Firewalls - Hardware, Software, the pros and cons, security flaws and issues

Introspective look into firewall technology and security issues

This episode covers firewalls: hardware versus software, combined use, security flaws and issues, and tactics for staying safe.

Episode #1-01 released on September 19, 2010

This is Technology Questions Answered, Produced by Zed Axis Productions, Hosted by Steve Smith. Recorded: September 19th, 2010 and available on iTunes and our web-site at http://www.zedaxis.net/.

We record using Audacity, the open-source, free, cross-platform sound recorder and editor. Head over to audacity.sourceforge.net and support Audacity by donating or buying exclusive merchandise, or head over to our site and view the links in the show notes of this episode.

First of all, some introductions: I am Steve Smith, Digital Technologies Consultant, head and founder of Zed Axis Productions, which was founded in 2001.

This week's topic is firewalls: hardware solutions, software solutions, the pros and cons of this technology, why we need it, how it can be rendered useless, and what to do as a result.

Let's start with the positives of hardware-based firewalls. The most notable positive of any hardware firewall solution, be it dedicated firewall hardware or an internet router, is the very fact that it is virtually impossible to bypass without a direct connection to the router or firewall. Most routers and firewalls require that a LAN cable be connected directly to reach the administration interface that controls all of the firewall's behaviour. You have to know the user name and password and the IP address of the gateway, and you can rarely connect from outside the network because of the very nature of these devices. Hardware is in this way always the better choice, as you are not required to install software on each computer on the network: the device blocks all incoming traffic that was not requested by a computer inside the network.

That is also the very reason it fails to live up to its whole potential. Hardware-based firewalls are unable to determine whether a computer is infected by Trojans, viruses or rootkits, so that malicious software can connect out to the internet and let the bad guys into your PC, bypassing the hardware solutions put in place to prevent unauthorized intrusions into the network, unless you lock down all the ports with rules that prevent outside connections except at set times, or require passwords or network administrative permissions to access the network. You can't hack the router or firewall, and you don't need to, as long as a user inside the network can be convinced, by one means or another, to download software intended to bring the whole of the security hardware to its knees. Then there is the matter of how many people install routers and firewalls with the default user names and passwords. Viruses, Trojans and malicious software look for these default logins in all hardware technologies, and with so few security choices on the market it is very easy to program for.

Software firewalls are very easy to use, very powerful, adaptable, programmable and also resistant to external connections. Zone Alarm, for example, also includes software to detect malicious software and unauthorized intrusions from both inside the computer and on the network. The user is forced to authorize all communication to the internet for a period of time so the software can learn what normal, acceptable behaviour looks like. Combined with a powerful anti-virus solution this is virtually the better choice. However, as with hardware firewalls and routers, if the user does not know what acceptable behaviour is, the computer can still be compromised with Trojans, viruses and rootkits, rendering all security precautions useless. The silver lining is that, used correctly, professional firewall software like Zone Alarm, protected by its own separate user name and password, can block all outbound traffic that was not already allowed before the computer was infected; this can stonewall all attempts to reach parts of the computer and network that were not previously accessible.

Seeing how easy it is to defeat these firewalls, you'd assume it was not worth the time to get these solutions. Well, all of these security problems are caused by improper internet ethics. You have to be careful where you go online and what you download, be suspicious of all e-mail attachments and links, and assume the worst of everything online unless you get proof that what you are doing on the site is safe. This means learning to verify certificates on websites, and not entering personal information into unencrypted web pages. All encrypted websites using SSL (Secure Sockets Layer) start with HTTPS, not HTTP. All modern browsers also display secure-site indicators inline with the internet address and in the lower status bar of the browser. Even cellphones, hand-held devices, netbooks, etc. on all platforms show these indicators inline with the address or on some sort of status bar. This is standard across all platforms and operating system distributions.

So as long as you watch what you are doing online and do not download illegal and possibly infected material, you will be safer from infections that attempt to access your computer to compromise your identity and personal files.

So which firewall solution is for you? That all depends on what you are doing with your computer and where you use it. If you have a desktop at home, you'll be protected by the Windows, Apple or Linux distribution's firewall. If you're inside a workplace or university, or using a wireless connection, go with both software and hardware. The network address translation (NAT) in routers and hardware firewalls acts as a natural firewall: it allows no direct connections to your computer that your computer did not establish beforehand, which means that if you don't use your browser, no port 80 applications can reach your computer from the outside.

Wondering what a firewall is supposed to do? The same thing as a router with network address translation, except that firewalls universally deny all access to the network without administrative permission; these permissions have to be programmed into the firewall or router beforehand. If your business requires off-site backups that connect into other networks, you'd program this ability in advance, hopefully with independent user names and passwords. Done correctly, all ports that are not supposed to accept connections deny unauthorized access without replying with an error code, otherwise known as a stealth port. There should be no reply from the firewall, so that unauthorized users are unable to connect to your network or detect its existence. This is the same for all hardware and software solutions.
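The behaviour described in the last few paragraphs, NAT letting replies back in only for connections a host inside opened, pre-programmed inbound services, stealth ports that drop instead of answering, and the software-firewall egress list that can stop an infected machine from dialling out, is easier to see as a small model. The following is an added example written for these show notes, not software from the episode or from any vendor mentioned in it: a toy stateful packet filter in Python with constructed addresses (192.168.1.0/24 as the LAN, documentation ranges for the outside) and no real packet handling.

```python
"""Toy stateful packet filter, constructed for this example, that models the
behaviour the episode describes: traffic from inside the network out is
allowed and remembered, replies to those connections are let back in,
everything else inbound is denied, and denied packets can be dropped
silently ("stealth") instead of answered with an error."""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    DROP = "drop"      # silently discarded: the sender learns nothing
    REJECT = "reject"  # discarded, but a TCP RST / ICMP unreachable goes back


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    def __init__(self, inside_net, stealth=True, inbound_allow=(), outbound_allow=None):
        self.inside = ipaddress.ip_network(inside_net)
        self.stealth = stealth
        # Pre-programmed inbound services, e.g. the off-site backup the
        # episode mentions: a set of (proto, dport).
        self.inbound_allow = set(inbound_allow)
        # Optional egress allow-list, as a software firewall such as
        # Zone Alarm builds during its learning period. None = allow all.
        self.outbound_allow = None if outbound_allow is None else set(outbound_allow)
        self.conntrack = set()   # 5-tuples of connections opened from inside
        self.error_replies = []  # what a REJECT would send back

    def _is_inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def _deny(self, pkt):
        if self.stealth:
            return Verdict.DROP
        kind = "tcp-rst" if pkt.proto == "tcp" else "icmp-unreachable"
        self.error_replies.append((pkt.dst, pkt.src, kind))
        return Verdict.REJECT

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: NAT/stateful devices accept this and remember the
            # flow so the reply can come back; an egress list narrows it.
            if self.outbound_allow is not None and (pkt.proto, pkt.dport) not in self.outbound_allow:
                return self._deny(pkt)
            self.conntrack.add(key)
            return Verdict.ACCEPT
        if reverse in self.conntrack:
            return Verdict.ACCEPT       # reply to a flow opened from inside
        if (pkt.proto, pkt.dport) in self.inbound_allow:
            return Verdict.ACCEPT       # explicitly programmed service
        return self._deny(pkt)          # unsolicited inbound: the default


def run_scenarios(stealth=True, outbound_allow=None):
    """Constructed traffic for a 192.168.1.0/24 LAN; returns label -> verdict."""
    fw = StatefulFilter("192.168.1.0/24", stealth=stealth,
                        inbound_allow={("tcp", 22)}, outbound_allow=outbound_allow)
    results = {}
    # 1. Unsolicited inbound to port 80: nobody inside asked, so denied.
    results["unsolicited_http_in"] = fw.filter(Packet("198.51.100.7", 40000, "192.168.1.10", 80))
    # 2. A browser inside opens an HTTPS connection; the reply is accepted.
    results["browser_out"] = fw.filter(Packet("192.168.1.10", 51000, "203.0.113.5", 443))
    results["https_reply_in"] = fw.filter(Packet("203.0.113.5", 443, "192.168.1.10", 51000))
    # 3. Inbound SSH was programmed beforehand (the off-site backup case).
    results["programmed_ssh_in"] = fw.filter(Packet("198.51.100.9", 40001, "192.168.1.20", 22))
    # 4. The weakness the episode describes: malware inside dialling out
    #    looks like any other outbound flow unless egress is restricted.
    results["malware_callout"] = fw.filter(Packet("192.168.1.10", 51001, "198.51.100.200", 6667))
    results["error_replies"] = len(fw.error_replies)
    return results


if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print(f"{label:22} {verdict}")
    print("with egress list:", run_scenarios(outbound_allow={("tcp", 443), ("tcp", 80)})["malware_callout"])
    print("non-stealth:", run_scenarios(stealth=False)["unsolicited_http_in"])
```

Run it as-is to see the default verdicts, then compare the last two lines of output: the egress allow-list turns the malware call-out from ACCEPT into a silent DROP, and switching stealth off turns the unsolicited inbound probe into a REJECT that hands the sender a reply, which is exactly the reply the stealth-port advice says a firewall should never give.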

The absolute safest way to access the internet is through a software firewall like Zone Alarm, behind a router or firewall, while equipped with up-to-date anti-virus and anti-malware solutions; however, this will only protect you from people trying to get into your network. Outside your firewalls, routers and network, your internet connection is not encrypted unless you're on an SSL-enabled website. You also have to be aware that certain programs like Net Nanny use custom certificates that may decrypt your data before re-encrypting it and sending it on to the SSL-enabled website. This also stops Strict Transport Security from working correctly for those who use the Firefox plugin Force-TLS 2.0. So if you wish to keep your banking, e-mail and online store purchase sessions safe, do not install custom certificates on your PC, or use a Linux-based live disc to access these websites in total security. Live discs also have the advantage of being immune to all viruses, malware and hackers, because they do not write to a hard drive. You can download a great version of Linux called Ubuntu for free. If you have a clean computer with no custom certificates, you may also use what is called a private session in your browser, in which add-ons, toolbars, etc. are all disabled, and surf the internet in nearly complete security.

The best way to stay safe is to steer clear of unsafe internet practices. Do not access unknown and insecure websites, do not open e-mails from unknown people or companies, never divulge your user name or password to anyone but the secure login page on the actual website, and always check the certificate and address in the browser to be sure that this is in fact the right web page. Verify that your secure session's internet address starts with the protocol HTTPS and not HTTP. Maintain updated anti-virus, anti-malware and firewall software, make sure to apply the necessary updates to routers and firewalls, and inform yourself, your family and co-workers of safe internet practices. If you have to, lock down ports that you do not use, program routers and firewalls with periods of time during which internet access is cut off and inaccessible, and use Wake-On-LAN technology to wake computers for backups instead of keeping them online, providing a safer environment for the prevention of whole-network viral infections. And remember, all infected computers are permanently compromised, so make backups as often as possible or needed, and format and rebuild computers that have been compromised. You should also make a list of passwords: some for accounts that hold nothing particularly important, and separate user names and passwords for websites with sensitive information like banks, online stores, and game accounts like World of Warcraft, Aion and Lineage 2, so no one can use one universal set of account information to access your whole life. And change the default user names and passwords in all hardware like routers and firewalls; illicit programmers know about these default names, and newer virus variants access whole networks with this information.

So listeners, until next week, stay safe and stay tuned. Our next episode will be on backing up your documents and photos: hardware solutions, cloud storage, and the use of encryption to protect discs, hard drives and cloud storage. If you have any questions or want a list of sources, software and hardware suggestions, you may find them on our website at http://www.zedaxis.net/, as well as a list of important podcasts that you should also listen to. This has been a podcast hosted by Steve Smith, Digital Technologies Consultant for Zed Axis Productions. Stay safe and online. This has been Technology Questions Answered.

Host : Steve Smith | Music : Steve Smith | Editor : Steve Smith | Producer : Zed Axis Productions

Sources & Resources