Home Network Security Simplified

Now that you understand a bit about how they work, let's take a look at where you should place firewalls in your home network and then go ahead and turn them on. Keep in mind that even if your device comes with a built-in firewall, it may not be turned on by default.

Figure 1-5 shows where firewalls are recommended in your home network. First, it is absolutely essential to place an SPI firewall between your high-speed broadband service and your home network. Fortunately, most home network routers now ship with a built-in SPI firewall, so it might require just turning it on.

Figure 1-5. Where You Need Firewalls in Your Home Network

Next, you need to install personal software firewalls on each of the computers in your network. As mentioned before, if the personal software firewalls on the computers also contain SPI firewall functions, all the better.

Each type of firewall presents several options. The next few sections explore the options, help you decide what is best for you, and help you install and turn them on.

Putting a Firewall Between You and the Internet

As previously mentioned, you first need to place an SPI firewall between your home network and the Internet. You can do so either by installing a dedicated firewall device between your broadband cable or digital subscriber line (DSL) modem and your home network router or, if available, just turning the SPI firewall on inside your home router.

Very Important

We highly recommend you install a home network router between your high-speed broadband connection and the computers in your home. The router itself provides critical security functions such as Network Address Translation (NAT), providing a level of defense for your home network. For more information, see Home Networking Simplified, which contains a complete discussion on the importance of home routers.

To make it really easy, many home network routers are being shipped with built-in SPI firewalls, so all you have to do is turn it on. Nearly all new Linksys wired and wireless routers are equipped with a built-in SPI firewall. If your home router already has an SPI firewall, turn it on and you are done. If it does not, you need to make a decision about how to proceed.

Very Important

Make sure whatever you buy has an SPI firewall. Some products claim to include a firewall, but the term firewall can be interpreted several ways. Look on the box or ask a store professional to make sure what you are buying has SPI.

Routers with a Built-In Firewall

Because a home network router already has to handle all the messages between your computers and the Internet, it is also a convenient place to put an SPI firewall.

To activate it, you need to access the router's administration function, usually with an Internet browser or a client on one of your computers. Figure 1-6 shows turning on the SPI firewall in a Linksys wireless router (model WRT54GS in this example).

Figure 1-6. Turning On a Home Router-Based Firewall

The steps for turning on your firewall are as follows:

Step 1. Access the router's administration function. For Linksys routers, use Internet Explorer and enter the router's IP address in your home network (usually 192.168.1.1).

Step 2. When prompted, enter the administrator user ID and password.

Step 3. Click the Security tab.

Step 4. Click Enable for the firewall function.

Step 5. Also checkmark the optional additional protection functions, including Block Anonymous Internet Requests, Filter Multicast, Filter Internet NAT Redirection, and Filter IDENT(Port 113). These are to detect and block several specific known hacking attacks.

Step 6. Click Save Settings.

That's it. Now your SPI firewall is running and protecting your home network from the Internet. You have just taken an extremely important step to protecting your home network.

You might ask, "How do I know it is working?" Great question. See, you are already learning to become suspicious and think security. Read on and we will give you some tips to make sure that what you think you have working really is protecting you the way you think it is.

Dedicated Firewall Devices

If your home network router does not offer a built-in SPI firewall, you must decide whether to replace your home network router with one that does or purchase and install a dedicated firewall device. A dedicated firewall device is essentially a box that you place between your broadband modem and your home router that acts 100 percent of the time as a firewall. It provides no other networking functions.

In corporate security circles, dedicated firewalls are preferred because security-minded folks argue that if you keep the software in the box simple, it will have fewer security holes, and as soon as you start adding other functions to it, you add complexity and open up the possibility for holes.

For your home network, dedicated firewalls are becoming extremely rare because it is much more economical and space efficient to have the home router provide the function.

If you decide to go with a dedicated firewall, be aware that each one differs according to the manufacturer. We suggest following the manufacturer's installation instructions.

Very Important

If you already have an older home network router installed that does not have an SPI firewall (for example, an older Wireless-B standard router), you might want to kill two birds and consider upgrading to a faster Wireless-G or Wireless-N router and at the same time get the built-in SPI firewall. Chances are you can make both upgrades for the same or less than buying a dedicated firewall device to add to an existing older router.

Enabling Personal Firewalls on Your Computers

Now that the SPI firewall is protecting the edge of your home network, it's time to turn your attention to the computers on the home network. Each computer needs to have a personal software firewall installed. Unlike SPI firewalls, which usually come in physical devices, personal firewalls generally come in the form of software you install on the computer you want to protect.

Here again you have a choice of several options. The first option is Windows XP Service Pack 2 (SP2) and later, which offers a built-in software firewall. The second option is Zone Labs, which offers its basic ZoneAlarm software firewall for free. Finally, several software firewall programs are available for purchase.

Which you choose depends on your needs, but we try to highlight the advantages and disadvantages of each in the sections that follow.

Windows XP Built-In Firewall

Starting with Windows XP SP2, Windows offers a built-in personal firewall. If you have XP, but do not already have XP SP2 installed, you can obtain it here:

http://www.microsoft.com/windowsxp/sp2/default.mspx

If you have an older version of Windows (including 98SE, ME, or 2000), you are out of luck until you upgrade to XP. See the next sections for other personal software firewall options.

The Windows XP firewall is a basic firewall with program access control (blocking computer to Internet) and SPI (blocking Internet to computer). It is a no-frills approach, but the price is right.

Figures 1-7 and 1-8 show how to enable the Windows XP built-in firewall.

Figure 1-7. Windows XP Security Center

Figure 1-8. Enabling the Built-In Firewall in Windows XP

The following are the steps to enable the Windows XP built-in firewall:

Step 1. Click Start > Control Panel > Security Center. The main Security Center dialog will display, as shown in Figure 1-7.

Very Important

If your firewall service was not already running, you will get a popup dialog window with the message "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?"

Step 2. Click Windows Firewall. You will see the dialog shown in Figure 1-8.

Step 3. Enable the On (recommended) button and click OK to save the setting.

The Windows XP built-in firewall is now enabled. There are not a lot of other things to configure, and the granularity of control you have is somewhat limited. But, all in all, it is an easy and cost-effective way to enable a personal software firewall on each of your computers. If you want a turn-it-on-and-forget-it firewall and you are running XP, this is a good option.

Very Important

Having the firewall program log interesting events (meaning when it detects unusual activity and takes an action such as dropping the packet) can prove useful for debugging. To enable logging with Windows Firewall, go to the Windows Security Center, click Windows Firewall, and go to the Advanced tab. In the Security Logging section, click Settings and then checkmark what you want to log and choose a location for the log file. To view the log, you must use Notepad to browse the file.
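The log file Windows Firewall writes is plain text with a "#Fields:" header line naming each space-separated column, so a short script can summarize what was dropped instead of scrolling through the file in Notepad. The Python script below is an added example, not part of the book; its sample log lines are constructed for illustration and the function names are our own.

```python
from collections import Counter

# Constructed sample in the layout Windows Firewall writes: header lines
# start with '#', and '-' marks an empty field. Addresses come from
# documentation and private ranges; they are not real observations.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2006-03-14 21:04:11 DROP TCP 203.0.113.7 192.168.1.101 4312 135 48 S 1911234 0 64240 - - - RECEIVE
2006-03-14 21:04:14 DROP TCP 203.0.113.7 192.168.1.101 4312 135 48 S 1911234 0 64240 - - - RECEIVE
2006-03-14 21:05:02 OPEN TCP 192.168.1.101 198.51.100.20 1045 80 - - - - - - - - -
2006-03-14 21:06:40 DROP UDP 198.51.100.99 192.168.1.101 1027 1434 404 - - - - - - - RECEIVE
2006-03-14 21:07:05 CLOSE TCP 192.168.1.101 198.51.100.20 1045 80 - - - - - - - - -
2006-03-14 21:09:12 DROP TCP 203.0.113.7 192.168.1.101 4320 445 48 S 1911300 0 64240 - - - RECEIVE
2006-03-14 21:10:
"""


def parse_firewall_log(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) < len(fields):
                continue  # truncated record, e.g. the firewall was mid-write
            yield dict(zip(fields, values))


def summarize_drops(records):
    """Count dropped packets per (source IP, protocol, destination port)."""
    drops = Counter()
    for rec in records:
        if rec["action"] == "DROP":
            drops[(rec["src-ip"], rec["protocol"], rec["dst-port"])] += 1
    return drops


def report(text):
    """Return one summary line per dropped flow, most frequent first."""
    drops = summarize_drops(parse_firewall_log(text))
    return [f"{n:>3} dropped  {proto} from {src} to local port {port}"
            for (src, proto, port), n in drops.most_common()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To run it against your own computer, read the log file from the location you chose in the Security Logging settings and pass its contents to report().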

ZoneAlarm Personal Software Firewall

Another relatively easy and cost-effective option for a personal software firewall is ZoneAlarm. Zone Labs offers several versions of its firewall program, including a basic firewall program that is free and a couple more sophisticated versions for purchase.

Let's look at the free version here. The for-purchase version is discussed in the next section. The free ZoneAlarm firewall is a fully functional, pretty good firewall program that includes the functionality you need to protect the computers in your home network. ZoneAlarm is somewhat more configurable than the Windows XP built-in firewall and provides more visibility into what is being blocked or allowed. This could be needed if you run into issues where certain programs you want to have access are being blocked for some reason. With ZoneAlarm, you can see what is being blocked and easily adjust the settings.

Very Important

Typically, only one personal software firewall program can be installed and active on a computer at a time. You generally cannot, for example, run both Windows XP Firewall and ZoneAlarm. Additional firewall programs do not offer any additional protection, and it could lead to complex problems. Pick one, not several. ZoneAlarm in particular disables Windows Firewall when it is installed to avoid such conflicts.

ZoneAlarm is available for download here:

http://www.zonelabs.com

Go to the download area and download the version that is just called ZoneAlarm for the free version.

The following covers some brief installation and setup steps that refer to Figures 1-9 and 1-10.

Figure 1-9. ZoneAlarm Personal Software Firewall

Figure 1-10. ZoneAlarm Requesting Internet Access for a New Program

Step 1. Download and install ZoneAlarm on your computer. You will need to then restart the computer to complete the install.

Step 2. The main ZoneAlarm control dialog is shown in Figure 1-9. If you do not see it on your computer, double-click the yellow and red ZA icon that should be in your running tasks at the bottom right of your screen.

Step 3. ZoneAlarm learns which programs you want to allow or block access to the Internet. When a program attempts access, you will see a popup box as in Figure 1-10.

Step 4. Decide whether you want the program to have access. If yes, click the Allow button; if not, click Deny.

Step 5. Check the Remember this setting box prior to clicking Allow or Deny if you want ZoneAlarm to grant or deny access to this program automatically in the future.

Step 6. If you are not sure whether you want to allow or deny access, perhaps because you do not recognize the program, you can click on More Info to seek advice from Zone Labs.

The ZoneAlarm firewall is now enabled. It is a good idea at this point to try to use the programs you normally use, especially those that access the Internet, including Outlook Express (or the alternate e-mail program you use), instant messaging, Internet Explorer (or the alternate browser you use), and so on. Each time a new program tries to access the Internet, ZoneAlarm will prompt you to grant or deny access.

In general, ZoneAlarm initially blocks everything that automatically attempts to access the Internet, including things such as updates to your antivirus programs, which, of course, you want. You can usually read the popup warning and figure it out; if you are not sure what ZoneAlarm is attempting to block, choose the block function and then check the programs you use most often to make sure they are still operating correctly.

If one or more of the programs you used to use no longer works, or if a new program you install does not work properly, you might want to check the access settings in ZoneAlarm to make sure they are not incorrectly set:

Step 1. Double-click the ZA icon on your taskbar, or click Start > Programs > Zone Labs > Zone Labs Security to launch the ZoneAlarm control dialog. You will see the main Security Center dialog shown previously in Figure 1-9.

Step 2. Click Program Control on the left side of the dialog, and click the Programs tab at the top. You will see the dialog shown in Figure 1-11.

Figure 1-11. Checking Program Access Settings in ZoneAlarm

Step 3. Find the program in the list you are trying to use and verify its access control settings. For example, you can see in this case that AOL Instant Messenger has green checkmarks next to it, meaning that it is always granted access. Red Xs mean the program is always blocked. Blue question marks indicate that there is no permanent setting and ZoneAlarm will prompt you each time the program runs.

Step 4. To change the access setting, right-click the green check or red X beside the program and select the new setting.

Very Important

You will notice two sets of columns in the Program Control dialog: Access and Server. Access permissions apply to programs on your computer that need access to the Internet. In general, all programs that you want to allow to access the Internet need a minimum of Access permission. Server permission is an additional authorization needed by some programs that legitimately send unsolicited traffic to your computer, such as some e-mail and IM programs. Try allowing Access permissions first; if the program you are using still is not working correctly, try setting the Server permissions to Allow (green checks), too.

In summary, ZoneAlarm firewall is another relatively easy and cost-effective method for enabling a personal software firewall on each of your computers. If you want a firewall program that offers a bit more control and visibility, ZoneAlarm is a good option. If you are not running Windows XP and have no intention to upgrade, again ZoneAlarm is a good option for you.

Very Important

Having the firewall program log interesting events (meaning when it detects unusual activity and takes an action such as dropping the packet) can prove useful for debugging. Logging is enabled in ZoneAlarm by default. To view the log, bring up the ZoneAlarm main control dialog, click Alerts & Logs, and click the Log Viewer tab.

Personal Software Firewalls for Purchase

A third option for personal software firewall programs is to purchase one. You may ask, "Why buy one when there are two free options?" Two reasons. First, you get what you pay for, meaning the for-purchase firewall programs are typically going to be kept much more current and have features added to them (not to say that Windows XP Firewall or ZoneAlarm will not).

Second, when you purchase an antivirus software program (notice we said when, not if), you have the option of paying a little more money for an entire security bundle. We cover antivirus programs in Chapter 3. Security bundles are offered by the major security software vendors and include a whole suite of protection, including antivirus, firewall, spyware/adware blocking, parental control, antispam, and so on.

We recommend checking out the security bundles from the leading security software vendors in Table 1-1.

Table 1-1. Leading Security Software Bundle Vendors

Security Bundle Provider                   Internet Address
McAfee Internet Security Suite             http://www.mcafee.com
Symantec Norton Internet Security 200x     http://www.symantec.com
Trend Micro PC-cillin Internet Security    http://www.trendmicro.com
ZoneAlarm Security Suite                   http://www.zonelabs.com

This book lacks space to show them all. Just to give you a feel for how the security packages look, however, the following discussion covers two of them. Keep in mind that you only need one of these firewall programs for your home network; adding a second will only disable the previously loaded firewall programs.

Figure 1-12 shows the main control panel for Symantec's product, Norton Internet Security 200x. You can see that the Personal Firewall component that came included in the bundle is enabled.

Figure 1-12. Symantec Norton Internet Security 200x

Figure 1-13 shows the main control panel for McAfee's product, Internet Security Suite. Once again, you can see that the Personal Firewall component that came included in the bundle is enabled.

Figure 1-13. McAfee Internet Security Suite

Both of these personal software firewalls operate similarly to ZoneAlarm. Each learns as new programs attempt to access the Internet, and you specify whether to grant or deny access. Both are also configurable and allow for relatively easy control and visibility.

If you decide to purchase a security bundle, the included personal firewall component is a good option. Also, if you need a fully functional firewall program with all the bells and whistles, one of these for-purchase programs is a good option for you. You should also check your Internet service provider's security pages. They often offer bundles and good advice on firewalls and bundled security services.

Very Important

We highly recommend that you set up personal software firewall programs to automatically start when Windows starts. Having to remember to start the firewall program manually is going to be a pain and hit or miss if you remember to trigger it or not.
