The most common method of securing a home network is to use a firewall. A firewall is a computer, hub, or router configured specifically to stop unwanted outside traffic from accessing your internal network. For example, you don't want people to gain access to your computer, but you do want people to view pages on a web server. Think of a firewall as the first line of defense against outside attacks. And that's exactly what it is, no more, no less. You give yourself a false sense of security by stopping at the firewall level. In fact there is much more to be done, but a properly configured firewall goes a long way toward stopping cyber criminals. For the purposes of this article, we concentrate on the firewall. Future articles will cover other security issues.
Figure 1: A typical firewall setup.
A firewall computer includes at least two Ethernet cards. One card is connected to the cable modem; the other is connected to the hub for your internal network. (See Figure 1). The firewall then acts as a single point of access. However, to make things harder for a would-be attacker, the internal network is generally configured to use non-routable IP addresses. One range of non-routable IP addresses exists for each IP class:
- Class A: 10.0.0.0 to 10.255.255.255
- Class B: 172.16.0.0 to 172.31.255.255
- Class C: 192.168.0.0 to 192.168.255.255
Which address range you choose is completely arbitrary. Larger networks will use the Class A address range, and smaller networks often use Class C. These address ranges are only reachable on the local network. For example, my Linux systems can talk to each other and transfer files across my LAN, but I cannot access the same IP range on someone else's network. Similarly, someone trying to reach my network from outside is prevented from doing so. (Actually, that is a bit of an oversimplification. If an attacker gets through your firewall, she or he can then reach your internal network, because your firewall "knows" about the computers on your LAN. The point is that crackers cannot try to reach your internal IP address range directly from their own system.)
So how does a computer with a non-routable IP address access the Internet? Remember that the firewall has one interface with access to the Internet and uses an IP address obtained from the ISP. The firewall uses IP masquerading to make the outside world think that traffic from your internal network is coming from the firewall's IP address. A series of IP masquerading kernel modules are loaded on the firewall to take care of this process and any special protocols (such as RealAudio) for you.
localhost# lsmod
Module          Pages  Used by
ip_masq_user     2408   0 (unused)
ip_masq_raudio   2800   0 (unused)
ip_masq_portfw   2320  11
ip_masq_mfw      3008   0 (unused)
ip_masq_FTP      2384   0
ip_masq_autofw   2304   0 (unused)
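To make the two ideas above concrete (non-routable address ranges, and the masquerading table the firewall keeps so replies find their way back to the LAN host), here is a small simulation I have added for illustration; it is not Edge's or the kernel's code. The public address 203.0.113.7, the remote server 198.51.100.10 and the port pool starting at 61000 are made-up values.

```python
import ipaddress

# The three non-routable (RFC 1918) ranges listed in the article.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls inside one of the non-routable ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class Masquerader:
    """Toy model of IP masquerading on the firewall's external interface.

    A packet is a (src_ip, src_port, dst_ip, dst_port) tuple. Assumption: the
    firewall's ISP-assigned address is public_ip, and masqueraded source ports
    are handed out sequentially from first_port (the real kernel uses a pool).
    """

    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.table = {}
        # (lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self.reverse = {}

    def outbound(self, pkt):
        """Rewrite a LAN host's packet so it appears to come from the firewall."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if not is_private(src_ip):
            return pkt  # the firewall's own traffic; nothing to rewrite
        key = (src_ip, src_port, dst_ip, dst_port)
        pub_port = self.reverse.get(key)
        if pub_port is None:  # first packet of this connection: allocate a port
            pub_port = self.next_port
            self.next_port += 1
            self.reverse[key] = pub_port
            self.table[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, pkt):
        """Map a reply back to the LAN host, or None if nobody asked for it."""
        src_ip, src_port, dst_ip, dst_port = pkt
        entry = self.table.get((dst_port, src_ip, src_port))
        if dst_ip != self.public_ip or entry is None:
            return None  # unsolicited from outside: no table entry, so dropped
        lan_ip, lan_port = entry
        return (src_ip, src_port, lan_ip, lan_port)
```

The None result from inbound() is the mechanism behind the article's point: an outsider cannot reach 192.168.x.x directly, because only connections a LAN host opened have a table entry.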
There's a ton of information on firewalls available on the Internet and in your local bookstore. (See resources sidebar for more information.) Read as much information as you can, keeping in mind your requirements. Robert Ziegler's excellent book Linux Firewalls goes into great detail about the different kinds of firewalls as well as where they can best be used.
- Know Your Enemy (four-part series)
- Maximum Linux Security (SAMS) ISBN: 0-672-31670-6
- Linux Firewalls (New Riders) ISBN: 0-7357-0900-9
- Practical Unix and Internet Security (O'Reilly) ISBN: 1-56592-148-8
- Linux System Security (Prentice Hall) ISBN: 0-13-015807-0
Additionally, Mr. Ziegler maintains the Linux Firewall and Security Site, which contains many links to other sources of security information, including the Firewall HowTo document, information on types of network attacks, other books and resources on firewalls and network security, and much more. I have corresponded with Mr. Ziegler over e-mail and found him to be responsive, helpful, and funny.
After looking at many web pages, reading many books, and discussing issues with my fellow Linux User Group members, I finally picked a firewall solution for my setup.
Life on the Edge
Edge FirePlug is a very well-designed firewall solution from FirePlug Computers, Inc. in Vancouver, BC. One of the reasons I chose Edge FirePlug (just called Edge) is that it's designed specifically for use on cable modem and DSL connections. Another reason I chose Edge is that it is very easy to set up and customize to the needs of my network.
Edge is a thinlinux client, which means it contains the absolute bare minimum required to run Linux in a concise package. Edge comes in three flavors: a floppy version, a hard-drive version, and a dial-on-demand version. The floppy version lets a complete firewall boot from a floppy drive, but with limited extra functionality (no editors, for example) due to space restrictions, whereas the hard-drive version is the same thing but includes the extra goodies. The dial-on-demand version is the same as the floppy install but is set up for ISDN or other dial-up connections.
The floppy version offers some additional functionality that is very important to consider.
- The floppy can be write protected or even removed to prevent would-be crackers from corrupting your firewall should they gain access.
- Most firewalls running from a hard drive need to be shut down properly (with the shutdown -h command) or filesystem corruption can occur. Edge loads everything into RAM (both floppy and hard-drive installs) and runs from there, so problems due to power failures or accidental resets disappear.
- It's easy to make copies of the firewall boot disk in case you experience media problems.
Because of the minimalist approach taken by Edge (and some other firewall solutions), you do not need a computer with the horsepower required to run a full Linux distribution. That old 486/66 you have lying around does nicely. If you don't have an old 486 yourself, shop around at the secondhand stores, ask your friends, or pester your local hardware geek. The important thing is that the firewall computer should be dedicated to operating as a firewall. Do not run any other services on this computer at all. Edge comes pre-configured to forward the common services to a dedicated server inside your network. Which computer gets which service is completely customizable.
My firewall is a 486 DX4 100 with 32 MB RAM and two 3Com 3C509 ISA Ethernet cards, using the floppy version of Edge. Despite the low horsepower of the firewall, network slowdown is virtually nonexistent. Web surfing, FTP downloads, and even network games such as Quake 3 all work at the same speed.