
RE: Secure Home Networking?

From: Brewis, Mark <mark.brewis(at)eds.com>
Date: Thu May 29 2003 - 12:10:04 EDT


-----Original Message-----
From: R. DuFresne [mailto:dufresne@sysinfo.com]
Sent: Tuesday, May 27, 2003 12:53 AM
To: Sandy Turner
Cc: pen-test@securityfocus.com
Subject: Re: Secure Home Networking?

>>Perhaps one of the more nasty tests to do on home users is to e-mail then

There are obviously some fairly major legal issues with this approach, without some form of authorisation/disclaimer. Also, I'm not sure how much benefit you get from it, unless you send stuff from some innocuous email address. If a sysadmin sends a user a mail with a subject of "Your automatic VPN configuration utility", and it is a legitimate source and the user activates it, what do you gain? They trust you (obviously never read BOFH www.theregister.co.uk) - if they open an email from evil@hacker.org and execute an attachment of the latest naked celebrity, then you don't want to let them have a computer. Obviously those are the extremes, and there is plenty of scope there for innocuous-looking mail.

>>Aside from that get all the netbui/netbios toys you can get

Best you can do is scan them on a periodic basis with nmap and Nessus etc, if you aren't able to dictate the home network configuration. Make sure you are covered legally for this, though.

Create a Security Policy for home users, and get them to sign up to it. See if you can audit them against it periodically. Once you're out of the corporate environment, though, there are limitations on what you can do.

Mark

Mark Brewis

Security Consultant
EDS
Information Assurance Group
Wavendon Tower
Milton Keynes
Buckinghamshire
MK17 8LX.

Tel:	+44 (0)1908 28 4234/4013
Fax:	+44 (0)1908 28 4393
E@:	mark.brewis@eds.com

This email is confidential and intended solely for the use of the individual(s) to whom it is addressed. Any views or opinions presented are solely those of the author. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this mail is strictly prohibited.

Precautions have been taken to minimise the risk of transmitting software viruses, but you must carry out your own virus checks on any attachment to this message. No liability can be accepted for any loss or damage caused by software viruses.



Received on Thu May 29 12:50:10 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:36 EDT

