As a systems administrator for an ISP, my primary function is to support several thousand customers by ensuring that equipment and services are operating correctly. Depending on the customer, this job can include maintaining on-site routing and firewall equipment, which can vary depending on the specific needs of the customer.
When it comes to supplying Internet access, ISPs provision a single IP address or a subnet for their customers. Either way, I always suggest that anyone accessing the Internet protect systems with a hardware or software firewall.
Of course, IT pros know that a firewall is anything that protects a computer or network from the ravages of the Internet. But when talking to end users, I try to describe the level of questionable activity on the Internet in terms of worldwide accessibility.
Because public Internet addresses are readily accessible from anywhere in the world, even a simple dial-up Internet connection with a public IP address exposes your computer to the rest of the world while you're connected. This means your computer can be identified by anyone on the Internet and perhaps scanned to see whether it's running vulnerable software or services; it can even be broken into unless, of course, you use a firewall to try to protect it.
Hardware vs. software firewalls
As I tell my customers, deciding what type of firewall to use depends on what you're trying to protect. If you're just worried about a single computer system with Internet access, ZoneAlarm works well enough for most people.
ZoneAlarm not only alerts you when someone tries to access your computer, but it alerts you when a program on your computer attempts unauthorized access to the Internet. If the access is valid, you can instruct ZoneAlarm to remember the program and allow access in the future without alerts. Although it's not an antivirus program, ZoneAlarm can also detect Trojan horse and spyware programs.
I suggest using a hardware firewall in these situations:
Even though it's possible to share an Internet connection and firewall software using one computer as the router, I think it's a bad idea to use a workstation in this manner. Everyone on the network becomes dependent on the reliability of someone else's computer.
If it locks up or gets rebooted, the Internet gets cut off. Then people call the ISP to complain, even when it's not the source of the problem. Hardware firewalls don't have to be expensive. For instance, NetGear and LinkSys models have sufficient features and cost less than $100.
Do you need advanced firewall features?
If clients telecommute or are setting up a branch office of a larger corporation, they probably need to use virtual private networking (VPN) features. Clients may also need Network Address Translation (NAT) when there are multiple internal computers and only one public IP address.
If customers need a subnet to support public Internet servers, I recommend using port forwarding and "hiding" the real service behind the firewall. No matter which advanced feature your clients need, they should choose a hardware firewall that supports these advanced features.
Another thing to keep in mind when dealing with telecommuters or branch offices is to always check with the company's IT department before buying anything. I can't tell you how many times I've needed to replace equipment and fix VPN settings because branch offices and telecommuters didn't check with their IT department before buying equipment.
Regardless of your clients' specific needs, using a firewall does improve security. Anything they can do to "hide" their computer systems and services from the public Internet reduces risk.
My personal preference is to always use hardware firewalls, but software programs such as ZoneAlarm are better than nothing at all. Firewalls can't prevent your computer from being taken over by a virus or worm—that's typically the job of antivirus software. Internet security is accomplished in layers. Consider a firewall system to be the first layer of your clients' security needs.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.