
Basic Network Security
Volume 5 in John R. Hines’ Computer Security for Mere
Mortals, short documents that show how to have the most
computer security with the least effort
John R. Hines, Net+ Certified, Security+ Certified, Consulting Security
Engineer, LLC

“Plagiarism is when the author steals from one source; scholarship is when
the author steals from many sources.” -- Anonymous
"Facts are stubborn things; and whatever may be our wishes, our inclinations,
or the dictates of our passions, they cannot alter the state of facts and
evidence." --John Adams
Oholiab's First Law: The Suits' need for computing power expands until all
the Geeks' servers are 100% utilized running database queries and printing
reports during business hours.
Corollary to Oholiab's First Law: Development can only access the servers
purchased for development when nobody else wants them.
Oholiab's first law of security (Murphy's first law of planning): The
important things are simple.
Oholiab's second law of security (Murphy's second law of planning): The
simple things are very hard.
Oholiab's corollary to the first and second laws of security: Simple and easy
are not the same thing. Fools don't know the difference.
Warning: If you’re not smart enough to sort the cow pies from the pearls in
these notes, you do not have permission to read these notes!
Copyright © Consulting Security Engineer LLC. All rights reserved. 2016


ISBN N/A
Version 1.201708212300



Suggested reading (when you have time)
Kill Process by William Hertling
Security by Poul Anderson (badly formatted but great ideas)


Table of Contents
Suggested reading (when you have time)
Revision History
Security
Is security a new problem?
What is security?
What is computer security?
What is in these notes?

Networks
Why care about networks?
What do these notes assume you've already done?
What simple reasonable measures will improve security on your intranet?
Measure #1: Have two routers: one for business use and one for all other uses
Measure #2: Have at least one old slow network computer for non-business (and for friends and family) use
Measure #3: Shut down the business (secure) router when no one is in the office
Measure #4: Shut down the risky (insecure) router when no one should be on the internet
Measure #5: Do a quick walkabout every quarter (when the season changes) (when TV switches to a different major sport)
Measure #6: Do a quick audit of all computers about every quarter (when the season changes) (when TV switches to a different major sport)

Appendices
Appendix I: Network basics
What is a cable modem?
What is a network (computer network)?
What is broadband (wideband)?
What is IP (Internet Protocol)?
What is the internet (Internet) (public network)?
What is TCP (Transmission Control Protocol)?
What is WIFI (Wi-Fi) (Wifi) (WiFi) (Wireless networking) (Unbounded media)?
What is wired (hard-wired)?
What is wireless?
Appendix II: Common network utilities
What is the command window (command box) (DOS box)?
Ipconfig (IPCONFIG)
Nbtstat
Net (Net services)
Netstat (netstat) (network statistics)
nslookup (Nslookup) (NSLOOKUP)
Appendix III: Why do I care about intranets?
Appendix III: Using ipconfig to find basic network information
How do I open a Command window (Command box) (DOS box) (PowerShell window)?
How do I find out what IP and what router my PC is using?
What is a command window (command box) (DOS box) (PowerShell window)?
Appendix IV: Use Nmap with Zenmap GUI to find out what your intranet looks like
How do I use nmap to find out what my network looks like?
What does Nmap/Zenmap tell me about my home network?
What is Nmap?

What documents are part of this series?
Biography


Revision History
Rev   Change
1.0   Created and published document


Security
Is security a new problem?
No! Security has always been a problem! Even strong men have security
concerns: "When the strong man, fully armed, guards his own dwelling, his
goods are safe. But when someone stronger attacks him and overcomes him,
he takes from him his whole armour in which he trusted, and divides his
spoils." (Luke 11:21-22)
Criminals form gangs to defeat strong men. Captain Grose's 1811 Dictionary
of the Vulgar Tongue (Grose was a nineteenth-century lexicographer) lists 23
occupations required for a complete "gang of misrule" (crime family). My
dictionary gives these as "… For men, there are fourteen roles: (1) ruffler,
(2) upright man, (3) hooker (angler), (4) rogue, (5) wild rogue, (6) priggers
of prancers, (7) palliards, (8) frater, (9) jarkman (patricoe), (10) whip
jacket, (11) drummerer (dommerer), (12) drunken tinker, (13) swadder
(pedlar), and (14) Abram man. For women (and children) there are nine roles:
(1) demander for glimmer or fire, (2) bawdy basket, (3) morts, (4) autem
mort, (5) walking morts, (6) doxy, (7) dell, (8) kinching mort, and (9)
kinching cove." (Buy my book if you want to know what all these specialties
are.) Add hackers and testers and you have the kind of crime family HP
describes in The Business of Hacking, capable of stealing from the strong as
well as the weak.

What is security?
The dictionary definition of security is "being free from danger or threat".
Experience indicates no one is secure, at least in the dictionary sense.
Solomon had a different take on security (or, maybe, on the lack of security):
"The race is not to the swift or the battle to the strong, nor does food come to
the wise or wealth to the brilliant or favor to the learned; but time and chance
happen to them all" (NIV). (Bumper stickers on the back of pickups
summarize Solomon's quote in two words: "Excrement happens".)
Damon Runyon, writer of "Guys and Dolls", offered an amendment to Solomon's
advice: "The race is not always to the swift, nor the battle to the strong, but
that's the way to bet." The way to be secure is to be good and hope to be
lucky. And (if you've read any of Runyon's other works), the way to be
insecure is to be not good (unless you're very, very lucky).
So, I suggest a different definition of security that emphasizes our part in
keeping ourselves secure: "things done and things left undone that give as
much control as possible over the future". Be good (the things done), be
careful (the things left undone), and hope to be lucky.
One more quote: "Luck is what happens when preparation meets
opportunity" (Seneca, First Century AD, possibly misattributed). Prepare for
Murphy to knock on your door. A disaster for the unprepared is an
opportunity for the prepared.

What is computer security?
The dictionary says, "measures taken to safeguard code, information, and
systems". A more sensible definition of computer security is "(1) reasonable
measures taken to safeguard code, information, and systems, (2)
unreasonable measures not taken to safeguard code, information, and
systems, and (3) low-reward measures not taken." Unfortunately,
reasonable, unreasonable, and low-reward are (like beauty) in the mind of the
beholder.

What is in these notes?
I'm going to tell you what I think are reasonable and unreasonable measures
and what are low-reward measures.

What is a low-reward measure?
A security measure that has a small payoff for the inconvenience, money
and time associated with the measure. Most of the measures advocated by
security professionals are low-reward measures.

What is a reasonable measure?
A security measure that has a significant payoff for the inconvenience,
money and time associated with the measure.
Reasonable measures that are not terribly inconvenient for a non-professional
and require little money and time should ALWAYS be implemented.
Reasonable measures that are terribly inconvenient for a non-professional but
require only a small amount of time and money should be implemented when
possible. (Maybe hire a professional for a half-day?)
Reasonable measures that are not inconvenient for a non-professional but
require a small amount of time and money should be implemented when
possible. (I define a small amount of money as my monthly business cell
phone and internet bill. You may have a different definition.)
Reasonable measures that are terribly inconvenient for a non-professional and
require a lot of money should only be implemented if you suspect you are a
potential target. Warning: If you are (1) involved in politics or social
issues, (2) visible in your community for some reason, or (3) have strange
family members or neighbors, then you should suspect you are a target.

What is an unreasonable measure?
A security measure that has become popular wisdom but probably is of
little value. (A few years ago, one argument for switching from a PC to a
Mac was "Macs don't get viruses." If that was ever true, it isn't now, but
many Mac sales people and users still believe it and repeat it to non-Mac
users.)
Send me an email at to
let me know when I'm wrong. Thanks, John


Networks
Why care about networks?
If you use the internet, you're on a network. If you use the internet at work,
at a library or at a restaurant, whoever supplies the connection (hopefully)
has a professional who takes care of network details for you. However, if you
use the internet at home or at your small business, you have a small network
(an intranet) in your home. If all you have is a direct wired connection to the
internet -- no WIFI -- then the intranet is just your cable modem and your
computer and your problems are small. As soon as you add a router to your
intranet you have (potential) network problems. So, you need to know
enough to do basic security stuff.

What do these notes assume you've already done?
The notes assume you have read "Computer security: a 15-minute talk" and
have already implemented the security measures described in "Basic
Windows 10 Security" and "Basic Phone and Tablet Security". Also, if you
have a router in addition to your cable modem, they assume you have
implemented the security measures in "Basic Router Security". These notes
will still be useful if you have not implemented the measures above but you
will have holes in your security. Caveat emptor! Note: All these notes are
available as eBooks on Amazon.com. Search the Kindle area for "John R.
Hines".


What simple reasonable measures will improve
security on your intranet?
Warning: This note is in a different format than the previous notes because
the problems you are resolving are different. Note: Remember, these notes
are for SOHOs and home users: no fire marshal, no industrial engineer, no
security engineer to detect problems before they become disasters.

Measure #1: Have two routers: one for business use and one for
all other uses
Most SOHOs and all homes have three kinds of users: business users,
business and recreational users, and others (mostly friends, families, and
visitors). Recreational use and "other" use have two security downsides: (1)
they slow down business use and (2) they frequently bring malware into the
intranet (making security less sure). Most modern cable modems allow you
to attach multiple routers in parallel. Take advantage of this by installing a
good (fast) router for business use (the safe intranet) and an old (cheap)
router for all other use (the risky intranet). BTW: You can put on your CV
that you've partitioned a network for improved security.

Mistake #1A: Not moving computers that do both business and
non-business to the risky intranet
Yes, they will be less secure and go slower. But they are on the risky
intranet because they choose to do risky things. Measure #2 will partially
resolve this problem.

Mistake #1B: Not moving friends, family and visitors to WIFI
associated with the risky intranet
Laptops, phones and tablets used by friends, family, and visitors should be
assumed to be infected. Also, games and data downloads over WIFI will
slow down business computers (even when the computers are wired to the
intranet) and business phones and tablets.

Mistake #1C: Telling friends, family, and visitors that you've put
them on the risky intranet
:-)

Measure #2: Have at least one old slow network computer for
non-business (and for friends and family) use
All you need on this computer is Windows, current antimalware software, and
a browser. Yes, it's slow, but it's only for browsing on the Internet.

Mistake #2A: Not placing this computer on a separate intranet
(the risky intranet, if you have one)
Don't ask, don't tell.

Measure #3: Shut down the business (secure) router when no one
is in the office
Unless you (or a key employee) like to work late at night, program your
business router to turn off from 8 PM to 6 AM (or whatever times make
sense). When the router is up, bad guys have a pathway to attack your
network. You can't avoid that during the day, but you may figure out there is
a problem when your computer slows to a crawl. Why give them access to
your network when no one will see the network slowdown? Also, if a
computer goes zombie, it will only be behaving badly when someone is there
to notice its behavior.

What is a zombie (member of a botnet)?
Compromised internet-connected computer whose security defenses have
been breached and control ceded to some bad guy. BTW: A herd of zombies
is called a botnet.

Measure #4: Shut down the risky (insecure) router when no one
should be on the internet
Besides protecting the computers attached to the risky router when no one
should be using the internet, you can prevent your kids from being on the
internet instead of sleeping.

Measure #5: Do a quick walkabout every quarter (when the
season changes) (when TV switches to a different major sport)
Before you start your walkabout, ask yourself, "Have I written an AUP?" If
not, make a note to write one. Also, verify that you can log in to the cable
modem and the router(s).

Take a pen and a piece of paper (unless you can type quickly on your tablet).
Do you see any devices you don't remember installing or paying for? An
employee's workstation or a router buried under a pile of crud? Cables going
to strange places or left where you could trip over them?
Since you're already walking about, check the air flow and temperature of
each computer, each router and the cable modem. (I once discovered my
granddaughter using a router as a coat hook. I had to replace the router and
had to retrain the granddaughter, since my wife wouldn't let me replace the
granddaughter.)
Check your secure place. Is the secure information storage container still
there? Is your information still in the container? Are admin-equivalent user
IDs and passwords for ALL the computers, routers and cable modem still in
the box?

What is an AUP (Acceptable Use Policy) (fair use policy)?
A set of rules applied by the owner, creator or administrator of a network,
website, or service that restricts the ways in which the network, website or
system may be used and sets guidelines as to how it should be used.
Alternative: Document stipulating constraints and practices that a user must
agree to for access to a corporate network or the Internet. Many businesses
and educational facilities require that employees or students sign an
acceptable use policy before being granted a network ID. Can be very short.
Warning: If management hasn't prohibited some form of behavior, it's hard
to fire someone who has behaved incorrectly!

Measure #6: Do a quick audit of all computers about every
quarter (when the season changes) (when TV switches to a
different major sport)
Go to each computer and log in as an admin-equivalent. (You should be an
admin-equivalent on all your computers. Otherwise, you can't administer the
computer. If not, you've discovered a potential disaster!) Are there users you
don't recognize? Are there "Guest" accounts? Are there programs you don't
remember buying? Are there games? Is the anti-malware current? Does the
anti-malware pop up a warning when you insert a flash drive into a USB
slot? (Maybe this should be in your AUP?)

What is an admin-equivalent (admin-equivalent user)?
User who has the same rights as the admin. Can make system changes and
install software.


What is a standard user?
Cannot modify operating system settings or other users' data. Cannot
(usually) install software.


Appendices
Appendix I: Network basics
What is a cable modem?
Connects a computer or local network (intranet) to broadband
Internet service through the same cable that supplies cable
television service or the cable that supplies more modern services
like FIOS or U-verse.
What is an intranet (Intranet) (private network)?
Private network combining existing LAN and WAN technologies
and new Internet technologies. Has all the features of the Internet.
There are many intranets. Typically uses 10.x.x.x, 127.x.x.x,
172.16.x.x through 172.31.x.x or 192.168.x.x. Typically connected
to the (one and only) internet by a cable modem but may be
stand-alone.
What is a network (computer network)?
Connected graph where nodes are computer network nodes and
edges are computer-to-computer connections.
What is a gateway?
Network node that is an entrance to another network. Often a
router.
What is a LAN (Local Area Network) (Local network)?
Hardware and software that turns terminals, workstations, servers,
and hosts into a single network environment in a small geographic
region like a building. Alternative (more modern): A network
segment that may or may not be connected to another network.
Larger networks are created by "gluing" two or more LANs
together, typically with a router.
What is a network address (network number)?
Bit pattern or group of hexadecimal numbers that uniquely
identifies a network node. In IPv4, eight hex characters, each pair
(except the last) separated by dots. (Four bytes.) In IPv6, 32 hex
characters, each quad (except the last) separated by colons. (16
bytes.)
What is a network device?
Component (hardware) that connects ("glues") computers or other
electronic devices together to share files or resources. Usually a
network node.
What is a network edge?
Single physical connection between two computers. Sometimes
used as a synonym for connection (network connection). Alternative:
Cable with connectors at both ends that connects two nodes.

What is a network node (computer network node) (network host)
(node)?
An addressable device attached to a computer network.
What is a network segment?
Logical group of computers that share a network resource like a
router, VLAN, or switch segmentation.
What is a subnet (subnetwork) (network subnet)?
Logical, visible subdivision of an IP network. Computers that
belong to a subnet are addressed with a common, identical,
most-significant bit-group in their IP address. Note: The practice
of dividing a network into two or more networks is called subnetting.
What is broadband (wideband)?
Communications medium that provides enough bandwidth over a
wide frequency range to satisfy a typical internet user (at least
gigabit speed).
What is a communication medium?
Physical path for (usually high speed) data transmission that can
simultaneously transport multiple signals and traffic types.
Typically coaxial cable (obsolete), optical fiber, radio or twisted
pair.


What is IP (Internet Protocol)?
Basic protocol of the Internet. It enables the unreliable delivery of
individual packets from one host to another. It makes no
guarantees about whether or not the packet will be delivered, how
long it will take, or if multiple packets will arrive in the order they
were sent. Protocols built on top of this add the notions of
connection and reliability.
What is the internet (Internet) (public network)?
Large network with millions of hosts from many organizations and
countries around the world. Amalgamation of many smaller
networks. Data travels by a common set of protocols (starting with
TCP/IP). All (well, almost all: ignore 10.x.x.x, 127.x.x.x,
172.16.x.x through 172.31.x.x and 192.168.x.x) internet addresses
are unique.
What is an IP address (Logical address) (Network address)?
In IPv4, 32-bits or a quad of octets (four bytes). In IPv6, 128-bits
or a hex of octets (eight bytes) or 16 hex characters. A software
address, not a hard-coded address.
What is TCP (Transmission Control Protocol)?
Network reliable communication protocol, typically sits on top of
IP. See UDP.
What is WIFI (Wi-Fi) (Wifi) (WiFi) (Wireless networking)
(Unbounded media)?
Local area wireless technology to exchange data or connect to the
internet (usually using 2.4 GHz UHF and 5 GHz SHF).
What is wired (hard-wired)?
Connected to other devices by cables, usually ethernet cables.
What is wireless?
Connected to other devices by WIFI (typically using a WAP).


Appendix II: Common network utilities
What is the command window (command box) (DOS box)?
In Windows, a popup window that acts (somewhat) like the (now
obsolete) DOS command line where the user enters instructions
from the keyboard. It can be opened by clicking on the cmd or
PowerShell entry in the Windows dropdown menu. Warning: The
"admin" version allows admin-equivalent users to run most
commands; the standard version limits what the user can do even if
he is an admin-equivalent.

Ipconfig (IPCONFIG)
Displays and controls the DHCP and DNS settings of the network connections.
Acronym for internet protocol configuration (called ifconfig, interface
configurator, in Linux; ifconfig expects the keyword "netmask" before the
subnet mask). Note: Early versions of Windows used winipcfg.exe. Main
options:

Option                       Purpose                                            Example
(none)                       Outputs IP address, network mask and gateway       ipconfig
                             for all NICs (both physical and virtual)
all (/all)                   Outputs defaults plus DNS and WINS.                ipconfig /all
flushdns (/flushdns),        Flushes/displays the DNS cache on all NICs         ipconfig /flushdns
displaydns (/displaydns)
release (/release)           Terminates all TCP connections, releases           ipconfig /release
                             leases on all IP addresses on NICs.
renew (/renew)               Renews leases on all IP addresses on NICs.         ipconfig /renew
setclassid (/setclassid),    Managing DHCP server. Seldom used.                 ipconfig /setclassid
showclassid (/showclassid)
Nbtstat
Windows diagnostic tool for NetBIOS that troubleshoots NetBIOS name
resolution problems. Seldom used.

Net (Net services)
Performs a broad range of network tasks. Type net with no parameters to see
a full list of available command-line options. Typical syntax is
NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP | HELPMSG |
LOCALGROUP | PAUSE | SESSION | SHARE | START | STATISTICS | STOP | TIME | USE | USER
| VIEW]

Command                      Purpose
NET ACCOUNTS                 Change account settings
NET COMPUTER                 Add and remove other networked computers
NET CONFIG                   Displays current SERVER or WORKSTATION configuration
NET CONTINUE                 Continue (resume) a paused SERVICE
NET FILE                     Display all the open shared files on a server and the lock-id
NET GROUP                    Manage network workgroups
NET HELP                     Display help for a NET command
NET HELPMSG                  Display the text of a Windows error message number
NET LOCALGROUP               Manage network groups
NET NAME                     Manage messaging name
NET PAUSE                    Pause service
NET SESSION                  List all sessions on current machine
NET SESSION \\ComputerName   List sessions from a given machine
NET SHARE sharename          Manage local share
NET START                    Start service
NET STATISTICS               Display network statistics for WORKSTATION or SERVER
NET STOP                     Stop service
NET TIME                     Display date/time of another computer
NET USE                      Connects / disconnects the computer from a shared resource
                             or views information about current computer connections
NET USER                     Displays users
NET VIEW                     Display computers in the local domain
NET VIEW \\ComputerName      See shares on computer
Netstat (netstat) (network statistics)
Displays network connections for Transmission Control Protocol (both
incoming and outgoing), routing tables, and a number of network interface
(network interface controller or software-defined network interface) and
network protocol statistics. Useful switches:
-a  state of all sockets
-b  displays executable creating connection
-n  shows network addresses as numbers
-o  displays owning process
nslookup (Nslookup) (NSLOOKUP)
Network administration command-line tool available for many computer
operating systems for querying the DNS to obtain domain name or IP address
mapping or other specific DNS records. To access help, type nslookup
[CR]. When the nslookup prompt appears, enter "?".

Appendix III: Why do I care about intranets?
If you have a home connection to the internet, you automatically
have an intranet in your home, although it may be a (very) small
intranet. (If all you have is a wired connection to the internet -- no
WIFI -- then the intranet is just your cable modem and your
computer.) As soon as you add a router to your intranet, you have
an intranet with (potential) network problems.

Appendix III: Using ipconfig to find basic network
information
How do I open a Command window (Command box) (DOS box)
(PowerShell window)?
Right click on the Windows flag, then click on the Windows
PowerShell (Admin) entry. In earlier versions, click on the
Command (Admin) entry.
How do I find out what IP and what router my PC is using?
Open a PowerShell window (Admin). Click on the "YES" button when
Windows 10 asks you if you want to allow this application to change
things. Soon, a small blue window with a command prompt will pop
up. Type "ipconfig" then press [ENTER]. The IPv4 entry shows the
workstation IP address on the intranet. The Default Gateway entry
shows the gateway (router that connects the intranet to the
internet). The Subnet Mask says the intranet is 192.168.1.0-255.
Write these numbers down on a piece of scrap paper. You may want
them later.
What is a command window (command box) (DOS box)
(PowerShell window)?
In Windows, a popup window that acts (somewhat) like the (now
obsolete) DOS command line where the user enters instructions
from the keyboard. Warning: The "admin" version allows
admin-equivalent users to run most commands; the standard version
limits what the user can do even if he is also an admin-equivalent
under another user name.
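As an added example (not from the author's notes), the following Python script does the reading of ipconfig output that the appendix describes by hand: it pulls the IPv4 address, subnet mask and default gateway out of a constructed sample of ipconfig text, computes the intranet range to type into Zenmap, and checks the address against the private blocks listed in Appendix I. The adapter name and addresses in the sample are made up.

```python
import ipaddress
import re

# Constructed sample of plain "ipconfig" output in the layout Appendix III
# describes. The adapter and addresses are made up for this example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.66
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
"""

# The "typical" intranet blocks Appendix I lists: 10.x.x.x, 127.x.x.x,
# 172.16.x.x through 172.31.x.x, and 192.168.x.x.
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in
                  ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

WANTED = {"IPv4 Address", "Subnet Mask", "Default Gateway"}
_FIELD = re.compile(r"^\s+(IPv4 Address|Subnet Mask|Default Gateway)[ .]*:\s*(\S+)")

def parse_ipconfig(text):
    """The three numbers the appendix tells you to write down, taken from the
    first adapter that reports all of them. A disconnected adapter prints no
    IPv4 address ("Media disconnected") and is skipped."""
    adapters, current = {}, None
    for line in text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip(": ")
            adapters[current] = {}
        elif current:
            m = _FIELD.match(line)
            if m:
                # "ipconfig /all" appends "(Preferred)" to the address; drop it.
                adapters[current][m.group(1)] = m.group(2).split("(")[0]
    for name, fields in adapters.items():
        if WANTED <= set(fields):
            return dict(fields, adapter=name)
    raise ValueError("no adapter reports an IPv4 address, subnet mask and gateway")

def intranet_range(cfg):
    """The network the PC sits on, from address plus mask: the step the
    appendix does by eye (192.168.1.x with mask 255.255.255.0 means
    'the intranet is 192.168.1.0-255')."""
    return ipaddress.ip_network(f"{cfg['IPv4 Address']}/{cfg['Subnet Mask']}",
                                strict=False)

def zenmap_target(net):
    """Target string in the form the appendix types into Zenmap for a /24
    (192.168.1.0-255); CIDR for any other mask (Nmap accepts both)."""
    if net.prefixlen == 24:
        return str(net.network_address).rsplit(".", 1)[0] + ".0-255"
    return str(net)

def is_private(addr):
    """True if the address lies in one of the intranet blocks above."""
    a = ipaddress.ip_address(addr)
    return any(a in block for block in PRIVATE_BLOCKS)

def describe(text):
    """Everything worth writing on the scrap of paper, plus two sanity checks:
    the gateway must sit inside the intranet, and the PC's own address must
    be private (a public address means no router is in front of the PC)."""
    cfg = parse_ipconfig(text)
    net = intranet_range(cfg)
    gateway = ipaddress.ip_address(cfg["Default Gateway"])
    return {
        "adapter": cfg["adapter"],
        "host": cfg["IPv4 Address"],
        "network": str(net),                       # 192.168.1.0/24
        "first": str(net[0]),                      # 192.168.1.0
        "last": str(net[-1]),                      # 192.168.1.255
        "addresses": net.num_addresses,            # 256
        "zenmap_target": zenmap_target(net),       # 192.168.1.0-255
        "gateway_on_intranet": gateway in net,
        "private": is_private(cfg["IPv4 Address"]),
    }
```

To run it against your own PC, paste the output of ipconfig into SAMPLE_IPCONFIG (or read it from a file) and call describe(); a False in either of the two check fields is worth a second look.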

Appendix IV: Use Nmap with Zenmap GUI to find
out what your intranet looks like
How do I use nmap to find out what my network looks like?
Before you start, make sure every device on your network and
every device attached to your intranet by USB is turned on. BTW:
This includes phones and tablets attached by USB cables. Note:
Nmap is not going to detect devices attached to your network by
Start Zenmap as an admin-equivalent. When a full-screen window
pops up asking you if Zenmap can make changes, click on "Yes".
The Zenmap window will pop up.
Enter the intranet addresses (192.168.1.0-255) you got from
ipconfig and click on the "SCAN" button. Wait patiently: the
scan will take multiple minutes. When done, you can look at the
Nmap/Zenmap results by clicking on the various Zenmap tabs.
What does Nmap/Zenmap tell me about my home network?
Hosts found by Nmap/Zenmap are displayed in the Zenmap host viewer.
Services found by Nmap/Zenmap are displayed in the "Services" tab.
Ports on hosts found by Nmap/Zenmap are in the Hosts > Ports/Hosts tab.
A network image found by Nmap/Zenmap is in the Hosts > Topology > Fisheye
tab.
Output found by Nmap/Zenmap is in the Hosts > Nmap Output tab.
When the scan is done, you will see something like this:


Starting Nmap 7.60 ( ) at 2017-08-19 14:12
Central Daylight Time
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:12

Completed NSE at 14:12, 0.00s elapsed
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating ARP Ping Scan at 14:12
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 14:12, 2.84s elapsed (255 total hosts)
Initiating Parallel DNS resolution of 255 hosts. at 14:12
Completed Parallel DNS resolution of 255 hosts. at 14:12, 5.53s
elapsed
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.1 [host down]
//removed unneeded information
Nmap scan report for 192.168.1.63 [host down]
//found some hosts <- 192.168.1.64, .65, .66
Nmap scan report for 192.168.1.67 [host down]
Nmap scan report for 192.168.1.68 [host down]

//found some hosts <- 192.168.1.69
Nmap scan report for 192.168.1.70 [host down]
//removed unneeded information
Nmap scan report for 192.168.1.253 [host down]
//found host <- 192.168.1.254
Nmap scan report for 192.168.1.255 [host down]
Initiating Parallel DNS resolution of 1 host. at 14:12
Completed Parallel DNS resolution of 1 host. at 14:13, 5.51s elapsed
Initiating SYN Stealth Scan at 14:13
Scanning 5 hosts [1000 ports/host]
Discovered open port 443/tcp on 192.168.1.254
Discovered open port 80/tcp on 192.168.1.254
Discovered open port 49152/tcp on 192.168.1.254
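As an added example (not the author's code), this Python script turns the Nmap Output text above into the inventory that Measures #5 and #6 ask for: it lists the hosts Nmap found up with their open TCP ports and compares them with the list of devices you wrote down on your walkabout, flagging hosts and ports you don't recognize. Both the scan text and the device list are constructed samples in the same layout as the output shown above.

```python
import re

# Constructed sample in the layout of Zenmap's "Nmap Output" tab shown above.
# The hosts and ports are made up; this is not a capture of a real network.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.1 [host down]
Nmap scan report for 192.168.1.64
Nmap scan report for 192.168.1.65
Nmap scan report for office-pc (192.168.1.66)
Nmap scan report for 192.168.1.67 [host down]
Nmap scan report for 192.168.1.69
Nmap scan report for 192.168.1.70 [host down]
Nmap scan report for 192.168.1.253 [host down]
Nmap scan report for 192.168.1.254
Initiating SYN Stealth Scan at 14:13
Scanning 5 hosts [1000 ports/host]
Discovered open port 443/tcp on 192.168.1.254
Discovered open port 80/tcp on 192.168.1.254
Discovered open port 49152/tcp on 192.168.1.254
Discovered open port 3389/tcp on 192.168.1.69
"""

# The list from your last walkabout (Measure #5): each device you know you
# installed, and the TCP ports you expect it to answer on. Constructed sample.
KNOWN_DEVICES = {
    "192.168.1.254": ("business router", {80, 443}),
    "192.168.1.64": ("business PC (wired)", set()),
    "192.168.1.65": ("business PC (wired)", set()),
    "192.168.1.66": ("office-pc", set()),
    "192.168.1.70": ("network printer", {9100}),
}

# "Nmap scan report for 192.168.1.64", "... for name (192.168.1.66)" and
# "... for 192.168.1.0 [host down]" all match; only the last is a down host.
_REPORT = re.compile(
    r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?(?P<down> \[host down\])?$")
_PORT = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\d+\.\d+\.\d+\.\d+)$")

def parse_nmap_output(text):
    """Return {ip: set of open TCP ports} for every host Nmap reported as up.
    A host with no open ports is still listed: it answered the ARP ping, so
    something is plugged in there."""
    hosts = {}
    for line in text.splitlines():
        m = _REPORT.match(line)
        if m:
            if not m.group("down"):
                hosts.setdefault(m.group(1), set())
            continue
        m = _PORT.match(line)
        if m and m.group(2) == "tcp":
            hosts.setdefault(m.group(3), set()).add(int(m.group(1)))
    return hosts

def audit(hosts, known=KNOWN_DEVICES):
    """Compare the scan with the walkabout list. Returns (hosts not on the
    list, listed hosts that did not answer, (ip, port) pairs the list did not
    expect). Each of the three is something to go and look at."""
    unknown = sorted(ip for ip in hosts if ip not in known)
    missing = sorted(ip for ip in known if ip not in hosts)
    unexpected = sorted((ip, port) for ip, ports in hosts.items() if ip in known
                        for port in ports - known[ip][1])
    return unknown, missing, unexpected

def report(text, known=KNOWN_DEVICES):
    """Human-readable findings, one per line, for the quarterly audit notes."""
    hosts = parse_nmap_output(text)
    unknown, missing, unexpected = audit(hosts, known)
    lines = [f"{len(hosts)} hosts up, {len(known)} on the walkabout list"]
    lines += [f"UNKNOWN host {ip}: open ports {sorted(hosts[ip]) or 'none'}"
              for ip in unknown]
    lines += [f"MISSING {known[ip][0]} ({ip}): did not answer" for ip in missing]
    lines += [f"UNEXPECTED port {port}/tcp on {known[ip][0]} ({ip})"
              for ip, port in unexpected]
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NMAP_OUTPUT)))
```

Copy the text from the Nmap Output tab into SAMPLE_NMAP_OUTPUT and replace KNOWN_DEVICES with your own walkabout list; keep the list with your quarterly notes so the next audit has something to compare against.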


