Why You Could Get By Without a Firewall Before Now
There are three main reasons you could get by without using a firewall before now.
First, you used a modem and each time you wanted to send or receive e-mail or surf the web you had to dial up your internet service provider. Chances are very good that each time you did this you got a different IP number. This creates a level of security for your computer because it makes it a "moving target" on the internet.
Second, these connections to the internet were temporary. If you didn't hang up the modem when you were done, the ISP or your own connection software would automatically hang up the modem after a few minutes of inactivity. This creates another layer of security because it limits the amount of time that your "moving target" is even available.
So, What's Changed?
For those who have switched to a broadband connection to the internet, these three levels of security are gone. Broadband means that your computer is connected from the moment you start up, and the IP number you are assigned will probably not change for as long as your computer is on--days or even weeks.
And the latest generations of operating systems--Windows 2000 and XP, and MacOS X, do support remote logins. Furthermore, Windows XP, as it was installed on many new computer systems, is so full of security holes that crackers can log in and hijack your entire system. These systems are so easily compromised that the National Infrastructure Protection Center, an agency created by the Department of Justice and the FBI, released its own security alert about the dangers of not applying the operating system patches released by Microsoft.
MacOS X, based on BSD Unix, is, by its design, much more security conscious than Windows, but it, too, has an early history of security vulnerabilities.
Do You Know What's On Your Hard Drive?
What are crackers after, anyway? There are three reasons that someone will try to crack into your system. To get data, to steal bandwidth, and to destroy your system "just for kicks".
Businesses may have a treasure trove--literally--of valuable information stored on their systems. Everything from credit card and social security numbers to the valid e-mail addresses of their customers. The compromise of this information can result in identity theft, credit card fraud, and a variety of other criminal endeavours.
If a thief breaks into an office in the middle of the night and steals the server, the incident is noticed right away. The door to the office was forced and the server itself is missing. Measures can be put into action to immediately protect the information that was stolen. Customers and credit card companies can be alerted.
Unlike this physical theft though, the careful cracker can gain access to a system once and then keep accessing it over and over again, stealing new critical information as soon as it is entered, and no one will ever know!
A typical home user may not have the same kind of data stored that a business does, but the home system can be a lucrative target for crackers nonetheless. By cracking into your system and gaining access to your hard drive, crackers can use your hard drive as a storage device. Typically, it would be used to store stolen commercial software, pirated videos, or pornography.
Worse, your home system can be turned into a delivery point for any kind of file, and you might not even know it. You may become an unwitting accomplice between the seller of pornography and the buyer of pornography. When the authorities begin tracing the pornography trail, your system could be identified by its IP number. That is not a situation many of us would enjoy.
How is it possible that your system could be used like this without your knowledge? Simply by making those file folders "invisible" to casual inspection, so browsing your hard drive with Windows Explorer or the MacOS Finder will not display them. The only indications the typical home user might have that their system has been hijacked are hearing the hard drive in use and seeing the "activity" light on the modem stay on when no one is surfing the net. All the while, megabyte after megabyte of illicit files are being stored or retrieved from your system's hard drive.
Finally, some crackers are motivated just by the thrill of destruction. Once access to your system is gained, it is again a simple matter to erase virtually every file on your hard drive. Most of us know that we should have backup copies of our hard drives, but how up to date are yours?
What You Can Do to Protect Yourself
The best way to protect your system, your data, and your privacy, whether for a business or a home user, is to put a firewall between the internet and your computer.
Open Vistas Networking, Inc., in cooperation with WizBang Computers, is pleased to produce what we consider to be the best firewall you can buy. Our firewall is a hardware based, packet filtering, stateful, and routing firewall. Wow, that's a handful of jargon, so let's break those terms down one at a time.
First, though, let me warn you that the information to follow gets a bit technical, so feel free to skip ahead if all you need to know is that "It Works!" Those brave enough to go on will meet you on the other side.
Our firewall is built into a business grade computer, such as a Compaq Deskpro. Each unit has a Pentium 75 or faster processor, and 16 megabytes of RAM. These quality computers feature one built in ethernet network interface that handles traffic from the internet, and we add one 3COM network interface to handle traffic to your workstation or local area network. This system can handle network speeds exceeding 750 Kilobytes per second, so it easily surpasses the maximum network speeds a user will see from either a cable modem or a DSL connection to the internet.
Running on the computer is a highly customized installation of OpenBSD. Internal to the OpenBSD kernel is the pf packet filtering software.
Internet traffic is comprised of TCP/IP packets. The headers of each packet are examined by the pf routines in the kernel to determine if that specific packet passes the firewall rules or if it is to be blocked by the firewall. This is the mechanism that stops crackers cold.
Basically, our firewall rules can be summarized in two lines:
Stateful means that once a packet passes the rule set, it is marked in a table held in memory and any packets that are a part of that continuing transmission are passed through immediately, without going through all of the checks of the rest of the rules.
An example will help clarify this. Suppose you want to do a little web surfing and check out what's new and exciting at Open Vistas Networking, Inc. You fire up your web browser and type in http://www.openvistas.net . You have just initiated a connection to the server at www.openvistas.net. As the outgoing packets pass through the firewall, they are marked in the kernel's state table. When answering packets from the web server at openvistas.net get back to the firewall, they are passed through immediately, because they are part of a kept state.
Let's say that a cracker tries a simple login on the firewall's external IP. The cracker has already determined through a variety of scanning techniques that the firewall is running some sort of unix operating system. The first thing the cracker will try is a telnet login to port 22. There is no response whatsoever from our firewall, because those inbound packets originated from the internet. No matter what the unlucky cracker tries, our firewall will not respond. (1)
There is one more level of protection afforded workstations behind the firewall, and this feature also allows many computers to share one internet connection with the addition of an inexpensive networking switch. Packets addressed to certain blocks of IP addresses are not routed across the public internet; these blocks are reserved for internal network use only. Our firewall automatically assigns each workstation a unique but non-routable IP number in the 10.1.1.x range. When data from a workstation enters the firewall, Network Address Translation rewrites the packet headers to show that the packet actually originated from the firewall before it sends it out over the internet to its destination. When the return packets arrive, NAT again rewrites the headers and the packet is forwarded on to the correct workstation.
If a picture is worth a thousand words, let's see if this helps.
If you look at the diagram above, you will notice that each of the computers behind the firewall has a different IP address, and each of those addresses is in the range of non-routable addresses. If you are using the Mac, the only IP address it has is 10.1.1.6. Any internet traffic bound for the Mac that's directly addressed to 10.1.1.6 will never make it past the first router on the internet. All inbound packets must pass through the firewall, where NAT can rewrite the headers appropriately.
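To make the stateful filtering and NAT behaviour described in the last few paragraphs concrete, here is an added toy simulation of that mechanism. It is illustrative code written for this page, not OpenBSD's pf and not the product's own ruleset, and every address and port in it is constructed for the example (the firewall's external address 203.0.113.10 and the remote hosts are documentation-range placeholders). It models three things from the text: an outbound connection from the Mac at 10.1.1.6 creating an entry in the state table and being rewritten to look like it came from the firewall, the reply being matched against that state and forwarded back to the Mac, and an unsolicited inbound probe to port 22 being dropped with no response.

```python
"""Toy model of a stateful, NAT-ing packet filter (teaching example only)."""
from dataclasses import dataclass, replace

EXT_IF_IP = "203.0.113.10"   # constructed external address of the firewall
INTERNAL_NET = "10.1.1."     # non-routable range handed out to workstations


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = LAN -> internet, "in" = internet -> firewall


class StatefulNatFirewall:
    def __init__(self, ext_ip=EXT_IF_IP, nat_port_base=50000):
        self.ext_ip = ext_ip
        self.next_nat_port = nat_port_base
        # State table: (ext_ip, nat_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.states = {}
        self.log = []

    def handle(self, pkt):
        """Return the forwarded (possibly rewritten) packet, or None if blocked."""
        return self._outbound(pkt) if pkt.direction == "out" else self._inbound(pkt)

    def _outbound(self, pkt):
        # Only traffic from the internal range may leave through the firewall.
        if not pkt.src_ip.startswith(INTERNAL_NET):
            self.log.append(f"block out: unexpected source {pkt.src_ip}")
            return None
        # If this flow is already in the state table, reuse its NAT port.
        for key, lan in self.states.items():
            if lan == (pkt.src_ip, pkt.src_port) and key[2:] == (pkt.dst_ip, pkt.dst_port):
                nat_port = key[1]
                break
        else:
            # Rule "pass out ... keep state": record the flow once.
            nat_port = self.next_nat_port
            self.next_nat_port += 1
            self.states[(self.ext_ip, nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.log.append(f"state: {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} via port {nat_port}")
        # NAT: rewrite the source so the packet appears to come from the firewall.
        return replace(pkt, src_ip=self.ext_ip, src_port=nat_port)

    def _inbound(self, pkt):
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        lan = self.states.get(key)
        if lan is None:
            # Default rule "block in": no state, so drop silently (no reply at all).
            self.log.append(f"drop in: unsolicited {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
            return None
        # Part of a kept state: pass immediately and un-NAT to the workstation.
        return replace(pkt, dst_ip=lan[0], dst_port=lan[1])


def demo():
    """Walk through the scenarios from the text with constructed packets."""
    fw = StatefulNatFirewall()
    # The Mac at 10.1.1.6 opens a web connection to a (constructed) web server.
    out = fw.handle(Packet("10.1.1.6", 40001, "198.51.100.5", 80, "out"))
    # A second packet of the same flow reuses the existing state entry.
    out_again = fw.handle(Packet("10.1.1.6", 40001, "198.51.100.5", 80, "out"))
    # The web server answers to the firewall's external address and NAT port.
    reply = fw.handle(Packet("198.51.100.5", 80, out.src_ip, out.src_port, "in"))
    # Someone on the internet probes port 22 on the firewall's external IP.
    probe = fw.handle(Packet("192.0.2.99", 33333, EXT_IF_IP, 22, "in"))
    # A packet addressed straight to the Mac's private address has no state either.
    direct = fw.handle(Packet("192.0.2.99", 33333, "10.1.1.6", 22, "in"))
    return {"fw": fw, "out": out, "out_again": out_again, "reply": reply,
            "probe": probe, "direct": direct}


if __name__ == "__main__":
    result = demo()
    for line in result["fw"].log:
        print(line)
```

Running the block prints the firewall's log: one state entry for the web connection, then two silent drops. The reply packet comes back out of the firewall readdressed to 10.1.1.6:40001, which is the "NAT again rewrites the headers" step in the text; the port 22 probe never produces a packet in either direction, which is what "no response whatsoever" means in practice.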
Believe me, It Works!
Congratulations to those of you that slogged through the technical stuff--I hope the effort was worth it!
Some Frequently Asked Questions
Order Your Firewall Today!
Firewalls can be picked up at WizBang Computers, located at 1609 Seymour Avenue in Cheyenne, Wyoming. The cost of the firewall, if picked up at WizBang Computers, is $125.00 plus sales tax of 6%, for a total price of $132.50.
Out of area customers can place an order by e-mail or by telephone at (307) 421-7949. Price is $125 plus actual shipping costs. Wyoming residents must add 5% sales tax.
Secure on-line ordering is now available through the PayPal system.
Open Vistas Networking
26 Ray Creek Road
Townsend, MT 59644