How hard is your firewall to install and set up?
Actually, it is very simple! Here are the installation instructions packaged with every firewall.
I can buy a software package from [Norton/McAfee/ZoneAlarm] that says it is all the firewall I'll ever need. What is the difference between your firewall and theirs?
There are three main differences between these software firewalls and a separate unit running a separate and secure operating system.
The first is performance. If you have a software firewall running on your Windows computer, you will find that it requires a substantial increase in the system resources used. These software firewalls are fairly complex programs that are constantly scanning for inbound TCP/IP packets to determine if they should pass or be blocked. This is exactly what it should be doing, but at the same time you are using Internet Explorer to surf the web while listening to streaming audio over Real Player, and in the background you are recalculating that 15 page Excel spreadsheet due for work tomorrow.
Each of these running programs will cause the others to slow. Adding the complexity of a software-based firewall only worsens the problem, and it gets really noticeable when the firewall starts blocking packets.
You might recall the Nimda worm that made the internet rounds during the fall of 2001. Our firewalls had just entered beta testing at the time. The system logs showed a tremendous spike in blocked internet traffic. Before the release of Nimda, our firewalls were blocking about 200 packets a day that were bound for port 80. When Nimda was released, that number jumped to over 2,000. Software firewalls brought the systems running them to a grindingly slow crawl, but our beta testers reported no problems with their Windows computers behind our firewalls other than a decrease in internet download speeds. This decrease was from the drastically increased amount of traffic in general on the internet during those "storms" and not the result of any interference from the firewall. Games, word processors, spreadsheets, all performed as well as usual.
The second difference is reliability. As all Windows users know, applications crash. The Windows operating system itself can crash, although it is reportedly much more stable now than in the past. What happens to the TCP/IP stack during a crash, either of Windows itself or of the software firewall? I don't know for sure, but I wouldn't want to find out the hard way that the software firewall I was relying on to protect my system was no longer doing the job and I didn't know it.
The operating system running on our firewalls is UNIX-based OpenBSD. OpenBSD's UNIX heritage enables it to draw on 30 years of stability and security. The packet filtering routines are integrated tightly into the kernel--the heart, if you will--of the operating system. The kernel simply does not crash. You will find that the "uptimes" of the firewall will match your power outages to the microsecond, and if you plug the firewall into a UPS backed power source, you might never need to reboot it.
Finally, running a software based firewall on the machine it is protecting puts all of your eggs in one basket. Once past your software firewall, a cracker is home free and in the promised land, free to set up a porn or warez relay site or to just start deleting files.
A hardware based separate firewall is a different story altogether. First the cracker actually has to get in the firewall, and we believe that this is not possible. We base this belief on the quality of the OpenBSD code, and on the amount of effort we've put into making these firewalls impervious to attack.
But, just for the sake of argument, let's assume that someone, somehow, manages the impossible and cracks our OpenBSD firewall. What's there? Nothing of value to the cracker, just a very small hard drive with a minimal operating system on it. To get anything of value, the cracker has to get to the computers behind the firewall. To do that, the cracker needs more operating system "privileges", so the next task is to get what is called "root" access on the firewall. Given the extremely long and complicated password that the root user has, this task is daunting. But, again, for the sake of argument, assume that miracle of miracles comes to pass and the cracker is able to force the root password. Now the cracker is faced with the task of cracking into the computers behind the firewall.
These multiple layers of security all work to protect your computer, your data, and your privacy. Most crackers aren't even going to make the attempt, especially when there are so many of your friends and neighbors with broadband and no firewall of any kind. Who wants to spend the effort to scale these mountain ranges of security when there is so much "low hanging fruit" around just waiting to be picked?
My software firewall package is constantly being updated for new threats from the internet. What update mechanism does your firewall use?
There are two schools of thought concerning firewall security. The first states "Everything that is not explicitly denied is allowed." The second is the opposite. "Everything that is not explicitly allowed is denied."
Our firewalls use the second rule. As a result, we do not need to modify the packet filtering rule set to react to new threats that appear, because virtually all packets originating from the internet are already blocked. The exception to this "block all" rule is that the default rule set does allow technicians from Open Vistas Networking, Inc. (and only Open Vistas!) to log in to your firewall via the Secure Shell to perform minor maintenance tasks.
However, once your firewall is installed, you can totally lock down the firewall with a simple web-based pulldown menu and nothing will be able to get in.
In the rare event a bug should turn up in the operating system that would need to be fixed, Open Vistas Networking, Inc. will contact you (if you have registered your firewall and if you have granted permission to be contacted) and inform you of the situation. Again, this upgrade would be at your discretion.
Is there any kind of threat from the internet that your firewall won't protect me from?
Actually, yes. Viruses and worms attached to e-mail, and malicious programs that you choose to download from the web.
E-mail is downloaded from your ISP's mail servers when you request it with your e-mail client. Because you've requested it, the transaction initiates from inside the firewall and is allowed to pass. The firewall will not scan your e-mail in any manner.
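An added example, not Open Vistas' rule set or code: a small Python model of the "everything not explicitly allowed is denied" policy from the update-mechanism answer and of the inside-initiated e-mail download described above. The vendor range 192.0.2.0/24, the LAN host 10.1.1.20, the port numbers and the omission of address translation are assumptions; all traffic is constructed.

```python
from dataclasses import dataclass, field

VENDOR_NET = "192.0.2."  # placeholder range; the vendor's real addresses are not on the page

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the LAN, "in" = arriving from the internet
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Firewall:
    default: str                                   # "block" or "pass" for unmatched inbound
    deny_ports: set = field(default_factory=set)   # blacklist a default-allow policy relies on
    vendor_ssh: bool = True                        # the one inbound exception; False = locked down
    states: set = field(default_factory=set)       # flows opened from inside

    def filter(self, p: Packet) -> str:
        if p.direction == "out":
            self.states.add((p.src, p.sport, p.dst, p.dport))
            return "pass"
        if (p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass"   # reply to a connection the LAN started
        if self.vendor_ssh and p.dport == 22 and p.src.startswith(VENDOR_NET):
            return "pass"
        if p.dport in self.deny_ports:
            return "block"
        return self.default

# Constructed traffic; 10.1.1.1 is the firewall, 10.1.1.20 an assumed LAN host.
TRAFFIC = [
    Packet("out", "10.1.1.20", 40000, "198.51.100.25", 110),  # mail client asks for mail
    Packet("in", "198.51.100.25", 110, "10.1.1.20", 40000),   # the server's reply
    Packet("in", "203.0.113.77", 5555, "10.1.1.20", 80),      # unsolicited port-80 probe
    Packet("in", "203.0.113.77", 5556, "10.1.1.20", 31337),   # port no blacklist lists yet
    Packet("in", "192.0.2.10", 50000, "10.1.1.1", 22),        # vendor technician SSH
    Packet("in", "203.0.113.77", 50001, "10.1.1.1", 22),      # SSH from anyone else
]

def verdicts(fw: Firewall) -> list:
    return [fw.filter(p) for p in TRAFFIC]

if __name__ == "__main__":
    print("default-deny :", verdicts(Firewall("block")))
    print("locked down  :", verdicts(Firewall("block", vendor_ssh=False)))
    print("default-allow:", verdicts(Firewall("pass", deny_ports={80})))
```

Even the locked-down policy passes the mail server's reply, which is why e-mail-borne content has to be handled on the computer itself.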
Why would anyone choose to download a malicious program from the web? Because it is masquerading as a program that is not malicious. A screensaver that actually removes all of the files from your hard drive the first time it runs would be a good example of this kind of "trojan horse" program. Obviously the screensaver isn't going to tell you that it will wipe your hard drive before you download it!
This is a totally different area of internet security. Don't download programs from sources you don't trust. Ever. And please install a good virus protection program to stop e-mail viruses.
Windows users can download a free program from Finjan Software called SurfinGuard that does a fabulous job protecting against any kind of internet downloaded malicious programs. We highly recommend it be installed on all Windows computers.
Mac users are fortunate in that virtually all of the malicious content circulating out there is specifically for the Windows operating system. We suspect that as the MacOS gains more marketshare, we will see an increase in the malicious content targeted specifically for Macs. Until then, install a good e-mail virus program, keep it up-to-date, and don't download programs from sources you don't trust.
What about a warranty?
You bet there is a warranty!
If you decide in the first 90 days that our firewall is not the product for you, return it for a full refund. After 90 days, please contact us. If the firewall has already been doing its job for 3 months, we'd like to know why it isn't living up to your expectations, but the same guarantee applies.
Worried about a hardware problem? Although we use "previously owned" hardware in our firewalls, we are confident that the hardware will last for many years to come, and will serve your firewall needs well into the future.
If you do have a problem, please first try to access the web server on the firewall itself (http://10.1.1.1) and work through the Troubleshooting pages before contacting our Technical Support people. Many of the troubles you might think you have with the firewall will turn out to be with your broadband ISP!
What do I need to do to share my one broadband connection with the other computers in my home or office?
Surprisingly little. In addition to our firewall, you will need:
Directions for Sharing One Broadband Connection
The following instructions are written under the assumption that you have already installed the firewall and are using it for one computer. If you have not yet installed the firewall, please do so and test it before proceeding on to this setup.
As it is installed now, you have one ethernet cable running from the cable or DSL modem to the firewall and another ethernet cable running from the firewall to your computer. Although these two cables look the same, they are not. To use your new switch, these two cables must be switched. The cable that runs between the cable or DSL modem and the firewall must be removed, and the cable that runs from the firewall to your computer must be put in its place. The first cable is then plugged into the lan (YELLOW) jack of the firewall and then plugged into a port on the switch. Your new ethernet cables are also plugged into the switch and then into their respective computers.