Firewalls and You
By Dirk J. Hedlund
Originally Posted March 11, 2004

I seem to be always telling my clients about the three things they
need to do, at a minimum, to keep their computers safe. These
three things, in no particular order, are:

1) Update your system with the latest available patches.
2) Run antivirus software, and keep it up to date.
3) Install a firewall.

As it turns out, the US Computer Emergency Readiness Team (US-CERT)
recently sent out a security tip about item number 3 on my list.
This is Cyber Security Tip ST04-004, which you can read
here.
It's a brief but informative article that I think applies to home
users as well as small business owners. I won't rehash the
entire article, but I do think everyone should have a look at it.

I personally prefer a combination of the hardware and
software-based firewalls. The hardware firewalls do a great job
at blocking incoming traffic, but they don't really do anything to
stop traffic going the other way. Okay, usually that's what you
want to happen. You WANT to let Internet Explorer get to that
web page you're trying to look at. You DON'T want spyware, key
loggers, Trojan horses, and viruses to get out to the Internet with
your personal information. The software firewalls are better at
stopping those sorts of things.

Ah, but aren't there hardware firewalls that can stop those things,
too? Sure there are. Unfortunately, these devices are still
too expensive for homes or small businesses. They're designed
more for larger companies with deeper pockets. Homes and small
businesses can get just about the same effect by combining inexpensive
hardware firewalls with a software firewall on the desktops.
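
The inbound/outbound asymmetry of an inexpensive NAT firewall described above, as an added sketch in Python (not code from the original article or from any router vendor). It is a simplified model that skips port translation; the class and function names are hypothetical and every address and port is a constructed sample value.

```python
# Added illustration: simplified model of a home NAT firewall's connection table.
# All addresses, ports and names below are constructed for this example.

class NatFirewall:
    """Remembers outbound flows; admits inbound packets only as replies to them."""

    def __init__(self):
        self.flows = set()  # (lan_host, lan_port, remote_host, remote_port)

    def outbound(self, lan_host, lan_port, remote_host, remote_port):
        # Anything a machine on the LAN starts is forwarded and remembered.
        # The router cannot tell which program on the PC opened the connection.
        self.flows.add((lan_host, lan_port, remote_host, remote_port))
        return "forward"

    def inbound(self, remote_host, remote_port, lan_port):
        # A packet from the Internet passes only if it answers a remembered flow.
        for lan_host, l_port, r_host, r_port in self.flows:
            if (l_port, r_host, r_port) == (lan_port, remote_host, remote_port):
                return f"forward to {lan_host}"
        return "drop"


def nat_demo():
    fw = NatFirewall()
    results = {}
    # Unsolicited probe from the Internet: no matching flow, so it is dropped.
    results["probe"] = fw.inbound("203.0.113.9", 4444, 135)
    # The browser on the PC requests a web page; the reply is let back in.
    results["browser_out"] = fw.outbound("192.168.1.10", 50000, "198.51.100.7", 80)
    results["browser_reply"] = fw.inbound("198.51.100.7", 80, 50000)
    # Spyware on the same PC sends data out: the router treats it like the browser.
    results["spyware_out"] = fw.outbound("192.168.1.10", 50001, "203.0.113.9", 443)
    return results


if __name__ == "__main__":
    for step, verdict in nat_demo().items():
        print(f"{step:14s} -> {verdict}")
```

The last step is the gap a software firewall on the desktop fills, because only software running on the PC knows which program is making the connection.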

Hardware firewalls are pretty easy to come by, these days.
Places like Staples and Best Buy usually have several different models
and manufacturers to choose from. Even Target and Wal Mart have
a few of these things on their shelves from time to time. You
can get a basic "NAT" firewall for about $30 to $50, from
manufacturers like Belkin, Linksys, or Netgear, to name just a few.
For a few dollars more, you can even get one with built-in wireless
support, although you should disable that feature if you aren't going
to use it.

I prefer a hardware firewall that includes SPI, which stands for
"Stateful Packet Inspection," even though they are slightly more
expensive. I've seen a lot of these in the $75 to $150 price
range. To me, the extra level of protection is worth it.
These firewalls are "smarter" than the NAT firewalls, in that they
look at the information they're sending, to see if it makes sense.
The firewall can decide if some piece of data is harmful, and can
block it, even data a NAT firewall would normally let pass. Once
again, you can get one with a wireless option, and you can even get a
few that support VPN connections, which stands for Virtual Private
Networking.

VPN isn't an option that a lot of home users will probably make use
of, although some will. This feature is generally used to
connect two networks together across the Internet. It works by
making an encrypted connection between two devices, using the
Internet. This connection is called a VPN Tunnel. This
lets users from either network get to resources on the other network.
To the user, it's just like everyone is on the same network, except
the VPN connected resources may seem slower because the Internet isn't
as fast as most networks. Because the data is encrypted, nobody
else on the Internet can get in.

Software firewalls are plentiful and cheap, too. If you have
Windows XP, you have one built right into your system already.
There are other free ones that you can download from the Internet,
such as Sygate and Zone Alarm. You may want more features than
the free options allow, in which case you should look into software
firewalls from Symantec, McAfee or similar offerings. These
usually cost between $30 and $50 again. Check the
Links page for more information.

Nearly all software firewalls need a little "tweaking" to get them
set up just right. Out of the box, they tend to block every
application from accessing the Internet or your network. You
obviously want SOME programs to get through, so you'll have to tell it
which ones. In most cases, the firewall software will prompt you
when a new program tries to connect to the network or the Internet.
Your response to these prompts will determine whether or not it will
be allowed to, and whether or not it will prompt you again about it in
the future. You may decide, for example, that you will always
let Internet Explorer access the Internet, or let your antivirus
program access the Internet this time, but prompt you later if it
tries to do it again. Once you get through this period of
adjustment, you'll have a pretty good system of protection going.
Just don't allow everything all the time. If you do that, why
bother having the firewall in the first place? If you aren't
sure, don't allow it. If that "breaks" one of your programs, you
can change your mind later.
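
The prompt-and-remember behaviour described above, as an added sketch in Python (not code from the original article or from any firewall product). The class, the four answer choices and the program names are hypothetical, constructed for this example; an unanswered prompt is treated as "don't allow".

```python
from enum import Enum

class Answer(Enum):
    ALLOW_ALWAYS = "allow always"
    ALLOW_ONCE = "allow this time"
    DENY_ALWAYS = "deny always"
    DENY_ONCE = "deny this time"

class AppFirewall:
    """Blocks every program until the user answers a prompt for it."""

    def __init__(self, ask_user):
        self.ask_user = ask_user  # callback: program name -> Answer, or None if unsure
        self.rules = {}           # only the "always" answers are remembered
        self.log = []             # (program, allowed, prompted)

    def connection_attempt(self, program):
        rule = self.rules.get(program)
        prompted = rule is None
        if prompted:
            # If you aren't sure, don't allow it.
            rule = self.ask_user(program) or Answer.DENY_ONCE
            if rule in (Answer.ALLOW_ALWAYS, Answer.DENY_ALWAYS):
                self.rules[program] = rule
        allowed = rule in (Answer.ALLOW_ALWAYS, Answer.ALLOW_ONCE)
        self.log.append((program, allowed, prompted))
        return allowed

    def change_mind(self, program):
        # Forget a remembered answer so the next attempt prompts again.
        self.rules.pop(program, None)

def prompt_demo():
    # Constructed answers: the browser is always allowed, the antivirus updater
    # is allowed one time only, and the third program is one the user doesn't know.
    answers = {"iexplore.exe": Answer.ALLOW_ALWAYS, "avupdate.exe": Answer.ALLOW_ONCE}
    prompts = []
    def ask_user(program):
        prompts.append(program)
        return answers.get(program)
    fw = AppFirewall(ask_user)
    for program in ["iexplore.exe", "iexplore.exe", "avupdate.exe",
                    "avupdate.exe", "unknown_helper.exe"]:
        fw.connection_attempt(program)
    return fw.log, prompts

if __name__ == "__main__":
    for entry in prompt_demo()[0]:
        print(entry)
```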

Caution: In a managed network environment, a firewall on
your computer will probably "break" some, if not all, of the
management features. You should talk to your network
administrator before installing a firewall, and work with him to
configure it properly. Your company may have a policy in place
that prohibits this kind of software, too, so be sure to ask first.

Whether or not to use a firewall is a no-brainer. Whether to
use hardware vs. software, or a combination of both is up to you.
The important thing is that you use a firewall. If you don't
feel comfortable installing and configuring one, get someone who is
both trusted and knowledgeable in the field to help set it up for you.
Ask that person to explain what they're doing, and make a point to
learn a little about it on your own. The Internet is a big
hostile place, and you need to take steps to protect yourself if
you're going to use it.

Dirk Hedlund is a computer consultant with Klatt & Associates, CPA, PC.
He can be reached at dirk.hedlund@klatt-assoc.com, or by calling
(515) 232-5642.