Wednesday, October 29, 2008

Firewalls

I (somewhat surprisingly, to me at least) got some interesting feedback on yesterday's post about testing your firewall.

Anyone who doesn't use dial-up (e.g. AOL) needs to have a firewall, and this includes you Mac and Linux fanboys. A firewall is the Internet equivalent of a one-way valve - you can connect to the Internet through it, but the Internet can't connect to you. Firewall software has been shipping in all sorts of things for quite some time now, and it's very likely that if you have a low cost Internet router (like a Linksys), it comes with firewall capability, no extra charge.

This isn't a panacea - it's not for nothing that I keep repeating Borepatch's Law of Security:
"Free Download" is Internet-speak for "open your mouth and close your eyes."
Firewalls have gotten very good, at least as far as home users are concerned. They are very effective in stopping attacks that we used to see all the time. That is, they are if they're turned on. If the firewall software is disabled, then your home computer is almost certainly riddled with malware. So you should check it out by using one of these online scanners (note: while I think Steve Gibson has an over-the-top description of what's happening, his scanner is safe and effective).

When you run it, you should expect to see solid green in the results. This means that you're entirely invisible to the Internet, at least until you connect there with your browser, iTunes, etc. Even then, only what you're connecting to will be able to communicate with your computer. This is A Good Thing, because it means that you don't have to scramble to patch the Windows Vulnerability From Hell.
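The "one-way valve" above, and the "solid green" scan result it produces, can be modelled in a few dozen lines. The following is an added illustration, not code from this post: a toy stateful packet filter that lets the inside host open connections, admits only the replies to flows it has tracked, and silently drops everything the Internet initiates. The addresses (192.0.2.10 for the home PC, 198.51.100.7 for a web server, 203.0.113.99 for a scanner) and the packet trace are constructed sample data, and the class and function names are my own.

```python
"""Toy stateful packet filter modelling a home firewall's one-way valve.

Added illustration, not code from the post. Addresses and the packet
trace below are constructed sample data; 192.0.2.10 stands in for the
home PC behind the firewall.
"""

from dataclasses import dataclass

HOME_IP = "192.0.2.10"  # the host behind the firewall (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a TCP SYN that opens a new connection


class StatefulFirewall:
    """Default-deny inbound; track only connections the inside host opens."""

    def __init__(self, inside_ip):
        self.inside_ip = inside_ip
        # 4-tuples (inside_ip, sport, remote_ip, dport) of flows the host opened
        self.established = set()
        self.log = []

    def filter(self, pkt):
        """Return 'ALLOW' or 'DROP' for one packet, updating connection state."""
        if pkt.src == self.inside_ip:
            # Outbound traffic is always allowed; a new outbound SYN creates a
            # state entry so the remote side's replies can come back in.
            if pkt.syn:
                self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            verdict = "ALLOW"
        else:
            # Inbound traffic is allowed only if it is the reverse direction of
            # a flow the inside host opened; everything else is dropped silently.
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            verdict = "ALLOW" if reverse in self.established else "DROP"
        self.log.append((pkt, verdict))
        return verdict


def run_trace(fw, packets):
    """Filter a list of packets in order and return the verdicts."""
    return [fw.filter(p) for p in packets]


def probe_all(fw, remote_ip, ports):
    """Model an outside port scan: every unsolicited SYN should be dropped."""
    return {p: fw.filter(Packet(remote_ip, 40000, fw.inside_ip, p, syn=True))
            for p in ports}


# Constructed trace: the PC browses to a web server and gets the reply, then an
# unrelated host probes ports 445 and 80, and a "reply" arrives for a port the
# PC never opened.
TRACE = [
    Packet(HOME_IP, 51000, "198.51.100.7", 80, syn=True),   # PC -> web, SYN
    Packet("198.51.100.7", 80, HOME_IP, 51000),             # web -> PC, reply
    Packet("203.0.113.99", 40000, HOME_IP, 445, syn=True),  # unsolicited SMB probe
    Packet("203.0.113.99", 40001, HOME_IP, 80, syn=True),   # unsolicited web probe
    Packet("198.51.100.7", 80, HOME_IP, 52000),             # reply to a flow never opened
]


def demo():
    """Run the constructed trace through a fresh firewall."""
    return run_trace(StatefulFirewall(HOME_IP), TRACE)


if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, demo()):
        print(f"{verdict:5} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    scan = probe_all(StatefulFirewall(HOME_IP), "203.0.113.99", [21, 22, 80, 135, 139, 445])
    print("scan:", scan)
```

Only the two packets belonging to the connection the PC opened get through; the two probes and the stray "reply" are dropped without any response, which is what a clean, all-green result from an outside scanner is telling you. The `probe_all` function plays the scanner's role against a fresh firewall: because the inside host has opened nothing, every port comes back as dropped.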

Corporate firewalls are a whole different kettle of fish that I won't get into here. If you're interested, start with this.

Mac and Linux fanboys need to do this, too. Remember, you're both running Unix, which has tons of server processes (well, some, anyway). Linux fanboys probably already know this, and know that if they run sendmail, they need to set up a Firewall/DMZ configuration with Snort. Mere mortals will live with Gmail. ;-)

Mac guys, make sure your firewall's on. You're a smaller target, but there's a ton of legacy BSD code in OS X, and lots of people know how to write exploits for BSD.

UPDATE 29 October 2008 21:29: Heh.
