Protect your PC

A firewall/WAN router is perhaps the smartest investment a computer user can make. The Internet is a very dangerous place. There are worms and/or virus that can affect PCs running Windows. There are worms that can affect PCs running Linux. There are even exploits that can affect Mac users. Companies such as SMC, Linksys, MacSense, 3Com, DLink, and many others make effective little firewall boxes that run under $100. Many are going for $80 or less.

The one thing these little guys have in common is this: an ethernet port to plug in a cable and an ethernet port to plug in your computer. Most have a 4-port switch built in, so you can plug in up to four computers into the box. And these devices play well with other switches, so if you have more, the more the merrier.

Why would someone who uses a narrowband dialup connection (where the connection is opened and closed and is never “always on”) want one of these devices? Well, even a PPP connection can get stumbled upon by a script kiddie or attacked by a zombie computer under control of a worm like Nimda. You do get an IP address when you log into a PPP connection, just like everyone else on the Internet. Thus you are just as vulnerable when you are using a dialup connection as when you are using a cable or DSL connection. “Always-on” connections like cable and DSL are more stationary targets and therefore more attractive to the predators that lurk on the Internet.

Yes, there are software firewall solutions. But there is recent evidence that they are not enough. Software firewalls are as vulnerable as the operating systems they run on. There are real and potential exploits that use “features” of Microsoft Windows to allow a person to rummage around a remote computer and peep at your private files.

These filtering firewall products can take many forms. They may be a replacement TCP/IP stack that you load on an existing system, or a software module that exclusively communicates with an existing stack. At the other end of the extreme, the product may be a completely independent operating system written explicitly with Internet security as the objective. There are also application-specific firewall products that only offer protection for certain types of Internet connectivity, such as SMTP or HTTP. There are also hardware-based products that typically fall into the router realm, allowing you to set filters for incoming and outgoing connections. Prices range from free (bundled with the stack or app) to tens of thousands of dollars.

At the least, almost all firewall products offer IP address filtering. These filters work by examining the header of the IP packet and making pass/fail decisions based on the source and destination IP addresses. Another might be that the firewall has been configured so that it simply will not accept any packets from a particular PC, which is the most basic type of filtering.

Using simple IP address comparison to allow or reject packets is a brute method of filtering. It doesn’t allow for the possibility that multiple services may be running on the destination host, some of which we may want to allow users to access. For example, we may not want users to Telnet into the system, but we may want them to be able to access the SMTP/POP service that’s running on it. To enable this level of control, we have to be able to set filters according to the TCP or UDP port numbers in conjunction with the IP address filters described earlier.

All of these can rightly be called “firewalls” because essentially they trap inbound or outbound packets, analyze them, and then either send them on their way or toss them out. Any one of these firewalls may or may not suit your needs. Once you’ve got a handle on the issues, however, you should be able to do your own product elimination, simply by comparing functional product specifications.

* * *

Franco Mendoza is the Webmaster of Verizon Pacifica.