FIREWALLS ?
Do I need one?
Layers of Security.
Who's on
your network?
One of the reasons that people buy a router, aside from sharing their
Internet connection, is to protect their LAN computers from Internet based
attack. The primary means of protection is the firewall function that a
router or proxy provides. What's a firewall? The ICSA
Firewall Buyers Guide provides a good definition:
Put simply, a firewall is a mechanism used to protect a trusted network from an untrusted network, usually while still allowing traffic between the two.
There are many ways to implement a firewall, but the most popular for both
hardware and software routers is Network Address Translation or NAT.
Most inexpensive routers use NAT as the means to share one IP address among many
computers. NAT also provides a natural firewall that will protect
the computers behind it from access by unauthorized users. How?
The following excerpt from the Vicomsoft page linked above explains:
NAT automatically provides firewall-style protection without any special set-up. That is because it only allows connections that are originated on the inside network.
This means, for example, that an internal client can connect to an outside FTP server, but an outside client will not be able to connect to an internal FTP server because it would have to originate the connection, and NAT will not allow that.
|
Check out those packets! |
While looking at sharing product information, you might come across the term "stateful inspection" (sometimes abbreviated as "SPI"). What is this and why do you care?
All
NAT firewalls perform a simple form of "stateful inspection" of the
packets that flow through them. (If you want to know more about how this
works, this part of the Vicomsoft
NAT article provides a pretty clear explanation.)
This "stateful inspection" is a good thing and is what prevents unrequested data from coming into your LAN from the Internet (unless you configure the router to allow the data to come in). NAT's basic capability actually provides a good amount of protection! All properly configured NAT-based routers protect against the following types of attacks:
Port Scans
WinNuke (and other Port 139-based attacks)
Smurf (protection against LAN Clients being used as part of the "Amplifier network")
Connection or service requests that did not originate from the LAN side of the firewall.
"SPI" based routers implement some form of advanced "stateful inspection" in their firewall. There are many methods used, but this means that the router takes a closer look at the contents of the data packet before deciding whether to pass or block it. For example, Sonic Systems' Sonicwall series of routers can provide additional protection such as:
blocking Java, ActiveX, and Cookie portions of downloaded web pages
blocking access to WAN Proxy servers
blocking "IP Spoofing" attacks
blocking malformed IP packet attacks such as "Ping of Death", and variants such as "Teardrop", "Bonk", and "Nestea"
blocking SYN flood and LAND attacks
Note: A NAT firewall does not protect you against viruses, worms, Trojans and other Internet-borne nasties. You'll need up-to-date anti-Virus software to protect against those! See security threats for more info.
"SPI" based routers usually can log detected attacks and email an alert to you so that you know that someone's trying to gain access to your LAN.
|
Open with Care! |
Most all routers come with some sort of ability to place a computer outside the firewall or open holes in the firewall. Use these features with care! Any port that you open in the firewall can allow unrequested data to come into your LAN from the Internet
Opening
holes in your firewall can compromise your LAN's security if done incorrectly.
Be sure to also set a strong administrator password on the routers that provide this feature. A router with a computer outside its firewall, or holes opened in the firewall, and no password is an invitation for trouble!
Visit the Secure your LAN area for more info on what you need to do to have a healthy and happy LAN. This info in particular is important if you are doing anything with your router's firewall.
|
Personal Firewalls |
No matter how you protect the Internet/LAN border, you may need to add another layer of security by using a software personal firewall. These programs must be run on each computer on your LAN that you want to be protected. They monitor network activity and protect against unauthorized use of the Internet by programs that manage to get onto your LAN's computers.
You should consider adding this additional layer of security if:
-
You are opening/forwarding/mapping ports to any LAN computers
-
You have a computer running in DMZ (outside your NAT firewall)
-
You have been a victim of an email attachment virus attack, i.e. "I Love You", Kournakova, etc.
These programs can be a bit of a pain to get correctly configured, but when they reveal something going on in your network that you didn't know about, you'll be glad you installed them!
Go to this page for a list of these programs.
|
Learn more! |
If you're interested in learning more about NAT and firewalls, check these articles:
-
Vicomsoft has a good tutorial on NAT.
-
The ICSA Online Firewall Buyers Guide (free in HTML or PDF form, but you'll need to register to access it) provides clear explanations of virtually all aspects of firewalls.
-
This article from SonicWall on Stateful Packet Inspection.
-
This article from SonicWall describes common Denial of Service (DoS) attacks (2.6MB PDF file)
Base Line Internet Security Service (BLISS) PDF
Gramm Leach Bliley Act - GLBA Compliance PDF
Health Insurance Portability and Accountability Act - HIPAA