Security watch

Why you really, really need a firewall--or two

Today, computers need a firewall as much as they need antivirus software. And if your PCs are networked, you need two firewalls. Here is Robert's advice on the best way to protect your systems.

By Robert Vamosi
Senior editor, CNET Reviews
(April 2, 2003)

I've been covering computer security long enough to see that, given time, security technologies employed on big corporate systems eventually trickle down to individual desktop users like you and me.

Case in point: A few years ago, almost nobody talked about firewalls for desktops, though firewalls were used by most corporations. Now, they're the latest must-have item. Personal firewalls probably weren't talked about much before because few thought a single, slow PC would ever be worth a hacker's time.

More PC threats today
Well, times change. Desktop computers are now faster and more numerous than ever before. So are Internet connections. And while most people used to dial up to their ISP for limited amounts of time, now many are online 24/7, thanks to their broadband Net connection, and some even host their own Web servers.

In addition, more and more computers are networked, often to allow multiple systems to share one fast Net connection.

Combine these trends with a hacker's ability to coordinate thousands of desktop computers in distributed denial-of-service attacks on major Web sites, and I think it's time we started taking home PC security seriously.

My advice: Use a firewall. If your PCs are networked, layer your defenses by using both router-based hardware and desktop-based software firewalls. If you have only one computer connected to the Internet, a software firewall should suffice.

(For those of you who don't know, a firewall is a system that intercepts all data entering or leaving your PC or network. Most often, it is software or hardware--actually firmware on a chip--that either hides true network addresses, preventing outsiders from gaining access to information stored on individual PCs, or blocks sensitive internal data from escaping to the Internet--or both.)

A layered approach
Every network's first layer of defense should be at the router--the device that allows your computers to communicate with other local computers and the Net. These days, some routers (a.k.a. gateways), such as the Netgear RP614 Cable/DSL Web-safe router gateway (for wired networks) and the Netgear CG814M wireless cable modem gateway (for wireless nets), include built-in firewalls. So you're all set, right? Not really.

The firewall included in most routers is based on what's known as Network Address Translation (NAT). Basically, this means the router assigns each computer on your network its own local IP (Internet Protocol) address. The NAT router hides your local network addresses from the Internet by translating those individual addresses into one common IP address. It keeps track of all outgoing data packets, translating them to the common IP address, and of all incoming packets, translating them back to the individual desktop addresses.

It works similarly to the way a phone system at a large company works. When you dial out from your office, the person you're calling won't see your direct telephone extension, just the company's main phone number. In the same way, someone looking for vulnerable computers on the Internet sees only one IP address for a network with a NAT router. Since no one outside your network can see the address for your PC, no one can attack it.
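The translation bookkeeping described above, as an added example that is not from the original article or from any router's firmware. All addresses are constructed (documentation ranges), the class and function names are hypothetical, and the model assumes the router only accepts replies from the exact remote address and port an inside PC contacted; real routers vary on that point.

```python
from dataclasses import dataclass, field

# Constructed address standing in for the router's one public IP.
PUBLIC_IP = "203.0.113.10"

@dataclass
class NatRouter:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # (private_ip, private_port, remote_ip, remote_port) -> public_port
    out_map: dict = field(default_factory=dict)
    # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
    in_map: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the LAN and remember how to undo it."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a packet arriving at the public IP; None means drop."""
        return self.in_map.get((dst_port, src_ip, src_port))

def demo():
    nat = NatRouter()
    # Two PCs use the same local port; the router keeps them apart.
    a = nat.outbound("192.168.0.2", 51000, "198.51.100.7", 80)
    b = nat.outbound("192.168.0.3", 51000, "198.51.100.7", 80)
    # The web server's reply is translated back to the first PC.
    reply = nat.inbound("198.51.100.7", 80, a[1])
    # A stranger probing the same public port has no table entry.
    probe = nat.inbound("192.0.2.99", 4444, a[1])
    return a, b, reply, probe

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The outside world only ever sees `203.0.113.10`, and `outbound` translates whatever any inside PC sends without asking which program sent it.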

More than a NAT firewall
While NAT routers will keep hackers from discovering the nature of your network (how many systems you have, what OSs they're running, and so on) and help protect you from attackers trying to break in, that's only half the battle. The other half is protecting your network from hackers who have already broken in--via a Trojan horse or spyware, for example--and are trying to send outgoing messages to the Internet from your systems.

That's why you need yet a second layer of defense: outbound protection.

You can get this extra layer of security by installing a software firewall on each desktop or laptop on your network--or on your individual PC, if you have only one computer. This software will alert you whenever malicious programs on your system try to connect to the Internet.

The best software firewall, in my opinion, is ZoneAlarm Pro. ZoneAlarm is pretty smart; not only does it monitor which apps on your desktop have permission to connect to the Net, it also checks the integrity of those apps. That way, if someone sends you a piece of malicious code disguised to look like it came from, say, Quicken, ZoneAlarm will shut it down. Other capable firewalls include McAfee Firewall 4.0, Sygate Personal Firewall, and BlackIce.
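The per-application permission and integrity check described above, as an added example. It is not ZoneAlarm's code or its actual method: comparing a SHA-256 hash recorded at approval time is an assumption made here, and the class, decision strings and file names are hypothetical.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a program file in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class OutboundPolicy:
    def __init__(self):
        # program path -> hash recorded when the user approved it
        self.approved = {}

    def approve(self, path):
        self.approved[path] = sha256_file(path)

    def check(self, path):
        """Decide what to do when a program asks to reach the Internet."""
        if path not in self.approved:
            return "ask-user"   # never seen before: alert the user
        if sha256_file(path) != self.approved[path]:
            return "block"      # approved name, but the contents changed
        return "allow"

def demo():
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "finance_app.exe")   # constructed stand-in program
        with open(app, "wb") as f:
            f.write(b"original program bytes")
        policy = OutboundPolicy()
        policy.approve(app)
        first = policy.check(app)
        # Something overwrites the approved program under the same name.
        with open(app, "wb") as f:
            f.write(b"different bytes under the same name")
        second = policy.check(app)
        unknown = policy.check(os.path.join(d, "newcomer.exe"))
        return first, second, unknown

if __name__ == "__main__":
    print(demo())
```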

I'm also starting to see more advanced technologies--once used only by companies--in the latest desktop security products. Norton Personal Firewall 2003, for example, includes an intrusion-detection system (IDS), which is commonly used on corporate gateways. An IDS checks individual packets coming across the Internet for the existence of malicious code, including worms such as Code Red or SQL Slammer. Though there is some debate about whether the average desktop computer needs this technology, because Norton included it in its latest personal firewall, I expect other firewall makers will add this feature to forthcoming releases of their products, too.

More trickle-down security
I predict that the next security technology to arrive on your desktop will be all-in-one hardware devices that provide antivirus protection, a firewall, an IDS, VPN capabilities, and content filtering. At present, these appliances make sense for networks with 100 users or more. But I expect within the next two years to see scaled-down versions for networks of, say, 10 users or fewer.

It may seem a little daunting to set up one firewall, let alone two, but most personal firewalls are easy to use, with plenty of wizards to walk you through the process. It's such a small hassle when you consider the larger picture. After all, each secure network is one less place for hackers to look for systems to use in attacks on larger commercial or governmental Web sites.

Do you have a firewall? Why or why not? How do you protect your PC? Are you worried about hackers compromising your system? TalkBack to me!


Senior Associate Editor Robert Vamosi covers hoaxes, viruses, and security threats for CNET Reviews. Have a question for him? Let him know!



© 2008 CNET Networks, Inc., a CBS Company. All rights reserved.