With the spread of broadband into the home, the 'always-on' connection is far more prevalent now than ever. This type of connection, while very convenient, increases the exposure of the system to worms, viruses and attacks.
By this time, home routers are widespread. Many of these routers do not, by default, provide DMZ-like connectivity to the connected computers, and therefore go a long way to stopping many automated attacks. Unless the router itself is vulnerable to exploitation, the attack surface of the home PC is greatly reduced. This is due to NAT (Network Address Translation). The router will not be able to forward malicious packets because the router does not know which IP to forward them to (unless the PC forms a connection with the malicious host FIRST).
A good hardware firewall increases security in that it allows the user more port-level control and monitoring capability than a standalone router. Most routers do not alert you if your computer is sending out malicious packets (which is a sign that you're either screwing around with Metasploit or that your computer has been compromised). A good firewall, however, is not only able to block these outgoing attacks (as well as incoming ones), but it can also alert you to this situation. Firewalls generally function as a very basic IDS/IPS (Intrusion Detection System / Intrusion Prevention System). In this design, the firewall would be a network-based IDS/IPS.
A final firewall to enact on your computer is a Host-based firewall; that is, a firewall running on your computer itself. This is necessary for two reasons. The first is that it provides the user with even more monitoring and configuration options. The second is in case of a network breach. With the large numbers of wireless access points in use, it is very possible for an intruder to gain access to ones network. In this case, the network IDS/IPS will not protect you. The Host IDS/IPS will. Another thought, especially in the case of laptops, is the protection offered regardless of which network you are on. It is irrelevant if you're using a public WiFi spot at the library, or your EAP-secured corporate wireless network; you are protected with that firewall.
No comments:
Post a Comment