Distributed organizations, telecommuting, working from home -- no matter how you slice it, the home office represents one of the biggest security headaches IT must face. Companies are finding that it's one thing to protect systems in-house and another thing altogether to enforce standards in the spare bedroom.

The emerging personal firewall software market offers several products that address networking vulnerabilities at the desktop level. Leading vendors in this space include Network ICE Corp., Sybergen Networks Inc., Sygate Technologies Inc., and Zone Labs Inc.'s Zone Alarm, as well as more familiar companies such as Network Associates Inc. and Symantec Corp. Good desktop firewalls can be had for free, but most commercial packages cost between US$40 and $60 and sometimes include anti-virus capabilities.

These desktop firewalls are a good first step but hardly a complete solution because they don't shield non-networked devices, especially network-attached printers, from remote probing. They do, however, provide a line of protection at the desktop's network interface that we expect will be built in to future operating systems.

SOHO (small office/home office) routers can offer even more protection for the home user by isolating the home network from the broadband connection. Vendors competing in this space include Cisco Systems Inc., Linksys Group Inc., Ramp Networks Inc., SonicWall Inc., and WatchGuard Technologies Inc., with most of their offerings in the $150 to $200 range.

Most SOHO routers are designed to deliver protection equivalent to a low-end firewall: NAT (network address translation) with TCP port inspection. They can perform some simple filtering tasks and forward requests -- depending on the TCP port -- to a limited number of internal hosts.

Most also offer the ability to place one IP address in a DMZ (demilitarized zone) where none of the router's firewall features apply. This can be useful in videoconferencing, when gaming, or when using other types of applications that don't play well with firewalls. One problem with this approach is that often only one computer at a time can be in the DMZ, so managing this feature may prove troublesome in households with multiple users of these services.

We recommend that users install in home offices both personal firewalls and SOHO routers to present a blanket front to potential intruders. This way, if you have to keep one of your hosts in the DMZ more or less permanently, even that exposed host will have some degree of protection from the nasties.

Managing SOHO routers remotely may not be for every organization. The safest rule is that if you provide the hardware you should manage it. At a minimum, a SOHO router should permit management through its WAN interface, although we highly recommend using a nonstandard TCP port instead of easily guessed ones such as 8080.

To take device security a step further, identify and change all default passwords when installing SOHO routers and similar border devices. There is no point in spending a few hundred dollars on security, only to leave a back door open for an attacker who can find the passwords published in the documentation.

Securing

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine