Firewalls

What is a firewall and why would I need one?
Security, according to Rob Davis, a Network Consultant at Lucent Technologies' Network Consulting Group, is a lot of smoke and mirrors sometimes. The technology to develop a *secure* firewall, he maintains, is very well understood today. Like many network consultants, he advocates the use of a so-called firewall as an important component of a comprehensive effort to block unwanted intrusion attempts. A firewall operates by separating the network from the rest of the Internet. It does this by blocking access to open ports and hiding (typically via "IP masquerading") the actual IP addresses of the machines on the network. There is another, related service provided by some products called an application proxy. In this case, a specific application (say, an Oracle database) is similarly protected from unwanted access.

There are a number of different ways of setting up a firewall on your network, and each of the solutions has its pros and cons. Some users prefer to have a box that combines a firewall with a router and/or a wireless access point. These boxes may or may not have full logging features, allowing you to track exactly what traffic is being blocked. They may also block or otherwise limit access to streaming video, networked games, NetMeeting-type remote access, or introduce other limitations into a networked system. Virtually all boxes block incoming attacks by default; some, such as the US$169 AlphaShield, can also be configured to restrict outgoing traffic as desired.

Those seeking the simplest possible solution will probably be content with an incoming attack blocker such as the built-in firewall in Windows XP only; those favoring absolute control will want a two-way blocker such as Zone Labs' ZoneAlarm, which monitors traffic in both directions and, as such, tends to ask a lot more "do you want to allow this?" type questions.

So what is the best firewall?
"Best" is, as always, dependent on the conditions in which it is tested. There have been a number of independent lab tests, but these tests don't necessarily reflect your environment. In short, your solution needs to consider your situation's unique environmental variables.

Some network admins opt for a simple solution, such as an IPX to IP gateway, from a provider such as Cisco, Novell, Bay Networks, etc.

Chris Halsall and Carolyn Schneider are founders of the Victoria Linux Users Group (www.vlug.org) and, not surprisingly, prefer Linux-based solutions. Says Halsall, you could easily use a Linux box with freely available tools (such as the Linux firewall "ipfwadm," bundled with many distributions) installed on an old 486 that would be very secure and support the most commonly available services. Halsall and Schneider, as quoted on the CFAX online program in March, 2000, told PC Buyer's Guide that Windows-based solutions are not secure enough for them.

Brian Livingston, author of the books Windows 98 Secrets and the new Windows 2000 Secrets, disagrees. Livingston says ZoneAlarm (http://www.zonelabs.com/zonealarm.htm) is "even better" than his previous solution-of-choice, BlackICE Defender, a US$39.95 software firewall for Windows from Network ICE (www.networkice.com).

Indeed, ZoneAlarm was, as of Dec. 2000, the only leading software-based firewall not compromised by "LeakTest," a new "demonstration Trojan" by security expert Steve Gibson of www.grc.com that impersonates a trusted application to slip past security barriers. Other vendors, including Symantec, McAfee.com, and Sygate, all failed this test. They say they're working on modifications to their firewall apps. However, Symantec declined to make its upgrade to Norton Internet Security 2000 freely available, electing to charge US$39.95 for an upgrade to the 2001 edition instead.

There are many other highly regarded firewall solutions. A few popular firewalls include FireWall-1, eTrust/SessionWall (http://www.abirnet.com), WatchGuard, ConSeal PC firewall version 1.3 (www.signal9.com, now owned by McAfee.com) and a title regarded by many as the best in its class, Gauntlet Firewall (www.tis.com). You may also want to look at Gauntlet's freely available cousin, The FireWall ToolKit (FWTK). FWTK is a set of proxies which you can use to build your own firewall.

Also worth noting is Red Hat version 7.1 (or later) which is available for free download. This version of the Linux operating system includes a wizard designed to help you set up a basic firewall on your system. We configured a Red Hat 7.1 system with the "high security" settings and found that it passed all the Shields Up and port-scanning tests at GRC.com, revealing nothing but the test machine's IP address. Mandrake Linux provides a security configuration tool called Bastille that provides similar capabilities.

Apple's Mac OS X contains a built-in firewall, although it comes without a graphical interface and requires manual configuration of the rules needed to keep intruders out. A graphical configuration utility called BrickHouse addresses the first issue, while a collection of rules common to BSD-based firewalls can be adapted to Mac OS X using the guidelines posted at http://www3.sympatico.ca/dccote/firewall.html

Microsoft's Windows XP, as noted above, also includes a built-in firewall. It is considerably easier to configure than many others: right-click on your network connection, click the "advanced" tab and click "enable firewall." That's it. Note, however, that XP's firewall can't be used with the operating system's Internet sharing feature turned on, and it may cause problems for those hoping to share drives with other users via TCP/IP.

Ok, so there are lots of firewalls out there. What's the best one?
Computer Associates' eTrust Intrusion Detection (formerly AbirNet's SessionWall-3) is considered by many to be the product requiring the least setup and administrative work. Of course, being a Windows-based solution, it's not for everyone. A free trial version is available for download.

Lucent's Rob Davis says he prefers to install Check Point and Raptor as firewall solutions. These two firewalls, he says, approach security from different philosophical viewpoints, but both have their place depending on what the customer wants and their environment. He advocates both UNIX and NT-based solutions as well, maintaining that both have their place depending on the customer's environment and skill set.

At the middle to high end, products such as Cyberguard, Sidewinder, and Gauntlet FW-1 are often cited as the best in their class.

Gateway Guardian, announced at Comdex Canada, is a solution from Chilliwack, BC-based NetMaster, Inc. The company says it provides affordable protection for computer networks connected together or to the Internet. It is, claims NetMaster, a reliable, responsible guardian for protecting networks from intruders and hackers. Prices start at $49 USD for a Personal edition; the Professional edition is $265 USD and the Virtual Private Network edition is $365 USD. Companies interested in Gateway Guardian can go on-line and download a free time-limited demonstration copy at: www.GatewayGuardian.com.

Many computer experts recommend ZoneAlarm. It's not a bad program, but it is worth mentioning that, according to computer service technicians at Voyus, it is their number one source of problems. A somewhat easier to configure and manage firewall is Norton Internet Security 2002. We've also had good results from both Sygate and Tiny Personal Firewall (although neither seems to work on a dual-CPU machine).

We've also had many reports from satisfied users of hardware-based firewalls from D-Link, Linksys and other vendors, which sell for as little as $109 or so. Some of these units, which vary widely in price according to their capabilities, include wireless and/or wired Ethernet router and internet connection sharing features, as well.

We're currently testing a model called the ISB WaveBase from NexLand, that includes both wired Ethernet and wireless 802.11b connection capabilities. As detailed in our Lemon List, we had quite a few problems with it initially, although a firmware update released in July 2002 fixed the problem to our complete satisfaction.

Almost any firewall is better than no firewall at all. With that said, some firewalls and network devices are more trouble than others, and a false sense of security can be dangerous. For example, the now-discontinued Cayman GatorBox -- one of the first VPN devices -- was vulnerable to attack by the Code Red worm. Similar vulnerabilities affect HP JetDirect Cards, the QMS 2060 printer, and some Cisco routers. Avoid low-cost routers that cannot easily be upgraded to address future issues. It's safe to say Code Red isn't the last program of its kind to hit the Net.

How do I install one?
Firewalls, as part of a properly configured security system, are best installed by a network security expert. Thus, we recommend hiring a professional security consultant. If your network and data are important, it's money well spent.

In general, though, the configuration will depend on what you are trying to protect. An ISP, for example, might use a configuration like this:
Internet --- Router w/ACL Filter --- (DMZ ftp, ssh, www services) --- Firewall --- LAN

However, a configuration better suited to protecting against "e-mail bombing" might be:
Internet --- Firewall --- Public servers (WWW, ftp, etc.) --- Internal LAN

In most cases, a firewall machine is configured with two NICs (network interface cards): one set up with a non-routable IP address (e.g., 192.168.xxx.xxx) to talk to the internal network, and the other with a routable address (e.g., 20x.xxx.xxx.xxx) to talk to the gateway and beyond.
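The two-NIC layout above and the earlier description of what a firewall does (block unsolicited access to ports, hide internal addresses via IP masquerading) can be made concrete with a small simulation. The following Python is an added example written for this page, not code from the article or from any product it mentions; the addresses (a 192.168.1.0/24 LAN, TEST-NET documentation ranges for the routable side), the DMZ host and the port numbers are all constructed. It models a default-deny filter with an internal and an external interface: LAN hosts may open outbound connections and are masqueraded behind the firewall's public address, replies are translated back using a state table, the Internet may reach only the ftp/ssh/www services on the DMZ host, and packets arriving from outside with private source addresses are dropped as spoofed.

```python
"""Toy two-NIC packet filter with IP masquerading (added example, not from the article)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed topology (assumptions, not taken from the article):
INTERNAL_NET = ip_network("192.168.1.0/24")          # non-routable LAN behind the "int" NIC
PRIVATE_NETS = [ip_network("10.0.0.0/8"),            # RFC 1918 ranges that must never
                ip_network("172.16.0.0/12"),         # arrive on the Internet-facing NIC
                ip_network("192.168.0.0/16")]
FIREWALL_PUBLIC_IP = ip_address("203.0.113.1")       # routable address on the "ext" NIC
DMZ_HOST = ip_address("203.0.113.5")                 # public server in the DMZ
DMZ_SERVICES = {21, 22, 80}                          # ftp, ssh, www are the only exposed ports
MASQ_PORT_BASE = 40000                               # first source port used for masquerading


@dataclass(frozen=True)
class Packet:
    iface: str   # NIC the packet arrived on: "int" (LAN side) or "ext" (Internet side)
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    def __init__(self):
        # masqueraded source port -> (internal src, internal sport, remote dst, remote dport)
        self.nat = {}
        self.next_port = MASQ_PORT_BASE

    def handle(self, pkt):
        """Return (verdict, packet as forwarded) where verdict is "ACCEPT" or "DROP"."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if pkt.iface == "int":
            return self._outbound(pkt, src)
        return self._inbound(pkt, src, dst)

    def _outbound(self, pkt, src):
        # The LAN-side NIC should only ever see our own non-routable addresses.
        if src not in INTERNAL_NET:
            return "DROP", None
        # Masquerade: rewrite the source to the firewall's public address and a fresh
        # port, remembering the mapping so the reply can be routed back.
        port = self.next_port
        self.next_port += 1
        self.nat[port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        out = replace(pkt, iface="ext", src=str(FIREWALL_PUBLIC_IP), sport=port)
        return "ACCEPT", out

    def _inbound(self, pkt, src, dst):
        # Anti-spoofing: private addresses cannot legitimately come from the Internet.
        if any(src in net for net in PRIVATE_NETS):
            return "DROP", None
        # Only the advertised services on the DMZ host are reachable from outside.
        if dst == DMZ_HOST and pkt.dport in DMZ_SERVICES:
            return "ACCEPT", pkt
        # Replies to masqueraded connections are translated back to the LAN host,
        # but only if they come from the peer the LAN host actually contacted.
        if dst == FIREWALL_PUBLIC_IP and pkt.dport in self.nat:
            isrc, isport, odst, odport = self.nat[pkt.dport]
            if (pkt.src, pkt.sport) == (odst, odport):
                return "ACCEPT", replace(pkt, iface="int", dst=isrc, dport=isport)
        # Everything else, including probes of the firewall's own ports and of
        # internal hosts, is silently dropped: from outside, the LAN is invisible.
        return "DROP", None


def demo():
    """Run a few constructed packets through the filter and return the verdicts."""
    fw = Firewall()
    results = []
    v, out = fw.handle(Packet("int", "192.168.1.20", 51000, "198.51.100.7", 80))
    results.append(("lan->web", v, out.src if out else None))
    v, back = fw.handle(Packet("ext", "198.51.100.7", 80, "203.0.113.1", 40000))
    results.append(("web reply", v, back.dst if back else None))
    v, _ = fw.handle(Packet("ext", "198.51.100.9", 1234, "203.0.113.1", 139))
    results.append(("probe firewall", v, None))
    v, _ = fw.handle(Packet("ext", "198.51.100.9", 1234, "203.0.113.5", 80))
    results.append(("dmz www", v, None))
    v, _ = fw.handle(Packet("ext", "192.168.1.50", 1234, "203.0.113.5", 80))
    results.append(("spoofed", v, None))
    return results


if __name__ == "__main__":
    for name, verdict, addr in demo():
        print(f"{name:15s} {verdict:7s} {addr or ''}")
```

The point of the state table is what distinguishes this from a plain port blocker: the only inbound packets that reach the LAN are replies to connections a LAN host opened, matched on both the remote address and port, so an unsolicited packet aimed at a masqueraded port is dropped like any other. A real product would add timeouts on those entries and log the drops, which is the "logging" feature the checklist later on asks you to look for.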

Unix system admins should also consider setting up chroot jails so that, should a hacker somehow successfully penetrate system defenses (for example, by means of the increasingly widely exploited weaknesses in BIND 8), they would still not be able to gain root access to the system. This is, of course, a rather complex procedure best understood and implemented by a Unix-oriented network security expert.

What Features Should I Look For?

  • protocols supported
  • ability to customize for new applications
  • logging
  • throughput
  • o/s supported
  • log analysis capabilities
  • ease of administration
  • stability of vendor (will they be around next year?)
  • responsiveness to customer requests
  • third-party tools (virus scanning, etc)
  • types of authentication

Davis sums it up by saying, "Don't ask what is the best firewall. Assess the needs and requirements of your organization and then ask which firewall best meets your requirements for a price you can afford. After this assessment you may have to adjust the price you are willing to pay or modify your requirements."

Will I encounter any problems?
You probably will, if you use file-swapping programs that allow other users access to your computer. A popular file-sharing tool called eDonkey2000, for example, won't work correctly unless the security settings in ZoneAlarm are set to "Medium security." Other firewalls will behave similarly. You may also encounter problems when attempting to network computers via TCP/IP, view streaming video, remotely administer your PC, play Internet games or engage in other internet-access activities. Even attempting to run WindowBlinds, a Windows desktop customization tool, and certain other types of programs may cause problems if ZoneAlarm is installed. However, don't let these snags put you off the idea of using a firewall. Virtually all firewalls, routers and "Internet sharing boxes" provide a "pass-through" capability that allows you to define privileged applications, ports or protocols that will be transmitted with or without special filtering.

For Further Reading

  • Search the Firewalls mailing list archives at http://netsys.com/firewalls/
  • Read the book "Building Internet Firewalls" by D. Brent Chapman and Elizabeth D. Zwicky
  • Internet Security Firewalls
  • 05/26/00 - Business Week notes "The Breach That's Shocking the Firewall Industry," as Network Associates' vaunted Gauntlet firewall system crumbles during an outside engineer's routine audit.
  • Personal Firewalls/Intrusion Detection Systems -- An Analysis of Mini-firewalls for Windows Users. Voted "Best Comparative Personal Firewall Review" by FirewallGuide.com.
  • Hang Ten: Devices To Secure Your Network From The Internet - And How They Work - MacReviewZone
  • Mac OS X & Firewalls: Part One - The Basics - The Mac Observer
