Firewall rules

Firewall is usually represented as a block wall, and so forth. But we have in Nashville it looks like three virtual LANs, one for servers, one for wireless, and another for our users. On our firewall, we have a publically accessible web server, and we have maybe some internet connections/WAN connection to our Knoxville branch office, which evidently is much smaller because we have only two virtual local area networks, one for servers and one for users. Visio is especially cool because you can do ultra-detailed network diagrams.

Firewall: Spend $50 for a Network Address Translator firewall device; it’s likely to be good enough in default mode. On your laptop, use personal firewall software. If you can, hide your IP address. There’s no reason to allow any incoming connections from anybody. • Encryption: Install an e-mail and file encryptor (like PGP or TrueCrypt). Encrypting all your e-mail or your entire hard drive is unrealistic, but some mail is too sensitive to send in the clear. Similarly, some files on your hard drive are too sensitive to leave unencrypted. [2008 update: Full disk encryption is now easy, and you won’t notice any latency. Do it.] None of the measures I’ve described are foolproof. If the secret police want to target your data or your communications, no countermeasure on this list will stop them. But these precautions are all good network-hygiene measures, and they’ll make you a more difficult target than the computer next door. And even if you only follow a few basic measures, you’re unlikely to have any problems. I’m stuck using Microsoft Windows and Office, but I use Opera for Web browsing and Eudora for e-mail. I use Windows Update to automatically get patches and install other patches when I hear about them. My antivirus software updates itself regularly. I keep my computer relatively clean and delete applications that I don’t need. I’m diligent about backing up my data and about storing data files that are no longer needed offline. I’m suspicious to the point of near-paranoia about e-mail attachments and websites. I delete cookies and spyware. I watch URLs to make sure I know where I am, and I don’t trust unsolicited e-mails. I don’t care about low-security passwords, but try to have good passwords for accounts that involve money. I still don’t do Internet banking. I have my firewall set to deny all incoming connections. And I turn my computer off when I’m not using it. That’s basically it. Really, it’s not that hard. The hardest part is developing an intuition about e-mail and websites. But that just takes experience.
Schneier on Security