Security Spotlight: Firewalls, the Home Version

The following article is adapted from portions of the Hands On Computer Security course material, written and designed by Paul Asadoorian.

"A chain is no stronger than its weakest link, and life is after all a chain." This is more true now in our Internet and satellite-connected world, than perhaps psychologist/philosopher Williams James could have possibly imagined when writing these words over a hundred years ago.

Since "bad guys" have ample motivation and tools for breaking in to your computer, to be properly protected you need a security strategy with several layers of defense that covers the physical (surge protectors, cable-locks, environmental controls), data and its transmission (passwords, encryption, up-to-date patches, anti-malware protection, firewalls) and the human element (i.e., good old common sense). In other words, follow the advice of your mom on those cold winter days and dress in layers: the more, the better.

The "weakest link" quote is especially applicable to firewalls, which is the focus of this article. A firewall is a system designed to prevent unauthorized access to or from a computer or network of computers. It creates a wall between you and the "bad guys". Any weak spot could be enough for them to slip in, grab what they want and slip out. Or worse yet, they could install malicious software like keystroke loggers, use your computer to distribute SPAM and/or Pirated Media, or even launch a Denial of Service attack from
your computer.

A firewall will keep your computer from being found or scanned on the Internet, preventing attacks against your computer that could lead to complete compromise. It is also useful if patches are not yet available.

There are two types of firewalls: hardware-based (physical devices that goes between your computer and network) and software-based (installed on your computer and running constantly). Here is a quick comparison of what each option offers:

Windows XP's security features include a good example of a software-based firewall. It's part of the built-in security and turned on by default with SP2. Though it doesn't block outgoing traffic and is not as configurable as third party software, is still offers a good first step in protecting your computer.

To access it, go to Control Panel » Network Connections, then right-click on Adapter » Properties » Advanced.

Here you can turn on the firewall, set exceptions, and configure the advanced settings.

When configuring your exceptions, remember that many attacks will travel over the “File and Print Sharing” services, so you may want to lock this down, as well as remote desktop access, which leaves you vulnerable to password attacks.

Another software-based example is Kerio Personal Firewall (http://www.kerio.com), which is distributed free for personal use. Kerio is easy to configure and to administer rules. Using its Advanced Mode, it will allow you to control which applications can access you on the network.

Mac OS X also offers a built-in firewall. Note that it is not turned on by default, nor does it block everything by default. Tiger (10.4), however, does provide you more control natively.

The software is based on BSD ipfw, a firewall software application that "uses the legacy stateless rules and a legacy rule coding technique to achieve what is referred to as Simple Stateful logic."

"IPFW is composed of seven components: the primary component, the kernel firewall filter rule processor and its integrated packet accounting facility; the logging facility; the 'divert' rule which triggers the NAT facility and the advanced special purpose facilities; the dummynet traffic shaper facilities; the 'fwd rule' forward facility; the bridge facility; and the ipstealth facility." (from the "FreeBSD Handbook, Chapter 26, "Firewalls")

The following is a sample configuration:

# ipfw list
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any 22 in
02080 allow tcp from any to any 139 in
12190 deny tcp from any to any
65535 allow ip from any to any

The other type of firewall is hardware-based. Linksys is a good example of this. A Linksys firewall provides many different products to choose from, has a web interface that makes it easy to configure and manage, offers several useful features, and provides regular updates to firmware. Linksys is owned by Cisco, a major networking company.

Hardware firewall protects you from attacks coming from the Internet and offers the advantage of allowing multiple computers to share the same connection. The WRT54G model, is available in both wired and wireless models. It supports two types of wireless: 802.11b and 802.11g. Though the latter is
faster, take are using it in mixed mode.

Advanced users may want to try installing Linux on your firewall box for the extra features it can provide, such as parental controls and the ability to adjust the power of your access point. Visit http://openwrt.org/
http://docs.sveasoft.com/Index-2.html for more details.

Recommendations from SANS

SANS provides a wealth of IT Security support: computer training, certification, and research. From their "Reading Room", here are their suggestions for finding the best firewall. What is the Best Firewall?

The answer is it depends, but if you are willing to invest an hour or two reading the references below, we have the information security knowledge to help you engineer the security architecture that is right for you. SANS constantly runs surveys to find out what tools you use. Currently, the three most popular firewalls used by the SANS community are:

• Checkpoint Firewall 1: (1) (2)
• Cisco Pix: (1)
• NetScreen: (1)

Perhaps you are in the market for a firewall and are in the comparison shopping phase, be sure to read paper "Comparison Shopping for Scalable Firewalls" by Laura Keadle. The best book on firewalls by far is Inside Perimeter Security by Northcutt, Zeltser, Winters, Frederick and Ritchey.

At SANS, we have been very impressed with the free Unix/Linux/BSD firewall options described in the paper "IPFilder: A Unix Host-Based Firewall".

The latest buzz in firewalls is airgaps and SANS has a number of papers on this approach to perimeter security. "Disconnect from the Internet - Whale's e-Gap In-Depth" by Kevin Gennuso and others found in GCFW Gold certifications from GIAC as well as the Reading Room's Firewall section.