Firewalls - Overview

There are two kinds of firewalls and SSO recommends you use both.

Hardware Firewalls

Hardware firewalls are what you would expect, a physical piece of equipment that creates a barrier between your computer and the outside world.

“Geeks” often build their own hardware firewalls using old computers. But for a relatively small amount of money you can buy one and get the added capability to run a home network.

Of course we are talking about getting a “router.”

Note it must be a router and not a “hub.” Hubs offer no protection at all and are certainly not firewalls.

A router takes requests from the internet and “routes” them to a local machine (your computer). Before it allows the request to pass to your system, it has to pass the firewall tests that protect you against the bad guys.

You are likely to see references to “NAT” and “SPI” in your wanderings about routers. NAT stands for “network address translation.”  It is the process that translates the external IP address of your location into a local area network address. This allows you to have two or more computers connected to the internet through the router. If the device you are looking at does not do NAT, then it will be ineffective as a hardware firewall and you should not purchase it.

SPI is “stateful packet inspection.” All data is transmitted from and to your IP address in “packets.” There are many more packets being exchanged than just the data you are reading or the e-mail you are sending. There are packets that tell both sides of the connection how to talk to one another (what “protocol” to use for example), packets that carry the end destination addresses and many other kinds of packets. All reputable routers on the market today provide for SPI.

Importantly, you do not need to know all the details of operating a firewall because any good choice will get you up and running with little preparation and no direct expertises required at all.

You will need to make some feature choices before you decide exactly what kind of router to buy and you can check out those choices here.

Software Firewall

In individual articles we discuss other specific software firewalls. For this overview, we are going to just jump in and recommend one, using it to explain software firewalls in general.

Commodo Firewall

Commodo provides a seriously professional piece of software at no charge for your use. It is easy enough for those of us who have neither the time nor the interest to become security geeks, but has the ability to fine tune control down to the individual connection such that seasoned pros can love it.

This is not a trial program or one of those “personal editions” that prevents users from using some features. It is completely enabled and fully functional.

One word of advice: if you are not knowledgeable about firewalls, ports, application permissions and so, you are well-advised to leave settings at their defaults. They are set to give you strong security without crippling your ability to use your own system.

Unusual for a free program, particularly one that is so full-featured, Commodo Firewall also provides free support to its free “customers.” So if you are having difficulty with something there really is somewhere there to help.

So, what’s a software firewall supposed to do?

First, it serves as barrier to unwanted connection both inbound and outbound.

Some technology gurus have suggested that have the ability to block unwanted outbound connections is pointless and remain happy with a router that only filters inbound attacks. This is a shortsighted, possibly arrogant position. There are several good reasons to maintain good outbound protections, including preventing your computer from becoming a slave to some external person. It is possible that your machine could become infected with a new virus that takes over the system and until new anti-malware tools are made available the only thing preventing that outside person from using your system to mass distribute kiddy porn or launch mass attacks on innocent targets, is your outbound firewall.

A good firewall like Comodo will also offer direct protection against unknown or unwanted applications from even launching. Some good anti-virus software provides similar protection and in both cases, they are similar to the “User Access Control” feature of Microsoft Windows that was so badly implemented in Vista. These tools are important because they can be highly successful at stopping a virus from even getting started, ensuring there is no infection.

A good firewall allows the user to make the choice between convenience or precision of control. With Comodo you get that choice in spades.

If you wish to prevent your system from ever connecting to any IP address for which you have not given permission, you can do that. This NOT recommended for the average user as it will result in a lengthy period of responding to permission alerts. At the Secure Surfing Organization we do have Comodo setup to provide exactly that level of control and we gained some possible insights. In the first couple of weeks of doing routine internet operations, we were required to respond to a large number of permission requests like the one you see pictured here.

First it informs you what application is trying to connect to the internet — firefox.exe. We know this is our web browser so there is no alarm about that. It discloses the IP address and protocol. Here we see there is a connection attempt using TCP on port 80 to a site at 70.242.249.31.

In the “considerations” area, we are told that Comodo recognizes firefox and that the application is carrying a secure certificate authenticating it is from Mozilla, the publisher.

Any good firewall will provide all these elements of information to you, they will just do so in slightly different ways or with greater or lesser detail.

Because we have configured Comodo to ask us about every single attempted connection, we receive this alert every time we browse to a web site which we have before never visited. In fact, we will usually get this alert a half dozen or more times for each new site, because a great many web sites have many pieces of content being served from completely different IP addresses.

This extensive repetition of permission requests is why we do not recommend regular users enable this level of protection. You are likely to become frustrated and possibly discontinue using the firewall, or worse just start permitting everything.

In Comodo’s alert notice the choices. To never again be asked whether or not Firefox should be allowed to connect to a specific IP address you would simply click on the radio button “Treat this application as,” leave it at the default “Web Browser,” select “Remember my answer” and click OK.

Now, in our case we do want to be asked about every single connection attempt, whether by Firefox or any other application. But here is what we learned. For the first couple of weeks we did indeed receive a great many alerts. But then the number of alerts declined sharply and then became fairly rare, perhaps a few a week. Why?

It seems that even a service such as the Secure Surfing Organization spends 90% of its internet usage going to the same web sites. Once those sites had been explicitly permitted, we only received alert queries when we were visiting an entirely new site. It is likely true for most people that they do spend by the greatest amount of their time visiting a couple of dozen web sites and so if they had the patience to get through the initial annoyance of repeated permission requests, they would also experience the same decline in alerts.

Regardless, it is not particularly helpful for an individual user to go through this exercise so we recommend that you accept the convenient choices of allowing Firefox access to any internet site. We explain the process as a means of illustrating what software firewalls can do and in particular the degree of control possible with Comodo.

But do not be overwhelmed by the example. The default settings for Comodo are perfectly adequate for your needs and will provide you with very strong protection without any excessive alerts.

While we are running Commodo Firewall on our systems, we have tested it with novice users. The novices experienced no difficulties. We really believe in this product, it is free, it is better than most of the paid-for firewalls and did we mention it is free!

We do consider Comodo to have one significant weakness and that is its installation package. Comodo has chosen to ship the firewall with an integrated anti-virus product. To avoid installing the anti-virus while successfully installing the firewall, the user needs to take care not to simply click his or her way “okay” through the set up process. This is important because the Comodo anti-virus product is not even close to matching the power and features of alternative free anti-virus software.

Note that we also do not recommend all of Commodo’s other free alternatives. For example, their back-up solution does not stand up to Cobian Backup, our recommended free alternative back-up solution. Of course, we strongly encourage you to spend some money on backup software because it is probably the single most important part of your arsenal. When all else fails, you have your backups.