The diagram below shows an improved setup that addresses the issues with the unsafe networking setup. Since 100% safety and security is a near impossibility, I would call this alternative a safer networking setup.
Although at first glance this setup may look a lot more complicated than the previous one, in reality it only requires two additional network switches (3) and a small computer that functions as an application proxy server (5). A good network switch nowadays can be purchased easily for under $25.00 each. The application proxy server can be set up on a machine that costs as little as $199.00. The benefits of this setup, in terms of computer network safety, far exceed the total cost of the additional equipment.
Isolated Networks
With the additional network switches and an application proxy server, your home network is now split into two separate and disconnected local area networks. Although the cable or DSL modem still provides always-on connectivity, access to the private and protected network, colored blue in the diagram, is now barricaded by the application proxy server. Similarly, computers connected to the wireless LAN, colored yellow in the diagram, can freely access the Internet as before, but cannot readily access the private and protected LAN. If you limit the use of wireless Internet access to laptop computers, chances are these computers will not be turned on all the time, and therefore will not provide an easy target that could be used to compromise the private and protected network. This setup solves the problem of exposing an always-on connection to malicious hackers and crackers.
A Dedicated Firewall and Application Proxy Server
Computers in the protected LAN access the Internet indirectly through the application proxy server. For example, when you use a protected desktop to search on Google, the desktop first asks the proxy server to connect to Google. On receiving such a request, the proxy server first verifies that you are authorized to use its services, and then creates a connection to Google on your behalf. As a result, there are two isolated network connections or "sessions": one between your desktop machine and the proxy server, and another between the proxy server and the Google server. This is considerably safer than a single, direct connection between your desktop machine and Google.
With a direct connection, the desktop machine is fully exposed to the Internet as it connects to Google. An Internet worm such as Zotob could penetrate the desktop machine using the same path that connects it to the Internet. With an indirect connection, only the proxy server, and none of the protected machines, is fully exposed. In effect, the proxy server provides a perimeter defense against unforeseen network attacks.
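The two-session behaviour described above, as an added illustration that is not part of the original article: a deliberately tiny line-based proxy written in Python. The protocol ("AUTH <token>" followed by "GET <path>"), the accepted token, and the stand-in origin server are all invented here; a real application proxy would speak HTTP. The point it demonstrates is that the proxy checks authorization before doing anything on the client's behalf, that a denied request never reaches the origin at all, and that the origin only ever sees a connection from the proxy, never from the protected desktop.

```python
import socket
import threading

# Constructed example: a minimal "application proxy" showing the two separate
# sessions (desktop -> proxy, proxy -> origin). Everything here is hypothetical.

ALLOWED_TOKENS = {"desktop-secret"}   # hypothetical credential the proxy accepts


def _listen():
    """Bind a TCP listener on loopback with an OS-chosen port; return (sock, port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen()
    return sock, sock.getsockname()[1]


def _serve(sock, handler):
    """Accept connections forever on a listening socket; one thread per client."""
    while True:
        conn, _ = sock.accept()
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def start_origin():
    """Stand-in for 'Google': answers 'GET <path>' with 'OK <path>' and records
    the source port of every peer that reached it."""
    sock, port = _listen()
    seen_peers = []

    def handle(conn):
        with conn:
            seen_peers.append(conn.getpeername()[1])
            line = conn.makefile("r").readline().strip()
            if line.startswith("GET "):
                conn.sendall(("OK " + line[4:] + "\n").encode())
            else:
                conn.sendall(b"ERROR\n")

    threading.Thread(target=_serve, args=(sock, handle), daemon=True).start()
    return port, seen_peers


def start_proxy(origin_port):
    """Application proxy: authenticate the client first, then open a second,
    independent connection to the origin. The client never talks to the origin."""
    sock, port = _listen()

    def handle(conn):
        with conn:
            reader = conn.makefile("r")
            auth = reader.readline().strip()
            # Step 1: refuse before any work is done on the client's behalf.
            if not (auth.startswith("AUTH ") and auth[5:] in ALLOWED_TOKENS):
                conn.sendall(b"DENIED\n")
                return                     # origin is never contacted
            request = reader.readline().strip()
            # Step 2: the second session, proxy -> origin; the origin sees the
            # proxy's address, not the desktop's.
            with socket.create_connection(("127.0.0.1", origin_port)) as upstream:
                upstream.sendall((request + "\n").encode())
                reply = upstream.makefile("r").readline()
            conn.sendall(reply.encode())

    threading.Thread(target=_serve, args=(sock, handle), daemon=True).start()
    return port


def client_request(proxy_port, token, path):
    """A 'protected desktop' asking the proxy to fetch a path for it."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(f"AUTH {token}\nGET {path}\n".encode())
        return s.makefile("r").readline().strip()


def demo():
    """Run one authorized and one unauthorized request through the proxy."""
    origin_port, seen_peers = start_origin()
    proxy_port = start_proxy(origin_port)
    ok = client_request(proxy_port, "desktop-secret", "/search?q=firewall")
    denied = client_request(proxy_port, "wrong-token", "/search?q=firewall")
    # Only the authorized request produced a proxy -> origin connection.
    return {"authorized": ok, "unauthorized": denied,
            "origin_connections": len(seen_peers)}


if __name__ == "__main__":
    print(demo())
    # {'authorized': 'OK /search?q=firewall', 'unauthorized': 'DENIED', 'origin_connections': 1}
```

Note the ordering inside the proxy's handler: the authorization check happens before the upstream socket is even created, so an unauthenticated caller cannot cause the proxy to open connections outward. That is the property a home proxy needs most, since the proxy is the one box that remains fully exposed.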
While this setup moves the vulnerability away from the machines in the protected network, it also means that the proxy server bears the responsibility of absorbing network attacks, and must itself be protected from being compromised. This can be addressed by "hardening" the proxy server and by using well-known techniques such as booting the proxy server entirely from a read-only medium, so that it is much more difficult for a malicious hacker to compromise the proxy server itself.
How About TiVo, Squeezebox, and Other Appliances?
In this setup, the firewall in the application proxy server protects everything in the private network, including appliances that may not have good built-in protection but house private data that you don't want stolen or destroyed by malicious hackers. Although you still won't be able to install your favorite firewall software on these appliances, you can now install it on the proxy server. In the end, you've achieved the objective of protecting these network appliances by using the firewall software on the proxy server.
I Want My Proxy Server!!! How can I get one?
If money is no object, you can buy a dedicated firewall and application proxy server from well-known networking vendors like Cisco, Juniper Networks, and others. They tend to be expensive, and may require much familiarity with the vendors' technologies to operate and maintain. For a small business, this may not be a bad option, depending on the budget available. For a homeowner trying to protect his or her home network, this option is probably overkill.
In my next article, I will provide a recipe for building a dedicated firewall and application proxy server, so you can keep the cost of protecting your home and small business computer network low and have a much safer computing environment at the same time. ♦
Copyright © Julian I. Kamil — All Rights Reserved
About the Author: Julian is a technologist and a computer systems architect who moved to Dominion Valley about two years ago. He is running a small business that provides services to other small businesses in the Haymarket area including website design and development and computer networking consultation, setup, and maintenance. You can reach him by email at: julian.kamil@gmail.com
Comments and Questions: Please send comments and questions about this article to: feedback@marketine.com.