The best way to optimize your firewall: Use hardware

Let’s get back to talking about utility replacements. We last talked about antivirus programs, but what about the other component of what’s commonly now called a “security suite,” the firewall?

The answer is, don’t use firewall software if at all possible–which means every man, woman and child who has a cable or DSL connection. Use a separate device.There are several good reasons for this. First, there’s the fundamental problem with running your security on the same system you’re trying to protect. If your firewall software goes haywire and crashes, you run the risk of being unprotected. It’s much safer to rely on an external device that doesn’t have an Intel or AMD processor in it and isn’t running Windows. So when someone tries to send a Windows exploit or virus to it, it bounces off because the device just doesn’t understand.

The second reason is price. A plain no-frills cable/DSL router/firewall costs about $20 at Newegg today. The unit I generally recommend is the Linksys WRT54G, which sells for about $50 new or as little as $25 used and adds wireless capability. That’s about the same as the retail price of a software firewall anyway, and it gives you better protection without robbing your system of performance.

A cheaper alternative, which was what I used to do when these devices cost $200, was to take an obsolete PC, put in a couple of cheap network cards, and run Freesco on it. It will run on any PC with a 386 processor or better (I recommend a Pentium with PCI slots for ease of setup). A 100 MHz Pentium is more than powerful enough and if you don’t already have an obsolete PC to run it on, you probably won’t have to ask around very long before finding one for a very low price or free. Today I prefer a Linksys-type box though, since they take less space, consume less electricity, generate less heat and noise, and take less time to set up.

Performance is the third reason. Two years ago I was working at a large broadband ISP that will remain nameless. It provides a “high speed security suite” as part of the subscription price. The system requirements for this suite are ridiculous–the suite itself needs anywhere from 128 to 192 megabytes of RAM all to itself to function. Basically, if you have a PC with 256 megs of RAM (which is what a fair number of PCs out there still have), loading this security suite on it will bring it to its knees. But if your firewall is running on a separate device, 256 megs of RAM is a comfortable amount of memory to run Windows XP or 2000 and basic applications.

Reliability is the fourth reason. Every high-speed security suite I’ve ever dealt with, be it a freebie provided by your ISP, or an off-the-shelf suite, hooks itself into winsock.dll. Three of the last four computer problems I’ve fixed have been related to this problem, and the symptoms are difficult to diagnose unless you’ve seen the problem before. Basically the computer loses any and all ability to do any networking, but when you call tech support, enough things work that tech support will probably tell you to reload your operating system. Unfortunately, the WinSockFix utility doesn’t seem to be well-known at ISPs.

If messing around with your Winsock isn’t bad enough, the security suite my former employer provided was overly paranoid about piracy. If you did any number of things, including but not limited to trying to install it on a second PC without getting a second key from the ISP, it would disable itself and not necessarily warn the user that it had left the PC unprotected. It was my job, when I was working there, to go through all of the disabled accounts by hand. It wasn’t an automated process. So if the security suite decided to go jump off a cliff sometime on Friday after I’d pulled the current report, it would be sometime on Monday before I would even be aware of the problem. Given that it usually takes about 20 minutes for some exploit to find an unprotected Windows box sitting on the Internet, that 48-72 hour window that you could be sitting unprotected is anything but ideal.

Things may have changed since I left that employer in November 2005, but if it’s my PC, I’m not willing to risk it. I’d much rather spend $20-$50 on a cable/DSL router to give myself firewall protection that I know I can just set up once and then ignore for a few years and won’t cause my PC to constantly fall behind on the upgrade treadmill.

And finally, the fifth reason to use a hardware firewall is apathy. Software firewalls tend to throw a lot of popups at the user, warning the user that this or that is trying to access the Internet, or come in, or whatever. Most users are likely to do one of two things: either allow everything or deny everything. The result is either a PC on which nothing works, or whose firewall is full of so many holes there might as well not be one. It’s much better to have a hardware firewall that just does its job. If you’re worried about unauthorized applications hitting the Internet, that’s the job of antivirus and antispyware software, not the firewall.

2 thoughts on “The best way to optimize your firewall: Use hardware

  • June 27, 2007 at 12:11 am
    Permalink

    …and as a bonus, this particular unit is extremely hackable, both with commercial software and at least two communities of "roll your own".

    (Make sure to confirm your series number first as version 5 is a different deal. You’ll also void your warranty; and it’s likely your hair may turn blue. …but you can gain functionality and boost your power output. Plus, hacking commercial stuff is just … well… yeah.)

    • June 27, 2007 at 7:43 am
      Permalink

      Good point. I plan to get another old WRT54G and load one of the 3rd-party packages on it to give it a wireless repeater mode. That should improve the range of my wireless network quite a bit, and it’ll cost half as much as buying a commercial repeater.

Comments are closed.

%d bloggers like this:
WordPress Appliance - Powered by TurnKey Linux