Home Network Security Simplified
Now that you understand a bit about how they work, let's take a look at where you should place firewalls in your home network and then go ahead and turn them on. Keep in mind that even if your device comes with a built-in firewall, it may not be turned on by default. Figure 1-5 shows where firewalls are recommended in your home network. First, it is absolutely essential to place an SPI firewall between your high-speed broadband service and your home network. Fortunately, most home network routers now ship with a built-in SPI firewall, so it might require just turning it on.
Figure 1-5. Where You Need Firewalls in Your Home Network
Next, you need to install personal software firewalls on each of the computers in your network. As mentioned before, if the personal software firewalls on the computers also contain SPI firewall functions, all the better. Each type of firewall presents several options. The next few sections explore the options, help you decide what is best for you, and help you install and turn them on.
Putting a Firewall Between You and the Internet
As previously mentioned, you first need to place an SPI firewall between your home network and the Internet. You can do so either by installing a dedicated firewall device between your broadband cable or digital subscriber line (DSL) modem and your home network router or, if available, just turning the SPI firewall on inside your home router.
Very Important: We highly recommend you install a home network router between your high-speed broadband connection and the computers in your home. The router itself provides critical security functions such as Network Address Translation (NAT), providing a level of defense for your home network. For more information, see Home Networking Simplified, which contains a complete discussion on the importance of home routers.
To make it really easy, many home network routers are being shipped with built-in SPI firewalls, so all you have to do is turn it on. Nearly all new Linksys wired and wireless routers are equipped with a built-in SPI firewall. If your home router already has an SPI firewall, turn it on and you are done. If it does not, you need to make a decision about how to proceed.
Very Important: Make sure whatever you buy has an SPI firewall. Some products claim to include a firewall, but the term firewall can be interpreted several ways. Look on the box or ask a store professional to make sure what you are buying has SPI.
Routers with a Built-In Firewall
Because a home network router already has to handle all the messages between your computers and the Internet, it is also a convenient place to put an SPI firewall. To activate it, you need to access the router's administration function, usually with an Internet browser or a client on one of your computers. Figure 1-6 shows turning on the SPI firewall in a Linksys wireless router (model WRT54GS in this example).
Figure 1-6. Turning On a Home Router-Based Firewall
The steps for turning on your firewall are as follows:
That's it. Now your SPI firewall is running and protecting your home network from the Internet. You have just taken an extremely important step toward protecting your home network. You might ask, "How do I know it is working?" Great question. See, you are already learning to become suspicious and think security. Read on and we will give you some tips to make sure what you think you have working really is protecting you like you think.
Dedicated Firewall Devices
If your home network router does not offer a built-in SPI firewall, you must decide whether to replace your home network router with one that does or purchase and install a dedicated firewall device. A dedicated firewall device is essentially a box that you place between your broadband modem and your home router that acts 100 percent of the time as a firewall. It provides no other networking functions. In corporate security circles, dedicated firewalls are preferred because security-minded folks argue that if you keep the software in the box simple, it will have fewer security holes, and as soon as you start adding other functions to it, you add complexity and open up the possibility for holes. For your home network, dedicated firewalls are becoming extremely rare because it is much more economical and space efficient to have the home router provide the function. If you decide to go with a dedicated firewall, be aware that each one differs according to the manufacturer. We suggest following the manufacturer's installation instructions.
Very Important: If you already have an older home network router installed that does not have an SPI firewall (for example, an older Wireless-B standard router), you might want to kill two birds and consider upgrading to a faster Wireless-G or Wireless-N router and at the same time get the built-in SPI firewall. Chances are you can make both upgrades for the same or less than buying a dedicated firewall device to add to an existing older router.
Enabling Personal Firewalls on Your Computers
Now that the SPI firewall is protecting the edge of your home network, it's time to turn your attention to the computers on the home network. Each computer needs to have a personal software firewall installed. Unlike SPI firewalls, which usually come in physical devices, personal firewalls generally come in the form of software you install on the computer you want to protect. Here again you have a choice of several options. The first option is the built-in software firewall offered in Windows XP Service Pack 2 (SP2) and later. The second option is Zone Labs, which offers its basic ZoneAlarm software firewall for free. Finally, several software firewall programs are available for purchase. Which you choose depends on your needs, but we try to highlight the advantages and disadvantages of each in the sections that follow.
Windows XP Built-In Firewall
Starting with Windows XP SP2, Windows offers a built-in personal firewall. If you have XP, but do not already have XP SP2 installed, you can obtain it here:
http://www.microsoft.com/windowsxp/sp2/default.mspx
If you have an older version of Windows (including 98SE, ME, or 2000), you are out of luck until you upgrade to XP. See the next sections for other personal software firewall options. The Windows XP firewall is a basic firewall with program access control (blocking computer to Internet) and SPI (blocking Internet to computer). It is a no-frills approach, but the price is right. Figures 1-7 and 1-8 show how to enable the Windows XP built-in firewall.
Figure 1-7. Windows XP Security Center
Figure 1-8. Enabling the Built-In Firewall in Windows XP
The following are the steps to enable the Windows XP built-in firewall:
The Windows XP built-in firewall is now enabled. There are not a lot of other things to configure, and the granularity of control you have is somewhat limited. But, all in all, it is an easy and cost-effective way to enable a personal software firewall on each of your computers. If you want a turn-it-on-and-forget-it firewall and you are running XP, this is a good option.
Very Important: Having the firewall program log interesting events (meaning when it detects unusual activity and takes an action such as dropping the packet) can prove useful for debugging. To enable logging with Windows Firewall, go to the Windows Security Center, click Windows Firewall, and go to the Advanced tab. In the Security Logging section, click Settings and then checkmark what you want to log and choose a location for the log file. To view the log, you must use Notepad to browse the file.
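The logging note above leaves you reading the log by eye in Notepad. As an added example (not from the book), this Python script summarizes which sources and ports the firewall has been dropping. The sample entries are constructed, and their field names are assumed to follow the layout Windows Firewall writes in the log's #Fields header line; the parser takes the names from that line rather than hardcoding them.

```python
from collections import Counter

# Constructed sample entries (documentation-range addresses), not a real capture.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2006-03-01 20:14:02 DROP TCP 203.0.113.7 192.168.1.10 4431 445 48 S 1250861 0 16384 - - - RECEIVE
2006-03-01 20:14:05 DROP TCP 203.0.113.7 192.168.1.10 4431 445 48 S 1250861 0 16384 - - - RECEIVE
2006-03-01 20:15:40 DROP UDP 198.51.100.23 192.168.1.10 1026 1434 404 - - - - - - - RECEIVE
2006-03-01 20:16:11 OPEN TCP 192.168.1.10 192.0.2.80 1061 80 - - - - - - - - -
2006-03-01 20:17:30 DROP ICMP 198.51.100.23 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2006-03-01 20:18:
"""


def parse_firewall_log(text):
    """Return (records, skipped): one dict per entry, keyed by the #Fields header."""
    fields, records, skipped = [], [], 0
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            skipped += 1  # truncated or malformed entry, e.g. a partly written last line
            continue
        records.append(dict(zip(fields, values)))
    return records, skipped


def summarize_drops(records):
    """Count dropped packets per (source IP, protocol, destination port), busiest first."""
    drops = Counter((r["src-ip"], r["protocol"], r["dst-port"])
                    for r in records if r["action"] == "DROP")
    return drops.most_common()


if __name__ == "__main__":
    records, skipped = parse_firewall_log(SAMPLE_LOG)
    for (src, proto, port), count in summarize_drops(records):
        print(f"{count:3d} dropped  {proto:4s} from {src:15s} to port {port}")
    print(f"{skipped} unreadable line(s) skipped")
```

To run it against your own log, read the file you chose in the Security Logging settings and pass its text to parse_firewall_log in place of SAMPLE_LOG.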
ZoneAlarm Personal Software Firewall
Another relatively easy and cost-effective option for a personal software firewall is ZoneAlarm. Zone Labs offers several versions of its firewall program, including a basic firewall program that is free and a couple more sophisticated versions for purchase. Let's look at the free version here. The for-purchase version is discussed in the next section. The free ZoneAlarm firewall is a fully functional, pretty good firewall program that includes the functionality you need to protect the computers in your home network. ZoneAlarm is somewhat more configurable than the Windows XP built-in firewall and provides more visibility into what is being blocked or allowed. This could be needed if you run into issues where certain programs you want to have access are being blocked for some reason. With ZoneAlarm, you can see what is being blocked and easily adjust the settings.
Very Important: Typically, only one personal software firewall program can be installed and active on a computer at a time. You generally cannot, for example, run both Windows XP Firewall and ZoneAlarm. Additional firewall programs do not offer any additional protection, and running more than one could lead to complex problems. Pick one, not several. ZoneAlarm in particular disables Windows Firewall when it is installed to avoid such conflicts.
ZoneAlarm is available for download here:
http://www.zonelabs.com
Go to the download area and download the version that is just called ZoneAlarm for the free version. The following covers some brief installation and setup steps that refer to Figures 1-9 and 1-10.
Figure 1-9. ZoneAlarm Personal Software Firewall
Figure 1-10. ZoneAlarm Requesting Internet Access for a New Program
The ZoneAlarm firewall is now enabled. It is a good idea at this point to try to use the programs you normally use, especially those that access the Internet, including Outlook Express (or the alternate e-mail program you use), instant messaging, Internet Explorer (or the alternate browser you use), and so on. Each time a new program tries to access the Internet, ZoneAlarm will prompt you to grant or deny access. In general, ZoneAlarm initially blocks everything that automatically attempts to access the Internet, including things such as updates to your antivirus programs, which, of course, you want. You can usually read the popup warning and figure it out; if you are not sure what ZoneAlarm is attempting to block, choose the block function and then check the programs you use most often to make sure they are still operating correctly. If one or more of the programs you used to use no longer works, or if a new program you install does not work properly, you might want to check the access settings in ZoneAlarm to make sure they are not incorrectly set:
Very Important: You will notice two sets of columns in the Program Control dialog: Access and Server. Access permissions apply to programs on your computer that need access to the Internet. In general, all programs that you want to allow to access the Internet need a minimum of Access permission. Server permission is an additional authorization needed by some programs that legitimately send unsolicited traffic to your computer, such as some e-mail and IM programs. Try allowing Access permissions first; if the program you are using still is not working correctly, try setting the Server permissions to Allow (green checks), too.
In summary, ZoneAlarm firewall is another relatively easy and cost-effective method for enabling a personal software firewall on each of your computers. If you want a firewall program that offers a bit more control and visibility, ZoneAlarm is a good option. If you are not running Windows XP and have no intention to upgrade, again ZoneAlarm is a good option for you.
Very Important: Having the firewall program log interesting events (meaning when it detects unusual activity and takes an action such as dropping the packet) can prove useful for debugging. Logging is enabled in ZoneAlarm by default. To view the log, bring up the ZoneAlarm main control dialog, click Alerts & Logs, and click the Log Viewer tab.
Personal Software Firewalls for Purchase
A third option for personal software firewall programs is to purchase one. You may ask, "Why buy one when there are two free options?" Two reasons. First, you get what you pay for, meaning the for-purchase firewall programs are typically going to be kept much more current and have features added to them (not to say that Windows XP Firewall or ZoneAlarm will not). Second, when you purchase an antivirus software program (notice we said when, not if), you have the option of paying a little more money for an entire security bundle. We cover antivirus programs in Chapter 3. Security bundles are offered by the major security software vendors and include a whole suite of protection, including antivirus, firewall, spyware/adware blocking, parental control, antispam, and so on. We recommend checking out the security bundles from the leading security software vendors in Table 1-1.
This book lacks space to show them all. Just to give you a feel for how the security packages look, however, the following discussion covers two of them. Keep in mind that you only need one of these firewall programs for your home network; adding a second will only disable the previously loaded firewall programs. Figure 1-12 shows the main control panel for Symantec's product, Norton Internet Security 200x. You can see that the Personal Firewall component that came included in the bundle is enabled.
Figure 1-12. Symantec Norton Internet Security 200x
Figure 1-13 shows the main control panel for McAfee's product, Internet Security Suite. Once again, you can see that the Personal Firewall component that came included in the bundle is enabled.
Figure 1-13. McAfee Internet Security Suite
Both of these personal software firewalls operate similarly to ZoneAlarm. Each learns as new programs attempt to access the Internet, and you specify whether to grant or deny access. Both are also configurable and allow for relatively easy control and visibility. If you decide to purchase a security bundle, the included personal firewall component is a good option. Also, if you need a fully functional firewall program with all the bells and whistles, one of these for-purchase programs is a good option for you. You should also check your Internet service provider's security pages. They often offer bundles and good advice on firewalls and bundled security services.
Very Important: We highly recommend that you set up personal software firewall programs to automatically start when Windows starts. Having to remember to start the firewall program manually is going to be a pain, and it will be hit or miss whether you remember to start it.