Firewall Debate: Hardware vs. Software
Hardware firewalls are important because they provide a strong degree of protection from most forms of attack coming from the outside world. Additionally, in most cases, they can be effective with little or no configuration, and they can protect every machine on a local network.
A hardware firewall in a typical broadband router employs a technique called packet filtering, which examines the header of a packet to determine its source and destination addresses. This information is compared to a set of predefined and/or user-created rules that determine whether the packet is to be forwarded or dropped. A more advanced technique called Stateful Packet Inspection (SPI) looks at additional characteristics such as a packet's actual origin (i.e. whether it came from the Internet or from the local network) and whether incoming traffic is a response to an existing outgoing connection, like a request for a Web page.
But most residential hardware firewalls have an Achilles' heel in that they typically treat any kind of traffic traveling from the local network out to the Internet as safe, which can sometimes be a problem.
Consider this scenario: What would happen if you received an e-mail message or visited a website that contained a concealed program? Let's say this program was designed to install itself on your machine and then surreptitiously communicate with someone via the Internet — a distributed denial of service (DDoS) attack zombie or a keystroke logger, for example? And trust me, this is by no means an unlikely scenario.
To most broadband hardware firewalls, the traffic generated by such programs would appear legitimate since it originated inside your network, and it would most likely be let through. This malevolent traffic might be blocked if the hardware firewall was configured to block outgoing traffic on the specific Transmission Control Protocol/Internet Protocol (TCP/IP) port(s) the program was using, but given that there are over 65,000 possible ports and there's no way to know which ports a program of this nature might use, the odds of the right ones being blocked are slim.
Moreover, blocking too many ports would almost certainly adversely affect your ability to use some programs (many games, for instance). Also, some broadband router firewalls don't even provide the ability to restrict outgoing traffic, only incoming traffic.
Advantages of Software Firewalls
Now consider what a software firewall might do in the aforementioned scenario. When you first set up a software firewall, you can specify which applications are allowed to communicate over the Internet from that PC. Programs that aren't explicitly allowed to do so are either blocked or the user is prompted for confirmation before the traffic is allowed to pass. Therefore, it would likely intercept this kind of traffic before it left your computer.
Another potential scenario where a software firewall would be useful is the case of an e-mail worm with its own e-mail server, like the recent "SoBig" worm. Its built-in mail server could attempt to send mail on the valid Simple Mail Transfer Protocol (SMTP) port (25), which would probably pass through the router because of its trusted origin.
On the other hand, a software firewall could be configured to only allow Microsoft Outlook to use port 25 (assuming Outlook is your e-mail client). Any attempt by another application to use the port would be dropped, or blocked pending user confirmation. For that matter, the application's attempt to use any port would be blocked if the firewall was configured that way.
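The following is an added toy model (not code from the original article) of the two designs described above: a router-style stateful packet filter that trusts anything leaving the LAN, and a host-based software firewall that keys its rules on the owning application. The LAN prefix, the IP addresses, the process names and the rule table are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."   # constructed private LAN; any such address is "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    app: str = ""           # owning process; visible only to a host firewall


def inside(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class RouterFirewall:
    """Stateful packet filter: outbound traffic from the LAN is trusted
    unconditionally; inbound is allowed only as a reply to a flow that an
    inside host already opened."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, str]] = set()   # (inside host, remote host)

    def decide(self, p: Packet) -> str:
        if inside(p.src) and not inside(p.dst):
            self.flows.add((p.src, p.dst))         # remember the outbound flow
            return "allow"
        if (p.dst, p.src) in self.flows:           # reply to an existing flow
            return "allow"
        return "drop"                              # unsolicited inbound


class HostFirewall:
    """Per-application egress filter: each program gets the ports it may use;
    anything else is held for user confirmation ("prompt")."""

    def __init__(self, rules: dict[str, set[int]]) -> None:
        self.rules = rules

    def decide(self, p: Packet) -> str:
        return "allow" if p.dport in self.rules.get(p.app, set()) else "prompt"


def compare(p: Packet, router: RouterFirewall, host: HostFirewall) -> tuple[str, str]:
    """Return (router verdict, host-firewall verdict) for one outbound packet."""
    return router.decide(p), host.decide(p)


# Constructed traffic: the mail client and a worm's own SMTP engine both
# connect to port 25 from the same PC; only the host firewall can tell them apart.
RULES = {"outlook.exe": {25, 110}, "browser.exe": {80, 443}}
MAIL = Packet("192.168.1.10", "203.0.113.5", 25, app="outlook.exe")
WORM = Packet("192.168.1.10", "203.0.113.5", 25, app="worm.exe")
```

Running `compare(MAIL, ...)` and `compare(WORM, ...)` against the same router shows the router allowing both connections while the host firewall allows only the mail client and holds the worm's attempt for confirmation.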
By comparison, a hardware firewall that had the ability to filter outgoing traffic might allow you to block most kinds of traffic from a particular PC, but it wouldn't be able to flag you and alert you to repeated attempts to infiltrate your computer.
One obvious downside to software firewalls is that they can only protect the machine they're installed on, so if you have multiple computers (which many small offices do), you need to buy, install, and configure a software firewall separately on each machine. This can get expensive and can be difficult to manage if you have a lot of computers.
But the fact of the matter is that software firewalls generally offer the best measure of protection against certain types of situations like Trojan programs or e-mail worms. Speaking of which, a firewall isn't the only protection method available to you. Whether you end up using a software firewall or a hardware firewall, you should always supplement it with anti-virus software.
A good anti-virus package is just as important as a firewall, and I would seriously suggest that you invest in a good one (I'm partial to both Norton and McAfee myself). However, keeping your virus definitions updated is far more important than which program you use. I cannot stress the importance of this enough. Making sure your definitions are current is absolutely critical to maintaining your protection. Many anti-virus programs today can be configured to automatically update themselves, so you have no excuse for not maintaining them.
The bottom line is that with any home-office broadband connection, a hardware firewall should be considered a bare minimum, and supplementing it with a software firewall on one or more computers (and don't forget anti-virus software) is almost always a good idea.
Adapted from PracticallyNetworked.com.