
How to improve network security at home?



#1 Magilou


Posted 02 March 2017 - 04:43 PM

Hello BC Forum :)

First nice to e-meet You all :D

 

I have some questions ^_^

 

Is it possible for malware (even ransomware/crypto/etc.) to spread across a home network? By home network I mean no file sharing, shared folders or similar, just 2-3-4 devices connected to the same router (for example me, mom, dad)

In case it's possible, how could I prevent this spread? Just as a safety measure, like isolating my PC completely from every communication with others and just accepting incoming/outgoing packets with the web but not from other clients/devices

 

Like something in connection properties, disable client recognition or similar

 

Also any other suggestion about this same topic?





#2 DeimosChaos


Posted 02 March 2017 - 05:00 PM

Hi, welcome to BC!

 

Sure, it's definitely possible for viruses to spread on a home network (a network is a network after all).

There really isn't much of a way to prevent a virus from spreading once it's on your network (save for maybe completely segmenting each and every device on different VLANs). Best defense is to make sure it never gets on your network. Have a good AV (Malwarebytes is starting to include a ransomware stopper in their latest editions), don't click on suspicious links in your email or when surfing the web, use ad blockers on your browsers, etc. Just be security conscious overall. Don't just trust a source because it came from a friend.

 

Hopefully that answers your question some!


OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#3 Magilou


Posted 02 March 2017 - 06:53 PM


It does answer some of my questions, but for example:

I am quite aware of my actions etc., but for example my dad may open a suspicious email and get a cryptolocker or something similar

He is connected to Wi-Fi, how can I prevent this?

I am sure there is no security software that can't prevent him from clicking some of the emails, since I read that some of the latest versions of cryptolockers come from certified emails too now

 

I just would like to keep my PC safe because, backup, all the things You want but I basically live with it so...



#4 Didier Stevens


Posted 03 March 2017 - 04:51 AM

Make sure that your Windows firewall is configured to access an untrusted network (e.g. your home network).


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 DeimosChaos


Posted 03 March 2017 - 09:24 AM

There really is no way to prevent ransomware. Best prevention is just have a regular backup plan in place. That way if you do get it you can just wipe and restore.

 

The only home use product I know of that is putting out a ransomware "stopper" is Malwarebytes - so you might take a look into that.




#6 Magilou


Posted 03 March 2017 - 09:49 AM

I just would like to stop it from coming, for example, from my father's PC

Let's say he gets it, OK?

I don't want it to go across his ethernet cable and go into my PC

 

That's what I want to prevent



#7 DeimosChaos


Posted 03 March 2017 - 10:04 AM

To prevent it you would have to put each computer on their own separate network. Either via VLAN or two completely different hardware devices (two different routers with completely different IPs on different network segments). That's really the only way I can think of stopping a virus from spreading across your network - and honestly that may be just overkill for most people.




#8 Magilou


Posted 03 March 2017 - 11:08 AM

Is it possible to set up a VLAN like the one you are mentioning?

I have a Tp-Link W8980

 

If needed I've made a photo of my VLAN setting in my router, maybe I can send You or post here?

 

You tell me, really :)


Edited by Magilou, 03 March 2017 - 11:22 AM.


#9 DeimosChaos


Posted 03 March 2017 - 11:44 AM

Yup - go ahead and post your VLAN settings here (you will have to use an external image hosting service and then post the link here).

 

I haven't set up a VLAN before on a home router... but might be able to help you figure it out! Will be learning along with you. :)

 

*Edit

 

Have a look here under section 4.5.2 Interface Grouping - I did come across one user saying that doing this on a TP-Link device still allowed the PCs to talk to each other. So you'll just have to give it a shot and see if it works.


Edited by DeimosChaos, 03 March 2017 - 11:56 AM.



#10 Magilou


Posted 03 March 2017 - 11:58 AM

Dear Deimos,

 

Here:

http://i68.tinypic.com/13z7813.jpg

http://i67.tinypic.com/wkpag3.jpg

 

IDK if TinyPic is good, sorry

 

LAN1 is actually, I guess, the ethernet port labeled 1 on the back of my router

All the rest is the other ethernet ports and the Wi-Fi (the 5GHz is disabled anyway)

Now I would like to know if I can, in some way, completely isolate my ethernet 1 from the rest (LAN2-3-4 and the Wi-Fis)


Edited by Magilou, 03 March 2017 - 11:59 AM.


#11 Magilou


Posted 03 March 2017 - 12:14 PM

Also, do I have a way to check if they cannot reach me anymore, and the same the other way?

Like, would ping work? (Like I try to ping a PC outside my VLAN (so the guest one) and then with a Guest one I try to ping another PC in the Guest)

 

Will this be a reliable source and proof of non "reachability?"


Edited by Magilou, 03 March 2017 - 12:15 PM.


#12 DeimosChaos


Posted 03 March 2017 - 12:17 PM

TinyPic is fine! Though the pictures were showing up.. now they aren't - no matter! I found the guide for your router so should be fine.

 

If you take a look at the guide I posted in my last post (the edit section) - you will find the instructions on how to group your LAN/Wifi. You could put LAN 1 (if that is where your PC is) into "Group 1" then the rest into a "Group 2". Make sure to select the check box "Enable the virtual LAN ports feature".

To be honest.. the more I am looking through the user guide.. I don't see any way to configure each VLAN's IP range (or somewhere to say one can't reach the other). Gonna see what else I can dig up.

 

Yes ping would be a good way to see if one can reach the other.




#13 DeimosChaos


Posted 03 March 2017 - 12:19 PM

Set up your VLAN groups then go over to your Network -> LAN Settings page. Do your groups show up like in this guy's pictures? It looks like you can edit the IP settings there.


Edited by DeimosChaos, 03 March 2017 - 12:20 PM.



#14 Magilou


Posted 03 March 2017 - 12:23 PM

It looks like that but I guess I should disable DHCP for that

Also I am trying any possible ping instance in CMD with admin rights; no one is able to see my PC and my PC is not able to see anyone, but the other devices in the Guest group are able to see each other, which is fine. The important part is for my OWN PC to be absolutely isolated from them

Any other verification I can make?

EDIT: The IP actually changed already (usual 192.168.1.1); now for the Guest it is 192.168.2.1

So it changed; the 2 is a different address (local one)

But in my case no one can communicate with my PC, I don't understand why that guy has this problem

Probably because I set my network card to treat my network as a public one, I disabled the home group service and I disabled in my network card basically everything (client recognition, client mapping etc.) except for IPv4 and QoS which are (logically) enabled?


Edited by Magilou, 03 March 2017 - 12:26 PM.


#15 Magilou


Posted 03 March 2017 - 12:37 PM

Also I noticed that my own PC does not appear anymore even in the Client List of devices connected to the router, so basically to know that I am connected you would have to physically see my PC turned on and connected to the network

Which seems nice to be honest

 

Really, any more ping testing I can conduct with even something more "deep" to make sure that nothing from the other device can reach my pc?
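
An added example, not part of the original thread: ping only tests ICMP echo, which a host firewall can drop on its own, so a check that goes deeper than the ping tests discussed above is to attempt TCP connections to the isolated PC from a machine in the other group. The port list and the command-line target address are assumptions chosen for this sketch.

```python
import socket
import sys

# Assumed list of TCP ports a Windows PC commonly exposes on a LAN.
WINDOWS_PORTS = {
    135: "RPC endpoint mapper",
    139: "NetBIOS session",
    445: "SMB file sharing",
    3389: "Remote Desktop",
    5357: "WSD network discovery",
}

def probe(host, port, timeout=1.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # handshake completed: a service is reachable
    except ConnectionRefusedError:
        return "closed"      # target sent a reset: packets still cross groups
    except OSError:
        return "filtered"    # timeout or no route: nothing came back
    finally:
        sock.close()

def check_isolation(host, ports=WINDOWS_PORTS, timeout=1.0):
    """Return (isolated, {port: state}); isolated only if every port is filtered."""
    results = {port: probe(host, port, timeout) for port in ports}
    isolated = all(state == "filtered" for state in results.values())
    return isolated, results

if __name__ == "__main__":
    # Run from a PC in the other group; pass the isolated PC's IP address.
    target = sys.argv[1]
    isolated, results = check_isolation(target)
    for port, state in sorted(results.items()):
        print(f"{target}:{port:<5} {WINDOWS_PORTS[port]:<24} {state}")
    print("no TCP reply on any port" if isolated else "NOT isolated: host answered")
```

All ports reported as filtered is consistent with router-level isolation but also with the target's own firewall silently dropping traffic; any open or closed result shows that packets cross between the groups.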





