Firewalls: Your First Line of Defense
What Does a Firewall Do?
Simply stated, a firewall is a software or hardware product that screens the information coming into and leaving your computer to ensure that there is no unauthorized access to your computer.
Home routers from 10 manufacturers, including Linksys, DLink, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices.
— Ars Technica
Firewalls provide your first line of defense and can help you control what accesses and leaves your computer.
Without a firewall, your computer is operating with an 'open door' policy. Bank account information, passwords, credit card numbers, virtually any sensitive information on your computer becomes available to hackers. Hackers can get in, take what they want, and even leave one of their own 'back doors' in place for ongoing access to your computer whenever they like.
Two Types of Firewalls
There are two basic types of computer firewalls:
- Routers are a hardware firewall that provides the first line of defense.
- Software firewalls are a security program on your computer.
Both monitor and control access to the Internet and to your network (if you have one) for programs and components on your computer.
Firewalls are Evolving
The nature of threats has evolved and so must the technology used to protect your network.
Next-Generation Firewalls (NGFWs) are designed to protect you from the sorts of threats that a static solution cannot protect against.
While traditional firewalls tend to provide stateful inspection of outgoing and incoming network traffic, an NGFW provides additional features such as integrated intrusion prevention, application awareness and control, and cloud-delivered threat intelligence.
This type of firewall also comes with the ability to address evolving security threats, which means, it is not as static as traditional methods.
— The Windows Club
You NEED a Firewall
If you are continually connected to the Internet you cannot afford to be without a firewall.
This includes those using ADSL or a cable modem or connecting through a network. But be sure that your firewall is actually protecting you.
We're More Connected Than Ever
Most software today wants to "call home" using the Internet for various reasons:
- Many help files are no longer located on your computer.
- Many hardware devices install news or update programs along with the drivers necessary to make them work.
- Media programs such as iTunes or Windows Media Player want to offer live media feeds, to retrieve album art and more. Beware of using obsolete (unsupported) programs.
Can You Trust What is Being Sent?
Can you trust the information they are sending? Perhaps not.
A decent software firewall, when configured properly, allows you to control what software and components have access while your hardware firewall (router) can help protect you from inbound threats.
Routers: Your Hardware Firewall
A router serves as a hardware firewall and provides the first line of protection by hiding your computer(s) and devices (smartphones, tablets, virtual assistants, etc.) from those trying to gain unauthorized access. A router provides secure shared access to high-speed Internet services for all your connected devices and allows you to share information across the network if you wish.
There are other hardware firewalls, but they are beyond the scope of this page (and seldom used by home or small business users).
Buying a Router
Most units sold today have four wired outputs and can support up to 253 additional computers via the wireless connection. More expensive routers can provide more options like blocking or allowing certain sites or turning the access to the Internet off when you're not usually home.
Secure Your Wireless Router
Because wireless routers are available to anyone within range, you need to take special precautions:
- Standard (non-wireless) routers provide connections only to computers physically connected to the router via a network cable. These are relatively rare today.
- Wireless routers provide connections both via network cable and via wireless (radio) connections.
Wireless routers should be secured using encryption. What is available to you depends upon both the age of the router and the computers that connect to that router.
The most commonly used encryption protocols are WPA and WPA2.
Avoid Obsolete Security Protocols
WEP is now obsolete and provides poor security so it should not be used even if it is available.
If you are using a new router but have an old laptop you will be unable to use the most recent (and most secure) methods of encryption unless you purchase a suitable external wireless device or upgrade your computer. Disable wireless connections or dispose of devices capable of only WEP encryption.
Replace Obsolete Routers
Protocols change over time, but vulnerabilities become known to hackers and governments wishing to view your Internet traffic or redirect you to less safe versions of websites.
VPNFilter is a sophisticated piece of malware that infects mostly older home and small-office routers made by Linksys, MikroTik, Netgear, QNAP and TP-Link, and it's a harbinger of the sorts of pervasive threats — from nation-states, criminals and hackers — that we should expect in coming years.
— Bruce Schneier
On May 25, 2018 the FBI asked everyone to reboot their routers because of VPNFilter, a very sophisticated malware that infected mostly older home and office routers. Rebooting is not a permanent solution even though the FBI now controls the server VPNFilter reported to.
This doesn't entirely neutralize the malware, though. It will stay on the infected routers through reboot, and the underlying vulnerabilities remain, making the routers susceptible to reinfection with a variant controlled by a different server.
— Washington Post
The recommendation is to replace your router if it is more than a few years old, especially if it is listed here.
Turn Off WPS
WiFi Protected Setup (WPS) is a push button technology that makes connections very easy, but there is a flaw that makes it vulnerable. The flaw explained.
My recommendation is to disable WPS using the router's browser-based configuration tools. I've experienced difficulties following this procedure when trying to connect wireless printers and accessories (usually a manufacturer's flawed assumption that “easy” is better than secure).
Here are the settings on a D-Link router. Your configuration may differ.
This varies by router, but these are the basic steps:
- Log into your router using the network address (usually something like http://192.168.0.1/) with the user name and password.
- Navigate to the WiFi Protected Setup (probably under Advanced settings).
- Ensure that WPS Enable is unchecked (or otherwise disabled).
- Save the settings then log out of the router settings.
Why Are Router Setup IPs Insecure?
During the above setup, Firefox indicated a potential security risk because this D-Link router doesn't support the HTTPS protocol.
The Netgear AC750 instructs you to log into http://www.routerlogin.net (it wouldn't load the HTTPS page) while setting up your login credentials. Not only are you providing your login details to the router's manufacturer, but you are also vulnerable on the web while you do so.
What I did was to set up dummy login credentials, then use http://192.168.0.1/ (which wasn't included in the quickstart guide) to log in and change the login username and password to something more secure.
Change the Router's Password Defaults
You should NEVER use the default settings for your wireless router as these standards are well known and easily searched out on the Internet.
- First, change the user name and password used to log into the configuration screen to secure your router.
- Next, change the SSID to something meaningful to you that won't identify the router's make or its location.
- Be sure to select the most secure protocol (WPA or WPA2) using a strong password.
- If older devices are unable to use WPA or WPA2 protocols, replace them. Downgrading your security can make your entire network vulnerable.
There is more detailed information about wireless security on Wikipedia.
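One way to confirm from a Linux laptop that the WPS switch-off and the changes listed above took effect, as an added example that is not part of the original page: it reads the output of `iw dev <iface> scan` and reports only on SSIDs you name as your own. The sample scan, the vendor hint list and the function names are constructed for illustration, and treating a Privacy flag with no WPA/RSN element as WEP is an inference.

```python
import re

# Constructed sample shaped like `iw dev <iface> scan` output; all values invented.
SAMPLE_SCAN = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tSSID: dlink-4F2A
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tRSN:\t * Version: 1
\tWPS:\t * Version: 1.0
BSS 02:00:00:aa:bb:02(on wlan0)
\tSSID: OldLaptopNet
\tcapability: ESS Privacy (0x0011)
BSS 02:00:00:aa:bb:03(on wlan0)
\tSSID: BlueHeron
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tRSN:\t * Version: 1
"""
# Assumed, incomplete list of strings that give away a router's make.
VENDOR_HINTS = ("linksys", "dlink", "d-link", "netgear", "belkin", "tp-link")

def parse_scan(text):
    """Return one dict per access point: SSID, privacy bit, WPA/RSN and WPS elements."""
    nets = []
    for block in re.split(r"^BSS ", text, flags=re.M)[1:]:
        ssid = re.search(r"^\s*SSID: (.*)$", block, re.M)
        nets.append({
            "ssid": ssid.group(1).strip() if ssid else "",
            "privacy": bool(re.search(r"^\s*capability:.*\bPrivacy\b", block, re.M)),
            "wpa": bool(re.search(r"^\s*(RSN|WPA):", block, re.M)),
            "wps": bool(re.search(r"^\s*WPS:", block, re.M)),
        })
    return nets

def audit_scan(text, my_ssids):
    """Map each of your own SSIDs to a list of findings (empty list = nothing flagged)."""
    report = {}
    mine = [n for n in parse_scan(text) if n["ssid"] in my_ssids]  # only networks you administer
    for net in mine:
        found = []
        if not net["privacy"]:
            found.append("open: no encryption")
        elif not net["wpa"]:
            found.append("WEP: obsolete")  # Privacy bit with no WPA/RSN element
        if net["wps"]:
            found.append("WPS enabled")
        if any(hint in net["ssid"].lower() for hint in VENDOR_HINTS):
            found.append("SSID reveals make")
        report[net["ssid"]] = found
    return report
```

Running `audit_scan` again after each change to the router shows whether the setting was really saved, which the configuration page alone does not prove.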
Router Recommended with Shaw or Telus Provided Router/Modems
I used to recommend using a router in addition to the units provided by Shaw or Telus, but this is trickier today and the units provided by both Shaw and Telus have improved significantly.
Cable Access Blocked?
Cable companies (such as Shaw and Rogers) can block your computer's access to their services like email and other customer-only services once your computer is behind a router. This practice has become less common because of the proliferation of smartphones and tablets used by cable company customers.
- Shaw customers should use Shaw's documented Mail Server Names, which can differ if you're using IMAP or POP/SMTP.
- Customers of other cable companies should check with their ISP for details.
Using a Third-party Router with Telus
Some recent equipment provided by Telus has made it more difficult to use your own router, especially if you subscribe to Telus TV. Fortunately, the quality of Telus' routers has improved.
If you need to run your own router, these instructions may help.
- Log into the Telus router and navigate to the Advanced Wireless Configuration settings using a network cable.
- Look for the option to bridge the connection then save the settings.
- Connect your router to the Telus router's Port 1 (NOT the WAN port).
- Now turn off and restart both your Telus and other router.
- Connect your computer to the third-party router. You may need to restart your computer or refresh your network settings.
Bridging sends the raw IP addresses coming in directly to your DHCP-enabled router rather than allowing the Telus router to manage traffic. You'll probably need to reboot your router (and possibly your computer) to see the new network.
The following may help with this process:
- Bridge Mode - Using Your Own Router on the Telus forum.
- How to hook up my existing Wireless N router with a Telus modem may help but didn't match the configuration of my current Telus router.
These are some of the common manufacturers of routers:
The reliability of these routers varies and you should do some research before purchasing a new router and should replace anything over a few years old.
For example, there are security vulnerabilities in D-Link products that contributed significantly to botnet attacks:
I think the FTC was feeling the heat from the botnet attacks, of which we believe there were a lot of D-Link devices included. And let me be clear, D-Link is absolutely at fault for a lot of this. Some of the most basic vulnerabilities have existed in their products for over 10 years that they haven't patched. And that's a pretty — yeah, that's bad. But as you mentioned, it's not illegal to make a bad product.
— Security Now! Transcript of Episode #630.
Other brands can suffer similar issues and some models of the same brand may be more reliable than others.
Update Your Firmware
If you are having trouble with a router, check the manufacturer's site for firmware updates specific to your router (check for FAQs, firmware and other information under Support).
Be sure that you are selecting the right version of the firmware as similarly-named models vary between countries as well as versions. An improperly updated device may cease to work.
Unfortunately few manufacturers are willing to update the firmware on older products to repair known issues. They'd rather sell you a new unit and have you send your old one to the landfill.
D-Link Router Security Issue
A security vulnerability was reported for several routers including some of D-Link's product line where there is a secret code that bypasses the router's security. Not all D-Link routers are affected and updating the firmware can be somewhat tricky so you might want to review the videos on D-Link's site for the warnings and help.
- Story: D-Link Routers Vulnerable to 'Backdoor' Exploit.
- D-Link (UK) list of affected router models.
- I was unable to locate this information on the Canadian D-Link site but care should be taken to download updates only on the Canadian site for your model if it is affected.
- My clients may wish to contact me if they are concerned. Others should contact their own support or hire me.
These resources can help to explain some of these issues in greater detail:
- What is a personal firewall?
- Hardware router backgrounder.
- A guide to router hardware terminology.
- Firewall Router Reviews compares several brands and models.
- FAQ: Firewall forensics (What am I seeing?) helps to explain firewall terms and what your logs are telling you.
Back Up Your Router with a Software Firewall
Software firewalls and routers are each more adept at different, but complementary, tasks.
You need a software firewall since routers are designed to protect you from intrusions, not the malware or viruses already present on your computer.
What Firewall Programs Do
A firewall program verifies whether software programs and components are allowed access to the Internet and then enforces it by either allowing or denying access.
A software firewall is an essential part of your protection, particularly if your Internet access is through a broadband connection (which includes virtually everyone these days).
As programs are both sending information and receiving information or installing software, be sure your software firewall is effective and that it protects you from outgoing as well as incoming attacks.
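To see which programs are actually calling home, the added example below (not from the original page) reads Linux `ss -tnp` output and lists Internet connections that fall outside a policy you wrote yourself. The sample output, the program names and the APPROVED policy are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample shaped like Linux `ss -tnp` output; all values invented.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
ESTAB 0      0      192.168.0.23:51432  203.0.113.10:443  users:(("firefox",pid=2211,fd=97))
ESTAB 0      0      192.168.0.23:40022  198.51.100.7:80   users:(("printer-news",pid=911,fd=5))
ESTAB 0      0      192.168.0.23:38110  192.168.0.1:80    users:(("firefox",pid=2211,fd=101))
ESTAB 0      0      192.168.0.23:49900  203.0.113.55:8080 users:(("firefox",pid=2211,fd=102))
"""
# Assumed policy for the example: program name -> remote ports you have approved.
APPROVED = {"firefox": {443}}
# Home-network and loopback ranges; traffic to these never leaves the router.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def outbound(text):
    """Yield (program, remote_ip, remote_port) for established Internet connections."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "ESTAB":
            continue  # header line or a socket that is not connected
        host, port = cols[4].rsplit(":", 1)
        addr = ipaddress.ip_address(host.strip("[]"))  # brackets appear on IPv6 peers
        if any(addr in net for net in LOCAL_NETS):
            continue  # router admin page, printers and other LAN traffic
        # The process column is missing when ss runs without enough privileges.
        owner = re.search(r'\(\("([^"]+)"', cols[5]) if len(cols) > 5 else None
        yield (owner.group(1) if owner else "unknown", str(addr), int(port))

def unapproved(text, approved):
    """Connections whose program or remote port is not in the approved policy."""
    return sorted(c for c in outbound(text) if c[2] not in approved.get(c[0], set()))
```

Anything `unapproved` returns is a program you have not yet decided about, which is the decision a software firewall's outbound prompt asks you to make.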
Many Choices — Not All Effective
You can purchase several firewall software packages in retail stores and download and purchase others on-line but the effectiveness of these products varies.
Firewall Quality Varies
Gibson Research Corporation's evaluations are quite dated, but will provide you with a better understanding of the many variables that must be considered in designing a good firewall.
ZoneAlarm Extreme Security Recommended
I strongly recommend ZoneAlarm Extreme Security for complete security protection while protecting your privacy. Free versions are available for personal use. Learn more on my ZoneAlarm Security page.
Windows Firewall Inadequate
Windows users should not depend upon the Internet Connection Firewall that comes with Windows since it offers limited outbound protection.
Microsoft's detection of malware and spyware has improved but most third-party security solutions provide better protection.
Mac OS X's firewall, like its Windows counterpart, provides only inbound protection. There is no outbound protection, and it provides no additional protection if you're behind a router.
Connection Problems May Be Firewall Issues
Programs that are unable to access the Internet may be having difficulty with your firewall.
- Firewalls can stop programs from accessing the Internet. Sometimes you may not know that a firewall is running or it may be misconfigured.
- You're better off running a firewall integrated with your security software to avoid conflicts or holes in your protection.
- Running more than one firewall (except perhaps the Windows firewall) can create conflicts that can allow malicious software to get past your security because the actions of security software often look malicious to another security program.
Avoiding Security Breaches
You should know how to configure the software properly to avoid a security breach.
- Ensure that your firewall is not circumvented by someone with physical access to your computer.
- Don't automatically give permission to any program requesting access — most setup programs only need access once.
- Personal Internet Firewalls that really work! explains some of the issues.
"Easy" Solutions Have Drawbacks
Firewalls with ready-made lists of "acceptable" programs probably aren't the safest way to configure a firewall for security — at least not unless you are able to easily change those settings.
Popular Programs Often Poorest Choices
While firewalls preset to allow the most common programs are an attractive feature, the most popular products are often not the safest to use.
If you've spent any time on this site, it will be clear to you that commonly used Microsoft products are some of the worst choices when it comes to security.
Can You Determine Program Access?
You should have the ability to determine for yourself if a program needs access. Disabling access for lesser-known (but more secure) products does no service to the user and may have more to do with the lack of research by the vendor than actual safety issues.