Introduction
The following procedure walks you through the process of securing your small network firewall. Specifically, it walks you through securing an integrated cable gateway/firewall device that functions as your small network's primary access point. This walkthrough is based upon securing the Linksys WCG200 integrated cable gateway modem access pont. However, the methods presented here are applicable to all home and small network access points. This walkthrough assumes that you have correctly configured your gateway for ISP connection and that you are able to access the gateway's administration web page. It assumes a wired network and does not examine wireless security. It does not address all aspects of home network gateway configuration: only those specific aspects associated with firewall security. This walkthrough is organized into five steps: 1) disabling remote administration, 2) enabling stateful packet inspection, 3) enabling common packet inspection rules, 4) configuring port filtering, and 5) enabling VPN passthrough. References pointing to additional details on the topics covered in this walkthrough are provided in the References section. Good Luck!
Procedure
Step 1: Disable Remote Administration
Remote administration can be hacked using dictionary attack methods. Best to disable it. Set Remote Administration to Disable.
The default password on Linksys appliances is often "admin." Now you know it. So does everyone else. Best to change it to something different; something difficult. Best to create a password that meets the following minimum guidelines:
Step 2: Enable Stateful Packet Inspection
To enable your firewall to look inside packets and filter them based upon their contents, you need to enable Stateful Packet Inspection (SPI). Without SPI switched on, your firewall is handicapped. Go to the security section of the admin console. For the WCG200, go: Security > Firewall. Select Enable for Firewall Protection.
Step 3: Enable common Packet Handling Rules
Some common packet handling rules that you should enable include rules for blocking:
Don't disable Cookies, Java Applets, ActiveX, or popups, as they are needed for most browser viewing of websites. Proxy should be blocked. It's aslso useful to enable Port Scan alerting: this will log such scans for later analysis. Port scanning is performed by attackers to discover open ports.
Step 4: Configuring Port Filtering
There are 65,535 ports. You only need to use a few of these. The rest are open doors to trojans and drive-by surveillance efforts. A number of ports are known entry/exit points for various trojans, viruses and worms. Lock them up and block them out.
Before blocking them out, do your homework. Take an inventory of your special needs: some applications (e.g., games) use special ports; distributed applications may employ special ports; if you VPN to special URLs, log the ports you connect to. Use terminal commands, such as netstat, to monitor ports and build a baseline inventory of those ports that are commonly used. TCPView is also a good tool for this. After a few days of monitoring, you'll build a pretty good idea of what to block and what not to block. You can do this incrementally: block a certain range; see what happens; if nothing, then block another range - in this fashion, you slowly and inexorably lock down the firewall. Don't panic if you block a port range and then discover that something no longer works. Just unblock the port range. That will fix the problem. Here are common ports you need to keep open:
To set up port filter on the WCG200, go: Access Restrictions > Filter Internet Traffic. The WCG200 provides you the ability to specify 10 port filtering ranges. Your own gateway/firewall may be different. On a spreadsheet, map out the ranges that you want to filter. Then enter them into the screen. The following image shows the results of such mapping for a typical home gateway/firewall.
The port filtering rules have been enabled for all devices (0.2-0.254) on the home network. Note that one special port in the upper range was kept open. You may need to do likewise.
Step 5: Enable VPN Passthrough
If you connect to a corporate or other private network over the Internet, you must enable virtual private network (VPN) passthrough. In 2011, most machines use IPsec. PPTP is still supported for backwards compatability. Unless you know you need to use PPTP, disable it.
Summary
Congratulations! You've completed this walkthrough. Bet you didn't think you could configure such a technical device as your small network firewall. For further information on the topics discussed in this walkthrough, consult the references.
References
The following procedure walks you through the process of securing your small network firewall. Specifically, it walks you through securing an integrated cable gateway/firewall device that functions as your small network's primary access point. This walkthrough is based upon securing the Linksys WCG200 integrated cable gateway modem access pont. However, the methods presented here are applicable to all home and small network access points. This walkthrough assumes that you have correctly configured your gateway for ISP connection and that you are able to access the gateway's administration web page. It assumes a wired network and does not examine wireless security. It does not address all aspects of home network gateway configuration: only those specific aspects associated with firewall security. This walkthrough is organized into five steps: 1) disabling remote administration, 2) enabling stateful packet inspection, 3) enabling common packet inspection rules, 4) configuring port filtering, and 5) enabling VPN passthrough. References pointing to additional details on the topics covered in this walkthrough are provided in the References section. Good Luck!
Procedure
Step 1: Disable Remote Administration
Remote administration can be hacked using dictionary attack methods. Best to disable it. Set Remote Administration to Disable.
The default password on Linksys appliances is often "admin." Now you know it. So does everyone else. Best to change it to something different; something difficult. Best to create a password that meets the following minimum guidelines:
- Minimum 8 characters
- At least one number
- At least one upper and one lower case numbers
- At least one special character (subject to what your firewall allows)
Step 2: Enable Stateful Packet Inspection
To enable your firewall to look inside packets and filter them based upon their contents, you need to enable Stateful Packet Inspection (SPI). Without SPI switched on, your firewall is handicapped. Go to the security section of the admin console. For the WCG200, go: Security > Firewall. Select Enable for Firewall Protection.
Step 3: Enable common Packet Handling Rules
Some common packet handling rules that you should enable include rules for blocking:
- Fragmented packets: used to perform IP fragmentation attacks
- Anonymous Internet requests: used to discover your network topology, including IPs and ports, and to initiate connections to machines on your network - bad news: block these
- Multicast: used to perform DDoS and remote code execution attacks
Don't disable Cookies, Java Applets, ActiveX, or popups, as they are needed for most browser viewing of websites. Proxy should be blocked. It's aslso useful to enable Port Scan alerting: this will log such scans for later analysis. Port scanning is performed by attackers to discover open ports.
Step 4: Configuring Port Filtering
There are 65,535 ports. You only need to use a few of these. The rest are open doors to trojans and drive-by surveillance efforts. A number of ports are known entry/exit points for various trojans, viruses and worms. Lock them up and block them out.
Before blocking them out, do your homework. Take an inventory of your special needs: some applications (e.g., games) use special ports; distributed applications may employ special ports; if you VPN to special URLs, log the ports you connect to. Use terminal commands, such as netstat, to monitor ports and build a baseline inventory of those ports that are commonly used. TCPView is also a good tool for this. After a few days of monitoring, you'll build a pretty good idea of what to block and what not to block. You can do this incrementally: block a certain range; see what happens; if nothing, then block another range - in this fashion, you slowly and inexorably lock down the firewall. Don't panic if you block a port range and then discover that something no longer works. Just unblock the port range. That will fix the problem. Here are common ports you need to keep open:
Port Number | Service | Description |
3389 | RDP | Remote desktop, both TCP/UDP |
995 | POP3 | Incoming POP3 |
587 | SSL | Outgoing SMTP |
443 | SSL | Encrypted website access |
110 | POP3 | Unencrypted email transfer to email server from your machine |
80 | WWW | standard WWW access |
68 | DHCP | Communication with your ISP for modem configuration information |
67 | DHCP | Communication with your ISP for modem configuration information |
53 | DNS | DNS queries |
25 | SMTP | Unencrypted email transfer from email server to your machine |
23 | SSH | Secure shell connection to machine on private network |
22 | SSH | Secure shell connection to machine on private network |
21 | FTP | Ftp command |
20 | FTP | Ftp data transfer |
To set up port filter on the WCG200, go: Access Restrictions > Filter Internet Traffic. The WCG200 provides you the ability to specify 10 port filtering ranges. Your own gateway/firewall may be different. On a spreadsheet, map out the ranges that you want to filter. Then enter them into the screen. The following image shows the results of such mapping for a typical home gateway/firewall.
The port filtering rules have been enabled for all devices (0.2-0.254) on the home network. Note that one special port in the upper range was kept open. You may need to do likewise.
Step 5: Enable VPN Passthrough
If you connect to a corporate or other private network over the Internet, you must enable virtual private network (VPN) passthrough. In 2011, most machines use IPsec. PPTP is still supported for backwards compatability. Unless you know you need to use PPTP, disable it.
Summary
Congratulations! You've completed this walkthrough. Bet you didn't think you could configure such a technical device as your small network firewall. For further information on the topics discussed in this walkthrough, consult the references.
References
- List of TCP and UDP port numbers, Wikipedia
- COMMON PORTS Cheat Sheet, PacketLife Blog, Jeremy Stretch
- Wireless-G Cable Gateway (WCG200), Linksys (Cisco) support
- IP fragmentation attacks, Wikipedia
- Port scanner, Wikipedia
- PORT NUMBERS, Internet Assigned Numbers Authority
- netstat, Wikipedia
- TCPView v3.04, Windows SysInternals
- Firewall Port Security, Chaminade
- Intrusion Detection FAQ: What port numbers do well-known trojan horses use?, SANS
- Remote Desktop Protocol
- This walkthrough based upon the Wireless-G Cable Gateway, WCG200 ver.2.
- Filtering ports on the WCG200 doesn't stop your machine from using those same ports to launch connections. It only prevents connections to these ports from being initiated by external sources.
- An excellent tool for active testing of your firewall is available at Gibson Research: https://www.grc.com/x/ne.dll?bh0bkyd2. Lots of other useful firewall-related information at this site.
- Top 5 Free Antivirus for 2011, PCWorld 2011
- The Best Free Antivirus Software, PCMag, 7/19/2011
- ZoneAlarm Free Firewall 9.2, PCMag, May 24, 2010