IDG logo

Advertise with InfoWorld

InfoQuote Careers Opinions Forums Consulting Research tools Test Center News Subscribe Search Home

Email Story




Book reviews






Monday, Oct. 25, 1999 12:01 am PT     


Window Manager |Brian Livingston


Security appliances offer users protectionduring 'always on' high-speed access


LAST WEEK, I wrote about the risks consumers face when connecting to the Internet using high-speed services, such as cable modems and Digital Subscriber Lines (DSL).


In brief, almost any Windows workstation is a security breakdown waiting to happen when it's connected to the Internet, especially with "always on" high-speed services. A wide variety of free and easily available utilities gives any curious or malicious person the ability to scan the Net for machines that might provide an amusing diversion. As I wrote last week, the WinNuke utility is one example of a program that can crash an unprotected Windows machine remotely from another point on the Internet.


Millions of small offices and home Internet users now use cable modem and DSL services, and more people are signing up every day. This may not seem to be much of a concern for larger companies with in-house security expertise. But, most corporations have employees who take work home -- and an insecure home PC can be big trouble if your documents are important.


Despite this type of threat, the providers of high-speed access seem to be marketing their services to the general public with little or no provision of basic security features. Until they do, there are some steps that can be taken to protect PCs that are "always on." After we look at a couple of these, we'll take up the question of the service providers' responsibilities again.


SonicWall is one of a growing breed of hardware devices called Internet security appliances. It's a small box, made by a company of the same name (, that defends a PC or a small to midsized LAN against a hostile outside cyberworld.


SonicWall is one of the most aggressively priced appliances, starting at around $500. The SonicWall/10 supports 10 nodes on a LAN, while other models support from 50 to an unlimited number of nodes.


This device was a recipient of the Golden Guardian award given out by Security Watch columnists Stuart McClure and Joel Scambray earlier this year. (See "The more the merrier,"


SonicWall comes preconfigured to respond to probes of your system by outsiders scanning the Net, as well as outright attacks. For example, TCP/IP environments are subject to crippling bouts called "SYN floods." A remote computer normally sends a "synchronize" (SYN) packet to another computer it wants to establish communication with on the Net. In normal cases, the receiver of the SYN responds with a synchronize-acknowledgement. The originating computer completes the handshaking process by replying with a final acknowledgement (ACK), and the two computers are set to exchange data.


In a SYN flood, the remote computer sends a wave of SYN packets to a recipient machine, but never sends any ACK packets. This can choke or crash the recipient, which waits for acknowledgements that never come.


SonicWall prevents this situation by inserting ACKs as necessary and resetting the connection if it determines that the remote session wasn't legitimate. This type of activity is logged, which can establish the fact that someone is deliberately targeting your system for sport or for more nefarious ends.


Another line of devices that provides protection for small and midsized networks is the Firebox series from WatchGuard Technologies ( These products list at $5,000 and up and offer a paid subscription to update your protection on nearly a real-time basis.


Firebox II was reviewed some time ago by Joel Scambray. (See "Firebox II beefs up security, gains some complexity," And both SonicWall and Firebox -- including Internet Devices' Fort Knox, which won an InfoWorld Product of the Year award -- were included in a Test Center comparison of firewall appliances on Dec. 12, 1998.


It's not my purpose to repeat those reviews here. I'm more interested in why telephone companies, cable TV providers, and others who are marketing high-speed Internet access to the public aren't building in security features like this as part of their service. Most installations are wide open to attack, but the ads and salespeople who sell these services say little or nothing to customers about the problems, much less provide solutions.


You shouldn't have to be a security expert to have a high-speed service installed in your home or business and be protected against widespread hacker techniques. In a future column, I'll report on my conversations with executives of service providers and what they say about the services they're selling.


If you have a story to tell, send it to me, and I'll include some of your comments in my conclusion to this series. Use "protection" as the first word of your subject line.



Missed a column? Click here for more



Brian Livingston 's latest book is Windows 98 Secrets (IDG Books). Send tips to He regrets that he cannot answer individual questions.




HP's Fiorina talks up company to financial analysts

AT&T to build $350 million global IP network for GM

Department of Commerce backs high-tech R&D program

Microsoft settlement talks to get started Tuesday

Matsushita develops thinnest lithium battery

Go to home page


Click Here to subscribe our free e-mail newsletter.


Subscribe to InfoWorld print









Copyright © 1999 InfoWorld Media Group, Inc. is a member of complies with the ASME guidelines with IDG extensions for new media.