Saturday, March 8, 2014

. . . My Firewall-Routers Column

While it is not one of my favorite Bill Murray films, 2003's Lost in Translation, which was written and directed by Sofia Coppola, looked upon the often strange results that take place when language is a barrier, and as odd as it may sound, I think it is fair to say that the disconnect that resulted in my most recent Digital Grind column appears to lose its way largely down to the message being lost in translation -- or at least in this case, lost in direction.

I take total blame for that - the column was submitted and was edited during the span of several days in which due to health issues I was not available for consultation - so it was not entirely clear what it was that I intended it to say.

The fact that it appears to suggest that I do not know what NAT is or how it works, and perhaps even more startling -- that I appear to believe that computers can communicate via the Internet without having an IP Address -- crops up due to editing that was absolutely necessary because of space limitations.

To address the issue I thought it might be helpful to provide the original column below, in its entirety, and after doing so I will be directing the readers who email about it and my mistakes to it, so that they can both see where it was I intended to go and, perhaps of more importance, benefit from the lesson I had hoped to share.

So here is the original Digital Grind Firewall-Router Column (any errors in spelling or grammar are my own):

A typical home network with a Firewall-Router uses a mixture of wired computers / server with WiFi devices like gaming consoles, iPads, Skype-capable wireless phones, and other computing and entertainment devices that use Network Address Translation (NAT) to permit many devices to access the Internet using just one IP Address from the ISP.

Digital Grind Firewall Column

While it has a number of related meanings, the phrase “security through obscurity” is most often used to describe a belief that a computer or network with nothing of interest on it is safe from intrusion because it should not interest an outsider.

That notion can appear to be quite sensible, but consider this: In modern terms the phrase is also a pejorative among computer and network security engineers, having the same definition but interpreted as a dangerous fallacy not to be relied upon under any circumstances.

The reason for that is very simple: there doesn't actually have to be anything of value on a network or a computer to make it a target; access alone is reason enough to justify an attack.

That basic truth is why we go to so much effort in protecting our computers; why we keep the OS and apps up-to-date with respect to security patches and bug-fixes, why we run anti-virus and malware suites, and why security awareness extends not just to software but also to hardware.

These steps, combined with safe Internet use as well as common sense precautions, represent standard proactive and responsible efforts for establishing and maintaining a safe computer system and environment, but there is still the matter of securing your network to be considered.

The Network Connection

Modern network architecture consists of a 'net connection using a modem (for DSL) or a router (for cable or fiber) connected to which are one or more computers, network appliances, and 'net-aware consumer electronics like network-ready TVs and DVRs.

Assigned a valid IP address by your Internet service provider, the modem or router functions as the gateway device allowing every system on your network to communicate with the Internet, and vice versa, using a scheme called Network Address Translation, or NAT.

Without NAT every device on a network needs a valid IP Address to access the Internet. With NAT any number of computers or devices can be connected to the world beyond, requiring only a single valid IP Address.

In the time that it took me to write this, according to the security logs on my firewall it was scanned by ten different potential attackers.

The fact that they were not targeting me specifically offers very little comfort; they were scanning the block of IP Addresses owned by my ISP to see which customers are connecting without basic security protection.

This sort of approach works because the function of the modem/router is to pass traffic to and from the Internet, and it will do that without any consideration for whether that traffic is legitimate or hostile. It is only a matter of time then, before they locate a weakness in a system on the network and compromise it.
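As an added example, not part of the original column, here is a small detector over constructed firewall DROP log lines (the key=value line format is an assumption, and the addresses are documentation ranges) that counts how many distinct sources probed the public address and flags the ones sweeping several ports:

```python
"""Toy port-scan detector over firewall DROP logs: a source that probes many
distinct ports on the public address within the log window is flagged.
Log lines and addresses are constructed for the example, not a real capture."""
import re
from collections import defaultdict

# Constructed log excerpt in a simple key=value style (format is an assumption).
SAMPLE_LOG = """\
2014-03-08 10:01:02 DROP src=198.51.100.5 dst=203.0.113.7 proto=TCP spt=40001 dpt=22
2014-03-08 10:01:02 DROP src=198.51.100.5 dst=203.0.113.7 proto=TCP spt=40002 dpt=23
2014-03-08 10:01:03 DROP src=198.51.100.5 dst=203.0.113.7 proto=TCP spt=40003 dpt=80
2014-03-08 10:01:03 DROP src=198.51.100.5 dst=203.0.113.7 proto=TCP spt=40004 dpt=443
2014-03-08 10:01:04 DROP src=198.51.100.5 dst=203.0.113.7 proto=TCP spt=40005 dpt=3389
2014-03-08 10:02:10 DROP src=198.51.100.77 dst=203.0.113.7 proto=TCP spt=5555 dpt=445
2014-03-08 10:02:11 DROP src=198.51.100.77 dst=203.0.113.7 proto=TCP spt=5556 dpt=445
2014-03-08 10:03:00 DROP src=192.0.2.9 dst=203.0.113.7 proto=UDP spt=53 dpt=5060
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_scanners(text, min_ports=4):
    """Return {src: sorted distinct ports} for sources whose dropped probes
    touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for rec in parse_log(text):
        if rec["action"] == "DROP":
            ports[rec["src"]].add(int(rec["dpt"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def distinct_sources(text):
    """How many different addresses probed the firewall at all: the kind of
    count behind the column's 'ten different potential attackers'."""
    return len({rec["src"] for rec in parse_log(text) if rec["action"] == "DROP"})
```

A single source hitting one port repeatedly (198.51.100.77 above) is counted as a prober but not flagged as a scanner, which is the distinction the threshold is meant to draw.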

Once that happens, in addition to the most obvious targets like banking and credit information, they can also turn the resources of the network to a variety of purposes -- like hosting pirated software or porn, or using it as a launch-point for attacking other networks and computers.

The Firewall

While the mix of anti-malware and virus programs, keeping your systems patched and up-to-date, and taking care to surf responsibly are a good start, the foundation of your network security is found in a device called a firewall-router.

Named for the partition wall used in commercial buildings to prevent the spread of fire, a network firewall is a hardware device whose function is very much like the moat and gate of a castle. It sits between your network and the Internet, serving as a gatekeeper for all of the traffic passing between them.

It has two basic jobs to perform: the first is to ensure all of the traffic coming in is legitimate, while making your network invisible from the Internet side. The second is providing a level of convenient connectivity to you.
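As an added illustration, not part of the original column, of the NAT scheme described under The Network Connection and of the firewall's first job above, the following toy model rewrites outbound flows from private hosts to the single ISP-assigned address and drops inbound packets that match no outbound flow; the addresses are constructed documentation ranges and NatFirewall is a hypothetical class, not any vendor's implementation.

```python
"""Toy model of a NAT firewall-router: outbound flows from private hosts are
rewritten to the single ISP-assigned public address, return traffic is matched
against the translation table, and unsolicited inbound packets are dropped.
Constructed example: documentation address ranges, not real hosts."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"  # the one address the ISP assigned (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port, remote ip, remote port) -> public port
        self.outbound = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.inbound = {}

    def to_internet(self, pkt):
        """LAN -> WAN: allocate (or reuse) a public port and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def from_internet(self, pkt):
        """WAN -> LAN: only a packet matching an existing outbound flow is
        translated back; anything else, such as a scanner's probe, is dropped."""
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.public_ip or entry is None:
            return None  # no state for this flow: the LAN stays invisible
        private_ip, private_port = entry
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


if __name__ == "__main__":
    fw = NatFirewall(PUBLIC_IP)
    out = fw.to_internet(Packet("192.168.1.10", 51515, "198.51.100.20", 443))
    print("reply:", fw.from_internet(Packet("198.51.100.20", 443, PUBLIC_IP, out.src_port)))
    print("probe:", fw.from_internet(Packet("198.51.100.99", 12345, PUBLIC_IP, 22)))
```

Two private hosts using the same source port get distinct public ports, which is how many devices share one address; a real router also ages out idle entries and may apply port forwarding or UPnP rules, which this model omits.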

If the modem or router you received from your ISP is the only device between your network and the Internet, you need to buy and deploy one today. The good news is that you can do this yourself because the arcane has been engineered out of these devices.

Installing a firewall on your network requires no technical knowledge beyond the ability to follow basic directions, swap network cables, and use a web browser -- nearly anyone can install and configure one.

Healthy competition among manufacturers has also resulted in something of a boon for consumers, because the current generation of firewall-routers happens to be a feature-rich and interesting one, and they have never been as inexpensive as they are today.

Intended to replace other older devices on your network -- particularly WiFi routers and network-accessible storage devices -- they sport features like traffic shaping and offer a measure of control over your network and how it can be used that may surprise you.

Most include a minimum of four wired ports as well as WiFi service, USB ports, and the best standard encryption and speeds available, so deciding which firewall-router you need is down to determining what added features you want -- and then selecting from the models that provide them.

Security for Gamers

If you have gamers in the house -- and on your network -- D-Link makes a line of firewall-routers that are engineered specifically with them in mind. The DGL-5500 / AC1300 Gaming Router is designed to detect when gaming devices are used and optimize traffic in support of that activity.

Its tube-like form naturally blends into the background, while its Streamboost feature and advanced UPnP support manage the traffic on your network to ensure that your PC and console gamers get the bandwidth priority that they need for lag-free play.

With full support for the 802.11a/b/c/g/n WiFi standards, the AC1300 offers concurrent dual-band connectivity at some of the highest speeds currently available, but more importantly, it supports both the established WiFi standards and the newest.

Basic security features include WPA/WPA2 wireless encryption, an SPI firewall, and anti-spoof checking, while its robust parental controls offer an added measure of convenience. Parents can specify -- device by device -- when games can be played and when they cannot, and the parental controls even permit site blocking.

Security plus Storage

For network security that also offers network-accessible backup storage, Netgear's Centria N900 (WNDR4700) neatly fits the bill.

Touted as an “All-in-One” solution, the N900 functions as a WiFi Firewall-router, Media Server, and Automatic Back-up Server supporting 802.11 b/g/n WiFi standards as well as Wireless N Dual Band.

The N900 fits into the new range of firewall-routers called “Storage Routers” thanks to the hard drive slot concealed behind a door in the side and its ReadyShare timed back-up App. Consumers have the option of adding their own SATA2 hard drive in sizes up to 2TB (the WNDR4720 model comes with a 2TB drive pre-installed).

The N900 supports WPA/WPA2 encryption and provides backup services to a wide variety of WiFi equipped devices, including notebook computers, tablets, PCs and Macs, and your iPad or smart phones.

Security plus Media

With the Internet now into traditional entertainment media thanks to streaming movies and TV, the WD My Net N750 HD Dual-Band Router from Western Digital is a stand-out firewall-router for networks heavy on media.

The N750 offers full support for the 802.11 a/b/g/n WiFi standards with speeds up to 750 Mbps. It provides WPA/WPA2 encryption and an SPI firewall, its low-profile form blends into any entertainment center, and it includes four Gigabit wired ports for connecting game consoles, DVRs and other media devices.

Smart HD streaming, accelerated by its FasTrack technology, lets you watch videos on multiple devices at the same time, delivering HD streams with combined speeds of up to 750 Mbps.

Firewall Protection

Each of these routers features an easy-to-use web-based configuration interface, with basic setup instructions that anyone can follow to quickly and conveniently get it working with the hardware already on a network.

While they differ in terms of special network and entertainment focus, each supports the standard set of security features, offering a level of protection you should expect from what is, after all, the foundation of your broadband network security.

The criteria now used for selecting a model tend to focus on what extra features and services you most desire -- and to some degree on how your network is used -- so in the final analysis, with security through obscurity no longer an option (if it ever was), adding a firewall-router to your network is the best path to ensuring its protection now and in the future.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Final Notes

I apologize sincerely to my readers who may have found the path in the version that appeared in the paper a bit circuitous and I apologize to my editor for my failure to make clear the purpose and the direction that I intended to take.

From here on I will endeavor to prevent those mistakes from ever happening again.

Cheers!