Low End PC
Protect Your Computer with a Firewall
- 2001.11.19
A firewall/WAN router is perhaps the smartest investment a computer user can make.
The Internet is a very dangerous place. There are worms that can affect PCs running Windows. There are worms that can affect PCs running Linux. There are even exploits that can affect Mac users.
However, not since Colt started selling his first six-shooters has there been such an effective "equalizer" out there as the common firewall/WAN router box. Companies such as SMC, Linksys, MacSense, 3Com, DLink, and many others make effective little firewall boxes that run under US$100. Many are going for US$80 or less.
The one thing these little guys have in common is this: an ethernet port to plug in a cable or DSL modem* and an ethernet port to plug in your computer. Most have a 4-port switch built in, so you can plug in up to four computers into the box. And these devices play well with other switches (I have an 8-port Addtron switch hooked into the uplink port of my SMC Barricade firewall/WAN router), so if you have more, the more the merrier.
* Since there is no modulation/demodulation process that goes on in DSL, it is a misnomer to call a DSL interface device a "modem." However, since nobody's come up with a better term for it, "modem" will have to do.
Many of these little boxes, including my SMC Barricade, have a serial port for an external analog modem. Until I recently got cable modem service through Adelphia, I used mine with my trusty Best Data v90 external modem. Now the analog modem provides automatic failover should I lose my cable connection.
Why would someone who uses a narrowband dialup connection - where the connection is opened and closed and is never "always on" - want one of these devices? Well, even a PPP connection can get stumbled upon by a script kiddie or attacked by a zombie computer under control of a worm like Code Red or Nimda. You do get an IP address when you log into a PPP connection, just like everyone else on the Internet. Thus you are just as vulnerable when you are using a dialup connection as when you are using a cable or DSL connection. "Always on" connections like cable and DSL are more stationary targets and therefore more attractive to the predators that lurk on the Internet. But if someone stumbles upon the pool of IPs that your ISP assigns to users via PPP, they can wreak as much havoc as they want to.
Software firewalls are as vulnerable as the operating systems they run on.
Yes, there are software firewall solutions. But there is recent evidence that they are not enough, according to a security firm quoted on Cnet's site</a>. Software firewalls are as vulnerable as the operating systems they run on. There are real and potential exploits that use "features" of Microsoft Windows to allow a person to rummage around a remote computer and peep at your private files.
As of Mac OS 9, there are now hooks in the Mac OS to allow AppleScripts to remotely control a Mac. And in Unix-derived operating systems like Mac OS X and Linux, there are similar processes that can be hijacked by a hostile intruder or hostile code for similar uses. Antivirus programs for Windows and Mac are useful and should be used as an adjunct to a hardware firewall.
Most hardware firewalls use some type of Web browser interface for initially programming the device to accept an Internet connection. The SMC Barricade uses one, and although it's not the prettiest thing I've ever seen, it serves its purpose.
Before you turn your firewall on, you need to prepare your computer to use it. Most firewalls use an IP address in the 192.168.x.x range of non-routable addresses. These are addresses specifically designed to not go out over the Internet. By the use of something called Network Address Translation (NAT) you can use one IP address, whether dynamically configured or static, for many computers. All anyone on the outside of your network sees is the single IP address your ISP gives you. In itself, NAT is a measure of protection against crackers. It is also a way of conserving IP addresses, a precious commodity nowadays. (A new version of the Internet Protocol, IPv6, is on the way and will support many, many more IP addresses that the current version, IPv4, can. Until then, we've got NAT.)
My SMC Barricade uses the 192.168.2.0 network, and it defaults to the IP address of 192.168.2.1. Most firewall devices will want that x.x.x.1 address as it's the traditional one to give the gateway router in a network. Another word for a WAN router is a gateway. You will need to know what a gateway is for the next step.
You can do things the easy way or the hard way with one of these devices. The easy way to set up your computer is to tell it to use DHCP to get its IP address, default gateway, DNS address, etc. In Windows, that's the way the TCP/IP setup defaults. If you have information already in your Network control panel, just by setting the radio button to the "Obtain an IP address automatically" setting, you can allow it to use DHCP for configuration information.
On a Mac running the classic Mac OS, you have reliable support for DHCP from System 8 onwards. There had been DHCP options for Open Transport since it first came out, but it was not very dependable until the version of OT that came with System 8.
On a Linux box and with Mac OS X, you can also specify that DHCP is used. DHCP was originally designed to ease the burden of setting up TCP/IP on Unix systems, so your Unix-derived OS will handle DHCP very well.
However, if you are dealing with older machines running Windows 3.1 or earlier versions of the Mac OS that either use early versions of Open Transport or MacTCP, you cannot use DHCP. Those machines have to have a static IP to connect to your WAN router and the outside world. In a home network, sometimes it's a lot handier to use static IPs for connecting your computers. By using static IPs and either maintaining a "hosts" file linking your computers' IPs with friendly names (or doing like I do and just keeping a written-out list of which IP goes with which box), you can utilize TCP/IP servers and clients to pass files back and forth between your computers, regardless of their operating system. That's the beauty of open standards.
In my network I have PCs running Windows, PCs running Linux, and Macs of various vintages running versions of the Mac OS that range from 7.1 to 8.5.1. The Mac OS has Web sharing, Windows has the Personal Web Server for Windows9x and the version of IIS that comes with Windows 2000 Pro and with Windows XP. And a Linux box comes with all the servers you'd want - Apache for the Web and FTPd for FTP. Mac OS X also comes with Apache. Behind a firewall you can run any number of services which will enable your networked machines to communicate with each other and swap files. The point is to make sure nobody from the outside can use them, and that's where your firewall/WAN router box comes in.
When you give your machines static IPs, you have to be on the same subnet as your firewall/WAN router. Like I said before, my SMC Barricade uses the 192.168.2.0 network and automatically gets 192.168.2.1. You can use any number from 2 to 254 for your machines. I have everything using low numbers (from 2 to 150) on my network. Since DHCP is handy for guests to come in and use with their laptops, I have the internal DHCP server handing out addresses from 151 to 254. As if I'm really going to have 103 guests here! ;-) 255 is a number you can't use because it means "broadcast to everyone on the subnet." And the TCP/IP network uses zero to denote a network address.
There is also something called a subnet mask that is used to tell TCP/IP which bits mean the network and which mean the host or individual computer. You will probably never encounter one that isn't 255.255.255.0. This mask tells the routers out on the Internet and your firewall/WAN router box that the first three of the four IP address numbers are used by your network, and the fourth one is the individual address of each computer. One can do a lot of funky stuff by changing numbers around in a subnet mask, from further dividing a subnet into smaller subnets to concatenating several subnets into one big subnet - that's called supernetting. But that's not our concern here. Your firewall/WAN router box is designed to keep things simple.
So when you input your static IP information, use the network address that the box defaults to, the host number you want to assign to a given computer, (remember, they must always be unique) usually the subnet mask of 255.255.255.0, and the pre-programmed IP address of your firewall/router box as the default gateway. The term Apple uses instead of default gateway is router - simple, right?
Before you put your firewall online, the first thing you will need to do is password-protect it. If you don't have a password on your device, a malicious individual could conceivably get in and mess around with your settings - or worse. Most software (SMC included) will not allow you to proceed further until setting a password. You need to use a strong password on the device. By a strong password, I mean
- One that is not a word in a dictionary. Many crackers use electronic dictionaries as lists of potential passwords.
- Uses both upper and lowercase letters.
- Uses numbers and punctuation marks.
- Is at least 6 characters long - longer is better.
These are also good tips for the creation of passwords for use on websites and on password-protected computers. If you have an operating system like Linux, Windows NT4, 2000, or XP, or Mac OS X, you have to use passwords on your computer.
Okay, we're done with that, and now we're at the point of configuring the box to handle your incoming Internet connection. If you have a cable modem or DSL connection, the ISP usually uses our friend DHCP to configure your connection. Sometimes DSL service providers use an awkward, horrible method called PPP over Ethernet (PPPoE) to connect you to the Internet. It's a lot like the PPP you are used to using with your dialup connection and requires logging in when you begin use and logging out after use. It's not an "always on" connection. However, most firewall/WAN router boxes do PPPoE effortlessly, unlike some of the software PPPoE solutions which are notoriously flaky.
If you are lucky, your cable or DSL provider will give you a static IP address. I say that's lucky, because if your service provider's Terms Of Service/Acceptable Use Policy allows you to run servers, you can do so. Most service providers won't let you do that even if you do get a static IP, so I won't say any more about it other than to say the manual for your firewall/WAN Router will show you how in the "virtual server" section.
Firewall/WAN router boxes that have a serial port will also have a section in setup on how to configure your modem connection. If you have an ISDN modem (not likely), it will allow you to use that rather than an analog modem. Connect the modem before you power up your firewall/WAN Router box with a PC-type serial cable. Don't use a Mac cable; it won't work. Usually your setup method will be PPP. Use the user and password your ISP assigned you when you got your dialup account. There is a checkbox on the dialup section of the SMC Barricade setup which allows you to specify whether the PPP connection is the only connection you will use, or whether it's there to be used when your broadband connection goes offline.
Get out your manual and the paperwork from your ISP and configure your firewall/WAN router for your Internet connection. It's usually a very easy process, a lot like filling out a form on a website. I cannot hold your hand through the process, because every make and model of firewall/WAN router box is different. If you have a Mac or a Linux PC, make sure you have a firewall/WAN router that can be setup via a Web browser interface. There are some out there that require the use of a Windows program for setup - avoid those. Fortunately there are less and less of them out there.
Two very important thing to mention before I finish up. One is that most broadband service providers don't really like router boxes. They will not support your router, period. They would rather sell you extra IP addresses and have you leave your computer out in the open, without firewall protection other than the software firewalls which we have already discussed are as vulnerable as whatever operating system you use. I hope their attitudes change as more information comes out about the problems that exist with software firewalls.
The other is that no firewall, hardware or software, will protect you from spyware, Trojan horse programs, or other programs that "phone home" for either benign or malignant purposes. On the GRC site there are programs like Leak Test which will let you know if there are some of these programs present on your system. A good anti-virus program will find and remove known Trojan horse programs like Back Orifice (no, I am not making this up - that's the name of the program) and Sub-Seven.
Aside from AdAware from Lavasoft, there is really no way to remove spyware from your computer. Steve Gibson is working on a new program for Windows computers called Net Filter, which will be a more complete solution to these problems. Unfortunately, Gibson is not doing anything similar on the Mac side, primarily because he's a master x86 Assembly Language programmer and has no interest in learning PPC or 68xxx Assembly Language. So unfortunately those of us who are running on Macs have no recourse. (sigh)
Anyway, to wind this up, here are a few very good links on home networking and broadband:
Join us on Facebook, follow us on Twitter, or read Low End Mac's RSS news feed
Recent Content
Go to our home page for a listing of recent content.
About Low End PC Support Usage Privacy Contact
Follow
Low End PC on Twitter
Join Low End PC
on Facebook
Favorite Sites
MacWindows
Deal Brothers
DealMac
Affiliates
Amazon.com
The iTunes Store
PC Connection Express
Parallels Desktop for Mac
eBay