[Previous entry: "New Words for 2004"] [Main Index] [Next entry: "Bulletproof Computing: ISPs"]
03/13/2004 Archived Entry: "Bulletproof Computing: Firewalls"
Wendy says that I've put enough resource material into McBlog that it needs its own index. So in blatant mimicry of Fred Reed, I've started the "Brad on Everything" page, with links to my more substantive posts. (I've left out most of the rants and "news" posts.)
While email-borne nasties are probably the #1 source of infection for home computers, direct attack on your PC's Internet ports is a strong #2. Hence the need for firewalls as your second line of defense.
Firewalls don't protect against email attachments, just against direct port attacks (for lack of a better term). But unlike an email attachment, you don't have to take any action for a port attack to succeed. Merely connecting your computer to the Internet exposes its port vulnerabilities.
One thing you should do is shut down the operating system services that use those ports. If you're a home PC user, you don't need to run a web server or a FTP server, yet many Linux distributions install these servers by default. Learn how to turn these services off (it varies from system to system). Then, even if a vulnerability is discovered in, say, the Apache web server, you won't be affected because that program isn't running in your system.
Most users can shut down the web server, POP server, SMTP (mail) server, FTP server, and NFS server. If you're not networking locally to other Windows machines, you can (and should) shut down the SMB server as well.
Windows users, alas, don't have the option of selectively disabling services in the operating system. And Linux users may want to keep some services (like NFS or SMB for local file sharing). So you still need a firewall.
I've talked about firewalls before, here and here and here and here. So as not to repeat myself too much, here's a summary of your three options:
1. Software firewalls. These are easy to install, but (on Windows computers at least) may still leave some vulnerabilities. I've suggested Zone Alarm in the past, but at least one friend has had problems with it causing system instability, so you might want to research other products for Windows. I've just stumbled across the Home PC Firewall Guide, which might be of help.
For Linux, almost every modern distribution comes with firewall software... but you may have to enable it. (For Xandros Linux you need to download the Firestarter application from Xandros Networks.) This can give excellent protection if properly configured, but if carelessly configured can leave vulnerabilities exposed. I don't have experience yet with the various "wizard" programs that will configure a Linux firewall, so I can't make a recommendation.
2. Build-it-yourself firewall. Only for the technically adept! With an old 486 PC and a bit of free software, you can make and excellent firewall box. My friend Paul Rogers has a web page devoted to this topic. If you're a dialup Internet customer with several networked computers at home, this might be the way to go, because it can also provide dial-on-demand and Network Address Translation (NAT). But it's not trivial to do.
3. Firewall-in-a-box. I was delighted to see, at our local Linux Users Group meeting, an under-$100 home Ethernet router for broadband users. This little box included a built-in fully-functional firewall (the same "netfilter" used by Linux systems). You plug this box into your high-speed Internet modem, and your computer into the box, and you've got superb firewall protection.
To see how many of these devices are out there, just go to eBay and search for "Ethernet router firewall" in title & description. Here's just one example. Caveat: This is not a recommendation for this model. I've chosen this example randomly from the list; I know nothing about this particular unit.
The "average" PC user is going to be limited to options #1 and #3. If you're using Windows and high-speed Internet I'd say you simply must have a firewall box (option #3). Linux/Mac users with high-speed Internet might also want one of these; the time you save learning how to implement this on your Linux box can pay for the extra hardware. Dialup Linux users should learn to configure the built-in firewall. (I believe this also exists in Mac OS X.) As for dialup Windows users...well, until someone makes a dial-on-demand firewall-in-a-box, your best choice may be to download or buy a software firewall.
But however you do it...you must have a firewall.