For the small office environment it is just too expensive to hire a full-time person to manage an enterprise firewall. However, you can still protect your LAN to a large degree by using a few simple products. There are both hardware and software firewall solutions. For example, cable/DSL routers use NAT, which helps to hide addresses of computers on the LAN so that hackers on the Internet will find it difficult to obtain that information.

That's just the first step, however. For example, if your ISP gives you a static address that is valid on the Internet, the cable or DSL modem itself can be the subject of an attack, as well as the attached router. Thus, although clients inside your LAN might not be easy to get at directly, it could be very simple to reconfigure the router using the same type of software you used to set it up in the first place!

Tip: Even if you use NAT and an inexpensive firewall, don't forget that one of the easiest ways to penetrate your LAN is to send a virus or another similar program to you as an email attachment. A good virus-checking program that is kept up-to-date with the latest virus definitions can help prevent this problem. I would recommend that you use a virus-checking program on every computer on your network, because a well-crafted virus can spread easily after it gets onto one machine on the LAN. The price you pay for a virus checker is insignificant when compared to the cost of restoring data, which itself may have been corrupted weeks or months before you discover the virus.

Hardware Solutions

Hardware firewalls are more expensive than software firewalls because the actual hardware itself costs more to produce. Software products can be replicated for a few dollars, including packaging. However, a hardware-based firewall is not beyond the reach of a SOHO environment. You just need to be sure that the firewall you purchase performs well, as described earlier in this chapter, and that the firmware can be upgraded when necessary. The latter may not be possible on an inexpensive hardware firewall, but it is a good feature to look for when making a purchase. Following is a list of some typical hardware-based firewalls. This is not meant to be an exhaustive list or a recommended list, but instead is presented here to give you an idea of the variety of products available:
Tip: Although I don't usually recommend where to purchase network devices or software, I will in this case. After you have read the specifications for a firewall appliance you would like to purchase, it doesn't hurt to search the Internet to find a good price. Most of the discount sites, such as www.buy.com, will enable you to get the product at a discount off the manufacturer's suggested retail price. Oh, watch out for those shipping charges, though! Another feature that similar websites offer is a rating for each vendor. Don't necessarily go for the lowest price. Read about other users' experiences before you choose a reseller. For network hardware reviews, check out www.tomsnetworking.com (the network section of Tom's Hardware) and www.practicallynetworked.com.

Software Solutions

Many firewall solutions are based on software. One of the problems with this approach is that you must purchase a copy for each computer on the network, though this is not always the case. You can also set up one of your computers to act as a router for other computers, but this process can be complicated if you are not computer savvy. Yet a software solution that also includes an antivirus program may well be worth the cost. Windows XP also comes with a very basic packet filtering firewall, but this simple firewall does not go far in protecting your LAN. Other techniques discussed earlier in this chapter should be part of a software solution. Some software firewalls to consider are listed here:
Using Both Hardware and Software Firewalls

Although the Windows Firewall built into Windows XP starting with Service Pack 2 provides stateful packet inspection, it only protects against inbound threats. Consequently, you should not count on it as the only protection between your computer and the Internet. To provide a greater degree of security, you might want to use both a hardware and a software solution. Use the hardware firewall appliance as the front end of the network by attaching it to your broadband connection. Note that most SOHO and small office firewall appliances include multiport Ethernet switches, and some also include a Wi-Fi AP. Then use a software firewall package on the computer(s) in your network.

Whichever you choose, keep in mind that no firewall can provide a complete solution to protect a network from outsiders. New viruses, Trojan horse programs, and the like are being created every day. All antivirus and firewall devices/software should have an update feature that you can use to download new software and virus definitions on a frequent basis. This type of service typically comes free for the first year, and then you can pay a small fee for following years.
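
The NAT behavior described at the start of this section, and the limits of inbound-only filtering noted above, can be seen in a small model. This is an added example, not code from the book; the NatRouter class, the addresses (documentation ranges), and the port numbers are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NatRouter:
    """Toy port-translating NAT router (hypothetical model, not a real product)."""
    wan_ip: str
    remote_admin_port: Optional[int] = None    # WAN-side management, if enabled
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port, peer_ip, peer_port)

    def outbound(self, lan_ip, lan_port, peer_ip, peer_port):
        """Any LAN program that connects out gets a mapping; NAT does not ask why."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[wan_port] = (lan_ip, lan_port, peer_ip, peer_port)
        return self.wan_ip, wan_port           # the only address the peer ever sees

    def inbound(self, peer_ip, peer_port, dst_port):
        """Decide what happens to a packet arriving on the WAN interface."""
        entry = self.table.get(dst_port)
        if entry and entry[2:] == (peer_ip, peer_port):
            return f"forward to {entry[0]}:{entry[1]}"   # reply to a LAN-initiated flow
        if dst_port == self.remote_admin_port:
            return "router admin interface"     # the router itself is still reachable
        return "drop"                           # unsolicited traffic never reaches the LAN


def demo():
    r = NatRouter("203.0.113.10", remote_admin_port=8080)
    out = {}
    # 1. A browser on a LAN PC connects to a web server.
    seen = r.outbound("192.168.1.20", 51000, "198.51.100.5", 443)
    out["server_sees"] = seen
    out["reply"] = r.inbound("198.51.100.5", 443, seen[1])
    # 2. A different Internet host probes that same WAN port.
    out["probe"] = r.inbound("198.51.100.99", 55555, seen[1])
    # 3. The same host tries the router's WAN-side management port.
    out["admin"] = r.inbound("198.51.100.99", 55555, 8080)
    # 4. A program that arrived as an email attachment connects out from the PC.
    seen2 = r.outbound("192.168.1.20", 51001, "198.51.100.77", 80)
    out["attachment_reply"] = r.inbound("198.51.100.77", 80, seen2[1])
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Cases 3 and 4 are the ones the text warns about: the router's own management interface is outside the protection NAT gives the clients, and traffic started from inside the LAN is translated and answered like any other, which is why the antivirus and host-based firewall layers are still needed.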