ExpertCentral.com
View question by Expert saintly
Question History!
From : cloaknight
To : saintly
Rating :
Message Status : Confidential

[08-17-2000] cloaknight : I like computers a lot too, but there has been one question that has been annoying me since day one. We are about to upgrade to DSL and my parents say we need a firewall (I agree, due to an "always-open" broadband connection, but to a different degree). They say we need to take a Pentium I built and turn it into a firewall. I personally believe ZoneAlarm is good enough. I thought u only needed to sacrifice a computer if it's like big company protection. What should we do?
[08-17-2000] saintly :
Unless you have a lot of confidential information that needs to be kept secure, or more than one computer that you want to connect simultaneously over the DSL line, I would expect ZoneAlarm to be fine. Having a dedicated firewall is probably more secure than running ZoneAlarm on each computer of several connected to the DSL line.

If you have a home network of several computers, then using one computer as a firewall can protect all the others behind it. That one computer would be the one connected to the DSL interface, and would be connected over a separate ethernet card to all the other computers in the house. If you intend to run servers (like a web server, ftp server or whatever) then it has to run on the firewall machine as well, because all computers behind the firewall are invisible to the Internet.

The idea behind a firewall (and you probably already know this) is that security on the firewall has to be breached before computers behind it can be accessed and attacked; it adds a layer of extra protection. It's also a headache for casual surfers; it disallows connections to services behind it, like ICQ, AIM, Napster, Secure (HTTPS) web transactions and any other servers you might run behind it. All those services would have to be specifically enabled again.

Security decisions like that need to consider the risks and disadvantages of each security system. Some typical questions you (or a major corporation) would ask yourself are:

Would just being broken into, even if no damage is done, cause us significant harm? (Banks would look bad, so they answer yes)

Do we have confidential information that would cause us harm if it was released? (Banks, Military installations, companies that store credit-card information, medical records, legal records, whatever, answer yes)

What is the most damage someone could cause our computers if they broke in? (People running Win95, Win98 and Win2kPro/WinME can answer "none, if we take some precautions")

How many people would have an interest in breaking in? (You can always say that some random bored hacker or amateur kiddie haXor may stumble across your IP and decide to give it a try)

In Win95/98/2kPro/ME go to your network control panel. Remove NetBEUI and IPX/SPX for the card connected to the DSL line. If you're not sharing files over your home network, click 'File and Print sharing' and disable 'I want to give others access to my files' and 'I want .. printers' for whatever you don't need.

Hope that helps! Do you have more questions? Reply and I'll try to take care of them too.
[08-17-2000] cloaknight : Thanks, it's very helpful. I am gonna use my computer as the DSL connection and share connection with the others on my LAN. So if what you're saying is correct, ZoneAlarm will be sufficient to my network. (The only one that uses AIM is the host, the others just play games and surf).
[08-17-2000] saintly :
ZoneAlarm is only intended to protect the one individual computer. It does not appear to have the routing services it would need to protect the other computers on the LAN.

You can use software like WinProxy to protect the whole LAN from your computer without having to dedicate your other computer to full-time service as a firewall.

A full firewall has two separate network connections on two separate ethernet cards. One connection is made to the internet/DSL, the other is made to the rest of the computers on the home network. It protects the other computers by selectively routing between them. Since ZoneAlarm (and similar 'personal firewall' products like McAfee Personal Firewall) only watch connections inbound direct to your computer and what your own applications are doing, they do not have the necessary capabilities to protect the rest of the LAN.

At home, I have a 486 running UNIX as a full-time firewall/proxy/router/web-server. 486s can make good routers/firewalls because it's not that technically demanding and they can keep up with the rest of a small home LAN just fine.
[08-20-2000] cloaknight : Sounds good, I think I can scrounge up some old computer parts and make a firewall (it's what I was gonna do anyway). Thanks for the info on some possible options.
[08-20-2000] saintly :
Glad to help! You can still use your personal computer to run the firewall as long as you
a) Run WinProxy (or other full firewall software)
and
b) Install a second NIC to connect to the rest of the home LAN.

Or turn some old 486 into the firewall...

If you have more questions later, feel free to come back and ask.

Copyright © 2000 ExpertCentral.com, Inc. All Rights Reserved.