Protecting the router and the home network

The main threat to your data comes from the Internet. How do you protect a home network reliably?

Users often mistakenly believe that an ordinary antivirus is enough to protect a home PC connected to the Internet. The labels on router boxes are also misleading, promising a powerful hardware firewall that protects against hacker attacks. These claims are only partly true. First, both tools require proper configuration; and many antivirus packages simply do not include a firewall at all.

Competent protection begins at the Internet connection itself. A modern home network is typically built around a Wi-Fi router that is connected to the provider by an Ethernet cable; desktop computers, laptops, smartphones and tablets reach the Internet through its local network. The same network also carries peripherals such as printers and scanners, many of which are network-attached.

By compromising your access point, an attacker can not only use your Internet connection and control devices in the home, but also publish illegal content on the Web from your IP address and steal information stored on equipment connected to the network. This article covers the basic rules for protecting a home network, keeping it working and preventing break-ins.

Hardware

Most modern network equipment requires its security features to be configured: filters, firewalls and scheduled access lists. An untrained user can set the protection parameters, but there are some nuances worth knowing.

USE TRAFFIC ENCRYPTION When setting up the access point, enable the strongest security mechanism the router and your devices support: WPA2 with AES (CCMP) at a minimum, or WPA3 where it is available, and choose a long, random passphrase. WEP is obsolete and can be cracked in minutes, and the older TKIP cipher should be disabled as well. Note that with WPA2-PSK an attacker who captures the handshake can test passphrases offline, so the length and randomness of the passphrase is the whole of the protection.

CHANGE YOUR CREDENTIALS REGULARLY Set strong passwords and change them periodically (for example, every six months). The easiest device to break into is one on which the user has left the factory login and password, "admin"/"admin": default credentials are printed in the manual and collected in every online list of router defaults. The router's administration password should also differ from the Wi-Fi passphrase.

HIDING THE SSID The SSID (Service Set Identifier) is the public name of the wireless network; it is broadcast over the air so that client devices can find it. Hiding the SSID keeps it out of the network list, which deters only the most casual onlookers: the name is still transmitted in the clear whenever a client connects, so any wireless sniffer reveals it, and your own devices will probe for the hidden network wherever they go. Treat it as a convenience setting, not a security control; with it enabled you will have to enter the access point parameters manually to connect new devices.

ADVICE
When setting up the access point for the first time, change the SSID, since the factory name usually reveals the router's make and model, which gives an attacker a starting point when looking for known vulnerabilities.

CONFIGURING THE BUILT-IN FIREWALL Routers are usually equipped with simple firewalls. They will not let you build an elaborate rule set for working securely on the network, but they can close the main exposures, for example by rejecting unsolicited inbound connections from the Internet, or, if needed, block particular applications such as email clients.

ACCESS RESTRICTION BY MAC ADDRESS Using MAC (Media Access Control) address lists, you can deny access to the local network to any device whose physical address is not on the list. To do this you must manually build a list of the equipment allowed on the network. Every device with a network interface has a unique MAC address assigned to it at the factory. It can be found on the label or markings of the equipment, or with special commands and network scanners; devices with a web interface or a display (routers and network printers, for example) show the MAC address in their settings menu. Bear in mind, however, that a MAC address is not a secret: it is sent unencrypted in every frame, and any operating system lets the user set an arbitrary one, so an attacker who has observed an allowed device can simply copy its address. MAC filtering stops accidental connections and unsophisticated intruders, nothing more.
The MAC address of your computer's network card can be found in its properties. Go to "Control Panel | Network and Internet | Network and Sharing Center", then click "Change adapter settings" in the left part of the window, right-click the network card in use and select "Status". In the window that opens, click "Details" and look at the "Physical Address" line, where six pairs of hexadecimal digits give the MAC address of the card.

There is a quicker way. Press "Win + R", type CMD in the box that appears and click "OK". In the window that opens, enter the command:

ipconfig /all

Press "Enter" and look for the "Physical Address" lines in the output; each one is the MAC address of an adapter.
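The following is an added example, not code from the article, that automates the two steps above: it pulls every "Physical Address" from ipconfig /all output, normalizes the dash and colon spellings to one form so that list comparisons do not fail on formatting, and checks the result against a router-style allow list. It also tests the "locally administered" bit of the first octet, which factory-burned addresses leave clear and software-chosen (spoofed or randomized) addresses usually set. The ipconfig text and the allow list are constructed for the example.

```python
import re

# Constructed sample of `ipconfig /all` output for this example; not captured from a real machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Example Gigabit Ethernet Controller
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Example Wireless Adapter
   Physical Address. . . . . . . . . : A0-B1-C2-D3-E4-F5
"""

# Matches the "Physical Address" line; accepts the Windows dash form and the colon form most other tools print.
MAC_LINE = re.compile(
    r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})"
)


def normalize_mac(mac: str) -> str:
    """Canonical form used for comparisons: lower-case, colon-separated."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def extract_macs(ipconfig_output: str) -> list:
    """Return every adapter MAC found in ipconfig /all output, normalized."""
    return [normalize_mac(m) for m in MAC_LINE.findall(ipconfig_output)]


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet is set.

    Factory-burned addresses have it clear; addresses chosen in software, including the
    randomized MACs modern phones use per network, usually have it set. A hint, not proof.
    """
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def check_allow_list(seen: list, allow_list: list) -> dict:
    """Decide allow/deny for each observed MAC against a router-style allow list."""
    allowed = {normalize_mac(m) for m in allow_list}
    return {m: ("allow" if m in allowed else "deny") for m in (normalize_mac(s) for s in seen)}


if __name__ == "__main__":
    macs = extract_macs(SAMPLE_IPCONFIG)
    # Hypothetical allow list: only the wired adapter from the sample is registered on the router.
    for mac, verdict in check_allow_list(macs, ["00-1A-2B-3C-4D-5E"]).items():
        flag = " (locally administered)" if is_locally_administered(mac) else ""
        print(f"{mac}: {verdict}{flag}")
```

Because the check is purely a string comparison on a value any host can set for itself, a copied address passes it exactly as the original does; the locally-administered flag only tells you that an address was probably not burned in at the factory.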

Software

Having secured the network physically, you need to take care of the software side of the defence: comprehensive antivirus packages, firewalls and vulnerability scanners.

CONFIGURING ACCESS TO FOLDERS Do not place folders with system or otherwise important data in directories accessible to users of the internal network, and avoid creating network-accessible folders on the system drive at all. Unless there is a specific need, restrict such directories to "Read Only" access: a shared folder that anyone on the network can write to is exactly where a worm or virus disguised as a document will settle, and from there it reaches every machine that opens the share.

INSTALLING A FIREWALL Software firewalls are usually easy to configure and offer a learning mode, in which the program asks the user which connections to approve and which to block.
We recommend the personal firewalls built into popular commercial suites such as Kaspersky Internet Security, Norton Internet Security and NOD Internet Security, as well as free solutions such as Comodo Firewall. The standard Windows firewall blocks unsolicited inbound connections by default and, since Windows Vista, can hold per-program and outbound rules in its "Windows Firewall with Advanced Security" console; however, outbound filtering is off by default and there is no interactive learning mode, so for a home user the products above are more convenient.

Vulnerability test

The greatest danger to a computer and its network comes from programs with known "holes" and from incorrectly configured security measures.

XSpider An easy-to-use program for scanning your network for vulnerabilities. It quickly identifies most current problems and provides a description of each and, in some cases, a fix. Unfortunately the utility became a paid product some time ago, which is perhaps its only drawback.

Nmap A free, open-source network scanner. It was originally written for Unix systems but, given its popularity, was later ported to Windows. The utility is aimed at experienced users: Nmap itself is a command-line tool (the Zenmap front-end adds a graphical interface), and interpreting its output without a basic grounding in networking is not easy.

KIS 2013 This package provides not only comprehensive protection but also diagnostic tools. It can scan installed programs for critical vulnerabilities; the result is a list of the utilities whose gaps need closing, with detailed information on each vulnerability and how to fix it.

Tips for installing a network

You can make your network more secure not only when deploying and configuring it, but also once it is already running. Consider the number of connected devices, where the network cable runs, how the Wi-Fi signal spreads and what obstacles it meets.

POSITIONING THE ACCESS POINT Assess how large an area you need to bring within Wi-Fi range. If you only need to cover your own apartment, do not place the access point near the windows. This reduces the chance that a weakly protected channel is intercepted or attacked by wardrivers, people who hunt for open or poorly secured wireless access points, sometimes by illegal means. Bear in mind that walls attenuate the signal noticeably, and a reinforced concrete wall or a large wardrobe mirror blocks it almost entirely, which can sometimes be used to keep radio waves from propagating in a particular direction. Some routers also allow the transmit power to be set in hardware; with this option you can confine usable coverage to the room with the access point. The disadvantage is a possible lack of signal in remote parts of the apartment. Placement reduces exposure but does not replace encryption: anyone who still receives the signal must be kept out by WPA2 or WPA3.


LAYING CABLES
A network built mainly on cable provides the highest speed and reliability and, unlike Wi-Fi, cannot be joined from outside without physical access to the cable or the equipment.
To prevent unauthorized connections and damage, protect the wires mechanically when laying the cable: use cable ducts, avoid runs where the cord sags or is stretched, and keep it away from strong sources of interference and from extreme temperatures and humidity. Shielded cable gives additional protection.

PROTECTING FROM THE ELEMENTS
Wired and wireless networks are both susceptible to thunderstorms, and a lightning strike can damage not just the network equipment or network card but many other PC components. To reduce the risk, first make sure that electrical outlets and PC components are grounded, and use surge protectors (sold in Russia under the "Pilot" brand) whose circuits filter interference and power surges.
The best solution may be an uninterruptible power supply (UPS). Modern units combine a voltage stabilizer and a battery, and many also have pass-through connectors for the network cable. If lightning strikes the Internet provider's equipment, such a UPS will keep the surge from reaching the network card of your PC. In any case, grounding the outlets or the equipment itself is essential.


Using VPN tunnel building tools

A fairly reliable way to protect information in transit is a VPN (Virtual Private Network) tunnel. Tunneling creates an encrypted channel through which data is transferred between devices. A VPN can be set up inside a home network to improve security, but that is laborious and needs special knowledge. The most common use is connecting to your home PC from outside, for example from a work computer, so that data exchanged between your machines is protected by encryption. For this purpose the Hamachi program, free for non-commercial use, is a good choice: it requires only basic knowledge of VPNs, which is within reach of an untrained user. Note that Hamachi sets up its sessions through the vendor's servers, so you are trusting a third party with the connection establishment.

Introduction

The relevance of this topic lies in the changes taking place in Russia's economic life: the creation of a financial and credit system, enterprises of various forms of ownership, and so on have a significant impact on information security. For a long time there was only one form of property in our country, state property, so information and secrets were also state property, protected by powerful special services. Information security problems are constantly aggravated by the penetration of technical means of data processing and transmission, above all computer systems, into almost every sphere of social activity. The targets of attacks may be the technical means themselves (computers and peripherals) as physical objects, or the software and databases for which those means are the environment. Every failure of a computer network is not merely "moral" damage to employees and network administrators. As electronic payments, "paperless" document flow and similar technologies develop, a serious failure of a local network can paralyze the work of entire corporations and banks, causing significant material losses. It is no coincidence that data protection in computer networks has become one of the most pressing problems in modern computer science.

Two basic principles of information security have been formulated to date; a system should ensure:
- data integrity: protection against failures that lead to loss of information, and against unauthorized creation or destruction of data;
- confidentiality of information, together with its availability to all authorized users.
It should also be noted that certain areas of activity (banking and financial institutions, information networks, government systems, defence and special structures) require special data security measures and place increased demands on the operational reliability of information systems, in keeping with the nature and importance of the tasks they solve.

If a computer is connected to a local network, then, potentially, that computer and the information on it can be reached by unauthorized persons from that local network.

If the local network is connected to other local networks, users of those remote networks are added to the list of possible unauthorized users. We will not discuss the accessibility of such a computer from the links over which the local networks are connected, since there are presumably devices at the exits of the local networks that encrypt and control traffic, and the necessary measures have been taken.

If a computer is connected directly through a provider to an external network, for example via a modem to the Internet in order to reach its local network remotely, then the computer and the information on it are potentially accessible to attackers from the Internet. Worse, through this computer an attacker can also reach the local network's resources.

Naturally, all such connections are covered either by the operating system's ordinary access controls, by specialised protection against unauthorized access, by cryptographic systems at the level of specific applications, or by a combination of these.

However, none of these measures can guarantee the desired security against network attacks, for the following main reasons:

Operating systems, especially Windows, are software products of great complexity, created by large teams of developers. A detailed analysis of such systems is extremely difficult, so it is impossible to reliably demonstrate the absence of errors or of undocumented features, left accidentally or intentionally, that could be exploited through network attacks.

In a multitasking OS, in particular Windows, many different applications can run simultaneously...

In this situation both the provider and its client must follow information security rules. In other words, there are two points of vulnerability (the client side and the provider side), and each participant in the system has to defend its own interests.

View from the client's side

Doing business in an electronic environment requires high-speed data channels, and whereas providers used to make their main money from Internet connections, clients now have rather stringent requirements for the security of the services offered.

A number of hardware devices that provide secure connections for home networks have appeared in the West. They are usually called "SOHO solutions" and combine a hardware firewall, a hub with several ports, a DHCP server and the functions of a VPN router; this is the path taken, for example, by the developers of the Cisco PIX Firewall and the WatchGuard FireBox. Software firewalls remain at the personal level and are used as an additional layer of protection.

The developers of SOHO-class hardware firewalls believe that these devices should be easy to manage, "transparent" (that is, invisible) to the home network user, and priced in proportion to the direct damage that intruders could cause. The average damage from a successful attack on a home network is estimated at approximately $500.

To protect your home network you can use a software firewall, or simply remove unneeded protocols and services from the configuration. The best option is for the provider to test several personal firewalls, configure its own security profile on them and provide technical support. This is what the provider 2COM does: it offers clients a set of tested firewalls and tips on setting them up. In the simplest case it is recommended to treat almost all network addresses as untrusted except the local computer's own address and the gateway through which the Internet connection is established: unsolicited inbound connections are accepted only from that trusted zone, while connections the user initiates are tracked so that their replies are let through. If the software or hardware firewall on the client side detects signs of an intrusion, it should be reported to the provider's technical support immediately.
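An added example, not from the article or from 2COM, of the trusted-zone policy just described written as a small stateful evaluator in Python: inbound connections are accepted only from the local subnet or the gateway, and only to services the host deliberately offers on the LAN, while everything the host itself initiated is remembered so that replies get through. The subnet, gateway, offered port and packet trace are constructed for the example; the remote addresses are from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One connection-opening packet or reply as seen by the host firewall."""
    direction: str  # "in" = arriving at this host, "out" = sent by this host
    src: str
    sport: int
    dst: str
    dport: int


class HostFirewall:
    """Default-deny inbound policy with a trusted zone of the local subnet plus the gateway."""

    def __init__(self, local_subnet: str, gateway: str, lan_services=()):
        self.local = ipaddress.ip_network(local_subnet)
        self.gateway = ipaddress.ip_address(gateway)
        self.lan_services = set(lan_services)  # local ports reachable from the trusted zone
        self.established = set()  # (remote_ip, remote_port, local_port) opened by this host

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Connections this host initiates are allowed and remembered. Their destination is
            # almost never the gateway itself, so a rule that only trusted the gateway's address
            # as a destination would cut off all Internet access.
            self.established.add((pkt.dst, pkt.dport, pkt.sport))
            return "allow"
        if (pkt.src, pkt.sport, pkt.dport) in self.established:
            return "allow"  # reply to a connection we opened
        src = ipaddress.ip_address(pkt.src)
        trusted = src in self.local or src == self.gateway
        if trusted and pkt.dport in self.lan_services:
            return "allow"  # a LAN neighbour using a service we deliberately offer
        return "deny"  # everything else, including any unsolicited packet from the Internet


def run_trace(fw: HostFirewall, packets) -> list:
    """Evaluate a packet sequence in order; state from earlier packets affects later ones."""
    return [fw.decide(p) for p in packets]


# Constructed trace for a host at 192.168.1.10 behind a router at 192.168.1.1.
SAMPLE_TRACE = [
    Packet("out", "192.168.1.10", 51000, "198.51.100.5", 443),  # browser opens HTTPS
    Packet("in", "198.51.100.5", 443, "192.168.1.10", 51000),   # the server's reply
    Packet("in", "192.168.1.20", 49152, "192.168.1.10", 445),   # LAN PC opens a file share
    Packet("in", "203.0.113.7", 40000, "192.168.1.10", 445),    # same port, from the Internet
    Packet("in", "192.168.1.1", 40001, "192.168.1.10", 3389),   # gateway, but RDP is not offered
]


def sample_decisions() -> list:
    """Run the constructed trace through a firewall that offers only file sharing (445) on the LAN."""
    fw = HostFirewall("192.168.1.0/24", "192.168.1.1", lan_services={445})
    return run_trace(fw, SAMPLE_TRACE)


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, sample_decisions()):
        print(f"{verdict:5} {pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Two details carry the security value: the trusted zone grants access only to ports you list, so the gateway cannot reach RDP just because it is the gateway, and a reply is accepted only if the host opened the matching connection first, so a packet from the Internet that merely claims to be a reply is dropped.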

A firewall protects against external threats but not against user error, so even with a security system installed by the provider or the client, both parties must follow a number of simple rules to minimise the likelihood of an attack. First, leave as little personal information on the Internet as possible, avoid paying by credit card where you can, or at least check that the server presents a valid digital certificate. Second, do not download and run programs from the Internet, especially free ones. It is also not recommended to expose local resources externally, to install support for unnecessary protocols (such as IPX or SMB), or to keep risky default settings (for example, hiding file extensions).

It is especially dangerous to execute scripts attached to email messages; better still, avoid Outlook altogether, since at the time most viruses were written specifically for that client. In some cases it is safer to use Web-mail services, through which viruses as a rule do not spread. For example, the provider 2COM offers a free Web service that reads external mailboxes and downloads to the local machine only the messages you need.

Providers usually do not offer secure-access services. The client's vulnerability often depends on the client's own actions, so after a successful attack it is hard to prove who made the mistake, the client or the provider. In addition, the fact of the attack still has to be recorded, and that can only be done with proven and certified tools. Assessing the damage from a break-in is not easy either; as a rule only its minimum value is determined, measured by the time needed to restore normal operation of the system.

Providers can secure mail services by checking all incoming mail with antivirus software and by blocking all protocols except the main ones (Web, email, news, ICQ, IRC and a few others). Operators cannot always see what happens in the internal segments of a home network, but since they must defend against external attacks (which is consistent with user-protection policies), customers need to interact with their security teams. Remember that the provider does not guarantee absolute security for users; it pursues its own commercial interest. Attacks on subscribers are often accompanied by a sharp surge in the traffic delivered to them, which is precisely what the operator bills for, so the provider's interests can sometimes conflict with the consumer's.

Provider's perspective

For home network service providers the main problems are unauthorized connections and high internal traffic. Home networks are often used to host games that never leave the local network of one residential building but can saturate entire segments of it. Working on the Internet then becomes difficult, which causes justified dissatisfaction among commercial clients.

From a cost perspective, providers want to minimise the expense of securing and monitoring the home network. At the same time they cannot always organise proper protection for the client, since that requires certain costs and restrictions on the user's side, and not all subscribers agree to them.

Typically a home network is structured as follows: there is a central router with an Internet uplink, and the extensive network of the block, building and stairwell is connected to it. Naturally the router acts as a firewall, separating the home network from the rest of the Internet. It implements several security mechanisms, but the most commonly used is network address translation (NAT), which both hides the internal network structure and conserves the provider's public IP addresses.

However, some providers give clients public IP addresses (this is the case, for example, in the network of the Mitino district, which is connected to the Moscow provider MTU-Intel). The user's computer then becomes directly reachable from the Internet, which makes it harder to protect. Not surprisingly, the burden of security falls entirely on the subscriber, while the operator's only means of controlling subscribers is by IP and MAC address. Yet modern Ethernet adapters allow both parameters to be changed in software at the operating system level, leaving the provider defenceless against an unscrupulous client.

Of course, some applications require public IP addresses. Giving a client a public static IP address is quite dangerous, because if the server at that address is successfully attacked, the rest of the internal network becomes reachable through it.

One compromise solution to the problem of using IP addresses safely in a home network is to combine VPN technology with dynamic address allocation. In brief, the scheme is as follows. An encrypted tunnel is established from the client machine to the router using the PPTP protocol. Since this protocol has been supported by Windows since Windows 95 and is now implemented on other operating systems as well, the client needs no additional software, only configuration of components already installed. When users connect to the Internet they first establish a connection to the router, then log in, receive an IP address, and only then can they start working on the Internet. (Note that PPTP's MS-CHAPv2 authentication and its RC4-based encryption have since been shown to be breakable, so today such a scheme would be built on IPsec/L2TP, OpenVPN or a comparable protocol rather than PPTP.)

This type of connection is equivalent to an ordinary dial-up connection, except that almost any speed can be set when it is established. Even nested VPN subnets work with this scheme, which can be used to connect clients remotely to a corporate network. For each user session the provider dynamically allocates either a public or a private IP address. Incidentally, a public IP address from 2COM costs $1 per month more than a private one.

To implement VPN connections, 2COM developed its own specialised router that performs all the functions listed above plus service billing. Packet encryption is handled not by the CPU but by a dedicated coprocessor, which allows up to 500 virtual VPN channels to be supported simultaneously. One such crypto-router on the 2COM network serves several apartment buildings at once.

In general, the best protection for a home network is close cooperation between provider and client, within which each can defend its own interests. At first glance home network security methods resemble those used to secure corporate networks, but in fact they differ. Companies customarily establish fairly strict rules of behaviour for employees under a defined information security policy. That does not work in a home network: each client wants its own services, and attempts to create general rules of behaviour are not always successful. Consequently, building a reliable security system for a home network is considerably harder than securing a corporate one.

PNST 301-2018/ISO/IEC 24767-1:2008

PRELIMINARY NATIONAL STANDARD OF THE RUSSIAN FEDERATION

Information Technology

HOME NETWORK SECURITY

Safety requirements

Information technology. Home network security. Part 1.Security requirements

OKS 35.110, 35.200,35.240.99

Valid from 2019-02-01

Preface

1 PREPARED by the Federal State Budgetary Educational Institution of Higher Education "Russian Economic University named after G.V. Plekhanov" (FSBEI HE "REU named after G.V. Plekhanov") based on its own translation into Russian of the English version of the international standard specified in paragraph 4

2 INTRODUCED by the Technical Committee for Standardization TC 22 "Information Technologies"

3 APPROVED AND ENTERED INTO EFFECT by Order of the Federal Agency for Technical Regulation and Metrology dated September 4, 2018 N 38-pnst

4 This standard is identical to the international standard ISO/IEC 24767-1:2008 "Information technology - Home network security - Part 1: Security requirements" (IDT)

The rules for applying this standard and conducting its monitoring are established in GOST R 1.16-2011 (sections 5 and 6).

The Federal Agency for Technical Regulation and Metrology collects information on the practical application of this standard. This information, together with comments and suggestions on the content of the standard, may be sent no later than four months before the end of its validity period to the developer of this standard at: 117997 Moscow, Stremyanny Lane, 36, FSBEI HE "REU named after G.V. Plekhanov", and to the Federal Agency for Technical Regulation and Metrology at: 109074 Moscow, Kitaygorodsky proezd, 7, building 1.

In case of cancellation of this standard, the relevant information will be published in the monthly information index "National Standards" and will also be posted on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet (www.gost.ru)

Introduction

ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) form a specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of international standards through technical committees. Any interested body that is a member of ISO or IEC can participate in the development of a standard in a specific area. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC also take part in the work.

In the area of ​​information technology, ISO and IEC have established the Joint Technical Committee ISO/IEC JTC 1. Draft International Standards prepared by the Joint Technical Committee are circulated to national committees for voting. Publication as an International Standard requires approval by at least 75% of the voting National Committees.

Formal decisions or agreements of the IEC and ISO on technical matters express, as far as possible, international consensus on the issues involved, since each technical committee has representatives from all the national IEC and ISO member committees concerned.

Publications of the IEC, ISO and ISO/IEC take the form of recommendations for international use and are adopted by the national committees that are members of the IEC and ISO in precisely this sense. Although every effort has been made to ensure the accuracy of the technical content of IEC, ISO and ISO/IEC publications, IEC and ISO accept no responsibility for the manner in which they are used or for their misinterpretation by the end user.

In order to ensure international unification (a single system), the national committees of IEC and ISO undertake to ensure maximum transparency in the application of international standards of IEC, ISO and ISO/IEC, as far as national and regional conditions of a given country allow. Any discrepancy between ISO/IEC publications and the relevant national or regional standards shall be clearly indicated in the latter.

ISO and IEC do not provide labeling procedures and are not responsible for any equipment claiming compliance with one of the ISO/IEC standards.

All users should ensure that they are using the latest edition of this publication.

The IEC or ISO, their management, employees, servants or representatives, including individual experts and members of their technical committees, and members of the IEC or ISO national committees shall not be liable for accidents, property damage or other damage, direct or indirect, or for costs (including legal costs) incurred in connection with the publication of or from the use of this ISO/IEC publication or another IEC, ISO or ISO/IEC publication.

Particular attention is required to the regulatory documentation cited in this publication. The use of referenced documents is necessary for the correct application of this publication.

Attention is drawn to the fact that some elements of this International Standard may be the subject of patent rights. ISO and IEC are not responsible for determining any or all such patent rights.

International Standard ISO/IEC 24767-1 was developed by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 25, Interconnection of information technology equipment.

A list of all currently available parts of the ISO/IEC 24767 series under the general title "Information technology - Home network security" is presented on the IEC website.

1 Scope

This standard defines the requirements for protecting a home network from internal or external threats. The standard serves as the basis for the development of security systems that protect the internal environment from various threats.

Security requirements are addressed in a relatively informal manner in this standard. Although many of the issues discussed in this standard provide guidance for the design of security systems for both the intranet and the Internet, they are informal requirements in nature.

Various devices are connected to the internal (home) network (see Figure 1). "Appliance networking" devices, "AV entertainment" devices and "information application" devices have different functions and performance characteristics. This standard provides a way to analyse the risks of each device connected to the network and to determine the security requirements for each of them.

2 Terms, definitions and abbreviations

2.1 Terms and definitions

The following terms and definitions are used in this standard:

2.1.1 consumer electronics (brown goods): Audio/video devices used primarily for entertainment, such as a television or DVD recorder.

2.1.2 confidentiality: A property that ensures that information is not made available or disclosed to unauthorized persons, organizations or processes.

2.1.3 data authentication: A service used to ensure correct verification of a claimed data source.

2.1.4 data integrity: A property that verifies that data has not been modified or destroyed in an unauthorized manner.

2.1.5 user authentication: A service that ensures that the authentication information presented by a communication participant is correctly verified, while the authorization service ensures that the identified and authorized user has access to a specific device or home network application.

2.1.6 appliances (white goods): Devices in everyday use, such as air conditioners, refrigerators, etc.

2.2 Abbreviations

The following abbreviations are used in this standard:

AV (Audio Video): audio/visual devices;
CD (Compact Disc): compact disc;
DDoS (Distributed Denial of Service): distributed denial-of-service attack;
DoS (Denial of Service): denial of service;
DRM (Digital Rights Management): digital rights management;
DTV (Digital TeleVision): digital television;
DVD (Digital Versatile Disc): digital versatile disc;
Externally Supported Multiple-homes HES: home electronic system serving several homes, managed by a third party;
Externally Supported Single-home HES: home electronic system serving one home, managed by a third party;
HES (Home Electronic System): home electronic system;
ICT (Information and Communication Technology): information and communication technologies;
IP (Internet Protocol): Internet protocol;
IPsec (IP Security protocol): Internet Protocol security protocol;
IPv4 (Internet Protocol version 4): Internet protocol, version 4;
IPv6 (Internet Protocol version 6): Internet protocol, version 6;
IT (Information Technology): information technology;
MPEG (Moving Picture Experts Group): family of standards for compressing and packaging full-length video;
Owner Supported Single-home HES: home electronic system serving one home, managed by the owner;
Pocket Personal Computer: pocket personal computer (PDA);
PC (Personal Computer): personal computer;
TCP (Transmission Control Protocol): transmission control protocol;
TLS (Transport Layer Security): transport layer security protocol;
URL (Uniform Resource Locator): uniform resource locator;
VCR (Video Cassette Recorder): video cassette recorder.

3 Compliance

This standard provides guidance without any requirements for conformity.

4 Security requirements for internal home electronic systems and networks

4.1 General provisions

With the rapid development of the Internet and related network technologies, it has become possible to establish connections between computers in offices and homes with the outside world, which provides access to a variety of resources. Today, the technologies that underpinned that success have reached our homes and are making it possible to connect appliances just like personal computers. Thus, they not only allow users to monitor and control their household appliances, both inside and outside the home, but also create new services and capabilities, such as remote control and maintenance of household appliances. This means that the usual computer environment at home is transformed into an internal home network, connecting many devices, the security of which will also need to be ensured.

Residents, users and owners of both the home and the system need to be able to trust the home electronic system, and the goal of home electronic system security is to support that trust. Since many components of a home electronic system operate continuously, 24 hours a day, and automatically exchange information with the outside world, information security is needed to ensure the confidentiality, integrity and availability of the data and of the system. A properly implemented security solution means, for example, that only authorized users and processes have access to the system and to stored, incoming and outgoing data, and that only authorized users can use the system and make changes to it.

Security requirements for an HES network can be described in several ways. This standard is limited to the IT security of the HES network. Security must nevertheless extend beyond the IT system itself, since the home must continue to function, albeit in a limited way, if the IT system fails. The intelligent functions normally supported by an HES network may also have to be performed when system connections are lost. It follows that there are security requirements that cannot be met by the system itself; the system must not, however, prevent such fallback solutions from being implemented.

A number of parties have an interest in security. The home electronic system must be trusted not only by residents and owners but also by service and content providers, who need assurance that the services and content they offer are used only in an authorized manner. One of the fundamentals of system security, however, is that a specific security administrator is responsible for it. Clearly this responsibility should rest with the residents (the system owners); whether the administrator performs the role personally or outsources it does not matter, the responsibility remains with the security administrator. The trust of service and content providers in the home electronic system, and their confidence that users are using their services and content appropriately, is governed by the contractual obligations between the parties. The contract may, for example, list the functions, components or processes that the home electronic system must support.

The architecture of a home electronic system differs between types of home, and each model may have its own specific set of security requirements. Below, three different models of home electronic system with different sets of security requirements are described.

Obviously, some security requirements are more important than others, so support for some countermeasures will be optional. Countermeasures also vary in quality and cost, and different skills may be required to manage and maintain them. This standard attempts to explain the rationale behind the security requirements listed, so that designers of home electronic systems can determine which security functions a particular home system product should support and, taking into account quality requirements and the management and maintenance effort, which mechanism should be selected for those functions.

The security requirements of an internal network depend on how "security" and "home" are defined and on what "network" means in that home. If the network is simply a link connecting a single PC to a printer or a cable modem, then securing the home network amounts to securing that link and the equipment it connects.

If, however, there are dozens or even hundreds of networked devices in the home, some belonging to the household as a whole and some to individual residents, more sophisticated security measures must be implemented.

4.2 Home Electronic System Security

4.2.1 Definition of home electronic system and system security

A home electronic system and network can be defined as the collection of elements that process, transmit, store and manage information, providing connectivity and integration for the many computing, control, monitoring and communication devices found in the home.

In addition, home electronic systems and networks interconnect entertainment and information devices, communication and security devices, and household appliances. These devices exchange information and can be controlled and monitored both from within the home and remotely. Accordingly, every internal home network will require certain security mechanisms to protect its day-to-day operation.

Network and information security can be understood as the ability of a network or information system to withstand, to a given level, accidental events or malicious actions that could compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and of the related services offered through such networks and systems.

Information security incidents can be grouped as follows:

Electronic communications may be intercepted and the data copied or altered. The resulting damage may stem both from the violation of the individual's right to confidentiality and from misuse of the intercepted data;

Unauthorized access to computers and internal computer networks is usually carried out with malicious intent to copy, change or destroy data, and can extend to automated equipment and systems located in the home;

Malicious attacks over the Internet have become commonplace, and the telephone network may also become more vulnerable in the future;

Malicious software, such as viruses, can disable computers, delete or change data, or reprogram household appliances. Some virus attacks have been highly destructive and costly;

Misrepresentation of the identity of individuals or legal entities may cause significant harm: for example, customers may download malicious software from a website masquerading as a trusted source, contracts may be repudiated, or confidential information may be sent to the wrong recipients;

Many information security incidents involve unexpected and unintended events, such as natural disasters (floods, storms and earthquakes), hardware or software failures, and human error.

Today almost every apartment has a home network to which desktop computers, laptops, network storage (NAS), media players, smart TVs, smartphones, tablets and other wearable devices are connected, over wired (Ethernet) or wireless (Wi-Fi) links using the TCP/IP protocols. With the spread of Internet of Things technology, household appliances have come online too: refrigerators, coffee makers, air conditioners and even electrical installation equipment. Thanks to "smart home" solutions we can dim the lighting, adjust the indoor climate remotely and switch various devices on and off. This makes life much easier, but it can also create serious problems for the owner of such advanced solutions.

Unfortunately, the developers of such devices still do not pay enough attention to the security of their products, and the number of vulnerabilities found in them is growing like mushrooms after rain. It is common for a device to stop receiving support soon after it reaches the market: our TV, for example, runs 2016 firmware based on Android 4, and the manufacturer has no plans to update it. Guests add problems of their own: refusing them Wi-Fi access is awkward, but you also don't want to let just anyone into your cosy network. Who knows what malware is lurking on strangers' phones? All this leads to the need to split the home network into several isolated segments. Let's work out how to do that, as they say, with little blood and at minimum cost.

Isolating Wi-Fi networks
In corporate networks the problem is easy to solve: managed switches with virtual LAN (VLAN) support, assorted routers, firewalls and wireless access points let you build the required number of isolated segments in a couple of hours. With a Traffic Inspector Next Generation (TING) appliance, for example, it takes only a few clicks: connect the switch of the guest segment to a separate Ethernet port and create the firewall rules. This option is unsuitable for the home because of the cost of the equipment; in most homes the network is managed by a single device that combines the functions of router, switch, wireless access point and who knows what else.

Fortunately, modern home routers (it would be more accurate to call them Internet centers) have also become quite smart, and almost all of them, except the most budget models, can create an isolated guest Wi-Fi network. How reliable that isolation really is deserves a separate article; today we will not examine the firmware of home devices from different manufacturers. Let's take the ZyXEL Keenetic Extra II as an example. The product line is now simply called Keenetic, but the device we have was released under the ZyXEL brand.

Setting it up through the web interface will not trouble even a beginner: a few clicks and we have a separate wireless network with its own SSID, WPA2 protection and access password. Give the guest network a passphrase of its own; the passphrase is exactly what you will be handing out, so reusing the main network's passphrase defeats the purpose. You can let guests into it, as well as TVs and players whose firmware has not been updated for a long time, or any other client you don't particularly trust. Most devices from other manufacturers have this function too and activate it in much the same way; this is how the problem is solved in D-Link router firmware using the setup wizard, for example.


[Screenshot: a guest network can be added when the device is already configured and working.]

[Screenshot from the manufacturer's website]

[Screenshot from the manufacturer's website]

Isolating Ethernet networks
Besides clients on the wireless network, we may also have devices with a wired interface. Experts will tell you that isolated Ethernet segments are built with VLANs, virtual local area networks. Some home routers support this, but here the task gets harder: we don't just want a separate wired segment, we want to put wired ports and the guest wireless network into one segment on the same router. Not every home device can do this. A cursory survey shows that, apart from Keenetic Internet centers, MikroTik models can also add Ethernet ports to the same segment as the guest Wi-Fi network, but configuring them is far less obvious. Among home routers of comparable price, only Keenetic solves the problem in a couple of clicks in the web interface.

As you can see, the test subject handled the task easily, and here another interesting feature is worth noting: you can also isolate the wireless clients of the guest network from one another. This is very useful: your friend's malware-infected smartphone will reach the Internet but will not be able to attack other devices, even on the guest network. If your router has this function, enable it, bearing in mind that it limits what clients can do with each other: it will no longer be possible to pair a TV with a media player over Wi-Fi, so they would need a wired connection. At this stage our home network already looks considerably more secure.
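The article takes the router's word for it that the guest segment is isolated. The check a practitioner wants is an empirical one, run from a client on the guest SSID (or plugged into the guest Ethernet port): hosts on the trusted LAN, the router's admin interface and the other guest clients must be unreachable, while the Internet must still work. The script below is an added example, not the article's or Keenetic's code; all addresses, ports and labels in it are assumptions to be replaced with your own.

```python
"""Added example: verify from a guest client that segment isolation holds.

Run it on a laptop joined to the guest Wi-Fi or connected to the guest
Ethernet port. Each probe is a TCP connect to a host that should or should
not be reachable from the guest segment. All addresses are assumptions.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    label: str
    host: str
    port: int
    expect_reachable: bool


# Assumed addressing: trusted LAN 192.168.1.0/24, guest segment 10.1.30.0/24.
PROBES = [
    Probe("internet", "1.1.1.1", 443, True),            # guests must still get out
    Probe("router-admin", "192.168.1.1", 80, False),    # admin UI must not be exposed to guests
    Probe("nas", "192.168.1.10", 445, False),           # SMB share on the trusted LAN
    Probe("tv-old-firmware", "192.168.1.20", 8080, False),
    Probe("other-guest", "10.1.30.77", 22, False),      # client isolation on the guest SSID
]


def tcp_reachable(host, port, timeout=2.0):
    """True if the host answers at all on TCP.

    A refused connection (RST) proves the host is reachable at layers 3/4,
    which is already an isolation failure, so it counts as reachable. Only a
    timeout or an ICMP unreachable error (OSError) counts as blocked.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True
    except (socket.timeout, OSError):
        return False


def evaluate(probes, results):
    """Pure policy check, kept free of network I/O so it can be tested offline.

    results maps probe label -> observed reachability. Returns one line per
    violation: a LEAK when something that should be blocked is reachable, or
    BROKEN when something guests need (the Internet) is not.
    """
    violations = []
    for p in probes:
        observed = results[p.label]
        if observed and not p.expect_reachable:
            violations.append(
                f"LEAK: {p.label} {p.host}:{p.port} reachable from guest segment")
        elif not observed and p.expect_reachable:
            violations.append(
                f"BROKEN: {p.label} {p.host}:{p.port} unreachable from guest segment")
    return violations


def run(probes=PROBES):
    """Probe every target, then apply the policy. Returns the violation list."""
    results = {p.label: tcp_reachable(p.host, p.port) for p in probes}
    return evaluate(probes, results)


if __name__ == "__main__":
    for line in run() or ["OK: guest segment isolated as expected"]:
        print(line)
```

Run it twice: once from a wireless guest client and once from a device on the guest Ethernet port, since the article's point is that both must land in the same isolated segment. Treating a refused connection as "reachable" is deliberate; a firewall that blocks the guest segment should produce silence or an ICMP unreachable, never an RST from the protected host, and a closed port on the NAS still means the NAS is one exploit away.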

What's the result?
The number of security threats grows year by year, and manufacturers of smart devices do not always pay enough attention to releasing updates on time. In this situation we have only one way out: separate the clients of the home network and put them in isolated segments. You don't need to buy equipment costing tens of thousands of rubles for that; a relatively inexpensive home Internet center can handle the task. Here I would warn readers against buying devices from budget brands. Almost all manufacturers now use roughly the same hardware, but the quality of the built-in software varies enormously, as does the length of the support cycle for released models. Not every home router can cope even with the fairly simple task of combining a wired and a wireless network into one isolated segment, and your needs may be more complex: sometimes you need additional segments, or DNS filtering so that only safe hosts are reachable; in large premises you have to connect Wi-Fi clients to the guest network through external access points, and so on. Beyond security there are other requirements: on public networks, clients must be identified in accordance with Federal Law No. 97 "On Information, Information Technology and Protection of Information". Inexpensive devices can solve such problems, but not all of them: the functionality of their built-in software, we repeat, varies widely.



