By Bill Hely

"How Safe is Your Success" is a series of eight articles. Each article addresses a different aspect
of a universal problem which is of particular importance to those who do
business on-line. Most Internet users are at least aware there are dangers
"out there", but few appreciate the real extent of those dangers, the possible
(even likely) consequences, or the best, most practical and least expensive
means of countering them. This series is intended to at least provide some
useful awareness of the situation.

Part 7 - Firewalls

For most "average" computer
users, hearing the word "firewall" usually evokes one of two responses.
The first is along the lines of "Oh, that's complex big-business stuff
– it's not something I need or could afford". The other group, probably
due to exposure to advertising, online forum discussions, etc., automatically
associates "firewall" with a software brand such as the well-known ZoneAlarm.
The latter group have the edge. At least they know that a firewall is (or
more correctly, can be) a consumer item they could purchase and install
if they were so inclined.

Now, the nature and purpose
of this article dictate that I don't tell all of the story all of the
time. For example, I am now telling you there are two types of firewall
to consider. In actual fact the number of "types" depends entirely on how
you choose to categorize them. For our purposes a simplistic breakdown
is both adequate and legitimate.

The two types we'll discuss
are software and hardware firewalls. The latter usually takes the form
of a small "black box" that plugs into your Internet connectivity device
(e.g. cable, ADSL or dial-up modem) and also into your PC or into some
network component such as a Hub or Switch. By the way, "black boxes" are
almost never black; the term simply denotes a device whose exact inner
workings are irrelevant to the discussion. It is only what goes in and
what comes out that matters.

Frequently called a Personal
Firewall because it only protects one PC, a software firewall is, as the
name suggests, simply a computer program. What software and hardware Firewalls
have in common is that they both receive, inspect and make decisions about
all incoming data before passing it on to other parts of the system.

A most important difference
between software and hardware firewalls is that the hardware Firewall doesn’t
control outbound communications to any significant degree. This becomes
a real problem once some scumware program that has the capability to communicate
back out to the Internet gets into your hard drive.

On the other hand, the software
Firewall offers strong control over both incoming and outgoing data. You
will be justified in wondering why you need to use two different types
that both control incoming connections. There are several reasons but,
from the point of view of a computer user, as good a reason as any is “much
improved usability”.

The software Firewall’s control
over incoming connections is quite powerful. Using its programmed “intelligence”,
it can analyze incoming data streams. However, it cannot make final “block
or allow” decisions without your help until you have “taught” it how to
respond to different situations. It needs to learn as it goes. In short,
the software type will frequently need to ask you to make decisions on
what to do about certain incoming data packets – whether to allow them
in or not.

That’s fine, until the frequency
of the alarms becomes distracting to the point of being annoying. While
you are trying to concentrate on other things in the face of these interruptions,
there is a very real risk that you will take the easy way out and command
the software Firewall to “always allow” or “always deny” such data packets,
without giving careful thought to the consequences — which could be significant
either way.

The hardware Firewall, on
the other hand, enforces a very simple policy on incoming connections:
if the connection wasn’t requested by a PC from within its “walls”, the
connection is refused or ignored. In most situations such simplistic decision
making is quite OK. If you think about that for a moment, you will see
that the stubborn inflexibility of the hardware Firewall makes the software
Firewall's job much easier. You’ll recall that the hardware device is a
“perimeter” Firewall placed between your PC (or your network) and the Internet,
so it gets first look at any incoming data. The software Firewall is on
a local PC and thus inside the perimeter, so it only gets to see incoming
data that has survived the hardware Firewall. And the only incoming data
that does survive is that requested by an internal PC in the first place.

With a hardware Firewall
in place, there will be less questionable incoming traffic for the software
Firewall to analyze, thus fewer excuses for it to bother you with a request
for a decision. And therefore fewer chances for you to give a dangerous
answer.

This improvement in usability
is not a minor matter. The difference can be so pronounced that people
who install a hardware Firewall after having a software type in place for
a while begin to wonder if the latter is still working, so reduced are
the “alarms” they have to respond to.
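A small model of the layering described above, added here as an illustration; it is not the author's code and does not describe how any particular product works. The class names, program names and sample traffic are assumptions constructed for the example. It counts the questions the software Firewall puts to the user with and without a perimeter device in front of it, and shows that the perimeter alone does nothing about an unrecognised program sending data out.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "direction local remote program")

class PerimeterFirewall:
    """Hardware-style policy: inbound passes only if a PC inside asked for it."""
    def __init__(self):
        self.requested = set()
    def passes(self, pkt):
        if pkt.direction == "out":        # outbound is noted, never refused
            self.requested.add((pkt.local, pkt.remote))
        return pkt.direction == "out" or (pkt.local, pkt.remote) in self.requested

class PersonalFirewall:
    """Software-style policy: asks the user about anything it has no rule for."""
    def __init__(self, trusted_programs):
        self.trusted = set(trusted_programs)
        self.requested = set()
        self.prompts = []                 # every question put to the user
    def inspect(self, pkt):
        if pkt.direction == "out":
            if pkt.program not in self.trusted:
                self.prompts.append(("outbound", pkt.program))
                return False              # held until the user decides
            self.requested.add((pkt.local, pkt.remote))
            return True
        if (pkt.local, pkt.remote) in self.requested:
            return True                   # reply to the PC's own request
        self.prompts.append(("inbound", pkt.remote))
        return False

def run(traffic, use_perimeter):
    perimeter, personal = PerimeterFirewall(), PersonalFirewall({"browser.exe"})
    for pkt in traffic:
        if pkt.direction == "out":
            if personal.inspect(pkt) and use_perimeter:
                perimeter.passes(pkt)     # records the request at the perimeter
        elif not use_perimeter or perimeter.passes(pkt):
            personal.inspect(pkt)         # only survivors reach the PC
    return personal.prompts

# Constructed sample; "out" is sent by the PC, "in" arrives from the Internet.
TRAFFIC = [
    Packet("out", "pc:50000", "203.0.113.5:443", "browser.exe"),  # web request
    Packet("in", "pc:50000", "203.0.113.5:443", None),            # its reply
    Packet("in", "pc:135", "198.51.100.7:4444", None),            # unsolicited
    Packet("in", "pc:445", "198.51.100.8:5555", None),            # unsolicited
    Packet("out", "pc:50001", "203.0.113.99:80", "unknown.exe"),  # unrecognised
]
```

Calling `run(TRAFFIC, use_perimeter=False)` yields three prompts, while `run(TRAFFIC, use_perimeter=True)` leaves only the outbound question about `unknown.exe`.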
Another reason for using
both hardware and software Firewalls is that software is … well, software.
And software, any software, can be compromised. On the other hand the hardware
Firewall, with very few exceptions, can only be “got at” physically – a
baddie has to have hands-on access to the Firewall to do anything nefarious
with it.

Finally, both software and
hardware can fail for any number of reasons. If a good software firewall
encounters a problem it should be designed to fall back to some sort of
safe mode, blocking all Internet traffic until the problem is dealt with.

But if something should occur
that forced the software Firewall to shut down or that prevents it from
loading at all (something many Trojans attempt to do), it is no longer
an impediment to unauthorized data. You could well be vulnerable to attack
and remain blissfully unaware of the fact. On the other hand, if the hardware
Firewall fails it will do so in such a way that access to and from the
Internet is cut off altogether. The hardware Firewall, by its very nature,
can only fail on the side of complete safety. If it's "not there", neither
is the Internet connection.

Well … does that make the
software Firewall too much trouble? No way!!! A good software Firewall
that does its job properly is positively invaluable for its management
of outgoing connections, which is where one of the biggest threats to your
security lies. A very, very strong case can be made for having both types
in place. I do, as do most professionals with an understanding of, and
a respect for, data security.

At the very least you should
install a good software Firewall on each PC for which you are responsible.
A consistent Editor's Choice selection, probably the most-recommended by
IT professionals, and my personal choice, is ZoneAlarm from Zone Labs. There
are both free and PRO versions, with various licensing options. Even if
you are eligible to use the free version I do encourage you to at least
give PRO serious consideration and look at the extra features you get over
the free version.

http://HackersNightmare.com?res=ZoneAlarmPRO

There is no space here to
discuss hardware firewall recommendations, as the most suitable type will
depend on a number of factors. Seek advice from a reputable computer dealer
or consult a more detailed resource such as my book "The Hacker’s Nightmare".

If this newsletter has been
passed on to you by a friend, please subscribe to it yourself so you can
be sure of receiving the next part in this series, when I'll show you how
to keep your sensitive electronic correspondence completely confidential,
even if someone does manage to intercept your eMail.

-------------------------

Bill Hely is a technologist,
consultant and author living in Brisbane, Australia. For most of the last
two decades his professional focus has been on advising and supporting
small business operators in Information Technology and Office Productivity
issues — and rescuing them when they didn't heed his advice the first time
around. He is the author of several books on technology for the business
operator, including the Bible of Internet and computer security, "The
Hacker's Nightmare". For more information on this must-read tutorial
and reference visit: http://HackersNightmare.com