Securing Your WHS & Network Part 8

Home Server Land


Internet Threats and the Network Router

This is Part 8 of the Securing Your WHS & Network series.  In this part we address the threats and vulnerabilities that can be expected by being connected to the Internet.  We explain the role of the router, its capabilities, and its limitations.  We look at several methods that can be used to protect the network by comparing cost, level of protection, and ease of use.

We all recognize that having access to the Internet has become a necessity in today's communication environment.  In Part 3 we identified the different types of Internet service providers or ISPs and how they deliver Internet content.  We identified that a network device called a router is what connects the local network to the Internet.

The Network Router's Role

The network router plays two roles. One is to connect the local network to the Internet.  The other is to act as the first line of defense against unauthorized intrusion into the network.

Part 5 documented how to configure the router to connect to the Internet.  This connection is called the WAN or wide area network.  The most beneficial function of the router is how it is able to allow each computer on the local network to connect to the Internet.  The router takes care of all the details to allow each computer on the network to connect to another computer anywhere in the world. 

Think of the router as the telephone operator who asks you to whom you want to speak and dials the number for you. The router does the same job.  When "www.microsoft.com" is typed in a browser, the router places a request to the Internet "phone book", called domain name system or DNS, and "places a call" to a numerical address of "207.46.197.32" or the IP (Internet protocol) address of Microsoft.  The router continues to act as an intermediary between your computer, your network, and the website you are browsing.

The router not only connects the network to the Internet, it is the first line of defense to protect the network from unauthorized intrusion.  The router handles requests from computers outside the network that want to connect to computers on your network.  Just like the telephone, we do not want to accept a call from everyone.  This is why caller-id and answering machines are handy tools.  They allow us to screen the caller before we talk to them.  The router performs the same function to screen requests for information from other computers.

When a new router is installed by the ISP, the router is programmed to reject any request for information from computers outside your network.  Does this mean you are safe?  Certainly not! There are ways hackers can attack your computer if you connect to their site with an Internet browser.  Even though the router does not accept outside requests, it allows the computers inside your network to communicate with computers outside the network.  So for each request that your computer initiates the router permits the information to return.  Below is a depiction of how a router blocks requests that originate from the Internet while permitting browser traffic to be sent and received.

There are many ways hackers can use this returning information to gain access to your computer or files.  In Part 7 we explained how an email message or a visit to a website can insert a malicious program that takes advantage of vulnerabilities in the computer's operating system.  This may result in unauthorized disclosure of private information, cause the computer to run slowly, or damage data stored on the hard drive.

Understanding Stateful Packet Inspection

Stateful packet inspection or SPI is a technique that should be performed by the router to ensure that all the data being sent to your computer has originated from the source from which you requested information. Data exchanged between computers is divided into small chunks called packets, and each packet carries information about its sender and receiver.

Think of SPI as a letter.  Let's say an envelope can hold a letter that weighs no more than 1 oz.   The envelope has the address of who is to receive the letter, the address of the sender, and a stamp.  If we want to send a letter that weighs 2 oz, we would address two envelopes and divide the letter into pieces that do not exceed 1 oz.  The two envelopes are placed in the mail box and a postal employee collects, sorts, and delivers each envelope. 

During the delivery, the post office ensures, by examining the envelope, that the letter has not been altered.  The two envelopes may get separated from each other but eventually both get delivered to the appropriate address.  If the envelope shows evidence of damage, the post office affixes a note indicating that damage has occurred.   In this example, SPI occurs when the two letters are delivered to the addressee and the envelopes are inspected to ensure that the mailing and return addresses match, the envelopes look similar, and there is no evidence that the envelopes have been damaged. 

The router uses SPI to identify damaged or altered packets.  These packets are rejected and the router requests that the packet be resent.  If a hacker attempts to insert a malicious program within a packet, the router detects that an alteration has been made, rejects the packet, and requests that the reply packet be resent.  The router should track how many times a packet has been denied and, if that count becomes excessive, stop requesting it.  An excessive stream of altered packets is called a denial of service: the traffic generated by the reject-and-resend cycle can exceed both the upload and download speed of your Internet service.

General Internet Threats

Today's homes and small businesses have evolved into technology areas that were once the domain of large corporations.  Small businesses want to publish a website, host their own email system, and provide on-line commerce to their customers.  Home users want to be able to share photos and home movies with friends and family.  Many users want to access files on their computer via the Internet when they are away from the home or office.  Offering these services places network security at the highest level of concern.  We now need the ability to control what information we want to share and with whom to share it.

When a home or small business decides that they want to allow access from the Internet they must establish a boundary between sensitive and non-sensitive information and have a way to verify the identity of a user that has a need to access sensitive information. 

Demilitarized Zone

The industry standard is to dedicate a computer to host services that are available to the general public.  In addition, anything on that computer must be non-sensitive public information, and both the computer and the information are considered expendable.  This environment is known as a DMZ or dead man's zone or demilitarized zone.  Computers used to host a public web site, email, or other services are put in the DMZ.

The private network address for the DMZ should be different than the one used for the main network.  For example, if the private network address is 192.168.145.xxx, then the private network address for the DMZ should be any other number than 145.  It is important that switches and routers do not define a route between the two private networks.  Having a route defined defeats the purpose for putting the computer in the DMZ because a hacker could navigate their way to any computer on the network. 

Below is an example of a web server that is placed in a DMZ.   The private network address range is 192.168.145.xxx and the DMZ private address range is 192.168.150.xxx.

Perimeter Network Firewall Router

The use, cost, and maintenance of a DMZ are usually beyond the resources of home and small business networks.  An alternate method to protect the network is by the use of network perimeter routers and firewalls.

The capabilities and limitations of the router must be examined.  Since it is the first line of defense, it establishes a security perimeter between the private network and the Internet.  The objective is to make sure that data packets cannot be used for unauthorized intrusion into the network.  The router is asked to gather enough information to identify each incoming request and to make sure that the request and the data exchanged relate to each other.

As explained earlier, the router must be capable of providing at least SPI.  Routers that support SPI are called firewall routers.  These types of routers track and maintain information for each active Internet session.  They are able to examine the packet to ensure it has not been altered. 
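The following is an added worked example, not code from this article or from any router vendor: a toy stateful packet inspection router in Python that models the behaviour described in the SPI section above together with the DMZ layout from the previous section (192.168.145.x private network, 192.168.150.x DMZ, no route between them). The 5-tuple state table, the DMZ web server address 192.168.150.5 and the outside host 198.51.100.7 are constructed for the illustration; a real SPI implementation also tracks TCP sequence numbers and session timeouts, which are left out here.

```python
"""Toy stateful packet inspection (SPI) router with a separate DMZ segment.
Constructed example, not code from Home Server Land or any router vendor. Addresses
follow the article: LAN 192.168.145.0/24, DMZ 192.168.150.0/24, 207.46.197.32 as the
external web server; 198.51.100.7 is a made-up outside host."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.145.0/24")
DMZ = ip_network("192.168.150.0/24")
DMZ_PUBLIC_SERVICES = {("tcp", "192.168.150.5", 80)}  # the published DMZ web server

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def zone(ip):
    addr = ip_address(ip)
    return "lan" if addr in LAN else "dmz" if addr in DMZ else "wan"

class SpiRouter:
    def __init__(self):
        # Sessions opened from inside: (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.state = set()

    def filter(self, pkt):
        """Return 'allow' or 'drop' for one packet and update the state table."""
        src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)

        # No route between the private network and the DMZ in either direction:
        # a compromised DMZ host must not be able to reach the LAN.
        if {src_zone, dst_zone} == {"lan", "dmz"}:
            return "drop"

        if src_zone == "lan" and dst_zone == "wan":
            # Outbound request: remember the session so its reply can come back.
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"

        if src_zone == "wan":
            # A reply is accepted only if it matches the reversed 5-tuple of a
            # session an inside host opened; source address and port must both match.
            if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
                return "allow"
            # Unsolicited inbound traffic is accepted only for published DMZ services.
            if (pkt.proto, pkt.dst, pkt.dport) in DMZ_PUBLIC_SERVICES:
                return "allow"
            return "drop"

        if src_zone == "dmz" and dst_zone == "wan":
            return "allow"  # the DMZ server answering its Internet clients
        return "drop"       # anything else is not forwarded

def demo():
    """Walk the scenarios from the article; returns the verdict for each packet."""
    r = SpiRouter()
    return [
        r.filter(Packet("tcp", "192.168.145.10", 51000, "207.46.197.32", 80)),   # browser request
        r.filter(Packet("tcp", "207.46.197.32", 80, "192.168.145.10", 51000)),   # its reply
        r.filter(Packet("tcp", "198.51.100.7", 4444, "192.168.145.10", 445)),    # unsolicited inbound
        r.filter(Packet("tcp", "198.51.100.7", 4444, "192.168.145.10", 51000)),  # wrong source, same port
        r.filter(Packet("tcp", "198.51.100.7", 40000, "192.168.150.5", 80)),     # public DMZ web server
        r.filter(Packet("tcp", "192.168.150.5", 33000, "192.168.145.20", 445)),  # DMZ host probing the LAN
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running it prints allow, allow, drop, drop, allow, drop: only the reply to the session the LAN host opened gets back in, the public DMZ service is reachable, and the DMZ host cannot reach the private network.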

Understanding Deep Packet Inspection

Hackers have found methods to take advantage of vulnerabilities of SPI.  To keep abreast of current threats and attacks at the SPI level, the router should be capable of providing deep packet inspection or DPI.  Deep packet inspection examines the information that is received by the router to search for viruses, spam, intrusion attempts, or other threat related criteria to determine whether or not to accept the packet.

In other words, DPI is similar to sending a letter by certified mail where the post office ensures that the letter they deliver is the same letter that was sent.   Each time the certified letter is passed through a sorting station, the letter is physically examined to ensure that the contents have not been changed and the sorting station makes a record that the validation has been conducted.  Thus a chain of custody is created from when the letter was dropped off to the post office until its delivery.

Understanding The Open Systems Interconnection Reference Model

The technical difference between SPI and DPI can be explained by the Open Systems Interconnection Reference Model, commonly called the OSI Model.  This model describes how a message gets disassembled into packets, transmitted, received, and reassembled.   The model is based on seven layers that start at the application or user layer, and works its way through the presentation, session, transport, network, data link, and finally the physical layer.  The physical layer is the actual transmission of a packet using specific electrical and physical specifications used by devices such as network cards, analog modems, and wireless access points.  The following displays the seven layers of the OSI Model and how deeply the packet is inspected.

Stateful packet inspection stops inspecting for malicious programs at the network layer.  The network layer is responsible for the routing of the packet.  The Internet protocol or IP is the most common example of the network layer.  The layer manages the packet as it is delivered.  It is analogous to the routing of a letter within the post office.

Deep packet inspection stops at the data link layer.  The data link layer is how the packet is transferred between routing points.  It can detect and correct errors that can occur at the physical layer.  This layer can be compared to how a certified letter is routed within the post office.  The letter is physically accounted for prior to routing to the next sorting point or final delivery.

Having the ability to provide DPI is beyond the scope of the majority of routers commonly used today.  This means that most routers can allow some traffic designed to attack computers to enter the network. 

As a method of accounting for this limitation and to protect the computer, Internet security suites are commonly used.  These suites contain virus, spyware, and spam detection and include a firewall software program.  The Internet security suite prevents malicious programs from being installed on the computer.  However, the router can permit malicious programs to enter the network where they can exploit computers that are not properly configured or protected.

There are routers that are capable of performing DPI and they examine all network traffic from the Internet for viruses and spyware.  Using a router with these capabilities makes certain that malicious programs are not permitted to enter the network.  Since the router performs virus and spyware detection, Internet security suites are redundant, resource intensive, and are not necessary.  All that is needed to protect the computer is to install a free version of anti-virus programs and the use of Windows Firewall.  By eliminating the Internet security suite, less computer resources are needed, and the computer's performance can increase.

The Home Server Land team has a considerable amount of experience with computer and network security and has been engaged to provide secure solutions for numerous businesses and homes.  Based on this experience and actually working with numerous routers we have found that the SonicWALL TZ-180 firewall router is easy to configure and provides the maximum level of security for home and small business networks.  We have obtained from popular on-line retailers acquisition and maintenance costs for this router.  These costs are used as a basis for Alternative 2.

Cost Benefit Analysis

The administrator must have a uniform method to compare the capabilities and costs of alternative solutions that are designed to provide the highest level of security for the local network.  The comparison should be based on an implementation period that addresses life cycle costs.

Part 1 addressed the life cycle of computer products.  The life cycle is a combination of how long the product can physically last and how long the manufacturer continues to support the product.  Usually hardware devices such as routers have a six year life span, during which time the manufacturer provides software and firmware updates.  Usually there is a one year life span for Internet security software.  During this year, product maintenance and virus and spyware subscription updates are provided.  At the end of the year, there is a combination of product upgrade and subscription renewal for another year or two, based on the manufacturer's offerings.

Our intention is to perform an analysis of products that can perform deep packet inspection of network traffic to prevent unauthorized intrusion and malicious attacks to all devices that are connected to the local network.  This analysis includes long-term costs and the identification of strengths and weaknesses as they relate to the level of security that is provided.  Our network consists of a router, six Microsoft-based computers and one Windows Home Server.  We compare the cost of obtaining a firewall that is capable of DPI with the cost of purchasing Internet security suite software that includes anti-virus, spyware, and firewall for each computer. 

  • Alternative 1 is based on using the existing SPI router and installing an Internet security suite on the six computers.  Two three-pack suites are purchased in year 1 at a cost of $50 each.  Upgrade and subscription costs are $50 per suite for years 2 through 6.  Total cost for six years of subscription and upgrades totals $600. The anti-virus software for the WHS can cost between $40 and $50 per year, we will use $40 for years 1 through 6, totaling $240.  Total cost for six years of subscription and upgrades is $840.
  • Alternative 2 is based on replacing the SPI router with a firewall router that is capable of DPI.  The cost of this router is approximately $380 and this device has a useful life of six years.    Subscription costs for the router's anti-virus, anti-spyware, and maintenance upgrades would be approximately $61 per year.   A three year subscription would be purchased in year 1 and year 4.  Since the new router performs anti-virus, anti-spyware, and intrusion prevention, the Internet security suite can be replaced by anti-virus software.  The free version of AVG is more than adequate to protect the six computers.  The WHS would not require an anti-virus program, relying on the router to detect and eliminate virus threats.  Total cost for acquisition of the router and six years of subscription and upgrades totals $746.
  • Alternative 3 is based on using a spare computer to run a software firewall.  There are several versions that are free to non-commercial users.  The software firewall programs are very powerful and can be very complex to configure.  The firewall is capable of DPI and performs anti-virus, anti-spyware, and intrusion prevention.  The Internet security suite can be replaced by free anti-virus software and the WHS would not require anti-virus software. Other than the cost to run a computer to run the firewall program, total cost for this alternative is $0.

The following compares the annual and total costs for each alternative.
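As an added illustration (a script written for this page, not a Home Server Land tool), the following Python lays out the per-year and six-year spend of the three alternatives from the article's own figures, with the purchase schedules as parameters so the $94 difference between Alternatives 1 and 2 can be traced year by year.

```python
"""Six-year life-cycle cost of the three alternatives in this article.
Constructed example using the article's figures; not a Home Server Land tool.
Each alternative is returned as a per-year list so the purchase schedule
(e.g. a three-year router subscription bought in year 1 and year 4) is visible."""
YEARS = 6

def alternative_1(suite_price=50, suites=2, whs_av_price=40):
    """Existing SPI router + two 3-pack security suites + WHS anti-virus.
    The suites are bought in year 1 and renewed at the same price in years 2-6."""
    suite_spend = [suites * suite_price] * YEARS
    whs_av_spend = [whs_av_price] * YEARS
    return [s + w for s, w in zip(suite_spend, whs_av_spend)]

def alternative_2(router_price=380, subscription_per_year=61, term=3):
    """DPI firewall router; subscription bought in 3-year blocks; free AV on PCs."""
    spend = [0] * YEARS
    spend[0] += router_price
    for year in range(0, YEARS, term):  # year 1 and year 4 (0-based indexes 0 and 3)
        spend[year] += subscription_per_year * term
    return spend

def alternative_3(spare_computer_available=True, new_computer_cost=300):
    """Free software firewall on a dedicated PC; only hardware may cost money."""
    spend = [0] * YEARS
    if not spare_computer_available:
        spend[0] += new_computer_cost
    return spend

def totals():
    """Six-year total for each alternative, keyed by its name in the article."""
    return {
        "Alternative 1": sum(alternative_1()),
        "Alternative 2": sum(alternative_2()),
        "Alternative 3": sum(alternative_3()),
    }

if __name__ == "__main__":
    print("Year   Alt 1   Alt 2   Alt 3")
    rows = zip(alternative_1(), alternative_2(), alternative_3())
    for year, row in enumerate(rows, start=1):
        print(f"{year:<5}" + "".join(f"  ${cost:>5}" for cost in row))
    for name, total in totals().items():
        print(f"{name}: ${total} over {YEARS} years")
```

Pass spare_computer_available=False to alternative_3 to add the $300 computer the article mentions for Alternative 3.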

When comparing the costs of the three alternatives, Alternative 1 stands out as being the most expensive.  This alternative is the least secure because it is vulnerable to SPI level attacks and the router can allow attacks to enter the local network.   

Purchasing a DPI firewall router provides a significantly greater level of network security than Alternative 1.  The device can catch the majority of threats before they can enter the local network.  This is an important factor if the WHS is to be used to publish web content or allow remote access.  It is possible to improve the performance of the computers on the local network by replacing the resource-hungry Internet security suite with plain anti-virus software.  The maintenance and upgrade cost of the WHS anti-virus and Internet security suites can be avoided, resulting in a $94 savings as compared to Alternative 1.

Installing a software firewall provides the greatest level of security and the cost is much less than the other two alternatives.  It does require a dedicated Pentium D-class computer.  If a spare computer is not available, add $300 for the cost of a new computer.  As in Alternative 2, there is no need for anti-virus software on the WHS nor is an Internet security suite needed on the local network computers.  The software is very robust but can be very challenging to configure, therefore requiring a high level of technical ability.

Perimeter Firewall

Perimeter firewalls can be a software program that is run on a dedicated computer or can be bundled with a router.  There are pros and cons for each method.  Below is an example of how a perimeter firewall blocks traffic before an attack is permitted to enter the local network.

Purchasing a hardware-based firewall router is convenient because one device can be used to interface with the Internet and it addresses the majority of threats before they are permitted to enter the network.  There is less of a need for Internet security suites that duplicate the anti-virus, anti-spyware, and firewall functions of the router.   The free version of AVG Anti-Virus together with Windows Firewall is more than adequate to protect the computer and files.  This reduces the overall bloat that is associated with integrated security products.  However, the service life of most network devices is usually six to seven years.  Within eight years the product is usually discontinued and subscription updates are no longer available.  At this point the firewall router is no longer capable of keeping current with new threats.

Installing a software firewall requires having a computer that is dedicated to performing the routing and firewall security tasks.  This computer must have at least two network interface cards - one to connect to the ISP interface device and one to connect to the internal network. 

The advantages are that the software can be constantly upgraded to stay current with new threats at no cost.  A router is not needed because the software program performs the routing functions.  Therefore, the firewall server can be connected directly to a 1000Mbit/s network switch.

The disadvantages are that a dedicated computer is required to perform the firewall and routing tasks.  The computer must be on all the time, which increases the electrical bill.  The computer's CPU and other components must be fast enough to handle all the network traffic; otherwise it can reduce the overall performance of the Internet connection and network activity.  Finally, one must have a high degree of technical experience to configure the software.

Examples of software firewalls include Astaro Security Gateway V7 and Snort Security Platform or SnortSP 2.8.4.   These programs are capable of deep packet inspection and use perimeter based security for user authorization and virus and spyware scanning.

Home Server Land's Recommendation:

We at Home Server Land make the following recommendations to enhance the security of your computer and your privacy as it applies to general Internet threats.

  • Purchase a firewall router that is capable of performing deep packet inspection (DPI) and anti-virus detection if planning to use the WHS for remote access.  We recommend the SonicWALL TZ-180 firewall router for home and small businesses.  For small businesses that have a greater need for security we recommend the SonicWALL NSA 200 series;
  • Install an anti-virus program on every network computer; and
  • Use the Windows Firewall or equivalent.

This blog identified threats that are associated with general Internet use.  The security plan should be updated to identify threats specific to your network and address methods to resolve each threat.  We have developed the General Internet Threats Risk Assessment to assist with the identification and methods that can reduce threats we identified.  The Threat and Risk Assessment Worksheet can be used to document the threats that have been identified and used as a basis to manage them.  Both documents are attached at the end of this blog.

Summary

This concludes Part 8 of Securing Your WHS & Network.  We identified the risks and vulnerabilities that are associated with the use of the Internet.  The router is the first line of defense to protect the network from attacks by unauthorized people.  Based on our experience, the SonicWALL TZ-180 provides the maximum level of security for most small networks.  The administrator should make sure that all computers have anti-virus software installed and that the virus signatures are up-to-date.  Also, a software firewall like Windows Firewall or its equivalent should be in use on every computer.

In Part 9, we will cover threats related to the use of computers that are available to the general public.  In addition, we will identify threats exposed by hosting a website and the role the network router plays to secure the network.

In the meantime, we invite your discussion in response to this blog.

Attachments


Continue to Part 9 - HTTP and Web Hosting Threats

  • How does the SonicWall DPI / UTM compare against the Netgear UTM series?

    prosecure.netgear.com/.../prosecure-utm-series.php

  • I took a quick look at the demo screens and specs.  While I could not use an emulator/demonstrator to get a feel for configuring the device, it looks similar to the SonicWALL devices.  The Netgear only performs SPI, while SonicWALL performs DPI.  Lastly, the Netgear UTM does not include a wireless radio.  But the Netgear UTM supports gigabit networking ports.

    I could not get pricing on the UTM series.  It looks like it should be priced competitively against the TZ-180 or TZ-190 devices.  I am not sure of the pricing for subscription and firmware updates.  Netgear's 3 year extended maintenance is $383 at CDW, but I do not know if that includes the anti-virus and anti-spam subscription.

    I am going to look at the Netgear UTM a little farther.  Maybe I'll get a 30 day demo.  Thanks for suggesting this device.

  • Every article in this series has topped the previous one so far.  This article is no exception.  I like that the article weaves a nice path by using an envelope analogy to describe network traffic, displaying easy to understand network diagrams and culminating in a side-by-side comparison of SPI, DPI and software based solutions.  Never one for leaving the reader at a loss, Chuck also provides his recommendation for the best suite to purchase.  It's a no-brainer the way you laid it out here.  I appreciate that you've shared this networking experience with us to keep our computers safe and secure.

  • Thank you Dennis for your kind comments.  Alexander also liked the analogy.  It is a good way to explain something very technical in a way that anyone can relate to.