This article was originally published in the Summer 2003 issue of LINK magazine.


The Walled Garden
Helping the Internet grow up with firewalls, virtual private networks, and other network security technologies

by Derek K. Miller

The Internet was young once, and naive. It was built by researchers and enthusiasts who shared information and trusted each other, like neighbours in a small town. Until a few years ago, you could believe the "From" line in an e-mail message (almost all were from someone you knew, anyway), open downloaded files safely, and connect a server to the Net without worry.

But as a town grows into a city, we learn that some of our fellow citizens aren't so trustworthy. We have to start locking our doors, installing alarms, and watching our backs—without turning into paranoid shut-ins. Large organizations were the first to use security technologies such as data firewalls and virtual private networks, to make life in today's big-city Internet safer and more pleasant. Today, widespread broadband Internet access means that home and small business users need that kind of protection too.

All Hooked Up

"I access the Internet via broadband," says Michael J. Miller, a columnist for PC Magazine, "and would never dream of going back." Anyone with a cable modem or digital subscriber line (DSL) shares Miller's disdain for the low bandwidth and connection delays of dial-up connections. As cable and telephone companies compete fiercely for high-speed Internet customers, the price has come down. So too has the cost of broadband connection hardware, such as D-Link's DSL-300G ADSL modem. Subscriber numbers in North America are up 70% in the last year.

Dial-up Internet does have one hidden benefit, though. Since connections are typically short and relatively infrequent, and because a computer is usually assigned a different Internet Protocol (IP) address for each dial-up session, it's pretty difficult for anyone to eavesdrop on or try to hack into a dial-up–connected machine. Those of us with high-speed connections, however, are hooked up to the Internet whenever our computers are switched on.

Manufacturers encourage us to keep them on day and night—operating systems spin down hard drives and shut off energy-sucking display screens automatically, and some machines, such as Apple's new iMacs, even put the power switch in the back where it's hard to reach.

A computer that's always online and has a stable Net address is an easier target for crackers, worms, and other digital nasties. Tiny flaws in modern operating systems make breaches quite feasible, and if you have a home network with files shared between machines, you may unknowingly have extended that sharing to the outside world. Nefarious programmers create automated programs to hunt for such vulnerabilities, sometimes using compromised machines as "zombies" to launch attacks on larger servers or networks. One way to keep them out is to use a firewall or router.

Fighting Fire

"Often, when a PC falls victim to an attack, it's through an exploit that can only take place if the PC is directly accessible from the Internet itself," says Barclay McInnes, a senior network engineer in Vancouver.

Like a physical concrete firewall between townhouses, or a metal one between the passenger and engine compartments of a car, a data firewall keeps data traffic inside isolated from that outside. Physical firewalls also let important things through: water pipes or steering controls, for instance. Data firewalls are even more flexible. You can configure them to block all traffic except certain types—e-mail and Web traffic can go through, for example, but file sharing, instant messages, FTP file transfers, telnet remote-control, and other protocols can all be blocked, or might only be allowed in one direction. If you need a particular service such as FTP for a short time, you can "poke a hole" in the firewall, then close it up again when you're done.

"A firewall acts as a sort of traffic cop, regulating the flow of information to and from the PC," says McInnes. A broadband router performs a different function which also keeps your computers safer. To the outside world, it looks like a single device, with a single IP address, connected to the Internet. On the inside, it can connect a number of other computers (each with its own, individual IP address) to the Net, while keeping those machines' addresses hidden from outside eyes—a process known as network address translation (NAT).
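As an added example (not from the article or from any D-Link product), the following Python sketch models the gateway behaviour the two paragraphs above describe: outbound connections are recorded and rewritten to the single public address (NAT), inbound packets pass only when they answer a connection started from inside or hit a deliberately "poked" hole, and an egress rule can forbid a protocol such as telnet outright. All addresses and port numbers are constructed samples from documentation ranges.

```python
# Added example, not from the article: a toy model of the home gateway the
# text describes. One public address faces the Internet; inside hosts are
# rewritten (NAT) on the way out, and inbound traffic is accepted only if it
# answers a flow the inside started, or matches a deliberately opened "hole"
# for a service such as FTP. Addresses are documentation-range samples.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"        # the gateway's single outside address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    def __init__(self, blocked_outbound=()):
        self.blocked_outbound = set(blocked_outbound)  # e.g. {23} forbids telnet out
        self.nat = {}      # public port -> (inside ip, inside port, remote ip, remote port)
        self.holes = {}    # inbound dport -> inside ip ("poked" through the firewall)
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN -> Internet: enforce egress policy, record the flow, hide the inside address."""
        if pkt.dport in self.blocked_outbound:
            return None                                   # dropped by policy
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.nat[pub_port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(PUBLIC_IP, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> LAN: pass only replies to known flows or traffic aimed at an open hole."""
        if pkt.dst != PUBLIC_IP:
            return None
        flow = self.nat.get(pkt.dport)
        if flow and (pkt.src, pkt.sport) == flow[2:]:
            return Packet(pkt.src, pkt.sport, flow[0], flow[1])  # translate back to the LAN host
        if pkt.dport in self.holes:
            return Packet(pkt.src, pkt.sport, self.holes[pkt.dport], pkt.dport)
        return None                                           # unsolicited: no mapping, dropped

    def poke_hole(self, dport, inside_ip):
        self.holes[dport] = inside_ip

    def close_hole(self, dport):
        self.holes.pop(dport, None)
```

An unsolicited probe at the public address has no NAT entry and no hole, so it is dropped; a reply to a web request started from inside is translated back to the LAN host that asked for it.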

Early data firewalls and routers were specially-configured, dedicated computers, usually requiring a team of networking experts to set up. Now, stand-alone devices—such as those in D-Link's Digital Home Broadband line—combine a firewall, router, and sometimes other switching or wireless features into a single device that sits between your high-speed modem and your computer or home network.

McInnes thinks broadband users need firewall protection. "Using something like the D-Link DI-804HV or DI-604 Internet gateways protects users by removing their PC from direct connection to the Internet, dramatically cutting the effectiveness of many types of attacks."

Calling Home

Locking out intruders is fine while you can still access the Internet from behind your firewall, but what if you want someone to have access from the outside—such as yourself, when you go on vacation or a business trip? Again, big organizations were first to find a solution: the virtual private network, or VPN.

A VPN is a way to extend the privacy of your internal network—behind its protective layer of firewalls, routers, and gateways—to remote locations. Large organizations use VPNs to link remote offices to each other and their main headquarters, and to give travelling employees access to e-mail, company files, and intranets.

While there are techniques for providing secure access to those services individually, a VPN essentially extends the entire internal network, so remote users work as if they were plugged into a network jack inside the main firewall. VPN connections are often called "tunnels," because the network traffic is mathematically encrypted and authenticated so that only authorized people can access the network from outside. VPNs also minimize firewall openings by putting all traffic through a single set of ports.

Two years ago, Bill Dobie co-founded Navarik Corp., a fast-growing company that makes software for maritime shipping firms around the world. "In the last year, I flew 45 times, over 90,000 miles," he says. "We have a very secure data policy in our office, so when I'm on the road or overseas, I must use a VPN to log in."

The most widespread standard for secure VPNs is IPSec (the IP Security protocol). Client software is available from various vendors for Windows, Macintosh, Linux, handhelds, and even smartphones to connect to a protected network from anywhere in the world. For homes and small businesses, a device with IPSec support, such as the D-Link DI-804HV Internet gateway, can simplify connecting to your network while on the road, by enclosing all your network traffic in a VPN tunnel, instead of requiring you to set up separate secure connections (with appropriate holes through your firewall) for e-mail, file sharing, intranet, and other services.

Securing the Air

Lately, wireless network access has become especially popular, but it also has new vulnerabilities. Snoopers can simply try sitting with a wireless-equipped laptop in a building or car within wireless range to see if your network's security encryption is turned on.

"The biggest problem with wireless encryption today is that a lot of organizations aren't using it," says McInnes, "so anyone can grab a free connection to the Internet using your resources, or worse. You would never let somebody wander in, sit down at one of your PCs, and just start playing around. Without encryption, you essentially do the same thing wirelessly."

Fortunately, all modern wireless network equipment using the 802.11 Wi-Fi standard supports wireless encryption—and better encryption is in development. D-Link's entire line of Air, AirPlus, AirPro, and Extreme G adapters, cards, base stations, and gateways also makes that security easy to activate, and inter-operates with wireless equipment from other manufacturers.

Doing It Simply

Network security devices for homes and small businesses are simple and quick to set up, as Bill Arab—a Web designer and technical specialist working in Omaha, Nebraska for Illuminated Technologies—discovered.

"A friend was going to pop out to the store while I set up his home network with a simple firewall/router device," he says, "so he went to find his coat and feed the cat. By the time he came back to tell me he was leaving, everything was ready and I was checking my e-mail."




Page BBEdited on 19-Mar-04 (originally published June 2003)

© 2003 Derek K. Miller. Some rights reserved. You may use content from this site non-commercially if you give me credit, under the terms of my Creative Commons license.
