Home Admins
I’m gonna assume you know the basics and will move right into the dirt. The basics would be on the “Advice for Windows Users” and “Advice for MacOSX Users” pages. Those pages secure (for the most part) your machine from viruses, spyware and the like - this page will step out of your machine and deal with everything between your machines and your Internet connection. I am assuming you have either DSL or Cable…
There are a few things you are trying to protect from “bad guys”. The first would be your computer: it stores all your data, pictures, contact info, etc. Your computer can be protected to the extent that the “bad guys” would get tired of trying to get in there and move on to an easier target. The second thing you want to protect is the information you send all over cyberspace. While you’re shopping online (credit card information), while making changes to your website and checking email (passwords), and the like…
The only safe computer is the one that does not touch the Internet…
UNIX and Linux boxes are pretty secure in that you kinda have to know what you are doing to get in there, and it takes a grotesque display of “user-error” to infect these things with viruses and the like. These machines have to ask for and receive the root (“Administrator”) password before installing anything.
A Windows machine will just install it once you enable it - Viruses, Spyware, Worms, etc…
If you want “security” for your machine, you have to run your own firewall and in-house server(s). This will keep the “bad guys” out, but still allow you to send data out to cyberspace.
Let’s run a test: Get Ethereal (Mac version or Windows version; most Linux and UNIX boxes come with it). Get it, read the documentation, install it, and get it up and running. Now watch the network traffic. You can see the IP addresses, MAC addresses, location, passwords, webpages, etc. All the activity that is happening on your network is at your fingertips. You can see what each computer is doing online - and the scary thing is that you can see the usernames and passwords coming and going…
You need to stop as many of these passwords as possible from coming and going across the Internet to another server. If someone happens along, they can catch that data just as easily as you just did. Let me put it to you another way: Even with the best firewall in the world, the more data that travels out past your firewall to the Internet, the more that firewall starts looking a lot less like a firewall and a lot more like a hub…
Let’s do another test: run the “ping” command (it’s built into every OS in some way or another). Ping your email server (EX: ping mail.deltavtech.net), ping your webserver (where you frequently ftp your website changes). How many hops does it take to get to its destination? How many people, do you think, could snag your user information between each hop?
The only way to keep this data from flowing out into Cyberspace, for anyone to catch, is to bring the server in-house. If you have an in-house server, the info stops at that server - it goes from your computer to the server. That’s it…
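The audit these two tests lead to, as an added example that is not part of the original page: it reads packet summaries and reports which servers receive cleartext logins, and whether those logins leave your network or stop at an in-house server. The sample lines are constructed, and the 192.168.1.0/24 LAN range and the `audit` function name are assumptions.

```python
import ipaddress
import re

# Assumption: the home LAN is 192.168.1.0/24; substitute your own range.
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")

# (protocol, server port, pattern for a command that carries a cleartext login)
CLEARTEXT_AUTH = [
    ("FTP", 21, re.compile(r"(USER|PASS) \S", re.I)),
    ("POP3", 110, re.compile(r"(USER|PASS) \S", re.I)),
    ("IMAP", 143, re.compile(r"\S+ LOGIN \S", re.I)),
    ("HTTP", 80, re.compile(r"Authorization: Basic \S", re.I)),
]

# Constructed sample, one packet per line: "src dst dst_port payload".
SAMPLE = """\
192.168.1.20 203.0.113.10 110 USER alice
192.168.1.20 203.0.113.10 110 PASS example-secret
192.168.1.20 198.51.100.7 21 USER webmaster
192.168.1.20 198.51.100.7 21 PASS example-secret
192.168.1.21 192.168.1.5 110 USER bob
192.168.1.21 192.168.1.5 110 PASS example-secret
192.168.1.20 198.51.100.8 80 GET /index.html HTTP/1.1
192.168.1.20 198.51.100.9 443 (encrypted TLS record)
"""


def audit(capture):
    """Map (protocol, server) to where its cleartext logins end up.

    Only the protocol and server address are recorded, never the login itself.
    """
    findings = {}
    for line in capture.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4 or not parts[2].isdigit():
            continue  # malformed line or no payload
        _src, dst, dport, payload = parts
        for proto, port, pattern in CLEARTEXT_AUTH:
            if int(dport) == port and pattern.match(payload):
                inside = ipaddress.ip_address(dst) in HOME_LAN
                findings[(proto, dst)] = "in-house" if inside else "leaves LAN"
    return findings


if __name__ == "__main__":
    for (proto, server), where in sorted(audit(SAMPLE).items()):
        print(f"{proto:5} {server:15} {where}")
```

Every server reported as "leaves LAN" is a login that crosses each hop between you and that server in the clear; those are the services to bring in-house first.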
If you have one, ping your in-house server - one hop. That one hop is within your network, your network is in your house, and you know who’s in your house right now. So, if someone’s trying to be a “bad guy”, they’re most likely sitting a few feet from you…
Unless…
You just had to go wireless, didn’t ya?
Here’s what you have to do when going wireless:
- Stick the wireless router in the DMZ (De-militarized Zone). The DMZ is between your firewall (which should be a properly configured UNIX/Linux box) and the Internet (which is your cable or DSL modem). You must not allow a wireless router within the network: when it becomes compromised, the doorway is open to the rest of the computers on your network. If it is in the DMZ, the bad guys still have to get through a UNIX/Linux server before they can get to the rest of the computers. Then they have to deal with those firewalls, etc. The point is, the longer it takes for a bad guy to get inside your network, the more likely he is to move on to an easier target…
- Know that the computer you are “going wireless” with, the client, is always vulnerable. The only “safe” computer on your network is behind your firewall and “wired” to it…
- Get a D-Link or Airport, read the documentation, and secure it as well as you can. Close all open incoming ports, open only the outgoing ports that you use, configure the router to talk only to the card you are using (usually via MAC address), and DENY all IP and MAC addresses except for the specific ones you are using…
- Unplug the wireless router when you are not using it and disable the wireless portion of your computer when not using it…
- Know that no matter what you do, that wireless router, and the computer you use to go wireless, is an “open hole” into your world, unless it is turned off…
So you’re all setup and ready to go. OK, let’s test it! I’m assuming you’ve done everything to this point:
- Your computer is “safe” cause you took my advice on the “Advice for Windows Users” or “Advice for MacOSX Users” pages…
- You’ve got a properly configured firewall between your computer/s and the internet…
- You’ve set up an email and web server in-house so most of your important information doesn’t get bounced around cyberspace…
- …and you put the wireless router in the DMZ. Not only is it in the DMZ, but it’s properly configured as far as you know.
No one’s getting in there, right?
Tell you what, get it all up and running. Set it all up and get your laptop online through the wireless router. Have a friend bring over his laptop and run Kismet (UNIX/Linux) or KisMac (MacOSX) - I’m sure there’s one for Windows, but never bothered to look. Anyway, install it, configure it and check it out. This is a completely passive network scanner (if you are running Ethereal on your computer while your buddy is scanning the network, you would not see him) that catches all Access Points and Wireless Clients within range. It monitors “closed networks” by monitoring for traffic sent by the Wireless Clients, shows these IP addresses/ranges and MAC addresses and much more.
After a while, your buddy has all the info he needs except for one thing; all he has to do is run Ethereal for an hour or so to get it - now he has all your passwords that you have used while online.
Keep in mind that it doesn’t matter which side of the DMZ the wireless router is on, if someone knows what they are doing. Not only do they now have access to your wireless router, so they can use it and hog your bandwidth for you, but they just got all the information that you were trying to protect in the first place…
The perfect network looks something like this - you could add a few more client computers, servers, and/or printers if you like. You could also use the firewall as a server if you need to. I usually put it behind the firewall cause it just creates one more step for the “bad guys” to deal with…

If your network looks like this, the bad guys will probably move on to an easier target. But they can still grab the data you transmit outside of the network (EX: Credit Card #’s and information while shopping online, Online Banking information, usernames and passwords for certain sites, etc…). So, unless you have a “closed network” (EX: Military) you are always vulnerable. None of us would have any use for a closed network. All we can do is try to make it a point to keep our vulnerability to a minimum…
If you do nothing else (due to lack of funds and/or know-how), you should at least get the firewall up and running and put your email server in-house.
Why email?
If a “bad guy” has your mail server, username and password - which I think this page proves anyone can do with a little time and effort - they can check your mail without your knowledge. They simply have to check a button in their email program (“leave mail on server”), and you would never know they were doing it cause you would get your email just as you always do (you wouldn’t see it at all).
Now, think about that…
Every time you order something online or join an online subscription of some type, they send you an email, don’t they? Usernames, passwords, addresses, phone numbers, credit card info, software installation numbers, account numbers, etc. If they can receive your email, this info is theirs…
The Internet is a vast place and none of us will ever be safe from the “bad guys” as long as we’re using it. Of course, “not using it” is not an option for most of us, so all we can do is try to “keep our vulnerability to a minimum”…
