Firewall Protection for Your Computer
By Michael Ross
This article was published by ComputorEdge, issue #2222, 2004-05-28, as the cover article, in both their print edition (on pages 16 and 18) and their website.
For connecting to the Internet, most people in the U.S. have several options, which fall into two categories: broadband (cable and DSL) and narrowband (i.e., dial-up, an older and slower technology). American usage of broadband has increased dramatically, despite the fact that the U.S. is still significantly lagging behind other countries in broadband adoption. Specifically, we rank only 11th in the world, far behind the top countries, such as South Korea, Hong Kong, and Japan.
Nonetheless, more Americans are transitioning from dial-up to broadband Internet access. There are many benefits to broadband, with greater speed being the foremost advantage. There are also some downsides, including higher cost. But from a security standpoint, the primary disadvantage is that your computer, when connected to the Internet via broadband, is more vulnerable to attack by hackers.
This increased vulnerability is a result of your computer now having a fixed address on the Internet, by which ill-intentioned hackers and other troublemakers can try to directly access your computer. To better understand why this is so, we should briefly review how your computer is recognized on the Internet.
Computers attached to the Internet are able to communicate with one another by using the Internet Protocol (IP), a standard that specifies the structure of data exchange (in the form of "packets"), as well as the addressing used to deliver those packets to their correct destinations. Each computer is given a specific IP address, which is a long integer that has two equally valid formats. For example, Yahoo uses the IP address 126.96.36.199 (this is the "dotted quads" format), which is equivalent to 1113515563 (the "long address" format). In fact, instead of typing the domain name "www.yahoo.com" into your Web browser, you could also use "188.8.131.52" as a valid address.
It should be pointed out that the IP address assigned to your computer (when it is connected to the Internet via broadband) is not permanent and unchanging. In fact, broadband ISPs (such as Road Runner and Cox Communications) are free to change your IP address at any time, which may require you to reboot your hardware so it picks up the new address. However, many broadband ISPs do not change IP addresses frequently, possibly to reduce service calls from people who believe they have lost their connections to the Internet.
Malicious computer hackers wasted no time in recognizing the potential for mischief, because every computer on the Internet with a fixed IP address, can be tested by the hackers to see if they can access that computer. In the past, if and when you used dial-up to connect to the Internet, your computer's modem dialed into the modem bank of your ISP, and your computer was not as directly exposed to the Internet. Back then, the primary danger was downloading viruses attached to e-mail messages.
Now hackers can use your IP address to try to "probe" all of the possible connections (called "ports") on your computer, to see if any are wide open and vulnerable to intrusion. If any such unprotected ports are discovered, then the hackers can engage in various malicious activities, such as destroying your data, or storing illegal or pornographic material on your computer. They can even configure your computer to send out their spam, or host their pornography (without giving you a cut of the profits, of course). Even worse from a liability perspective, your computer could be turned into one of countless "zombies", designed to participate in future denial-of-service (DoS) attacks against any target websites chosen by the hackers.
You may be wondering how such hackers obtain your particular IP address. After all, since there are millions of possible addresses, how do they get yours? It's the same principle that telemarketers use to get your phone number: They simply try almost all possible combinations, and see if they get a "hit". So it's nothing personal. Cold comfort, though, when you learn that some Internet miscreants have turned your beloved computer into a kiddie porn server, available to the world… or at least the paying portion thereof.
Defend the Walls!
Fortunately, there is a way to defend yourself, short of disconnecting from the Internet and moving to Amish country. You can, and should, use a firewall. Like a building's firewall, which is intended to keep a raging fire out of parts of the building as long as possible, a computer firewall is designed to keep attackers out of networks and individual computers. The methods by which computer firewalls achieve this, can be technically involved, and can vary depending upon the type of firewall and the additional features included. But the ultimate purpose is the same.
There are two varieties of firewall — hardware and software. Hardware firewalls are typically built into routers, whose job it is to route Internet traffic within a network, including a simple network you set up at home. This is what allows you to have more than one computer at home using a single Internet connection. The router acts as a traffic cop, sending Internet requests from all of your home computers out through the same Internet connection, and then directing the responses from the Internet back to the correct computer in your home network.
Linksys and Belkin are two of the leading hardware vendors who manufacture routers with built-in firewalls — wired and wireless. Hardware router setup is fairly straightforward. For example, the paper instructions that came with my Linksys router were quite clear. And Belkin has a terrific set of illustrated procedures on their website showing you exactly how to set up their routers. Once your router is plugged in properly, you can log into it from a Web browser and then change the router's settings, including its access password (this is recommended).
Software firewalls, on the other hand, are security applications that run on a computer, rather than being built into another piece of hardware. Perhaps the best-known one is Zone Alarm, which, like so many other popular applications, started off as a free utility, and then went commercial. But there is still a basic, free version available, though the ads are reportedly annoying. An alternative is Tiny Personal Firewall.
Lastly, Windows XP has a built-in firewall, the Internet Connection Firewall (ICF), which can be enabled on your computer when you are logged in with an administrator account. However, given Microsoft's track record when it comes to security in its operating systems and applications, I personally cannot recommend using any native Windows firewall.
If you have multiple computers at home that you would like to connect to the Internet, then your best option is to get a router with built-in firewall, since you will be buying a router anyway. In addition, a software firewall would simply be one more application consuming your computer's resources. But regardless of whether you choose to go with a hardware or a software firewall, it is essential that you have something in place to help secure your connection to the Internet.
Copyright © 2004 Michael J. Ross. All rights reserved.