Improving security on a home network

[stevech]

Your sensitive data on TruCrypt volumes.. If you're like me, those volumes are not open/mounted except when I'm doing work with the files. So the thief gets nada.

[vnangia]

Quote:

Originally Posted by stevech

Your sensitive data on TruCrypt volumes.. If you're like me, those volumes are not open/mounted except when I'm doing work with the files. So the thief gets nada.

Fair point... but I think there's multiple categories of data - confidential, private, who-cares; I mean, even the family photos could go on to a TrueCrypt volume, but it would be at ridiculous computational cost. Seems to me that a better strategy would be to make it more difficult to break in, no?

And none of that still address my stupidity - for example, accidentally triggering the installation of the Flashback Trojan on my Mac, because I need to have Java installed for certain work applications.

To wit, I've already taken your excellent suggestion on rechecking the ports both inbound and out on the router and I'm putting together a network map to figure out how machines need to and do not need to talk to each other with the view of splitting up the network with VLANs, as recommended by STX and Tim in the discussion above. I'm still not sure whether that addresses my concerns about accidentally bringing a plague of locusts, but we are basically following all of the steps recommended by Krebs here, with the exception of NoScript which makes life nigh impossible on the modern web - try selecting the charts on SNB, for instance

[stevech]

Viruses, spyware, accidental deletion...
I store data on the NAS, not the PCs.
I image the PC disks every week or so, to the NAS.

The one time I got a bad virus/malware I couldn't eliminate, I just roll in the last image or partition backup. I now have these two backups automated on PCs, using Acronis (I've tried most all, and such as it is, Acronis is the best, IMO).

My main PC - has an SSD boot disk (120GB) and a 160GB mechanical disk. Again, I store no data on these, only the OS and programs.
I use Acronis to clone the 120GB to the 160GB quite often. I don't use the 160GB. Worst happens, I just clone the 160 back to the 120. This has saved my rear more than once. Cloning is better than partition imaging, by far, at the cost of a dedicated drive.

[rquared]

Quote:

Originally Posted by vnangia

I suppose the more relevant question is, does it make sense to invest in a SOHO/SMB-class UTM appliance to replace my consumer router - is that the right tool to prevent myself from accidental stupidity and a potential light attack from the kinds of people who hacked Honan last year? (By which I mean script kiddies with preassembled tools rather than a nation-state with an army, more than the precise nature of the attack.) I suppose I'm aiming more for deterrence rather than anything else.

Sophos has a free UTM for home use that is awesome. Astaro UTM Home User version has everything (well almost that corp america has and is fairly straight forward. Untangle also has a product I've used for over a year, but just recently switched to Astaro due to the completeness of the offering. I can't recommend it enough for doing exactly what your talking about! You will need a system with two NICs, but they are cheap. Personally I use an Atom Supermicro server with ESXi installed and Astaro as a VM. Works flawlessly!

Wanna dig deeper and get real geeky, check out Security Onion.

Hope that helps.