
Defense In Depth: Firewalls, Part 1

Let’s continue this mini blog-a-thon by talking about a concept called Defense In Depth. In essence, this is really nothing more than not relying on any one system to protect your computer.

There’s actually a very good reason for this. If one component of your defense mechanism fails, you have a fallback system. Think of it as having a building surrounded by two fences. If an intruder cuts a hole in the first one, they still need to get through the second one before they can get to your building (where they will hopefully encounter bars on the windows, triple-locked, double-bolted doors, security systems, cameras, maybe armed guards, attack dogs… get the picture?).

Another good reason is that many pieces of your Defense in Depth system are designed to protect against only one kind of threat. For example, firewall software is designed to keep unwanted traffic out of your home network and computer, but it can’t tell whether something you allow (like Internet traffic) contains a virus, so you need anti-virus software to do that. We’ll be covering several components of a recommended Defense in Depth as the mini blog-a-thon progresses, so if this doesn’t make sense, hang in there!

I also want to apologize in advance for the “quality” of the following posts. As I mentioned in my last post, I deviated from my planned topics and I simply don’t have any links to free versions of the types of software that I’ll be recommending. Hopefully I’ll be able to rectify that sometime in the days to come. In the meantime, I’m going to recommend some products that will cost you a bit, but in most cases, they will cost you less than $20 per computer per product and are made by reputable companies. These posts will also tend to be longer than most; since they weren’t really prepared in advance, I haven’t had time to do a bunch of nice editing on them…

With that out of the way, let’s talk about firewalls, shall we?

A firewall is a system that is designed to look at network traffic and either block it or allow it, based on rules that you set. Best practice states that a firewall should deny all traffic at first, and that the traffic you actually want should then be passed by making exceptions to your “block all” rule. That way, your web browser, email, and other important information can still flow to your computer and network while the stuff you don’t want is blocked.

There are two types of firewalls. The first type, hardware, works much faster than the second type, which is software based. A hardware firewall usually operates on a dedicated piece of equipment called a router — and you may have one of these in your home or office and not even realize it! If you have a DSL connection for your small network, you have a router, and chances are good that you have a hardware firewall on it. I’ll cover these “small routers” in an upcoming post and give you some tips on getting the maximum security benefit from these routers.

A software firewall sits on a piece of hardware but it’s not “baked” into the system. You have to download it and install it, and as you can probably surmise from that statement, it is usually installed on a computer. It does run a bit slower than a hardware firewall and can slow down your computer a little bit, but in most cases, the additional protection it provides is worth the small cost in terms of money and performance.

In short, if possible, I recommend that you use a hardware firewall at the perimeter of your network (or where it connects to the Internet), and in most cases, the firewall component of your DSL modem will work just fine. You should also download and install a software firewall for your computer, and for that, I’m going to recommend Kerio Firewall, which is a product of Sunbelt Software. Kerio is a top-notch firewall product that is backed by the resources of Sunbelt Software. Even better, you can get a free trial of Kerio Firewall by clicking on that link. If you like it, just pay the small registration fee; if not, simply uninstall it and look for something else. But whatever you do, use both a hardware and software firewall.
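To make the two ideas above concrete (the “block all, then add exceptions” rule order, and running a router firewall at the perimeter plus a software firewall on each computer), here is a small simulation. It is an added example written for this post, not code from the post itself or from Kerio or Sunbelt; the addresses, hosts and rules are all constructed, and the behaviour of real products will differ in the details. Each firewall is an ordered rule list whose first matching rule wins, with an implicit “block” when nothing matches. Traffic from the Internet must pass the router first and then the destination computer’s own firewall; traffic between two computers on the same LAN never crosses the router at all, which is one reason the post insists on using both layers.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed home network used throughout this example.
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination port
    proto: str    # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "block"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR; None matches any source
    dst: Optional[str] = None    # CIDR; None matches any destination
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


class Firewall:
    """Ordered rule list; first match wins; no match means block (default deny)."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = rules

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "block"  # the implicit "block all" rule at the end of the list


# Perimeter (router) firewall: two exceptions to "block all" for inbound traffic.
# The second exception is deliberately too broad (remote desktop to the whole LAN)
# to show what the host firewall catches when the perimeter rule is sloppy.
PERIMETER = Firewall("router", [
    Rule("allow", proto="tcp", dst="192.168.1.20/32", dport=443),   # published web server
    Rule("allow", proto="tcp", dst="192.168.1.0/24", dport=3389),   # overly broad exception
])

# Software firewalls on individual computers; 192.168.1.30 has none installed.
HOST_FIREWALLS: Dict[str, Firewall] = {
    "192.168.1.20": Firewall("host 192.168.1.20", [
        Rule("allow", proto="tcp", dport=443),                        # web server only
    ]),
    "192.168.1.10": Firewall("host 192.168.1.10", [
        Rule("allow", proto="tcp", src="192.168.1.0/24", dport=445),  # file sharing from LAN
    ]),
}


def trace(p: Packet) -> List[Tuple[str, str]]:
    """Return the decision of every layer the packet actually passes through."""
    decisions: List[Tuple[str, str]] = []
    if ip_address(p.src) not in LAN:          # LAN-to-LAN traffic never crosses the router
        verdict = PERIMETER.decide(p)
        decisions.append((PERIMETER.name, verdict))
        if verdict == "block":
            return decisions                  # stopped at the first fence
    host_fw = HOST_FIREWALLS.get(p.dst)
    if host_fw is None:
        decisions.append((f"host {p.dst}", "no host firewall"))  # no second fence at all
    else:
        decisions.append((host_fw.name, host_fw.decide(p)))
    return decisions


def reaches(p: Packet) -> bool:
    """True if no layer on the path blocked the packet."""
    return all(verdict != "block" for _, verdict in trace(p))


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.168.1.20", 443, "tcp"),   # Internet -> web server
        Packet("203.0.113.5", "192.168.1.10", 3389, "tcp"),  # router lets it in, host blocks
        Packet("203.0.113.5", "192.168.1.30", 3389, "tcp"),  # router lets it in, no host firewall
        Packet("192.168.1.30", "192.168.1.10", 445, "tcp"),  # LAN file sharing, host allows
    ]
    for pkt in samples:
        print(pkt, trace(pkt), "reaches" if reaches(pkt) else "dropped")
```

The second and third sample packets are the point of the exercise: the same sloppy router exception admits remote-desktop traffic to every computer on the LAN, and only the computers that also run their own default-deny firewall drop it.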

Thanks for listening,
Tom

P.S. — The Windows XP / Vista firewall isn’t sufficient. I’m already a minute late for this post, so I’ll tell you more in the next one…

One Trackback/Pingback

  1. [...] is the first of a two-part blog post at News By Tom Brownsword on defense in depth. The writer describes the basic idea and discusses hardware (fast and [...]
