WHY?
To this user of a cable modem, you might ask why? Why a firewall? Doesn't your ISP already have a firewall? Proxy? IP masquerading? Why? Why?? Why???? Hopefully when you're done reading this document, these questions will be answered!
The advent of broadband or high-speed technology
You may be somewhat familiar with the latest internet technologies
available today that offer products and services to the "average" consumer
that were previously only available to businesses, research facilities,
schools, and government. That is, the ability to subscribe
from a household or other residence, to "broadband" internet services that
allow for faster access to and downloads of the latest internet content,
including streaming audio and video, webcasts, and video teleconferencing.
Thus, technologies such as ISDN, ADSL, and cable, have opened up a whole
new world to residential customers.
I am not going to discuss the raging debates that have erupted between the different services. Suffice it to say that each methodology has its strengths and weaknesses. However, I do want to touch on a subject that should be central to anyone planning on obtaining what will be a "24/7" service, and that is security, which will be discussed shortly.
The layout of "hard-wired" broadband access
Note that the services described here operate differently from the
traditional dial-up services, i.e., these services provide for purely "digital"
data transfer as opposed to the dial-up modem's use of the common phone
line for analog data transfer. Thus, with suitable data compression
software, you have the ability to achieve up to multi-megabit/sec speeds
over existing copper-based wiring. Since I have never subscribed
to ISDN or ADSL services, I can't say much about them except to distinguish
them from what I am currently subscribed to, and that is cable modem access.
In general, ISDN service is provided on a special type of "dedicated" phone/data line run into the residence and attached to a special modem. This line goes to the local phone company's switch, where it will join with other lines and will eventually come under the control of the ISP. Alternately, ADSL can operate on an existing phone line in the residence, which is split and channeled through special equipment installed at the residence, allowing for both voice and data to traverse it. Like ISDN, this line is also "dedicated" until it reaches the phone company's switch, whereby like ISDN, it will join with other lines and will come under control of the provider. Take note that both of these services can only provide "dedicated" or unshared access up until the point (up to 3 miles for ADSL) of the phone switch, whereby data sharing will commence regardless, as you have now moved into an internet-like environment.
Cable modem service, on the other hand, is run over an existing or newly run coax and/or fiber line that is installed in the residence. The cable itself is divided up into a number of "channels" with different frequencies that, like ISDN or ADSL, with suitable compression software, will allow multi-megabit/sec data transfers. If the customer currently subscribes to cable television, the data and television signals can be run concurrently. What distinguishes this type of service from ISDN or ADSL is the fact that the cable line is not "dedicated" but is "shared" from the point where it leaves the residence until it reaches the provider. With multiple subscribers on a particular, single cable run, you are then in essence "on a LAN" or local area network. Thus your machine is "exposed" on this network, along with others similarly subscribed, and these "others" are now considered your "neighbors". This is no different than networked machines in a typical office environment except that the closest machine to you is not a desk or cubicle away, but may be a house or two away or even across or down the street. Since most of the cable companies offering this service are quite large, they break down groups of subscribers into a geographic area or "node". A "node" might consist of 200 subscribers (say out of a total of 10,000 subscribers). The nodes will then route to the provider's central access point and content.
Networking over cable
Nearly 95% of the computer-using world are users of Microsoft products
for the desktop, and in particular, the popular Windows 9x products.
As a feature of this desktop environment, networking is built-in, e.g.,
with the purchase and installation of networking hardware, you have the
ability to configure your machine to "share" files and printing.
Thus, using Windows' built-in file and print sharing tools, users can share
files between machines very easily. In fact, many Windows users
have acquired multiple machines at home over the years and have begun to
"network" them, to allow for transfers of data and games between the machines.
To do this, the user would enable the Windows "file and print sharing"
feature.
Now, take this one step further and place such an enabled machine on a 24/7 internet service. If you subscribe to a service such as that offered for cable, with other "neighbors" sharing your "cable LAN", imagine what you can do! You can copy files between your machine and your buddy's across the street! You can even install Microsoft's full networking clients and protocols and use the "Network Neighborhood" feature to view any other machine on your cable LAN with similar networking enabled. This is useful; however, the dangers should now be obvious to you. Just as you can copy a file to your buddy's machine, so too can some nefarious individual copy a file or virus or whatever to your machine unless you take steps to protect yourself! This is the perfect segue into the topic of security, which will be covered in the next couple of sections.
Securing your assets
Most if not all cable providers warn their customers to turn off Microsoft's
"file and print sharing" feature in order to provide some sort of security
for their internet-connected machines. And although most providers
support only Windows and perhaps the MacOS, and will warn Mac users similarly,
any networkable OS on a machine, including the Unixes such as Linux,
should be similarly protected. Although doing this defeats
the purpose of being able to share data between your other machines at
home, it is best to familiarize yourself with networking and security and
make an informed judgment as to what you perceive as your risks in enabling
such a feature. There are ways to configure file and print sharing
to only allow access to designated individuals via shares and password
protection; however, there are other ways to protect your valuable data.
This leads to the subject of the "firewall".
The "Firewall"
Just what is a firewall, anyway? Well, in its original
usage, the "fire wall" was just that, a wall that was built (usually of
brick or cinder block) between houses or businesses, that would prevent
the spread of a fire. So too, in a more modern usage, is the
"computer network firewall" such a device, whereby it is designed to "block"
unwanted transgressions or damaging intrusions (like the fire in the older
usage) into your machine or network.
I would expect that all ISPs and ICPs (internet content providers) are running some type of firewall designed to protect themselves and their own content, as well as to protect the data of any subscribers who utilize their equipment to store data files, email, and web pages. These firewalls are generally located at a point in the provider's facility where subscribers are funneled out onto the internet. In the case of cable modem service, this is also the case -- i.e., at the point of access to the internet; however, the costs of doing the same within a cable node would certainly be prohibitive. Thus, it's up to the cable modem subscriber to take adequate precautions while connected and online, to secure him or herself against that portion of their cable run that is unprotected.
I don't want to go into the intricacies of firewalls, as I am by no means an expert or even close to being one on the subject. Suffice it to say that there are generally two types of firewalls: router-based or application-based, and these can be hardware-enabled and/or software-enabled. Both types might be in place at your workplace and/or ISP/ICP, and their costs vary depending on the features that are desired. Basically, you can obtain firewall software (or create your own) for your machine (or for a dedicated firewall machine like I have), that will allow you to add safeguards and restrictions to who or what can access your data, but before you do so, I urge you to do a lot of research on the subject of security, networking, and firewalls before you begin. This is critical so that you fully understand what it is you are protecting yourself against! Researching this will open your eyes and will help you make an informed decision as to what your needs are based on a number of risks and an equally informed choice as to the solution that is right for you. I only offer this page on my site as my solution and because I currently run an operating system (Linux) that is fully capable of functioning as a firewall, with little or no cost but networking hardware.
The big bad wolf
A popular children's song goes - "Who's afraid of the big bad wolf,
the big bad wolf, the big bad wolf...?", and nowadays, the networked residential
broadband customer needs to really think about just who the "big bad wolf"
is. In essence, who is out there that should make you take
pause and read about security and go through a lot of effort to protect
yourself and your assets, i.e., your machine and/or internal home network?
Well, beginning in the early to mid-1980s, there were a number of high profile computer break-ins and the requisite Hollywood movies dramatizing these exploits. The term "hacker" was instantly applied to those who took pleasure in breaking into such systems and otherwise creating havoc in the computer world. The unfortunate misnomer (i.e., the use of the term "hacker", a designation generally used in a positive manner to refer simply to a programmer), to describe those who commit illegal or criminal mischief using computers, has caused much consternation among the programmer community. The more correct term is "cracker", in reference to the nefarious (and often helpful, for security purposes in a bizarre sort of way) individual, who "cracks" the "code" or restrictions for accessing a system, and this is the preferred moniker. Regardless of what you call them, be aware that the methods and tools that they use today are 20 years more sophisticated than those used in early attempts. Much of what is done today involves breaking into an innocent "victim's" machine (say your lone Windows 95 machine sitting on a cable network with file and print sharing enabled, or a Unix-based machine with various application-level remote services enabled, such as FTP and Telnet) and planting programs on that machine, which they can now use to launch an attack on a larger target... thus masking their identity by using YOUR machine and assigned internet address.
This is just one example and I am not going to go into any in-depth discussion of these types of exploits, as there are literally thousands of security sites and reference guides that you can access that describe some particularly nasty but successful break-in, denial-of-service, virus introduction, etc., attempts. However, I will say that with the technologies available today, the exponential increase of 24/7-connected machines, and a lot of bored, bitter, and disgruntled people out there, it would be wise for you to be prepared. No, you can't hope to provide a fool-proof, un-crackable wall between yourself and that individual, as he/she will get in if determined enough, but you can make it more difficult, and that is what the firewall will help you do. Besides, the only true fool-proof way to protect yourself is to disconnect yourself from that 24/7 service!
But then you ask, what if I do have multiple machines? And what if I want them all to have access to the 24/7 service plus be protected? That will be the subject of the next sections.
Home networking
With the precipitous drop in the price of the PC and the increased
need to be "online", many have found themselves with multiple machines
at home, each with access to an internet service. A number
of networking vendors have taken notice of this, discovering what is becoming
a vast, untapped market. Thus, the term "home networking" was coined.
Granted, many computer "geeks", engineers, multimedia producers, and others
who must use a computer in their day to day work, have always networked
multiple machines in their residences, but with the costs as low as they
are, the average consumer is now getting into the act. Couple
this with the newness of 24/7 broadband services, the desire to have all
of your home machines with this access, and the uncertainty of the technical
aspects of computer networking in general, the ability to do this simply
and cheaply isn't very obvious as yet.
Most broadband service providers readily offer multiple network addresses (and even encourage it) to cover all of the machines in your household. This naturally comes at a cost, i.e., the cost of the additional addresses paid to the provider as part of your monthly bill and the cost of additional networking equipment, including network interface cards and, more recently, networking "hubs" or devices that will allow you to connect multiple machines to a common device for sharing of the network line that you have put in place. And without getting into any technical discussion on networking, which you should have some knowledge of before you begin this type of project, be aware that each of your machines must have a unique network address before they can access any data on your home network or the internet.
So how can you do this without incurring substantial costs? That is the subject of the next section!
Proxying and IP Masquerading
So, just how can you have all of your home-networked machines access
your broadband service without breaking the bank? Well, your
provider will usually offer you the ability to put multiple machines on
your service and actually, the extra cost isn't too bad. However, there
is a way to do this with what is known as a "proxy server".
Basically, a proxy server is a computer that will "act on behalf" of your
machine, i.e., it receives your commands, encodes them with its own network
identity, and then executes them out over your internet service.
Note that the machine designated to act as your proxy server and/or your firewall will need two network cards, one for your "internal" network and one for your "external" network, i.e., your cable service connection. In order to implement proxying, you would need software on that standalone machine that will be able to run what is known as "IP masquerading", i.e., hiding your other machines' assigned network addresses behind the proxy machine's own "paid for" address. It will use what is known as "NAT" or network address translation to accomplish this.
All of these terms can be researched in any reference guides on networking and again, I don't want to get too technical here, but suffice it to say, it works, and generally flawlessly. In fact, the use of proxy servers has been in effect for quite some time at a number of small to medium-sized businesses who had a limited number of internet addresses that they were paying for and suddenly found themselves out of addresses as they expanded their computing resources. The use of the proxy filled a vital need for those companies as they now had the ability to juggle their few addresses to cover their now many machines. In addition, many large corporations have found that using a proxy for their networks provides them a significant amount of security, as machines "outside of" their internal networks or "intranets" could be prohibited, by design, from reaching any of their internal machines, due to the internet addressing scheme assigned to those internal machines. Specifically, by international standard, certain internet address ranges were purposely set aside for "internal use" only, i.e., those addresses would be invalid "outside" on the internet, as the networking equipment on the internet is pre-programmed to automatically reject data going to or coming from addresses in those specified ranges. Thus, no data can be sent directly to the internal machine, nor can data go outside from that same machine, without passing through the proxy. This provides the IT staff with some control as to what data is being exchanged, particularly data that could prove harmful to a corporate intranet. The proxy is usually directly connected to a firewall or may be part of the same box, and so the two interact to provide a relatively secure, controlled (or at least controllable) computing environment.
In the case of your small home network, you would implement a similar scheme of assigning those "restricted" network addresses to your machines and funnel their access to your service through your proxy.
Thus, the use of the proxy server, utilizing IP masquerading, is a way to not only offer all of your home-networked machines access through a single, internet-connected machine, but will also help to further protect your internal network from unauthorized access and intrusions! Just as there are a number of vendors who provide software for firewalls, so too are there vendors who provide proxying software. The added advantage of the Linux OS that I use is the fact that most of this type of software offered for it is offered as "open source" under the GPL (General Public License), meaning that it is freely available for download and use, at no cost whatsoever. In addition, due to the incredible efficiency of the kernel code in the Linux OS, this type of machine can be created on older hardware, such as a 386 or 486 PC, whereas other operating systems might require newer, higher speed machines to do the same thing. Thus, there is life for your old clunker after all, which is why I had originally considered using my old 486, "Tank", which I recently upgraded, for this task! I later decided to do other things with him... :)
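As an added illustration that is not part of the original page, the Python below models what the masquerading proxy described above does: internal hosts in the "internal use only" ranges (RFC 1918) are rewritten to the single paid-for address on the way out, replies are matched against the translation table on the way back, and anything unsolicited from the cable side (such as the Telnet and FTP "tapping" a gateway's logs tend to show) is dropped and logged. Every address and port here is a constructed sample value, not one from the author's network.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 "internal use only" ranges: equipment on the internet will not carry them.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the reserved internal-use ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass
class Masquerader:
    """Gateway with two interfaces: internal (private LAN) and external (cable side)."""
    public_ip: str                      # the one address paid for from the provider
    next_port: int = 40000              # external source ports handed out in order
    table: dict = field(default_factory=dict)    # ext_port -> (int_ip, int_port, dst_ip, dst_port)
    dropped: list = field(default_factory=list)  # unsolicited inbound packets, for the log

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> internet: replace the private source with public_ip:ext_port and remember it."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an internal-use address; refusing to masquerade")
        flow = (src_ip, src_port, dst_ip, dst_port)
        for ext_port, known in self.table.items():   # reuse the mapping for an existing flow
            if known == flow:
                return (self.public_ip, ext_port, dst_ip, dst_port)
        ext_port = self.next_port
        self.next_port += 1
        self.table[ext_port] = flow
        return (self.public_ip, ext_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Internet -> gateway: only a reply to a translated flow is passed to the LAN host."""
        flow = self.table.get(dst_port)
        if flow and flow[2:] == (src_ip, src_port):
            return (src_ip, src_port, flow[0], flow[1])    # rewritten back to the real LAN host
        self.dropped.append((src_ip, src_port, dst_port))  # no matching flow: drop and log it
        return None


def run_demo():
    """Constructed traffic: two LAN hosts browsing, plus Telnet/FTP knocks from outside."""
    gw = Masquerader(public_ip="203.0.113.7")           # constructed sample public address
    gw.outbound("192.168.1.10", 1025, "198.51.100.20", 80)
    gw.outbound("192.168.1.11", 1026, "198.51.100.20", 80)
    passed = [gw.inbound("198.51.100.20", 80, 40000),   # reply to host .10
              gw.inbound("198.51.100.20", 80, 40001)]   # reply to host .11
    gw.inbound("198.51.100.99", 3333, 23)               # unsolicited Telnet knock
    gw.inbound("198.51.100.99", 3334, 21)               # unsolicited FTP knock
    return {"forwarded": sum(p is not None for p in passed),
            "dropped": len(gw.dropped),
            "drop_log": list(gw.dropped)}
```

Real masquerading code also tracks protocol, timeouts and TCP state, but the table lookup above is the reason a machine behind the proxy never sees an unsolicited connection.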
Conclusion
Hopefully this document has explained some of the reasons why I found
it advantageous to create "Stealth", my proxy/firewall, particularly since
I have a total of four machines in my home network, and each can access
the internet via my cable modem service, by doing so through Stealth.
Although I know that I can never be fully protected unless I disconnect
every day, I do have a modicum of peace of mind knowing that I have my "computer
club" (like the car "club") up, hoping that it will at least deter, while
offering me the vital service of providing my machines access to my 24/7
connection. And believe me, after months of reading Stealth's
logs every day, I have found that there are a lot of folks out there who
are "tapping" on me every day (i.e., attempting to Telnet or FTP to my machine),
and I consider that unwanted.
NOTICE: "Linux" is a trademark of Linus Torvalds. "Microsoft","Windows 3.x/9x/NT" (and related apps), "The Club", and any other product/company mentioned on this page or at this site, are trademarks and/or copyrights of their respective companies.