Personal Firewalls at Home
In the early days of cable Internet at home, people discovered they could click on Network Neighborhood and view other computers in the same cable segment. If those other computers had resources shared, you could access them. Plunking in a personal firewall to block the specific connections used by Windows shares stops your neighbors from accessing your computer this way. A personal firewall can be a tool to protect your own privacy.
Here we discuss other risks that are of particular concern to the home user. Then we discuss the points you'll want to keep in mind as you select the personal firewall that is right for you.
Home users share the same risks as corporate users. You might not think that you make an attractive target. After all, what juicy industrial secrets do you have? Where's the brag factor in hacking your computer? Think about the type of data you store on your home computer. How could it be useful to someone else? Do you keep detailed personal financial data on your computer? Like me, do you use software to file your taxes? Your social security number is in that electronic file. If someone managed to steal it from your computer, they would be one step closer to stealing your identity and could pose as you to credit card companies and others.
If you are a dedicated worker, you probably bring work home to do on your own time. Many people find this practice allows them to spend time with their family and still put in the hours necessary to do a good job. Companies generally support such practices; after all, they get work out of you for free. However, when you bring work home, you are asking your employer to accept the same risks to that information that you have accepted for yourself. This risk may be unacceptable to your employer. If there are firewalls, intrusion detection systems and authentication requirements to protect data on the corporate network and you drive home with a floppy full of proprietary data, how can the safety of this information be ensured? What would your employer say if they learned you put that data on an unprotected computer connected to the Internet? Will you still have a job if that information is compromised? Can you afford to take this risk?
The first step in dealing with company data on your home computer is to check out your company's policy concerning working at home. The corporate IT department may already have considered the problems with such a practice and addressed them through policy. They may require that you use a company-supplied computer. They may require that you install antivirus and a personal firewall supplied by the company.
Your employer may have concerns regarding data that a firewall cannot address. If other people use your computer, you may need to take steps to ensure that only authorized people have access to the work data. So, you will have to find a way to keep your kids from accessing your files. A firewall is not going to help you here. You need to be aware of corporate policy regarding work at home.
A remote connection to the corporate network poses another threat to your employer. You don't want to allow someone to use your computer as a gateway to the corporate network. For example, let's say you can connect to your office through a virtual private network (VPN). One day, while not connected to the VPN, you are infected with the virus QAZ. This virus creates a backdoor that will allow a remote user to connect to and control your computer. Later, you establish the VPN connection to your office. Under certain conditions, a remote user can connect to your computer via the QAZ backdoor, then through your computer to the corporate network. The remote attacker can now access corporate resources as if they were you. It was widely speculated that this was the method used in a 2000 incident where someone managed to access the source code for Microsoft products on their network. Microsoft has not confirmed this speculation.
Your computer is also attractive to someone who is trying to break into an entirely different location. By compromising your computer, your machine can be used to launch an attack on the real target. When the real target starts to trace the attacker, they'll come to you. The attacker is hiding his tracks. This technique is equally handy for targeted attacks ("Gee, I feel like hacking NASA today") as it is for setting up a distributed denial of service (DDOS) against a given site (see Figure 41). Recall the incident in February 2000 where yahoo.com was taken out of service? The Yahoo! incident was a result of a DDOS. Many innocent, unprotected computers were used to send traffic to the Yahoo! servers. The high traffic levels meant that the Yahoo! servers were flooded and unable to respond. It was an attack against the availability of the Yahoo! site. Finding the person or people responsible, though, was made very difficult by the distributed nature of the attack.
FIGURE 41 DDOS attack. Here, an attacker has managed to collect a network of computers infected with the Trinoo DDOS tool. The attacker then sends a command to the Masters instructing them to contact the Daemons, or slaves, to contact the victim. The victim is now tied up trying to deal with the flood of traffic from the Trinoo daemons and cannot respond to legitimate requests.
Now that you have looked at some of the risks to you, as a simple home user, it's time to create your personal security policy. This policy, however informal it may be, will help you focus your security efforts. There is always more you can do; more patches, more security updates, more fiddling with your operating system, maybe even a more secure operating system you can install. What do you really need? What are you willing to spend time on? And what conveniences are you willing to give up? It's true, security and usability are inversely related. It is harder to use a well-secured computer. You have to decide where the balance lies.
A sample policy might simply state that you want to be able to browse the Web, download files (FTP), retrieve your email, and connect to your office virtual private network (VPN). You do not have any services (like a Web server) running on your computer that you want to allow others on the Internet to access. We can keep this policy in mind as we look at products.
We're going to use this sample security policy as we work through some of the points in this chapter. We shall only deal with the sections of a security policy that can be addressed through the use of a firewall. If you want a more complete example, refer to the sidebar titled "Sample Security Policy" in Chapter 1.
allow outgoing traffic to:
HTTP, HTTPS to anywhere
FTP to anywhere
email to mail server
VPN client to employer
DNS to DNS server
no unsolicited incoming traffic
So, we need a personal firewall that will allow us to set up these simple ruleseasily. We'll probably discover there are applications we want or need to use that won't be allowed by this security policy, so let's keep alert to any changes we may need to make.