Saturday, May 20, 2000

Firewalls for Home Use

The growth of the Internet and the available services has created an exciting era in the information technology industry. During this time, both corporate networks and home users have become more Internet savvy. There has, however, been a vast gap between the speed of access at work and the speed available to home users. Because these same users have grown accustomed to the speeds available at work, the demand for high-speed home access has grown dramatically. As a result, several high-speed home Internet access options have been developed. Two of the most popular, Cable modems and DSL modems, now offer speeds equal to or sometimes better than those found on corporate networks. Both of these services provide the benefits of speed, but along with those benefits come the same drawbacks network administrators have faced for years: the need for heightened security.

One of the realities of having high-speed Internet access is the fact that the connections are essentially network connections. These connections, much like those of corporate LANs, are vulnerable to a variety of attacks. Within these connections are two inherent weaknesses that can be exploited by malicious hackers. The first is the operating system security. The vast majority of home users purchasing high-speed access are running Microsoft operating systems. Security issues have plagued these operating systems since the days of DOS (Parnell 137). Windows 9x incarnations have limited security that can easily be bypassed and Windows NT/2000, although largely secure, still suffers from an occasional security breach (Parnell 138).

The second issue of concern with these high-speed connections is their “always on” nature. Due to this nature, experienced hackers may be able to gain access to financial records, personal information, and the like.

To solve these problems, high-speed Internet access purchasers should strongly consider purchasing one of the firewall products being offered by the various networking vendors. These vendors have begun to target the security needs of Cable/DSL users by producing both software and hardware firewalls. These home-use firewalls perform essentially the same functions as their corporate counterparts. Although the kinds of services vary by vendor, their primary goal remains the same. They all function to keep intruders out.

To gain a better understanding of how these relatively new home-use firewalls function, one can look at how the tried and true implementations function in corporate networks. “Firewall” is used commonly as a term describing any of the various methods and devices for protecting one’s network from outside intrusion. In fact, the term is often extended to describe any network security device, such as a hardware encryption device, a screening router, or an application-level gateway (Siyan 274). The traditional definition of a firewall, however, as defined by the ICSA, is a “system or group of systems that enforces an access control policy between two networks” (Greenstein 268). Such systems, according to the ICSA definition, must be immune to penetration, allow only authorized traffic to pass through the network, and must be positioned in the network so that all traffic from inside or outside the network passes through it (Greenstein 268). Generally, firewalls are placed between the internal trusted network and the external untrusted network (Siyan 274).

This type of firewall usually falls into one of four designs. The first, router-based firewalls, is the simplest form. These firewalls are incorporated into routers that sit between the Internet and the network they are designed to protect. They act as the only gateway between the two networks. Similarly, an operating system can be loaded up with firewall software and also sit between the Internet and the network (Parnell 143).

The second type is called a dual-homed host. This is a computer with two network interfaces. One interface reaches out to the Internet and the other reaches out to the LAN. All traffic passes through the dual-homed host and all connectivity is proxied (Parnell 143).

A third type is called a bastion host. The bastion host approach employs a screening router as the only entry point to the Internet. This router is backed up by the Bastion host, which provides the needed services for the LAN (Parnell 144).

The final type is to employ multiple routers, with each router becoming progressively more complex and secure (Parnell 144).

There are two different approaches to setting up a firewall. The first approach involves programming an in-house firewall that meets the specific needs of the network. While this can be a very effective approach, it involves many hours of programming and is expensive. However, it is also very attractive because it is a custom solution that can be integrated effectively into the network (Siyan 274). The second approach involves purchasing a product from a vendor and then configuring it to match the network security policy (Siyan 274). While both approaches are effective, most organizations buy “off the shelf” products as a way of expediting the process of securing the network. This is also the most effective approach for home users interested in firewall protection.

Firewalls can be divided into two different types based on functionality. The first type is considered static. Static firewalls either permit all traffic except that which is specifically blocked (default permit) or they deny all traffic except that which is specifically allowed (default deny). Default deny is usually held to be more secure (Greenstein 270).

The second type of firewall is considered dynamic. These firewalls are more fluid in the ways they manage configuration. They allow both denial and permission of any service according to established rules (Greenstein 271).

Firewalls are designed to operate at the highest levels of the OSI model, thus giving them complete information about the types of data flowing through the network. The main objective of any firewall is to protect one network from another network, preventing unauthorized users from accessing the network and allowing legitimate users to access the network (Siyan 274). However, depending on the vendor, many other functions are available. Most firewalls are constructed with a variety of functionalities. These functionalities include packet filtering, network address translation, application-level proxies, stateful inspection, virtual private networking, and real-time monitoring (Greenstein 272).

The most crucial of all of the firewall capabilities is the ability to filter packets, which is the process of examining every packet and passing it along to its recipient or discarding the packet if it is unauthorized (Greenstein 274). Packets can be filtered based on their inbound and outbound status, source IP address, destination IP address, TCP type, and by port number (Parnell 142).

Another important function of firewalls is network address translation. Network address translation lets the network administrator assign IP addresses from a different subnet to the LAN used for the firewall itself. Network address translation was originally conceived as a way to get around the IP address shortage, but it has found its way into firewall technology as a way of making the internal network theoretically invisible to the outside world, using IP addresses that cannot be used on the Internet (Parnell 142).
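As an added illustration (not part of the original essay), the sketch below models a port-translating NAT table to show why hosts behind it are hard to reach from outside: an inbound packet is delivered only if an inside host opened the matching flow first. The class name, addresses and port numbers are constructed assumptions, and entry expiry is left out.

```python
import itertools

class Nat:
    """Simplified port-translating NAT: private hosts share one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.out_map = {}  # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.in_map = {}   # public port -> the flow that created it

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the LAN, creating a mapping if needed."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.out_map:
            port = next(self._ports)
            self.out_map[flow] = port
            self.in_map[port] = flow
        return (self.public_ip, self.out_map[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Rewrite a packet arriving at the public address.

        Returns None (drop) when no inside host opened this flow, which is
        what makes the private addresses unreachable from outside.
        """
        flow = self.in_map.get(dst_port)
        if flow is None or flow[2:] != (src_ip, src_port):
            return None
        return (src_ip, src_port, flow[0], flow[1])

def demo():
    """Constructed walk-through using documentation address ranges."""
    nat = Nat("203.0.113.5")
    sent = nat.outbound("192.168.1.10", 51000, "198.51.100.7", 80)
    reply = nat.inbound("198.51.100.7", 80, sent[1])
    probe = nat.inbound("203.0.113.9", 4444, 139)      # unsolicited
    hijack = nat.inbound("203.0.113.9", 4444, sent[1])  # wrong remote peer
    return sent, reply, probe, hijack
```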

Maintaining control over network services is another important feature offered by some firewall products. Firewalls that include Application Level Proxies substitute normal network services by allowing the firewall to provide the service (Greenstein 275). The proxies run services on behalf of the network’s client machines that could be potentially damaging to the network if used maliciously. All requests are forwarded back and forth from the proxy to the clients, providing some degree of control of the services (Parnell 142).

Other firewall services include stateful inspection, whereby the firewall verifies whether packets are authorized by checking a rulebase (Greenstein 278). Still others include Virtual Private Networking. Some firewall vendors incorporate this capability, allowing the creation of secure private “tunnels” on public networks, such as the Internet (Greenstein 279).

Finally, the ability to monitor a firewall in real-time is crucial to staying on top of the status of the network. Many firewalls feature paging and notification services as well as logging capabilities that allow network administrators to keep track of activity (Parnell 142).

All of these capabilities serve to protect the network from a variety of attacks. These include TCP hijacking, IP spoofing, and network sniffing (Greenstein 269). The most common and simplest attack is taking advantage of weak or default passwords (Parnell 140). A second kind of attack, popular today, is the Denial of Service attack. These attacks simply overload the servers with requests until the servers crash. Attacks such as SYN flooding take advantage of a weakness in the TCP three-way handshake, rendering servers inoperable. Other similar attacks include DNS attacks and the Solaris “suicide ping.” Even more complex attacks involve exploiting network operating system holes (Parnell 141).

Most of these attacks are limited to large corporate LANs. However, as the line blurs between home networks with high-speed access and corporate LANs, the threat of attacks is increasing for home users. Since Cable and DSL users are part of larger LANs, they face threats similar to those faced by large corporate LANs. Currently, the most common attack on home users is the Trojan horse attack.

A Trojan horse attack begins by placing the Trojan horse on a user’s machine. Usually, these programs are downloaded unknowingly as disguised programs through newsgroup postings and email attachments, or by hackers exploiting Microsoft’s File and Printer sharing. Once the file is on the user’s computer, a hacker can attempt to perform malicious acts. A typical and frequently used attack is the Sub-Seven attack. It is a remote access Trojan that contains many so-called “tricks” that allow hackers to post messages and sniff passwords from a user’s computer. Sub-Seven attacks can use AOL Instant Messenger, ICQ, and Yahoo Instant Messenger to perform these acts. Hackers can also speak through the user’s soundcard and speaker and view the content of the victim’s screen using Sub-Seven attacks (Graham).

Realizing the increasing need for security on home computers, several larger vendors who produce enterprise networking solutions have begun to produce similar solutions for home use. These options include both software and hardware based firewalls.

Several software firewalls have been developed for home use. Symantec’s Norton Internet Security 2000 and Network ICE’s Black ICE Defender are two such products. Both feature a rule-based firewall that runs in the background protecting the user’s PC while connected to the Internet. Both protect against hackers, unauthorized intrusions, and attempts at discovering personal information such as passwords, financial information, and other sensitive data (Symantec, Network ICE). This type of protection is becoming increasingly important, as indicated by Intel’s investment in Network ICE. Intel has also begun to bundle Black Ice Defender with its DSL modems (Intel).

For those home users who prefer hardware based solutions, several network hardware providers have begun to build firewall technology into their hubs and switches. These vendors are targeting home users wishing to connect several PCs and create a network, as well as those who wish to employ firewall protection. The vendors currently offering Cable/DSL firewall devices include Linksys, Netopia, Macsense, NetGear, Cayman, WebRamp, and UMAX. Each of the offerings from these vendors features similar functionality, but the Linksys is set apart due to its switching capability (Linksys). This market is just beginning to develop, but there are already several available products boasting impressive home networking features as well as incorporating firewall protection. Some of the features included in these products are the ability to create a home network using a Cable/DSL link, virtual private networking capabilities, DHCP serving, IP filters, and real-time monitoring.

With the birth of high-speed Internet connections for the home, the world of personal computing is becoming less personal and more connected. With malicious intent, the personal aspect of computing is compromised, resulting in security breaches. Several options are available to home users who wish to enjoy the benefits of high-speed and still keep their information safe.



Works Cited

Graham, Robert. “FAQ: Firewall Forensics.” RobertGraham. 2000.

Greenstein, Marilyn; Feinman, Todd. Electronic Commerce. Massachusetts: Irwin McGraw-Hill, 2000.

Parnell, Tere; Null, Christopher. Network Administrator’s Reference. California: Osborne, 1999.

Siyan, Karanjit. Internet Firewalls and Network Security. Indiana: New Riders Publishing, 1995.

“BlackICE Defender.” Network ICE. 2000. http://www.networkice.com/Products/BlackICE/blackice%20defender.htm

“Cable/DSL Router Peer Matrix.” Linksys. 2000. http://www.linksys.com/pdf/befsr41cm.pdf

“Intel To Become First Company To Offer Advanced Internet Security Software From Network ICE With Its High Speed DSL Modem.” Intel. 2000.
http://www.intel.com/pressroom/archive/releases/cn033000.htm

“Norton Internet Security 2000 Features: Comprehensive Security Suite.” Symantec. 2000.
http://www.symantec.com/sabu/nis/featuresA.html


copyright 2003-2007, VOTW

all rights reserved.