Please Protect Yourself - Layer Your Defenses

One of the earliest ways of making yourself safe on the Internet was not letting yourself be seen. There are many forms of Security By Obscurity, and they all sound logical.

Security By Obscurity, which may or may not be a good idea, does not replace a good layered defense. Each layer is necessary, because no single layer can produce complete protection. And consider each component carefully, and uniquely, for each network or person being protected.

Now if you're just getting started here, this advice may seem like a lot to take in at once. And it is just that, so take your time reading. Consider one layer at a time, and ask questions.



What is a layered defense?
Start by considering a typical medieval castle - classically, one of those would have:

  • A moat - a wide and deep ditch, filled with water.
  • High and thick castle walls.
  • Guard towers, small castles in themselves, in key portions of the castle walls, but more fortified.
  • Small, narrow windows, used for shooting outward at attackers.
  • An inner sanctum, typically called a "keep", that was a small fortified castle in itself.

Each one of these elements was designed to be enough to protect the inhabitants against intruders. Frequently, though, the intruders would breach the outer defenses, and the inner defenses were needed to protect the owners (though not all the inhabitants) of the castle.

A layered defense for your network is similar to a castle in concept. The outer layers should be sufficient, but in case an intruder gets thru one layer, you have another layer protecting you. Better too much protection than not enough.


Layer 1 - Perimeter Network Protection
First, you need to protect your perimeter - the outer edge of your network. Perimeter protection, such as a NAT router, is the first layer in a good layered defense.

A NAT router acts as a firewall, in that it passes only requested traffic back to the computer that requested it. It won't selectively filter traffic from hostile addresses, nor selectively filter bad protocols or programs, however. Some NAT routers also contain firewall components, but they will probably not be as comprehensive, or as configurable, as an ICSA certified firewall.
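To make the "passes only requested traffic back" behaviour concrete, here is a small added example (not code from the original post): a toy NAT router that records every outbound flow a LAN host opens and forwards an inbound packet only when it answers one of those flows. The modelled NAT is address- and port-restricted (a reply must come from the same peer the host talked to); real routers differ in strictness. The addresses, ports and traffic are constructed for the example.

```python
# Added example: toy stateful NAT that forwards inbound packets only as replies
# to flows a LAN host opened. Addresses use the RFC 5737 documentation ranges.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"  # constructed WAN address of the router


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: remember who asked for what, then rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == key:  # existing flow: reuse its public port
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: forward only a reply to a flow in the table; drop the rest."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:  # nobody inside asked for this: unsolicited, dropped
            self.dropped.append(pkt)
            return None
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            # Right public port, wrong peer: still dropped
            self.dropped.append(pkt)
            return None
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def demo() -> dict:
    """One web request from a LAN host, then three inbound packets; report what got through."""
    nat = NatRouter()
    # constructed sample traffic
    request = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.7", 80))
    reply = nat.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, request.src_port))
    probe = nat.inbound(Packet("192.0.2.66", 4321, PUBLIC_IP, 445))               # unsolicited
    wrong_peer = nat.inbound(Packet("192.0.2.66", 80, PUBLIC_IP, request.src_port))  # mapping guessed
    return {
        "public_port": request.src_port,
        "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_forwarded": probe is not None,
        "wrong_peer_forwarded": wrong_peer is not None,
        "dropped": len(nat.dropped),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the table does not do: it has no notion of a hostile address or a bad protocol. The only question it asks of an inbound packet is "did someone inside ask for this?", which is exactly the limitation the paragraph above describes.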

For more information about firewalls in general:

Please don't confuse the perimeter firewall, which is hardware based, with a personal firewall, which is generally software based. Personal firewalls are discussed in Layer 2.

One firewall or NAT router protects your entire LAN, and is a good idea even if your LAN consists of only one computer. A NAT router today is equivalent in concept to perimeter protection, which was considered sufficient 5 years ago. Now we know to use multi-layered defense (aka layered defense).

Not all NAT routers have the same features. Some are designed for special needs.


One of the problems with the medieval moat was that it only protected against ground based attacks. The attackers could stand well outside the castle, and fire arrows, or use a catapult to lob rocks, at the castle and its inhabitants.

You can block Internet based threats with your firewall, or NAT router, but WiFi will be a danger unless you use both encryption (preventing malicious eavesdropping of your WiFi traffic), and authentication (preventing injection of malicious WiFi traffic, or access to your servers). WEP is the absolute minimum security that you may use, but I will never recommend anything less than WPA.


Layer 2 - Individual Network Protection
Besides protecting the outer edges of your network, you need to protect its interior components. Interior (individual computer) protection requires a port monitor or a personal firewall.
  • A port monitor lets you see what network traffic is active on your computer. There are two which I use. TCPView, from Sysinternals, is free, easy to install, and lightweight. Port Explorer, from DiamondCS, is free for the basic version, takes a bit of work to install (but is well worth the time), and is very configurable.
  • A personal firewall lets you actively control what network traffic is allowed to reach your computer. In some cases, it will also be used to control what traffic is allowed to exit it, directed towards other computers on your local network, or towards the Internet itself. See various discussions in comp.security.firewalls for good advice on choosing a personal firewall. A personal firewall can selectively block incoming or outgoing traffic, while a port monitor can provide more detail about network conditions, and can provide you additional warning about problems.
  • Besides a personal firewall, which filters network traffic between your computer and the outside world, you can use a sandbox or virtual machine to keep all untrusted network activity separate from the rest of your computer. SandboxIE, which is a lightweight virtual machine, was originally developed to keep Internet Explorer isolated from the rest of your computer; but it can just as well isolate any browser, or any single application, from the rest of your applications.
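The decisions a personal firewall makes for each connection, as an added example rather than code from the original post or from any of the products named above: rules are checked in order, the first match wins, and anything unmatched falls to a default of deny. The program names, addresses and rules are constructed for the example; the one LAN-only inbound rule shows the "traffic directed towards other computers on your local network" case.

```python
# Added example: toy personal firewall with per-program, per-direction rules.
# All program names, rules and connection events below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    program: str       # executable that owns the socket
    direction: str     # "in" (arriving at this host) or "out" (leaving it)
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    program: Optional[str] = None      # None matches any program
    direction: Optional[str] = None    # None matches either direction
    remote_port: Optional[int] = None  # None matches any port
    remote_net: Optional[str] = None   # dotted prefix such as "192.168.1." (None = anywhere)

    def matches(self, c: Connection) -> bool:
        return (
            (self.program is None or self.program == c.program)
            and (self.direction is None or self.direction == c.direction)
            and (self.remote_port is None or self.remote_port == c.remote_port)
            and (self.remote_net is None or c.remote_ip.startswith(self.remote_net))
        )


class PersonalFirewall:
    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = rules
        self.default = default
        self.log: List[str] = []  # denied connections, kept for the user to review

    def decide(self, c: Connection) -> str:
        """First matching rule wins; with no match, the default policy applies."""
        for rule in self.rules:
            if rule.matches(c):
                verdict = rule.action
                break
        else:
            verdict = self.default
        if verdict == "deny":
            self.log.append(f"DENY {c.direction} {c.program} -> {c.remote_ip}:{c.remote_port}")
        return verdict


def build_example_firewall() -> PersonalFirewall:
    """Allow-list for a home PC: known programs to known ports, LAN file sharing, nothing else."""
    return PersonalFirewall([
        Rule("allow", program="browser.exe", direction="out", remote_port=80),
        Rule("allow", program="browser.exe", direction="out", remote_port=443),
        Rule("allow", program="mailclient.exe", direction="out", remote_port=25),
        Rule("allow", program="mailclient.exe", direction="out", remote_port=110),
        Rule("allow", direction="in", remote_port=445, remote_net="192.168.1."),  # LAN shares only
    ])


def run_demo() -> Tuple[List[str], List[str]]:
    """Feed a constructed batch of connections through the firewall; return verdicts and log."""
    fw = build_example_firewall()
    events = [
        Connection("browser.exe", "out", "198.51.100.7", 443),    # normal browsing
        Connection("browser.exe", "out", "198.51.100.7", 6667),   # browser on an unexpected port
        Connection("mystery.exe", "out", "203.0.113.5", 80),      # unknown program calling out
        Connection("system", "in", "192.168.1.30", 445),          # neighbour on the LAN
        Connection("system", "in", "203.0.113.9", 445),           # same port, from the Internet
    ]
    verdicts = [fw.decide(e) for e in events]
    return verdicts, fw.log


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The third event is the one that matters for an infected machine: a program nobody put on the allow-list gets no outbound connection, and the denial shows up in the log, which is the "additional warning about problems" the paragraph attributes to watching the traffic.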


You need a personal firewall on each computer in your LAN; in case one computer gets infected, a personal firewall on the others could save you a lot of trouble. Note that traditionally, a personal firewall would be software based. Now, there is also the possibility of a hardware firewall, sitting inside your computer. The nVidia nForce is probably the first, but surely not the last, device of this type.

Relying solely upon a personal firewall or a port monitor, to protect you against hostile outgoing network activity, is like relying upon a dentist for protection, and having him fill the cavities in your teeth. Brushing and flossing (here equivalent to the Third Layer) is a so much more pleasant way to spend time, in the long term.


Layer 3 - Software Protection
Perimeter and individual network protection protects you against malicious network traffic. You also need to protect yourself against malicious content. Properly chosen content protection, on each individual computer, complements network based protection. Content protection has many components, to counter the many ways the bad guys will try to take control of your computer. Use as many as possible - better one or two, than none.



Layer 4 - Common Sense
Next, use common sense when installing software, and when using your computer.

  • Don't install software based upon advice from unknown sources.
  • Don't install any software, without researching it carefully.
  • Don't open email unless you know who it's from, how and why it was sent, and that it was sent intentionally to you.

The most critical tool, in your defense, is right between your ears. Keep your Chair To Keyboard Interface carefully tuned. If you're playing music, and a EULA pops up, ask why you're seeing a EULA.

Layer 5 - Education
Finally, educate yourself. This is a constant activity. Stay informed - Know what the risks are.


Overall Security
My personal philosophy about protection is that you should apply protection repeatedly, until you run out of money, paranoia, system resources, or time.

  • Most of the above products are free.
  • I am very paranoid - see my tag line (though not nearly so much as the experts at comp.security.firewalls).
  • My main system, which is over 2 years old, runs 10% CPU / 20% memory utilisation when idle, and maybe 30% / 25% when in use. I have a suite of convenience and frivolous programs, that probably accounts for half of my idle resource utilisation; maybe 5% / 10% idle resource utilisation is from security products. I don't see that as excessive at all.
  • I spend maybe 1/2 hour / day maintaining and running all of my security programs. Much less time than I've been spending with this blog, for instance.


There are many different opinions on this matter. I think that the resources that I spend preventing a malware infection are a far better investment than dealing with (experiencing, detecting, and removing) an infection that could have been prevented. So protect yourself, and the rest of the internet, please. The rest of us, who see the effects of our friends becoming infected, thank you.

1 comment:

Anonymous said...

Thanks for all of your help, Chuck. I didn't know there was so much involved in using security on your own website. I have Nortons, NoAdAdware, Spybot, and SpySweeper. I have had 4 credit card numbers stolen in the past year. I do a lot of business online. Thank God the credit card companies are so good at checking when they believe there has been a problem.

Thanks for making me much more aware of the security issues.

This is margied, the one who had 12 blogs hijacked on Fri 13th Oct 2006.

I have moved on and created two very quick blogs to get me started and out of the doldrums. You asked me to let you know if I ever decided to get a new blog started. I just have the first entries and I have to change one of the templates at least. You are welcome to check them out if you'd like at http://blog.dreamcancunresorts.com and http://blog.aventuraspapalaceresortsite.com

I have a lot to do to work on the site but I wanted to quit crying in my soup so to speak and do something at least. I have been very distressed over all of this but it's time to move on.

I have many more to rebuild to reconnect to my websites. I am the most heartbroken about my for grandmas only blog that was deleted by blogger. That blog wasn't connected to any website.

I still feel that what blogger did was wrong, deleting 12 blogs instead of verifying first if I did what they accused me of doing. I'm only one in millions so I'm sure that it's not a problem for them. Another guy had 16 blogs deleted around Fri Oct 13th as well. I can imagine how he felt. There were others who were stating that their blogs were missing too.

I also feel badly for the link exchange partners I worked with and for losing the money I paid to list in directories even as recently as September. I had spent so much time submitting to directories. aarrrgggghhhhhhhh

My new blogs are built on GoDaddy and I feel it is a better decision. They back up all of their data, but the very best part is, they have people who answer the phone 24/7. I have built most of my websites with them and their technical support department tries really hard to help with a problem. I have decided that I can't live without technical support on my blogs.

I didn't opt for the free ones but it is only about $2.00 per month per blog. I will check out some of your security recommendations and get on with it.

I will check the blogger group from time to time to see if anyone else had the same problem. My advice though is to take a look at other blog hosting companies and NEVER, if you sign up with blogger, NEVER host more than one blog under the same username and password. That way you might have a chance of salvaging at least some of the blogs that you build.

Many blessings to you.
margied (margaret)