Web Informant #217, 4 October 2000:
Buying a firewall for your home network

http://www.strom.com/awards/217.html

More homes continue to use broadband Internet connections, and the biggest issue for many home networkers is just hooking up their computers for the first time. Perhaps the best way to do this is to purchase a firewall appliance with a built-in Ethernet hub. Here are the three units I would recommend:

  1. Umax Ugate 3000, $230 (what I use at home)
  2. Linksys EtherFast 4-Port Cable/DSL Router, $170
  3. Watchguard Soho, $449

All three devices come with a four-port Ethernet hub included, and are managed with a web browser. All three are very easy to set up, especially if you have never set up a network before and the notion of setting up TCP/IP addresses is a daunting one. And all three are better than installing a software-based firewall on your primary PC, because they are inexpensive protection contained in a separate piece of hardware that is ultimately expendable if someone should try to attack you over the Internet.

What do I mean by this? All of the software-based firewalls make use of your PC and a second network card to do their jobs. That still means that your PC could be vulnerable in case of an attack, or that you might mess up its configuration if you aren't careful. If you think adding one network card is going to be hard enough, then consider these firewall appliances.

Of the three, the Umax is still my favorite, but perhaps because of the familiarity of its menus. Umax and Linksys also make devices with more ports (7 and 8 respectively) in case you need to connect more computers on your network: remember if you have an Ethernet-based laser printer or print server, that counts for another connection on your device's hub.

The Linksys device has a more cumbersome firmware upgrade process than either the Umax or Watchguard units: the latter two have menu items inside the web interface to make updating the features and protective measures easier. (Regularly updating the firmware is a very good security practice.)

The Watchguard seems a bit pricey but includes a one-year subscription to its security monitoring service, where you can stay up to date on the current attacks, viruses, and other developments of the bad guys. It also has a more advanced firewall and supports virtual private networking using IPsec: if you don't know what this means, then it isn't worth the extra dough.

Each device includes support for Network Address Translation, which is a good way for you to share a single IP address around your home network. Many cable and DSL providers only allocate one address per residence: using these devices, you can share that address and get some security benefit as well.

Setting up these appliances is relatively straightforward. First, you need to get a working network card in one of your PCs. If you have a PC more than three years old that does have PCI slots, I would buy an ISA Ethernet card. If you have a more recent model, the PCI card should work fine. I'd steer clear of USB-based Ethernet adapters unless you are running Windows 98. Next, you need cables. Most computer stores will sell them, or if you purchase a cable modem the cables might be included in the box. I am assuming, of course, that your PC, cable modem, and firewall can be located in the same room of your house. If not, then you'll need to figure out your wiring plan and start drilling holes in the walls.

If you have never bought Ethernet cables before, you should know there are two types: "straight through" and "crossover". The former are usually used between two PCs or two hubs, and you might need one of these depending on your firewall (the Watchguard in particular uses this kind) and cable or DSL modem. In general, you know you have the wrong kind when you plug in the cable between your PC and hub and the little port light doesn't immediately come on. Some firewalls automatically detect the type of cable, and some have a switch that needs to be set.

Finally, you need to set up your IP network using the Network or TCP Control Panels and enable DHCP on your computers. If you have a print server, you'll also need to make sure it supports grabbing a DHCP address: if not, you'll have to set it up manually.

To test whether DHCP is working, connect your PC to the firewall and reboot. If you don't get any error messages, go to the Start menu and choose Run Program | WINIPCFG if you are running Windows, or Control Panel | TCPIP if you have a Macintosh. You should see the IP address listed under your Ethernet card. You should also see a light illuminated by the port on your firewall, indicating that your network connection is working properly. Finally, you should see something called the "gateway address" listed in one of these screens: this is the address of your firewall. Make note of it now.

You'll also need the DNS server information from your cable modem or DSL provider, and you may need to enter this information in one of the device's web configuration screens. How do you know if you need this? Try bringing up a web browser and typing in some random web site address, say Microsoft.com. If nothing comes up, your name server information is required.

Use the firewall IP address noted above and type that into your web browser. You should see the administration screens for your firewall, and you should now open the manual and follow its instructions on how to set up your DNS address and do other tasks. Each of the three devices comes out of the box to block all incoming Internet traffic but to allow all outgoing traffic. Your needs may be different -- say if you want to run your own web server and have it available to the outside world from your home network -- so you'll need to spend some time getting everything set up.
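The default policy described above (all outgoing traffic allowed, all incoming blocked, with Network Address Translation sharing one address), shown as an added example that is not part of the original newsletter and is not any vendor's firmware. The addresses, ports, class name, and the strict reply-matching rule are assumptions made for illustration; real devices differ in how tightly they match replies.

```python
# Toy model of a NAT firewall's default policy (added illustration).
# All addresses are constructed, taken from documentation/private ranges.
from dataclasses import dataclass, field

@dataclass
class NatFirewall:
    public_ip: str
    next_port: int = 40000
    # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
    sessions: dict = field(default_factory=dict)
    # public_port -> (lan_ip, lan_port), set explicitly by the administrator
    forwards: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN host opens a connection: allowed by default, mapping recorded."""
        pub_port = self.next_port
        self.next_port += 1
        self.sessions[pub_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return (self.public_ip, pub_port)   # what the Internet side sees

    def inbound(self, remote_ip, remote_port, pub_port):
        """Packet arrives from the Internet: LAN destination, or None if dropped."""
        session = self.sessions.get(pub_port)
        if session and session[2:] == (remote_ip, remote_port):
            return session[:2]              # reply to a connection we started
        if pub_port in self.forwards:
            return self.forwards[pub_port]  # explicit port-forward rule
        return None                         # unsolicited traffic is dropped

def demo():
    fw = NatFirewall(public_ip="203.0.113.10")
    results = {}
    # Two PCs on the home network share the single public address.
    a = fw.outbound("192.168.1.2", 1025, "198.51.100.7", 80)
    b = fw.outbound("192.168.1.3", 1025, "198.51.100.7", 80)
    results["shared_ip"] = a[0] == b[0] and a[1] != b[1]
    results["reply"] = fw.inbound("198.51.100.7", 80, a[1])
    # Same public port, but from a host the PC never contacted.
    results["wrong_sender"] = fw.inbound("192.0.2.99", 80, a[1])
    results["unsolicited_web"] = fw.inbound("192.0.2.99", 5555, 80)
    # The owner publishes a home web server: the one deliberate exception.
    fw.forwards[80] = ("192.168.1.4", 80)
    results["forwarded_web"] = fw.inbound("192.0.2.99", 5555, 80)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every entry in `forwards` is a hole in the default-deny policy, so the forwarded machine needs to be kept patched like any Internet-facing server.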

I realize that my description here might be too much or too little information, depending on your level of expertise. But I do want to impress upon you that you should get one of these devices today, and start protecting your home network. If you lock your doors to your home, you need to do the equivalent for your data resources too.

CODA:

Since writing this, I came across an excellent site that goes into further details about low-end firewalls and routers.

David Strom
david@strom.com
+1 (516) 944-3407
entire contents copyright 2000 by David Strom, Inc.
Web Informant is a registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.