Firewall Basics | Routers | Software Firewalls | Testing Your Firewall
All trademarks, company names or logos are the property of their respective owners.
Simply stated, a firewall is a software or hardware product that screens the information coming into and leaving your computer to ensure that there is no unauthorized access to your computer.
Home routers from 10 manufacturers, including Linksys, DLink, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices.
— Ars Technica
Firewalls provide your first line of defense and can help you control what accesses and leaves your computer.
Without a firewall, your computer is operating with an 'open door' policy. Bank account information, passwords, credit card numbers, virtually any sensitive information on your computer becomes available to hackers. Hackers can get in, take what they want, and even leave one of their own 'back doors' in place for ongoing access to your computer whenever they like.
— ZoneAlarm
There are two basic types of computer firewalls:
Both monitor and control access to the Internet and to your network (if you have one) for programs and components on your computer.
The nature of threats has evolved and so must the technology used to protect your network.
Next-Generation Firewalls (NGFWs) are designed to protect you from the sorts of threats that a static solution cannot protect against.
While traditional firewalls tend to provide stateful inspection of outgoing and incoming network traffic, an NGFW provides additional features such as integrated intrusion prevention, application awareness and control, and cloud-delivered threat intelligence.This type of firewall also comes with the ability to address evolving security threats, which means, it is not as static as traditional methods.
— The Windows Club
If you are continually connected to the Internet you cannot afford to be without a firewall.
Most software today wants to "call home" using the Internet for various reasons:
Beware of using obsolete (unsupported) programs & apps as well as those that request unnecessary access to the Internet, contacts, etc.
Can you trust the information these apps are sending and receiving? Perhaps not.
A decent software firewall, when configured properly, allows you to control what software and components have access while your hardware firewall (router) can help protect you from inbound threats.
A router is a hardware device that creates a network for devices within a local area then allows those devices to connect to the Internet.
It serves as a hardware firewall that provides the first line of protection by hiding your computer(s) and devices (smartphones, tablets, virtual assistants, etc.) from those trying to gain unauthorized access.
A router provides secure shared access to high-speed Internet services for all your connected devices and allows you to share information across the network if you wish.
Most units sold today have four wired outputs and can support up to 253 additional computers via the wireless connection.
High speed modems provided by ISPs like Shaw, Rogers and Telus combine a router and modem into one package.
More expensive routers can provide more options like blocking or allowing certain sites or automatically turning off the access to the Internet when you're usually not home such as working hours.
Because wireless router signals are available to anyone within range, you need to take special precautions.
Wireless routers should be secured using encryption. What is available to you depends upon both the age of the router and the computers that connect to that router.
The most commonly used encryption today are WPA and WPA2.
Disable wireless connections or dispose of devices incapable of current encryption (resetting the router so that your private security keys are no longer present on the device).
Be sure that your firewall is actually protecting you.
You should upgrade your router when it no longer provides for current security protocols. Older protocols are vulnerable to being hacked.
Protocols change over time, but vulnerabilities become known to hackers and governments wishing to view your Internet traffic or redirect you to less safe versions of websites.
The recommendation is to replace your router if it is more than a few years old, especially if it is listed here:
WiFi Protected Setup (WPS) is a push button technology that makes connections very easy, but there is a flaw that makes it vulnerable. The flaw explained.
My recommendation is to disable WPS using router's browser-based configuration tools. I've experienced difficulties following this procedure when trying to connect wireless printers and accessories — usually because of a manufacturer's flawed assumption that “easy” is better than secure.
Here's the settings on a D-Link router. Your configuration may differ.
The process to disable WPS varies by router, but these are the basic steps:
http://192.168.0.1/
) with the user name and password.During the above setup, Firefox indicated a potential security risk because this D-Link router doesn't support the HTTPS protocol (it wouldn't load the HTTPS page).
The Netgear AC750 instructs you to log into http://www.routerlogin.net
while setting up your login credentials. Not only are you providing your login details to the router's manufacturer, but are vulnerable to malicious activity on the web while you do so.
What I did was to setup dummy login credentials, then use the http://192.168.0.1/
(which wasn't included in the quickstart guide) to login and change the login username and password to something more secure.
You should NEVER use the default settings for your wireless router. These standards are well known and easily found on the Internet.
If your devices are unable to use WPA or WPA2 protocols, replace them. Downgrading your security makes your entire network vulnerable.
There is more detailed information about wireless security on Wikipedia.
I used to recommend using a router in addition to the units provided by Shaw or Telus, but this is trickier today and the units provided by both Shaw and Telus have improved significantly.
Cable companies (such as Shaw and Rogers) used to block your computer's access to their services like email and other customer-only services once your computer is behind a router. This practice has stopped because it didn't work with the smartphones and tablets used by their customers.
Some recent equipment provided by Telus has made it more difficult to use your own router, especially if you subscribe to Telus TV. Fortunately, the quality of Telus' routers have improved.
If you need to run your own router, these instructions may help.
Bridging sends the raw IP addresses coming in directly to your DHCP-enabled router rather than allowing the Telus router to manage traffic.
The following may help with this process:
These are some of the common manufacturers of routers:
The reliability of these routers varies and you should do some research before purchasing a new router. Replace anything more than a few years old.
For example, there are security vulnerabilities in D-Link products that contributed significantly to botnet attacks:
I think the FTC was feeling the heat from the botnet attacks, of which we believe there were a lot of D-Link devices included. And let me be clear, D-Link is absolutely at fault for a lot of this. Some of the most basic vulnerabilities have existed in their products for over 10 years that they haven't patched. And that's a pretty — yeah, that's bad. But as you mentioned, it's not illegal to make a bad product.
— Security Now! Transcript of Episode #630.
Other brands can suffer similar issues and some models of the same brand may be more reliable than others.
If you are having trouble with a router, check the manufacturer's site for firmware updates specific to your router (check for FAQs, firmware and other information under Support).
Be sure that you are selecting the right version for firmware as similarly-named models vary between countries as well as versions. An improperly updated device may cease to work.
Unfortunately few manufacturers are willing to update the firmware on older products to repair known issues. They'd rather sell you a new unit and have you send your old one to the landfill.
In 2013 a security vulnerability was reported for several routers including some of D-Link's product line where there is a secret code that bypasses the router's security. Not all D-Link routers are affected and updating the firmware can be somewhat tricky so you might want to review the videos on D-Link's site for the warnings and help.
These resources can help to explain some of these issues in greater detail:
Software firewalls and routers are each more adept at different, but complimentary, tasks.
You need a software firewall since routers are designed to protect you from intrusions, but can do nothing to protect you from the malware or viruses already present on your computer.
A firewall program verifies whether software programs and components are allowed access to the Internet and then enforces it by either allowing or denying access.
A software firewall is an essential part of your protection, particularly if your Internet access is through a broadband connection (which includes virtually everyone these days).
As programs are both sending information and receiving information or installing software, be sure your software firewall is effective and that it protects you from outgoing as well as incoming attacks.
You can purchase several firewall software packages in retail stores and download and purchase others on-line but the effectiveness of these products varies.
Gibson Research Corporation's evaluations are quite dated, but will provide you with a better understanding of the many variables that must be considered in designing a good firewall.
I strongly recommend ZoneAlarm Extreme Security NextGen for complete security protection while protecting your privacy. A free version is available for personal use.
Windows users should not depend upon the Internet Connection Firewall that comes with Windows since it offers limited outbound protection.
Microsoft's detection of malware and spyware has improved but most third-party security solutions provide better protection.
Mac OS X's firewall, like its Windows counterpart, provides only inbound protection. There is no outbound protection and provides no additional protection if you're behind a router.
You should know how to configure the software properly to avoid a security breach.
Firewalls with ready-made lists of "acceptable" programs probably aren't the safest way to configure a firewall for security — at least not unless you are able to easily change those settings.
While firewalls preset to allow the most common programs are an attractive feature, the most popular products are often not the safest to use.
If you've spent any time on this site, it will be clear to you that commonly used Microsoft products are some of the worst choices when it comes to security.
You should have the ability to determine for yourself if a program needs access. Disabling access for lesser-known (but more secure) products does no service to the user and may have more to do with the lack of research by the vendor than actual safety issues.
I strongly recommend a current version of ZoneAlarm Extreme Security.
Whatever firewall solution you choose, you need to continue to check for breaches of your security.
Hackers are always testing for ways around any solution that is available to the consumer.
The following sites and software will enable you to check your current status and verify the integrity of your firewall.
On this site:
Return to top
RussHarvey.bc.ca/resources/firewalls.html
Updated: February 19, 2024