This is Part 9 of Securing Your WHS & Network. This part identifies the risks and benefits of using the Internet to share public information. Security and privacy issues related to the use of computers available for public use and web hosting of non-sensitive information are identified. We explain how the network router can be used to increase the security of your computers and network.
An Internet browser is used to access content published by web servers. The browser uses hyper text transfer protocol (HTTP) to send a request for information to the appropriate server. The server returns the information back to display in the browser. This protocol is not used to exchange sensitive or personal information.
There are risks associated with accessing the Internet with a browser. All information is transmitted in a format that can be intercepted and read by anyone with software programs that are commonly available. Private and sensitive information can be disclosed if included as part of the traffic. The web-based email of ISPs and Internet mail providers including Google, Yahoo, and MSN are based on HTTP. Therefore; when reading or sending email, personal information can be intercepted.
Using computers that are available to the public pose a risk to your personal information. The user name and password can be saved by a malicious program running on the computer or be cached in a cookie by using the "Keep me signed in" option. Passwords can be saved by the AutoComplete Passwords option.
If a public computer used for browsing the Internet, we strongly suggest that the AutoComplete settings in the Internet Options Content tab be inspected before accessing the Internet. Turn off AutoComplete for Forms and User names and passwords on forms by removing the check mark in the check boxes. Then click the OK buttons for the AutoComplete Settings and Internet Options dialog boxes. The following shows an example of changing the AutoComplete settings.
While browsing the Internet and you want to check your email. We strongly recommend that the Keep me signed in option or its equivalent not be checked to save your user id and password. If you see the AutoComplete Passwords dialog box, click the No button and change the AutoComplete Settings in Internet Options.
Remember that when you are reading your email messages, personal information contained in the message can be stored on the computer. Also, a record of every site that is visited is cached. It is possible that this information can be disclosed to other users of the computer.
To prevent possible disclosure of personal information, we recommend that when finished using the public computer, that the browsing history in the Internet Options General tab be cleared. Click the Delete... button in the browsing history section. Click the Delete all... button in the Delete Browsing History dialog box. Place a check mark in the Also delete files and settings stored by add-ons. option and click the Yes button in the Delete Browsing History dialog box. Finally, click the OK button in the Internet Options dialog box. The following displays the actions necessary to delete the Internet history from the computer.
Home or small businesses that host a public website usually want to give it a name that is easy to remember. This name is called a domain name or domain. To create a domain, one must obtain it from a domain registrar. There is an annual fee that is charged for registering the domain. The availability of domain names depends on the country that registers the domain. Some countries have more options as to the choice of top-level domains. Click this link to see all the top-level domains.
Let's say we are a small business and we want a domain called microminisoft.com. Since.com is a top-level domain for the United States we go to a US domain registrar's web site to perform a search for the name. We are in luck, the name is available.
Normally when a business registers a domain name they have static public IP addresses that are assigned to them. They would create DNS or domain name system IP address or A Records to associate domain and sub-domain names with their public IP addresses. The following is an example of what some of Microsoft's DNS "A records" would be registered as. In this case, www.microsoft.com and microsoft.com would be associated with 65.55.12.249. The two sub-domains, support.microsoft.com and windowshelp.microsoft.com would be associated with 207.46.255.250 and 207.46.197.98, respectively.
Some home or small businesses may decide that the cost of registering a domain name is too expensive or that the desired domain is not available. An alternative that is offered by some dynamic DNS hosting sites is to prepend a domain name of your choosing to their domain. Let's say www.xyz.com offers this service. Offered at a relatively small fee per year, you can add your microminisoft name as a sub-domain to xyz.com. Your Internet address would then be microminisoft.xyz.com. Sometimes this service comes bundled with their dynamic DNS service.
Part 8 described that DNS is the Internet's "phone book" that translates a domain name to a numerical IP address. The dilemma is how a subscriber can list their domain name in DNS when their public IP address is subject to constant change. This makes hosting a website very difficult if the public IP address is different every day. The challenge is to have a way to change DNS records when the public IP address changes.
There are several sites that can register your domain and/or establish a service called Dynamic DNS or DDNS. DDNS means that the host of DDNS can change the public IP address of your domain quickly when your ISP assigns you a different public IP address. There are DDNS hosts that provide this service for free. Most hosts charge a nominal yearly fee based on the desired level of service that is subscribed.
Usually the network router can be configured to automatically notify the DDNS host that the public IP address has changed. DDNS hosts change over time and depending on the date of the last available firmware upgrade of your router can limit the choice of DDNS hosts.
To configure the SonicWALL TZ-180 router, click Network and then click the Dynamic DNS option. Click the Add... button to create a new DDNS profile. Place a check mark in the check boxes for the Enable this DDNS Profile and Use Online Settings options. Enter the profile name and select the provider. Enter the user name, password, and domain name and select the service type according to the instructions of the DDNS host. Click the OK button to save the settings.
If your DDNS host is not supported by your router, then do not create a DDNS profile or leave the DDNS option Disabled. The host can provide a software program that runs on a computer connected to your network and performs the notification function described above.
The DDNS host maintains DNS servers in several cities in the US and several countries to speed the propagation or notification to other DNS servers that the IP address has changed. It can take up to six hours for the change to be fully propagated to all DNS servers around the world.
The choice of a DDNS host should be based on cost, reliability, where the host's DNS servers are located, and the geographical area where you expect users to be located. For example, if a family has a website and has relatives located in several countries, the DNS servers should be within close proximity of those users.
Home or small businesses that want to host a website must establish a boundary between 1) the information that is non-sensitive and available to anyone and 2) information that is sensitive, personal, or proprietary that is limited to known and trusted users. Make sure that any sensitive information requires a user id and password to access the information. This section focuses only on hosting a website for non-sensitive, public information. Part 10 focuses on the hosting of a website that contains sensitive, personal, and proprietary information.
Part 2 introduced the network router and explained its general functionality. Part 3 identified the different types of ISPs and the services they provide. Part 5 explained how ISPs use DHCP or dynamic host configuration protocol to assign public IP addresses to their subscribers and described the router and its role as an interface with the cable/DSL modem. Part 5 explained in detail how to configure the WAN, LAN and DHCP settings of the router.
The greatest threat when hosting a website is that a hacker can take advantage of the vulnerabilities of the web server. It is possible that a malicious software program can be installed in a way to permit the hacker to gain control of the computer. Files can be deleted or the computer can be turned into a "zombie" and spread the malicious program to other computers on the local network or to computers that browse your website.
If the website allows for files to be uploaded, viruses and other malicious programs can be passed to the web server. Many owners of WHS consider the server to be safe from being infected by viruses because it is run as a headless or no direct user access system. Therefore, the majority of WHS computers do not use anti-virus software.
There are two ways to protect the WHS from viruses and malicious programs. Anti-virus software can be installed on the WHS or a firewall router capable of deep packet inspection (DPI) and virus detection can be used.
In Part 8 we presented a cost analysis of a comparing the cost of a DPI firewall router, a DPI software firewall, and Internet security software. We recommended purchasing a DPI firewall router such as the SonicWALL TZ-180. For administrators with a high level of technical ability, we recommended a DPI software firewall. Firewalls that are based on DPI provide a significantly higher level of network security. The major advantage is that the firewall can catch many threats before they can enter the local network. This is an important factor if the WHS is to be used to publish web content or allow remote access.
There are several WHS Add-In products that permit website hosting on the WHS. We will investigate the threats and vulnerabilities associated with those products in later blogs.
Higher-end routing equipment such as the SonicWALL TZ series, Netscreen, or WatchGuard must define certain network devices as address objects. The Windows Home Server must be defined in the router as an address object. To create the address object for the WHS, click Network and then click the Address Objects option. Scroll to the Address Objects table and click the Add button. Enter the name of the WHS and its local IP address. Select LAN as the zone assignment and Host as the type. Click the OK button to save the configuration settings.
The service used to publish general non-sensitive public information is based on HTTP or hyper text transfer protocol. Port 80 is the standard Internet port that is related to this service. This means when http://www.microsoft.com/ is typed in the browser, port 80 is automatically used.
Depending on what type of information that needs to be available to the website, rules must be configured in the router to instruct it what it should do for each type of request. All routers are initially programmed to reject any request for information from the Internet. They only permit outgoing traffic and responses to the outgoing traffic.
To allow computers to connect to a website via the Internet, an inbound or WAN to LAN rule must be defined in the router for the HTTP service. This rule permits public HTTP traffic to reach the home server. In general a rule encompasses five components.
To configure the HTTP rule in the router, click Firewall and then click the Access Rules option. Since we want to define a WAN to LAN rule, click the configure icon at the intersection of WAN and LAN in the access rules matrix.
To add a WAN to LAN rule for HTTP, click the Add button. Click the Allow radio button for action. Select the HTTP option for service, the All WAN IP option for source, the name of the WHS option for destination, the All option for users allowed, and the Always on option for schedule. A comment can be added for the rule. Note that the WHS, Earth in our example, was previously defined as an address object. Click the OK button to save the configuration settings.
The public port 80 is the Internet default for HTTP. The WHS listens for HTTP requests on port 80 but cannot hear any requests directly from the Internet because the router is blocking the traffic. By associating the public port 80 with the private port 80 for the HTTP service the rule allows HTTP requests to be passed to the WHS.
In our example the WHS is used as the web server. The WHS has been defined as an address object and assigned a private IP address of 192.168.145.30.
Defining a HTTP rule permits the web server to respond to requests for web content. Most routers provide stateful packet inspection or SPI to perform a cursory inspection of the packet for damage or alteration. In Part 8 we identified the vulnerabilities and threats that are associated with SPI. We recommended using a router that performs deep packet inspection that can identify malicious programs and other attempts to gain unauthorized access to the server.
When a URL or uniform resource locator is typed in the address bar of the Internet browser, port 80 is automatically used. . A way to see how this works is to type http://www.microsoft.com:80/ in the browser. Since port 80 is the default port for HTTP, the connection is made to the server and the ":80" portion of the URL is removed.
As explained in Part 3, port 80 is often blocked by the ISP to discourage the subscriber from hosting a website. The challenge is to overcome this restriction so that a website can be hosted by your WHS. There are alternative methods that can be used to circumvent this restriction.
One method is to add an alternate port to the URL. Ports such as 81, 8000 or 8080 can be used as an alternative to port 80. Sometimes one of these ports is used by the router, but the router can be configured to use another port. For example, port 8000 can be used as an alternate HTTP port. When distributing your website's address, instruct them to add ":8000" to the domain name. The URL would be typed as http://www.<yourdomain>.com:8000/ in the Internet browser. This method can be used without incurring extra fees from the DDNS host.
Another method is called port relay. This is a service provided by the DDNS host to intercept the HTTP request before it reaches the web server and automatically changes the port. The URL typed in the Internet browser would be http://www.<yourdomain>.com/. The DDNS host intercepts the HTTP request, modifies it to http://www.<yourdomain>.com:8000/, and relays the modified URL to your website. There is an additional cost for this service.
There are pros and cons for each method. Internet users are not accustomed to add anything to the end of an URL. If the port is not typed, the Internet user will receive a "Webpage cannot be displayed" message. This method may be a major drawback for small businesses.
Using a port relay service relieves the Internet user from typing the port number in the URL. As long as the web address is typed correctly in the address bar of the Internet browser, the website is found. There is a modest annual charge for this service.
To use an alternate public port such as 8000, either modify an existing HTTP rule or create a new HTTP rule in the router to map the public port 8000 to the private port 80 and use the private IP address of the web server. The following is an example of configuring the HTTP rule to forward port 8000 to port 80.
To add or change the public port for the HTTP service, click the Firewall and then click the Settings option. To change the public port for the HTTP service, locate the HTTP service and click the Configure icon. Enter the public port you want to use for the HTTP service. In our example, we have entered 8000 for the port range. Click the OK button to save the settings.
Click the Add... button to create a new service for the alternate port. Select the TCP protocol and enter the name and port range. We have used HTTP-8000 as the service name and 8000 for the port range. Click the OK button to save the settings.
Next a rule for the newly defined HTTP-8000 service must be defined. Click Firewall, then click the Access Rules option, then click the configure icon at the intersection of WAN and LAN in the access rules matrix. Click the Add... button.
Click the Allow radio button for action. Select the HTTP-8000 option for service, the All WAN IP option for source, the name of the WHS option for destination, the All option for users allowed, and the Always on option for schedule. A comment can be added for the rule. Click the OK button to save the configuration settings.
We have explained how Internet domain names are registered, how to create an inbound rule for HTTP on port 80 and alternate ports, and how to configure the router to use DDNS. This information is presented to document what is necessary to publish a public website. The Windows Home Server is capable of publishing a website, but we do not recommend doing so. The added cost for domain registration, DDNS, and port forwarding fees and the time needed to develop the website cannot be justified for most homes and small businesses.
Windows Home Server has a cost effective alternative solution that provides a secured method to remotely access and shares your files. Part 10 will discuss this alternative.
We at Home Server Land make the following recommendations to enhance the security of computer and your privacy as it applies to web browsing and hosting threats.
This blog identified threats that are associated with website browsing and publishing. The security plan should be updated to identify threats specific to your WHS and network and address methods to resolve the threats. We have developed the HTTP and Web Hosting Threats Risk Assessment to assist with the identification and methods that can reduce threats we identified. The Threat and Risk Assessment Worksheet can be used to document the threats that have been identified and used as a basis to manage them. Both documents are attached at the end of this blog.
This concludes Part 9 of Securing Your WHS & Network. We identified the risks and vulnerabilities that are associated with browsing the Internet and hosting a public website. The router is the first line of defense to protect the network from attacks by unauthorized people. We recommend that if hosting a general non-secure website that a router that is capable of DPI be considered.
In Part 10, we will identify threats exposed by using and hosting websites that use the HTTPS protocol. We identify the role of the administrator and how the network router secures the network.
In the meantime, we invite your discussion, ideas, or comments in response to this blog.
Threat and Risk Assessment Worksheet
This series has been developed by the Home Server Land team to introduce computing and networking technologies. Throughout the series, we identify threats and vulnerabilities that exist and identify methods that can be taken to reduce them. We encourage