Free Hardware Firewalls

Update December 2020

Most ISPs provide (or recommend) an “Internet Gateway”, which is basically a combined router, 2 or 4 port switch and WAP (Wireless Access Point). These routers tend to have some form of built-in firewall. Virgin Media and Sky provide the router and others may do too. The Internet Gateways provided by Virgin and Sky are pretty good and offer a good degree of protection but could be improved.

Network security is best achieved by having a “layered defence” system and with this in mind, I would recommend that the ISP provided router (Internet Gateway) is considered to be the “border defence”. This will give most people a reasonable amount of security and keep most unwanted “visitors” out of your home “LAN” (Local Area Network).

If you have read the main Firewall topic, you will know that a “Hardware” firewall is actually a separate device to your PC and this provides “better protection” for devices on your LAN. A hardware firewall is usually more configurable for your needs. The following are basically “Linux” based “Operating systems” designed to run on low spec desktops.

1.  Linux Smoothwall is what I use and highly recommend. There is a good article on the Wiki. Smoothwall is now on version 3.1.

2.  IPCOP. Again Linux based.

3.  Monowall. Based on FreeBSD. Now discontinued.

To use these “Free” (Open source) firewalls you will need:

1. A spare computer – ideally a quiet one but it doesn’t need to be very powerful.

2. An extra Network Interface Card (NIC). Fitting an extra card is a must to enable the (spare) PC to become a router (see below). You can have 3 NICs if you want a DMZ (Demilitarised Zone)! I recommend not using a DMZ unless you fully understand what it does.

3. The firewall software/ operating system of choice on a CD/DVD or USB stick.

4. Plenty of time to play 🙂

The hardware firewalls can, in some cases, act as a DHCP and DNS server and Web Proxy but in all cases they would need to be the “default gateway” for all devices on the LAN to ensure that all devices on the LAN use the firewall device as a “gateway” to the ISP router. This means that all Internet traffic (from and to the LAN) would have to go through the firewall device and then on to the ISP Gateway router or to your LAN.

Some bits you will need to know.

Router. By installing 2 NICs, you create a situation where “networks” can communicate with each other. In a firewall, one NIC is often called the “red” interface and this is the NIC that connects to the ISP Gateway. The other NIC is connected to your network switch and often called the “Green” interface. Red = danger, Green = safe!

The way a hardware firewall works is basically by making use of the routing capability. The two NICs create 2 “doors” connected by a “virtual” corridor (similar to an air lock). The firewall software (OS) intercepts the network traffic from both the Red and Green interfaces and then applies rules to either allow the passage of data (traffic) or to deny the passage of data.

Typically, you would connect the (Red) NIC to the ISP Router (Internet Gateway) and the (Green) NIC to a switch using Ethernet cables. All the devices on your LAN would be connected to the switch (and ultimately to the Firewall). All your devices on the LAN would use the “Firewall” device as the default gateway, which would also be the *DHCP server (this allocates IP Addresses to each device on your LAN). You can use WiFi instead of Ethernet cables but the “Firewall Device” NEEDS to be the “default gateway”.

*DHCP server. Each network device on your LAN needs a unique IP address, and the “DHCP server” provides an IP address to any network device connected to your LAN. If your Firewall / DHCP server’s IP address is say, any network device connecting to your LAN would get an IP Address of 192.168.4.?.

NAT (Network Address Translation). This is built into all (Internet Gateway) routers, partly because of the shortage of IPv4 addresses. Your router has an external (WAN) *routable* IP address, which is usually dynamically applied by your ISP (it changes), and it has an internal (non-routable) (private) IP address, which only changes if you change it.

Routable just means that the IP address is capable of being used outside of your LAN. Non Routable IP addresses (private) are designed to be incapable of being used outside of your LAN.

Internal / Private IP address ranges :- – and – and – The internal IP addresses can only be used on a LAN. The router allows you to “route” traffic from a “Public IP address” to a “Private IP address” and vice versa.

A typical LAN IP address of ISP supplied routers is or, the 3rd “octet” is sometimes 1, 2 or any other number up to 254. You would typically use a web browser to configure the Router / Firewall by entering the LAN IP address in the address bar of the browser. If the router LAN IP address was, you would enter this number in the browser address bar and it should take you to the config screen. Sometimes you might need to specify the port e.g. but most tend to use port 80 so you don’t need to specify the port.

External IP “routable” Addresses would be anything not in the Internal address ranges.

In a nutshell, NAT hides the internal IP address of the device on the LAN. Any websites that you visit will see your traffic as coming from your external (WAN) IP address, so this is just a very basic firewall but very useful. If NAT wasn’t available, all the devices on your LAN would need a separate external IP address and there aren’t enough IPv4 addresses for this to happen.
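To make the NAT description above concrete, here is a toy translation table, added as an illustration and not taken from any router's firmware. The WAN address, LAN addresses and port numbers are constructed sample values, and real NAT also tracks the remote end of each connection, which is left out here.

```python
import ipaddress

WAN_IP = "203.0.113.10"  # constructed sample WAN address (documentation range)


class Nat:
    """Toy port-address translation table for a single WAN address."""

    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.out = {}   # (lan_ip, lan_port, proto) -> wan_port
        self.back = {}  # (wan_port, proto) -> (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, proto="tcp"):
        """Rewrite the source of a LAN packet; returns what the website sees."""
        if not ipaddress.ip_address(lan_ip).is_private:
            raise ValueError("source is not a private LAN address")
        key = (lan_ip, lan_port, proto)
        if key not in self.out:
            # First packet of this flow: allocate a WAN-side port for it.
            self.out[key] = self.next_port
            self.back[(self.next_port, proto)] = (lan_ip, lan_port)
            self.next_port += 1
        return (self.wan_ip, self.out[key])

    def inbound(self, wan_port, proto="tcp"):
        """Map a reply back to its LAN host, or None if no device asked for it."""
        return self.back.get((wan_port, proto))


def demo():
    nat = Nat(WAN_IP)
    a = nat.outbound("192.168.4.20", 51000)  # two LAN devices, same source port
    b = nat.outbound("192.168.4.21", 51000)
    reply = nat.inbound(a[1])                # reply to a flow the LAN started
    unsolicited = nat.inbound(22)            # nobody on the LAN opened this
    return a, b, reply, unsolicited


if __name__ == "__main__":
    print(demo())
```

Both devices appear to the outside as the same WAN address, and the unsolicited inbound packet has no table entry, which is why NAT behaves like a very basic firewall.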

For those that are interested, one way that ISPs are getting round the shortage of IPv4 addresses is to use “Super Netting”. An IPv4 address uses the “dotted quad notation” which uses a 32 bit system of addressing e.g. basically you have 4 sections of 8 bits (octets), each separated by a “.” (dot). In the example the IP address would be 66 dot 102 dot 15 dot 255 (total of 32 bits in binary). Back a few years, the IP addresses were in “classes” e.g. A, B, C but due to the shortage of IPv4 addresses CIDR (Classless Inter-Domain Routing) is used.

IP addresses are made up of “Network bits” and “Host bits” e.g. a class C address would use the first 24 bits as the network “identity” and the remaining 8 bits would be for the “host identity”. A class C address would give you 254 host addresses e.g. you can have 254 devices attached to the LAN, the LAN / Network identity would be e.g. 192.168.0. and the host would then be anything from (192.168.0).0 to 255. The way this works is by using a “Network Mask”, which separates the network ID from the Host ID.

Super netting works by amending the “Network / Subnet Mask”. Class C uses 24 bits for the subnet mask and allows 254 hosts, but by amending the number of bits the subnet mask uses, the number of hosts can be increased many fold. If you want to play, hop over to IP Subnet Calculator and meridianoutpost. Try amending the number of bits from 24 to maybe 27 or maybe 18 and see how this affects the number of “hosts” you can have on your LAN. Have fun 🙂
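If you would rather try the mask experiment offline, the following is an added example (not from either calculator site) using Python's standard ipaddress module. It works out the mask and host count for the 24, 27 and 18 bit cases mentioned above and also shows two adjacent networks being merged into one "supernet"; the 192.168.x.x networks are sample values.

```python
import ipaddress


def describe(cidr):
    """Return mask, broadcast address and usable host count for a network."""
    net = ipaddress.ip_network(cidr, strict=False)
    # The first address (network ID) and last (broadcast) are not handed
    # to devices, except on the tiny /31 and /32 networks.
    if net.prefixlen < 31:
        usable = net.num_addresses - 2
    else:
        usable = net.num_addresses
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def supernet(cidrs):
    """Merge networks into the fewest larger blocks that cover exactly them."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def same_lan(host_a, host_b, cidr):
    """True if both hosts sit inside the given network (no router needed)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (ipaddress.ip_address(host_a) in net
            and ipaddress.ip_address(host_b) in net)


if __name__ == "__main__":
    for bits in (24, 27, 18):
        print(bits, describe(f"192.168.0.0/{bits}"))
    # Two aligned neighbours merge into a single /23 ...
    print(supernet(["192.168.0.0/24", "192.168.1.0/24"]))
    # ... but these two do not share a /23 boundary, so they stay separate.
    print(supernet(["192.168.1.0/24", "192.168.2.0/24"]))
    print(same_lan("192.168.0.10", "192.168.0.40", "192.168.0.0/27"))
```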

IPv6 is slowly taking over and is most definitely the way to go to avoid the shortage of IP addresses, as it uses 128 bit addressing to give something in the order of approximately 340 trillion trillion IP addresses instead of the 4.3 billion provided by IPv4. Here’s a good read about IPv6, it’s not for the faint hearted 🙂 It uses Hexadecimal instead of Binary and it doesn’t use the dotted quad notation.

Firewalls, anti-virus / anti malware are your friends and will help keep you safe when connected to the Internet.

Have fun.