Security

[Guest]

Hi, just wondering what would be a good place to start learning about networking security and things like securing server access etc... I'm planning on doing my own home network and I want to make sure I get things secure before proceeding. As secure as possible. 

 

@looney - asked to be notified 

[mikat]

@Security maybe? jk

what kind of security do you want?

what are you doing on your network that isn't secure by default?

[Guest]

If you've got the time and effort, doing a basic networking course like DNCA or CCNA might be a good idea. Otherwise have a look on YouTube: networking is very broad in terms of security as no network is truly secure. You can only make it so complex and difficult as to dissuade someone from getting in, there's always a way in. What you need to take note of is the security threats that you'll face. A wifi network in an apparetment block or Uni dorm will I dare say face a higher skilled intruder than your general suburban home.

[Guest]

Connections that have better encryption, I mean this is why I'm asking. I don't know much about security other than just an anti virus and an anti malware. Pretty basic stuff, I want to get advanced in this topic. 

[Guest]

If you've got the time and effort, doing a basic networking course like DNCA or CCNA might be a good idea. Otherwise have a look on YouTube: networking is very broad in terms of security as no network is truly secure. You can only make it so complex and difficult as to dissuade someone from getting in, there's always a way in. What you need to take note of is the security threats that you'll face. A wifi network in an apparetment block or Uni dorm will I dare say face a higher skilled intruder than your general suburban home.

What are those first two and what would you recommend for a start

[Sunshine1868]

When you ask for encryption, what do you mean? 

Do you mean you want to be safe outside of your house too? - use a VPN

As for inside of your house, get a router with a stateful (layer 7) firewall. (maybe try pfSense)

(a pfSense router would also help with the VPN)

 

if you have an outward-facing server, put it in a DMZ

[LtStaffel]

I've found that you don't learn security, or hacking, or stuff like that.  You learn how computers work and then take advantage of them, and fill in those holes.  Kind of like you don't learn how to break an engine, you learn how it works and then you know that if you plug that hole or remove that pipe it will break.

[mikat]

Connections that have better encryption, I mean this is why I'm asking. I don't know much about security other than just an anti virus and an anti malware. Pretty basic stuff, I want to get advanced in this topic. 

what are you accessing from what computer?

[Sunshine1868]

I've found that you don't learn security, or hacking, or stuff like that.  You learn how computers work and then take advantage of them, and fill in those holes.  Kind of like you don't learn how to break an engine, you learn how it works and then you know that if you plug that hole or remove that pipe it will break.

This.

[Guest]

What are those first two and what would you recommend

DCNA or DNCA or whatever it's called is a basic 3 hour online DLink networking overview covering routing, switching and WiFi network types: very entry level mainly designed for sales people.

CCNA is tier 1 of 3 in the Cisco training accademy and is the equivalent of doing a certificate 4 in their products. Has written test etc however even completing the coursework without doing the exam may be beneficial.

As for your network setup, what devices are connecting, how are they connecting and what is around in the environment? This final point brings me back to my first reply: bored Uni kids will try and get into your wifi network for giggles.

[Guest]

When you ask for encryption, what do you mean? 

Do you mean you want to be safe outside of your house too? - use a VPN

As for inside of your house, get a router with a stateful (layer 7) firewall. (maybe try pfSense)

(a pfSense router would also help with the VPN)

 

if you have an outward-facing server, put it in a DMZ

what is a dmz

[Sunshine1868]

DeMilitarized Zone.

 

LAN - DMZ - WAN

 

Imagine this: you want a minecraft server. so you forward the necessary ports. your server sits in your front hallway in your house. if somebody wants into your house, there is a door (port forward) that lets them into your house to get to your server. but once they are in, they can run amok.

a DMZ is like putting that server on your front porch step. people can get to it and run amok, but it will not affect the other computers inside of your house. 

[Altecice]

Network security & Server security are two different carrier paths. You wont find somebody who is a specialist in both they will do either one or the other. For networking you have CCNA Security (But Id  suggest CCNA Routing & Switching) for Server you will find lots of Microsoft certifications on Windows... but be aware there are a lot more vendors that that out there you have CITRIX/Netapp/Vmware just to name a few. 

[Guest]

DCNA or DNCA or whatever it's called is a basic 3 hour online DLink networking overview covering routing, switching and WiFi network types: very entry level mainly designed for sales people.

CCNA is tier 1 of 3 in the Cisco training accademy and is the equivalent of doing a certificate 4 in their products. Has written test etc however even completing the coursework without doing the exam may be beneficial.

As for your network setup, what devices are connecting, how are they connecting and what is around in the environment? This final point brings me back to my first reply: bored Uni kids will try and get into your wifi network for giggles.

Well I'm more concerned about wireless connections for a start, for example, my phone, I mean not just my phone but what if things change in the future and I want to add someone else's phone to the network to allow access on that note, allow access to certain things, is it possible to have people labeled as guests on a network and is that safe? Things like that, and what can I do to increase secure connections, like is there a way I can increase the difficulty for someone to break or have the time to break so I was thinking higher levels of encryption - is there a way to do that for all devices or all connections on a network? 

[Sunshine1868]

general rules:

 

1) NEVER use WEP authentication

2) I REPEAT NEVER USE WEP

3) Use WPA-2 or RADIUS authentication

4) Use at least 15 characters in a password (just to be safe)

5) Create a hidden network (optional)

6) Filter access by MAC (hardware) Address (optional)

[Guest]

general rules:

 

1) NEVER use WEP authentication

2) I REPEAT NEVER USE WEP

3) Use WPA-2 or RADIUS authentication

4) Use at least 15 characters in a password (just to be safe)

5) Create a hidden network (optional)

6) Filter access by MAC (hardware) Address (optional)

Why WPA-2 or RADIUS? 

Hidden network - you would still be able to connect to but you would have to know something right? Like a connection key or something? 

and then point 6 you said, why a mac? and then address? 

[Blade of Grass]

general rules:

1) NEVER use WEP authentication

2) I REPEAT NEVER USE WEP

3) Use WPA-2 or RADIUS authentication

4) Use at least 15 characters in a password (just to be safe)

5) Create a hidden network (optional)

6) Filter access by MAC (hardware) Address (optional)

Creating a hidden network and MAC filtering are only security through obscurity, they only appear to increase your security (they're easily bypassed by an attacker).

EDIT: if you want to learn about computer networking I suggest watching the Professor Messor Network+ videos and/or reading Conputer Networking By Andrew Tanenbaum.

[Guest]

Creating a hidden network and MAC filtering are only security through obscurity, they only appear to increase your security (they're easily bypassed by an attacker).

I can see how this could make a network more secure though from an attack if my understanding is correct. I mean not even an attack but just keeping a network out of site from the general viewing eyes, is my understanding correct? 

[Sunshine1868]

Hidden Network requires somebody know the network name (or snoop it out) it just makes it slightly more difficult to get in.

MAC filtering means only allowing certain hardware devices in (every network device has a MAC address, like a serial address) however this can be spoofed. again, just another way to slow them down

 

RADIUS and WPA-2 are ways to authenticate users on the network. WPA-2 is a shared-key protocol (there is one password to your wifi that everybody knows). if you make it ~15 characters long, it would take OBSCENELY long (years) to crack even with the best computers.

 

RADIUS is user-based authentication. each person must log in with a username and password that you set

[Guest]

By the way, should we pin something like this or should we start a thread somewhere for something like this or like some kind of official or unofficial thread? I'm surprised something like this is something I haven't seen before, is it somewhere on the site? 

[Sunshine1868]

I can see how this could make a network more secure though from an attack if my understanding is correct. I mean not even an attack but just keeping a network out of site from the general viewing eyes, is my understanding correct? 

yes. the average joe would not see your wifi network on his iGalaxus handheld.

only somebody with the right know-how could sniff it out using special software.

[Blade of Grass]

I can see how this could make a network more secure though from an attack if my understanding is correct. I mean not even an attack but just keeping a network out of site from the general viewing eyes, is my understanding correct?

To clarify what I was saying, they do not make a network more secure. A common misconception is that it makes it more secure, but it doesn't. Security through obfuscation is not real security.

[Guest]

-snip

so my understanding for a hidden network is that it wouldn't show up on something like "available networks" when you're searching for wifi on let's say a laptop to connect to a wireless access point or something - it would be hidden and you could only connect if you knew some connection information of some sort? 

[Sunshine1868]

To clarify what I was saying, they do not make a network more secure. A common misconception is that it makes it more secure, but it doesn't. Security through obfuscation is not real security.

this is true, but like I said, it makes it slightly more difficult to get in. any added step is better than none.

[Sunshine1868]

so my understanding for a hidden network is that it wouldn't show up on something like "available networks" when you're searching for wifi on let's say a laptop to connect to a wireless access point or something - it would be hidden and you could only connect if you knew some connection information of some sort? 

that is exactly correct.