Firewalls Up Mr. Scott!

James Doohan, aka Chief Engineer Montgomery Scott, got his star on the Hollywood walk recently, in case you missed it. I haven’t watched Star Trek in some time, but if I tuned in to StarGenX or whatever the most recent version is, I would expect the latest Captain Whatshisname to be saying things like “Firewalls Up, Mr. Scott”.
Microsoft’s Number 1 of three steps to protecting your PC is Use an Internet Firewall. I don’t always agree with Microsoft, but these days you really should have some kind of firewall between you and the Internet.
Firewalls come in hardware and software varieties. I tend to favor a hardware firewall for several reasons, although host-based software firewalls have their advantages too.
A hardware firewall router for broadband will generally also provide several switch ports, so you can network several computers with the same piece of equipment. It’s been my experience that once these are set up correctly there’s less chance the average end user will try to reconfigure them, and correspondingly less risk of leaving holes open.
Personal, or software-based, firewalls are nice because they are so easy to update. If an exploit is released, users these days seem to feel comfortable downloading applications and following instructions, so a software-based firewall may be easier to maintain.
Ideally, end users would understand the intricacies of packet filtering and IP routing, and they could maintain a mixed environment of hardware AND software-based firewalls for the extra protection this kind of layered approach offers. However, in my experience, a single firewall at the perimeter of these stub networks is likely to be the most uniform and fairly foolproof way to offer an acceptable trade-off between usability and security.
I’ve just seen too many turned-off host-based firewalls to really trust my clients’ network security to them. I’ve also seen installations of host-based firewall software that were so restrictive that they couldn’t update themselves, and that left VPN connections dead as a doornail.
If you have an office LAN you should talk to your consultant or integrator. They will be able to tell you what kind of firewall you have now, and if it has been reviewed and updated recently. (If you have a consultant or an integrator, and you don’t have any firewall protecting your LAN from the Internet, you may have a larger problem.)
SOHO hardware firewalls start at around $50, and they’re pretty small so you can even take them with you on the road. If you can get someone to configure it for you once, chances are good you’ll never have to mess with it again.
In the end, whatever firewall users will actually put up and maintain between themselves and the Internet is the firewall that’s best.
A couple of postscript notes here:
1) Microsoft’s three steps leave out a very important one, too: use strong passwords.
2) Remember that wireless thingies can be hacked from a distance of 2000 feet; perimeter firewalls don’t even begin to address that hole. (Why would someone break into your firewall, if they can just hack away at your wireless LAN on the other side until they get in?)
3) Firewalls actually come in more than two flavors; there are also three technical categories: packet filtering, proxy-based, and stateful packet inspection.
