Thursday, July 22, 2010

Protecting Your Network from Hackers, Viruses and Malicious Software


If you have a server-based network, it’s critically important to protect your server from hackers, viruses, and other malicious software. If your server is compromised, it can jeopardize the safety and security of your company’s entire network and all its data. Here are some ways you can protect your network against attack:
Your server has built-in security features. Use them. If configuring your server’s security settings is beyond the scope of your technical expertise, hire an expert to do it. While this will cost you a little more up front, the price you’ll pay to secure your network is minuscule when compared to the cost of responding to and recovering from a hacked server.
Firewalls are essential. Software firewalls are sufficient for small networks, but if your network is large or spread out, you may want to run a hardware firewall in conjunction with your server. A hardware firewall will control access to your network’s computers from a single point, making it easier to monitor, and theoretically, more secure. But at the bare minimum, your server needs a software firewall.
Software patches are vital to server and network security. When a new threat emerges, be it a virus, worm, or Trojan horse, antivirus software developers issue software patches, or updates, that close up the security hole that the malicious program has exploited. If you’re running an old version of a server operating system, your server could be vulnerable to attack. Not having the latest version of your server’s software installed is akin to not getting immunized against eradicated diseases; the cure is out there, but you just haven’t bothered to take your medicine.
Unrestricted server permissions and passwords should be given to as few people as possible. Use strong passwords, and keep them strictly confidential. (For more information on developing password protocol for your business, check out Five Rules for Developing Safe and Sane Password Protocol for Your Small Business.)
Physical security is just as important as password security, if not more so. Protecting your servers from the elements — and criminals — is essential. A closet is usually perfect for one or two servers; no windows and a single locking door reduce the chance of your servers being damaged. Lock up the room or closet whenever it’s not in use, and distribute keys only to employees who absolutely need them. Also, store your server computers up off the floor, either on special racks designed for that purpose, or in some other manner, to keep them from being damaged by floods or leaks.

    How to Conduct Internal And External Network Security Audits


    According to a recent survey of IT executives and network administrators by VanDyke Software Inc., 46% of companies that undertake internal security audits find that the tests result in the identification of significant security problems. That’s close to half, and the number rises to 54% for external network security audits conducted by outside companies.
    Think of it like this: There’s at least a 50/50 chance you have one or more significant network security problems, and an audit is a good way to find them. In fact, 43% of survey respondents felt their organizations should audit their networks more frequently.
    However, it’s a good bet that some people reading this article work for companies where network security is still not audited on a regular basis, probably because such audits are seen as an unwelcome interference with day-to-day network administration. But an audit should not be seen as a chore. Think of it as a process that others have found useful for ensuring their organization is adequately protecting itself from data loss and related complications, such as litigation, which may ensue. In this tip, let’s review what is required to conduct a systematic examination and verification of network security, which can serve as a potent control while also providing vital feedback on the state of an organization’s security strategy.
    Setting the network security baseline
    To be effective, an audit must be performed against a defined set of standards: an organization’s data security, integrity and availability policies and procedures, applicable regulatory requirements, and industry best practices. Data gathered during the audit is compared against these to check “what is” against “what should be.”
    It may sound like a daunting process, but if some baseline network audit processes are conducted on a regular basis, you can make any major audit less onerous. The first step? Establish a baseline of the network. A good tool for this is Nmap, the free open source utility for network inventory and security auditing. Nmap can inventory network devices and reveal what services they run, as well as what OS and application versions are installed.
    Once the network has been mapped, future scan results can be compared against this known and accepted baseline. Any scan results including, for instance, unauthorized applications or never-before-seen devices should serve as red flags. Of course, any such changes should be investigated and resolved, i.e. either remediated or added to your baseline. Prohibited applications discovered by a scan may include peer-to-peer networking, instant messaging, Skype or social media file sharing.
    Because network threats constantly evolve, certain baseline checks should be carried out on a weekly, if not daily, basis. Intruders always look to exploit open ports because they are an easy gateway to your systems. Therefore, port scans that identify open ports and the services running on them should be among the most frequently conducted scans. An Nmap scan can also check trust relationships that exist on a network and find connections that violate security policy.
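The baseline comparison described above can be automated. The following is an added example, not part of the original article: it parses two Nmap XML reports (as written by `nmap -oX`) and lists new hosts, missing hosts, newly open ports and changed service versions. The XML samples and addresses are constructed for illustration.

```python
"""Diff a current Nmap XML scan (nmap -oX) against an accepted baseline."""
import xml.etree.ElementTree as ET

# Constructed sample data, trimmed to the elements the parser reads.
BASELINE_XML = """<nmaprun>
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="5.3"/></port>
   <port protocol="tcp" portid="443"><state state="open"/>
    <service name="https"/></port>
  </ports></host>
 <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="25"><state state="open"/>
    <service name="smtp"/></port>
  </ports></host>
</nmaprun>"""

CURRENT_XML = """<nmaprun>
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="5.5"/></port>
   <port protocol="tcp" portid="23"><state state="closed"/></port>
   <port protocol="tcp" portid="443"><state state="open"/>
    <service name="https"/></port>
   <port protocol="tcp" portid="6881"><state state="open"/></port>
  </ports></host>
 <host><status state="up"/><address addr="10.0.0.77" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/>
    <service name="http"/></port>
  </ports></host>
</nmaprun>"""


def load_inventory(xml_text):
    """Return {ip: {(protocol, port): service_label}} for hosts that are up."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        # Hosts may also carry a MAC address element; only IP addresses are keys.
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        services = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not part of the inventory
            svc = port.find("service")
            parts = [] if svc is None else [
                svc.get(k) for k in ("name", "product", "version") if svc.get(k)]
            key = (port.get("protocol"), int(port.get("portid")))
            services[key] = " ".join(parts) or "unknown"
        inventory[ip] = services
    return inventory


def describe(services):
    """Render a host's open ports as 'proto/port label, ...'."""
    return ", ".join(f"{proto}/{num} {label}"
                     for (proto, num), label in sorted(services.items()))


def diff_against_baseline(baseline, current):
    """Return (kind, ip, detail) tuples for every deviation from the baseline."""
    findings = []
    for ip in sorted(current.keys() - baseline.keys()):
        findings.append(("NEW_HOST", ip, describe(current[ip])))
    for ip in sorted(baseline.keys() - current.keys()):
        findings.append(("MISSING_HOST", ip, describe(baseline[ip])))
    for ip in sorted(baseline.keys() & current.keys()):
        old, new = baseline[ip], current[ip]
        for key in sorted(new.keys() - old.keys()):
            findings.append(("NEW_PORT", ip, f"{key[0]}/{key[1]} {new[key]}"))
        for key in sorted(old.keys() - new.keys()):
            findings.append(("CLOSED_PORT", ip, f"{key[0]}/{key[1]} {old[key]}"))
        for key in sorted(old.keys() & new.keys()):
            if old[key] != new[key]:
                findings.append(("SERVICE_CHANGED", ip,
                                 f"{key[0]}/{key[1]} {old[key]} -> {new[key]}"))
    return findings


def run_example():
    return diff_against_baseline(load_inventory(BASELINE_XML),
                                 load_inventory(CURRENT_XML))


if __name__ == "__main__":
    for kind, ip, detail in run_example():
        print(f"{kind:16} {ip:12} {detail}")
```

Each finding is either remediated or, once approved, folded into the baseline file used for the next run. Nmap also ships the `ndiff` utility, which performs a comparable comparison of two XML reports.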
    Regular Reviews
    Another network element in constant flux is the user base. Regular reviews of network accounts and privileges against HR records are essential to ensure unused accounts are terminated and rights are appropriately assigned. You can combine this with other employee-related checks, such as ensuring separation of duties and compliance with password policies like aging and complexity.
    Not every network security control needs checking with equal frequency, but all controls should be reviewed on a regular basis, including basics like physical security, document backup and destruction, and patching. Are backups being performed according to policy and regulatory requirements? Is data destroyed in accordance with its classification? Have backup and restore processes been tested recently to make sure they’re working? Are automated patching processes functioning correctly and deploying updates within an acceptable timeframe?
    If you’re in charge of network security, then making these checks part of the regular work cycle will make life much easier when the time comes for a major network audit. The internal assessments you perform to prepare for a big audit only need to cover areas outside your regular monitoring routine.
    These include evaluating patch processes, validating that backups perform per policy, assessing the effectiveness of physical security controls, and ensuring compliance with the requirements of relevant regulatory standards.
    For some companies, auditing is not always optional. If your systems need to be compliant with a particular standard — such as the PCI Data Security Standard — then an audit by external auditors will be necessary. Even without such requirements, an external network security audit may be the best, or only option if there is suspicion of an internal threat, such as a malicious administrator, or if an organization has too many remote offices for qualified internal staff to ensure policies have been implemented at all sites.
    Finally, a few words of caution about one oft-cited reason for security auditing. No audit, internal, external or compliance-related, can by itself ensure a network is secure. Just because a network has been audited does not mean it is, or will remain, secure. The real benefit of an audit comes from implementing its recommendations on how security controls can be improved, dealing with any concerns reported, and more closely aligning information security needs and risk mitigation with business goals. All of which makes the network security audit a worthwhile undertaking.

    RAID




    How to Implement RAID0?
    How to Unconfigure RAID0?
    How to Implement RAID1?
    How to Unconfigure RAID1?
    How to Implement RAID5?
    How to Unconfigure RAID5?

    How to Implement RAID10?

    RAID10 can be implemented by first implementing RAID1 (i.e. mirroring) and then implementing RAID0 (a stripe set across different disks) on top of it.


    Configuring RAID10
    Step 1: Find out how many devices are participating; for example, here we have taken 4 disks (/dev/sda1, /dev/sdb1, /dev/sdc1, /dev/sdd1).
    Step 2: Implement RAID1 on the four drives (taking 2 each)

    # mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sd[ab]1
    # mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sd[cd]1
    Step 3: Now implement RAID0 on the two RAID1 devices (/dev/md0, /dev/md1)

    # mdadm --create /dev/md2 --chunk=64 --level=0 --raid-devices=2 /dev/md[01]
    Step 4: Format the RAID10 device with ext3 and mount the device
    # mke2fs -j /dev/md2
    # mkdir /store
    # mount /dev/md2 /store
    Unconfiguring RAID10
    Step 1: Unmount the RAID device /dev/md2
    # umount /dev/md2    (or: # umount /store)
    Step 2: Stop the RAID devices
    # mdadm --manage /dev/md2 --stop
    # mdadm --manage /dev/md1 --stop
    # mdadm --manage /dev/md0 --stop
    Step 3: Remove the disk partitions (/dev/sda1, /dev/sdb1, /dev/sdc1, /dev/sdd1) using the fdisk utility


    RAID01 Vs RAID10

    So what is the difference between RAID01 and RAID10?
    This is a bit of a tricky question. Recently I came to know about this one in an interview. So are both the same?
    No, they are not the same.
    When we are dealing with RAID01 we are actually implementing RAID0 first, then RAID1 on top of it. OK, a little bit confused?
    Let me put it this way: RAID0 is nothing but striped writing of data, and RAID1 is mirroring of data onto disks. For example, let's take 8 disks: first we write the whole data striped across 4 disks, then we mirror it onto the remaining disks.
    Whereas in RAID10 we first mirror the disks and then stripe the data across the mirrored disks.
    In general, RAID01 is "a mirror of 2 stripes" and RAID10 is "a single stripe on mirrored disks".

    So here one more question arises... which one is good?
    RAID10 is good. The difference is that the chance of system failure with two drive failures in a RAID 0+1 system with two sets of drives is (n/2)/(n - 1), where "n" is the total number of drives in the system. The chance of system failure in a RAID 1+0 system with two drives per mirror is 1/(n - 1). So, using the 8-drive systems shown in the diagrams, the chance that losing a second drive would bring down the RAID system is 4/7 with a RAID 0+1 system and 1/7 with a RAID 1+0 system.
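The two formulas above can be checked by brute force. This added example (not from the original post) models both layouts and enumerates every possible first and second drive failure; the drive numbering and function names are assumptions made for the illustration.

```python
"""Verify the RAID 0+1 and RAID 1+0 second-failure odds by enumeration."""
from fractions import Fraction
from itertools import permutations


def raid01_alive(failed, n):
    """RAID 0+1: two stripe sets of n/2 drives, mirrored against each other.

    A stripe set is lost as soon as any one of its drives fails, so the array
    survives only while at least one stripe set is completely intact.
    """
    half = n // 2
    set_a = set(range(half))
    set_b = set(range(half, n))
    return not (failed & set_a) or not (failed & set_b)


def raid10_alive(failed, n):
    """RAID 1+0: n/2 mirror pairs (0,1), (2,3), ... striped together.

    The stripe needs every mirror pair, so the array survives only while no
    pair has lost both of its drives.
    """
    return all(not {d, d + 1} <= failed for d in range(0, n, 2))


def second_failure_risk(alive_fn, n):
    """Fraction of (first, second) failure sequences that take the array down."""
    if n < 4 or n % 2:
        raise ValueError("n must be an even number of drives, at least 4")
    fatal = total = 0
    for first, second in permutations(range(n), 2):
        # A single failure never kills either layout; check that the model agrees.
        assert alive_fn({first}, n)
        total += 1
        if not alive_fn({first, second}, n):
            fatal += 1
    return Fraction(fatal, total)


if __name__ == "__main__":
    for n in (4, 8, 12):
        r01 = second_failure_risk(raid01_alive, n)
        r10 = second_failure_risk(raid10_alive, n)
        # Compare the enumeration with the closed forms quoted in the text.
        assert r01 == Fraction(n // 2, n - 1)
        assert r10 == Fraction(1, n - 1)
        print(f"n={n:2}  RAID 0+1: {r01}   RAID 1+0: {r10}")
```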

    Wednesday, July 21, 2010

    Linux Boot Sequence

    Note: The BIOS tests the system, looks for and checks peripheral devices, and then looks for a drive to use to boot the system. The BIOS looks for a Master Boot Record (MBR) starting at the first sector on the first hard drive, loads its contents into memory, and then passes control to it. The MBR is the first 512 bytes. The MBR then finds and loads the GRUB boot loader. GRUB finds the necessary boot file, which initializes the kernel and the initial RAM disk.
    Once the kernel has successfully loaded, it executes /sbin/init. Init parses its configuration file (/etc/inittab) and finishes the boot process according to its configuration.


    BIOS Initialization
     |
    V
    Boot Loader (GRUB or LILO)
     |
    V
    Kernel Initialization
     |
    V
    Init starts and enters the desired runlevel by executing (/etc/inittab).
     |
    V
    /etc/rc.d/rc.sysinit  [Entering Runlevel [0-6] ]
     |
    V
    /etc/rc.d/rc   &   /etc/rc.d/rc[0-6].d/
     |
    V
    /etc/rc.d/rc.local
     |
    V
    Virtual Consoles
     |
    V
    X display manager

    Physical Security


    Unauthorized access to your servers can occur just as easily from the inside as the outside. Perhaps even more so since the internal organization is seen as less of a threat. While that may be (somewhat) true from a user perspective, the unauthorized use of the organization’s facilities and hardware is a very real threat.
    To most people, physical security means locking up the server hardware and hubs/switches. However, it goes far beyond that. It involves the entire physical plant, the systems that connect to it, and the office space those systems are located in. It even extends to the notebooks carried by your company’s road warriors. Notebooks and PDAs get stolen all the time. And there’s no telling who has access to the computers of those who dial-in from home where users have a tendency to check the “Remember password” box on their dial-up connections.
    I have seen countless instances of organizations that spend all kinds of money on fancy security systems surrounding the rooms that house servers and other IT equipment and at the same time have network jacks in locations that anyone can get to without breaking a sweat. Someone could hook up a pocket-sized packet sniffer and in less than a minute have all the IP address information and maybe even some IDs and passwords they need. With all of the foot traffic in large companies at quitting time, it wouldn’t take much for someone with a notebook to slip into a secluded office or cubicle and spend hours on your network with no one but the cleaning people to bother them.
    Networks, by their very nature, mean you don’t need to be physically at a server to administer that server. While IT operations typically don’t have a lot of clout with a facility’s security people, there are some infrastructure-related steps you can take to try and lock things down. Unplugging unused or publicly accessible network jacks at the cross-connects is one measure. Restricting users to logging in only on certain systems, whether they be identified by MAC address or a hostname, and only during certain hours is a start. Security-minded organizations are also setting up VPNs on internal networks and requiring that all Intranet Web traffic be SSL to guard against unauthorized sniffing.
    And how many users do you know have their passwords written down on Post-It Notes stuck to their monitor or on a piece of paper inside a desk drawer? Biometric devices have dropped dramatically in price in the last two years. You can buy a hardware device that reads a fingerprint in order to authenticate users for a little over $100 now (U.are.U Pro from Digital Persona). Setting up certificate servers helps ensure that only authorized systems have access to network resources. They’re not just for remote systems anymore.
    That’s not to say physical security of the servers and wiring closets isn’t important. Just don’t overlook the obvious. One organization was so proud of their fire-proof file room for all of their personnel records until I pointed out the room had a wooden door. A chain is only as strong as its weakest link. Do the doors to your server room or wiring closets open out? If so, it’s probably just a matter of popping the hinge pins out and a door comes right off. Crawling over the top of a wall by popping out the panels in a suspended ceiling isn’t all that tough either.
    There are many steps you can take to secure the physical environment. Some are electronic, some are mechanical, and others are procedural. But nothing substitutes for common sense.

    How to Bypass Most Firewall Restrictions and Access the Internet Privately [Access orkut , Facebook from office , work school]

    This is really a kind of challenge to all system administrators: to restrict those kinds of users who are technical and advanced users.
    I am waiting for replies from those users who have a solution to the kind of problem below; your work is appreciated..........

    More and more employers and universities are becoming aware of the amount of time their employees or students are spending using the Internet for personal reasons. Obviously employers want to discourage this behavior and may implement a number of different ways to do so. These can include; 
    Restricting people from installing programs on their workstation. This usually won't stop someone from accessing websites, but it may keep people from playing games or using instant messaging software.
    Using a firewall or proxy server to restrict access to websites or other Internet protocols. All your Internet communication passes through your network's firewall, so it's a great place to monitor and restrict access. How complex or restrictive it is largely depends how tech savvy your IT department is.
    Using a network monitoring system to "spy" on Internet access. This is a form of firewall monitoring, where your employer can intercept and read/save anything flowing through their firewall. Your IT department may call this an Intrusion Detection System, which is primarily used to monitor for attempted hacker attacks or viruses.
    Installing programs on workstations that monitor Internet access. This is probably the toughest thing to get around because there are so many different vendors that offer this type of software. In addition, there is software that simply records every keystroke you press. In most cases, there's no way around this other than disabling the software.
    This guide discusses a way an employee or student can securely access the Internet while at work or school, and also get around some common firewall restrictions that prevent you from using most networked programs. My definition of "securely" is that there should be no means by which your employer can know which websites you have visited or are currently visiting, or view or decipher the content of those sites (without actually standing over your shoulder).

    Keep in mind that the method I discuss here will protect you from NETWORK monitoring, not actual computer or keystroke monitoring. So if your IT department has some security software installed on your PC, you probably shouldn't even be looking at this page.

    In addition to protecting you from network monitoring, this method can be used to get around a number of other security protections that may be in place; 
    Your employer or school allows access to most of the Internet but blocks certain websites that they consider non-work related. Using this method you can access them.
    Your employer or school blocks you from chatting at work using AIM or ICQ or similar instant messaging programs. Follow my instructions and you may be able to get around the firewall and chat at work.
    You want to access your employer or school's Intranet from home. Set up the shunnel in the reverse order from what I describe, with the SSH server on your work computer, and Putty at home. You may be able to access Intranet websites from home just like you were sitting at your work computer.
    This is version 2 of the Surf At Work guide. This version details how to encrypt your network traffic using an SSH tunnel with Dynamic Forwarding. Version 1 of the guide was similar, but in addition to SSH used an Apache HTTP Proxy server. The addition of Dynamic Forwarding in Putty removed the need for an external proxy server, assuming your applications can use a SOCKS proxy instead of an HTTP proxy. The old version is still available here for reference. 

    Using this method will actually allow you to do more than just surf the web privately. You can bypass a firewall and encrypt the network traffic of any program that can use SOCKS proxy. This includes most instant messaging software like AIM, Yahoo!, MSN, IRC, mIRC and others.

    As MySpace.com is now so popular, many schools now completely block MySpace to keep kids from socializing online and to sidestep any controversy. Since MySpace is just a website like any other, this method should let you access MySpace freely around most firewalls.

    Overview
    The objective is to encrypt your network traffic so it can not be read as it passes over your employer or school's network. To do this, we will;
    Run an SSH server on your computer at home.
    Use an SSH client on your computer at work to create a secure tunnel between your home and work computers.
    Enable Dynamic Forwarding in the SSH client to simulate a SOCKS Proxy.
    Configure Internet Explorer to use a SOCKS Proxy for network traffic instead of connecting directly.
    After this is all set up, the process for browsing a website will be as follows. Internet Explorer at work connects to the SSH client running on your computer at work. The SSH client connects to the SSH server running on your computer at home. Internet Explorer will make requests for websites using the SOCKS protocol, which SSH will intercept and handle for you. Thus, the SSH server talks to the website and returns the web page to the SSH client. The SSH client returns the web page to Internet Explorer.

    In essence, you are tricking Internet Explorer into thinking you have a proxy server running on your local machine, when in fact the proxy is running on your computer at home. Since all communication over your work network takes place through SSH, it can not be read. The SSH traffic CAN be seen or detected, but it will look like a garbled mess of letters and numbers. Other than being a little slower than usual, you shouldn't notice any difference when surfing the web when using the secure method. 

    Some people who are familiar with SSH may be asking, "How can Internet Explorer talk to SSH?" Well, SSH has a great little function called Connection Forwarding. You set up SSH to accept TCP connections on a port and forward them to a port on another computer. SSH takes ALL the network traffic on that port, wraps it in a secure package, and forwards it somewhere else. I refer to this as a "shunnel"; a secure tunnel.

    The other trick to this setup is the Dynamic Port Forwarding. Newer versions of SSH can emulate a SOCKS proxy server. A SOCKS Proxy server is a server that acts like a "middleman." It accepts requests from a client, and connects to the target server on your behalf. Take a look at these links on Webopedia for a little more information; SOCKS Proxy 


    Audience
    This guide is written for a moderately skilled computer user. You MUST know how to install programs on your computer, how to navigate file systems, and how to edit configuration files. A knowledge of "how the Internet works", like TCP, sockets, ports, HTTP, and other network protocols would be extremely helpful. 

    Prerequisites
    To use this method, you need the following; 
    A decent computer at home that you can leave connected to the Internet all day while you're at work.
    A fast Internet connection at home; usually cable or DSL. (Technically, this can work with a dialup modem connection, but it may cause problems and it's really slow.)
    Microsoft Windows NT, 2000, or XP installed on your computer at home and any flavor of Windows on your computer at work. You may be able to get this to work with 95, 98, or ME, but I can't say for sure. You definitely can get this to work with Linux or Unix. I don't know about Macintosh.
    Alternatively, if you don't meet the prereqs or don't want to leave your computer on all day, you can try HTTP-Tunnel, a commercial alternative that lets you do everything here and more.

    When won't this work?
    Please notice the title of this page starts "How To Bypass Most Firewall Restrictions...". I say most because the method I describe here will not work for everyone, even if you meet the prerequisites above. If any of the following are true for you, you probably can't use this method successfully;
    You can not access any external Internet websites; only internal websites or none at all.
    You can access a few specific Internet websites, but no others at all.
    If either of the 2 lines above apply to you, your network administrator is working hard because they are using a "pessimistic" blocking strategy. In other words, they have decided to block everything, and probably only allow specific access. The problem with that strategy however, is that it requires much more work and maintenance than using an "optimistic" strategy, in which they allow access to everything and block only certain "things". 

    The method I describe on this page will not work with a pessimistic blocking strategy because it depends on being able to access your home computer from work. 9 times out of 10, if you can't get to www.amazon.com, you won't be able to get to your home computer either. If for some reason you CAN access your home computer, then great... proceed. If not, you may want to talk to your network administrator. Ask them if they would punch a hole in the firewall so you can SSH to your computer at home. Or come up with some excuse to get access to 1 port on your home computer, then run the SSH server on that port.

    Or... maybe you ARE the network administrator and are just curious about how this works. :) 

    Addresses
    Before we start installing and configuring software, you need to find out the following things; 
    Your home IP Address
    Your work/school external IP Address
    The easiest way to get your IP Addresses is to go to www.whatismyip.com at home and at work. Write down the numbers. 

    Software
    We're going to be using 2 fairly simple pieces of software; an SSH Server and an SSH Client. 

    There are a few flavors of SSH servers out there, but we're going to be using OpenSSH because it's free. The website for OpenSSH is http://www.openssh.com . But wait! OpenSSH doesn't run on Windows, unfortunately... But there is a site that converted OpenSSH to run on Windows, which is what we want! http://sshwindows.sourceforge.net/ .

    Download OpenSSH for Windows from http://sshwindows.sourceforge.net . The version I used when writing this document was 3.7.1p1-1. The latest version should work for you, plus it will have fewer security holes.

    For the SSH Client I recommend using Putty. Putty is a small single-executable SSH client with the ability to set up a tunnel. The newer versions also support Dynamic Forwarding, which is essential. It's possible to use OpenSSH as your client as well as your server, but Putty is much easier to set up and use. Download putty.exe from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html .

    Install the SSH Server
    The OpenSSH installer comes in a zip file. Unzip the file, then run setupssh.exe. Choose to install both the Client and the Server. It will ask you to install into C:\Program Files\OpenSSH. If you choose to install into a different location, that's fine, but be aware I will use the above path in this document.

    Configure Windows
    OpenSSH for Windows uses Windows' user database for login authentication. That means you must have a User name and Password set up to log in to your home computer. If you don't, you have 2 choices: 1, set a password on your Windows account, or 2, create a new local account that you will use to log in from SSH. I know a lot of people out there don't use logins or passwords on their home computer, but if you're using NT, 2000, or XP, the functionality is there, even if you don't use it.

    There are many different flavors of Windows, with different methods of creating a local user. There's no way I can cover all of them, but here are a few examples; 

    To create a new account on your home machine (Windows XP): 
    Start Menu, open Control Panel, then User Accounts. 
    Click Advanced tab, then the Advanced button. 
    Highlight Users, then click Actions, then New User. 
    Enter a User name, and a Password twice. I recommend you use a User name and Password that is different than anything you have ever used at work. Obviously, your employer probably knows your password, so there's no security if you use the same password at home. 
    Deselect User must change password at next logon.
    Check Password never expires. 
    Click Create. 
    Close the Windows, close Control Panel.
    You should now have a new local Windows user on your home machine. Remember the Login name and password for later. 

    Configure the SSH Server
    We want to configure your SSH server to allow access using User name and Passwords, and to listen on port 443 instead of port 22. 

    Why port 443 instead of port 22? In most cases your employer will block almost all outgoing network ports except for port 80 and port 443, which are the 2 ports that webservers run on. I used to tell people to run SSH on port 80 because that's the standard webserver port, but now I recommend you run it on 443. Port 443 is used for encrypted websites, which is what your shunnel traffic will look like as it passes through the firewall. If you have trouble on port 443, try it on port 80 instead. If neither work, you're probably out of luck. 
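For the network administrator, the port number alone says little: an SSH session opens with a cleartext identification string ("SSH-2.0-..."), while a TLS session to a web server opens with a handshake record, so the first client bytes of each connection show which protocol is really in use. The sketch below is an added example, not part of the original guide; the flow records, addresses and client version strings are constructed sample data, and how the first payload is captured (IDS, proxy or packet capture) is left as an assumption.

```python
"""Flag connections to web ports whose first client bytes are not a web protocol."""
import re

# RFC 4253 section 4.2: each side opens with "SSH-protoversion-softwareversion".
SSH_ID = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x7e]+)")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")
# Protocol a policy would expect on each monitored destination port.
EXPECTED = {80: "http", 443: "tls"}

# Constructed sample flows: first reassembled client payload per connection.
FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 443,
     "first_payload": bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32},
    {"src": "192.0.2.23", "dst": "203.0.113.40", "dport": 443,
     "first_payload": b"SSH-2.0-PuTTY_Release_0.60\r\n"},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 80,
     "first_payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "192.0.2.31", "dst": "203.0.113.40", "dport": 80,
     "first_payload": b"SSH-2.0-OpenSSH_3.7.1p1\r\n"},
    {"src": "192.0.2.44", "dst": "198.51.100.9", "dport": 22,
     "first_payload": b"SSH-2.0-OpenSSH_3.7.1p1\r\n"},
]


def classify_first_payload(data):
    """Return (protocol, detail) for the first bytes a client sent."""
    match = SSH_ID.match(data)
    if match:
        return "ssh", match.group(0).decode("ascii")
    # TLS record header: type 0x16 (handshake), major version 3, 2-byte length,
    # followed by the handshake type, which is 0x01 for a ClientHello.
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls", "ClientHello"
    if data.startswith(HTTP_METHODS):
        return "http", data.split(b" ", 1)[0].decode("ascii")
    return "other", data[:8].hex()


def find_mismatches(flows):
    """Return one alert per flow whose protocol does not match its port."""
    alerts = []
    for flow in flows:
        expected = EXPECTED.get(flow["dport"])
        if expected is None:
            continue  # port not covered by this policy
        seen, detail = classify_first_payload(flow["first_payload"])
        if seen != expected:
            alerts.append({"src": flow["src"], "dst": flow["dst"],
                           "dport": flow["dport"], "expected": expected,
                           "seen": seen, "detail": detail})
    return alerts


if __name__ == "__main__":
    for a in find_mismatches(FLOWS):
        print(f'{a["src"]} -> {a["dst"]}:{a["dport"]} '
              f'expected {a["expected"]}, saw {a["seen"]} ({a["detail"]})')
```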

    Open Windows Explorer, navigate to C:\Program Files\OpenSSH\etc. Open the file sshd_config using Wordpad. (That's sshd_config not ssh_config!) 
    Change the line 

    #Port 22 

    to 

    Port 443 

    Save the file. 


    Now open a command prompt. Change to C:\Program Files\OpenSSH\bin. We are going to create a user and group database from your Windows user database. Type the following; 

    mkgroup -l > ..\etc\group 

    Then 

    mkpasswd -l > ..\etc\passwd 

    These 2 commands will create group and password files at C:\Program Files\OpenSSH\etc

    Starting/Stopping the SSH Server
    On your home computer, open a command prompt. To start your SSH server, type the following: 

    net start opensshd 

    To stop your SSH server, type the following: 

    net stop opensshd 

    To make it easy, you can create a .bat file that will run this command. If you make a shortcut to the .bat file in your Windows Startup program group, then when you turn on your home computer in the morning, the servers will start up automatically, and be ready for you when you get to work.

    If you have a wired or wireless router at home (Linksys, D-Link, Netgear, etc)
    Some routers call it port forwarding and others call it virtual servers, but the setup is very similar no matter what brand you use. You will need to configure your router to route port 443 to the computer where you're running the SSH server. I'm not going to go into details, but there is usually a browser-based interface directly to the router, which will have a page to set up virtual servers. Configure it to forward port 443 to your SSH server computer, port 443.

    Setup Putty at Work/School
    Copy putty.exe to somewhere on your hard drive at work. c:\ will do fine, or anywhere else you want. Your desktop is convenient but kind of obvious. If you don't have permissions to write files to your hard drive, just copy putty.exe and shunnel.bat to a floppy disk or burn them onto a CD. Take the disk to work and run Putty from the appropriate drive. 

    Open Notepad and copy the following into it, change the bold part where necessary; 

    putty -D 8080 -P 443 -ssh homeIP 
    homeIP should be the IP address of your home machine that you wrote down in the Addresses section above.
    Save the file as shunnel.bat in the same directory that you saved putty.exe. 

    Note for advanced users: If your computer at work is already configured to use a proxy server, you need to configure Putty a little differently, but this may still work.

    Open Putty in graphical mode, input your connection setting, and also copy the proxy settings from Internet Explorer to Putty's proxy configuration screen. Putty should now create a secure tunnel through the proxy at work to your computer at home... pretty neat trick.

    Create your tunnel
    At work, simply double-click shunnel.bat to initiate the shunnel. A Putty window will pop up asking for a login name and password. Type the user name and password you created above on the Windows account. If it works, you will be presented with a DOS prompt waiting for a command. This is actually a command prompt to your HOME machine. You can use it if you want, but as long as this command prompt is open, your tunnel is alive. To close the tunnel, type exit or close the window. 
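A network-side check for the tunnel described above, as an added example that is not part of the original tutorial: SSH peers open with a cleartext identification string (RFC 4253), while HTTPS clients open with a TLS ClientHello, so the first bytes of a port-443 flow tell the two apart. The flow records, addresses and function names are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: each side opens with "SSH-protoversion-softwareversion".
SSH_ID = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x7e]+)")

def classify_first_bytes(payload: bytes):
    """Return (label, detail) for the first bytes one peer sent on a connection."""
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01):
        return ("tls-client-hello", None)
    # A server may send other text lines before its identification string,
    # so check the first few lines rather than only the first byte.
    for line in payload.split(b"\n")[:8]:
        m = SSH_ID.match(line)
        if m:
            return ("ssh", m.group(2).decode("ascii"))
    return ("unknown", None)

def flag_ssh_on_tls_ports(flows, tls_ports=frozenset({443})):
    """List flows to a TLS port whose opening bytes are an SSH identification."""
    alerts = []
    for flow in flows:
        if flow["dport"] not in tls_ports:
            continue
        label, software = classify_first_bytes(flow["first_bytes"])
        if label == "ssh":
            alerts.append((flow["src"], flow["dst"], software))
    return alerts

# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 443,
     "first_bytes": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
    {"src": "192.0.2.23", "dst": "203.0.113.50", "dport": 443,
     "first_bytes": b"SSH-2.0-PuTTY_Release_0.60\r\n"},
    {"src": "192.0.2.31", "dst": "203.0.113.9", "dport": 22,
     "first_bytes": b"SSH-2.0-OpenSSH_5.5\r\n"},
    {"src": "192.0.2.44", "dst": "198.51.100.8", "dport": 443,
     "first_bytes": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
]

if __name__ == "__main__":
    for src, dst, software in flag_ssh_on_tls_ports(SAMPLE_FLOWS):
        print(f"SSH on TLS port: {src} -> {dst}:443 client={software}")
```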

    For Advanced Users
    If you are very familiar with SSH and know what you are doing, you can set this up so you don't have to enter a password each time you create the shunnel. You have to install OpenSSH as your SSH client and then set up key-based authentication by creating a public and private key on your work computer. Install the public key on the SSH server on your home computer. Thanks to Robert W. for this suggestion. I may go into more detail on how to set this up in the future. 

    Configure Internet Explorer
    Now we have to configure Internet Explorer at work to use a SOCKS proxy server. 

    First, at school/work, go to http://www.whatismyip.com . Write down the number. This is your IP address WITHOUT your shunnel enabled. 

    In Internet Explorer; 
    Open the Tools menu, then click Internet Options. 
    Click the Connections tab, then click LAN Settings.
    Check "Use a proxy server ...", then click the Advanced button. 
    If "Use the same proxy for all protocols" is checked, uncheck it. 
    Delete anything from the "Proxy address to use" and "Port" boxes. 
    On the Socks line, enter "127.0.0.1" for the address, and "8080" for the Port. 
    Click OK a couple times, then close Internet Explorer and restart it.



    First go to http://www.whatismyip.com again. If everything worked correctly, the page should have changed to show your HOME IP address, NOT your work IP address. If it shows your home IP address, congratulations, you're surfing the web securely and privately from work. 

    If your intent is to access MySpace, and MySpace was blocked before, try it now. 
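An endpoint-side audit for the browser setting configured above, as an added example that is not part of the original tutorial. It assumes an inventory of the `ProxyEnable` and `ProxyServer` values that Windows keeps under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` for the LAN Settings dialog; the host names, values and function names are constructed.

```python
import ipaddress
import re

def parse_proxy_server(value: str) -> dict:
    """Parse a ProxyServer string into {scheme: (host, port)}.

    Handles "host:port" (one proxy for every protocol, stored under "*")
    and "scheme=host:port" entries joined by semicolons.
    """
    entries = {}
    for item in re.split(r"[;\s]+", value.strip()):
        if not item:
            continue
        scheme, sep, target = item.partition("=")
        if not sep:                       # bare "host:port" form
            scheme, target = "*", item
        host, _, port = target.rpartition(":")
        if not host:                      # no port was given
            host, port = target, ""
        entries[scheme.lower()] = (host, int(port) if port.isdigit() else None)
    return entries

def is_loopback(host: str) -> bool:
    """True for localhost or any loopback IP literal (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:                    # an ordinary DNS name
        return False

def loopback_socks_findings(hosts: dict) -> list:
    """Return (hostname, port) where the enabled proxy is a local SOCKS listener."""
    findings = []
    for name, settings in sorted(hosts.items()):
        if not settings["ProxyEnable"]:
            continue
        socks = parse_proxy_server(settings["ProxyServer"]).get("socks")
        if socks and is_loopback(socks[0]):
            findings.append((name, socks[1]))
    return findings

# Constructed inventory: host names and values are sample data.
SAMPLE = {
    "WS-014": {"ProxyEnable": 1, "ProxyServer": "proxy.corp.example:3128"},
    "WS-027": {"ProxyEnable": 1, "ProxyServer": "socks=127.0.0.1:8080"},
    "WS-033": {"ProxyEnable": 0, "ProxyServer": "socks=127.0.0.1:8080"},
    "WS-041": {"ProxyEnable": 1,
               "ProxyServer": "http=proxy.corp.example:3128;socks=localhost:1080"},
}
```

A browser pointed at a SOCKS proxy on the loopback address means some local process is listening on that port, so each finding is worth pairing with a check of what owns the listener.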

    Configuring other applications to use the private connection
    Most applications that access the Internet can be configured to use the shunnel. For it to work, they have to support a SOCKS 4 or SOCKS 5 proxy connection. Instant messaging programs like AIM, ICQ, Yahoo IM, and mIRC all support this. 

    Setup is different for each application, but the settings will be the same. You want to configure the application to use a SOCKS 4 or SOCKS 5 proxy server; Host should be 127.0.0.1, and Port should be 8080. 

    Protect yourself from someone looking over your shoulder
    Here's a great application that fits in perfectly with the theme of this page. It's called Ghostzilla. The idea is that you want to surf the web, but have it look like you are doing normal work to people walking by your computer. Ghostzilla is a browser that hides itself in your normal work applications, like Excel, or Word, or Visual Studio... anything. With a swish of the mouse, Ghostzilla pops up and you can surf the web. If you see someone coming, simply move the mouse away, and it disappears, leaving no trace. Plus, you can easily configure it to use the shunnel as described here, for total privacy! 

    A Simpler Solution
    Buzzsurf has teamed up with HTTP-Tunnel Corp to encourage users to try the HTTP-Tunnel Client as a simpler alternative to the procedure described here. Using HTTP-Tunnel, you don't need a computer at home to leave turned on all day. And you don't need to know how to install SSH or Putty. All the network communication is encrypted and sent over standard webserver ports, just like I describe, so it offers just as much protection without the hassle. Try it for free at HTTP-Tunnel.com.