As a vulnerability management professional, I talk about vulnerability scanning best practices a lot. There’s a lot more to vulnerability management than just scanning, but if you don’t get scanning right, the rest of the program suffers.
I’m going to talk about a lot of technical controls here, but don’t forget the nontechnical side. People and processes have to support all technology.
I get a lot of questions about the DD-WRT firewall. There’s a lot of talk out there that goes deep into theory and advanced firewall usage, but what if you just want to know how to set up your firewall to protect your network and open up a few ports?
Here’s how to set that up.
Note: If you have multiple DD-WRT boxes running as access points like I do, only the one directly plugged into the Internet needs to be configured this way. Disable the SPI firewall on your internal access points.
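To make "open up a few ports" concrete, here is an added example that is not from the original post: a POSIX shell script that generates (and, when told it is on the router, applies) the pair of iptables rules DD-WRT's firewall script needs for each forwarded port, while the SPI firewall keeps everything else closed. The LAN hosts, the ports and the fallback interface name "vlan2" are assumptions for illustration; DD-WRT itself stores the real WAN interface name in the `wan_iface` nvram variable.

```bash
#!/bin/sh
# Added example, not from the original post: the iptables rules DD-WRT's
# firewall script needs to forward a handful of ports to LAN hosts while the
# SPI firewall keeps every other inbound connection closed. Paste the output
# into Administration > Commands and "Save Firewall" on the Internet-facing
# router only. Hosts, ports and the fallback interface name are assumptions.

# DD-WRT keeps the WAN interface name in nvram; fall back to "vlan2" so the
# script can be dry-run on a workstation that has no nvram command.
WAN_IF="${WAN_IF:-$(nvram get wan_iface 2>/dev/null || echo vlan2)}"

# forward_rule PROTO WAN_PORT LAN_IP [LAN_PORT]
# Prints the pair of rules that opens exactly one port: a DNAT in the nat
# table plus a matching ACCEPT in FORWARD. DD-WRT's default policy drops
# WAN-to-LAN traffic, so the DNAT alone does nothing; both are inserted at
# the top of their chains (-I) so they take effect ahead of the stock rules.
forward_rule() {
    proto=$1
    wan_port=$2
    lan_ip=$3
    lan_port=${4:-$2}
    case "$proto" in
        tcp|udp) ;;
        *) echo "forward_rule: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    for p in "$wan_port" "$lan_port"; do
        case "$p" in
            ''|*[!0-9]*) echo "forward_rule: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "forward_rule: port out of range '$p'" >&2; return 1
        fi
    done
    # Only forward into private address space; a typo here would otherwise
    # turn the router into a relay toward some host on the Internet.
    case "$lan_ip" in
        10.*.*.*|192.168.*.*|172.1[6-9].*.*|172.2[0-9].*.*|172.3[01].*.*) ;;
        *) echo "forward_rule: refusing non-RFC1918 target '$lan_ip'" >&2; return 1 ;;
    esac
    echo "iptables -t nat -I PREROUTING -i $WAN_IF -p $proto --dport $wan_port -j DNAT --to-destination $lan_ip:$lan_port"
    echo "iptables -I FORWARD -i $WAN_IF -p $proto -d $lan_ip --dport $lan_port -j ACCEPT"
}

# apply_forwards: one line per port to open (PROTO WAN_PORT LAN_IP [LAN_PORT]).
# The three entries are made up for the example; edit them for your network.
apply_forwards() {
    while read -r proto wan_port lan_ip lan_port; do
        [ -n "$proto" ] || continue
        forward_rule "$proto" "$wan_port" "$lan_ip" $lan_port || return 1
    done <<'EOF'
tcp 22   192.168.1.10
tcp 8443 192.168.1.20 443
udp 1194 192.168.1.30
EOF
}

# run_forwards: prints the rules for review; with RUN_ON_ROUTER set in the
# environment it executes them instead (that is the mode for the saved
# firewall script on the DD-WRT box).
run_forwards() {
    rules=$(apply_forwards) || return 1
    if [ -n "${RUN_ON_ROUTER:-}" ]; then
        printf '%s\n' "$rules" | sh
    else
        printf '%s\n' "$rules"
    fi
}
```

Run it once with no environment variable set to review the rules it would add, then put `RUN_ON_ROUTER=1` in front of the call in the saved firewall script. Because every rule is keyed to the WAN interface and a specific LAN host and port, nothing else is reachable from outside, and the RFC 1918 check refuses to forward toward any address that is not on your own network.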
I’ve been asked a few times now for my recommended DD-WRT settings, or at least my good-enough settings. I think that’s a great idea, so I’ll walk through how I configure a DD-WRT router. Follow these steps and I can almost guarantee you’ll have the most secure network on your block.
For the purposes of this tutorial, I am going to assume you are configuring DD-WRT as your primary router.
Most of us have an old router like a Linksys WRT54G lying around, or if we don't, one is very easy to find (the nearest garage sale or thrift store is a good bet), but sometimes all we need is a switch to hook up a couple more computers or other devices to a wired connection. Using a router as a switch wastes some of its capabilities, but it's easy to do.
I’ve been noticing a lot of slowness that I’ve traced to DNS issues lately, typically with the caching DNS in routers. It happened to me, and it happened to my mom. We have different routers from different manufacturers, and they probably even use different embedded operating systems. Hers almost assuredly runs Linux; I have an oddball one that runs FreeBSD.
But the caching nameservers aren't working well lately. I haven't investigated why just yet. The solution I found was to hard-code the DNS settings on all my computers rather than letting them pull them from DHCP (my oddball router won't let me specify external DNS servers to use, lovely). Be sure to pick the best ones for your network.
Making that simple change fixed my mom’s dog-slow computer, and fixed my unreliable one.
A very good question came in as a comment to my earlier post, the benefits of practicing IT at home. What do I mean by putting some Windows 7 machines on a domain? It’s one of several good home network projects.
I mean standing up a server with centralized user accounts and shares, running on Windows Server or Samba, whichever you can afford. Make it a print server too, and print from it, just like you would from an office. Then extend it, and extend your sysadmin skills. Here are several ideas for projects of varying length, difficulty, and expense.
Last week, I presented a shortcut for wiring a house with Ethernet using cheap keystone couplers. I’m happy to say I’ve done it twice now, and it all works, but I wanted to follow up and share a little more experience now that I’ve wired about a dozen ports this way.
I don’t know what happened, but my Ubuntu Linux server crashed hard the other night. And when I brought it back, the rest of the network couldn’t see it. I could ping my gateway (router), and the server was pulling an IP address over DHCP, and the rest of the world had connectivity to it, but I couldn’t ping anything else on the network. And my Windows machines couldn’t connect to it.