What is everyone doing to add more protection for their computers in their networks?

Our network is already protected by two firewalls. The first is a computer using OpenBSD with the pf software to filter out much of the incoming traffic.

This is a small town ISP and so we can't filter as heavily as we could for a regular company, but for all home networks, all incoming TCP and UDP traffic to their IP addresses is entirely filtered unless it is part of a TCP connection established by the customer or a UDP response to UDP traffic originated by the customer. Many of the small businesses, including our own internal network, are filtered in the same manner. For most of those that do need to have traffic coming in, for example a VPN, only incoming traffic from IP address blocks in the US is permitted. For a very few, all incoming traffic is permitted.

It's amazing how many fewer attempts to break into your computers you'll see if traffic is restricted to only US traffic. On one computer, we saw more than 300,000 attempts to connect via ssh from one small block of IP addresses in China, 116.31.116.0/24. The least we saw from that block was only about 500,000 attempts in four months.

One day I was setting up a new computer and was seeing about 30,000 SSH connections per day. I found a source of US IPv4 (http://www.ipdeny.com/ipblocks/data/aggregated/us-aggregated.zone) and IPv6 (http://www.ipdeny.com/ipv6/ipaddresses/blocks/us.zone) address blocks. When I started filtering out all connection attempts to SSH that did not come from US addresses, the numbers dropped into the low double digits per day. The various scans of other ports dropped dramatically as well.
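A pf.conf fragment showing this kind of policy (stateful default-deny, SSH admitted only from the ipdeny US lists), written here as an added example rather than the poster's own configuration; the interface name em0, the file paths under /etc and the 192.0.2.x host addresses are assumptions, constructed for illustration:

```pf
# Added example (not the poster's config). Assumed: external interface em0,
# the ipdeny US lists saved to /etc/pf.us4.zone and /etc/pf.us6.zone, and
# the hosts that accept SSH listed in <ssh_hosts> (constructed sample IPs).
ext_if = "em0"

# Country tables loaded from the downloaded zone files. After refreshing a
# file, reload the table without restarting pf:
#   pfctl -t us4_blocks -T replace -f /etc/pf.us4.zone
table <us4_blocks> persist file "/etc/pf.us4.zone"
table <us6_blocks> persist file "/etc/pf.us6.zone"
table <ssh_hosts>  { 192.0.2.10, 192.0.2.11 }

# Last matching rule wins in pf, so start with a logged default deny on
# the outside interface; anything not explicitly passed below is dropped.
block in log on $ext_if all

# Customers and the office may initiate anything outbound. The state entry
# created here is what lets the return TCP traffic and UDP replies back in,
# which is the "established by the customer" behaviour described above.
pass out on $ext_if proto { tcp udp } from any to any keep state

# SSH to the designated hosts only from US address blocks (v4 and v6).
# Port 22 probes from everywhere else never pass the block rule, so they
# show up only in the pflog and never reach sshd.
pass in on $ext_if inet  proto tcp from <us4_blocks> to <ssh_hosts> \
    port 22 flags S/SA keep state
pass in on $ext_if inet6 proto tcp from <us6_blocks> to <ssh_hosts> \
    port 22 flags S/SA keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0 port 22` for a day to confirm the non-US probes are being dropped rather than reaching the host.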

The funny thing about setting up the new computer is that the IP address that I assigned to it hadn't been used in several months. Yet, the attacks began about an hour after I set the IP address and they quickly picked up from there.

Behind the first firewall are our various customers and our own office firewall which is a commercial small office firewall.

One thing I'm planning on doing is to put a small office router in every office and hooking the computers up to that. The idea is that if one computer is compromised, it won't be able to be used to compromise other computers in the network outside of that one office. Any internal server will be hardened and will only allow connections on those ports necessary. I'm not sure how well this will go over with everyone else at the office.