Internet Firewalls Discussion



stampeder
2007-01-21, 01:00 PM
I first wrote this on another site almost 2 years ago and neglected to post it here at DHC so here goes. A fable is an illustrative story meant to teach a lesson or moral. This is a heads up on how a firewall works, and why it is important to have one (and anti-virus software too) if you are a Windows PC owner. If you know this stuff already, fine.

A networked computer receives data in the form of "packets", which are specially labelled containers of data. No two packets are labelled the same. In reality a packet consists mostly of various labels needed to address it from one computer out of many millions to another, with very little actual data in it. :eek: (That's why a simple file requires such a long download over a phone line connection).

Think of a long railway train coming to your town with freight cars loaded with all sorts of stuff, even though only a few parcels are actually meant for you personally.

Now, problems happen because packets can be intentionally corrupted in ways that cause them to severely mess up the receiving computer. Attackers have learned thousands of ways to make that happen.

Back to our railway train: consider that a few of the parcels have had their labels intentionally messed up so that you will get them even though you did not order them. They happen to contain bombs that will go off when they are opened, and they are on their way to your house.

A firewall works at the packet level to judge whether packets are acceptable or not, based on a clear set of rules. If a packet passes all the tests, it is let through. If not, it is dropped (gone forever). Firewalls must be kept up to date because intentional packet corruptions get more and more clever. If you do not update your firewall software on a regular basis you are therefore at risk.

Back to our railway: at the station a yard marshall sees the cars on a train as they pass by and determines which cars should go where in the yard, then he routes them to the proper places. He obviously does not know (or care) exactly what is inside the cars. He also has a team of railway police that patrol the fence for criminals trying to sneak in, but the cops don't look inside the cars. This is a lot like how the Internet operates.

As the bomb problem gets worse, railway companies decide to start scanning all parcels for bombs, but it's such an impossibly complex job that they leave it up to the folks at the receiving station or else the entire system of railways would be bogged down to a crawl. The individual station masters decide to do the scanning locally at their end, but because it's such an impossibly huge job they decide that in order to keep the cargo moving they will only scan envelopes of mail and not most parcels.

The scanning is more like Anti-Virus software, not firewalling. Your Internet Service Provider certainly has a professional grade firewall system, and probably does anti-virus scanning of email to some extent, but just cannot scan all data going through it to and from your computer. This is why you also need to have updated Anti-Virus software on your Windows PC. Remember, Anti-Virus scanning is not Firewalling, and Firewalls do not scan for viruses (unless they are a combined product).

Over time, railway station scanners discover all bombs made in a certain design pattern, and everyone rejoices that the problem has been solved. :) BUT... the bombers get really clever and figure out how the scanners work and design new bombs that cannot be detected yet. They also switch to using minibombs that are much harder to detect. Not only that, but on the outside of the railway yard's fence are criminals who constantly look for holes so that they can get past the cops, get inside, and steal all the great Home Theater equipment in the cars while they plant more minibombs. The railway is fighting a losing battle, and people in the press are whipping up hysteria.

New companies spring up with trained security guards who are hired to stand on your doorstep and scan every envelope, parcel, and package that comes into or out of your house. One guard is given a detailed list of what stuff is allowed, and the remainder is incinerated in the back of his truck regardless of all the time and expense to get it to your doorstep. The other guard takes everything that has been allowed past the first guard and passes it through a detailed scanner. If something inside looks like the stuff that guard has been trained to stop, the guard sounds the alarm and measures are taken to protect your home according to the rules he has been given.

Windows PC users need to have a personal firewall because you need to prevent maliciously crafted packets from entering your computer from the network. You also need to have top notch Anti-Virus software to scan what makes it past the firewall.

Our two guards on the doorstep unfortunately were not given any communication capabilities, so after a while new types of minibombs arrive, and even though the guards are doing the best job they possibly can, the minibombs start getting through.

You MUST keep the firewall and the Anti-Virus software updated so that the rules and descriptions do not get out of date.

Back on the doorstep, the guards have noticed that minibombs continue to detonate all around them, even though the guards now have shiny new radios and are updated regularly on new defences.

It turns out that there is a much bigger problem that the two guards, no matter how well prepared, cannot defend against: your house has all sorts of holes in it called Windows. The architects of your house have made the structure of it so dependent on its Windows that they cannot be removed, and if they are boarded up the occupants of the house will die because the Windows cannot be opened to let air through. Regardless of the two guards on the doorstep, the house is not capable of being protected!

Across the street the Macintoshes have a different kind of house that is much, much safer, and throughout town the banks, stores, commercial properties, and the homes of the architects and builders themselves are usually made of either UNIX or Linux armor plating, or have Mainframe vaults.

Sadly, even some of those professional sites installed Windows, so huge amounts of time and money have had to be spent to try to get them as secure as UNIX, Linux, and Mainframes, but it just never happens. Nobody seems to question why those Windows installers haven't been fired, but they have the best lawyers on the planet. ;) Also, there's a whole cottage industry in security that is dependent for its livelihood on the fact that Windows are fragile, so the politicians don't want to jeopardize those jobs.

Once inside your home, some of the minibombs bury themselves into your outgoing mail and parcels, and pretty soon everyone in your address book has been mailed minibombs. They themselves start mailing minibombs, and pretty soon everyone with Windows is doing it.

The biggest problem with Firewall and Anti-Virus software packages is that they cannot defend against certain exploits that attack Windows itself. They cannot understand how to analyze certain programs that pass through them. They cannot be told to stop all such programs because that would mean shutting down your Internet capabilities completely.

Just to be sure, you phone the original manufacturer of the Windows to see what solution they offer, but the solution they provide only opens up more Windows to attack!

Microsoft Windows is always left open to attack through the Internet Explorer browser even after all the patches have been applied. There is no fix because the hole is at the very center of the product. It was designed that way.

Then one day a salesman drives up and shows you a new product that replaces your Windows with more heavily constructed, less failure prone ones that have screens that stop the minibombs but still let the air through so that everyone can safely breathe. He points out that while it would be best for you to move to a home like the Macintoshes or even to Linux armor, you like your present house so you take his advice and switch over to one of his new products. The minibombs die off, and you give the salesman a regular call to come over and visit to update them with the latest new materials.

The Mozilla Firefox and Opera web browsers tend to be faster, have more customizable features, and are much more secure than the Microsoft Internet Explorer web browser. They also require patching and updating, but they are vastly more secure than IE.

I hope you enjoyed my little fable, and I wish you safe browsing, all!

BC0000
2007-01-21, 01:11 PM
DEAR LORDY STAMPY... love the system setup! oh my :D Um, we could launch rockets with that. I too share the disdain for an RF path. A safe way would be creating multiple VLANs through your router to bridge and isolate.

Since so many want the cheapest possible firewall, a physical hardware firewall is the cheapest, with the least amount of downloads to keep 'updated' (a lot of that is smoke and mirrors to let you think they are taking good care of you by keeping you up to date).

For those where price is an issue, a spare PC running as a firewall uses a lot of energy (some power supplies 250W etc.) vs. say a Linksys router that runs <5 watts on a step down transformer.

The OTHER best benefit from using a standalone firewall/router is utilizing the ability of cloaking your machine from the internet by disguising the IP address. There are a few hidden rules of the internet: you can hide your machines, printers, all-in-ones etc. from the outside world by using a 10. or 192. IP naming convention, which will stop someone from seeing your box or other peripherals and preying on them. Ensure that the flash over network features of all your peripherals are disabled.

stampeder
2007-01-21, 01:30 PM
Well, actually... ;) the firewall PC's power supply is labeled as 200W peak, but since the machine is doing almost everything it is supposed to do in kernel space (in RAM but rarely swapping out to disk) the hardware is not tasked at all so it uses very little power. I disconnected the power supply fan to make it silent (it doesn't overheat) and the only time I can hear the machine is when it is saving its system logs to disk. I don't run a windowing system on the firewall either - just command line.

Wabbit
2007-01-21, 01:43 PM
Nice analogy Stampeder, thanks for that, is that your own description?

Dog Byte
2007-01-21, 01:43 PM
I've used ZoneAlarm Pro for a long time and now I've added a LinkSys router for 2 moats around the computer. I like ZA because I can block certain addresses (like doubleclick.net) to get rid of a lot of annoying ads. I can also control which programs can access the Internet or act as a server. Handy because there's no reason for WMP or iTunes to wander onto the Internet most of the time.

I don't like ZA's new subscription model since you lose a little functionality after the first year. I never used its virus and mail security features anyway.

Your security is still limited by the software you're running. Using a torrent client (or kazaa or LimeWire) opens a bunch of ports that stay open until you reboot Windows. Every now and then I get an alert that "Mozilla wants to act as a server" from ZA -- I'm assuming that some Web site wants to kick Mozilla into server mode for their own benefit.

stampeder
2007-01-21, 02:05 PM
> Nice analogy Stampeder, thanks for that, is that your own description?

Ya I wrote that on another forum to a nice guy who was getting hopelessly mixed up on the terminology and thought he was well protected by just his anti-virus software - I've seen my post pop up in other places too, which is okay by me. :)

dynot
2007-01-22, 10:54 PM
I've done a search on this topic but didn't find anything. If anyone can point me to any resource I'd appreciate it very much.

I'm pretty much knowledgeable when it comes to wireless setups but am still unsure of the proper settings for maximizing security using static IP addresses and firewalls.

First off I have a D-Link DI-624 router set up with WPA security. I'd use WPA2 but the wireless card on another laptop my daughter uses doesn't support it.

I also assigned two static IP addresses for both laptops and blocked off the remaining range. This was done to accommodate my torrent client and add an extra layer of security by blocking off unneeded IPs.

My problem is this. I tried to connect to the router without setting up a static IP address and it connected leading me to believe that my router is still assigning IP addresses dynamically. My DHCP server shows as enabled and my static DHCP as disabled. Is this normal? When I try to disable the server it grays out the static DHCP options. However, the Static DHCP Client List does show the two laptop addresses I assigned.

My other problem is the firewall settings. Is there anywhere I can go to read up on proper firewall settings, particularly with the DI-624?

Any suggestions?

I_Want_My_HDTV
2007-01-23, 12:00 AM
> I'm pretty much knowledgeable when it comes to wireless setups but am still unsure of the proper settings for maximizing security using static IP addresses and firewalls.

I don't think that what you are doing provides any extra security. All it does is provide fixed TCP/IP addresses for certain MAC addresses. Disabling DHCP does not provide extra security either. I suggest you leave DHCP enabled as you have it and do the following:

1. Select Advanced -> Filter.
2. Select Mac Filters.
3. Select "Only allow computers with MAC address listed below to access the network".
4. Then select the DHCP clients from the drop down lists. (Or type in the MAC addresses of your computers.)

My router is a DI-704 but the DI-624 should be very similar. The router manual should be available for download from the support section of the D-Link site.

MediaRoomManiac
2007-01-23, 12:18 AM
D-Link has a very good support site that provides FAQs for all their products and even emulators to walk through config.

http://support.dlink.ca/products/view.asp?productid=DI%2D624
(Not sure which revision of 624 you have, I just picked the rev. A)

1. I would suggest using WPA-PSK and use a passphrase that is complex (includes #, special characters, upper and lower case).

2. Use MAC filtering as was suggested by I_Want_My_HDTV, and don't disable DHCP Server.

3. I would enable DHCP Server and Static DHCP if you want to make sure that, if you turn your PCs on and off, you don't get any IP conflicts upon bootup with an already booted up PC. The DHCP Server must be running for the Static DHCP to work from what I can see; that is only logical as well.

http://support.dlink.com/emulators/di624/h_dhcp.html

technut
2007-01-23, 01:12 AM
MAC filtering is very weak security and easily subverted.

The best wireless security is simply using a long and complex WPA-PSK passphrase (as suggested above). If you do that, the chances of anyone else getting on your wireless network are virtually nil.

Here's one of many sites that can generate good strong random keys for PSK:
http://www.kurtm.net/wpa-pskgen/
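As an added illustration of what technut and cyclo recommend (not code from the thread or from either of the linked generators), this Python block generates a maximum-length random WPA-PSK passphrase and derives the 256-bit Pairwise Master Key the way WPA/WPA2-PSK does it: PBKDF2-HMAC-SHA1, 4096 iterations, with the network's SSID as the salt. The check value for "password"/"IEEE" is the published IEEE 802.11i test vector; the character set and the entropy estimate are choices made here.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII minus space, quotes and backslash, which some router web
# forms mangle. This alphabet is an assumption of this example, not a rule.
PSK_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def generate_psk(length: int = 63) -> str:
    """Return a random WPA passphrase; the standard allows 8 to 63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    # secrets, not random: the passphrase is a long-term key.
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def passphrase_bits(passphrase: str) -> float:
    """Entropy of a passphrase drawn uniformly from PSK_ALPHABET, in bits."""
    return len(passphrase) * math.log2(len(PSK_ALPHABET))


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK key derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def same_key_different_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Show that the SSID is part of the key: the same passphrase yields
    different PMKs on differently named networks, so a table of PMKs
    precomputed for common SSIDs is useless against a non-default SSID."""
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    psk = generate_psk()
    print(f"passphrase ({passphrase_bits(psk):.0f} bits): {psk}")
    print("PMK for SSID 'HomeNet':", derive_pmk(psk, "HomeNet").hex())
```

A router only ever stores and compares the derived PMK, so a 63-character random passphrase costs nothing at runtime beyond the one-time derivation on each client.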

dynot
2007-01-23, 10:10 AM
Thanks for the replies guys...

I do use WPA-PSK with a long passphrase including numbers & letters.

I read somewhere that blocking off unused IPs is a good idea if you're not going to use them. Would prevent someone on the outside from connecting to your network, which makes sense to me if there's no address to connect to. Whether this is true or not, it doesn't hurt since I don't need any other addresses.

As for MAC address filtering, whenever I try to use it I cannot connect. I know I'm using the right adapter MAC (checked it with ipconfig /all) but I don't get a connection at all. When I disable it, it connects right away.

What about firewalls? Read on another site that the best starting point is to deny all traffic and then set up those apps that need access. But how do I know which apps need access?

cyclo
2007-01-23, 03:38 PM
To test the security of your firewall/network such as to verify if you have any common ports which are open to the outside world, file shares that are visible, and so on, check out this site: GRC Shields UP (https://www.grc.com/x/ne.dll?bh0bkyd2).

Just like the site linked to above, GRC also has a page that generates long random passwords that could be used for wireless security: High Security Password Generator (https://www.grc.com/passwords.htm).

As others pointed out the best defense is to use a layered approach. That includes using a router that has SPI and updated with the latest firmware. For wireless, it should be secured by WPA (minimum, WPA2 with AES preferred) using the long passwords as prescribed above. It also helps to disable SSID wireless broadcast, enable MAC address filtering, disable DHCP, and disable UPnP relying instead on manually forwarded ports that are used by applications that you know you are using.

For the PC/Workstation, it helps to have a combination of software firewall, anti-virus, anti-spyware software running.

On the software side of things, an added layer of defense would be to use Firefox with extensions such as NoScript, Adblock with Filterset.Update, etc. This should block those 3rd party sites that can potentially carry or link to payloads that can install nasties on your computer. Of course the PC OS AND the software running on it (such as Office, etc.) should be up to date with patches. For example, Microsoft has just released patches for Excel and Outlook (from versions 2000 onwards) last week... You can update your Office by visiting Microsoft's Office Update Site (http://office.microsoft.com/en-us/downloads/FX101321101033.aspx) and selecting the Office Update link (upper right hand corner, 3rd link).

Securing your PC has become almost a full-time job nowadays...

stampeder
2007-01-23, 04:58 PM
That's a very good site for home users to test their systems - thanks for the new bookmark.

fredf
2007-02-11, 04:06 PM
Hey stampeder. If I want to set up a linux firewall pc where is a good place to start to get myself up to speed?

I have most of an old p3 sitting around doing nothing and have been thinking about this project for a little while.

I am not a techie, but am pretty good at picking up what I need to know. I am familiar with unix systems in a general sense, but have never installed and configured a linux system.

Fred

stampeder
2007-02-11, 07:03 PM
Hi Fred, much of what I've done with my firewall/gateway has been a work in progress over the years so I haven't sat down and documented it, but I checked out some bookmarks I had and came across this link to one of the most complete and thorough HOWTOs I've seen on the topic:

http://www.howtoforge.com/ubuntu6.06_firewall_gateway

It does a bit more than mine, so about the only thing I would add to theirs is the Squid Caching Proxy server, which you can find a tutorial about here:

http://www.squid-cache.org/

fredf
2007-02-11, 11:43 PM
Thanks stampeder. That's more of a head first, full speed ahead link. Not sure I want to do a roll-your-own on my first try.

I did some more searching and found a few good links. I need to understand what my options are, and there seem to be quite a few.

Fred

bleach
2007-07-10, 03:08 PM
I want to play online with my 360 (I do have a gold account). I recently reset my firewall for McAfee and now I am having trouble with the ports that I need to open:

UDP 88, UDP 3704 & TCP 3704

The thing is... I don't know where to find these ports, and whether I need to open them through MS firewall, my wireless router firewall, or through McAfee firewall.

Any assistance would greatly be appreciated...

Thanks...

Dioneo
2007-07-10, 03:21 PM
If the McAfee firewall is on your PC, then neither it nor the MS firewall should affect the 360. The only settings I think you should have to change would be on the wireless router - unless your McAfee is somehow tied in to your wireless router. If that's the case ignore the rest of this.

Normally the 360 would be initiating the connection from behind your firewall, so the ports would be opened in the expectation of a response from the Live servers. If you needed to open those ports you would have to map them to the IP address the 360 is using on your LAN. If you do that, you should probably assign the 360 a static IP address.

Or you could put the 360 on the router's DMZ. That should bypass the firewall completely. I haven't heard of any DOS attacks or hacks that attack 360's on the Internet?
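The packet-level rule matching stampeder's fable describes, the "deny everything, then allow what you need" starting point dynot asked about, and the two cases Dioneo distinguishes here (replies to a connection the LAN started versus an inbound port mapped to a fixed LAN address) can all be shown in one small simulation. This is an added example, not code from the thread or from any router or firewall product; the addresses, ports and hosts are constructed for the demo, and the NAT is simplified to keep the LAN side's source port unchanged.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses: the router's public side, the LAN prefix, and one
# LAN host (a console, in the thread's case) given a fixed LAN address.
WAN_IP = "203.0.113.7"
LAN_NET = "192.168.1."
CONSOLE_IP = "192.168.1.50"


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" arriving from the Internet, "out" leaving the LAN


class HomeFirewall:
    """Default-deny packet filter with a connection table and port forwards."""

    def __init__(self, forwards: Dict[Tuple[str, int], str]):
        self.forwards = forwards            # (proto, public port) -> LAN host
        self.conns: set = set()             # flows the LAN itself started
        self.log: List[str] = []            # what was dropped, for review

    def filter(self, p: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, LAN host the packet is delivered to, or None)."""
        # Rule 1: anything a LAN host starts is allowed out and remembered.
        if p.direction == "out" and p.src.startswith(LAN_NET):
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow", None
        if p.direction == "in":
            # Rule 2: a reply to a remembered outbound flow goes back to the
            # host that opened it. No one outside had to "open a port".
            for proto, lan_src, lan_sport, rdst, rdport in self.conns:
                if (proto, rdst, rdport, lan_sport) == (p.proto, p.src, p.sport, p.dport):
                    return "allow", lan_src
            # Rule 3: an explicit port forward to a fixed LAN address.
            target = self.forwards.get((p.proto, p.dport))
            if target is not None:
                return "allow", target
        # Rule 4: everything else is dropped, and that is the default.
        self.log.append(f"DROP {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "drop", None


def demo() -> List[Tuple[str, Optional[str]]]:
    """Run a constructed traffic sample; UDP 5000 is the only forwarded port."""
    fw = HomeFirewall(forwards={("udp", 5000): CONSOLE_IP})
    sample = [
        Packet("tcp", "192.168.1.10", 51000, "198.51.100.20", 443, "out"),   # PC browses
        Packet("tcp", "198.51.100.20", 443, WAN_IP, 51000, "in"),            # reply
        Packet("tcp", "198.51.100.99", 4444, WAN_IP, 445, "in"),             # unsolicited
        Packet("udp", "198.51.100.30", 3000, WAN_IP, 5000, "in"),            # forwarded
        Packet("tcp", "198.51.100.30", 3000, WAN_IP, 5000, "in"),            # wrong proto
    ]
    return [fw.filter(p) for p in sample]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Putting a host in the DMZ, as Dioneo mentions, is equivalent to a forward entry for every protocol and port to that one address, which is why Rule 4 never applies to it.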

bleach
2007-07-10, 03:37 PM
I appreciate your help greatly; I am not too savvy with this and would like to inquire as to how I would put the 360 on the router's DMZ.

Also, what exactly is a DMZ?

Thanks...

JohnnyG
2007-07-10, 03:49 PM
DMZ is a "borrowed" military term that stands for "De-Militarized Zone". As applied to routers, it's a physical port on the router that bypasses the hardware firewall.

I don't know McAfee at all, but software can indeed control the ports on your router through UPnP. Otherwise, the data doesn't flow through your PC at all, so the software firewall has no effect on the 360. Really, for most home installations, the hardware firewall in your router is sufficient protection and software firewalls on your PC are overkill. It all depends on you though, and how worried about security you are.

What brand/model router do you have? I can probably look up the manual on-line and instruct you on how to make the necessary changes.