Set Up Always On Home Virtual Private Network (VPN) Using DD-WRT and a Linksys Router

Last article I went over basic Home Network Security– let’s move on to something a bit more advanced- here’s how to set up an always on Home Virtual Private Network (VPN). What does a VPN do, and why do I need it? Simply put, a VPN creates a tunnel between two endpoints. The endpoints can be clients, such as your PC or even your smart phone. They can also be routers and servers. This tunnel creates a secure VPN connection that prevents interception of plain text and exploitation of the traffic. Also, to the outside world, your connection appears to be sourced at the VPN server, rather than your laptop. This allows you to do things like watch American shows on Hulu from outside the US- or access websites blocked by your normal internet access.

For example, let’s say you were in a coffee shop, or an airport with your laptop, and you connect to the free wireless hotspot. Many business travelers do this on a regular basis. Without a VPN, an unscrupulous person could intercept your email and passwords, provided you’re using the standard POP3/SMTP protocol (if you’re logging into webmail and using SSL/TLS (look for the lock in your browser) you’re fine). Recently there was a great deal of talk in the security community about Firesheep, a Firefox addon that allows a hacker to not only see your social networking credentials (i.e. Facebook, Twitter, etc.), but to also take over your profile. Anyway, if you’re using any wireless you didn’t set up yourself, consider it insecure. By using a VPN client, you create a tunnel between your laptop and the VPN server, and the communication is encrypted. Even if your traffic is intercepted, it cannot be read. Your passwords- your Facebook, remain your information. Corporate travelers usually have a company VPN. For folks who don’t, I recommend StrongVPN. They have a variety of plans, and VPN servers located all over the world, and I used them for this setup.

Pick a Plan

Right now, check your IP address on the front page of StrongVPN. It’s in the top right corner. Or you can just click What is my ip? Write that down, we’ll call it your ISP IP. (This is how we can tell when we’re using the VPN or not- this number will change when we connect.) When you first look over the site, they have quite a few options. Don’t worry, it’s not nearly as complex as it looks. If you look at their packages you can see they range from $7 a month (two servers), all the way up to $30 a month for all their servers (133 in 14 countries as of this writing). Usually they have an annual special- which breaks down to $5 a month or so, depending on what you select. For our purpose, the 4 country PPTP plan will do, although I recommend the OpenVPN version.

PPTP versus OpenVPN

PPTP (Point to Point Tunneling Protocol) is a much older protocol, that allows up to 128bit encryption. Because it has been around for so long, it pretty much runs on a variety of clients (like mobile phones), and is easy to set up. In fact, you don’t need any special software to run PPTP- if you check out the setup instructions you can see you’re basically just adding a network connection. This is the fastest and easiest option. However PPTP is vulnerable to a number of attacks- you can read more on that at SANS. It’s certainly better than no protection at all, but OpenVPN is better still. OpenVPN allows encryption from 128 bits all the way to 2048 bits. It uses SSL/TLS encryption (you may have seen it referred to as an SSL VPN), and public key infrastructure, and it is more secure. Of course OpenVPN is a bit more expensive, so the choice is up to you.

Connect With Your Computer First

One time I had a speaker cutting in and out in my car. Being a hands on engineer, I of course disassembled the stereo, and measured the output with a meter. There wasn’t a problem. Somewhat puzzled I put it back together- and as I was putting the toolbox back behind the seat, I noticed the speaker wire was loose. This taught me a lesson that’s as valuable in networking as it is in electronics. Start with the simplest item and work forward- not the most complex. Before we touch the router to set up that virtual private network, make sure you can connect with your computer. If you happen to have a laptop this is particularly useful, as you’ll have the configuration already in place for your next trip. Once you’ve signed up with StrongVPN, you’ll get a welcome email. If you picked the PPTP plan, you’re going to get your server username/login; if you’ve signed up for an Open plan you’ll also receive a zip file with the software. Normally I’d detail the steps with screenshots, but StrongVPN has step by step instructions with screenshots on their setup page. In addition, they also have live 24/7 support directly off the web page, via a custom instant messaging interface. It’s hard to go wrong, but if you do, help is literally a click away. Once your VPN connection is up and working, go to StrongVPN and write down your VPN IP address- that’s in the top right corner.

Testing Connection Speed

Okay, once you have the VPN connection working, it’s worth your time to do a speed test. Click the “Start Test” button and try a few of the servers in your plan. You want the closest one possible. They also have some speed suggestions to keep in mind. Now’s a good time to mention that encryption comes with a price- speed. When you use your router as your VPN client, it’s going to be even slower. If you don’t have an acceptable speed with the client VPN, try a different server. To change servers, login to the customer area at StrongVPN, click the ‘VPN Accounts Summary’ link in the lefthand column. Next click ‘change server’ and then pick the new server. You’ll get another email, but if you want the VPN connection information immediately you can go back to the ‘VPN Accounts Summary’ and click ‘View Greeting’. You may consider not implementing the VPN (they have a 7 day no questions refund policy) if you’ve spoken with support and tried several servers. As a frame of reference, my VPN speed encrypted from the client PC is about 70% of the unencrypted speed. Using the router, it’s about 45%. That’s not insignificant, but in my case it is acceptable (having a fast connection to begin with helps quite a bit.) Be sure to check your speed unencrypted, encrypted from your PC, and encrypted using the router.

Flashing Your Router with DD-WRT

DD-WRT is a free Linux based operating system that runs on a variety of small home office routers. What you do is replace the firmware in your manufacturer’s router (this most likely voids your warranty, but you can flash the original firmware back), which enables quite a bit of diverse functionality. You can see graphs of your network usage- adjust your wireless power settings, and of course connect to a VPN gateway, all without having to invest in additional VPN hardware. However, getting there can be tricky, so a warning is in order. If you fail to follow the instructions exactly- you may “brick your router”- which is as bad as it sounds. You basically have an expensive paperweight. Now I’ve flashed probably a dozen or so routers with DD-WRT and never had a problem, but proceed at your own risk- here’s what you need to do:

  1. Locate your router in the database, and READ the entire entry. If you’re not sure what you have, you can usually find the exact model on the bottom of the router. Might as well check it now, you’re going to be handling it a bit during the flash. For this project I’ve got a Cisco/Linksys WRT-310N. I had it on hand, and it has the horsepower to do an adequate job as a VPN router. If you’re buying a new router, you should consider the Cisco WRT 320, or the ASUS RT-N16. I’m basing that on CPU speed, a faster CPU will perform better under the load of a VPN. By way of comparison, the 310N I used is running at 300Mhz with 32M RAM. The 320N runs at 354Mhz with 32M, and the Asus runs at 480Mhz with 128M of RAM. Note: if you have a Linksys W54, your CPU speed varies by model. If you’re on the slow side, it’s worth a shot, but you may not be happy with performance. Here’s my entry from the 310N. Notice there’s a link for additional instructions.
    Linksys WRT-310N Entry in the Router Database
  2. Read and Save the Instructions- If you click File>Save on your browser you’ll notice you can save an entire web page to your computer. Go ahead and do that- there’s nothing worse than having no internet connection and not being able to connect to get instructions on how to proceed. Notice that my router has a recovery instructions link- if yours does as well, go ahead and save that page too (just in case.)
  3. Save any ISP specific settings, or customizations you made to the configuration of your router. At the very least print them out.
  4. Download the appropriate VPN build of DD-WRT. StrongVPN doesn’t specify, but you need VPN for the OpenVPN to work.
  5. Read the entire flash procedure for your router, and follow it exactly. Here’s a great article about the entire generic installation. The 30-30-30 Hard reset is a pain to complete- but it can be the difference between success and failure- just complete it as directed. Go ahead and Flash the router with DD-WRT.
  6. If things didn’t go as planned, plug your internet connection directly into your computer bypassing the router (you do have your firewall up, right?). Go to recovering from a bad flash.
  7. If everything went fine, you need to change your username and password, which DD-WRT prompts you to do (default user/pass is: root/admin). Now is a great time to go through each page of the admin and set up your wireless network security.
  8. Go to the administration page, backup subtab, and at the bottom click “backup”. This stores your settings, so you can come back to the configuration if you need to.

Set Up Always On Home Virtual Private Network (VPN)

Okay, now for the moment of truth: setting up the VPN. Actually it’s probably anticlimactic after all that preparation- here’s the configuration for your VPN tunnel, first PPTP and then OpenVPN. After you configure your version jump to the Verifying Your VPN section.

Configure PPTP VPN Client with DD-WRT

  1. Log in to your DD-WRT router from the web interface.
  2. Open the Service>VPN subtab
  3. Select PPTP Client Options Enable
  4. For Server IP enter the IP address of your VPN server from your welcome email. If you haven’t received that, login to the customer area at StrongVPN, click the ‘VPN Accounts Summary’ link in the lefthand column. Next click ‘View Greeting’, and you can copy the information from there. If the IP address of the server isn’t listed, you can open a command prompt (start>programs>accessories>command prompt), and type (everything after the green bar):
    ping vpn-sf1.reliablehosting.com

    replacing that first part with your server name.

  5. For Remote Subnet enter your VPN IP address, the one you got from the StrongVPN homepage WHILE connected via VPN from your computer.
  6. Remote Subnet Mask is 255.255.255.0
  7. For MPPE Encryption enter (everything after the green bar):
    mppe required,stateless
  8. Leave MTU, MRU and NAT at their default values
  9. Username and password are the values from the greeting email.
  10. Click Apply Settings.
  11. Under the Setup>Basic Setup subtab, Network Address Server Settings (DHCP)
    Set DNS 1 to (everything after the green bar):

    216.131.94.5

    Set DNS 2 to(everything after the green bar):

    216.131.95.20

    If you leave the last two addresses blank, your router MAY sometimes use your ISP DNS- which means your queries would be in their logs. If it is important that this not happen, you can load Google DNS servers as the last two entries.

    Set DNS 3 to(everything after the green bar):

    8.8.8.8

    Set DNS 4 to(everything after the green bar):

    8.8.4.4
  12. Click Save
  13. Open the Administration>Command subtab, and paste the following code (after the green bar) in the window:

    # Builds /tmp/firewall_script.sh: route everything through ppp0, keep a host
    # route to the VPN server via the ISP gateway, and re-create the router's
    # port forwards on the VPN address. \$2 is escaped so awk expands it later.
    echo "sleep 40" > /tmp/firewall_script.sh
    echo "gw=\`ip route ls to 0/0|cut -d ' ' -f3\`" >> /tmp/firewall_script.sh
    echo "vpnsrv=\$(nvram get pptpd_client_srvip)" >> /tmp/firewall_script.sh
    echo "dynvpnip=\$(ifconfig ppp0 | grep 'inet addr' | grep -v '127.0.0.1'| awk '{print \$2}' | cut -d: -f2)" >> /tmp/firewall_script.sh
    echo "vpnip=\$(nvram get pptpd_client_srvsub)" >> /tmp/firewall_script.sh
    echo "route add -host \$vpnsrv gw \$gw" >> /tmp/firewall_script.sh
    echo "route del default" >> /tmp/firewall_script.sh
    echo "route add default dev ppp0" >> /tmp/firewall_script.sh
    echo "iptables -t nat -I POSTROUTING -o ppp0 -j SNAT --to-source \$dynvpnip" >> /tmp/firewall_script.sh
    echo "for i in \`echo \$(nvram get forward_spec)|sed 's=\ =\n=g'|grep on|grep tcp\` ; do" >> /tmp/firewall_script.sh
    echo "iptables -t nat -A PREROUTING -p tcp -i ppp0 -d \$dynvpnip --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j DNAT --to \`echo \$i|cut -d \> -f 2\`" >> /tmp/firewall_script.sh
    echo "iptables -A FORWARD -p tcp -i ppp0 -d \`echo \$i|cut -d \> -f 2|cut -d : -f 1\` --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j ACCEPT" >> /tmp/firewall_script.sh
    echo "done" >> /tmp/firewall_script.sh
    echo "for i in \`echo \$(nvram get forward_spec)|sed 's=\ =\n=g'|grep on|grep udp\` ; do" >> /tmp/firewall_script.sh
    echo "iptables -t nat -A PREROUTING -p udp -i ppp0 -d \$dynvpnip --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j DNAT --to \`echo \$i|cut -d \> -f 2\`" >> /tmp/firewall_script.sh
    echo "iptables -A FORWARD -p udp -i ppp0 -d \`echo \$i|cut -d \> -f 2|cut -d : -f 1\` --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j ACCEPT" >> /tmp/firewall_script.sh
    echo "done" >> /tmp/firewall_script.sh
    echo "for i in \`echo \$(nvram get forward_spec)|sed 's=\ =\n=g'|grep on|grep both\` ; do" >> /tmp/firewall_script.sh
    echo "iptables -t nat -A PREROUTING -p tcp -i ppp0 -d \$dynvpnip --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j DNAT --to \`echo \$i|cut -d \> -f 2\`" >> /tmp/firewall_script.sh
    echo "iptables -A FORWARD -p tcp -i ppp0 -d \`echo \$i|cut -d \> -f 2|cut -d : -f 1\` --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j ACCEPT" >> /tmp/firewall_script.sh
    echo "iptables -t nat -A PREROUTING -p udp -i ppp0 -d \$dynvpnip --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j DNAT --to \`echo \$i|cut -d \> -f 2\`" >> /tmp/firewall_script.sh
    echo "iptables -A FORWARD -p udp -i ppp0 -d \`echo \$i|cut -d \> -f 2|cut -d : -f 1\` --dport \`echo \$i|cut -d : -f 4|cut -d \> -f 1\` -j ACCEPT" >> /tmp/firewall_script.sh
    echo "done" >> /tmp/firewall_script.sh
    sh /tmp/firewall_script.sh &

  14. Click Save Firewall

    This bit of code comes from the dynamic IP forum thread, which was helpful in getting the router online. Will at Sabai Technology wrote the code, and also sells pre-configured routers. The original forum post is here- notice I specifically left the SPI firewall on. Dropping it leaves your network exposed. If you need to drop it to get the configuration working, do so briefly (with your computer software firewall on)- but DO NOT leave it off.

  15. Now login to the router via the web interface, go to the Administration>Management subtab, and click ‘Reboot Router’. The router will reboot, and after about 5 minutes the VPN connection should come up.
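
The firewall script above selects port forwards from "nvram get forward_spec" with "grep on" and "grep tcp", which match anywhere in an entry, so a disabled forward whose name happens to contain "on" is still re-created on ppp0. The audit below is an added example, not part of the original post or the forum script; the entry layout name:on|off:proto:port>ip:port is inferred from the script's cut calls, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: list the port forwards that would be exposed on the VPN
# interface. Entry layout (inferred from the cut calls in the script above):
#   name:on|off:tcp|udp|both:wan_port>lan_ip:lan_port

# Constructed sample. On the router use: SPEC="$(nvram get forward_spec)"
SAMPLE_SPEC='web:on:tcp:8080>192.168.1.10:80 console:off:tcp:2222>192.168.1.20:22 dns:on:udp:5353>192.168.1.53:53 game:on:both:27015>192.168.1.30:27015'

# Strict parse: compare the state and protocol fields exactly and print
# one "proto wan_port -> lan_ip:lan_port (name)" line per enabled rule.
enabled_forwards() {
    for entry in $1; do
        left=$(echo "$entry" | cut -d '>' -f 1)
        target=$(echo "$entry" | cut -d '>' -f 2)
        name=$(echo "$left" | cut -d : -f 1)
        state=$(echo "$left" | cut -d : -f 2)
        proto=$(echo "$left" | cut -d : -f 3)
        port=$(echo "$left" | cut -d : -f 4)
        [ "$state" = "on" ] || continue
        case "$proto" in
            tcp|udp) protos=$proto ;;
            both)    protos="tcp udp" ;;
            *)       continue ;;
        esac
        for p in $protos; do
            echo "$p $port -> $target ($name)"
        done
    done
}

# The selection the script above performs: substring matches on the whole entry.
loose_match() {
    echo "$1" | tr ' ' '\n' | grep on | grep "$2"
}

# Entries the substring filter selects although their state field is not "on".
wrongly_selected() {
    for entry in $(loose_match "$1" "$2"); do
        state=$(echo "$entry" | cut -d : -f 2)
        if [ "$state" != "on" ]; then echo "$entry"; fi
    done
}

echo "Enabled forwards:"
enabled_forwards "$SAMPLE_SPEC"
echo "Selected by 'grep on | grep tcp' but not enabled:"
wrongly_selected "$SAMPLE_SPEC" tcp
```

Run it against your own forward_spec before rebooting; anything in the second list is a forward you switched off that would still be opened on the VPN address.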

Configure OpenVPN Client with DD-WRT

  1. Enable the Secure Shell daemon (SSHd) on the Services>Services subtab. Leave it at the default port of 22. Click ‘Save’
  2. Enable SSH Remote Management, again on port 22 on the Administration>Management subtab.
  3. Extract ovpnNNN_ddwrt.sh (where NNN is your server) from the zip file they sent you with sign up. Didn’t get it? Login to the customer area, click the ‘VPN Accounts Summary’ link in the lefthand column. Next click ‘View Greeting’, and then there’s a link to download the configuration zip. You use it to install the client software, and the .sh file contains all the security information your router needs to connect.
  4. Connect to your router to do a secure copy (SCP). There is one gotcha here- your username is “root”- REGARDLESS of your web interface username. The password is the same as the web interface. Once you have a connection, copy ovpnNNN_ddwrt.sh to the /tmp directory. Hang in there, we’re almost done.
  5. Now we’re going to run the script. To do that, connect with SSH, and enter the following command (everything after the green bar):
    sh /tmp/ovpnNNN_ddwrt.sh
  6. Now login to the router via the web interface, go to the Administration>Management subtab, and click ‘Reboot Router’. The router will reboot, and after about 5 minutes the VPN connection should come up. Here’s the complete forum thread on how to accomplish that on StrongVPN if you need additional details. I changed a couple of minor details (left off logging, reboot from the web interface because the ssh command sometimes fails, etc.) If it’s not working work through their method, and then open a ticket- they’re VERY good about responding quickly.

Verifying the Virtual Private Network is Working

There’s a couple of ways you can check this. You can go to the StrongVPN homepage and check your IP- or you can visit What is my ip? and make sure you have a different IP address than your previous ISP address. There’s also a Firefox addon called Show My IP that shows your externally visible IP at all times in the bottom right of the browser. Finally, I usually run a quick scan at GRC Shields Up, just to make sure I don’t have any errant ports open.

Got it all working? Log in to the DD-WRT web interface, go to the administration page, backup subtab, and at the bottom click “backup”. This stores your settings, so you can come back to the configuration if you need to. Congratulations on setting up a permanent virtual private network. Now every machine on your home network has an encrypted connection to the Internet.
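
The IP checks above tell you what the outside world sees; the router-side check below covers the two quiet failure modes of an always on setup, the default route falling back to the ISP when the tunnel drops and the resolver list containing a DNS server you did not choose (the DNS note in the PPTP steps). It is an added example, not code from the original article or from StrongVPN; the routing tables, the resolver file and the 203.0.113.10 server address are constructed, and ppp0 is the PPTP interface name used by the firewall script (pass your tunnel device for OpenVPN).

```shell
#!/bin/sh
# Added example: confirm the router really sends traffic through the tunnel.
# On the router, pass "$(ip route)" and the contents of its resolver file.

# Routing table in the state the PPTP firewall script aims for (constructed).
ROUTES_UP='203.0.113.10 via 198.51.100.1 dev vlan2
10.8.0.1 dev ppp0  proto kernel  scope link  src 10.8.0.23
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
default dev ppp0  scope link'

# Same router after the tunnel dropped and the ISP default came back (constructed).
ROUTES_DOWN='198.51.100.0/24 dev vlan2  proto kernel  scope link  src 198.51.100.77
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
default via 198.51.100.1 dev vlan2'

# Resolver list with one server that is not on the configured list (constructed).
RESOLV_SAMPLE='nameserver 216.131.94.5
nameserver 192.0.2.53
nameserver 8.8.8.8'
# The four DNS servers entered in the PPTP steps of this article.
ALLOWED_DNS='216.131.94.5 216.131.95.20 8.8.8.8 8.8.4.4'

# Print the output device of the route whose destination is $2.
route_dev() {
    echo "$1" | awk -v dest="$2" '
        $1 == dest {
            for (i = 2; i < NF; i++)
                if ($i == "dev") { print $(i + 1); exit }
        }'
}

# Args: routing table text, VPN server IP, tunnel device. Returns 0 when the
# default route is on the tunnel and the server itself is reached via the WAN.
vpn_status() {
    def_dev=$(route_dev "$1" default)
    srv_dev=$(route_dev "$1" "$2")
    if [ "$def_dev" != "$3" ]; then
        echo "LEAK: default route is on ${def_dev:-nothing}, expected $3"
        return 1
    fi
    if [ -z "$srv_dev" ] || [ "$srv_dev" = "$3" ]; then
        echo "BROKEN: no WAN host route to VPN server $2"
        return 1
    fi
    echo "OK: default route on $3, VPN server $2 reached via $srv_dev"
}

# Args: resolv.conf text, space-separated allowed servers. Prints the others.
unexpected_dns() {
    echo "$1" | awk '$1 == "nameserver" { print $2 }' | while read -r ns; do
        case " $2 " in
            *" $ns "*) ;;
            *) echo "$ns" ;;
        esac
    done
}

vpn_status "$ROUTES_UP" 203.0.113.10 ppp0
vpn_status "$ROUTES_DOWN" 203.0.113.10 ppp0 || echo "-> traffic would leave via the ISP"
echo "Unexpected DNS servers: $(unexpected_dns "$RESOLV_SAMPLE" "$ALLOWED_DNS")"
```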

Home Network Security 101

We (justifiably) spend a great deal of time and effort on Corporate Network Security, but what gets very little attention is Home Network Security. Many of today’s modern home routers, by companies such as Linksys (now Cisco) and D-Link are a snap to connect, and now it is not uncommon to have multiple devices on a home network. Ten years ago a small office would have two or three computers and a T1 internet connection (1.54M down)- now you can see that many devices in many of your neighbors’ houses with ten times the bandwidth. Got an Xbox or a Tivo? You can put those on your home network too. Wireless throughput has increased more than 25 times from its introduction, and setting up a laptop where you sit in the backyard and work on the internet is nothing more than a 20 minute project. Although this article is not a comprehensive guide to home network security, I should mention that home wireless security is a HUGE issue- more on that later.

Network security, and computer security in general is always a compromise between convenience and security. Pull that wireless router out of the box, plug it in, and with the default settings you have a working, albeit insecure network. The manufacturers have worked very hard to make it easy- but easy does not protect your personal information. If you work from home, or do your banking online, the threat is multiplied. Take a look at your entire infrastructure (in the trade this refers to servers and desktops, network components, and physical wiring. At home it’s your computers and home router- possibly including switches and other network devices like Tivos, Playstations, wireless printers, etc.) Here’s a brief look at what you should examine.

Home Network Security 101

  1. Latest Operating System Patches
    With corporate infrastructure, it really is amazing how many worms and intrusions can be prevented using good old patch management. I’ve heard all the excuses on why the machines aren’t patched, most don’t hold water, with the exception of “It breaks my applications I need to do business.” For home users it’s MUCH simpler; I’ve never had an update break a commercial application for any friends or family members’ computer. That doesn’t mean it can’t happen, but it is certainly rare (I do, however, recommend you update your drivers from the manufacturer’s website rather than Windows Update- driver updates are always optional on Windows Update.) What I have seen time after time is a machine compromised by an exploit that is months and sometimes years old. With Microsoft Windows machines, you can easily update your machine automatically using Microsoft Update. It’s fine to apply the updates automatically- although you may want to disable your startup and exit sounds– it’s unsettling to have a computer in the next room reboot at 3am and wake you out of a sound sleep. You can read more on setting up Windows update on my previous post, Travel Tips for Your Laptop. You can also check out Automatic Mac Updates if you have a Macintosh.

  2. Up to Date Anti-virus
    If you are running a computer on the internet, you need anti-virus (AV). I’ve seen lab computers that were not connected to the internet become infected with a virus from a USB flash drive- so anti-virus all the time is a good policy. We’ve found Eset to be the fastest and most reliable, and they also offer multiuser packages for a discount. Since I provide technical support for a number of friends and family members, I buy a multi-user license every year and install it on everyone’s machine. The hours I don’t spend fixing virus infections make this small investment more than worth it. As for free solutions, Grisoft puts out a solid product with AVG. If you have the means I recommend purchasing your AV, it’s one piece of software that requires constant updates and care of skilled developers.

  3. Good Malware Scanner
    So you have AV- why do you need anti-malware? Well unfortunately most AV packages do not catch the variety of malware and adware out there. You can purchase consolidated products, but there is definitely value in having a multi-layered defense. I’ve had particularly good luck with Malwarebytes Anti-Malware (free, or you can purchase the full version, again well worth it.), Spybot Search and Destroy, and Lavasoft Adaware. Bonus Tip: If you’re using Firefox as your browser, Adblock Plus can get rid of ads on websites. Consider turning it off on websites you frequently visit/trust, as you may negatively affect the webmaster’s revenue.

  4. Firewall, preferably Hardware
    One of the nice benefits of the home router is the included firewall. Be sure yours is enabled. A quick scan using GRC Shields Up can give you a quick baseline of your level of protection. If you do not have a hardware firewall- please ensure you have some type of software firewall in place- either the Windows Firewall or a third party product such as Zone Alarm prior to connecting to the Internet.

  5. Lock Down Wireless
    If you’re using wireless with the default SSID, the default password, and WEP or no security, please download this document and update your security. I’ll wait. Really, lock down your wireless now. Just to put it in perspective, if someone manages to get on your wireless, YOU are liable for any civil tort or criminal activities they conduct- makes sharing that connection seem much less attractive, huh?

  6. Backups
    Backups and Disaster Recovery are an important part of security that many people overlook. For home users, you need a way to get back your data after a virus- or an emergency such as a fire or burglary. Without going into a ton of detail, a regularly scheduled imaging solution, such as Acronis True Image can be a lifesaver. At the very least, use the free backup utilities that come with your operating system, such as Windows Backup. For extra protection, use external storage and don’t have the completed backup right next to the computer. Imagine if you had a fire- you’d lose the data and the backup at the same time, which can be doubly painful.

Home Network Security is important, and unfortunately often overlooked. Spend your free time on your computer doing what you love- not cleaning out viruses or trying to get back lost files.

Old Fashioned Security and Brand New Technology

If you’re a fan of Star Trek the Next Generation or classical theater, you might recognize Patrick Stewart- he has an interesting take on Twitter, email and the Internet. What’s fascinating is that he embraces some, but not all technologies to communicate. Selection of those tools seems to be very much a function of age. While email has long been a staple for myself and the engineers/consultants, some time ago I had to expand my cell plan to include text support. We’re certainly not up late at night talking about the latest movies or fashion, but it is very effective at sending a short update on a server outage or a meeting update. What I have discovered is that depending on the age group and business we’re working with, you can see a wide variety of communication tools in use- and the effective leader has to learn what works best for their team. At the end of the day, a simple paper filing system that is flexible enough to handle the workload without error will outperform a brilliant ERP system that is either improperly implemented, or not endorsed by employees and management.

Pingdom has an interesting study on 19 of the popular social networking sites, and where they fall with each age group. As consultants, our job is to marry the technology with the business need. Sometimes we make suggestions on which technology to implement- sometimes we just make it work. What I have noticed fairly consistently, both with businesses and individuals, is a lack of concern for basic security. By security, I’m talking not only about corporate proprietary information, but also personal information as well. Social sites can open up the company to malware, as well as other less obvious vulnerabilities. For example, I had one client who had an employee open up a Facebook page for the company- without its knowledge. Would you want your firm represented by the mail clerk publicly? Many of these types of problems can be avoided in the first place by good documentation- policies and procedures that specifically govern when and how electronic communications, be it email, twitter or Orkut, are to be used. Many people are surprised to learn that instant messages are discoverable in court cases- how would your company fare if some of what people believe is private communication got out? So the answer to the corporate question is to prepare for and educate the user base on official use of the technology. Best case scenario you avoid a problem to begin with, and if it gets to a point when the legal system is involved you at least have a foundation where you set out clear guidelines.

Personal use can also be a problem. The University of Maryland conducted an interesting study noting a druglike addiction to social networking among students. How many of your colleagues can disconnect without some degree of anxiety? The fact that technology has enabled us to communicate and collaborate like never before is a great thing. What’s not so great is not everyone realizes that once you put information out there, not everyone who reads it is your friend. For example, Craig Lynch, an escaped fugitive, taunted police on Facebook. Of course he was later captured- perhaps not the smartest course of action. Stepping away from the criminals however, employers are now checking Facebook prior to hiring- as well as for active employees. What might be a funny picture to friends and family may not cast you in the best light with your boss.

One of my junior engineers built a website on Mexican cooking. It was very well done- however he added a good deal of personal information about himself and his wife in the about section. Like when he was home, where she went to school, as well as pictures. That coupled with the whois information on the website, provided his home address, his schedule and his home phone number. Couple that with location awareness integration and you have a recipe for disaster. After I showed him what he was broadcasting he made a few changes, and now the website is all about delightful cuisine and not where to find him and his family.

Really at the end of the day it’s about common sense. Does your toddler need a Facebook page? Should you really share your spending habits and credit card information online? Be careful what you say in email, instant messages and texts. While most administrators don’t have the time to read them- we can if we have to. We will if required by law. The simplest way to stay out of trouble is something I learned a long time ago. It’s called the “Grandma Rule”. If you wouldn’t want your Grandma to read it- then don’t write it.

Travel Tips For Your Laptop, Part II

In the first part of the article, Travel Tips For Your Laptop, Part I, I went over how to get your computer ready for a trip. Now I’ll continue on with some of the tricks of the trade that the consultants and I have developed over the years to make traveling easier, and more painless. Let’s talk a little bit about luggage and gear.

Get The Right Computer Bag
A good computer bag can make the difference between showing up at a client looking haggard and hurried or presenting a professional and prepared image. First off, ditch the bag with a strap. If you have your laptop, an extra battery, maybe an external drive, you’re going to be putting a lot of stress on your shoulder. It can also slip off when you get bumped- dropping thousands of dollars worth of equipment onto the ground. Finally the shoulder bags tend to wrinkle your suit or dress. You want a bag that will not add to the stress of your trip, or to your fatigue as you invariably have to walk to the furthest point in the terminal to catch your connecting flight. We’ve had great luck with the Samsonite Wheeled Portfolio Computer Case. This bag has enough room for your laptop, the associated peripherals with room to spare for reading/presentation materials, and several well thought out additions, such as a clip to hold your keys in the front pocket. There are organizers for pens, and a pouch that holds a business card holder nicely. There are also a few removable, zipped mesh bags that are held in place via velcro. You can put all the little parts of your cell phone, or ipod in one, and know exactly where that charger is, or never lose that USB thumb drive again. Walking through the Denver airport, I pulled it with one finger, so the handle while rugged, balances out the load perfectly. It also stows comfortably in an overhead bin, or under the seat. It’s simply the best travel bag for a laptop we’ve found.

Gadgets for the Road Warrior
First off, you’re going to need more USB ports. Invariably you’ll need to plug in your blackberry, or USB external drive, and you’ll be out of slots on the computer. A simple and quick solution is the USB Squid, which allows you to turn your last USB port into 4. It’s particularly handy because each port is on its own cable, allowing you to place the peripherals where you want them.

Next up, we use one type of USB flash drive for anything proprietary. The Iron Key was originally developed for military applications- in fact I should probably write a post about its features. Just to summarize, this amazing drive is encrypted with AES, and allows you to securely store documents, as well as passwords. It comes with a hardened version of Firefox. It’s also filled with epoxy, so if anyone did happen to steal it and attempt to remove the chips, they’re going to be out of luck. It’s waterproof- and if you put the wrong password in 10 times, the security chip destroys itself. It’s the ultimate USB flash drive. They’re expensive, but they’re worth it when you’re concerned about security.

So what about an external USB drive? We’ve tried several different brands, including buying the enclosure and building them ourselves. The best balance of price and performance has been the Western Digital My Passport Essential USB 2.0 Portable Hard Drive. You can get half a terabyte for a little over $100 as of this writing, which is big enough for most applications. We’ve found in some emergency situations it’s cheaper to load up a couple of hundred gig backup onto one of these drives and fly out to a site than to wait for the data to transfer over the wire. They’re handy for a variety of uses- including backups, storing your presentations, and of course holding .iso images of CDs.

Wearable Luggage – The Amazing SCOTTEVEST Products
I saved some of the coolest technology for last. SCOTTEVEST has developed a line of clothing designed to accommodate all your gadgets. There are jackets that will hold a LAPTOP. Shirts with integrated loops for your iPod in the collar. iPhone pockets that are touch sensitive and allow you to push buttons. I’ve had the Essential Jacket so loaded that I didn’t need to bring another bag- 18 pockets will do that for you. The website has a cool X-Ray view so you can see how many pockets are where, and suggested items to put into them. The nice thing about SCOTTEVEST is the pockets are cut and located so you can’t tell you have all the gear, but it is easily accessible.

With a little planning and the right equipment, traveling with your laptop is easy. If I missed anything or you have additional suggestions, feel free to leave a comment.

Travel Tips For Your Laptop, Part I

My consultants and I travel with a computer for a living, and over the years we’ve come up with several travel tips for your laptop. Some technical, some not, all the product of way too many passes through the security checkpoint. It’s not hard to get everything organized, you just need to do a bit of planning.

Pretrip Planning
Like many things in life, the better you prepare, the better the result. First off, you want to make sure your computer is running well before you leave the house. Here are a few things to check so you don’t have any unpleasant surprises on the road:

  • Disk Space – Check to make sure your laptop has adequate space. As a minimum guideline, we recommend you have at least 10% of your drive free. You can check it in Windows XP by going to Start>All Programs>Accessories>Windows Explorer. Right click the “C:\” folder in the left pane, and click on “Properties”. For Vista, click the pearl (circle with the windows flag)>All Programs>Accessories>Windows Explorer. In the left pane, expand the “Computer” folder by clicking the triangle right before the folder. Right click the “C:\” folder in the left pane, and click on “Properties”. If you don’t have enough space you can use the “Disk Cleanup” button. We don’t recommend the option to compress a laptop drive- since most of them spin at 5400RPM anyway, they’ll be noticeably slower. This should be fine for most people. If you’re comfortable with the computer’s file system, there’s a handy utility called Disk Data. It allows you to sort the folders by size, and also has graphs, so you can find that rogue temporary file and delete it.
  • Disk Fragmentation – One of the most common causes for a slow computer is a fragmented drive. When your computer writes files to your disk, it does so in sequence whenever it can. Over time, as new files are added and removed, gaps are created, and the drive heads have to go to more places to retrieve files. Since this physical head movement is often the bottleneck on your system (particularly laptops), performance of the entire machine suffers. The solution is to defragment your drive, which is easy to do. In Windows XP, go to Start>All Programs>Accessories>Windows Explorer. Right click the “C:\” folder in the left pane, and click on “Properties”. Now click the “Tools” tab at the top of the window, then click the “Defragment Now” button, and click “Defragment Now”. For Vista, click the pearl (circle with the windows flag)>All Programs>Accessories>Windows Explorer. In the left pane, expand the “Computer” folder by clicking the triangle right before the folder. Right click the “C:\” folder in the left pane, and click on “Properties”. Now click the “Tools” tab at the top of the window, then click the “Defragment Now” button, and click “Defragment Now”.
  • Anti-Virus/Malware Scan – Malware can ruin your day, and if you’re on the road it can cripple your computer. Make sure you have a good AV program installed. Currently we like Eset for anti-virus, and Malwarebytes for anti-malware; we’ve had good luck removing a variety of threats. We’ve noticed it doesn’t load the system down like the competitors, which is particularly important with the slower laptop drives.
  • Windows Update – With our corporate clients, we use a tiered testing approach to validate patches work before rollout to prevent downtime and minimize bandwidth utilization across the WAN. For home users we recommend you have automatic updates enabled. The risk of potentially creating a conflict that disables an application or your computer is relatively low compared to the risk of damage from an exploit. Keeping a machine that is frequently on public networks (i.e. airports and hotel wireless networks) up to date is doubly important, as they are frequently targeted and don’t have the benefit of an additional hardware firewall at the office. To check your setting in XP go to the control panel, then automatic updates. In Vista, control panel, system, security center, automatic updating. Got that? Great, now before your trip, make sure you visit Windows Updates (using Internet Explorer), and download all pending updates in case the automatic setting hasn’t installed before you leave. Reboot your computer after the install. There’s nothing worse than having updates pending, shutting down for a trip, and then opening up a computer that won’t boot. I’ve forgotten this simple tip and had to spend a few minutes before a presentation fixing my computer- this is an easily avoidable problem.
  • Have a VPN Client Configured BEFORE You Leave – There was a time when it took a skilled hacker to intrude upon your network. Unfortunately now there are many commercial and free applications that make casual snooping, or intentional theft exceptionally easy. For example, there’s a Firefox addon that will capture any plaintext transmissions involving social media, like Facebook and Twitter, and allow the hacker to immediately login as you. (It’s called Firesheep.) To avoid losing your email, password and privacy to these nuisances, use a VPN whenever you connect over a wireless hotspot. We like StrongVPN – they have great 24/7 support and reasonable prices.
  • Have a Good Backup – This one catches both our corporate clients and families alike. Backups aren’t fun. They’re not interesting. And unless something is broken, they just take up space. BUT, as soon as you have a drive failure, you learn just how important that backup is. I set up a home machine with an external drive for backups for a friend’s mother. Like I do for my clients and family and friends, I set up Acronis True Image on a schedule. Two years later, her hard drive failed. My friend called me frantic, wondering if there was anything I could do to help. You see there were some important pictures of a new grandchild that they couldn’t replace. One new hard drive and a couple of hours later, the entire machine was back. I was a hero, an IT wizard. Well the truth is I’ve seen data loss many times over the years, and learned that having a backup isn’t an optional step, it’s a required one. Depending upon your budget, when you travel with a laptop, there’s a few things you can do. Here are a few options:
    • At the very least, have a good quality thumb drive with a backup of all your important files, independent of the laptop hard drive. If you completely lose your laptop, you still have your files and can use a loaner to remain productive.
    • Moving up a level, we always recommend you have a good full backup. The best solution is to have the backup offsite, and there are a number of online services available which can store your files for you. If anything happens to your machine- a hardware failure or even a theft, you can still remotely restore your files. I managed a Connected Online backup implementation in a corporate environment, and Iron Mountain offers a solid service with their hosted option.
    • An external drive, which you keep away from the computer, is an okay compromise.
    • Of course when you’re traveling, the best solution is to have a second laptop. That’s a bit heavy- but you can have an identical hard drive, imaged with the current drive contents. If you have a problem on the road, put in the new drive and you’re 100% productive. However, there are a few cons to this solution. It’s expensive, and it may be beyond the technical ability of the average person if you have to disassemble the laptop to get the drive. It also doesn’t help if the laptop bag is stolen (another reason we recommend offsite backups).
  • Continued at Travel Tips For Your Laptop, Part II

Password Strength Checker

I remember running a security audit against one of our domains when I was in the military. We ran some utilities against the domain controllers and put together a list of the users’ passwords, and then used them in a presentation about security for the users. They were shocked when we put up the list. Here’s a list of 500 of the most common passwords (*Caution, some of these are obscene*)- if you see any of your passwords here immediately change them. They’re well known and the hackers start with this list. If you didn’t see your password on the list and would like to check it, try this password checker.

Disaster Recovery

I’d like to take the time to talk about something that most people find boring, but is critically important when it comes to your computer, at work AND at home. Backups. They’re not fun. They’re not exciting. And the only time they really get a lot of attention is when:

1. They’re not done and they’re needed.
2. They don’t work on a restore operation.

About 70% of the time when we present a Disaster Recovery plan I get a great deal of push back from senior executives on why it costs so much for hardware and software which they don’t use on a regular basis (Of course they are referring to Recoveries, they *should* be using backup software every day). I can usually put down all objections for them, and probably home users too, with just one question:

What would it cost if you lost your data?

Think about that for a minute- what if you lost your payroll data? Tax records? Or at home, the picture of the baby’s first steps? The movies of your son’s graduation? There really isn’t a good reason not to back up your data. The rule of thumb I use is if it takes longer to recreate it than to back it up, then back it up. So I wouldn’t worry about a grocery list, but your college term paper should be backed up (I speak from bitter experience on that). We have a thriving business with Disaster Recoveries, and our partners are the BEST at getting data back. The Top Causes of Data Loss is courtesy of their hard work and real world experience. They have highly trained engineers and clean rooms where they can take apart failed drives (and other media) to recover any readable data on it. You get what you pay for- and skill and facilities to do these recoveries are not inexpensive. In the vast majority of recoveries I’ve been involved in, the expense could have been spared by following good backup procedures. (If it’s too late and you found this post while looking for help on a disaster recovery, click the Ontrack button at the top of the page and you can start the recovery process- trying to fix it yourself may make things worse).

Step 1- Decide what to back up.

  • Do you just need your documents?
  • What about email?
  • Your web browser’s favorites?
  • Don’t forget the stuff on your desktop either.
  • How about your operating system?

When in doubt, it certainly doesn’t hurt to just back everything up. Some terms you might come across:

  • Full Backup – All files (our recommendation if you have the time/resources)
  • Incremental Backup – All changed files since the last Full Backup OR the last Incremental. To restore, you’ll need your last Full and EVERY Incremental since then. Minimizes backup time at the expense of restore time.
  • Differential Backup – All changed files since the last Full Backup. Compromise between a full and an incremental- to restore you’ll need your latest Differential and your latest Full backup.
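
The restore rules in the list above, worked through as an added example (not from the original article): given a backup history, it returns the sets a restore needs and shows how one lost incremental breaks the chain. The `Backup` class, function names and the two sample weeks are constructed for illustration.

```python
from dataclasses import dataclass

KINDS = {"full", "incremental", "differential"}


@dataclass(frozen=True)
class Backup:
    label: str
    kind: str  # one of KINDS


def restore_chain(history, target_index=None):
    """Backups needed, in restore order, to recover the state captured
    by history[target_index] (default: the most recent backup)."""
    if not history:
        raise ValueError("backup history is empty")
    if target_index is None:
        target_index = len(history) - 1
    for backup in history:
        if backup.kind not in KINDS:
            raise ValueError(f"unknown backup kind: {backup.kind!r}")
    target = history[target_index]

    # Every restore starts from the most recent full at or before the target.
    full_index = next(
        (i for i in range(target_index, -1, -1) if history[i].kind == "full"),
        None,
    )
    if full_index is None:
        raise ValueError("no full backup precedes the target; nothing to restore from")

    chain = [history[full_index]]
    if target.kind == "differential":
        # A differential holds everything changed since the full.
        chain.append(target)
    elif target.kind == "incremental":
        # Each incremental only holds changes since the previous full or
        # incremental, so every one between the full and the target is needed.
        chain += [b for b in history[full_index + 1:target_index + 1]
                  if b.kind == "incremental"]
    return chain


def can_restore(history, available_labels, target_index=None):
    """True if every backup in the restore chain is still readable."""
    return all(b.label in available_labels
               for b in restore_chain(history, target_index))


# Constructed sample schedules: a Sunday full followed by weekday backups.
DAYS = ["mon", "tue", "wed", "thu", "fri"]
INCREMENTAL_WEEK = [Backup("sun-full", "full")] + [
    Backup(f"{d}-inc", "incremental") for d in DAYS]
DIFFERENTIAL_WEEK = [Backup("sun-full", "full")] + [
    Backup(f"{d}-diff", "differential") for d in DAYS]

if __name__ == "__main__":
    for name, week in (("incremental", INCREMENTAL_WEEK),
                       ("differential", DIFFERENTIAL_WEEK)):
        print(name, "->", [b.label for b in restore_chain(week)])
    surviving = {b.label for b in INCREMENTAL_WEEK} - {"tue-inc"}
    print("Friday restore with Tuesday's incremental lost:",
          can_restore(INCREMENTAL_WEEK, surviving))
```
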

Step 2- Where do I put it?

  • In another directory on the same drive. This is the easiest and least expensive solution- however there are some potential pitfalls. If anything happens to the drive (hardware failure, virus, theft) then you run the risk of losing all the data.
  • On another drive in the same computer. I install an extra drive in every desktop system I build for this purpose. It makes fast backups possible, and provides some protection from hardware failure, however the data is still vulnerable to viruses and theft.
  • To removable media. You can back up to DVD, CD, Tape or external drives.
  • To offsite storage. This can be shipping physical media out- or an online backup solution.

Step 3- How do I back it up?

  • Well the least cost and most accessible option is to use the native Windows backup tool. Here are the step-by-step instructions for Windows XP Backup, Vista Backup & Restore.
  • For set it and forget it backups, hands down the only product I recommend to friends and family is Acronis True Image. Simple, easy and fast, it will back up all your files in an image, and you can restore the entire image or any part at your convenience.
  • Regardless of the solution you use, set it to regularly backup your files, and every so often check it to make sure it’s working.

Step 4- Fire Drill!

  • This one gets missed a lot- even with our corporate clients. Periodically you MUST test restore your backups. Even if it’s a file or two, just check to make sure they work. The absolute worst time to learn your backups weren’t working is when you need them during an emergency. By periodically checking them, you ensure that you are as prepared as you can be for that day that you need your backup. Rest assured that day will come- it’s a fact of using a computer and you should be prepared for it.
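
One way to run the fire drill, as an added example that is not part of the original article: restore into a scratch folder, then compare SHA-256 hashes of the restored files against the originals. The folder layout and file contents in `run_constructed_drill` are constructed sample data; point `verify_restore` at your own source and restore folders.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(source_dir, restored_dir):
    """Compare a test restore against the files it is supposed to protect."""
    source = hash_tree(source_dir)
    restored = hash_tree(restored_dir)
    common = source.keys() & restored.keys()
    return {
        # In the source but absent from the restore: the backup skipped it.
        "missing": sorted(source.keys() - restored.keys()),
        # Present in both but different: corrupted, truncated, or the
        # source changed after the backup ran.
        "mismatched": sorted(n for n in common if source[n] != restored[n]),
        # Only in the restore: deleted from the source since the backup.
        "unexpected": sorted(restored.keys() - source.keys()),
        "verified": sorted(n for n in common if source[n] == restored[n]),
    }


def run_constructed_drill():
    """Build a small constructed source/restore pair and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "source")
        restored = Path(tmp, "restored")
        (source / "photos").mkdir(parents=True)
        (restored / "photos").mkdir(parents=True)

        # Restored intact.
        (source / "taxes.txt").write_bytes(b"2010 return\n")
        (restored / "taxes.txt").write_bytes(b"2010 return\n")
        # Restored but truncated, as from a bad sector on the backup media.
        (source / "photos" / "baby.jpg").write_bytes(b"\xff\xd8 constructed image bytes")
        (restored / "photos" / "baby.jpg").write_bytes(b"\xff\xd8 constructed image")
        # Never made it into the backup at all.
        (source / "termpaper.doc").write_bytes(b"draft 7")

        return verify_restore(source, restored)


if __name__ == "__main__":
    for outcome, names in run_constructed_drill().items():
        print(f"{outcome:>10}: {names}")
```

A mismatch on a file you edited after the last backup ran is expected; a mismatch on a file you have not touched means the backup or the media is bad.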

About Cliff Hatch

Cliff Hatch, MCSE+I, ACE, Security+ is the CIO for Cliff Edge Consulting, LLC (www.cliffedgeconsulting.com), a Las Vegas based consultancy specializing in Microsoft Technologies. (You may republish article in its entirety on your site provided you leave the author credit.)

Strategies for Avoiding and Removing Spyware

Over the last twenty years I’ve worked on computers in the military, IT service providers, businesses both large and small. The one major complaint they all have in common is viruses and spyware. It also happens to be number one on my “Family Tech Support” call list as well. The Anti-Spyware Coalition defines spyware as:

Spyware: Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

  • Material changes that affect their user experience, privacy, or system security;
  • Use of their system resources, including what programs are installed on their computers; and/or
  • Collection, use, and distribution of their personal or other sensitive information.

Spyware can report back on your surfing habits to advertisers, hijack your browser’s home page, log key strokes, and in extreme cases allow complete remote control of your system by an attacker- it even intensifies the dangers of Webcams. In January of 2007, Julie Amero was convicted on four felony counts of risking injury to minors after she was unable to prevent pornographic pop-ups from showing up on a computer in a classroom in 2004, in spite of testimony that the computer was infested with spyware (her case is going to be re-tried after outrage from the IT community and the media).

So how do we shutdown spyware once and for all? Security is always a compromise with usability. There is no silver bullet that will make your computer immune to spyware. We can, however, put together a layered defense, which should greatly reduce your risk and make your computer less likely to become a pop up factory or a paperweight. To make this a little less painful, let’s compare it to securing your home from a burglar.

1. Get Insurance. Back up your computer regularly. It’s not exciting, but it’s absolutely necessary if your data is important. Think about what you’ve got on your machine- perhaps finance records for the business? Family pictures? Just back it up, preferably on removable media, which is then stored away from the computer. Instructions for XP here and Vista here.

2. Secure the perimeter fence line – Invest in a good hardware firewall. Most businesses run high end appliances, the small business/home user can get adequate protection for less than $100 with a Linksys or Netgear router/firewall. For medium and large businesses with more budget, I’m partial to Cisco equipment. CERT/CC has a good article on home network security here.

3. Secure the front door- If you’ve never seen a firewall log on an Internet facing network, it’s an interesting experience. Every day hundreds of machines will search for an open port to connect to. It’s the cyber equivalent of a car thief walking down a row of cars pulling each door handle to see what’s unlocked. And yes, they do the same thing on your home machine if you have a broadband connection. You can make sure this casual intrusion is stopped dead with a software firewall. At a minimum turn on the Windows Firewall (here’s how to turn it on in XP, in Vista go to the control panel>security center>firewall), particularly if you’re a laptop user connecting without a corporate firewall while traveling. If you’re more security conscious (and comfortable with additional complexity), Zone Labs Zone Alarm replaces the Windows firewall and provides additional protection.

4. Make sure that deadbolt defeats the latest lock picks- Believe it or not, this one catches big businesses a lot more than it should. Make sure you install the latest service packs and patches as soon as possible. For most home users that’s immediately, businesses should test them on pilot systems at a minimum, but deploy them with urgency. The easiest way to do this is automatically- here’s how.

5. Defend the homestead from multiple angles-
a. You should be running a good anti-virus product. Be sure to periodically check it to make sure your definitions are up to date. I recommend Grisoft AVG Anti-Malware, which scans for both spyware and viruses. They offer free anti-virus and anti-spyware for personal use, the anti-spyware link is here.
b. In addition to using AV and anti-spyware from one company, you should periodically (preferably weekly but at least once a month) scan with a different product. Spybot Search and Destroy, and Lavasoft Ad-Aware are great products, and will usually turn up malware on what was believed to be a clean system. They also offer free versions for personal use.

6. Look at things in a new way- Change your browser from Internet Explorer to Firefox– I know, I know, Internet Explorer is easier because it’s preinstalled. I, and several of my peers, have discovered a dramatic decrease in spyware on machines with Firefox, particularly those with Adblock Plus installed.

7. Don’t open the door for strangers- Watch where you surf. Questionable sites, like pornography, illegal software download portals, and some peer to peer networks have been known to infect unsuspecting users with spyware. Also, if you get a popup asking you to install something unexpected, do not click “OK” or “Cancel”. Close the window with the “X” in the top corner- some disreputable programmers install when cancel is clicked…

8. Beware of free samples- Some free programs come with other programs bundled that you don’t want, particularly toolbars. Scan any executable file with an anti-virus program BEFORE you install.

9. Don’t fall for the sales pitch- Be sure to read the End User License Agreement when you install unknown software- there have been several cases of questionable software makers including clauses where you allow them access to your personal information, and automated reporting on your habits.

10. Something still got in- Now what? Well you have a couple of choices. Believe it or not, if you followed my advice in Step 1, it may be easier to just restore from backup. Manually hunting down and removing spyware can be time consuming and frustrating. If you’re determined and a little technical, there is help in the form of a great support forum, and a reporting product called HijackThis (now from Trend Micro). The author’s homepage and the forums can be accessed here. Be sure to check out the FAQ before posting.
Additional Reading
FTC Spyware Pages

About Cliff Hatch

Cliff Hatch, MCSE+I, ACE, Security+ is the founder of Cliff Edge Consulting, LLC (www.cliffedgeconsulting.com), a Las Vegas based consultancy specializing in Microsoft Technologies. (You may republish article in its entirety on your site provided you leave the author credit)