Internet Firewalls Discussion

[jbracing24]

Everybody should be behind a router, even if only one computer is hooked up to it. A router and Windows Firewall is all you need.

[Petee_C]

What if u plan to use your computer (laptop) at hotspots?

Is the Windows firewall enough?

My case:

I have a recent Toshiba DuoCore laptop (Aug 2006). It is part a network at home with a couple computers, 360, linksys wireless printserver at home. I sometimes run filesharing between the computer.

If I take the laptop on trips and use it to connect to the net and surf, email etc. Will my folders be open to others at the same wifi spot?

Ditto, if I have snoopy neighbors, will windows Firewall keep them out if they decide to breakin my network from inside? i.e war drive, and decrypt my WEP?

My linksys printserver, although a .11g device doesn't seem to support encryption higher than WEP.

P

[new-guy]

personally I use zonealarm and find it works very well. I dont necessarily find it slows things down.

[ihdtv]

As Wabbit pointed out routers and the windows firewall will block any attempts from outside into your computer but will not stop outgoing traffic. A router will assume that any outgoing traffic initiated from your computer is "approved" by the user and will happily pass it on the intended recipient.

If you have a Trojan or virus on your computer that likes to phone home you won't know about it unless you're running a software firewall as well. FW's like Zonealarm, Kerio etc will warn you about outgoing attempts as well and more immediately than your spyware/av software will.

In my set up I run a router and a software FW. I also run AV software and a spyware program. This gives me a 4 level defense or 4 pronged if you will. It all runs fine on my system with no problems.

If you choose to only run Windows Firewall and/or a router you are only defending incoming traffic.

ihdtv

[stampeder]

Quote:

Originally Posted by ihdtv

If you choose to only run Windows Firewall and/or a router you are only defending incoming traffic.

That's an excellent point, ihdtv. A proper firewall must filter in both directions.

A "free" firewall might not be enough, and I agree with reddfoxx about using Linux for something this important. My prescription may seem paranoid to some, but its my hobby and I'd rather be safe as possible... mind you I can't think of a single thing anyone would want on my systems... I've dabbled with OpenBSD as the Firewall OS and I really like it, but Linux suits me better for my own personal reasons, and my Firewall box is also configured to speed up client performance too.

A Low-Cost Firewall security/performance prescription for Geeky Folks:

• an old PC as a Firewall (not too old a PC that it will soon die - I upgrade a lot so I'm using a PIII450 - more than enough power for this role) - $100 to $200 used
• the Firewall PC runs hardened Linux with IPV4 Port Forwarding'Masquerading, Routing, Caching DNS Nameserver, and Squid Web Accelerator HTTP/FTP Proxy Cache enabled - $Free
• the Linux iptables firewall kernel modules filter every kind of packet I could think of and more, bidirectionally (lots of free tools, great scripts out there too) - $Free
• arp MAC address filtering enabled
• the Linux kernel router daemon directs all internal and external bound packets appropriately
• I perform regular kernel, OS, and applications updates - $Free
• the Firewall PC logs all activity and I can monitor with Open Source tools like tcpdump, Snort, Nagios, etc. - $Free
• all ports are closed unless needed
• if I wanted to I could install CLAM AV (antivirus scanning) on the Firewall PC but we don't use any Windows or Microsoft products so I haven't bothered - $Free
• my Cable Modem connects to the Firewall PC via a 10/100 MBit Ethernet NIC - $7 to $9 new
• the internal LAN connects to the Firewall PC via a 1GBit Ethernet NIC through a 1GBit Ethernet switch (not a router, a switch since the Firewall PC will route everything) - $50 to $80 for switch, $20 to $35 for one NIC
• all internal LAN clients run at 1GBit Full Duplex (great for internal LAN streaming and moving huge files like movies, etc.) - $25 to $35 for a 1GBit NIC if the client's mobo doesn't already have one
• web browser caches on all clients are disabled, letting Squid do it on the Firewall PC (means much faster web browsing on clients, better security since nobody can snoop into any of the users' private caches because their aren't any - Squid cache is binary so it isn't humanly readable)
• DNS searches got to Firewall's Caching DNS Nameserver first before going to Internet (speeds up name resolution of often-visited sites since their info is cached locally)
• the house is strung in Cat5E copper home runs - $ by the foot for self cutting/crimping or precut/precrimped
• local jumper leads are Cat6 because I had some available (Cat5E would be fine) - $20 precut/precrimped
• no DHCP, BOOTP, Wake-On-LAN, or PXE are allowed on internal LAN - only static IPs
• only encrypted remote desktop sharing is allowed (No X Server, PCAnywhere, etc.)
• only encrypted local configs are allowed per client (no central authorization/authentication, such as NIS, ActiveDirectory, internal DNS, etc.)
• no wireless connections are allowed in my house (although this system is easily changed to add wireless LAN capability)
• several internal LANs can be Firewalled by this one PC:
  • physical = number of available PCI slots in Firewall PC for NICs (1 physical LAN per NIC)
  • virtual = 256 IP addresses per NIC are allowed in Linux (performance bottlenecks happen at some count way, way beyond what a home user would need)
• any client OS, printer, device using TCP/IP over Ethernet is supported (Firewall/Cache is invisible to end users)

The Bottom Line: assuming you don't already have an older PC with 2 NICs lying around, total hardware cost would be between about $115 for just one client on internal LAN to about $350 or more to support several internal LAN clients. For people who intend to spend several hundred dollars or more for the newest, latest OS and apps this firewall system is a surefire bargain for only a drop in the bucket.

[diogen]

I use the WRT54G (with Alchemy) as the entrance router and WallWatcher on every desktop inside the house.
Gives you more information about in-/outgoing traffic than you'll ever need.

Diogen.

[I_Want_My_HDTV]

Quote:

Your best bet as Hugh said is Microsoft's firewall.

Almost every security expert on the planet says the opposite. There are a number of good options that are more reliable and secure.

Both a hardware and software firewall are recommended for high speed internet connections. Both do slightly different jobs and both can be hacked or crash, leaving a computer exposed if only one is used. Internet routers/firewalls can be picked up for as little as $10 on sale or with rebates.

[heybirder]

There's a relatively new one called Comodo Firewall. You get what you pay for though.

I've used ZoneAlarm Pro for many years, and I highly recommend it for Windows XP users. The price is a small amount compared to the benefits. Any firewall is only as good as the rules set but once you understand how to use the program, it's very good. They have a free version but I haven't looked at what is missing.

[hedge]

Another thumbs up for zonealarm et al and thumbs down for microsoft firewall. I think the MS firewall is slower than zonealarm. I also don't trust it to block 'it's own programs', such as windows media player.

[stampeder]

Quote:

Any firewall is only as good as the rules set

I'm guessing that when you use the word "any" you probably mean in the context of "any software firewall running on a Windows OS client machine facing the Internet in real time".

A proper firewall should never be running on the same machine as the client OS, which in the case of Windows is (hopefully) all the while running anti-virus, anti-phishing, anti-trojan software to keep up with the OS's inherent vulnerabilities. Microsoft themselves never put a Windows box directly onto the Internet unless to test how quick it'll be 0wned.

A clever Windows hack coming from the Internet can disable all your protective software in real time.

For dirt cheap you can build/outfit a firewall using an OS that does not have the vulnerabilities of the internal LAN client(s). It is a shrewd and sensible move considering all the money someone spends on their PC. You lose none of your Internet capabilities on the client (unless you want to) and if some script-kiddie-L33t-Hack0rz-wannabe tries Windows-based cracks on your Linux or OpenBSD firewall they'll just have to give up and move on to their next target.

The next post in this thread helps to explain some of the concepts of firewalling.

[stampeder]

I first wrote this on another site almost 2 years ago and neglected to post it here at DHC so here goes. A fable is an illustrative story meant to teach a lesson or moral. This is a heads up on how a firewall works, and why it is important to have one (and anti-virus software too) if you are a Windows PC owner. If you know this stuff already, fine.

Quote:

A networked computer receives data in the form of "packets", which are specially labelled containers of data. No two packets are labelled the same. In reality a packet consists mostly of various labels needed to address it from one computer out of many millions to another, with very little actual data in it. (That's why a simple file requires such a long download over a phone line connection).

Think of a long railway train coming to your town with freight cars loaded with all sorts of stuff, even though only a few parcels are actually meant for you personally.

Now, problems happen because packets can be intentionally corrupted in ways that cause them to severely mess up the receiving computer. Attackers have learned thousands of ways to make that happen.

Back to our railway train: consider that a few of the parcels have had their labels intentionally messed up so that you will get them even though you did not order them. They happen to contain bombs that will go off when they are opened, and they are on their way to your house.

A firewall works at the packet level to judge whether packets are acceptable or not, based on a clear set of rules. If a packet passes all the tests, it is let through. If not, it is dropped (gone forever). Firewalls must be kept up to date because intentional packet corruptions get more and more clever. If you do not update your firewall software on a regular basis you are therefore at risk.

Back to our railway: at the station a yard marshall sees the cars on a train as they pass by and determines which cars should go where in the yard, then he routes them to the proper places. He obviously does not know (or care) exactly what is inside the cars. He also has a team of railway police that patrol the fence for criminals trying to sneak in, but the cops don't look inside the cars. This is a lot like how the Internet operates.

As the bomb problem gets worse, railway companies decide to start scanning all parcels for bombs, but its such an impossibly complex job that they leave it up to the folks at the receiving station or else the entire system of railways would be bogged down to a crawl. The individual station masters decide to do the scanning locally at their end, but because its such an impossibly huge job they decide that in order to keep the cargo moving they will only scan envelopes of mail and not most parcels.

The scanning is more like Anti-Virus software, not firewalling. Your Internet Service Provider certainly has a professional grade firewall system, and probably does anti-virus scanning of email to some extent, but just cannot scan all data going though it to and from your computer. This is why you also need to have updated Anti-Virus software on your Windows PC. Remember, Anti-Virus scanning is not Firewalling, and Firewalls do not scan for viruses (unless they are a combined product).

Over time, railway station scanners discover all bombs made in a certain design pattern, and everyone rejoices that the problem has been solved. BUT... the bombers get really clever and figure out how the scanners work and design new bombs that cannot be detected yet. They also switch to using minibombs that are much harder to detect. Not only that, but on the outside of the railway yard's fence are criminals who constantly look for holes so that they can get past the cops, get inside, and steal all the great Home Theater equipment in the cars while they plant more minibombs. The railway is fighting a losing battle, and people in the press are whipping up hysteria.

New companies spring up with trained security guards who are hired to stand on your doorstep and scan every envelope, parcel, and package that comes into or out of your house. One guard is given a detailed list of what stuff is allowed, and the remainder is incinerated in the back of his truck regardless of all the time and expense to get it to your doorstep. The other guard takes everything that has been allowed past the first guard and passes it through a detailed scanner. If something inside looks like the stuff that guard has been trained to stop, the guard sounds the alarm and measures are taken to protect your home according to the rules he has been given.

WIndows PC users need to have a personal firewall because you need to prevent maliciously crafted packets from entering your computer from the network. You also need to have top notch Anti-Virus software to scan what makes it past the firewall.

Our two guards on the doorstep unfortunately were not given any communication capabilities, so after a while new types of minibombs arrive, and even though the guards are doing the best job they possibly can, the minibombs start getting through.

You MUST keep the firewall and the Anti-Virus software updated so that the rules and descriptions do not get out of date.

Back on the doorstep, the guards have noticed that minibombs continue to detonate all around them, even though the guards now have shiny new radios and are updated regularly on new defences.

It turns out that there is a much bigger problem that the two guards, no matter how well prepared, cannot defend against: your house has all sorts of holes in it called Windows. The architects of your house have made the structure of it so dependent on its Windows that they cannot be removed, and if they are boarded up the occupants of the house will die because the Windows cannot be opened to let air through. Regardless of the two guards on the doorstep, the house is not capable of being protected!

Across the street the Macintoshes have a different kind of house that is much, much safer, and throughout town the banks, stores, commercial properties, and the homes of the architects and builders themselves are usually made of either UNIX or Linux armor plating, or have Mainframe vaults.

Sadly, even some of those professional sites installed Windows, so huge amounts of time and money have had to be spent to try to get them as secure as UNIX, Linux, and Mainframes, but it just never happens. Nobody seems to question why those Windows installers haven't been fired, but they have the best lawyers on the planet . Also, there's a whole cottage industry in security that is dependent for its livelihood on the fact that Windows are fragile, so the politicians don't want to jeopardize those jobs.

Once inside your home, some of the minibombs bury themselves into your outgoing mail and parcels, and pretty soon everyone in your address book has been mailed minibombs. They themselves start mailing minibombs, and pretty soon everyone with Windows is doing it.

The biggest problem with Firewall and Anti-Virus software packages is that they cannot defend against certain exploits that attack Windows itself. They cannot understand how to analyze certain programs that pass through them. They cannot be told to stop all such programs because that would mean shutting down your Internet capabilities completely.

Just to be sure, you phone the original manufacturer of the Windows to see what solution they offer, but the solution they provide only opens up more Windows to attack!

Microsoft Windows is always left open to attack through the Internet Explorer browser even after all the patches have been applied. There is no fix because the hole is at the very center of the product. It was designed that way.

Then one day a salesman drives up and shows you a new product that replaces your Windows with more heavily constructed, less failure prone ones that have screens that stop the minibombs but still let the air through so that everyone can safely breathe. He points out that while it would be best for you to move to a home like the Macintoshes or even to Linux armor, you like your present house so you take his advice and switch over to one of his new products. The minibombs die off, and you give the salesman a regular call to come over and visit to update them with the latest new materials.

The Mozilla Firefox and Opera web browsers tend to be faster, have more customizable features, and are much more secure than the Microsoft Internet Explorer web browser. They also require patching and updating, but they are vastly more secure than IE.

I hope you enjoyed my little fable, and I wish you safe browsing, all!

[BC0000]

DEAR LORDY STAMPY... love the system setup ! oh my Um we could launch rockets with that. I too share the disdain for an RF path. A safe way would be creating a multiple V-lan through your router to bridge and isolate.

Since so many want the cheapest possible firewall, a physical hardware is the cheapest, least amount of down loads to keep 'updated' (a lot of that is smoke and mirrors to let you think they are taking good care of you by keeping you up to date)

for those where price is an issue, a spare PC running as a firewall uses alot of engery (some pwr supplies 250w etc) vs say a Linksys router that runs <5watts on a step down transformer.

the OTHER best benefit from using a standalone firewall/router is utitilzing the ability of cloaking your machine from the internet by disquising the IP address. There are a few hidden rules of the internet, you can hide your machines, printers, all-in-ones etc from the outside word by using a 10. or 192. ip naming convention. Which will stop someone from seeing your box or other peripherals and preying on them. Ensure that the flash over network features of all your peripherals are disabled.

[stampeder]

Well, actually... the firewall PC's power supply is labeled as 200W peak, but since the machine is doing almost everything it is supposed to do in kernel space (in RAM but rarely swapping out to disk) the hardware is not tasked at all so it uses very little power. I disconnected the power supply fan to make it silent (it doesn't overheat) and the only time I can hear the machine is when it is saving its system logs to disk. I don't run a windowing system on the firewall either - just command line.

[Wabbit]

Nice analogy Stampeder, thanks for that, is that your own discription?

[Dog Byte]

I've used ZoneAlarm Pro for a long time and now I've added a LinkSys router for 2 moats around the computer. I like ZA because I can block certain addresses (like doubleclick.net) to get rid of a lot of annoying ads. I can also control which programs can access the Internet or act as a server. Handy because there's no reason for WMP or iTunes to wander onto the Internet most of the time.

I don't like ZAs new subscription model since you lose a little fuctionality after the first year. I never used it's virus and mail security features anyway.

Your security is still limited by the software you're running. Using a torrent client (or kazaa or LimeWire) opens a bunch of ports that stay open until you reboot Windows. Every now and then I get an alert that "Mozilla wants to act as a server" from ZA -- I'm assuming that some Web site wants to kick Mozilla into server mode for their own benefit.