Choosing a Home or Small Office Firewall

This guide is intended as a quick, easy-to-read comparison of the pros and cons of three different approaches to firewalling your home or small office. It is far from a complete guide, but it will get you started in the right direction to figure out exactly what you need in order to protect yourself. This particular guide comes out of my desire to provide a quick and easy comparison for a friend who had a small business and was trying to decide what to use for protection. If you are looking for specific reviews of products I recommend the Home PC Firewall Guide.

If you have a question about terms I do not define check out www.whatis.com.

Host-Based Firewall (software you load on a local PC to protect that PC)

Pros

  • Inexpensive or free.
  • May identify software you are unaware of attempting to reach the Internet (for example spyware and trojans).
  • Can detect internal threats missed by hardware firewalls and NAT devices at the perimeter of your network.
  • Range in complexity from very simple to complex.
  • Most software firewalls can be set up so that they learn what is acceptable and what is not by asking you the first time a program tries to connect and then remembering your response, which makes setup easy.
  • May be able to "stealth" or hide your PC by silently dropping unsolicited packets instead of answering them, so a port scan sees no PC at all on the IP you are assigned.

Cons

  • Spyware and trojans can trick the software into allowing them access to the Internet or other local devices by claiming to be another program you have already approved. Some firewall products are better than others at telling programs apart.
  • Can be expensive for a business since a firewall must be installed and maintained on every desktop.
  • Can be intentionally or inadvertently disabled.
  • Can be difficult (or impossible) to set up networking between protected computers in your local area network (LAN) without opening up holes exploitable by attackers.
  • Security weaknesses in the operating system's networking code may be exploitable even with the firewall running if an attack comes in below the layer at which the software firewall hooks. In other words the network stack itself may still be vulnerable to some degree.
  • Protection may not start until the computer has fully booted (and been logged into, if there is a log-in process). This gives an attacker a window of opportunity for free access to your PC with no firewall to deter him. I do not have any experience with Macs so this may only be a Windows issue.
  • Will take up some of the computer's processing time and so may reduce performance.
  • Not all software firewalls check outgoing connections (most do).
  • Most products have no central management, so they are limited to home users or a very small SOHO.
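To make the learn-by-asking point and the impersonation con concrete, here is an added example: my own model written for this edit, not code from the original guide or from any firewall product. It models a personal firewall's outbound prompt-and-remember rules two ways: keyed on the program's name alone, and keyed on the name plus a hash of the executable on disk, which is how some products of the period told a changed program from an approved one. The program names, the stand-in file bytes and the user's answers are all constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Program:
    """A process asking to open an outbound connection (constructed data)."""
    name: str        # the name the process presents, e.g. "browser.exe"
    image: bytes     # stand-in for the executable's bytes on disk
    dest_port: int


def image_hash(image: bytes) -> str:
    """Fingerprint of the executable; a changed file gets a new hash."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class LearningFirewall:
    """Outbound filter that asks the user once per program and remembers.

    pin_hash=False: rules are keyed on the program name only (weak).
    pin_hash=True:  rules are keyed on name plus executable hash (stronger).
    """
    pin_hash: bool
    rules: dict = field(default_factory=dict)   # identity -> allowed (bool)
    prompts: int = 0                            # how often the user was asked

    def identity(self, p: Program):
        return (p.name, image_hash(p.image)) if self.pin_hash else p.name

    def check(self, p: Program, ask_user) -> bool:
        """Return True if p may connect; prompt via ask_user on first sight."""
        ident = self.identity(p)
        if ident not in self.rules:
            # With hash pinning, an approved name arriving with a different
            # hash means the file changed: warn the user instead of reusing
            # the old answer.
            changed = self.pin_hash and any(
                name == p.name and ok for (name, _), ok in self.rules.items())
            self.prompts += 1
            self.rules[ident] = ask_user(p, changed)
        return self.rules[ident]


def cautious_user(p: Program, changed: bool) -> bool:
    """Constructed user policy: approve a first-seen program, refuse one
    that the firewall reports as changed since it was approved."""
    return not changed


def demo():
    """Real browser approved once, then a trojan borrowing its name.

    Returns (weak_verdict, strong_verdict, weak_prompts, strong_prompts).
    """
    browser = Program("browser.exe", b"real browser image", 80)
    trojan = Program("browser.exe", b"spyware payload", 80)   # same name
    weak = LearningFirewall(pin_hash=False)
    strong = LearningFirewall(pin_hash=True)
    weak.check(browser, cautious_user)      # user says yes to the browser
    strong.check(browser, cautious_user)
    # The trojan reuses the name-only rule silently; the hash-pinned
    # firewall notices the changed image, prompts again and is refused.
    return (weak.check(trojan, cautious_user),
            strong.check(trojan, cautious_user),
            weak.prompts, strong.prompts)


if __name__ == "__main__":
    print(demo())   # (True, False, 1, 2)
```

The weak firewall never asks a second time, so the user has no chance to notice the impostor; the hash-pinned one turns the impersonation into a visible "this program has changed" prompt. A hash of the file on disk does not help against malware that injects itself into an already approved running process, which is why the guide's con still stands for many products.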

NAT Device

Pros

  • Invisible to the end user.
  • Can hide the total number of actual computers residing inside the home or office network behind one IP address.

Cons

  • An attacker's IP can be spoofed to appear as though it is local to your protected network when in reality it is not, and a plain NAT device does nothing to detect this.
  • There is no way to prevent devices inside the network from initiating connections to a hostile source; once such a connection is in the NAT table the replies come back into your protected network unhampered.
  • Trojans or spyware making outbound connections will not raise any sort of flag.
  • Port filtering is not an option, so any outbound request will be allowed. In other words there is no way to block users or programs from using certain services.
  • I have assumed there are no internal servers. Please refer to the Assumptions as well as Static NAT Adds No Security for details.

Hardware Firewall Device (Packet Filtering/Stateful Inspection not Application Proxy)

NOTE: for the purpose of this discussion I will include software-based firewalls that reside on a box separate from the protected computer. After all, a "hardware firewall" is still a black box consisting of hardware, firewall software and some sort of specialized OS.

All of the consumer/small office hardware firewalls I have seen to this date fall into this category although some may be able to act as a limited application proxy.

Pros

  • Invisible to the end user.
  • Spoofed IPs can be detected and blocked (for example, a packet arriving on the outside interface with a source address from your inside network).
  • Many devices will interact with third party software to allow virus scanning, URL filtering and other services at the perimeter of your network.
  • The logs for hardware firewalls may be better than those for other products.
  • Some of these devices can defend against denial of service attacks.
  • Most if not all will also act as an improved NAT device, providing all the positive aspects of a NAT device if NAT is enabled.
  • They should stop attacks before they ever reach the target system.

Cons

  • Can be more complex to configure.
  • It is unlikely that trojans or spyware making connections over common ports (HTTP port 80 for example) will raise any sort of flag, because that traffic looks like ordinary browsing.
  • While it is possible to block hostile sites, this is usually an extra cost or a completely manual process.
  • Many consumer devices for broadband sharing have built-in firewall capabilities. As a general rule these companies' products have not been proven by fire as much as the products of the more established security companies, so the security of these low-end hardware firewalls may be somewhat suspect.

NOTE: If you have five or fewer hosts to protect and an extra machine to spare, you may want to consider Gnatbox Light. It is a floppy-based commercial firewall with a free low-end version. It is not the easiest system on the market but the price is right and it is ICSA certified.
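To show concretely where a plain NAT device stops and a stateful packet filter begins (the NAT cons in the previous section and the spoofing, egress and port-80 points in this one), here is an added example: my own simulation written for this edit, not code from the original guide or from any product. It puts both devices in front of a 10.0.0.0/24 network sharing one public address. The NAT model forwards any inbound packet that hits a mapped outside port regardless of who sent it, a simplification of how simple consumer boxes behaved; the stateful model also tracks the full flow, drops outside packets that carry an inside source address, and applies an outbound port policy. All addresses, ports and packets are constructed (TEST-NET ranges for the outside hosts).

```python
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("10.0.0.0/24")   # inside network (constructed)
PUBLIC_IP = "203.0.113.5"                       # the device's outside address


@dataclass(frozen=True)
class Packet:
    iface: str          # "lan" or "wan": the interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a new TCP connection attempt


class NatDevice:
    """Plain NAT: maps (inside ip, port) to an outside port and nothing more.

    Inbound packets go to whichever inside host owns the outside port, no
    matter who sent them. Real boxes vary; this is the simplest behaviour.
    """

    def __init__(self):
        self.out = {}      # (inside_ip, inside_port) -> outside_port
        self.back = {}     # outside_port -> (inside_ip, inside_port)
        self.next_port = 40000

    def forward(self, pkt):
        """Return the translated packet, or None if it is dropped."""
        if pkt.iface == "lan":
            key = (pkt.src, pkt.sport)
            if key not in self.out:
                self.out[key] = self.next_port
                self.back[self.next_port] = key
                self.next_port += 1
            return Packet("wan", PUBLIC_IP, self.out[key],
                          pkt.dst, pkt.dport, pkt.syn)
        if pkt.dst == PUBLIC_IP and pkt.dport in self.back:
            ip, port = self.back[pkt.dport]
            return Packet("lan", pkt.src, pkt.sport, ip, port, pkt.syn)
        return None


class StatefulFirewall(NatDevice):
    """NAT plus flow tracking, anti-spoofing and an outbound port policy."""

    def __init__(self, allowed_out_ports):
        super().__init__()
        self.allowed = set(allowed_out_ports)
        self.flows = set()   # (inside_ip, inside_port, remote_ip, remote_port)

    def forward(self, pkt):
        if pkt.iface == "wan" and ipaddress.ip_address(pkt.src) in LAN_NET:
            return None      # anti-spoof: inside addresses never arrive from outside
        if pkt.iface == "lan":
            if pkt.dport not in self.allowed:
                return None  # egress policy: block services users may not use
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return super().forward(pkt)
        # Inbound traffic must be the reply leg of a flow opened from inside,
        # matching on every address and port, and must not be a new SYN.
        if pkt.dst == PUBLIC_IP and pkt.dport in self.back:
            ip, port = self.back[pkt.dport]
            if (ip, port, pkt.src, pkt.sport) in self.flows and not pkt.syn:
                return super().forward(pkt)
        return None


def run_scenarios(device):
    """Push constructed packets through a device; True means forwarded."""
    def passed(p):
        return device.forward(p) is not None

    res = {}
    res["browser out"] = passed(Packet("lan", "10.0.0.7", 51000, "198.51.100.9", 80, syn=True))
    ext = device.out[("10.0.0.7", 51000)]                  # outside port the device chose
    res["web reply"] = passed(Packet("wan", "198.51.100.9", 80, PUBLIC_IP, ext))
    res["probe mapped port"] = passed(Packet("wan", "192.0.2.66", 4444, PUBLIC_IP, ext, syn=True))
    res["unsolicited smb"] = passed(Packet("wan", "192.0.2.66", 4444, PUBLIC_IP, 445, syn=True))
    res["spoofed lan source"] = passed(Packet("wan", "10.0.0.1", 53, PUBLIC_IP, ext))
    res["trojan to irc"] = passed(Packet("lan", "10.0.0.7", 51001, "192.0.2.66", 6667, syn=True))
    res["trojan over http"] = passed(Packet("lan", "10.0.0.7", 51002, "192.0.2.66", 80, syn=True))
    return res


if __name__ == "__main__":
    print("NAT     ", run_scenarios(NatDevice()))
    print("firewall", run_scenarios(StatefulFirewall([80, 443, 25, 110, 53])))
```

Both devices drop the unsolicited probe to port 445, which is all the protection a NAT box really gives. Only the stateful filter refuses the outsider who probes the mapped port, the packet pretending to come from 10.0.0.1, and the trojan's connection to an unusual port. The trojan that talks on port 80 passes both, which is the remaining con above and the reason a host-based firewall still has a role behind a perimeter device.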


Parting Comment

Hardware firewalls are probably the easiest of these groups to misconfigure, leaving a hole for attack. Conversely, properly configured, a hardware firewall will likely offer the highest level of security. I will not attempt to tell you what is best for your particular configuration, but I do hope that these points will help lead you in the direction of your best choice.

(original date 2002 or 2003)