It wasn't that many years ago that people rarely locked the doors to their homes. There wasn't a need. If you lived in rural parts and weren't home, often the milkman would walk right into your home and put it in the fridge.
Now, however, every door, window, or access point to your house is locked tight. And in some areas, people put bars on the windows to make it more difficult for would-be criminals to gain access to their home. And where milk is still being delivered ... well, it's most likely left on your doorstep instead of staying cold in the fridge.
The same is true with the Internet. Not long ago, if your computer had access to the Internet, you roamed around freely without peeking around each corner first. At the time, dedicated Internet access was expensive, and only the major educational and government institutions could afford it. Still fewer people even knew what the Internet was, never mind the need for a secure system.
Today's world of inexpensive high-speed access via cable modems or various incarnations of DSL technology has changed the landscape. Almost everyone knows about or uses the Internet on a daily basis. In today's world, malicious crackers attempt to break into systems to destroy data, steal information, or plant various computer viruses. While not every computer hacker is a cyber criminal, the threat is very real, and everything you do to discourage access to your computer or make it difficult to gain access to your computer goes a long way toward keeping your data safe.
Inexpensive high-speed Internet access has allowed the average home computer user to set up a small dedicated Internet server to share files with friends, send e-mail, and more. However, computer security is an afterthought. Many people think they don't need to worry about their system being compromised. "I have nothing of value," they rationalize. That is the worst thing anyone can possibly say.
Admittedly, I myself took a passive role in securing my system, shrugging off the idea that anyone would want to gain access to my system. However, after several discussions about Internet security and firewalls on our Linux Users Group mail list, I decided to research things further and set up my own firewall in the process for the experience.
Securing your home computer or home network requires that you understand a little about your setup. Important considerations include the kind of network connection you have (cable, DSL, or dedicated T1-T3), the approximate amount of network traffic that goes through your system, any extra hardware that can be used as a dedicated firewall, and operating system choice. Knowing this information greatly helps you make informed decisions later on. For the sake of argument and a point of reference, consider the following hardware setup:
The most common method of securing a home network is to use a firewall. A firewall is a computer, hub, or router configured specifically to stop unwanted outside traffic from accessing your internal network. For example, you don't want people to gain access to your computer, but you do want people to view pages on a web server. Think of a firewall as the first line of defense against outside attacks. And that's exactly what it is, no more, no less. You give yourself a false sense of security by stopping at the firewall level. In fact there is much more to be done, but a properly configured firewall goes a long way toward stopping cyber criminals. For the purposes of this article, we concentrate on the firewall. Future articles will cover other security issues.
Figure 1: A typical firewall setup.
A firewall computer includes at least two Ethernet cards. One card is connected to the cable modem; the other is connected to the hub for your internal network. (See Figure 1). The firewall then acts as a single point of access. However, to make things harder for a would-be attacker, the internal network is generally configured to use non-routable IP addresses. One range of non-routable IP addresses exists for each IP class:
Class A 10.0.0.0 to 10.255.255.255 Class B 172.16.0.0 to 172.31.255.255 Class C 192.168.0.0 to 192.168.255.255
Which address range you choose is completely arbitrary. Larger networks will use the Class A address range, and smaller networks often use Class C. These address ranges are only available on the local network. For example, my Linux systems can talk to each other and transfer files across my LAN. But I cannot access the same IP range on someone else's network. Similarly, someone trying to access my network is prevented from doing so. (Actually, that is a bit of a misnomer. If the attacker gets through your firewall, she/he can then access your internal network because your firewall "knows" about the computers on your LAN. The point is that crackers cannot just try to access your internal IP address range directly from their system).
So how does a computer with a non-routable IP address access the Internet? Remember that the firewall has one interface with access to the Internet and uses an IP address obtained from the ISP. The firewall uses IP masquerading to make the outside world think that traffic from your internal network is coming from the firewall's IP address. A series of IP masquerading kernel modules are loaded on the firewall to take care of this process and any special protocols (such as RealAudio) for you.
localhost# lsmod Module Pages Used by ip_masq_user 2408 0 (unused) ip_masq_raudio 2800 0 (unused) ip_masq_portfw 2320 11 ip_masq_mfw 3008 0 (unused) ip_masq_FTP 2384 0 ip_masq_autofw 2304 0 (unused)
There's a ton of information on firewalls available on the Internet and in your local bookstore. (See resources sidebar for more information.) Read as much information as you can, keeping in mind your requirements. Robert Ziegler's excellent book Linux Firewalls goes into great detail about the different kinds of firewalls as well as where they can best be used.
Know Your Enemy (four part series)
Maximum Linux Security (SAMS) ISBN: 0-672-31670-6
Linux Firewalls (New Riders) ISBN: 0-7357-0900-9
Practical Unix and Internet Security (O'Reilly) ISBN: 1565921488
Linux System Security (Prentice Hall) ISBN: 0130158070
Additionally, Mr. Ziegler maintains the Linux Firewall and Security Site, which contains many links to other sources of security information, including the Firewall HowTo document, information on types of network attacks, other books and resources on firewalls and network security, and much more. I have corresponded with Mr. Ziegler over e-mail and found him to be responsive, helpful, and funny.
After looking at many web pages, reading many books, and discussing issues with my fellow Linux User Group members, I finally picked a firewall solution for my setup.
Edge FirePlug is a very well-designed firewall solution from FirePlug Computers, Inc. in Vancouver, BC. One of the reasons I chose Edge FirePlug (just called Edge) is that it's designed specifically for use on cable modem and DSL connections. Another reason I chose Edge is that it is very easy to set up and customize to the needs of my network.
Edge is a thinlinux client, which means it contains the absolute bare minimum required to run Linux in a concise package. Edge comes in three flavors: floppy version, hard-drive version, dial-on-demand. The floppy version allows you to have a complete firewall boot-up off a floppy drive, but with limited extra functionality (no editors for example) due to space restrictions, whereas the hard-drive version is the same thing but includes the extra goodies. The dial-on-demand is the same as the floppy install but is set up for ISDN or other dial-up connections.
The floppy version offers some additional functionality that is very important to consider.
Due to the minimalist approach taken by Edge (and some other firewall solutions), you do not need a computer with a lot of horsepower to run a full Linux distribution. That old 486/66 you have lying around does nicely. If you don't have an old 486 yourself, shop around at the secondhand stores, ask your friends, or pester your local hardware geek. The important thing is that the firewall computer should be dedicated to operating as a firewall. Do not run any other services on this computer at all. Edge comes pre-setup to forward the common services to a dedicated server inside your network. Which computer gets which service is completely customizable.
My firewall is a 486 DX4 100 with 32 MB RAM and two 3Com 3C509 ISA Ethernet cards, using the floppy version of Edge. Despite the low horsepower of the firewall, network slowdown is virtually nonexistent. Web surfing, FTP downloads, and even network games such as Quake 3 all work at the same speed.
The Edge web site contains detailed instructions for installing their software. I'll summarize here. You download Edge as a series of ZIP files (or one ZIP if you use the hard-drive version). The archives contain disk images for initial boot, network drivers, and other tools. One archive (called cable.zip) contains the actual disk contents for the final boot disk. You create disks for the supplied disk image files. You unzip cable.zip and change the configuration files in the config directory to match what you want to do on your network.
For example, Edge comes pre-setup to route all main Internet services to a single server with an IP of 192.168.1.1. You can change the configuration so that some services go to one server (HTTP for example) and other services (such as FTP) go to a completely different server. Once your configuration has been set up to your liking, you create a new 1.72MB floppy for the new boot disk. You must use Windows 95 or 98 for this task as Windows NT does not recognize this floppy size. As I only have Windows NT, I used a Windows 98 boot disk and then copied the files over in DOS, after which I had to rename a couple files within the firewall as the file names got mangled in the DOS mode.
Once your configuration is complete, boot the firewall with the first boot disk and configure your Ethernet drivers. Edge provides a few scripts to automate this process and save the setup back to the new firewall boot disk. It's a good idea to make a backup copy of this disk if you use the floppy version in case you encounter bad media. Boot up your firewall and test it out. That's all there is to it.
If you have a monitor attached to your system, you can use CTRL-ALT-F5 through F10 to view the logs of your system. If, like me, you do not have a monitor attached, the log files are kept in /var/log, as shown in Figure 2. The logs are archived nightly to keep the memory use to a minimum. You should archive these log files to a floppy disk for later analysis.
Figure 2: Log files are kept in /var/log. (click on image for full-size view)
Once the firewall was set up and running, I left it alone for a week and then checked the logs. The sheer number of portscans and other attack attempts on my system left my jaw on the floor. Most of the attacks came from other cable modem users on the same system and seemed targeted at Windows users (scanning for open file shares) or trying to exploit specific ports (HTTP and DNS ports were the most common). I also received attacks from as far away as Germany and Australia.
What can you do? Well, the attacking computer's IP address is contained in the logs as well as what port they were trying to access and at what time. (See Figure 3.) Gather this information up and send it to their ISP, demanding that action be taken. Alternatively you can ignore it, refreshed by the fact they didn't get anything. However, that is a dangerous stance as someone might just cause damage to your system in the future.
Figure 3: Short log of attacks (click on image for full-size view).
As mentioned previously, security is not passive, it's active. You need to stay on top of new security exploits all the time. Join the firewall listserver, and watch for new versions of the software, which often contain bug fixes and security fixes. Watch your logs and see if anyone has managed to gain access to your system. Report attackers to their ISP and the firewall developers so the hole can be closed as soon as possible.
Again, a firewall is a first-line-of-defense system. Don't lull yourself to complacency just because your firewall is "working" as expected. Now that your defense lines are set up, you can go about taking other measures to ensure that your network remains secure.
Carl Constantine works for Open Source Solutions, Inc. (www.os-s.com) as a Linux Trainer and Programmer.
Shining Light Into the Realtime Blackhole List
Sound Out on the RBL
Cell Phone Viruses: The New Frontier
Discuss this article in the O'Reilly Linux Forum.
Return to the O'Reilly Network Hub.
Copyright © 2009 O'Reilly Media, Inc.