Internet & E-mail Safety
April 2002 • Vol.8 Issue 4
Page(s) 91-93 in print issue

Behind The Wall
Protect Yourself With A Firewall
There is no doubt that the Internet has changed the way most of us live. It delivers news, weather, sports, educational information, entertainment, and e-mail, all on demand. But the Internet also provides a new point of entry into your home or business that malicious and dishonest individuals from anywhere in the world can exploit.

It is important to secure this electronic portal just as you would a physical window or door. One of the more common ways to protect a standalone computer or a private network from hostile intrusion is to install a firewall.



The Wall. The term "firewall" was taken from the construction industry, where a firewall is used to prevent a fire from spreading from one section of a building to another. The word first appeared in electronics literature in the late 1980s and was used to describe a hypothetical device for blocking unwanted network traffic while letting other traffic pass through. Although the technology and sophistication of modern firewalls have changed significantly in the past decade, the basic function remains the same: keep out the bad guys.

A network firewall can be a physical, hardware-based device or software running on a specially configured gateway computer. In either case, two network interfaces are required, one connected to the Internet (the outside) and the other connected to the network being protected (the inside).

The firewall acts as a bridge between the two networks and monitors all traffic passing in either direction to see if it meets certain criteria. If it does, it is allowed to pass; otherwise, it is blocked.

A personal firewall, designed to protect dial-up Internet users from intrusions, is a software product installed directly on the computer being protected. Personal firewalls generally offer less protection than the dedicated units, but an intermittent dial-up connection with a temporary IP (Internet Protocol) address presents a much smaller target to potential intruders than the always-on, static IP addresses associated with DSL (Digital Subscriber Line) and cable modem connections.

For these full-time, always-on services, a hardware firewall is preferred but a personal firewall is better than no firewall at all.



Pass The Test. One of the ways a firewall protects against unauthorized access is by examining certain portions of each data packet and applying some preprogrammed rules. This process is known as packet filtering.

The rules used in packet filtering vary from firewall to firewall, but they fall into two basic categories: (1) deny all access unless the packet meets certain conditions or (2) allow all access unless the packet meets certain conditions. In the first case, all packets are assumed to be bad unless they are proven to be good, and in the second case, all packets are assumed to be good unless they are proven to be bad.

We prefer the first case because it is more restrictive, but it may also be more difficult and time-consuming to manage.

The criteria. Packet-filtering criteria can be based on the packet's source IP address, destination IP address, source port, destination port, protocol type, or a combination of these. An IP port is a virtual, or software-assigned, door through which data passes to a particular application or function.

For example, your computer can browse a Web page and download e-mail at the same time using a single IP address because traffic to and from the Web server uses port 80 while traffic to and from the mail server uses port 110. Data packets reach your computer based on the computer's unique IP address and are directed to the proper application based on their port numbers.

The protocol specifies what type of data a packet contains. By examining this information, the firewall can determine if a packet contains Web page data (HTTP; Hypertext Transfer Protocol) or file transfer data (FTP; File Transfer Protocol). A firewall protecting a private Web server might allow HTTP packets from any source IP address to pass but block all other types of packets, regardless of the source.
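The two rule categories and the five filtering criteria described above can be shown in a few dozen lines of Python. The following is an added example written for this article, not code from any firewall product; the packet and rule structures, the sample packets, and the public address 208.49.13.185 (borrowed from the NAT discussion later in the article) are constructed for illustration. The same rule set (allow HTTP to the Web server, nothing else stated) is evaluated once under the deny-all-unless policy and once under the allow-all-unless policy so the difference is visible.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


# Constructed packet and rule types for illustration; a real firewall reads
# these fields out of the IP and TCP/UDP headers of each packet.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str                  # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: Optional[str] = None      # CIDR block; None means "any address"
    dst: Optional[str] = None
    protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every criterion it specifies is met."""
        if self.src and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


class PacketFilter:
    """First matching rule wins; a packet matching no rule gets the default."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        if default not in ("allow", "deny"):
            raise ValueError("default must be 'allow' or 'deny'")
        self.rules = rules
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed example: a Web server at 208.49.13.185 should accept HTTP
# (TCP port 80) from any source. The rule list says nothing about other traffic,
# so the policy's default decides it.
WEB_RULES = [Rule("allow", dst="208.49.13.185/32", protocol="tcp", dst_port=80)]
DEFAULT_DENY = PacketFilter(WEB_RULES, default="deny")    # category (1)
DEFAULT_ALLOW = PacketFilter(WEB_RULES, default="allow")  # category (2)

# Constructed sample packets.
HTTP_REQUEST = Packet("66.77.88.99", "208.49.13.185", "tcp", 45000, 80)
TELNET_ATTEMPT = Packet("66.77.88.99", "208.49.13.185", "tcp", 45001, 23)
PING = Packet("66.77.88.99", "208.49.13.185", "icmp")


def compare_policies(pkt: Packet):
    """Return (decision under default-deny, decision under default-allow)."""
    return (DEFAULT_DENY.decide(pkt), DEFAULT_ALLOW.decide(pkt))


if __name__ == "__main__":
    for name, pkt in (("HTTP", HTTP_REQUEST), ("telnet", TELNET_ATTEMPT), ("ping", PING)):
        deny_result, allow_result = compare_policies(pkt)
        print(f"{name:7s} default-deny={deny_result:5s} default-allow={allow_result}")
```

Only the HTTP request gets through under the default-deny policy; the telnet attempt and the ping are silently dropped because no rule mentions them. Under default-allow all three pass, which is exactly why the default-allow policy needs a much longer and more carefully maintained list of deny rules.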



Going Up. When networking is implemented on a PC, the architecture is designed around a seven-layer model developed by the ISO (International Organization for Standardization). This model for computer networking is called the OSI (Open Systems Interconnection) Reference Model (see the chart at the end of this article), and it describes the flow of data in a network, from the lowest layer (the physical connections) up to the layer containing the user's applications.

Data going to and from the network passes through this protocol stack from layer to layer. Each layer has its own set of responsibilities and is able to communicate only with the layer immediately above and below it. This concept is important when choosing a firewall product because firewalls operate at different layers depending on their filtering schemes.



The D-Link DI-704P Broadband Firewall and Router is an inexpensive hardware firewall for home or small office use.
Because Layers 1 and 2 exist simply to move the data packets in and out of the device, the lowest layer at which a firewall can operate is Layer 3, the Network Layer. At this level, the firewall can examine the IP addresses and ports to determine if the packet came from a trusted source, but it cannot determine what data the packet contains or with what other packets it is associated. Packet-filtering firewalls operate at this level and have a low impact on overall network performance.

Firewalls that operate at Layer 4, the Transport layer, know a little more about the data packet and are able to apply more sophisticated filtering criteria. At Layer 7, the Application layer, firewalls know a great deal about the packet and its contents, and the selection criteria can be very specific. Application filtering is performed at this level.

Unfortunately, the higher up in the protocol stack a malicious data packet gets, the easier it is for the intruder to cause damage. If the intruder cannot get past Layer 3, he can't gain control of the PC's OS (operating system).



Stone Wall. In addition to packet filtering, many firewalls utilize a technology called NAT (Network Address Translation). NAT completely hides the IP addresses of the computers behind the firewall by translating outside (public) addresses into inside (private) addresses.

The private IP addresses of computers behind the firewall are never revealed to any users on the outside. A special type of NAT, called dynamic NAT, even lets many computers share a single assigned or static IP address by assigning different port numbers to each outgoing request.

Normally dynamic NAT is used when you are trying to connect small home or office networks to the Internet through a broadband service, such as DSL or cable modem.

How it works. For example, suppose your broadband provider assigned you a single static IP address, such as 208.49.13.185. To implement dynamic NAT, you would need to assign this address to the external (outside) network interface of your firewall and assign the internal (inside) interface an address consistent with your private network.

Ranges. IP addresses that range from 10.0.0.0 through 10.255.255.255, from 172.16.0.0 through 172.31.255.255, and from 192.168.0.0 through 192.168.255.255 are reserved for private networks and can never be assigned to public devices.

It is a good practice to address your firewall or router at 192.168.0.1 and assign other devices on your private network addresses ranging anywhere from 192.168.0.2 to 192.168.0.254.

When a computer behind the firewall requests a Web page, the request appears to originate from IP address 208.49.13.185:xxxxx, where xxxxx is a port number between 61000 and 65535 assigned arbitrarily by the firewall. When the remote Web server returns the page content, the firewall translates the IP:port address back into the private address (and port) that made the original request.

Besides being an excellent security tool, dynamic NAT also reduces the number of public IP addresses required to connect a private network to the Internet. This is important because we are running out of public IP addresses due to the explosive growth of the Internet. The widespread use of dynamic NAT is helping preserve the remaining pool of available addresses.
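The translation table at the heart of dynamic NAT is small enough to model directly. This is an added example written for this article, not the code of any router or firewall; it uses the article's public address 208.49.13.185, its three reserved private ranges, and its 61000 to 65535 translated-port range, and the inside hosts and port numbers are constructed. It also shows the security side effect the article mentions: an inbound packet for a port that no inside host requested has no table entry and is simply dropped.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# The three reserved private ranges named in the article, written as CIDR blocks.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if the address falls in one of the reserved private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


class DynamicNAT:
    """Maps (private address, private port) pairs to ports on one public address."""

    FIRST_PORT, LAST_PORT = 61000, 65535   # translated-port range from the article

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = self.FIRST_PORT
        # outbound table: (inside ip, inside port) -> public port
        self.out_table: Dict[Tuple[str, int], int] = {}
        # inbound table: public port -> (inside ip, inside port)
        self.in_table: Dict[int, Tuple[str, int]] = {}

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite the source of an outgoing packet; returns (public ip, public port)."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an address from a private range")
        key = (src_ip, src_port)
        if key not in self.out_table:
            if self.next_port > self.LAST_PORT:
                raise RuntimeError("translation table full")
            # Sequential allocation keeps the example deterministic; the article
            # notes that a real firewall picks the port arbitrarily.
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        return (self.public_ip, self.out_table[key])

    def inbound(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply back to the inside host that asked for it.

        Returns None when no inside host requested anything on that port; the
        firewall has nowhere to deliver such a packet, so it is dropped."""
        return self.in_table.get(dst_port)


if __name__ == "__main__":
    # Constructed walk-through: two LAN hosts both fetch a Web page using the
    # same local source port, and a reply arrives for each.
    nat = DynamicNAT("208.49.13.185")
    for host in ("192.168.0.10", "192.168.0.11"):
        pub_ip, pub_port = nat.outbound(host, 3456)
        print(f"{host}:3456 -> appears on the Internet as {pub_ip}:{pub_port}")
    print("reply to 61000 goes to", nat.inbound(61000))
    print("unsolicited packet to 62000 goes to", nat.inbound(62000))
```

Two inside hosts can use the same local port without conflict because the firewall gives each flow its own public port, and the reverse lookup is what makes the reply reach the right machine. An outside machine sending a packet to a port the table has never handed out gets no translation, which is the "hiding" effect the article describes.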



This screen shot shows Tiny Personal Firewall's outgoing packet filter in action. If a packet is caught that does not comply with any rule, it is assumed that the user started a new application not used before, and a dialog box displays, in which the user can permit or deny such communication.


Hole In The Wall. Firewalls that depend solely on source address packet filtering can be fooled into letting bogus traffic pass if a cracker uses a technique called IP spoofing. This tactic involves sending your computer packets with forged source IP addresses. Because the packets appear to have originated at a trusted location, the packet filter may let them through unless they fail to meet some other filtering criteria.
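The weakness just described comes from trusting the source address by itself. A common firewall defense that the article does not name is an ingress check: the firewall also looks at which interface a packet arrived on, and a packet arriving from the Internet that claims an inside or private source address is rejected because that origin is impossible. The following added example (written for this article, not taken from any product) shows the source-only rule beside that hardened form; the inside network 192.168.0.0/24 follows the article's addressing advice and the sample addresses are constructed. The private-address test uses Python's built-in check, which covers the three ranges the article lists plus a few other non-routable blocks.

```python
import ipaddress

# Constructed: the private LAN behind the firewall, per the article's advice.
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")


def ingress_check(interface: str, src_ip: str) -> str:
    """Return "drop" or "pass" from the arrival interface and source address alone."""
    addr = ipaddress.ip_address(src_ip)
    if interface == "outside":
        # Nothing on the Internet can genuinely carry an inside or private
        # source address, so such a packet must be forged.
        return "drop" if (addr in INSIDE_NET or addr.is_private) else "pass"
    if interface == "inside":
        # LAN hosts must use their own addresses; anything else is forged
        # from inside and should not be forwarded out.
        return "pass" if addr in INSIDE_NET else "drop"
    raise ValueError(f"unknown interface {interface!r}")


def source_only_rule(src_ip: str) -> str:
    """The fooled form: trust any packet whose source claims to be an inside host."""
    return "pass" if ipaddress.ip_address(src_ip) in INSIDE_NET else "drop"


def hardened_rule(interface: str, src_ip: str) -> str:
    """The same trust rule, applied only after the ingress check has passed."""
    if ingress_check(interface, src_ip) == "drop":
        return "drop"
    return source_only_rule(src_ip)


if __name__ == "__main__":
    forged = "192.168.0.5"   # constructed: an inside address arriving from outside
    print("source-only rule :", source_only_rule(forged))
    print("hardened rule    :", hardened_rule("outside", forged))
    print("genuine inside   :", hardened_rule("inside", forged))
```

The source-only rule passes the forged packet because the address looks trusted; the hardened rule drops it because a packet with that address can only legitimately arrive on the inside interface.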

One defense against IP spoofing is the use of a VPN (virtual private network) protocol, such as IPSec. This involves the encryption of both the source address and the data in each packet before the packet is transmitted.

VPN software or firmware in the firewall decrypts the arriving packet and performs a checksum test. If either the address or the data have been tampered with, the entire packet is rejected. In order to successfully alter a packet, an intruder would have to gain access to the private encryption keys.



Personal Firewalls. If you only connect to the Internet with a single computer and a dial-up connection, you can't use a hardware or gateway firewall because a dial-up modem has no Ethernet port to connect one to. In this case, you should consider using a software firewall.

Many Web surfers forget that whenever they are connected to the Web, the Web is also connected to them. When you establish a dial-up connection with your ISP (Internet service provider), you are assigned a public IP address for the duration of that session and exposed to the same types of attacks that threaten any other Internet user.

If you want to see how easy it is for someone to detect and record your dial-up IP address, browse to Network-Tools.com (http://www.network-tools.com) and click the Submit button. Not only will the Web page display your current IP address and host name, it will also display a wealth of information about your ISP.

The good and bad. Software firewalls have their own set of pros and cons, of course. Because they use the computer's processor to examine the incoming traffic, software firewalls tend to let undesirable packets get much closer to the OS, thereby increasing the risk of intrusion. This use of the processor also adds to the system's overall overhead and may reduce performance on older machines.

On the other hand, software firewalls can do something no hardware firewall can: alert the user of an attack as it happens. This real-time warning provides the user the opportunity to monitor the event or even take some external action, such as manually terminating the connection to the Internet.

A number of good firewall packages are available to the home user, and they range in price from free to about $70. Tiny Software's Tiny Personal Firewall (http://www.tinysoftware.com) is free for home users, and Symantec's Norton Personal Firewall 2002 (http://www.symantec.com/sabu/nis/npf) sells for $49.95.



Going Someplace? The firewall protection schemes described thus far have mainly been concerned with keeping unwanted data packets from getting into your home computer or network. Some personal firewall software, however, also prevents unwanted packets from being sent from your PC: it blocks all outbound packets except those that originate from applications specifically authorized to initiate traffic.

Certain applications, especially your Web browser, require that you have access to the Internet. WeatherBug, Norton's LiveUpdate, and other programs that periodically download their updates from a Web server also need the ability to initiate outbound traffic. But some applications, namely hidden spyware or Trojan horses that are secretly planted on your machine, will be blocked from communicating with their target Web sites.

Spyware is a special kind of program that periodically collects and transmits your personal information, passwords, or browsing habits back to a secret location, sometimes without your knowledge. A Trojan horse is a program that resides on your computer and lets an intruder take over your system and use it to perform DoS (Denial of Service) attacks on others, for example.



Two Firewalls Are Better Than One. Because hardware and software firewalls each have different capabilities, you may want to consider using both.

The hardware firewall will provide dynamic NAT and security against incoming threats and the personal firewall software will protect against outbound threats, such as Trojan horses. Of course, you will also want to have current antivirus software installed and running regardless of which firewall scheme you choose.

The only sure way to protect your computer or network from intrusion is to never connect it to the Internet. Even with firewalls in place, a determined individual with the right knowledge and enough time could probably gain access to your PC if he or she wanted to badly enough.

The good news is that these high-tech vandals are not interested in individuals or small businesses, and firewall protection will discourage most intruders and send them looking for easier prey.

by Dick Archer

View the chart that accompanies this article.


OSI Network Reference Model

The OSI (Open Systems Interconnection) Reference Model for computer networking describes the flow of data in a network, from the lowest layer (the physical connections) up to the layer containing the user's applications.

7. Application Layer
6. Presentation Layer
5. Session Layer
4. Transport Layer
3. Network Layer
2. Data Link Layer
1. Physical Layer







Copyright © by Sandhills Publishing Company 2010. All rights reserved.