See why even a simple firewall is better than nothing
Takeaway: Deciding which type of firewall to use depends on what you're trying to protect. In this edition of Internet Security Focus, Jonathan Yarden breaks down the differences between software and hardware firewalls, and he discusses situations in which advanced firewall features are necessary.
As a systems administrator for an ISP, my primary function is to support several thousand customers by ensuring that equipment and services are operating correctly. Depending on the customer, this job can include maintaining on-site routing and firewall equipment, which can vary depending on the specific needs of the customer.
When it comes to supplying Internet access, ISPs provision a single IP address or a subnet for their customers. Either way, I always suggest that anyone accessing the Internet protect systems with either a hardware or software firewall.
Of course, IT pros know that a firewall is anything that protects a computer or network from the ravages of the Internet. But when talking to end users, I try to describe the level of questionable activity on the Internet in terms of worldwide accessibility.
Because public Internet addresses are readily accessible from anywhere in the world, even a simple dial-up Internet connection with a public IP address exposes your computer to the rest of the world while you're connected. This means anyone on the Internet can identify your computer—and perhaps scan it to see whether it's running vulnerable software or services. That's why you need to implement a firewall to try to protect it.
Hardware vs. software firewalls
As I tell my customers, deciding which type of firewall to use depends on what you're trying to protect. If you're just worried about a single computer system with Internet access, ZoneAlarm software works well enough for most people.
ZoneAlarm not only alerts you when someone tries to access your computer, but it alerts you when a program on your computer attempts unauthorized access to the Internet. If the access is valid, you can instruct ZoneAlarm to remember the program and allow access in the future without alerts. Although it's not an antivirus program, ZoneAlarm can also detect Trojan horse and spyware programs.
However, sometimes a software firewall just won't cut it. I suggest using a hardware firewall in these situations:
- A customer needs Internet access on more than one computer.
- A customer needs a secure connection to a main office.
- The client is a branch office.
- A company needs to host e-mail and Web servers.
Even though it's possible to share an Internet connection and firewall software using one computer as the router, I think it's a bad idea to use a workstation in this manner. Everyone on the network becomes dependent on the reliability of someone else's computer.
If a computer locks up or reboots, it cuts off Internet access. Then people call the ISP to complain, even when it's not the source of the problem.
Hardware firewalls don't have to be expensive. For instance, NETGEAR and Linksys models sport sufficient features for a reasonable cost.
Do you need advanced firewall features?
If clients telecommute or are setting up a branch office of a larger corporation, they probably need to use virtual private networking (VPN) features. Clients may also need Network Address Translation (NAT) when there are multiple internal computers and only one public IP address.
If customers need a subnet to support public Internet servers, I recommend using port forwarding and "hiding" the real service behind the firewall. No matter which advanced features your clients need, they should choose a hardware firewall that supports them.
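The following added example (not from the original column) is a toy model of the NAT and port-forwarding behavior described above: internal hosts share one public address, and unsolicited inbound traffic reaches an internal system only through an explicit forward. The addresses, ports, and the `NatFirewall` class are constructed for illustration; real devices differ in how strictly they match replies.

```python
# Added illustration: a toy model of a NAT firewall with one port-forward rule.
# All addresses (RFC 5737 / RFC 1918 ranges) and ports are constructed samples.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # the single public address from the ISP (sample)

@dataclass
class NatFirewall:
    # public port -> (internal host, internal port): explicit port forwards
    forwards: dict = field(default_factory=dict)
    # public source port -> (internal host, internal port, remote host, remote port)
    sessions: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal host opens a connection; rewrite source to the public IP."""
        pub_port = self.next_port
        self.next_port += 1
        self.sessions[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (PUBLIC_IP, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving at the public IP; return internal target or None (drop)."""
        sess = self.sessions.get(dst_port)
        if sess and sess[2:] == (src_ip, src_port):
            return sess[:2]                  # reply to a connection we started
        if dst_port in self.forwards:
            return self.forwards[dst_port]   # published service
        return None                          # unsolicited: dropped

def demo():
    fw = NatFirewall(forwards={25: ("192.168.1.20", 25)})  # mail server only
    _, pub_port, _, _ = fw.outbound("192.168.1.50", 51515, "198.51.100.7", 443)
    return {
        "reply": fw.inbound("198.51.100.7", 443, pub_port),
        "spoofed_reply": fw.inbound("198.51.100.99", 443, pub_port),
        "smtp": fw.inbound("198.51.100.99", 33000, 25),
        "scan_445": fw.inbound("198.51.100.99", 33001, 445),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result or 'DROP'}")
```

Only the forwarded mail port and replies to connections started from inside are delivered; everything else addressed to the public IP is dropped before it reaches an internal machine.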
Another thing to keep in mind when dealing with telecommuters or branch offices is to always check with the company's IT department before buying anything. I can't tell you how many times I've needed to replace equipment and fix VPN settings because branch offices and telecommuters didn't check with their IT department before buying equipment.
Regardless of your clients' specific needs, using a firewall does improve security. Anything they can do to "hide" their computer systems and services from the public Internet reduces risk.
My personal preference is to always use hardware firewalls, but software programs such as ZoneAlarm are better than nothing at all. However, firewalls can't prevent a virus or worm from taking over your computer—that's typically the job of antivirus software.
That's why it's important to remember that effective Internet security involves several layers. Consider a firewall system to be the first layer of your clients' security needs.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

