Mar
21
2010

Routers – Hardware Firewalls Vs Software Firewalls Part 2 Hardware

Hardware Firewall

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices which is configured to permit or deny computer applications based upon a set of rules and other criteria.

Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

The first two paragraphs are kind of a definition of what a hardware firewall is.  I got this directly from the Wikipedia article.   This reference is a great start to understanding some of the concepts that are beyond this blog post.

Typical Firewall Setup

In the above picture we see a hardware device that sits between your computer and your internet. The normal flow of data is represented below.  This is from your computer out to the internet and back again.

Normal Traffic

In the case of a hardware router, your computer should in normal circumstances never see things from the internet that were not asked for by the computer.  In the case of a hardware device like a router, the data sent to your computer from the outside is discarded.  It is discarded simply because it did not start with your computer.  This is where the power of the hardware firewall is invaluable.

Evil Bad Guy Traffic

The hardware firewall effectively gives your computer a line of defense that is difficult to bypass (Not Impossible).  This hardware device places your computer in a “non route-able IP range.”  This is why the packets are discarded.  The computer does not know about anything on the internet except for your router.  The router is your guide to the internet; it protects you on your journey and keeps you from falling into places in the dark.
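The discard rule described above, as an added example (not code from the original post): a simplified model of a home router's translation table, where only traffic that answers a connection started from inside is passed back. The class name `NatRouter`, the port numbering and all addresses are constructed for illustration; the addresses come from private and documentation ranges.

```python
import ipaddress


class NatRouter:
    """Simplified model: one public address, a table of flows started from inside."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000  # constructed starting point for translated ports
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.table = {}

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN computer starts a connection; the router records it and rewrites the source."""
        if not ipaddress.ip_address(lan_ip).is_private:
            raise ValueError("LAN hosts are expected to use non-routable addresses")
        public_port = self.next_port
        self.next_port += 1
        self.table[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return (self.public_ip, public_port, remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the LAN destination for a packet from outside, or None if it is discarded."""
        return self.table.get((public_port, remote_ip, remote_port))


if __name__ == "__main__":
    router = NatRouter("203.0.113.10")

    # Normal traffic: the computer asks a web server for a page.
    sent = router.outbound("192.168.1.20", 51515, "198.51.100.7", 80)
    print("leaves the router as:", sent)

    # The reply matches a table entry, so it is handed back to the computer.
    print("reply delivered to:", router.inbound("198.51.100.7", 80, sent[1]))

    # Unsolicited traffic: nobody inside asked for it, so there is no entry.
    print("stranger, same port:", router.inbound("192.0.2.66", 4444, sent[1]))
    print("stranger, other port:", router.inbound("192.0.2.66", 4444, 3389))
```

The table only covers traffic that crosses the router; two computers on the same side of it talk to each other directly, which is the case the software firewall is there for.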

Because your device is electronic, it is more difficult to bypass using software.  The isolation that is provided by the device is the very condition we are looking for.  The very nature of the hardware is why my preference is to use hardware over software as a firewall choice.

In a prior article I recommended that a software firewall could be compromised and allow a person to gain access to your computer.  This is not a simple process but it is not impossible.  That is why whenever possible I recommend that both types of firewall be up and functioning.  A hardware firewall will protect you from the people around the world, but if there is a computer with a virus or a Trojan on it, then the threat is already inside with you.  That is why it is important to run the software firewall as well.

Travel Concerns

When I travel I will also carry a hardware firewall with me.  Many of the new devices have portable versions that are much more compact than the home based version.  I realize that you can’t always travel with one but if you have the room to pack it, it will give you a much improved level of security.  Hotel WiFi and Ethernet connections are a dangerous place.  If you have the ability to put your router between you and the rest of the hotel you are in a much safer condition.  There are times the hotel will not even have a hookup or that you have to log in to the connection then put your router up, but the additional safety is worth the little bit of hassle.

Summary

It is my personal opinion that a hardware firewall is a necessary choice.  With the cost of a wireless router starting in the $40 range, it is not difficult to justify the expenditure.  That being said, the hardware combined with the software firewall built in on a computer is the best way of staying protected.  The world is an unsafe place, do you want to be there without your best armor on?

Happy Surfing (and hopefully safer too)!!!

Mar
16
2010

Routers – Hardware Firewalls Vs Software Firewalls Part 1 Software

I am starting with the software version. Examples of this include: McAfee, Norton, Panda, Computer Associates (CA), Trend Micro, and Black Ice.

The above examples may be included in a bundled package but not always. They may be bundled with Anti-Spyware, Spam Controls, Parental Controls, and other types of programs. The theory is you are getting a LOT of protection for a single price and as a single program to work with. Ironically, I myself have yet to find a 3rd party package on a client's machine that did not either slow the machine down significantly or outright cause it problems. Many of the third party applications can be problematic to configure, update and run in a way that does not cause further problems.

A software firewall sometimes is the only thing that may be standing between you and the entire world. There is a saying on the internet that you and all your friends and enemies are only a couple milliseconds away from each other. That is a scary thought!!!

Software firewalls have a very difficult job! They are expected to let all the good traffic from your computer out, and then deny all the bad stuff from causing a problem on your computer. This theory is great, but most software packages tend to fall very short in their application. In my opinion, many actually fail miserably. The implementations I have witnessed so far have shown the firewalls to be too restrictive. I have many times had to remove the entire package and install separate programs to replace the “bundles”.

Did you know that every version of Windows since Windows XP (Service Pack 2) comes with its own firewall? Right out of the box, the firewall is turned on. Is this the most extreme firewall? Not by any means, but in most cases it works extremely well and will seldom cause you problems with programs that run. The version of the firewall that comes with XP, Vista, Windows 7, and the Mac is actually fairly good. It is also a LOT better than not having any firewall turned on at all. So please ensure your firewall is turned on.

At the start of this post I stated that I am not a fan of the software firewalls. OK, so if I am not a fan why would I actually recommend the use of one? Well, like every other rule in the world there are exceptions to rules. If I am at home and I am using my known secure router, then I can relax the rules for needing my software firewall turned on. Reality, I seldom spend the amount of time that I desire at home, and instead spend it in hostile networks. I am on clients' networks, work networks, servers, and OPEN WIFI. With this in mind, I keep the software firewall I have on my Mac at full strength. I know you are saying that I am contradicting myself, but hear me out. The software firewall is up and working because of the hostile open nature of the networks I am on. I trust my machine as I am personally cautious of what I download and run. What I don’t trust is the rest of the world!

On an open wireless connection you are connected to everyone else that may be in the shop as well as many who may be outside that you don’t know. On an open wifi, there is normally a hardware router / firewall, and it will protect you some from the people outside on the internet. The juicy inside of the open wifi is where you are wide open to everyone else in the area. Wireless is an omnidirectional signal. This means that not only is the signal 360 degrees around the wireless device, it is also top and bottom. This means you can have someone a couple floors up seeing what signals are being sent out and the person on the internet will never know they even exist. At the moment I will not go into secure wireless versus non secure wireless. On the open wifi you can be seen without your firewall turned on. You can test your firewall and if it is working by going to https://www.grc.com/x/ne.dll?bh0bkyd2

If you travel with your laptop, you should have a firewall turned on. If you have a laptop and take it to friends or coffee shops to work or play, you should have your firewall turned on. If you have kids on computers and the computers may be infected with whatever, you should have a firewall turned on.

Summary:
If you are not 100% positive of where your network is or who is on it, turn your firewall on!!!

Mar
14
2010

Turning on a Software Firewall on a Mac Prep Step

This post is here to provide information on how to turn on a software firewall.  It is done in preparation for my series Routers – Hardware Firewalls Vs Software Firewalls.

Software Firewall

I would like to start by saying please check the status of your firewall.   If you are on a Mac I have included screen captures for you to check with.  Yes, on a Mac you should have your firewall turned on as well.  Unlike current Windows, the Mac's software firewall is NOT turned on by default.

Mac

Mar
14
2010

Turning on a Software Firewall in Windows XP Prep Step

This post is here to provide information on how to turn on a software firewall.  It is done in preparation for my series Routers – Hardware Firewalls Vs Software Firewalls.

Software Firewall

I would like to start by saying please check the status of your firewall.  I have included a video in order to see how to do it on Vista and Windows 7, and two pictures to show you how to do so on Windows XP.  If you are on a Mac I have included screen captures for that as well.  Yes, on a Mac you should have your firewall turned on as well.  Unlike current Windows, the Mac's software firewall is NOT turned on by default.

XP

Mar
14
2010

Turning on a Software Firewall in Vista / Windows7 Prep Step

This post is here to provide information on how to turn on a software firewall.  It is done in preparation for my series Routers – Hardware Firewalls Vs Software Firewalls.

Software Firewall

I would like to start by saying please check the status of your firewall.  I have included a video in order to see how to do it on Vista and Windows 7, and two pictures to show you how to do so on Windows XP.  If you are on a Mac I have included screen captures for that as well.  Yes, on a Mac you should have your firewall turned on as well.  Unlike current Windows, the Mac's software firewall is NOT turned on by default.

Windows Vista / Windows 7

Feb
22
2010

Password Security – Time to rethink about passwords

How many passwords do you have?
Does someone have your password?
How do you protect yourself from this?

Passwords are a big deal!!!  They control access to everything in our lives.  This means we should be as secure about our passwords as possible.  Most people have a tendency to have a low, medium and high security password.  This is a great theory, but a very misguided thought process.  Computers have a lot of horsepower now and the time to break a password is trivial.  Add to this that Google will tend to have a LOT of information about you, and passwords become easy to guess.

Example: a Child’s name password
Low – ben
Med – Ben72
High – @Ben1972!

All of these passwords are valid.  The question is where did you use these passwords at?  If you use them on a network that is not secure, or a service such as POP email, then you may not be the only person that has these passwords.

Human nature is to keep passwords simple, but in the world of computers simple passwords don’t help.  The other trait of people is to have passwords we can remember; if one is too hard to remember we simply write it down and leave it on our desk.  Well, people will look at your desk and see your password taped to the monitor and now have access to your data.

There are several ways to fix this:
1) Never reuse your passwords (there are programs that will make every combination of passwords available from your lowest level password)
2) Keep passwords in a secure location
3) A recommended way to do both of the above is to use something like lastpass.com’s password manager from http://lastpass.com The free or premium both work well.  Another great product is KeePass from http://keepass.com/ and if you are on a Mac 1Password from Agile Web is the way to go.

The advantage of these products is that they will give you a random password, store your passwords, and simplify the login process by putting in your login and password, so you only need to remember 1 password.  Which you won’t give out!!!
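Why the low / medium / high scheme from the child's-name example counts as reuse, shown as an added example (not from the original post): a small audit you can run over your own password list that strips the numbers and symbols wrapped around each password and groups the sites that share the same underlying word. The function names, the look-alike table and the sample list are constructed for illustration.

```python
import re

# Look-alike characters commonly swapped for letters inside a word (assumed, not exhaustive).
LOOKALIKES = str.maketrans(
    {"3": "e", "0": "o", "1": "l", "4": "a", "@": "a", "$": "s", "5": "s"}
)


def base_word(password):
    """Reduce a password to the word it was built from."""
    # Drop the digits and symbols added in front of and behind the word.
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    if not core:
        # Nothing but digits/symbols: treat the whole string as its own base.
        return password.lower()
    # Ignore capitalisation and undo look-alike swaps left inside the word.
    return core.lower().translate(LOOKALIKES)


def reuse_groups(vault):
    """Map each shared base word to the sorted list of sites built on it."""
    groups = {}
    for site, password in vault.items():
        groups.setdefault(base_word(password), []).append(site)
    return {base: sorted(sites) for base, sites in groups.items() if len(sites) > 1}


# Constructed sample list using the passwords from the example above,
# plus one variant and one random password of the kind a manager generates.
SAMPLE_VAULT = {
    "forum": "ben",
    "webmail (POP)": "Ben72",
    "bank": "@Ben1972!",
    "shop": "B3n!",
    "router": "tR9#kq2Lw$Xz",
}

if __name__ == "__main__":
    for base, sites in reuse_groups(SAMPLE_VAULT).items():
        print(f"{len(sites)} sites share the base word {base!r}: {', '.join(sites)}")
```

On the sample list the forum, webmail, shop and bank passwords all reduce to the same word, so whoever sees the lowest one on an insecure service has the starting point for the highest one; the random password shares nothing with the others.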

Happy and Safe Surfing!!!!

Feb
18
2010

Paranoia Refresher – Laptop Theft

The weekend of the 7th of February I was at a security professionals conference. (Shmoocon) Yes it is a hacker convention, but it is a great place to learn about higher level security issues that affect people. It also refreshed my mind on some basic ideas of security. Many times the security talks that are presented are simply not useful for the average person. That being said it did raise the level of paranoia I have about computer security in general.

Another reminder that added to this was the theft of two different laptops. One laptop was left unattended for whatever reason and sprouted legs and walked away. The other reminder was from a parked car with a laptop in the back seat. A brick through the window and the laptop disappears.

I won’t go into the data security on this blog post but suffice it to say these were crimes of opportunity. It is extremely easy to have a laptop walk away in a crowded restaurant. So on to the security of laptops.

If you have a laptop in your car, in a crowded parking lot, put the laptop in your trunk. As simple as that. If a thief can’t see the laptop it is harder to steal. In a restaurant, if you make your laptop even remotely difficult to steal it will be pushed to the bottom of the list to be stolen. In a crowded environment where you might get up to get coffee or use the restroom lock your laptop to the table. This does require a slight investment of anywhere from $8 (US) on up depending on how secure you want it (I will not go into the exceptionally simple methods shown in the lock pick village to defeat a lock). In the case of the person’s laptop being stolen in a restaurant, even the cheapest lock would have prevented this theft.

When a laptop is sitting on a table, no one will think twice about someone walking by and grabbing it. If bolt cutters, or even lock picks, are brought out to cut a cable lock, that will bring attention. A thief will avoid attention at all costs. There is a very important element to this scenario: LOCK the laptop, don’t just make it look like it is.

I personally have not ever seen a laptop that does not have a locking port on the side of the laptop. So please use it!!

Summary:

Lock your physical laptop when leaving it in public

Do not leave your laptop in plain sight in your car

Feb
2
2010

Domain Highlighting

Internet Explorer 8 (IE8) has an interesting security feature worth exploring and understanding, Domain Highlighting.

This is a simple feature which highlights the Top Level Domain of a website in black while graying out the rest of the website link.

A Top Level Domain is the primary Domain Name of any site, which can have any number of Sub-Domains. Highlighting the Top Level Domain of a website in the address bar ensures that the user is always aware of the site he is in. This is very important when it comes to secured sites like your online banking website or a site like PayPal where the information you enter (anything from an access user name and password to account & credit card information) is critical.  And making this much clearer and highlighted in the address bar from the rest of the link makes the user that extra bit vigilant about where he is, so he can be sure he is in the website that he intended to visit and not a spoofed or phishing website.

What this feature does is give you a very quick way to know what domain you are actually entering.  (Reference: http://www.windowsreference.com )

Most people do not know how a domain name / web page name should look.  When you actually dissect the way a domain name looks it will lead you to the insight to keep yourself protected.  The most important thing to look for on a domain is the . (period)  This will show you the type of web site you are going to be going to.  The . (from dot com) is what they call a Top Level Domain.  There were at one time only 13 servers that controlled the Top Level Domain Servers.  There are many more now.  What I hope you will bring from this is the .com .net .edu etc are what they call Top Level Domains.

In the examples above you have http://www.microsoft.com/en/us/default.aspx as the web site that the person was on.  In this system you see the top level domain of .com and the sub domain of Microsoft.com.  If what you want to do is go to Microsoft.com then you are where you wish to be.

The evil bad guys are really trying to confuse you in order to get you to sign into their site instead of a real site.  The most targeted example is banks.  They want very much to get you to go to their web site put your user name and password in and try to check your account.  If you accidentally do this they now have your real user name and real password to your bank.  This is a very bad idea!!!!

For example, a URL of the following form will open http://example.com, but the URL in the Address bar or the Status bar in Internet Explorer may appear as http://www.wingtiptoys.com:

http://www.wingtiptoys.com%01@example.com

All that to tell you to read the address bar and see what web site you are on.  So if you typed Microsoft.com then you will know Microsoft.com is the site you are on because it is the ONLY part that is in bold letters.   As of right now, IE8 is the only browser that does this without some kind of add on program.
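What reading the address bar amounts to, as an added example (not from the original post or from Internet Explorer): a parser that separates the text in front of an `@` from the host the browser really connects to, then works out the part of the host that domain highlighting would show in bold. The function names and the tiny suffix list are assumptions for the demo, a real check would use the full Public Suffix List, and the third URL is constructed to show a look-alike sub domain.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny suffix list; real code should load the Public Suffix List.
DEMO_SUFFIXES = {"com", "net", "org", "edu", "co.uk"}


def registrable_domain(host):
    """Return the name registered directly under the suffix, e.g. microsoft.com."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so co.uk beats uk.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in DEMO_SUFFIXES:
            if i == 0:
                return None  # the host is a bare suffix, nothing is registered under it
            return ".".join(labels[i - 1:])
    return None  # suffix not in the demo list


def inspect_url(url, expected=None):
    """Report where a URL really leads and whether that is the site the user expected."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    highlight = registrable_domain(host)
    return {
        "host": host,                          # what the browser connects to
        "highlight": highlight,                # what domain highlighting would show in bold
        "userinfo": parts.username,            # text before '@'; never part of the host
        "has_userinfo": parts.username is not None,
        "matches_expected": expected is not None and highlight == expected.lower(),
    }


if __name__ == "__main__":
    samples = [
        ("http://www.microsoft.com/en/us/default.aspx", "microsoft.com"),
        ("http://www.wingtiptoys.com%01@example.com", "wingtiptoys.com"),
        ("http://www.microsoft.com.example.net/login", "microsoft.com"),  # constructed
    ]
    for url, wanted in samples:
        info = inspect_url(url, expected=wanted)
        verdict = "ok" if info["matches_expected"] else "NOT the site you wanted"
        print(f"{url}\n  real host: {info['host']}  bold part: {info['highlight']}"
              f"  text before @: {info['userinfo']}  -> {verdict}")
```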

I have found this to be a great feature and one that is easy to use when a person knows to look for it.

Happy and Safe Surfing!!!

Jan
16
2010

Computer Recycling

  • What do you do with that computer sitting in your closet?
  • What do you do about the data on that computer?
  • What kind of data is on the computer's hard drive?
  • Is my computer safe to give to a friend or relative?
  • Is it safe to put that machine out with the trash?

These are just a few of the questions that a person should consider before that computer can be recycled.  The environmental side of this conversation is only going to be referenced briefly.  I will provide some links that will allow you to find a recycling center in your area to dispose of your computer.  Office Depot offers a technology recycling program.

  • What kind of data is on the computer's hard drive?

I would like to address a couple of the questions above.  What kind of data do you have on your computer?  It is probably an older computer that you are getting rid of, which means that you may have older software and less secure software on your computer.  The older browser may have held your credit card or user names and passwords that a newer more modern browser may have fixed.  You might have pictures that you have downloaded that may be private or even family pictures that are for just your own family.  How do you prevent this from being given out?

Back up any data before you do this.  There are some simple methods to avoid this issue.  One of the 99.999% most effective methods of preventing your data being released is to remove the hard drive from the computer and store the hard drive. The hard drive is one of the smallest pieces of the computer so easy to store.  If you need to dispose of the hard drive and have access to a drill you can put two holes in the platter.  This prevents the hard drive from being used.  When you drill the hard drive you should aim for the physical platter of the hard drive.  If you drill the two holes 90 degrees apart, that platter will never be able to spin up again.  The above methods are the most aggressive of my suggestions.

Example of points to drill the hard drive

Where to drill the hard drive

Another method of disposal is a shredding company.  Many of the companies out there offer a service that will shred the physical hard drive.  (Run it through an industrial wood / metal chipper). This will also guarantee complete destruction of the hard drive.

  • Is my computer safe to give to a friend or relative?

If you would like to give away your computer to something like a charity, then you should run a program that will delete all data from your computer.    There is a simple program you can download from the internet called Boot and Nuke.  This program will do exactly what it says.  You download this file to a floppy disk, boot off it, and it will overwrite every file and bit on your computer, obliterating all data on the hard drive.  http://www.dban.org/ is the place to get this utility.  There is a download on this site as well at http://www.dban.org/download The link to the cd / dvd version is found at DBAN CD / DVD version.  There is one more utility that is faster and as secure as the DBAN process but it may be a bit geekier to perform.  It is called Secure Erase and should work on drives after the 2001-2002 time frame.

One other method that will leave your computer as a computer is to simply run the restore disks on your computer.  I would recommend that you run a disk defrag on your computer before you do the recovery.  This will move your data around before you format the computer during the recovery process.  It is important that during the recovery, when it asks or states that you will lose all data, you answer yes.  The program normally will start by formatting the hard drive and then installing everything as if it was factory fresh.  At this point you can do the updates to the computer and feel fairly safe that 99% of the data of the drive will have been formatted and destroyed.  This method is not 100% safe because a “Professional Restoration Company” may be employed to recover data from this machine, but that process is not an inexpensive thing.  So please donate to a friend or family that needs a computer, if the computer is worth doing so with.

I don’t recommend re-use of the drive without DBAN or Secure Erase, since programs such as Recuva allow anyone to recover deleted & formatted data fairly simply.

  • Is it safe to put that machine out with the trash?

What do you do now?  If the computer is one that can be reused and is in working condition, you can many times donate it to various charities.  Goodwill many times will take this type of donation.  This will sometimes entitle you to a tax write off, but not always.  There may be people who can use it for kids who need a machine for homework.  This will give your equipment a second life, before it heads off to the landfill.

There are no set ways to get rid of your computer.  The SPSA (local waste management) does not have a specific policy on recycling e-waste.  That means they may very well pick up your computer with the rest of the trash.  In theory, Best Buy and other locations such as Office Max also offer recycling, but there is many times a fee for this.  The theory is it will be a more responsible recycling than throwing it in a landfill.

Jan
11
2010

Verizon Wisdom!!!

At a recent site visit, a client of mine recently installed the FIOS service from Verizon.  I was brought in to repair a laptop that was no longer browsing the web.  The prior evening it was working fine but in the morning it could no longer surf the web.  The computer was able to receive an IP address.  The client had removed the Norton 360 and installed the security suite now being offered for free by Verizon.  I proceeded to do the typical troubleshooting for when you get an IP address but are still not able to surf the web.  This did not get anywhere.

I was looking at the software provided by Verizon and it appears to be a product they recently created on their own.  As per my luck with Verizon products when I went to uninstall the product and restore to normal, I found the uninstaller failed to work.

I then called Verizon’s technical support for two reasons.  I wanted to gain access to the router and I wished to get the removal tool for their malware program.  I started with the removal first.  I asked for the file location and was told it was a fairly complex address to download it from. The tech seemed unsure how to get it to the laptop since it couldn’t get on the Internet.  Of course this was 90 seconds after I had told him my laptop worked fine on the router and was 6 inches away.   The tech offered to take over my computer so that he could easily give me the address to the file.  I consented and allowed access, downloaded the file, used sneaker net to transfer the file, and removed the malware program.  This did not resolve the problem.

My next step was to examine the connection to the router.  I asked for the user name and password to the router and was completely thrown off guard when I found the answer.  The user name I had no issue with of being admin, but I was shocked to find out the password was simply password1.  I without even thinking asked the tech “REALLY”.  You use password1 as your password for your routers.  I was then told that the techs in the field are to use this password as their password and it is configured via a USB key that the tech runs the setup from.  My next set of questions to the tech was semi rapid fire.  You use a WEP key on your router (granted random character), and you use a password of password1.  I then asked him why they would configure a WPA2 capable router with WEP, and then secure it with a horrible password.  I asked the tech if he had heard that WEP is broken and takes less than a minute to crack?  There were no answers from the tech.

I was completely surprised when I realized just how bad this security really was.  I then proceeded to put a much more secure password on the router, and added a quality WPA Key.  I simply do not understand why they ever considered this a good idea.

Summary: Verizon uses a default password of password1 on a WEP key standard broadcasting router.  This is a REALLY bad idea and exceptionally bad implementation of that technology.

The views of this post are 100% the view of Anthony Gartner