You need a firewall. Yes, even you with only one computer at home. Yes, even you that works from a laptop at a coffee shop (especially you).
You don’t necessarily need a hardware firewall, which is what most people think of when I say “firewall”. A software firewall is sufficient, and sometimes the best option.
There are several types of firewalls; the two I’m going to break down here are hardware and software. You *always* want a firewall that claims SPI (Stateful Packet Inspection), or you’re going to have a lovely time figuring out which ports to open and close. Luckily, all the newer ones I know of are stateful.
Firewalls block network connections from attackers, so they’re stopped “at the door”, so to speak. There are ways around firewalls, but a firewall will protect you from many of the random attacks that are continuously going on across the Internet. They are one of the most basic, most widely available, and easiest-to-implement security protections you can have.
If you have more than one computer at home, a hardware firewall is ideal. One point protects most of your systems. If you have cable or FIOS high speed Internet access, you probably already have one (and it’s likely enabled) as part of your cable modem or FIOS router. If you have a wireless router, there’s a good chance that you’ve got a hardware firewall. If you don’t have one, or aren’t sure, the Cisco/Linksys WRT54G* series of home routers is pretty decent, and the ones I’ve had in the past have been solid – that doesn’t mean the current crop is as good; each manufacturer has had their issues. Other brands to check out are D-Link and Netgear. I’m not a big fan of D-Link, and that model might have a backdoor in it (not confirmed), but it’s cheap. Pretty much any “router” you buy should claim that it has an “SPI” firewall, and you’re good to go; pick whichever manufacturer and “other” features you like.
These “home” firewalls are not as powerful or configurable as an enterprise/business firewall, but they’re “good enough” for home users. One of the biggest differences between a home firewall and an enterprise firewall is the lack of an Intrusion Detection System (IDS). This isn’t a huge deal for home users, but if you want an IDS on your firewall, most providers sell small business firewalls that have that capability (although none of them have good ratings on Amazon). You can also put your own IDS on your network. Snort is (was?) the best free one, but the company supporting it was just acquired by Cisco, and no one knows how well that will go over yet.
Hardware firewalls build a virtual “wall” around your network to help prevent attacks. Given the number of casual attacks that go across networks every day, a hardware firewall can also lighten the CPU/memory load on the systems inside that wall.
Even if you have a hardware firewall, you want to have a software firewall enabled for all of your “portable” devices – laptops that will leave your network, etc.
Windows and Macs have come with built-in software firewalls for several years. This must be enabled on a laptop or machine that travels outside of your network. It’s an added bonus to desktop systems, but not required. The Windows firewall can be enabled by going to Control Panel then Security. The “Windows Firewall” should be turned on. On a Mac, go to System Preferences, Security & Privacy, and under Firewall, it should be turned on.
Almost all anti-virus software also offers a “personal firewall” as well, so you can opt for one of those. They tend to work on the ports and protocols method, and some people prefer that.
Software firewalls only protect the one computer they are enabled on, and by default there are actually *many* holes in software firewalls to support operating system services (network drive sharing, etc.). It’s a balance between usability and security, and the vendors tend towards usability in home systems.
Where hardware firewalls almost always work on the concepts of “ports and protocols”, software firewalls generally work at the application level – allowing specific processes or applications access, and blocking others.
Log into your firewall/router via the web page and pay attention to what your firewall settings say – print the screen, write them down, etc. Become familiar with them, find a manual for your router/firewall and twiddle with settings (and know how to hard reset the device!).
Most home users are going to want to completely block all incoming traffic at a hardware firewall and some software firewalls. But won’t it keep things from working? It shouldn’t. This is where the Stateful Packet Inspection part comes in. Something inside the wall initiates a connection to the outside. The firewall allows back in all related traffic – responses from web pages, game servers, Netflix, etc.
There are some things that home users use which may require ports/protocols to be open from the outside. All home routers will have NAT (Network Address Translation) enabled – it’s sort of a firewall by itself, but not sufficient. You’ll find some settings related to port forwarding if you need to open up any ports/protocols in your firewall. Common situations that may require you to have ports open: VoIP service (although most have fixed this routing issue), remote control software (like Hamachi), and provider management control – your cable company or phone company may have remote control access to phones/routers/etc. Personally, I close off access to anyone but me, but you’re taking the chance that your cable/phone company may not be able to help you remotely if you have problems. Generally, I suggest closing everything off, then testing various items – call your VoIP number from your cell – does the call go through? If not, you may need to open specific ports.
If you’re comfortable with networking concepts, I suggest blocking outgoing ports you know aren’t used as well. This helps prevent attackers from using your network to attack others, and helps prevent what I call “callback” attacks, where the attacker has the target send traffic back to them over an open outgoing port. This steps over the security vs. usability line, so take this advice with caution.
With a software firewall, I also suggest blocking all incoming traffic, but with Windows, there are a lot of applications that can access the machine by default. Microsoft has a decent write-up of the settings options for Windows, and Apple has a corresponding document for Macs. Yes, it applies to Lion, Mountain Lion and Mavericks. One setting I would caution you *not* to apply on the Mac firewall is logging – it will completely bog down your system, and if you’re not looking at the logs, why turn them on?
How Firewalls Work (optional reading)
Firewalls work on the concepts of ports and protocols; the newer software ones work based on applications. A network connection is defined by two endpoints; each endpoint has an IP address and a port, and the connection itself has a protocol. That’s 5 pieces of information you can use to restrict access to your network. Generally, home users do not worry about IP addresses, but they do worry about ports and the protocol. The protocol is usually either TCP or UDP, although others exist, and a port is a number from 1 to 65535, although there are “well-known” ports that various services use. Don’t bother remembering them unless you’re interested; you can always look them up 🙂 Most firewalls do this by creating “rules” that specify at least one of the 5 pieces of information, with the assumption that the unspecified pieces mean “all”.
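To make the 5-tuple rules described here, and the Stateful Packet Inspection behaviour described earlier (block everything unsolicited from outside, let replies to connections the inside started back in), concrete, here is a small simulation. It is an added example written for this post, not code from the post or from any router vendor. The IP addresses are constructed test addresses, the VoIP port-forward rule and the outgoing port 25 block are hypothetical rules chosen to mirror the post’s advice, and `None` in a rule stands for the “undefined pieces mean all” convention.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


# A connection is identified by the 5-tuple from the post: protocol, source IP,
# source port, destination IP, destination port. "inbound" records which side of
# the wall the packet came from, since home rules differ by direction.
@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True if the packet arrives from the Internet side


@dataclass(frozen=True)
class Rule:
    """A rule names some of the pieces; None means 'all' (the undefined pieces)."""
    action: str                      # "allow" or "deny"
    inbound: Optional[bool] = None
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        for name in ("inbound", "proto", "src_ip", "src_port", "dst_ip", "dst_port"):
            wanted = getattr(self, name)
            if wanted is not None and wanted != getattr(p, name):
                return False
        return True


Conn = Tuple[str, str, int, str, int]  # proto, src_ip, src_port, dst_ip, dst_port


class StatefulFirewall:
    """First-match rule list plus a table of connections the inside opened."""

    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = list(rules)
        self.default = default
        self.table: Set[Conn] = set()

    def decide(self, p: Packet) -> str:
        # 1. Stateful part: an inbound packet that is the exact reverse of a
        #    connection something inside initiated is a reply, and is let back in.
        if p.inbound:
            reverse: Conn = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
            if reverse in self.table:
                return "allow"
        # 2. Otherwise the first rule whose specified pieces all match decides.
        action = self.default
        for rule in self.rules:
            if rule.matches(p):
                action = rule.action
                break
        # 3. Remember outbound connections we allowed so their replies pass step 1.
        if action == "allow" and not p.inbound:
            self.table.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return action


def build_home_firewall() -> StatefulFirewall:
    """Constructed home rule set: block all unsolicited inbound, allow outbound
    except one egress port, plus one hypothetical port-forward for a VoIP box."""
    return StatefulFirewall([
        Rule("deny", inbound=False, proto="tcp", dst_port=25),   # egress block (hypothetical)
        Rule("allow", inbound=False),                             # everything else out
        Rule("allow", inbound=True, proto="udp", dst_ip="192.168.1.20", dst_port=5060),
    ], default="deny")


def run_demo() -> List[Tuple[str, str]]:
    """Feed constructed packets (RFC 5737 test addresses) through the firewall."""
    fw = build_home_firewall()
    cases = [
        ("outbound https", Packet("tcp", "192.168.1.10", 52000, "198.51.100.7", 443, False)),
        ("reply to it", Packet("tcp", "198.51.100.7", 443, "192.168.1.10", 52000, True)),
        ("unsolicited inbound smb", Packet("tcp", "203.0.113.5", 4444, "192.168.1.10", 445, True)),
        ("fake reply, wrong port", Packet("tcp", "198.51.100.7", 443, "192.168.1.10", 52001, True)),
        ("voip port-forward", Packet("udp", "203.0.113.9", 5060, "192.168.1.20", 5060, True)),
        ("outbound smtp blocked", Packet("tcp", "192.168.1.10", 52002, "203.0.113.25", 25, False)),
    ]
    return [(label, fw.decide(pkt)) for label, pkt in cases]


if __name__ == "__main__":
    for label, verdict in run_demo():
        print(f"{label:24s} -> {verdict}")
```

The “fake reply” case is the one worth staring at: a packet from a web server’s port 443 is only let in when it is the mirror image of a connection the inside actually opened, which is why a stateful default-deny rule set does not need any inbound “allow” rules for ordinary browsing, Netflix or game traffic.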
Most (newer) software firewalls work on the concept of applications. An application asks the firewall for permission to listen from the outside, and the user says “yes” this application can or “no” it can’t. If the user says “yes”, the firewall allows any network connection to or from that application that the application requests – no matter what the port or protocol is. This is more user-friendly, but can open a lot of holes that the user is unaware of – but you can bet attackers are.
Disclaimer: any links to products are affiliate links through Amazon.