Part 2 | Beginner’s Guide to Firewalls for Small Networks | Network Design

A firewall word cloud

Introduction

Two months ago I published Part 1 of this Beginner’s Guide to Firewalls series. Part 1 was called ‘What Hacker’s Don’t Want You to Know About Firewalls.’ It serves as an introduction to what became quite a large body of information, which I’ve struggled to organize and publish in a way that my readers could best utilize.

My main goal for this entire series is to provide important and current safety information to regular people…people who aren’t tech inclined and who have no desire to spend their days thinking about technology.

The first time I ever heard the term Firewall used in relation to computer networks was at the tail end of a 2-year ordeal my family experienced when a Botnet had taken over our home computer network. As we were in the last stage of banishing the Botnet permanently, we were discussing ways to prevent this from ever happening again. My husband, who’s a businessman operating his own small company, had recently installed a firewall for his business computer network. I was intrigued, and the more I learned the more I realized that a firewall was the one strategic move we could take that would assure this would never happen again.

Below: Part 1 of The Beginner’s Guide to Small Network Firewalls

Part 1 of my Beginner's Guide to Firewalls

Goals for This Beginners’ Guide to Hardware Firewalls

It may be a bit of an understatement to say that the average American just doesn’t seem to get very excited when discussing the latest advances in network technology. I’ve personally witnessed this on many occasions myself when my husband’s eyes begin to glaze over as I’m excitedly telling him about some cool discovery I made. Depending upon the time of day, his breathing may slow down just enough for me to know that unless something changes quickly he’ll most certainly doze off. Life experiences have shown me that the vast majority of people find network conversations to be repugnant and something to be avoided at all costs! That’s why I’ve tried really hard to keep this series both extremely relevant for my specific audience (households and small businesses that need reliable and consistent networks) as well as relevant regarding the technology and hardware I present for discussion. I do this by keeping focused on presenting only the latest, the greatest, and the broadest use types of hardware on the market currently, while at the same time presenting all of the information readers need to understand about hardware Firewalls and how they function within networks.

This Part 2 strives to advance that goal by explaining how Firewalls fit into small networks and by introducing the one factor, beyond the obvious safety features, which should receive the heaviest weight when making hardware selection decisions. Last, I discuss some additional factors to consider when deciding what type will be most appropriate in any given environment.

Firewalls in a Historical Context & Today’s Present Forms

It used to be that large companies were the only entities that installed hardware firewalls. Today’s world has changed drastically in that regard. Our daily news is often flooded with stories about new security vulnerabilities that impact almost everyone. Those, along with new forms of attacks by hackers, can have a harmful or even devastating impact upon the one form of technology used almost universally by people all around the world, so much so in fact that it’s come to be considered one of life’s basic necessities. I’m talking about our cell phones. They, alongside the common targets like computers and IoT devices, are now the primary vehicles for attack. Thankfully, there are many more forward thinking individuals who, although geographically strewn across the globe, have been quietly working towards the same common goal…addressing these new threats to our personal security long before many of the threats themselves have even emerged!

Office computer network center

Many of these individuals have been working on fulfilling their life’s goals…protecting people and their families from cyber threats…for many years. The challenges they face must be incredible, because oftentimes their plans to bring their devices to the market have been delayed by years. You can tell this by Googling something like ‘Home Firewall Appliances.’ You’ll find complete and professionally polished websites which show off new devices that sound amazing… but there’s no obvious means for someone to actually purchase the device shown. Nor can you even find launch dates for many of these new products. It was only after I spent hours and hours of research time that I was able to determine what the likely product life cycle was and when many of these new devices were hoping to launch.

Happily, it looks to me like most of the new devices that I found highly intriguing are actually finally launching now, or did launch in the very recent past, or will do so in the near future, most likely while we are still in the year 2017. Evidence of my excitement about these new launches can be ascertained by the fact that I recently purchased a device I’ve been watching for a few years shortly after it launched in August. Even further evidence is that I did so despite the fact that our family’s network is protected by an enterprise grade firewall…Sonicwall’s TX600. (I’d also recently purchased our current model when I upgraded our slower Firewall in March at a cost of $2500 + the labor costs to set up and install it.)

The new device I just bought is called a Fingbox. It cost $139 and I was able to set it up myself! I love it and will discuss it in greater detail in several future parts of this series as well as in a stand-alone post I’m currently working on. But if you’re really interested you can read what I wrote about it the day that I discovered that it was finally available for purchase.

Fingbox is a brand new device that will protect against Krack Attacks


To wrap up this introduction, I’ll also touch upon how firewall appliances go about their job of protecting the small network they are installed in…but in a very general way in Part 2 of my series. I’ll delve much deeper into that subject in future sections. I’ll also discuss a number of newer advances and twists Firewalls have undergone to engage directly in combatting the plethora of online dangers which are seemingly lurking at every turn, threatening to destroy the generally pretty good levels of Internet safety that we’ve reached as a whole despite the continual bombardment of negative indicators. These circumstances point to the eventual and inevitable adoption, by greater numbers of people, of a host of new high level kinds of technology that are rapidly appearing on the market.

Network 101 | Basic Network Design

If you read Part 1 of this Firewall Series, you’re probably wondering how exactly firewalls go about providing the extra protection to networks that they do…and perhaps you’re even interested in learning more about how they really work. I’ll try to explain as much as I understand, but truthfully, firewall technology is so incredibly complex and powerful that the intricate details regarding firewalls’ inner workings usually tend to go above my head. There’s a good reason most network engineers have had years of specialized training in their field!

An easy way to understand the role that firewalls play is to look at how they are incorporated into the actual configuration of a network. Typical small networks use a modem to receive a signal from their internet provider which supplies them with the ability to use the internet. Usually modems just have one port in and one port out, so that modem is then connected to a router which divides the signal, making it available to more than one device.

The router may have several LAN ports for computers or other devices to plug into for a wired connection. This is the best and fastest connection that you’ll get on any network. But the router also usually creates a wireless network too, by broadcasting radio signals that any wireless devices can find and connect to.

While these are great and they are what’s driven the whole mobile technology industry to become one of the fastest growing industries around today (along with cellular networks, of course), wireless networks just can’t approach the speed that their wired counterparts do.

Throughput Should Probably Be Your Most Important Consideration When Purchasing A New Firewall Appliance

While these speed considerations are getting off the track for purposes of my firewall example…they are nice to know about. But I’ve mentioned them for another, more important reason too.

There can be a downside to using a firewall that needs to be factored into the equation when someone is considering getting one. The main downside is the firewall’s impact upon your network’s speed.

Generally, internet service provider alternatives are differentiated by one main factor, which in recent years is usually referred to as bandwidth. Bandwidth is most often quoted in ‘megabits per second’ or ‘Mbps.’ Most internet service providers (ISPs) offer several speed options…typical ones today may be 15, 50, 100 or 300 Mbps down and a smaller number (or, if symmetrical, an equal number) like 5-15 up. (That scenario holds true for most of the United States…unless you’re really lucky and live somewhere where gigabit speeds are available…usually via Google or fiber optic technology…then your bandwidth speed may be measured in gigabits instead of megabits.) It’s this number and the speed of service it represents that can and usually does take a significant ‘hit’ from the addition of a firewall.

How much of a hit has been the subject of lengthy discussions, but the main takeaway is that there is a way firewall makers designate their devices’ impact upon this bandwidth, which is referred to as throughput.

Throughput’s definition is essentially the bandwidth speed you should expect to be available to you once all firewall services you’ll be utilizing have been factored into the equation.

Your final throughput number may be ascertained once the specific set of tasks your firewall will perform is determined. Most often these overall throughput numbers for any given individual situation are derived by a network engineer. They can usually calculate it using a base number provided by the firewall manufacturer’s specifications for any of their models when all of their standard security services are turned on at the same time. From this number they then subtract any services their specific client won’t be utilizing. Figuring this part out isn’t easy, nor is it set in stone, because networks aren’t static…they’re dynamic…meaning they’re constantly changing…so this number in practice will constantly fluctuate too. The aim then tends to be more of a range than it is a single number.

While this final throughput number may be hard to figure out, it’s really important to ascertain before you make your final decision regarding which firewall you should purchase (or, if you have it narrowed down to one brand…which particular model within their lineup). Ideally a firewall maker should be able to give you a rough estimate of what their product’s overall throughput will be in your unique environment.

The reason this is so important to ascertain beforehand is because whatever number (or range) it ends up being, this throughput calculation is then used to determine what your overall network bandwidth will be after it’s subtracted from that bandwidth number your ISP promises you. The remainder from that equation will become the actual bandwidth speed that your network will operate at after the firewall appliance is incorporated into your network.

Believe me, I wish someone had told us all this the first time we added a traditional firewall appliance into our home network. Sadly, many firewall manufacturers still don’t volunteer throughput data. Oftentimes home buyers will only get that information if they specifically ask for it.

Where do Firewalls Get Placed in Most Network Configurations?

At some point along the way when someone is making the decision to purchase their first hardware firewall they’ll begin to wonder where exactly their hardware firewall will fall in their own network’s configuration.

Firewalls are almost always situated in front of the router in a network’s design…meaning that they are as close to the main source that’s providing the entire network technology as is possible. In most cases with home networks that very first network device is a modem…or a combination modem and router.

It’s most likely that a new hardware firewall will plug into and occupy the one and only outgoing port found on the network’s modem, taking the usual position of your router. The reason for doing this is so that the firewall acts as a sort of clearing house of all web data for any and all devices within a network. All data coming into or going out of that network, must first go through the firewall.

If you’re wondering what happens to the router then, there are 2 likely scenarios. Either the firewall itself has routing functionality built into it and it takes the place of the router completely, or the router plugs into the firewall and becomes the 3rd device in the network’s chain…because unlike modems, firewall appliances usually have several outgoing ports.

A botnet master oversees botnet activity


Other Important Factors to Consider When Purchasing a Firewall Appliance for Home and Small Business Networks

IoT Device Considerations

In some cases a firewall has enough ports to serve all of the network’s needs for LAN connected devices. But as more kinds of equipment are being built with internet connectivity, especially the kinds of things collectively known as the ‘Internet of Things’ (or IoT devices for short), these also need ways to connect to the network.

What kinds of devices are included under the IoT moniker? Examples of some common IoT devices are those which people use to create ‘smart homes,’ which can encompass many different small devices like light bulbs, smart outlets and switches and thermostats, and also much larger ones such as refrigerators, furnaces, cars and even entire security systems.

Security Cameras | A Unique Group of IoT Devices Pose a Conundrum

Security systems often employ the use of cameras. The cameras themselves fall into one of 2 categories. They can be IP cameras which are an older technology but still the most widely used because IP cameras are relatively inexpensive. They are usually sold in multi-packs so they can protect larger areas than the newer entries in the market which are commonly called standalone or single wireless cameras. If you do a Google search for security cameras, probably 95% of what you’ll find are IP cameras…which may also be referred to as CATV or internet cameras. IP cameras are complete systems which require the use of some kind of receiving DVR for recording the captured video streams. IP cameras come in many different forms too. The most popular of these are bullet and dome styles.

Standalone wireless cameras emerged from the smart home industry. These cameras don’t require much setup or a DVR for recording, so they’ve become popular for DIY’ers. Some popular models in this category currently include ones by Nest, Canary and Netgear’s Arlo cameras. PC Magazine recently reviewed some of the best in this category in this article.

In this article by Safewise security cameras are categorized by indoor versus outdoor usage. The indoor cameras they include are all of the newer stand-alone variety…but their categorization is somewhat skewed because there are good stand-alone outdoor cameras too. The outdoor cameras they talk about all fall into the IP category, but again their categorization isn’t entirely correct because IP cameras are also the ones most commonly used in indoor settings too. The reason I’ve included their article is because, despite the slightly misleading categorization, the article does a good job describing the kinds of features found on both types of cameras.

How IoT Compounds Networks’ Security Problems

In general these many different new types of devices don’t use very much of the network’s one main resource…which is generally referred to as bandwidth. But they do contribute to increasing the overall complexity of a network in 2 important ways.

First of all, these IoT devices, when added to the regular communications and computing devices which are more typical in a small network (computers, tablets and cellphones), can drastically increase the physical size of the network. Each device needs either a port to plug into the network or a wireless receiver built into the IoT hardware to receive the router’s wireless broadcast signal.

Brief Look at How Smart Light Bulbs Work

Oftentimes really small devices like light bulbs use an extra piece of hardware strictly for purposes of communicating with the network…this additional hardware, which is commonly called a bridge, may or may not be bundled with the IoT device itself when it’s purchased. So if anyone is thinking about buying smart light bulbs, it’s important to know that you may be required to buy this bridge separately too…which is something I didn’t know myself at first.

Incorporating smart light bulbs into a network then means that the bridge device plugs into the network and it broadcasts a Bluetooth signal out (which is just a very short-range kind of wireless signal) for the lightbulbs to find and connect to.

The net effect of adding even a few smart light bulbs is that the network size is increased…it has more devices connected to it. This alone doesn’t really have any negative consequence beyond making the overall network diagram appear more complex and, because of its size, making the network more difficult to manage.

The 2nd way that all these devices impact a network is that they create more opportunities or targets for hackers to attack. Because the IoT industry is an emerging industry, a large portion of these devices don’t have very good security measures built into them. What’s worse is that there is usually no way that users can alter the security of these devices. Any built-in security measures would usually reside in the device’s firmware and users don’t have any means of accessing it. Inherent to these kinds of devices’ simplicity is the fact that it’s close to impossible for their makers to send out firmware updates…because there isn’t any good way to install updates. So, while they are cool, fun to use and helpful in many ways, they can also act as an open invitation to hackers. Here’s a link to one of the most recent attacks on IP cameras, which ironically are most often used for security systems.

One way to keep safe from botnets


What Attracts Hackers Today

You’d think that something as insignificant as a light bulb wouldn’t interest hackers…but it does. These devices are attractive because when you take a whole lot of them and combine them together you gain something that’s a desirable commodity in the hacking community…armies of zombie devices that will do their bidding.

Some of my readers may remember the post I wrote about how my family’s network was taken over and made part of a Botnet. While that seemed an unlikely scenario then, we know that Botnets are still a huge problem even now. Hackers find IoT devices so attractive today because there are so many of them and most lack even basic security. There are quite a few of these massive Botnets that are used to commit cyber crimes against corporations, and even against individuals like my favorite security news source, Brian Krebs.

I was really surprised recently to discover that many of my friends weren’t entirely sure of what a Botnet really is. Here are a few quick YouTube videos which explain Botnets, how they are formed and how they function.

ESET Botnet Video

What is a Botnet? by the InfoSecurity Academy

What is a DDOS Attack by a Botnet

Hackers Are Businessmen and Botnets Offer Big Business Profits

In today’s world hackers are usually businessmen (although recent focus on this topic at the widely popular SXSW Conference in Austin, Texas seemed to indicate this might be changing, and that a new breed of teenage hackers might soon disrupt this reality).

In recent times, however, hackers haven’t hacked into things for the fun of it. They hack for profit. Botnets are one lucrative avenue towards that goal. The most successful Botnets are leased out to other hackers who need them to carry out attacks against corporate computers or servers that provide large-scale computing services to some of the biggest companies in the world. It’s often these servers, which most regular people have never heard of, that are the main targets of hackers.

The main attacks aimed at these service providers employ the combined power of thousands of IoT devices and are a type of attack known as a DDoS attack. In a typical DDoS attack, a company’s computers are barraged with thousands upon thousands of requests that ultimately overwhelm them so much that they simply come to a grinding halt and are unable to function in any meaningful way. When servers are hit they may also take down all of the clients they are serving…raising the victim rate exponentially. That’s exactly what occurred in a recent attack against a company no one’s ever heard of called Dyn.

On October 21, 2016 Dyn was attacked by a huge Botnet known as Mirai, which controls thousands of IoT devices like printers, baby monitors, IP security cameras and smart home controllers.

Mirai Botnet


The attacks lasted for an entire day. Dyn is a service company that provides DNS services which help to map domains so that end users can reach their desired website. When Dyn was attacked this mapping service was disrupted and at least 70 well known companies were affected, including companies like the Wall Street Journal, Twitter, Airbnb, Amazon, Netflix, Comcast, HBO, Fox News, Reddit, Etsy, Walgreens, Zillow, Pinterest, PayPal and many more. As the day progressed one news source after another proclaimed that more than 1/2 of the Internet was completely shut down.

The number of Botnets created to harm other systems is rising, as discussed in this recent MIT Technology Review article. It will continue to do so until manufacturers begin adding serious security measures into these devices.

These types of attacks are one of the key reasons that every home and business user should consider protecting their network with a firewall.

MIT Technology Review Article on Botnets Growth


But what can we as individuals do about this? If you like all of the benefits that IoT devices offer, and you plan on turning your home or office into a modern smart environment by using many different IoT devices to address many different functions, then installing a hardware firewall at the front end of your network may prove to be your best defense. If you were to install one of the all-encompassing traditional firewalls, it too can be configured to provide coverage for IoT devices. But as we’ve recently learned, there are a few newer, less expensive firewalls which are designed specifically to protect IoT devices. This emerging market promises much better solutions for individuals and families who use small networks they’ve set up themselves. Parts 3 and 4 in this Beginner’s Guide to Firewalls will cover several of these newer device types and discuss the varying, unique, and sometimes brilliant approaches their developers have utilized to make inexpensive hardware perform incredibly complex tasks.

Learn How to Secure Your Home Network’s Modem Here 


About vsajewel

Hi...I'm the author of 2 main blogs on WordPress...vsatips...where I write tech tips for mobile devices...primarily ios...2nd is vsatrends...where I write less about tech things and more about everything else. I also host a YouTube channel which I use to better illustrate some of the 'how to's' in my posts. I love everything about technology. Currently, my main interests/platforms are ios, Windows and Amazon Echo. Recently I decided we were spending way too much money with our local cable provider. So I decided to cut the cord. There is a definite learning curve, especially the antennae part, but we successfully did that and are now saving a boatload of money, so I write some about that. I also am extremely conscientious about security because of an event my family endured, so I write a lot about that too. Two sub-categories of security I tend to focus on are the password manager Dashlane and Hardware Firewalls. Last, I take a lot of notes and have been a beta tester for Evernote for many years. I love Evernote! In recent years Apple has beefed up Apple Notes a lot...so it’s become a fairly serious note contender...as long as it’s OK if you lose or mess up all your Apple note data. I write about those 2 note platforms primarily.