

Residential Internet Security
By Steve Steinke, Network Magazine
Dec 5, 2001 (9:26 AM)
URL: http://www.networkmagazine.com/article/NMG20011203S0022


Home Internet connections are vulnerable to a variety of security threats. Because these threats are interrelated and the lines between them can be blurry, it's harder than it ought to be to make home security as good as it needs to be. The stakes are multiplied by the prevalence of home workers whose bad practices could jeopardize the security of an enterprise, even if the enterprise itself has good security practices.

Two types of bad things can happen to an Internet-connected home computer. The first involves a miscreant duping a user into running harmful software: a worm, virus, Trojan Horse, or some form of spyware that reports back some aspect of the user's activities or configuration. The second bad thing involves a miscreant taking direct control of the computer and running arbitrary software, either the user's own or the miscreant's. Of course, many type-1 Trojan Horses give attackers type-2 control, but the type-1 exploit isn't the only path to type-2 control.

Common sense is the first line of defense against type-1 attacks. People who use the home network should be educated about the dangers of installing software from dubious sources, executing unsolicited e-mail attachments, and configuring e-mail clients so that they open attachments automatically. You should also limit administrative privileges in operating systems that are designed to implement security measures.

The second line of defense is a good-quality, regularly updated anti-virus program, which will catch all but the freshest exploits.

Finally, some readily available personal firewalls, as well as professional-grade firewalls, can be configured to alert a user whenever inappropriate data is being sent to an external address, and to block such transactions.

For a residential (or small business) user, the key risk factor for an attacker gaining type-2 control is operating server software on the computer. When you install software that's designed to respond to the requests of any stranger with an IP address, you need to employ sound security practices as assiduously as a large enterprise would. At a minimum, install a professional-quality firewall, review its logs regularly, and keep up with security patches and upgrades for all your servers.

Web servers, mail servers, and even Internet Relay Chat (IRC) servers aren't the biggest problem. The really dangerous servers are those not understood to be servers. Windows file sharing (designed as a peer-to-peer file server), bound to the TCP/IP stack and lacking the protection of good passwords, may allow anyone on the Internet to view, modify, or erase your files. AOL Instant Messaging permits file sharing among buddy lists. Gnutella and its derivatives can be configured to make arbitrary files available to anyone. When not properly protected, a remote control program installed to aid a help desk in dealing with remote users can immediately give an intruder access that would otherwise require running a handful of exploits against IIS. Even a security-conscious employee could have a spouse, roommate, houseguest, or kid who opens the floodgates.
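One way to find the servers "not understood to be servers" on a home PC is to list every TCP listener that is bound to a non-loopback address. The following is an added example, not part of the original article: it parses Windows `netstat -an` output, and the sample output and the port-to-software table (well-known default ports) are assumptions supplied here.

```python
import ipaddress

# Default ports for the kinds of software the article names. The numbers are
# well-known defaults supplied for this example, not taken from the article.
KNOWN = {
    139: "Windows file sharing (NetBIOS session)",
    445: "Windows file sharing (SMB over TCP)",
    5631: "pcAnywhere remote control",
    5900: "VNC remote control",
    6346: "Gnutella",
}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6346           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::1]:5900             [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

def exposed_listeners(netstat_text):
    """Return sorted (port, address, label) for TCP listeners reachable off-host."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue  # skip headers, UDP, and established connections
        host, _, port = parts[1].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        try:
            addr = ipaddress.ip_address(host)
            port = int(port)
        except ValueError:
            continue  # unparseable line: ignore rather than guess
        if addr.is_loopback:
            continue  # bound to localhost only; not reachable from the network
        found.add((port, str(addr), KNOWN.get(port, "other listener")))
    return sorted(found)

if __name__ == "__main__":
    for port, addr, label in exposed_listeners(SAMPLE):
        print(f"{addr}:{port:<6} {label}")
```

Every line it reports is a process answering connection requests from other machines, so each one should either be recognized and deliberately configured or shut off.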

There isn't a single solution to the problem of less-than-completely-up-front servers. Pretty much all of them have configuration options that allow moderately safe operation. However, the potential for exploits to get around those options is always there. The backstop solution is a firewall that monitors outbound traffic and blocks attempts to send data on suspicious ports.

As I've noted in the past, important vulnerability factors don't include whether you have a broadband link or a static IP address. A broadband link makes you a more desirable zombie, but if you don't run any vulnerable server processes, you can't be zombified. For an outside type-2 attack to succeed, the attacker must find and connect to a vulnerable server process on the home system, an attempt that will almost certainly be thwarted by a firewall or even a Network Address Translation (NAT) router. A home computer running only client Internet software, such as an ordinary browser and an e-mail client, and protected from type-1 malware is not susceptible to a type-2 attack at all.

Steve Steinke, Editor-in-Chief
