Network Security Basics - Are you doing these things?

Added: 2026-05-05

[00:00:00]Let's talk about basic network security today. This is meant for the layman.

[00:00:04]We're just going to go over the big highlights here. Uh don't worry, I'm not going to be shilling some VPN or internet security suite. Both those don't do really much for your internet security. We'll get into why that is, but there's no affiliate links associated with this video. Let's just give you some basic protection and things you should be doing. I think everyone should know this and do it. So, let's first start with a basic network scan. You can go to GRC shields up. This scans your external gateway to see if any holes are punched in it. And if you're exposing any ports, the big thing here is just do an all port scan. Look from zero to a th00and. This should pretty much show up all green for every home user out there. Uh in a business or somewhere like let's say you're serving a web server, port 80 or 443 might be open or blue. That just means or that those uh can actively be serving uh certain application to the outside world. But for most people, this should be green. And if it isn't, you need to look at your router settings or maybe even switch routers at this point. All right, moving on. Now, let's go to your actual device. We we'll touch back on this the actual gateway and how to use or or switch that out here in a second.

[00:01:21]In Windows, you can do a netstat. Same with Linux. Many people have done this.

[00:01:26]Uh I'm going to go a different direction on this. We're going to pull up something called TCP view. This is actually from Microsoft. It was originally made by CIS internals, Microsoft Bottom Out. Uh you can install this for free through microsoft.com or it's included in the Windows utility. So if you're a Windows user, you can install this and and look at certain things in here. The big thing is hit this remote address button. Scroll down and see what is connected to the outside world. Um, this right here is Synology Active Backup. It's currently back and forth backing up this specific system.

[00:02:02]Uh, and this is an IPv6 address on 443 uh, with SVC host. I don't think that's anything to worry about, but just kind of make a note of all this. Ideally, you wouldn't see any remote access or address connected to your system in here. Now, other things that I would like to point out here is if you sort by local host or local port, see what is listening and could be connected to on your system. Here we have port 22 open.

[00:02:33]The SSH service on this Windows machine is enabled, which means someone could remote in if they had credentials or if they wanted to exploit it, if they could, they could possibly get in. Just know it's an attack surface that I'm exposing on this Windows system. You can close or uninstall or disable SSH and then this would disappear. So just know this executable is running in the background and it could establish stuff.

[00:02:59]So look out for port 22. Other ports to look out for here is port 80 and 443.

[00:03:04]These are both web server ports. Uh very common you might see something. Another port that I currently am listening to could be port um for 5900 which would be your VNC port. So VNC is used for remote access and a lot of different programs.

[00:03:25]So having this exposed or currently listening means someone could connect to your system. So shutting down this or uninstalling tight VNC server in this case uh you can see it in my taskbar over here. Uh that actually is currently listening. So if I ever get locked out of this machine, I can just remote into it. That's why I have it open, but it's still an attack surface. Another port I probably would look out for besides 5900 for VNC is 3389, which is Windows RDP.

[00:03:53]So that would be right in here. Uh RDP is very common on Windows machines and it could be enabled. It's currently not enabled on this system as I don't really use it, so it's disabled. You want to disable these types of things because that's what's called an attack surface.

[00:04:07]and reducing that surface just saying, "Hey, I don't have capabilities for SSH or VNC." Just means it kind of closes that hole or that surface that someone could hit your system and possibly get into. So, that's how you'd scan for ports and look at them on your Windows system. On Linux, uh, let's just clear this out. I would probably do SS TULP on a newer system. Uh you could do netstat t aulp on an older system if you have the net-tools uh installed on your system. Tuln that's why I'm I'm like why am I not seeing it not tulp although tulp does show uh right here you can see this port but if you actually want to see the port itself you can actually do tul and that's going to show right under here. Get out of my big old fat head out of the way. You can see port 1313 being exposed on the LAN address here of uh 97 which is currently my LAN address here. Nothing external though. There's no external connections to any peer addresses. So nothing in my local network or externally it would show up in the pure address port. Now you might be thinking Titus, how do I uh see what's on that port? You can do an lsof-i and then a colon 1313. And that's going to show you everything that's currently connected to this port. The big thing to look at is right here, the command Hugo, which is my web server, which uh you can see right here. This is how I'm previewing my website before I publish it. And then Chrome. Chrome's actually what is displaying that service. So, it's all kind of contained in here. So, nothing really to worry about. Um, but if you did have like external peer addresses, same thing that we saw in Windows, this is how you look at it. Uh, another really good use case of LSOF is when you're, let's say you set up a server as a CIS admin and you're wanting to do like a web server and you're doing trying to use port 80 and 443, but something's already loaded there. Well, this is how you find out what's loaded and then you can kill that process or uninstall it or choose a different port.

[00:06:21]There's all these things. So, uh, netstat and lsof is just such a clutch thing for Linux users out there. Now, about securing the network, we kind of touched on that about the gateways.

[00:06:32]There's third party gateways, but the internet provided or your internet service or ISP gateway that comes with it, like a two-wire if you're an AT&T user. There's a bunch of crappy like gateways from cable networks out there.

[00:06:46]Most of these are just trash, but it's still like, hey, it's what you got. I get it. Um, those are probably the most exploited. And while I recommend doing like a third-party router behind these, I think it'd be better. That way, you can control your network a little bit better and not rely on your internet provider to give you any kind of security, which, you know, spoiler, they don't really do very well. So, I would recommend some kind of thirdparty router for most residential people. There's ASUS, TPLink, all these Netgear if back in the day. God, Cisco had their own little bit. Um, but these days, nobody really uses that.

[00:07:29]Um, and I think ASUS, last I checked, I think they had an exploit within the past year. Um, TPLink and other ones are, I think, on the way out. I think they're getting banned from the United States. Don't quote me on that, but I think Jeff Gearling did a video on that if you're interested in third-party routers, but I don't um I think they're still better than the stuff from your ISP, but probably still not ideal and not anything I would ever recommend. So, don't freak out if you do have these routers. Um I would just steer clear of them and go with something from Ubiquiti. You know, UniFi, if you look at it, h you got the full gateway routers. I know 200, $300, $400, these are kind of expensive, but uh worth it for what they provide.

[00:08:18]You're going to have excellent Wi-Fi.

[00:08:20]You're going to have fantastic gateway protection. I just love UniFi. Um I personally would just recommend a smaller gateway and then just add on an access point to provide Wi-Fi. Uh, for most home users, I would do like a Gateway Ultra and probably just a low-end uh, access point. So, you could go with something like this with a lower-end access point for like a hundred bucks, like a U7 light. So, you'd be out probably a little over $200 for a basic UniFi setup. And I would say that's probably the best security for a home user. Um, right out of the gate, real easy use setup. Now, having said that, I know a lot of my audience loves to tinker, kind of loves to get in the nitty-gritty. And if you're getting into networking and you really want to control everything in your network, UniFi is not very good for that. And that's where like PFSense, OpenSense would be fantastic. Uh Lawrence PC here on YouTube's a great resource for PFSense. Uh I know hardware haven is another great resource if you really are looking at like build your own router type situation uh and you really want to tinker absolutely fantastic. If you want something like out of the box from pfSense you could do Netgate is their parent uh you know coupled technology if you want another option. Just know that it is a more difficult setup but it does give you a lot more control. So it depends on where you are at in your journey and how much time you want to spend on network security. But router is something you really need to focus on. I absolutely love uh all these uh that I talked about today. Both pfsense and ubiquity is the only thing I recommend.

[00:10:06]Uh all the other stuff you buy at like Best Buy and MicroEnter and a lot of that stuff. Actually MicroEnter sells a bunch of Ubiquiti stuff. So really it's just Best Buy and a lot of the other big box stores here in the States that just provide the other crap that I would just never use. So that's routers in a nutshell, my recommendations. And the other thing here is blocking devices and just kind of going through your network.

[00:10:31]Here is my network. Um, I just go to the device panel right over here and list the devices. Go through, scroll through this entire list. If there's something that's not there, you just go over here and block. And almost every router has this capability. If your router doesn't have this capability, you absolutely need to change that out. Uh I think even ISP routers have this capability. So it's really important to go through and remember security is a journey, not a destination. And look at what's on your network. If you see something on your rout network and be like, "Oh, what the hell is that?" Uh let me expand that.

[00:11:07]Oh, router board. That's probably like a microte I got somewhere else in the house that I'm using. So using that crappy that's cheap but it's a standard switch. Anyways, I digress. Find these, look through, you can always block them and then see if something happens. And if nothing happens, you can just leave it blocked and that prevents that device from communicating from anywhere on your network. So, if you're worried about like your neighbors stealing your internet, um because I think I did that back in the early 2000s at an apartment, I didn't want to pay for internet. I was just like, man, uh you could just go war diving and just have a blast in a in a apartment complex and never pay for internet again. Not that I recommend that. I don't even know how feasible that is these days as I have been uh not living in an apartment for quite some time. But regardless, you should know if you are in an apartment, this is a huge amount of exposure. Someone, your neighbor next door could just be sitting there constantly pinging your network.

[00:12:07]So having a decent setup is nice. As far as software firewalls for Linux, I just recommend UFW, which is a really uncomplicated firewall. You can just say deny and allow outgoing. Check it at any time. If you want a guey, GUFW for Linux. For Windows, you have the bakedin firewall at WFMSC.

[00:12:30]You can just go WF MSC and you can go to inbound rules and then set things. So if you wanted to make sure you blocked SSH, for instance, bam, SSH is now blocked on this one. Um, and you can see all inbound rules that don't match one of these will be blocked. Outbound rules are always wide open. If you really want to go real and tinker a lot, I really wouldn't recommend Windows Firewall. It kind of sucks. Uh I don't like it. But uh don't disable the service. It can break Office and other things. So if you wanted to, let's say, bypass Windows Firewall and just say, "Okay, I'll just leave outbound rules alone. Inbound rules, you just make one master rule in custom all programs. any next next allow everything and this essentially uh this allow rule wouldn't be needed but essentially that would just allow everything to get into this Windows box if you wanted to bypass Windows firewall or let's say Windows firewall is giving you problems don't stack a bunch of firewall softwares on top of each other it's just a recipe for disaster uh I probably would recommend something like tiny tiny wall or uh simply I think simple wall I think I did a video on. Yeah. Yeah. I I think I called it block internet access in Windows using simple wall and simple wall is a foss tool. It's free and open source. You can do whatever you want with it. It's fantastic. So I'd recommend that uh probably this for Linux simple wall if you want something really granular and dive deep. Otherwise just some basic Windows firewall configuration is fine. As far as VPNs go, VPNs, I'm not going to spend a lot of time here because essentially all a VPN is establishing a secure connection between wherever you are and wherever the VPN terminates. That's it. It just does a secure connection between there and there. So, if you're compromised and you have bad things running on your system, the only thing that it does is it sends it through the secure tunnel and then out to the attacker. It doesn't prevent that from happening. So VPNs are often touted as this massive security.

[00:14:45]Oh, you need a VPN. I'm like, oh god, I can't. It just drives me completely nuts. And security people are just nutty people. And there's just such a good way to make money on YouTube shilling VPNs.

[00:14:59]You get like 30% margins. They're insane. Uh so if I was smart, I'd probably tell you to go buy a VPN, but honestly, most of you don't. Here's the use cases for VPN if you're interested.

[00:15:10]uh torrenting so you don't get DMCA uh and get a nasty letter in the mail.

[00:15:15]That's a that's a use case. Another use case would be to go and let's say I want to watch Bridgetgerton and it's only in the United Kingdom. I could VPN over to the United Kingdom and say I'm a United Kingdom person, give me Bridgetgerton Netflix and then it would display it because it would think I was in the United Kingdom. So it changed my location essentially. Um, and probably a third thing where actually securing the connection between you and the endpoint would actually be useful is a very public setting. Like think of a coffee shop or even a hotel. Most reputable coffee shops and hotels that are big are already doing this. They're isolating all the access points so nobody can talk to each other and hacking each other.

[00:15:56]But like a mom and pop cafe, you know, coffee shop probably would be the most vulnerable. If I wanted to do war diving and like hack into people's stuff, I would target probably those lower uh mom and pop shops that don't have proper IT support that haven't set up their access points to be isolated uh or isolating each individual user of it. But places like Starbucks pretty much already do this. Anyways, that's the use case for a VPN. And probably the last thing I want to leave you with that's probably even the most important is that blocking on the network. That's active protection.

[00:16:32]It's why people pay cyber security folks to be on staff. They want to be constantly monitoring the network because it's not if something like that happens, it's when. There's always going to be Bob down the road that does something stupid and ends up installing, you know, whatever virus on the system.

[00:16:53]And when that happens, you need to have somebody that knows something to block him, remove the threat, and then also know it happened. The worst thing I've ever seen is when people just blindly assume, hey, I have a VPN, I have security software, I'm safe forever.

[00:17:11]That's stupid. Uh, again, security is a journey, not a destination. And the biggest thing I can say to just hammer that home is just think of someone like me that knows a lot about this type of thing. I still would never say I'm secure. There's always a chunks like uh HW monitor CPUZ was hacked for about six hours last week. I download those programs all the time. I could have downloaded them during that hack.

[00:17:40]Probably not from the website. I usually use Windgit, which was safe. But let's say they did get hacked and someone was able to put a lashes file up there and I downloaded it. It could happen to anybody. So, nobody's really safe. Uh don't ever think of yourself as safe.

[00:17:55]That's when the worst hacks can happen because you should always be checking what's on your network, blocking it when you don't understand it. And then if it is like, oh crap, yeah, I added a robot vacuum that's now connected to the internet. Okay, I get it. Uh, hell, I think dishwashers go to the internet now, which I probably would go ahead and block those regardless because Anyways, I'm going to go on a whole different rant. Hope this helped everybody out.

[00:18:20]Um, if not, uh, I'll leave this up on chrisitus.com. Go check it out and well, let me know your thoughts. I'm sure there's a lot I missed. This is such a huge topic. It's not just use this one thing. I try to touch on a little bit of everything just to give you some a taste of what it takes to get some basic security. Not to scare you or anything, but there's just a lot that goes into it. And that's why people have cyber security jobs because it gets even bigger in business. This is just basic security. Anyways, hopefully this helps