Inexpensive Firewalls for SOHO Environments


For the small office environment it is just too expensive to hire a full-time person to manage an enterprise firewall. However, you can still protect your LAN to a large degree by using a few simple products. There are both hardware and software firewall solutions. For example, cable/DSL routers use NAT, which helps to hide addresses of computers on the LAN so that hackers on the Internet will find it difficult to obtain that information. That's just the first step, however. For example, if your ISP gives you a static address that is valid on the Internet, the cable or DSL modem itself can be the subject of an attack, as well as the attached router. Thus, although clients inside your LAN might not be easy to get at directly, it could be very simple to reconfigure the router using the same type of software you used to set it up in the first place!
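The point above, as an added example that is not from the book: a minimal Python model of a port-translating NAT router, showing why LAN hosts are hard to reach directly while a WAN-side management service on the router itself is not. The addresses, port numbers and the `remote_admin_port` setting are constructed for illustration, and the model assumes the router only forwards replies from the exact remote endpoint a LAN host contacted.

```python
# Minimal model of a NAPT (port-translating NAT) router such as a cable/DSL router.
# All addresses, ports and the remote-admin setting are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

WAN_IP = "203.0.113.10"  # constructed static public address (documentation range)

@dataclass
class NatRouter:
    remote_admin_port: Optional[int] = None    # WAN-side management port, None = disabled
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port, remote)

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN host opens a connection: record a mapping and rewrite the source."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[wan_port] = (lan_ip, lan_port, remote)
        return (WAN_IP, wan_port)              # the only address the Internet side sees

    def inbound(self, remote, dst_port):
        """A packet from `remote` (ip, port) arrives at the WAN address."""
        entry = self.table.get(dst_port)
        if entry and entry[2] == remote:
            return ("forward", entry[0], entry[1])     # reply to an existing flow
        if dst_port == self.remote_admin_port:
            return ("router-admin", WAN_IP, dst_port)  # answered by the router itself
        return ("drop", None, None)            # unsolicited: no mapping, no LAN target

def demo():
    web = ("198.51.100.7", 80)                 # server a LAN client contacts
    stranger = ("192.0.2.99", 5555)            # unrelated Internet host
    hardened = NatRouter(remote_admin_port=None)
    exposed = NatRouter(remote_admin_port=8080)
    src = hardened.outbound("192.168.1.20", 51000, web)
    return {
        "seen_by_internet": src,
        "reply": hardened.inbound(web, src[1]),
        "unsolicited": hardened.inbound(stranger, src[1]),
        "admin_hardened": hardened.inbound(stranger, 8080),
        "admin_exposed": exposed.inbound(stranger, 8080),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The last two results are the ones to compare: with WAN-side management disabled the router drops the request, and with it enabled the router answers a host it has never talked to, regardless of NAT.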

Tip

Even if you use NAT and an inexpensive firewall, don't forget that one of the easiest ways to penetrate your LAN is to send a virus or another similar program to you as an email attachment. A good virus-checking program that is kept up-to-date with the latest virus definitions can help prevent this problem. I would recommend that you use a virus-checking program on every computer on your network, because a well-crafted virus can spread easily after it gets onto one machine on the LAN. The price you pay for a virus checker is insignificant when compared to the cost of restoring data, which itself may have been corrupted weeks or months before you discover the virus.


Hardware Solutions

Hardware firewalls are more expensive than software firewalls because the actual hardware itself costs more to produce. Software products can be replicated for a few dollars, including packaging. However, a hardware-based firewall is not beyond the reach of a SOHO environment. You just need to be sure that the firewall you purchase performs well, as described earlier in this chapter, and that the firmware can be upgraded when necessary. The latter may not be possible on an inexpensive hardware firewall, but it is a good feature to look for when making a purchase.

Following is a list of some typical hardware-based firewalls. This is not meant to be an exhaustive list or a recommended list, but instead is presented here to give you an idea of the variety of products available:

  • Cisco Systems www.cisco.com. Although Cisco is better known for its enterprise-level network hardware, it offers the SOHO 96 and small-business Cisco 831 routers. These routers feature SPI and support for IPSec VPNs (about $450). Other models incorporate cable or DSL modems.

  • D-Link www.dlink.com. This venerable manufacturer of inexpensive routers, switches, and other hardware products offers several routers with SPI firewall and VPN support that vary in price and capabilities, including DI-808HV for SOHO networks, and the DFL 200, DFL-300 and DFL-700 for small-business networks. Prices range from around $100 to $430. You can make a purchase online at D-Link's website, or from many online web vendors.

  • Linksys www.linksys.com. This popular manufacturer of network products makes several routers with SPI and other advanced firewall features. These include the BEFSX41 ($100; SOHO users with VPN support) and the RV0041, RV016, RV042, and RV082 ($170 to $410; SOHO and small-office users with VPN support).

  • Netgear www.netgear.com. Its line of ProSafe VPN firewalls includes SPI, with prices ranging from $65 to $190.

  • Sonicwall www.sonicwall.com. From SOHO to enterprise networks, this manufacturer has a solution. The TZ 150 and TZ 150 Wireless (802.11b/g) for SOHO and small-business networks feature SPI packet inspection, integrated antivirus and antispyware protection, and hardware acceleration for popular encryption standards for around $400 to $500. These products are sold through third-party resellers, and the website lets you choose by state so that you can find a local reseller. You can also call the sales office to find a reseller.

  • WatchGuard SOHO and Firebox SOHO Security Appliance www.watchguard.com. This company offers firewalls that range from SOHO appliances to enterprise-scale firewall devices. The WatchGuard Firebox SOHO 6, which comes with a 10-user license, can be had for around $300. This product offers VPN functionality, stateful packet filtering, and optional Web content filtering, among other features. Antivirus software is also included. The Firebox SOHO 6 Wireless has similar features, and includes an IEEE-802.11b-compatible wireless access point (around $430 to $500). To purchase either product, read the technical literature at the website and then select a reseller or an online distributor recommended by the company.

Tip

Although I don't usually recommend where to purchase network devices or software, I will in this case. After you have read the specifications for a firewall appliance you would like to purchase, it doesn't hurt to search the Internet to find a good price. Most of the discount sites, such as www.buy.com, will enable you to get the product at a discount off the manufacturer's suggested retail price. Oh, watch out for those shipping charges, though! Another feature that similar websites offer is a rating for each vendor. Don't necessarily go for the lowest price. Read about other users' experiences before you choose a reseller. For network hardware reviews, check out www.tomsnetworking.com (the network section of Tom's Hardware) and www.practicallynetworked.com.


Software Solutions

Many firewall solutions are based on software. One of the problems with this approach is that you must purchase a copy for each computer on the network, though this is not always the case. You can also set up one of your computers to act as a router for other computers, but this process can be complicated if you are not computer savvy. Yet a software solution that also includes an antivirus program may well be worth the cost. Windows XP also comes with a very basic packet filtering firewall, but this simple firewall does not go far in protecting your LAN. Other techniques discussed earlier in this chapter should be part of a software solution.

Some software firewalls to consider are listed here:

  • ZoneAlarm and ZoneAlarm Pro www.zonealarm.com. The basic ZoneAlarm firewall is available at no cost. ZoneAlarm Pro provides enhanced protection, can be run as a free trial, and can also be purchased as part of a security suite with antivirus and antispyware applications.

  • Norton Internet Security 2006 www.symantec.com. Includes firewall, intrusion detection, standard application (port) blocking, antivirus, antispam, privacy controls, and parental controls. Norton AntiVirus 2006 and Norton Personal Firewall 2006 are also available as separate products.

  • McAfee Internet Security Suite www.mcafee.com. Includes firewall, antivirus, spyware and adware detection, privacy controls, parental controls. McAfee Personal Firewall Plus and McAfee VirusScan are also available separately. McAfee Wireless Home Network Security protects wireless ethernet (Wi-Fi) networks against intrusions.

  • Sygate Personal Firewall Pro www.sygate.com. A good solution that offers some features that other similar products do not. Intrusion detection, VPN support, and automatic termination of known Trojan horse programs are part of this firewall, among others.

Using Both Hardware and Software Firewalls

Although the Windows Firewall built into Windows XP starting with Service Pack 2 provides stateful packet inspection, it only protects against inbound threats. Consequently, you should not count on it as the only protection between your computer and the Internet.

To provide a greater deal of security, you might want to use both a hardware and a software solution. Use the hardware firewall appliance as the front end of the network by attaching it to your broadband connection. Note that most SOHO and small office firewall appliances include multiport Ethernet switches, and some also include a Wi-Fi AP. Then use a software firewall package on computer(s) in your network.

Whichever you choose, keep in mind that no firewall can provide a complete solution to protect a network from outsiders. New viruses, Trojan horse programs, and the like are being created every day. All antivirus and firewall devices/software should have an update feature that you can use to download new software and virus definitions on a frequent basis. This type of service typically comes free for the first year, and then you can pay a small fee for following years.




Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2006
Pages: 411
