Are Consumer-Grade Firewalls Really Secure?

With the growing demand for always-on high-speed Internet access, consumer-grade firewall boxes are becoming as common in computing as modems and mice. The prevalence of these devices makes sense, as network security and protection against intruders have become topics of great concern for home-office telecommuters as well as for IT staff in upscale corporations.

But despite the hype associated with popular over-the-counter security products, the general consensus among network security experts is that consumers are not protected if they rely solely on router hardware devices and software firewalls.

Consumer-grade network-address translation boxes are barely adequate for home users, according to Sigmund Fidyke, product and program manager for WatchGuard’s SOHO line. These devices, he said, are geared more toward the home user with low traffic and limited online exposure.

Knowing the Basics

The general consensus in the industry is that accessing the Internet with a dial-up connection doesn’t require much intrusion protection beyond an antivirus package. Once a dial-up user disconnects from the Net, the hacking threat is removed. When the connection to the Internet is made through broadband, however, an unprotected cable or DSL modem can present a more inviting target to hackers.

At the corporate level, IT departments typically install hardware-based firewalls to protect their networks. At home, users often rely on software firewalls to protect individual workstations and their networks from attack.

In both cases, routers connect one or more computers to a broadband connection. Consumer-level routers — such as those made by Linksys, Netgear and D-Link — contain simple network address translation (NAT) capabilities. They enable a LAN to use one set of Internet Protocol (IP) addresses for internal traffic and a second set of addresses for external traffic. Such NAT boxes handle all of the necessary address translations.

“A NAT box doesn’t broadcast your machine’s IP address, so it’s a little hidden,” said Fidyke. “But NAT boxes don’t protect you once a hacker finds your open connection.”

In terms of security, basic NAT boxes offer little more than packet filtering, a technology that can block traffic coming from a specific IP address or coming in on a specific protocol — such as e-mail, FTP, HTTP and so forth. Packet-filtering firewall devices look at each data packet entering or leaving the network and accept or reject it on the basis of user-defined rules.

A better level of security, according to Fidyke, is to purchase a device that uses stateful packet inspection — a technology that goes beyond simple packet filtering by tracking each transaction to ensure that inbound packets were actually requested by a user inside the network. Packets that fail this inspection at any of the layers examined are blocked.

How Good Is Your Firewall?

Consumers shouldn’t trust entry-level firewall hardware and software, Paul Henry, vice president at CyberGuard, told TechNewsWorld. Both, he said, are incomplete security solutions.

“Router/NAT boxes only have security by obscurity,” he said. “They provide only a one-way block. NAT boxes show closed ports, but they don’t prevent outbound connections through ports 80 or 25.” A real firewall, he suggested, should deny all outbound access unless explicitly allowed. Some consumer-grade software firewalls have been moving in this general direction — particularly with vendors like Symantec and Zone Labs implementing block-everything-unless-allowed features.

But most of the industrial-strength firewall vendors would not suggest using these. Henry, whose company provides security appliances for governments and commercial enterprises around the world, is critical of the hype associated with NAT boxes and consumer-grade firewall software. “Throughout the security industry, vendors dupe customers,” he said, adding that product performance claims lead users to think they are more protected than they are.

Mark Adams, IT specialist for the Home Loan Center site, noted that there are two general categories of firewall protection. One targets the home user; the other is commercial grade for business and industry users. “Both hardware and software products in the consumer level provide a false sense of security,” Adams said.

Settings Measure Security

Despite the inherent weaknesses associated with consumer-grade NAT boxes and firewalls, tweaking the settings can raise your level of protection. According to Adams, even larger companies don’t take advantage of optimum security settings in their industrial-strength hardware firewalls. The number one mistake consumers make is not changing the default password for access to their routers. If all a hacker has to do when he or she finds an open Internet connection is enter the factory default password, all of the security features in the router can be bypassed.

Equally essential is keeping every system on a home network up to date, with the latest security patches installed. Worms and viruses can gain access to computers through newly discovered security holes in Windows. Microsoft releases patches regularly, and it is important to use the Windows Update feature to patch these holes as the patches become available.

How about that wireless router? Intruders can easily piggyback their way to your data if you haven’t turned on the WiFi encryption feature or haven’t locked down your WiFi router by MAC address. You can also set most routers so that they won’t broadcast their network names.

An additional security tweak is to turn off all nonessential ports. If software you use to access the Internet needs access to a specific port, then turn on that port. Many default settings leave all ports open, creating a floodgate of opportunity for hackers to enter at will. In this area, the latest versions of Symantec’s Internet Security and Zone Labs’ ZoneAlarm software can prove to be useful for consumers. These packages have features that let users block all Internet traffic on all ports unless specifically allowed.
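As an added illustration (not code from the article or from any vendor it mentions), the following Python simulation contrasts the stateless port filtering described under "Knowing the Basics" with the stateful, default-deny behaviour recommended in that section and in the port-closing advice above: the stateful filter tracks connections a LAN host opens and admits inbound packets only as replies to them. All addresses, ports and packets are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str     # "out": LAN -> Internet, "in": Internet -> LAN
    syn: bool = False  # True for a connection-opening packet

def stateless_filter(packets, open_ports):
    """Basic NAT-box rules: every outbound packet passes; an inbound packet passes if its
    port is explicitly open or in the high range left open so replies can get back in."""
    verdicts = []
    for p in packets:
        if p.direction == "out" or p.dst_port in open_ports or p.dst_port >= 1024:
            verdicts.append("accept")
        else:
            verdicts.append("drop")
    return verdicts

def stateful_filter(packets, allowed_outbound_ports):
    """Default-deny both ways with connection tracking: a LAN host may open a connection
    only to an allowed service port, and inbound traffic is accepted only as a reply."""
    flows = set()  # (lan_ip, lan_port, remote_ip, remote_port) of connections the LAN opened
    verdicts = []
    for p in packets:
        if p.direction == "out":
            flow = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
            if p.syn and p.dst_port in allowed_outbound_ports:
                flows.add(flow)  # user-initiated and policy-approved: start tracking it
            verdicts.append("accept" if flow in flows else "drop")
        else:
            flow = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)  # same flow, reply direction
            verdicts.append("accept" if flow in flows and not p.syn else "drop")
    return verdicts

# Constructed sample traffic: one legitimate web request and its reply, then three
# packets nobody on the LAN asked for.
TRAFFIC = [
    Packet("192.168.1.10", 50000, "203.0.113.5", 80, "out", syn=True),    # user opens HTTP
    Packet("203.0.113.5", 80, "192.168.1.10", 50000, "in"),               # server's reply
    Packet("198.51.100.7", 4444, "192.168.1.10", 50002, "in", syn=True),  # unsolicited inbound
    Packet("192.168.1.10", 50001, "198.51.100.9", 6667, "out", syn=True), # unapproved outbound
    Packet("198.51.100.7", 5555, "192.168.1.10", 25, "in", syn=True),     # inbound to closed port
]
```

With port 80 open, `stateless_filter(TRAFFIC, {80})` accepts the unsolicited inbound packet and the unapproved outbound one; `stateful_filter(TRAFFIC, {80, 443})` drops both while still passing the web request and its reply.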

The Last Resort

CyberGuard’s Paul Henry told TechNewsWorld that much of the problem with Internet security is caused by cable and DSL users who are not aware that they need to be proactive in their pursuit of good security strategies. But, in general, he said, computer users at all levels are not as well informed as they need to be on security issues.

“People just don’t have a clue,” he said, noting that they think if they have an antivirus program installed, they aren’t at risk.

“Virus software is a last resort,” Henry said about alternatives to hardware and software firewalls. “Software firewalls can be reliable, but low-end products can be penetrated.”

It is unlikely that home users will purchase expensive security appliances to protect their home networks from intrusion. In light of this fact, consumer-grade software and hardware makers are developing products that are more sophisticated and will better protect consumers against malicious threats.
