Technology & You
The Problem with Firewalls
As software, they're a complex afterthought. Built into hardware, they'd protect us all
In this world, one person's misfortune is another's marketing opportunity. So it's not surprising that the recent spate of "denial of service" attacks that shut down major Web sites has inspired companies to push software designed to defend us from the invasion of the computer snatchers.
There's no question that millions of home and small-office computers are vulnerable, especially those connected to the Internet full time through cable modems or fast telephone digital subscriber lines (DSLs). Protective programs such as Norton Internet Security 2000, $55 from Symantec (www.symantec.com), and BlackICE Defender, downloadable for $39.95 from Network ICE (www.networkice.com), are better than nothing at keeping someone bent on mischief away from your computer. But I don't think such software "firewalls" are a satisfactory solution. Most people would be better off with hardware protection, either as a stand-alone device or built into cable or DSL modems.
A firewall works by examining all communications between your computer and the network to prevent improper access. If, for example, someone attempts to gain access to a computer on which remote log-ins are not authorized or tries to fetch data from a machine not set up for file transfer, the firewall blocks the request.
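The policy in the paragraph above, as an added example that is not code from the column or from any product it names: a small stateful packet filter in Python. Connections the protected computer opens are recorded and their replies let back in; connection attempts from outside to services the computer does not offer (remote login on port 23, file transfer on port 21) are dropped, and so is a stray packet that merely claims to be a reply. The addresses, ports and packet sequence are constructed for the illustration.

```python
"""Minimal stateful packet filter (illustrative, not any product's code).

Policy: traffic the protected host initiates is passed and remembered;
inbound packets are passed only if they belong to a remembered connection
or open a connection to a port the host is deliberately offering.
"""
from dataclasses import dataclass

# Well-known ports for the services the column uses as examples.
FTP_CTRL, TELNET, HTTP = 21, 23, 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # connection-opening segment
    ack: bool   # acknowledges the other side (set on replies and data)


class Firewall:
    def __init__(self, protected_hosts, offered_ports=()):
        self.protected = frozenset(protected_hosts)   # addresses behind the firewall
        self.offered = frozenset(offered_ports)       # ports the inside deliberately serves
        # (local_host, local_port, remote_host, remote_port) of connections the inside opened
        self.conntrack = set()

    def filter(self, pkt):
        outbound = pkt.src in self.protected and pkt.dst not in self.protected
        inbound = pkt.dst in self.protected and pkt.src not in self.protected
        if outbound:
            # Remember who we talked to so the answer can come back in.
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "PASS"
        if inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.conntrack:
                return "PASS"   # reply to a connection the inside opened
            if pkt.syn and not pkt.ack and pkt.dport in self.offered:
                return "PASS"   # new connection to a service we chose to expose
            return "DROP"       # unsolicited: remote login, file transfer, fake reply
        return "PASS"           # traffic that does not cross the boundary is not our concern


def run_demo():
    """Constructed packet sequence; returns the filter's decision for each."""
    fw = Firewall(protected_hosts={"192.168.1.10"})   # a home PC, offering nothing
    web, attacker = "203.0.113.5", "198.51.100.7"      # constructed outside hosts
    packets = [
        Packet("192.168.1.10", 40000, web, HTTP, syn=True, ack=False),      # PC fetches a page
        Packet(web, HTTP, "192.168.1.10", 40000, syn=True, ack=True),       # server replies
        Packet(attacker, 51000, "192.168.1.10", TELNET, syn=True, ack=False),   # remote log-in
        Packet(attacker, 51001, "192.168.1.10", FTP_CTRL, syn=True, ack=False), # file transfer
        Packet(attacker, 51002, "192.168.1.10", 40000, syn=False, ack=True),    # forged "reply"
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The last packet is the reason the filter keeps state: a port-only rule that says "let in anything addressed to a high port" would pass it, while matching against the connections the inside actually opened drops it. A real firewall also has to age entries out of its table and handle UDP, which has no connection-opening segment; those are omitted here.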
So why not just have a program running on a PC do the job? There are several reasons. First, the programs are too complex. Norton Internet Security is a Swiss army knife of utilities, including a firewall, a component parents can use to restrict children's access to the Web, antivirus protection, and the ability to block ads from Web sites. It's big and awkward. Configuring it for the appropriate amount of security requires technical knowledge more appropriate to a network administrator than a home user.
BlackICE Defender is simpler and less obtrusive but still a bit complicated for the average computer owner. One good feature is the ability to pick from among four security levels, from "trusting" to "paranoid." Macintosh users who want a software firewall might consider DoorStop (which I have not tested), a $59 download from Open Door Networks (www.opendoor.com/doorstop).
In addition to the complicated nature of these programs, I worry about the impact of one more background program on the already fragile stability of Windows. Norton Internet Security runs only on the crash-prone Win 95 or 98. BlackICE can also be used with Windows NT or 2000, a happier combination.
Worst of all, a computer running protective software can still be vulnerable to attack: the firewall runs on the same operating system it is supposed to guard, so a flaw in that system, or a malicious program already on the machine, can disable or bypass it. So security experts recommend that the firewall run on dedicated hardware, which can be made more bulletproof than a general-purpose computer. A good example of such a device is the WatchGuard SOHO from WatchGuard Technologies (www.watchguard.com). It's a little red box about the size of a CD player. You connect the WatchGuard to a broadband modem with a standard Ethernet cable and then plug in up to four computers using the Internet connection. What little configuration is needed is done with a Web browser.
The main drawback to the WatchGuard is its price: At $315, it's the cheapest hardware firewall I've seen, but that's still steep for the home user. Mass production and incorporating firewall function into the modem could produce much lower prices. Brent Lang, marketing director for home-networking products at 3Com, believes that all Internet access devices will eventually come with minimal firewall protection, with additional flexibility available at extra cost. Intel is considering building firewalls into home gateway products that could provide Internet access for both PCs and special-purpose network appliances.
A final argument for embedding protection into modems concerns what might be called the public health of the Internet. The denial-of-service attacks that can cripple Web sites cause only minor inconvenience to those whose computers are hijacked as launching pads. But guarding personal computers is a little like vaccinating people: Once enough of the population is protected, the disease effectively disappears, as polio has done. By making firewalls simple, cheap, and ubiquitous, we could produce a much safer Internet for everyone.
By Stephen H. Wildstrom