BROADBAND Part 5

by Wayne M. Krakau - Chicago Computer Guide, December, 2001
It's the time for me to cover the security implications of having a broadband connection. But first, I'd like to apologize to anyone who might have been confused or misled by a major mistake that I made in last month's article. I let my fingers, not my brain, do the walking and used the terms "synchronous" and "asynchronous" to describe the two major types of DSL when I should have used "symmetric" (SDSL) and "asymmetric" (ADSL). This was with a 6-inch stack of reference material in front of me that I had just reread. Obviously, old habits (and communications terms) die hard. (I'm blaming it on several years of inhaling fumes from keypunch machine lubricating oil followed by many years of exposure to radiation from monitors. That's my story and I'm sticking to it!)

The first thing to do for security when you have a broadband connection (or, for that matter, even a dial-up connection) is to put anti-virus software on every computer and religiously keep it updated. You will almost certainly have to reconfigure the software to the settings appropriate for your system, as the default settings for anti-virus software are usually both inefficient and incomplete. You might not wish to scan all files going to and from your C: drive and your server, but you certainly will want to scan everything coming down the pipe from the Internet, including e-mails, attachments, downloaded files, and Web pages. A recent option is to put in a hardware-based anti-virus product, but, so far, I have only seen that option used in the field as an addition to, but not as a replacement for, anti-virus software.

Next, if your router does not have firewall capabilities, or those capabilities are inadequate for your situation, get a separate, hardware firewall. This advice is aimed at business computers and at any home computers that can attach to a business network, but it couldn't hurt for pure home users to heed it as well.

You may optionally add software firewalls to your computers, but they have a lot of limitations. Most of the products in this category are worse than useless, as they are easily cracked by even the simplest attack, while giving the user a false sense of security. Check out Gibson Research (www.grc.com) for the latest test results. The only products that have consistently passed Steve Gibson's (and other) tests from the beginning are ZoneAlarm and ZoneAlarm Pro, from Zone Labs, Inc. (www.zonelabs.com). You can download and perform the tests yourself. Other products are just now adding improvements to tighten up and pass these tests.

I have found, in my experiments with software firewalls, they can be a real pain to use. They won't even run on some computers, and when they do run, they have the potential to conflict with lots of software. Even the one that I like the most, ZoneAlarm Pro, is probably going to bombard your computer users with confusing and potentially panic-inducing messages. Also, if, as non-techies, they respond, "Yes" to every warning message, the software will allow inappropriate actions. (I don't even want to get into the argument about basing security products on Windows.)

Step one in configuring your router or firewall is to CHANGE THE DEFAULT PASSWORDS! This is such a common mistake that it is really ridiculous. While you are changing the password, make sure to make it the largest, most complicated password you can possibly tolerate, and make sure it is completely unrelated to anything in the real world (words, names, dates, places, ID numbers, etc.). Also don't cheat by writing it on a Post-It note and sticking it to the firewall!

Then you need to turn off command access to the firewall from the outside world. It can take several commands or menu selections to do this. With this access turned off, the router or firewall will ignore commands originating from its Internet-connection socket (typically called the WAN - Wide Area Network - port). Just make sure that you document the procedure so you can temporarily open up access if the manufacturer, your ISP (Internet Service Provider), or your systems integrator (like me) needs to tap into it. (Don't forget to close it up afterward.) Leaving this access open is the second most common mistake that I see.

The simplest router/firewall-based security feature is Network Address Translation, or NAT. It translates non-routable addresses that your individual computers can use into the real address of your router, which is visible to the outside world. It also solves the problem of having more computers and other network devices than you have assigned real IP addresses. NAT is reasonably effective on its own for non-controversial, not widely known sites that have no internal Web, mail, or other servers that need to be accessed from the outside world. NAT is not perfect. It can be hacked, but only if someone is willing to make the extra effort to monitor your traffic. Using NAT alone is like buying only a basic insurance policy. You have to decide just how risk-averse you are given your particular circumstances. If you want something more than basic, you have to pay.

Adding software firewalls to your computers is one way of overcoming some of NAT's weaknesses. The most common way, however, is to activate stateful inspection (your buzzword - or really buzz phrase - for the day) on your hardware firewall, and to program the firewall to filter out inappropriate traffic, both inbound and outbound. This is where some free, or heavily discounted, router/firewall combinations may be inadequate for your system.
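To make the three router behaviors discussed above concrete (ignoring management commands that arrive on the WAN port, NAT's rewriting of private addresses to the router's public address, and stateful inspection that admits inbound traffic only when it matches a flow an inside host opened), here is a small Python model. It is an added example written for this page, not the author's code and not how any real router is implemented. The addresses are from the documentation ranges, and the management ports, the outbound policy and the NAT port range are assumptions.

```python
from dataclasses import dataclass

ROUTER_PUBLIC_IP = "203.0.113.10"        # constructed (RFC 5737 documentation range)
MGMT_PORTS = frozenset({23, 80, 443})    # assumed: the router's own admin interface
NAT_PORT_BASE = 40000                    # assumed: first translated source port


@dataclass(frozen=True)
class Packet:
    iface: str       # "lan" or "wan": the side the packet arrived on
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNatFirewall:
    """Toy model of NAT plus stateful inspection on a small office router."""

    def __init__(self, allowed_outbound_ports=frozenset({25, 80, 110, 443})):
        self.allowed_outbound = allowed_outbound_ports   # assumed outbound policy
        self.nat_table = {}    # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.reverse = {}      # public port -> (priv_ip, priv_port, dst_ip, dst_port)
        self.next_port = NAT_PORT_BASE
        self.log = []

    def handle(self, pkt):
        """Return the packet to forward (possibly rewritten), or None if dropped."""
        return self._outbound(pkt) if pkt.iface == "lan" else self._inbound(pkt)

    def _outbound(self, pkt):
        # Outbound filtering: only services the policy permits may leave the LAN.
        if pkt.dst_port not in self.allowed_outbound:
            self.log.append(f"DROP lan->wan {pkt.src_ip}:{pkt.src_port} -> "
                            f"{pkt.dst_ip}:{pkt.dst_port} (outbound policy)")
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.nat_table.get(key)
        if public_port is None:
            # New flow: record its state so the reply can be matched later.
            public_port = self.next_port
            self.next_port += 1
            self.nat_table[key] = public_port
            self.reverse[public_port] = key
        # NAT: the private source becomes the router's public address and port.
        return Packet("wan", ROUTER_PUBLIC_IP, public_port, pkt.dst_ip, pkt.dst_port)

    def _inbound(self, pkt):
        if pkt.dst_ip != ROUTER_PUBLIC_IP:
            self.log.append(f"DROP wan->lan {pkt.src_ip} -> {pkt.dst_ip} (not for router)")
            return None
        # Remote management is turned off: commands on the WAN port are ignored.
        if pkt.dst_port in MGMT_PORTS:
            self.log.append(f"DROP wan->mgmt {pkt.src_ip}:{pkt.src_port} -> port {pkt.dst_port}")
            return None
        # Stateful inspection: admit only a reply to a flow a LAN host opened,
        # and only from the remote address and port that flow was opened to.
        state = self.reverse.get(pkt.dst_port)
        if state is None or state[2] != pkt.src_ip or state[3] != pkt.src_port:
            self.log.append(f"DROP wan->lan {pkt.src_ip}:{pkt.src_port} -> "
                            f"port {pkt.dst_port} (no matching state)")
            return None
        priv_ip, priv_port, _, _ = state
        # Reverse NAT: hand the reply to the private host that started the flow.
        return Packet("lan", pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """Run a constructed traffic sample through the model; returns the drop log."""
    fw = StatefulNatFirewall()
    fw.handle(Packet("lan", "192.168.1.20", 51000, "198.51.100.5", 80))   # web request
    fw.handle(Packet("wan", "198.51.100.5", 80, ROUTER_PUBLIC_IP, 40000))  # its reply
    fw.handle(Packet("wan", "198.51.100.7", 4444, ROUTER_PUBLIC_IP, 40001))  # unsolicited
    fw.handle(Packet("wan", "198.51.100.7", 5555, ROUTER_PUBLIC_IP, 23))    # WAN telnet
    fw.handle(Packet("lan", "192.168.1.20", 51001, "198.51.100.5", 6667))   # blocked outbound
    return fw.log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point the model makes is the one the column makes: NAT on its own only hides addresses, while the `reverse` lookup in `_inbound` is what turns it into stateful inspection, and the outbound check in `_outbound` is the "filter out inappropriate traffic, both inbound and outbound" step that a cut-price router may not offer.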

Firewall programming and maintenance take time and money, either for education and day-to-day log file and security bulletin tracking by in-house staff, or for outside organizations to do it for you. That is why this technique isn't done often enough or as thoroughly as is necessary to provide adequate security.

An additional option is to have your ISP activate a security feature at their end as a replacement for or (more likely) in addition to your own firewall. Presumably, they already have the staff needed to keep their system up to date. In addition to taking on all of the maintenance overhead, they can block Denial of Service (DoS) attacks, which you can't really do from the customer end of a broadband connection.

That's it for my limited summary of the security responsibilities that you take on when you fire up your broadband connection. You need to take this subject very seriously, or you will regret it.

©2001, Wayne M. Krakau