You Can Trust Our Reviews
Deeper Dive: Our Top Tested Picks
Buying Guide: Network & Wireless Security
How Secure are You?
Get a checkup. Vulnerability scanners probe computers on the network for potential security holes, and some even give you instructions on fixing them. There are many excellent commercial scanners, such as Retina from eEye ( www.eeye.com ), the ISS Internet Scanner ( www.iss.net ), and AppDetective by Application Security ( www.appsecinc.com ), which scan for a large number of known problems and are updated as new issues are discovered. You can specify a particular system to scan or, if you give the tools an address range, they will find all systems and scan them for you. 
These are probably overkill for a home network. Instead, you could try the NeWT security scanner, a free tool from Tenable Network Security ( www.tenablesecurity.com ). Microsoft also offers a free tool, the Microsoft Baseline Security Analyzer ( http://www.microsoft.com/technet/security/tools/mbsahome.mspx ), which scans single systems or systems across a network for common misconfigurations and missing security updates. If you administer a business network, you should use these free tools in addition to a commercial scanner.
Scan from within and without. Scans run inside the network probe for vulnerabilities from the perspective of a user already logged on. If you have a firewall in place, your internal environment is protected from many outside threats. Run the scanner from outside your network and tell it to scan your outside IP address. Look for open ports and make sure they're all being used for the applications you want.
Be cautious. Vulnerability scanners can generate a flood of warning messages, many of them doing nothing more than telling you that you did something (like open port 80 on your Web server) that you plainly intended to do. So don't assume the scanner knows more than you, especially when it gives the warning a low priority. Take advice from these programs as suggestions, not orders.
<<back: A Custom Network Neighborhood
Wireless? Go WPA
Even the people who designed WEP (Wired Equivalency Privacy, the first-generation wireless security protocol), admit that it's a weak protocol that's easily outwitted. The next generation, WPA (Wi-Fi Protected Access), is a much better solution, but it's not necessarily available for your old Wi-Fi equipment. Linksys, for example, includes WPA support in all its 802.11g equipment, but added it to only a few of the older, 802.11b devices. See "Wireless Security: WPA Step by Step" at go.pcmag.com/WPA to learn how to upgrade your equipment to WPA.
WPA provides enterprise mode, in which users enter individual usernames and passwords that are checked by a special server, and personal mode, where everyone uses the same shared password. That password is used as a key for encrypting all the data on the network. In our experience, we've found that all home users and almost all small businesses will get along fine with the shared password mode.
A relatively new WPA2 that implements even stronger encryption than WPA is beginning to appear in products. The improvements are benign overkill for home users, but WPA2 is backward-compatible with WPA, so there's no reason not to buy it.
For the best protection, use a passphrase of at least 20 characters and write it down somewhere safe.
Avoid Windows Messenger Spam
If you're using Windows XP or Windows 2000 and connect directly to the Internet, you can fall victim to Windows Messenger Service pop-ups. This is not related to any instant messaging app, but to an arcane network utility called Net Send.
The Net Send message service was used by network administrators to send pop-up messages to all users (like "The server's going down in 5 minutes, so save your work and shut down"), and to let users send notes to one another. 
By default, Windows XP and 2000 both have this service running when you start your computer, with the result that when you are connected to the Internet, anyone who knows your IP address can send you a pop-up message that looks like a Windows alert, not an ad. Some spammers scan through a series of Internet addresses and find computers that have this service turned on. When they find one, they send it a message.
Turn off Net Send. In Windows 2000 and XP, you can turn off the Messenger Service by clicking on the Start button, then selecting Run and typing Services.msc. Press Enter. In the Services window, scroll down to the Messenger entry. Double-click on it to bring up the Messenger Properties window. First click the Stop button to end the Messenger Service. Once the Service status is tagged Stopped, click on the Startup type drop-down box and select Disabled. Now click on OK. You will be brought back to the Services window, and the Messenger Properties window will now say Disabled under Startup type. Close the window and you're done.
Or keep it on. The fix above can eliminate the problem, though it can sometimes get in the way of legitimate application alert functions from antivirus programs, print spoolers, or a UPS device.
If you find that you must keep the Net Send Messenger Service running, you can block external messages using a firewall. When using a hardware or software firewall, block inbound NetBIOS and UDP protocol broadcast traffic. When setting up a personal firewall, such as ZoneAlarm, you may need to create exceptions for your own subnet, or for individual machines with which you want to share data.
Working on the Chain
Some browser hijackers insert themselves into the Windows Winsock (Windows Sockets) component—the mechanism that applications use to make Internet connections—and when they're removed they leave the component broken and unable to connect. 
The new Winsock 2, installed by upgraded versions of Internet Explorer and native to Windows XP, incorporates a feature called Layered Service Provider (LSP), which allows third-party vendors to insert their own code—for monitoring or content filtering—into the Winsock data stream. The feature is also used by spyware companies to facilitate their own monitoring. When a legitimate program (such as Net Nanny or Cybersitter) is uninstalled, it patches up the Winsock. Spyware products don't always extend the same courtesy.
When the Winsock is broken, you may be able to use IM but not e-mail and Web browsing. This odd behavior makes troubleshooting difficult, because you're connected to the Internet and you have an IP address, but the browser still won't work.
The easiest way to fix the broken chain is to use a freeware utility called LSP-Fix. This utility is primarily for Windows 98, though it works on Windows Me, 2000, and XP. It is available from Counterexploitation, a Web site dedicated to identifying and removing spyware, adware, and other malicious programs, at www.cexx.org/lspfix.htm. LSP-Fix works by "reconnecting" the disconnected layers in the Winsock stack. In most cases it can repair the damage without further problems.