramp Networks Inc., SonicWall Inc., and WatchGuard Technologies Inc., with most of their offerings in the $150 to $200 range.
Most SOHO routers are designed to deliver protection equivalent to a low-end firewall: NAT (network address translation) with TCP port inspection. They can perform some simple filtering tasks and forward requests -- depending on the TCP port -- to a limited number of internal hosts.
Most also offer the ability to place one IP address in a DMZ (demilitarized zone) where none of the router's firewall features apply. This can be useful in videoconferencing, when gaming, or when using other types of applications that don't play well with firewalls. One problem with this approach is that often only one computer at a time can be in the DMZ, so managing this feature may prove troublesome in households with multiple users of these services.
We recommend that users install in home offices both personal firewalls and SOHO routers to present a blanket front to potential intruders. This way, if you have to keep one of your hosts in the DMZ more or less permanently, even that exposed host will have some degree of protection from the nasties.
Managing SOHO routers remotely may not be for every organization. The safest rule is that if you provide the hardware you should manage it. At a minimum, a SOHO router should permit management through its WAN interface, although we highly recommend using a nonstandard TCP port instead of easily guessed ones such as 8080.
To take device security a step further, identify and change all default passwords when installing SOHO routers and similar border devices. There is no point in spending a few hundred dollars on security, only to leave a back door open for an attacker who can find the passwords published in the documentation.
Securing the home office presents a number of challenges but nothing that can't be overcome with a little well-directed effort. If your company's home and remote workers aren't using SOHO routers to provide an additional layer of security, you're leaking more information than you might want to be. The protection offered by SOHO routers easily covers the cost of installing them.
SOHOware BroadGuard Secure Cable/DSL Router Specs
Products: SOHOware BroadGuard Secure Cable/DSL Router NBG800
Dimensions (in inches): 10.2 by 1.8 by 6.6
Cost: $179.99
Vendor: SOHOware Inc.
Phone: (800) 632-1118
Web: www.sohoware.com
Pros:
+ Stateful packet inspection allows for better identification of hostile traffic
+ DHCP (Dynamic Host Configuration Protocol) server supports as many as 253 hosts
+ Includes auto-sensing 10/100 Ethernet switch
+ Logs attacks, providing a way to trace assumed hostile attempts to access home network
Con:
- Bulky package compared to other SOHO routers
Security and management: The SOHOware NBG800 has everything we would ask for in a SOHO router and more. Stateful packet inspection improves on simple NAT-based firewalls by actually examining traffic in context, instead of funneling packets based on IP address and port information. The attack monitor can e-mail you with details of probes that serve as an evidence trail, though it's strictly an after-the-fact tool. The BroadGuard supports VPNs using either PPTP (Point to Point Tunneling Protocol) or IPSec.
