[Previous entry: ""] [Main Index] [Next entry: "A plan for email"]

12/19/2003 Archived Entry: "More on firewalls"

A bit more about network firewalls.

Scott M. writes regarding Zone Alarm, "First, firewall algorithms, like other security code, need to be perpetually updated. So where does that leave a user who bought a free product just before it was removed from marketing? If Checkpoint takes this tack, it won't support the free version forever."

I agree, somewhat. Firewalls aren't virus scanners; they don't need to be constantly updated with new signatures. Ideally a firewall will close all unused ports on the system and not allow incoming connections. But most firewall software is probably not this paranoid -- I have no personal experience with Zone Alarm -- and popular packages may themselves be subjected to attack. So yes, keeping up to date is a good idea, and something you'll want to think about when you install software.

(I've been using the same "firewall software" -- ipchains -- for almost three years. Occasionally I have to modify the packet filtering rules; recently I blocked all responses to "ping." But ipchains allows changing its rules, and I know enough to write them.)

"Second, all else equal, a firewall running as a program on the machine that it protects has intrinsic vulnerabilities that do not exist on a firewall implemented on a separate piece of hardware. ... I am in the process of evaluating an SMC Barricade router/firewall device that claims to do stateful packet inspection and is priced at <$50. It is one of many similar products in this price class. An added benefit is that if a DSL or cable-modem user decides to serve multiple home computers with one connection, a single device can protect the entire LAN."

Agreed, on all counts. We use a dedicated firewall computer running Linux -- I posted some information before about how to do this -- and it protects all our computers. A dedicated box you can buy will certainly be easier for most users to set up, and I'll be interested to hear reports on the SMC unit (or any others people may have tried).

"Third, when last I checked, Zone Alarm was only for Windows. While that cobbled-up product is arguably the most vulnerable OS, it would be dangerous to assume that the others need no protection. I really think that these devices are the best way to go for home users with a static connection."

Also true. Linux and Mac users should learn how to enable their OS firewalls...I'm happy to see that some Linux systems (e.g. Red Hat) are now making this part of the installation process. But while a dedicated firewall unit might be better than some add-on software, any firewall protection is better than no firewall protection. So if you can afford it, invest in a commercial product. If you're broke but technically adept, build a Linux firewall out of an old PC. All other Windows users, download what you can. Protect your computer.


Powered By Greymatter