The Internet has made large amounts of information available to the average computer user at home, work and school. For many people, having access to this information is no longer just a privilege, it is essential. On the other hand, connecting a private network to the Internet can expose critical or confidential data to malicious attack from anywhere in the world. Users who connect their computers to the Internet must be aware of these dangers, their implications and how to protect their data and their critical systems. It’s sad, but true: the Internet, like any other society, is plagued with a brand of malicious idiots who enjoy the electronic equivalent of writing on other people's walls with spray paint, tearing their mailboxes off, or just sitting in the street blowing their car horns.
To simply ignore these realities is foolish and potentially dangerous to you, your business and your data. In previous articles, we addressed the issue of protecting yourself against external threats to your system, particularly as it relates to viruses.
Today we are going to turn our attention to another essential defensive weapon in the armory: the firewall.
While just about everyone these days has an anti-virus program, an anti-virus program alone is not enough. There are other methods of attack or intrusion from the Internet against your network, so your first line of defense should be a firewall. A firewall provides protection from port scanning and disables outside access to shared folders, files and printers, which keeps the bad guys from copying files and programs to your computer that can cause serious problems when executed.
A firewall can also act as your corporate 'ambassador' to the Internet. Many corporations use their firewall systems as a place to store public information about corporate products and services, files to download, bug-fixes, and so forth. Several of these systems have become important parts of the Internet service structure (e.g. UUnet.uu.net, whitehouse.gov, gatekeeper.dec.com) and have reflected well on their organizational sponsors.
Sounds great, you say. But what exactly is a firewall?
Firewall Facts
As I mentioned, a firewall protects networked computers from intentional hostile intrusion that could compromise confidentiality or result in data corruption or denial of service. A firewall can be either a hardware device or a software program running on a secure host computer. In either case, it must have at least two network interfaces, one for the network it is intended to protect, and one for the network it is exposed to. A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet.
You don’t need to understand all of the technical details to use a firewall, but it is important that you understand how it works. A firewall examines all traffic routed between the two networks to see if it meets certain criteria.
There are two access denial methodologies used by firewalls. A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless it meets certain criteria. The type of criteria used to determine whether traffic should be allowed through varies from one type of firewall to another. Firewalls can filter packets based on their source and destination addresses and port numbers. This is known as address filtering. Firewalls can also filter specific types of network traffic. This is known as protocol filtering because the decision to forward or reject traffic depends on the protocol used, for example HTTP, FTP or Telnet. Firewalls can also filter traffic by packet attribute or state. They may also use complex rule bases that analyze the application data to determine if the traffic should be allowed through.
If the traffic meets the criteria, it is routed between the networks; otherwise it is stopped. A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted.
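As an added illustration (not code from the original article), here is a small Python model of the first-match packet filter just described: rules match on source and destination address, transport protocol and destination port; the default policy is either deny-unless-allowed or allow-unless-denied; and every rejected packet is logged so the attempt can be reviewed. The LAN, server addresses and rule set are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # transport protocol: "tcp", "udp" or "icmp"
    dport: int    # destination port, which identifies the application protocol (80 = HTTP, 23 = Telnet)

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # address filtering: source network (CIDR)
    dst: str = "0.0.0.0/0"       # address filtering: destination network (CIDR)
    proto: str = "any"           # protocol filtering: transport protocol or "any"
    dport: Optional[int] = None  # protocol filtering: destination port, None = any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

class Firewall:
    # First-match rule base; "default" decides traffic no rule matches (deny-all or allow-all policy).
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules, self.default, self.log = rules, default, []

    def check(self, p: Packet) -> str:
        action = next((r.action for r in self.rules if r.matches(p)), self.default)
        if action == "deny":  # log every rejected attempt so it can be reviewed later
            self.log.append(f"DENY {p.proto} {p.src} -> {p.dst}:{p.dport}")
        return action

# Constructed rule base (assumption): LAN is 192.168.1.0/24, public web server is 192.168.1.10.
RULES = [
    Rule("deny", proto="tcp", dport=23),                          # no Telnet in any direction
    Rule("allow", dst="192.168.1.10/32", proto="tcp", dport=80),  # public HTTP to the web server only
    Rule("allow", src="192.168.1.0/24"),                          # LAN hosts may initiate outbound traffic
]

if __name__ == "__main__":
    for policy in ("deny", "allow"):
        fw = Firewall(RULES, default=policy)
        for pkt in (Packet("203.0.113.5", "192.168.1.10", "tcp", 80),    # web request from outside
                    Packet("203.0.113.5", "192.168.1.10", "tcp", 445),   # file-sharing probe from outside
                    Packet("192.168.1.20", "198.51.100.7", "tcp", 443)): # LAN user browsing out
            print(f"default {policy}: port {pkt.dport:>4} -> {fw.check(pkt)}")
```

Under the deny-all default the file-sharing probe is stopped with no rule mentioning port 445; under the allow-all default it passes, which is why the article recommends the stricter policy for home machines.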
Who’s at Risk?
DSL or a cable modem poses a greater risk to your computer than a dial-up modem does. Why? A dial-up modem uses a different network address every time it connects to the Web, so it is a moving target. DSL or cable connections use a network address that doesn't change. A firewall helps obscure your network address, even though it always stays the same. If your computer is always connected to the Internet, your computer's network address is even more available to hackers. There is also a risk from "sharing the wire": people in your neighborhood who have the same cable service could potentially trespass on your computer. A firewall can help protect your computer in such instances.
Many dial-up Internet users believe that anonymity will protect them. They feel that no malicious intruder would be motivated to break into their computer. It’s a nice thought, but as the thousands of dial-up users who have been victims of malicious attacks, losing days of work and having to reinstall their operating system, can attest, this is only an illusion. Irresponsible pranksters can use automated robots to scan random IP addresses and attack whenever the opportunity presents itself.
Anyone who connects so much as a single computer to the Internet via modem should have a firewall. You should also use firewall protection on a computer that has a direct, dial-up connection to the Internet, a single computer connected to a cable modem, or a single computer connected to a DSL modem. If you’re a broadband user with two or more ISP-assigned IPs connected through a hub, you’ll need to protect each computer individually. An easy rule of thumb: if a computer connects directly to the Internet, it needs protection.
If you have a Windows XP-based computer that is used for Internet Connection Sharing (ICS), you’ll also want to enable a firewall on the host computer (and only the host computer).
Who does not need a personal firewall?
If a computer is a client computer to an ICS (Internet Connection Sharing) host, do not install a firewall, but be sure you do enable it on the host computer. If a computer is behind a NAT box or router, don’t use a firewall, because the inherent properties of NAT will protect you. If you’re in an enterprise/corporate environment, you likely don’t need a personal firewall while logged into a domain at work because your IT staff will have proper commercial firewalls in place on the network.
Maintaining a Firewall
Simply installing a firewall is not enough. You need to establish a maintenance program and follow it every month to keep your firewall in good condition:
- Check for software updates. Go to your firewall vendor's Website, and sign up to be notified of updates. Note: If you are using Windows XP or Windows Me, you can install the Automatic Updates feature and get the software updates for Internet Connection Firewall (ICF) delivered automatically.
- Review the logs. Ascertain how much probing traffic your firewall is repelling.
- Turn off an "always on" connection. If you have a DSL or cable modem, turn off your connection when you don't need to be online.
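To put the "review the logs" step into practice, here is an added Python example (not part of the original article) that summarises firewall log lines: how many probes were dropped, which sources and ports they were aimed at, and which source touched enough distinct ports to look like a port scan rather than a stray connection. The log lines, their field layout and all addresses are constructed for the example and do not come from any real firewall product.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not a real capture). Fields per line (assumed layout):
# date time action protocol source-ip destination-ip source-port destination-port
SAMPLE_LOG = """\
2003-04-12 02:14:07 DROP TCP 203.0.113.5 192.168.1.10 4321 135
2003-04-12 02:14:07 DROP TCP 203.0.113.5 192.168.1.10 4322 139
2003-04-12 02:14:08 DROP TCP 203.0.113.5 192.168.1.10 4323 445
2003-04-12 02:14:08 DROP TCP 203.0.113.5 192.168.1.10 4324 1433
2003-04-12 02:20:31 DROP UDP 198.51.100.77 192.168.1.10 1026 137
2003-04-12 02:41:55 OPEN TCP 192.168.1.10 198.51.100.20 1041 80
2003-04-12 03:02:13 DROP TCP 198.51.100.77 192.168.1.10 1027 445
2003-04-12 03:15:00 DROP ICMP 192.0.2.9 192.168.1.10 - -
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\w+) (\S+) (\S+) (\S+) (\S+)$")

def parse(log_text):
    """Turn log lines into dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, action, proto, src, dst, _sport, dport = m.groups()
            events.append({"ts": ts, "action": action, "proto": proto,
                           "src": src, "dst": dst, "dport": dport})
    return events

def summarize(events, scan_threshold=3):
    """Count repelled probes; a source hitting >= scan_threshold distinct ports is flagged as a scan."""
    dropped = [e for e in events if e["action"] == "DROP"]
    by_src = Counter(e["src"] for e in dropped)
    by_port = Counter(f'{e["proto"]}/{e["dport"]}' for e in dropped)
    ports_per_src = defaultdict(set)
    for e in dropped:
        ports_per_src[e["src"]].add(e["dport"])
    scanners = sorted(s for s, ports in ports_per_src.items() if len(ports) >= scan_threshold)
    return {"dropped": len(dropped), "by_src": by_src, "by_port": by_port, "scanners": scanners}

if __name__ == "__main__":
    report = summarize(parse(SAMPLE_LOG))
    print(f"{report['dropped']} probes repelled")
    for src, n in report["by_src"].most_common():
        print(f"  {src:<15} {n} dropped, looks like a port scan: {src in report['scanners']}")
    print("most targeted ports:", report["by_port"].most_common(3))
```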
Firewall Limitations
Despite their obvious value, firewalls are not a cure-all or a magic bullet. Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape can just as effectively be used to export data. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected. While it is silly to build a 6-foot thick steel door when you live in a wooden house, I have encountered many corporations and individuals buying expensive firewalls and neglecting the numerous other back doors into their network. For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all: they shouldn't be hooking up to the Internet in the first place, or the systems with the really secret data should be isolated from the rest of the corporate network.
Another thing a firewall can't protect against is traitors inside your network. Floppy disks are a far more likely means for information to leak from your organization than through a firewall. Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall if he can find a 'helpful' employee inside who can be fooled into giving away his password.
Firewall-Related Problems
Firewalls introduce problems of their own. Information security involves constraints, and users don't like this. Firewalls restrict access to certain services. The vendors of information technology are constantly telling us "anything, anywhere, any time", and we believe them naively. Of course, they forget to tell us we need to log in and out, to memorize our 27 different passwords rather than writing them down on a sticky note on our computer screen, and so on.
Firewalls can also constitute a traffic bottleneck. They concentrate security in one spot, aggravating the single point of failure phenomenon. The alternatives, however, are either no Internet access or no security, neither of which is acceptable in most organizations or on your home computer.
David W. Tschanz is a Microsoft certified systems engineer, web developer and writer of computer-related articles. He is also a medical/military historian, an epidemiologist, an editor and a demographer. You may contact him by sending your emails to: Desertwriter1121@yahoo.com.