Phone

Metal detectors are fine, but guns are not the only way to cause damage. Someone can fax all your confidential documents to a third party, eavesdrop on your conversations, inform the competition about your current actions, or act as a sleeper and wait for orders.

It is therefore crucial to tap all the lines, monitor cell phone activity, and be alerted when someone calls inside or outside. This is the role of the firewall.

Some employees are expected to make calls on a regular basis: a web browser legitimatelly accesses the web, for instance. However, it does so from its special line, known to be used for web access. Most well-known employees have a “special line” for their work; in computer parlance, this is called a port. A port is assigned a unique number: for web browsing, this is port 80 (and 443 for secure access). To read this very text, you accessed this web page with your browser, on the port 80 of our web servers. On your side, your browser picked any available line (eg. port #17456; there are many available).

The firewall intercepts the new calls, and authorizes or rejects them based on its rules, or user interaction (you clicking on some alert popup). Indispensable too. There are several kind of firewalls; this section deals with software firewalls (a program you install on your machine).

As for antiviruses, some firewalls are better than others, and there are freeware ones too. Some of them only filter incoming calls (less desirable), some other are hardened to various kinds of attacks, like making thousands calls all at once to saturate the service. Some firewalls also sort of understand what they listen (instead of merely accepting or rejecting new calls), and can indentify dangerous content.

As good as they are, firewalls are not the panacea in security though.

Firstly, they must be properly configured to be effective. The basic services, like web browsing, are normally configured by default, but if you install further programs and services, you will have to decide if it is legitimate or not when it tries to call outside or if it is called. Sometimes it just tries to see if there is a new version available, sometimes it can send information you’d rather it didn’t. In addition, you can have unknown programs wanting to call outside, and you won’t know why and what to do. You can count on hackers to carefully choose the name and the location of their malicious software to confuse you into accepting the call…

Secondly, malicious programs can piggyback on a standard line, like that of the web browser, for their communication purposes. This can go like “can you send me the page peacenlove.org, with the third text area set to amex 456667789, exp.date 01/08, sec.code 3223?”, effectively sending your credit card number outsitde… Using the web browsing line, and pretending to make regular web accesses, a malicious program can send data of a very different nature; in fact, it can do everything it could do on another line. This is called tunneling.

Thirdly, it is well possible to tamper with the whole phone installation in your office. Someone could call, and even before the phone rings, electric signals are sent to the phone system, which are interpreted so as to perform some malicious action. The firewall never had a chance to do anything.

Fourthly, if a program can run on your machine, it can easily disable your firewall or make it ineffective.

Fifthly, if your operating system is not up-to-date, some system services can suffer from security vulnerabilities recently identified, and someone can use them against you, sometimes gaining full control of your machine. Imagine the canteen kitchen service, and someone making a ridiculously long order, like one thousand starters, ten thousands main courses, and at the end of the order, there are bank instructions asking to transfer all funds to a given account. In the confusion, the transfer order can end up in the financial service and be executed. Don’t smile, this has happened (although, as computers go, the confusion has nothing to do with the instructions being executed).

Firewalls are consequently only a part of your security plan, and other parts are at least as much important. That being said, a firewall is very useful, even if it has limitations.

Independent Security Staff

One of the main problem of personal computer security is that if your system is compromised, it is trivial to disable all security measures. Actually, Linux systems perform better in this area, since its standard policies features special accounts for administrative purposes, and users are not supposed to perform their usual tasks with the special accounts. Arguably, there are similar mechanisms on Windows XP, but there are most often not enforced.

But whatever your operating system, separating what you want to protect from the security control center is a very desirable goal. This what a hardware firewall/router offers.

This is a special device, that you put between your machine and the rest of the network (the Internet, or a corporate network). That is, you machine talks to the hardware firewall, and the firewall then “forwards” the request to the expected recipient - it acts as a middleman.

The big advantage is that even if your machine is suddenly infected with malicious programs, they cannot shutdown the hardware firewall or tamper with its configuration. It acts as an independent security team that cannot be laid off from the CEO’s office.

In addition, a dedicated device is usually going to perform much better than its software equivalent.

A minor inconvenience is that you generally have to configure new rules through a web interface, which is not as integrated as its software equivalent. You may have realized that this is exactly what makes them so useful in the first place.

Routers and hardware firewalls are very valuable and actually much better than software firewalls, even though you can use both. Some security experts even claim that software firewalls are ultimately pointless; we don’t completely agree, since it acts as a simple first line of defense. The hardware version is more expensive, though, but if this is your only objection, it is well worth it.