Saturday, May 20, 2000

Firewalls for Home Use

The growth of the Internet and the available services has created an exciting era in the information technology industry. During this time, both corporate networks and home users have become more Internet savvy. There has, however, been a vast gap between the speed of access at work and the speed available to home users. Coupled with the fact that these same users have grown accustomed to the speeds available at work, the demand for high-speed home access has grown dramatically. As a result, several high-speed home Internet access options have been developed. Two of the most popular, Cable modems and DSL modems, now offer speeds equal to or sometimes better than those found on corporate networks. Both of these services provide the benefits of speed, but along with those benefits come the same drawbacks network administrators have faced for years: the need for heightened security.

One of the realities of having high-speed Internet access is the fact that the connections are essentially network connections. These connections, much like those of corporate LANs, are vulnerable to a variety of attacks. Within these connections are two inherent weaknesses that can be exploited by malicious hackers. The first is operating system security. The vast majority of home users purchasing high-speed access are running Microsoft operating systems. Security issues have plagued these operating systems since the days of DOS (Parnell 137). Windows 9x incarnations have limited security that can easily be bypassed, and Windows NT/2000, although largely secure, still suffers from an occasional security breach (Parnell 138).

The second issue of concern with these high-speed connections is their “always on” nature. Due to this nature, experienced hackers may be able to gain access to financial records, personal information, and the like.

To solve these problems, high-speed Internet access purchasers should seriously consider purchasing one of the firewall products being offered by the various networking vendors. These vendors have begun to target the security needs of Cable/DSL users by producing both software and hardware firewalls. These home-use firewalls perform essentially the same functions as their corporate counterparts. Although the kinds of services vary by vendor, their primary goal remains the same: they all function to keep intruders out.

To gain a better understanding of how these relatively new home-use firewalls function, one can look at how the tried and true implementations function in corporate networks. “Firewall” is used commonly as a term describing any of the various methods and devices for protecting one’s network from outside intrusion. In fact, the term is often extended to describe any network security device, such as a hardware encryption device, a screening router, or an application-level gateway (Siyan 274). The traditional definition of a firewall, however, as defined by the ICSA, is a “system or group of systems that enforces an access control policy between two networks” (Greenstein 268). Such systems, according to the ICSA definition, must be immune to penetration, allow only authorized traffic to pass through the network, and must be positioned in the network so that all traffic from inside or outside the network passes through it (Greenstein 268). Generally, firewalls are placed between the internal trusted network and the external untrusted network (Siyan 274).

This type of firewall usually falls into one of four designs. The first, router-based firewalls, is the simplest form. These firewalls are incorporated into routers that sit between the Internet and the network they are designed to protect. They act as the only gateway between the two networks. Similarly, an operating system can be loaded up with firewall software and also sit between the Internet and the network (Parnell 143).

The second type is called a dual-homed host. This is a computer with two network interfaces. One interface reaches out to the Internet and the other reaches out to the LAN. All traffic passes through the dual-homed host and all connectivity is proxied (Parnell 143).

A third type is called a bastion host. The bastion host approach employs a screening router as the only entry point to the Internet. This router is backed up by the Bastion host, which provides the needed services for the LAN (Parnell 144).

The final type is to employ multiple routers, with each router becoming progressively more complex and secure (Parnell 144).

There are two different approaches to setting up a firewall. The first approach involves programming an in-house firewall that meets the specific needs of the network. While this can be a very effective approach, it involves many hours of programming and is expensive. However, it is also very attractive because it is a custom solution that can be integrated effectively into the network (Siyan 274). The second approach involves purchasing a product from a vendor and then configuring it to match the network security policy (Siyan 274). While both approaches are effective, most organizations buy “off the shelf” products as a way of expediting the process of securing the network. This is also the most effective approach for home users interested in firewall protection.

Firewalls can be divided into two different types based on functionality. The first type is considered static. Static firewalls either permit all traffic except that which is specifically blocked (default permit) or they deny all traffic except that which is specifically allowed (default deny). Default deny is usually held to be more secure (Greenstein 270).

The second type of firewall is considered dynamic. These firewalls are more fluid in the ways they manage configuration. They allow both denial and permission of any service according to established rules (Greenstein 271).

Firewalls are designed to operate at the highest levels of the OSI model, thus giving them complete information about the types of data flowing through the network. The main objective of any firewall is to protect one network from another network, preventing unauthorized users from accessing the network and allowing legitimate users to access the network (Siyan 274). However, depending on the vendor, many other functions are available. Most firewalls are constructed with a variety of functionalities. These functionalities include packet filtering, network address translation, application-level proxies, stateful inspection, virtual private networking, and real-time monitoring (Greenstein 272).

The most crucial of all of the firewall capabilities is the ability to filter packets, which is the process of examining every packet and passing it along to its recipient or discarding the packet if it is unauthorized (Greenstein 274). Packets can be filtered based on their inbound and outbound status, source IP address, destination IP address, TCP type, and by port number (Parnell 142).
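The following is an added example, not code from the original essay or from any vendor product: a minimal static packet filter of the kind just described. Rules match on direction, source and destination address, protocol and port, and whatever no rule matches falls through to either a default-permit or a default-deny policy. The LAN range, the rule set and the three sample packets are constructed for this illustration; port 139 is the NetBIOS session port that Windows file and printer sharing listens on.

```python
"""Added example (not from the essay): a first-match static packet filter
with a configurable default policy. Addresses, rules and packets are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the LAN
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    direction: Optional[str] = None   # None matches either direction
    src: Optional[str] = None         # CIDR network; None matches any address
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every field that is set on the rule must match the packet."""
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


class StaticFilter:
    """First matching rule wins; if no rule matches, the default policy decides."""

    def __init__(self, rules: List[Rule], default: str):
        if default not in ("permit", "deny"):
            raise ValueError("default policy must be 'permit' or 'deny'")
        self.rules = rules
        self.default = default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


# Constructed home network: the LAN sits on 192.168.1.0/24 behind the firewall.
LAN = "192.168.1.0/24"
RULES = [
    Rule("permit", direction="out", src=LAN),              # anything the LAN initiates
    Rule("deny", direction="in", proto="tcp", dport=139),  # block file-sharing probes from outside
]

# Constructed sample traffic.
SAMPLE = [
    Packet("out", "192.168.1.10", "203.0.113.5", "tcp", 80),   # web browsing from the LAN
    Packet("in", "198.51.100.7", "192.168.1.10", "tcp", 139),  # inbound file-sharing probe
    Packet("in", "198.51.100.7", "192.168.1.10", "tcp", 5000), # inbound to a port no rule mentions
]


def evaluate(default: str) -> List[str]:
    """Run the sample packets through the filter under the given default policy."""
    fw = StaticFilter(RULES, default)
    return [fw.decide(p) for p in SAMPLE]


if __name__ == "__main__":
    for policy in ("permit", "deny"):
        print(f"default {policy}: {evaluate(policy)}")
```

The third packet is the one that matters: under default permit it reaches the LAN because nobody wrote a rule for port 5000, while under default deny it is dropped. That is the practical meaning of the claim that default deny is the more secure of the two static policies.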

Another important function of firewalls is network address translation. Network address translation lets the network administrator assign IP addresses from a different subnet to the LAN used for the firewall itself. Network address translation was originally conceived as a way to get around the IP address shortage, but it has found its way into firewall technology as a way of making the internal network theoretically invisible to the outside world, using IP addresses that cannot be used on the Internet (Parnell 142).

Maintaining control over network services is another important feature offered by some firewall products. Firewalls that include Application Level Proxies substitute normal network services by allowing the firewall to provide the service (Greenstein 275). The proxies run services on behalf of the network’s client machines that could be potentially damaging to the network if used maliciously. All requests are forwarded back and forth from the proxy to the clients, providing some degree of control of the services (Parnell 142).

Other firewall services include stateful inspection, whereby the firewall verifies whether packets are authorized by checking a rulebase (Greenstein 278). Still others include Virtual Private Networking. Some firewall vendors incorporate this capability, allowing the creation of secure private “tunnels” on public networks, such as the Internet (Greenstein 279).
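Network address translation and stateful inspection, as described in the two paragraphs above, are closely related in practice: the translation table is itself a record of connection state. The following is an added example, not part of the essay or of any product, that combines the two. Outbound packets from private addresses are rewritten to the firewall's single public address, and inbound packets are admitted only when they match a connection the LAN opened, so an outside host cannot address the internal machines directly. The public address, private addresses and port numbers are constructed.

```python
"""Added example (not from the essay): NAT with a stateful connection table.
All addresses and ports are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"  # constructed public address of the firewall


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNAT:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # private flow -> public source port assigned to it
        self.outbound: Dict[Flow, int] = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, f: Flow) -> Flow:
        """Rewrite a LAN-originated packet to the public address and record the state."""
        if f not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[f] = port
            self.inbound[(port, f.dst_ip, f.dst_port)] = (f.src_ip, f.src_port)
        return Flow(self.public_ip, self.outbound[f], f.dst_ip, f.dst_port)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        """Return the packet rewritten to the LAN host it belongs to, or None
        (dropped) if no LAN-initiated connection matches it."""
        key = (f.dst_port, f.src_ip, f.src_port)
        if f.dst_ip != self.public_ip or key not in self.inbound:
            return None
        priv_ip, priv_port = self.inbound[key]
        return Flow(f.src_ip, f.src_port, priv_ip, priv_port)


def demo() -> Tuple[Flow, Optional[Flow], Optional[Flow]]:
    nat = StatefulNAT(PUBLIC_IP)
    # A LAN host opens a web connection; the outside world sees only PUBLIC_IP.
    out = nat.translate_outbound(Flow("192.168.1.10", 51000, "198.51.100.20", 80))
    # The server's reply matches the table and is forwarded to the LAN host.
    reply = nat.translate_inbound(Flow("198.51.100.20", 80, PUBLIC_IP, out.src_port))
    # An unsolicited probe to the public address has no table entry and is dropped.
    probe = nat.translate_inbound(Flow("198.51.100.99", 4444, PUBLIC_IP, 139))
    return out, reply, probe


if __name__ == "__main__":
    for label, flow in zip(("outbound", "reply", "probe"), demo()):
        print(f"{label}: {flow}")
```

The probe is dropped not because of any rule about port 139 but because no state exists for it; that is the sense in which the internal network is "theoretically invisible" once it sits behind translation.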

Finally, the ability to monitor a firewall in real-time is crucial to staying on top of the status of the network. Many firewalls feature paging and notification services as well as logging capabilities that allow network administrators to keep track of activity (Parnell 142).
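As an added example of the logging and notification capability just described (this is not code from the essay or from any firewall vendor), the following small monitor reads firewall log lines and raises an alert when a single outside address accumulates too many denied inbound packets within a sliding time window. The log format, the threshold and the sample lines are all constructed assumptions.

```python
"""Added example (not from the essay): a sliding-window monitor over
constructed firewall log lines. The log format is an assumption."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Constructed log format: "<timestamp> <PERMIT|DENY> <in|out> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>PERMIT|DENY) (?P<dir>in|out) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


class DenyMonitor:
    def __init__(self, threshold: int = 5, window: timedelta = timedelta(seconds=10)):
        self.threshold = threshold
        self.window = window
        self.recent: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.alerted = set()  # sources already reported, so each is alerted once

    def feed(self, line: str) -> Optional[str]:
        """Consume one log line; return an alert string or None."""
        m = LINE_RE.match(line)
        if not m:
            return None  # unparseable line: skip it rather than stop monitoring
        if m["action"] != "DENY" or m["dir"] != "in":
            return None
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = self.recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.threshold and m["src"] not in self.alerted:
            self.alerted.add(m["src"])
            return f"ALERT {m['src']}: {len(q)} denied inbound packets within {self.window.seconds}s"
        return None


def run(lines: List[str]) -> List[str]:
    """Feed every line to a fresh monitor and collect the alerts it raises."""
    mon = DenyMonitor()
    return [a for a in (mon.feed(line) for line in lines) if a]


# Constructed sample log, not captured from any real device.
SAMPLE_LOG = [
    "2000-05-20 10:00:00 PERMIT out tcp 192.168.1.10:51000 -> 198.51.100.20:80",
    "2000-05-20 10:00:01 DENY in tcp 198.51.100.7:4000 -> 192.168.1.10:21",
    "2000-05-20 10:00:02 DENY in tcp 198.51.100.7:4001 -> 192.168.1.10:23",
    "2000-05-20 10:00:03 DENY in tcp 198.51.100.7:4002 -> 192.168.1.10:25",
    "2000-05-20 10:00:04 DENY in tcp 198.51.100.7:4003 -> 192.168.1.10:80",
    "2000-05-20 10:00:05 DENY in tcp 198.51.100.7:4004 -> 192.168.1.10:139",
    "2000-05-20 10:00:06 DENY in tcp 198.51.100.7:4005 -> 192.168.1.10:445",
    "2000-05-20 10:00:30 DENY in udp 203.0.113.77:9999 -> 192.168.1.10:137",
    "this line is deliberately malformed",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

A single denied packet is ordinary background noise on an always-on connection; the point of the window is to distinguish that from one source walking through many ports in a few seconds, which is what a home user would actually want to be paged about.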

All of these capabilities serve to protect the network from a variety of attacks. These include TCP hijacking, IP spoofing, and network sniffing (Greenstein 269). The most common, and simplest, is taking advantage of weak or default passwords (Parnell 140). A second and popular kind of attack today is the Denial of Service attack. These attacks simply overload the servers with requests until the servers crash. Attacks such as SYN flooding take advantage of a weakness in the TCP three-way handshake, rendering servers inoperable. Other similar attacks include DNS attacks and the Solaris “suicide ping.” Even more complex attacks involve exploiting network operating system holes (Parnell 141).

Most of these attacks are limited to large corporate LANs. However, as the line blurs between home networks with high-speed access and corporate LANs, the threat of attacks is increasing for home users. Since Cable and DSL users are part of larger LANs, they face threats similar to those faced by large corporate LANs. Currently, the most common attack on home users is the Trojan horse attack.

A Trojan horse attack begins by placing the Trojan horse on a user’s machine. Usually, these programs are downloaded unknowingly as disguised programs through newsgroup postings and email attachments, or by hackers exploiting Microsoft’s File and Printer sharing. Once the file is on the user’s computer, a hacker can attempt to perform malicious acts. A typical and frequently used attack is the Sub-Seven attack. It is a remote access Trojan that contains many so-called “tricks” that allow hackers to post messages and sniff passwords from a user’s computer. Sub-Seven attacks can use AOL Instant Messenger, ICQ, and Yahoo Instant Messenger to perform these acts. Hackers can also speak through the user’s soundcard and speaker and view the content of the victim’s screen using Sub-Seven attacks (Graham).

Realizing the increasing need for security on home computers, several larger vendors who produce enterprise networking solutions have begun to produce similar solutions for home use. These options include both software and hardware based firewalls.

Several software firewalls have been developed for home use. Symantec’s Norton Internet Security 2000 and Network ICE’s Black ICE Defender are two such products. Both feature a rule-based firewall that runs in the background protecting the user’s PC while connected to the Internet. Both protect against hackers, unauthorized intrusions, and attempts at discovering personal information such as passwords, financial information, and other sensitive data (Symantec, Network ICE). This type of protection is becoming increasingly important, as indicated by Intel’s investment in Network ICE. Intel has also begun to bundle Black Ice Defender with its DSL modems (Intel).

For those home users who prefer hardware based solutions, several network hardware providers have begun to build firewall technology into their hubs and switches. These vendors are targeting home users wishing to connect several PCs and create a network, as well as those who wish to employ firewall protection. The vendors currently offering Cable/DSL firewall devices include Linksys, Netopia, Macsense, NetGear, Cayman, WebRamp, and UMAX. Each of the offerings from these vendors features similar functionality, but the Linksys is set apart due to its switching capability (Linksys). This market is just beginning to develop, but there are already several available products boasting impressive home networking features as well as incorporating firewall protection. Some of the features included in these products are the ability to create a home network using a Cable/DSL link, virtual private networking capabilities, DHCP serving, IP filters, and real-time monitoring.

With the birth of high-speed Internet connections for the home, the world of personal computing is becoming less personal and more connected. With malicious intent, the personal aspect of computing is compromised, resulting in security breaches. Several options are available to home users who wish to enjoy the benefits of high-speed and still keep their information safe.



Works Cited

Graham, Robert. “FAQ: Firewall Forensics.” RobertGraham. 2000.

Greenstein, Marilyn; Feinman, Todd. Electronic Commerce. Massachusetts: Irwin McGraw-Hill, 2000.

Parnell, Tere; Null, Christopher. Network Administrator’s Reference. California: Osborne, 1999.

Siyan, Karanjit. Internet Firewalls and Network Security. Indiana: New Riders Publishing, 1995.

“BlackICE Defender.” Network ICE. 2000. http://www.networkice.com/Products/BlackICE/blackice%20defender.htm

“Cable/DSL Router Peer Matrix.” Linksys. 2000. http://www.linksys.com/pdf/befsr41cm.pdf

“Intel To Become First Company To Offer Advanced Internet Security Software From Network ICE With Its High Speed DSL Modem.” Intel. 2000. http://www.intel.com/pressroom/archive/releases/cn033000.htm

“Norton Internet Security 2000 Features: Comprehensive Security Suite.” Symantec. 2000. http://www.symantec.com/sabu/nis/featuresA.html




Friday, May 19, 2000

On Quantum Computing

As computer manufacturers move closer to the physical manufacturing limits imposed by nature, some new form of computing will need to be devised in order to continue the explosive growth that the computer industry is experiencing today. Indeed, if a new form is not devised, the current computing age will come to an abrupt halt. While a few unimplemented possibilities exist that will stretch today’s technology into the next century, scientists and computer engineers alike have feverishly begun to examine alternative methods to today’s silicon-based computer systems. Currently, the leading alternative candidate, a conjugate of the two realms of quantum physics and computability, is what has been termed quantum computing.

To understand the need for alternative methods such as quantum computing, one must examine the modern history and development of computers. In the early portion of the 1900’s, when computing technology made the transition from mechanical gears to electromechanical units based on telephone relay systems, the major driving force behind technological advance was the United States government. This was primarily for code-breaking purposes (Clearwater 5-6).

As time passed, further advances were made, resulting in computers that were constructed with vacuum tubes. All of the advances resulted in faster computers, but the capabilities remained basically the same (Brooks 17). In fact, even today’s supercomputers are based on essentially the same design concepts as the earliest computers of the 1900’s, differing only in speed and memory (Brooks 15).

Noticing an emerging pattern with the increases in speed and memory, Gordon Moore, co-founder of Intel, proposed what has become “Moore’s Law” in the early 1970’s (Clearwater 7). Stating that the memory capacity of a chip doubles every eighteen months, Moore’s Law continues to hold today. During the almost thirty years since it was proclaimed, the number of transistors located on a computer chip has increased by a factor of one million, and at the same time, both the price and power consumption have been reduced by a factor of one-hundred-thousand (Milburn 158). However, the long-term viability of Moore’s Law has come into question recently. In October 1999, Paul Packan, a researcher at Intel’s labs, raised concerns that Intel may have reached the limit of its ability to miniaturize the microprocessor. Limited by nature’s ultimate speed limit, the speed of light, engineers have compensated by squeezing more components together, shortening the distance the signals travel (Clearwater 7). This technique, however, has been stretched as far as it can, as Packan states that “There are currently no known solutions” to the problems they are facing (Yahoo News). Less than a month later, researchers Jack Hergenrother and Don Monroe at Lucent Technologies Bell Labs experienced a breakthrough. Claiming to be able to construct chips vertically rather than horizontally, they believe that many more transistors can be crammed onto a chip using this method. They also devised a method allowing for the potential doubling of processing power, by using two logic gates per transistor instead of one. Hergenrother and Monroe believe that this may be the breakthrough that would allow manufacturers to cross the “point one barrier” (Wired News).

The “point-one barrier” is the point where engineers believe a shift must take place in the way computers are designed. This is the point where we reach the limits of today’s photographic etching process. At 0.1 microns in length, circuit patterns begin to blur, and the light used to etch the chips gets absorbed before it reaches the surface (Milburn 159). Also, it is at this point that the rules of the physical world cease to apply, as only a few atoms are needed to construct the memory registers. At such small sizes, the rules of quantum mechanics take over. The Lucent breakthrough, however, looks to extend current methods into the next decade, but it is believed that by 2020, the laws of quantum physics will have to be adopted as the method of reading and writing bits (Clearwater 7-8).

Quantum physics arose at the turn of the 20th century as a result of the failure of classical physics to explain and predict the outcomes of experiments on both light and particles (Clearwater 49). The beginnings of quantum theory date to 1900, when Max Planck recognized the quantum nature of radiation, and to 1926, when Erwin Schrödinger provided a mathematical model of quantum mechanics (Brooks 5).

Using the principles established by Planck and Schrödinger, scientists started to examine the relationship of physics to computability in the mid 1970’s (Clearwater 45). In their book Explorations in Quantum Computing, Williams and Clearwater describe this relationship, stating
There are a number of properties that quantum systems possess that lend themselves to computational applications. For example, at the quantum level, the values of certain observable quantities are restricted to a finite set of possibilities. The significance of this is that, in any computer, each bit must be stored in the state of some physical system. In a quantum computer, each bit could be represented by the state of a simple 2-state quantum system such as the spin state of spin-1/2 particle. As the spin of a particle is quantized, we can use one spin state to represent the binary value 0, and the other state to represent the binary value 1. Any 2-state quantum system, such as the direction of the polarization of a photon, or the discrete energy levels in an excited atom would work equally well. Once you have a way of encoding the binary values 0 and 1 in the states of a physical system, you can envisage making a complete memory register out of a chain of such systems (50).

Essentially, the way information exists in computers today is easily translatable to storage in a quantum computer. Whether a computer uses today’s on and off switch mechanism or the quantum spin states, the fact remains that all that is needed is a method of distinguishing the values of one and zero.

With the passage of time, a greater understanding of quantum physics developed, and the Nobel Prize-winning physicist Richard Feynman suggested the possibility of developing a computer based on quantum principles in 1982 (PC MAG). Envisioning a system that exploited these principles, Feynman saw a system that promised to offer much more than another incremental increase in processing power (Brooks 17). In fact, the newest theories involving quantum computing predict a time where quantum computers perform calculations exponentially faster than conventional computers. They also offer the promise of teleporting information, cracking unbreakable security codes, generating true random numbers, and communicating in a way that alerts authorized users to the presence of unauthorized trespassers (Clearwater 1).

These promising advantages of quantum computing are based on the notion that quantum methods of processing information are a radical departure from traditional classical methods. As a result of a quantum phenomenon, termed superposition, information can exist in undefined states and still maintain usability. In a quantum superposition, a bit of information can be both the values of zero and one simultaneously (Brooks 10). Consequently, quantum computing promises to offer entirely novel ways of computation with qualitatively new algorithms defined using the principles of quantum physics. At the same time, improvements in the speed, security, and quality of transferred information are possible (Brooks 4).

In theory, it is possible to construct a complete quantum computer. In November 1999, it was announced that scientists at MIT and the Los Alamos National Labs had developed the first quantum computer. While only capable of counting to four, this is held to be a significant advance. Such advances have led research team member David Cory to suggest a quantum equivalent to Moore’s Law. He states that “in the last two years we’ve gone from two qubits to six qubits. This is a sixteenfold increase in power. We may have ten qubits in 2001, another sixteenfold increase” (Groz 43).

Such power increases are not the only advantage of quantum computing. Quantum computers also offer an advantage in terms of energy efficiency. Theoretically, quantum computers are examples of reversible computers. Essentially, this feature of reversibility allows for the phenomenon of no net energy consumption. This is achieved because quantum computers have the ability to redeem expended input energy at the end of a computation (Clearwater 12).

Another advantage offered by quantum computers is the ability to perform the same calculations as a classical computer, but in less logical operations. The feature responsible for achieving this is the ability of a quantum computer to evaluate all possible inputs of an equation simultaneously (Clearwater 12).

However, even though complete marketable quantum computers are theoretically a possibility, there are problems that must be addressed in order for them to fulfill their promises and achieve their full potential (Clearwater 10). The largest of these problems is that at a quantum level, computers will be vulnerable to stray interactions with the environment in which they are placed (Clearwater 10). Compounding this issue is the fact that the environment may be affected by the quantum superpositions that exist within a quantum computer. There is a possibility that the quantum information will diffuse outside of the computer, spoiling storage and computation at the same time. It will become necessary to initiate some methods of stabilization to combat the effects of this process, decoherence (Brooks 23).

Currently, there are two proposed methods for combating the effects of decoherence. The first, proposed by David Deutsch in 1993, involves redundancy of data. Having multiple complete copies will reduce the chances of data loss, as data can be rebuilt from the backup copies (Brooks 23). The other method, independently proposed by both Peter Shor and Andrew Steane in 1995, finds its roots in today’s error-correcting code random access memory (ECC RAM). Shor and Steane’s ECC method of quantum computing involves a similar usage of error correction codes, whereby a single qubit is encoded by a string of qubits. Much like ECC RAM, if an error occurs, the original information can be rebuilt from the data stored within the string that encodes the single qubit (Brooks 24).
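The following is an added illustration, not part of the essay or of Shor’s or Steane’s papers: a classical simulation of the three-qubit bit-flip code, the simplest member of the error-correction family described above. One logical bit is spread over three physical bits, and two parity checks (the syndrome) locate a single flipped bit without ever reading the encoded value, which is exactly what separates this from the redundancy approach of keeping backup copies and comparing them. Superposition is not modelled; the code here acts on basis states only, so it shows the bookkeeping of syndrome-based recovery rather than behaving as a quantum simulator.

```python
"""Added example (not from the essay): classical simulation of the
three-qubit bit-flip code. Acts on basis states only; superposition is
deliberately not modelled."""
from typing import List, Optional, Tuple


def encode(bit: int) -> List[int]:
    """Logical 0 -> 000, logical 1 -> 111 (the 'string of qubits')."""
    if bit not in (0, 1):
        raise ValueError("logical value must be 0 or 1")
    return [bit, bit, bit]


def flip(block: List[int], position: int) -> List[int]:
    """Model a single bit-flip error on one physical bit (an environment interaction)."""
    out = list(block)
    out[position] ^= 1
    return out


def syndrome(block: List[int]) -> Tuple[int, int]:
    """Parity checks between neighbouring bits. Each check reveals only whether
    two bits agree, never what the logical value is."""
    return (block[0] ^ block[1], block[1] ^ block[2])


# Which physical bit a syndrome points at; (0, 0) means no error was detected.
SYNDROME_TABLE = {(0, 0): None, (1, 0): 0, (1, 1): 1, (0, 1): 2}


def correct(block: List[int]) -> List[int]:
    """Undo the single error the syndrome identifies, if any."""
    position: Optional[int] = SYNDROME_TABLE[syndrome(block)]
    return block if position is None else flip(block, position)


def decode(block: List[int]) -> int:
    """Majority vote recovers the logical bit from a (corrected) block."""
    return 1 if sum(block) >= 2 else 0


def roundtrip(bit: int, error_at: int) -> Tuple[Tuple[int, int], int]:
    """Encode, inject one bit-flip, correct, decode.
    Returns the syndrome observed and the recovered logical bit."""
    damaged = flip(encode(bit), error_at)
    return syndrome(damaged), decode(correct(damaged))


if __name__ == "__main__":
    for logical in (0, 1):
        for pos in range(3):
            print(f"logical {logical}, error on bit {pos}: syndrome/recovered = {roundtrip(logical, pos)}")
```

Note that the same error position produces the same syndrome whether the logical value was 0 or 1, which is the property that lets the correction proceed without a measurement that would disturb the stored information. The code corrects exactly one flip per block; two flips in the same block are mis-identified as a single flip of the third bit and the logical value is lost, which is why longer codes are used in practice.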

With an understanding of how to maintain data integrity, the first generation of quantum information technology is beginning to take shape. In fact, quantum-engineering solutions have been devised in the field of optical telecommunications (Brooks 33). In this field, classical bits of data (zero and one) are transmitted, amplified, and distributed using quantum mechanics. This hybrid is the first step toward the level of quantum computing that will arise in the second generation. In the second generation, quantum physics will be extended to the bits of information, resulting in information called qubits. Applications using these qubits will adhere to the principles of quantum superposition, and will be the realization of true quantum computing (Brooks 33).

Quantum computing applications are already beginning to develop. Searching for at least one feasible application where an infant quantum computer could outperform a classical computer, Peter Shor discovered that a quantum computer could factor large integers highly efficiently. As David Deutsch discovered in his research, this is due to the ability of a quantum computer to examine all of the prime numbers at one time. The ability to factor large integers by a quantum computer is the key to breaking security methods such as the RSA-cryptosystem (Clearwater 113). Such an encryption scheme relies on the difficulty of factoring to create its security strength, as it is extremely difficult to factor a number such as 239812014798221 with today’s computers. However, with a quantum computer, this number can be factored with relative ease into its factors X and Y, simply by examining all prime numbers at once.
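To make concrete why factoring is “the key to breaking” RSA, the following added example (not from the essay, and using a textbook-sized key that is nothing like a real one) builds an RSA key pair from two small primes, encrypts a message, and then recovers the private key from the public one by factoring the modulus with classical trial division. The primes 61 and 53 and the public exponent 17 are constructed illustration values; at real key sizes the factoring step is what no classical computer can complete, and what Shor’s algorithm would make feasible.

```python
"""Added example (not from the essay): toy RSA with tiny constructed primes,
showing that whoever can factor the modulus n can recompute the private key.
Trial division stands in for a factoring method; it only works because the
numbers here are tiny."""
from math import gcd, isqrt
from typing import Tuple


def keygen(p: int, q: int, e: int = 17) -> Tuple[Tuple[int, int], int]:
    """Return ((n, e), d) for primes p and q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)           # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)               # private exponent: e * d == 1 (mod phi)
    return (n, e), d


def encrypt(pub: Tuple[int, int], m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def decrypt(n: int, d: int, c: int) -> int:
    return pow(c, d, n)


def factor_by_trial_division(n: int) -> Tuple[int, int]:
    """Classical, exhaustive factoring; feasible only for tiny n."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError(f"{n} has no non-trivial factors")


def recover_private_key(pub: Tuple[int, int]) -> int:
    """Everything the public key leaves secret is the factorisation of n:
    once p and q are known, d follows by the same arithmetic keygen used."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, d = keygen(61, 53)            # constructed toy primes
    c = encrypt(pub, 65)
    print("public key", pub, "private exponent", d)
    print("ciphertext", c, "decrypts to", decrypt(pub[0], d, c))
    print("attacker recovers d =", recover_private_key(pub))
```

The security argument of RSA is entirely in `factor_by_trial_division` being replaced by an intractable problem at real sizes; nothing else in the key recovery is hard, which is why an efficient factoring method changes the picture so completely.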

The ability to factor these prime numbers, or keys, could have a profound impact on secure transactions, effectively crippling today’s method of security. However, the laws of quantum mechanics seem to naturally provide a way to allow for the power of factorization and at the same time implement methods of security. In a world of quantum computers, the RSA-cryptosystem will no longer be needed. Quantum computers adhere to the Heisenberg Uncertainty Principle, which states that whenever and however a quantity is measured, “noise is added” to the measured quantity. This effectively alters the value of the measurement (Brooks 43). In the realm of quantum computing, this means that if an unauthorized eavesdropper taps into the quantum system to collect data, noise will be added to the data. This, in turn, can be easily detected by the authorized users, neutralizing the power of hacking techniques (Brooks 44). In other words, it is impossible to measure quantum systems without disturbing the data (Brooks 140). This ability is the result of a combination of the qubits’ natural superpositional state and the state of entanglement, where two or more quantum systems lose individuality by linking together to form one entity. Thus, disturbing the system is detectable throughout the entire system (Brooks 141).
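The eavesdropper-detection property described above can be shown with a small simulation. This is an added example, not part of the essay or of Brooks’s text, and it uses the simplest model that exhibits the effect: each bit is encoded in one of two polarization bases of a photon (a two-state system of the kind the Williams and Clearwater quotation mentions); measuring in the preparation basis returns the encoded bit, while measuring in the other basis returns a random bit and leaves the photon in the new state. The sender and receiver then publicly compare bases, keep only the positions where they agreed, and check a sample of those for disagreement. An eavesdropper who measures and re-sends every photon is forced to guess the basis and so introduces errors the legitimate parties can see. The seed, bit counts and intercept-every-photon behaviour are constructed assumptions.

```python
"""Added example (not from the essay): simulation of measurement disturbance
revealing an eavesdropper on a stream of polarization-encoded photons.
All randomness is seeded so the run is reproducible."""
import random
from typing import Tuple


class Photon:
    """Two-state system prepared in basis 0 (rectilinear) or 1 (diagonal)."""

    def __init__(self, basis: int, bit: int):
        self.basis = basis
        self.bit = bit

    def measure(self, basis: int, rng: random.Random) -> int:
        """Measuring in the preparation basis returns the encoded bit.
        Measuring in the other basis gives a random outcome and collapses the
        photon into that basis: the 'noise' the measurement adds."""
        if basis != self.basis:
            self.bit = rng.randrange(2)
            self.basis = basis
        return self.bit


def exchange(n: int, eavesdrop: bool, seed: int) -> Tuple[int, int]:
    """Send n photons; return (number of sifted positions, errors among them)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    photons = [Photon(b, x) for b, x in zip(alice_bases, alice_bits)]

    if eavesdrop:
        # Intercept-and-resend: the eavesdropper must pick a basis without
        # knowing the right one, disturbing roughly half the photons.
        for ph in photons:
            ph.measure(rng.randrange(2), rng)

    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = [ph.measure(b, rng) for ph, b in zip(photons, bob_bases)]

    # Public discussion of bases only (never of bit values): keep the matches.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]
    errors = sum(1 for a, b in sifted if a != b)
    return len(sifted), errors


def error_rate(n: int, eavesdrop: bool, seed: int = 1) -> float:
    """Fraction of sifted bits on which sender and receiver disagree."""
    kept, errors = exchange(n, eavesdrop, seed)
    return errors / kept if kept else 0.0


if __name__ == "__main__":
    for tapped in (False, True):
        print(f"eavesdropper present: {tapped}, error rate: {error_rate(2000, tapped):.3f}")
```

Without an eavesdropper the sifted bits agree exactly; with one, about a quarter of them disagree (the eavesdropper guesses the wrong basis half the time, and a wrong-basis re-send gives the receiver a random bit half of those times). A legitimate pair who sacrifice a sample of their sifted bits to compare in public can therefore tell that the channel was observed, which is the detection property the paragraph above describes.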

With the capability of high-power number manipulation and its built-in security measures, quantum computing has the potential of becoming the successor of the immensely successful silicon microprocessor. If quantum computing is the heir apparent, many changes will take place in all facets of life. In terms of information technology, a new paradigm would be created in the ways information is processed. One can imagine a world where bank transactions are ultrasecure due to the natural security features of quantum entanglements and where computing speed will increase exponentially due to the ability to examine all inputs at one time, processing them in one operation. Instant access to information will also become a reality.

Such changes will also have a profound economic impact. For example, the advance could spark economic development across all types of industries. The power, speed, and security offered by quantum computers could be applied to many fields, from those who manufacture the technology to those who purchase it. However, many industries will need to make a huge shift in order to stay competitive. No longer will the status quo apply, because of the differences between the physical world and the quantum world. If the companies fall behind, the industries could experience an economic collapse due to the change to quantum computing. To avoid this, the entire industries may need to collaborate in creating the shift.

Education will have to shift as well. Institutions of learning will need to incorporate both quantum physics and quantum computing into the computer science curriculum. Fortunately, this has already begun to happen, as the University of Oxford, Caltech, and several other large universities have started teaching the theories behind quantum computing.

The advance toward quantum computing does pose a problem, however, for millions of computer scientists trained in what will be considered the “old way.” Years of education will abruptly no longer apply, as the shift to quantum computing is such a radical one. Many computer scientists may find themselves without a job until they complete their “re-education.”

A social division could also result from the change to quantum computing. Much like the division some believe to be taking place today with access to the Internet, a division could form between those who compute with quantum computers and those who do not. However, if the current trends in the computer industry can be used as a precedent, then perhaps a social division is not a tremendous problem as some might suggest. Initially, a division may take place, but the gap created would eventually shrink as time passes and prices fall.

The future looks bright, as quantum computing seems to offer an alternative way of computing. While not without its problems, quantum computers have the potential of changing the way information is processed. Indeed, such a development in the world of computers is needed, and with time, could solve the limitations being experienced today.






copyright 2003-2007, VOTW, all rights reserved.