Detailed Information

Firewalls in Depth      -       What is a firewall?

A firewall is a system designed to reinforce the Security of the data flowing between two Networks, the Internal Network and the outside Network.

The term "firewall" comes from methods used to separate combustible from non-combustible areas. An automobile has a firewall separating engine compartment from passengers. A duplex house has a strong firewall protecting one housing unit from the other housing unit's fire risk.

There are several ways to accomplish this but most computer firewalls use two or more of the following methods as none of them alone provides adequate security.

For the Home PC User, there are two common firewalls used: Software and Hardware Firewalls  

Hardware Firewalls

Hardware firewalls are external devices are positioned between your computer or network and your cable or DSL modem. They provide high lever of protection, and are usually used for protecting multiple computers. Many home users install a hardware router, which usually have built in firewall features. The cost has come way down so that they are an excellent investment and can include wireless connectivity.

A Linksys Network Address Translation (NAT) Hardware Router

These are simpler to use than software firewalls and they don't have any performance impact on their computer. They provide a physical layer of security between your PC(s) and your Internet connection and hide computer IP addresses from being seen and detected by Internet probing activities. The other advantage of a hardware firewall is if you happen to install some sort of malware on your system, it cannot take out your hardware firewall. Some malware can disable anti-virus programs and software firewalls but not hardware firewalls. But the hardware firewall does not filter specific applications – just ports being used and certain types of data packets.

Routers with NAT provide a basic firewall as a by-product of the way they handle Internet traffic. Network Address Translation (NAT) allows a single device, such as a router, to act as an agent between the Internet (or "public network") and a local (or "private") network. This means that only a single, unique IP address is required to represent an entire group of computers, reducing the number of IP addresses required by the world. NAT also only allows connections that originate inside the stub domain. Essentially, this means that a computer on an external network cannot connect to your computer unless your computer has initiated the contact. You can browse the Internet and connect to a site, and even download a file; but somebody else cannot latch onto your IP address and use it to connect to a port on your computer.

Some NAT routers provide for extensive filtering and traffic logging. Filtering allows you to control what type of sites a computer is allowed to visit on the Web, preventing them from viewing questionable material. You can use traffic logging to create a log file of what sites are visited and generate various reports from it.

In summary, using Network Address Translation (NAT) and Dynamic Host Control Protocol (DHCP), a router distributes private IP addresses to PCs on the network, thereby hiding them from outside computers, which see only the IP number of the router itself. Routers open ports to the Internet only if you set them to open or if the PCs on the network request data (in retrieving a Web page, for example). In tests, routers easily withstood assaults from port-scanning tools, which hackers use to find vulnerable targets. Since no system on the network had requested the data packets, the routers simply dropped them. On a router we can open select ports and assign them to the IP addresses of specific PCs. Known as port forwarding, this process lets you run servers for online games or Web sites without exposing other PCs on the network.

Even if you do not have a home network - if you have a fast, broadband connection – you should purchase a hardware router with built-in firewall.

At home, you could use the Internet Connection Sharing (ICS) feature within XP, which allows a user to connect one PC to the Internet and then share that connection with the rest of the computers within his home or small office network. While it was generally a good idea when it was conceived, if you have a high speed connection - a real router is faster, easier to configure, and more secure. Some routers will also provide wireless capabilities to support Wi-Fi units, and a 4- to 8-port switch for connecting PCs into a local area network via Ethernet. The wireless access point can be disabled if you don't have any wireless-capable devices.

Software Firewalls

A Software Firewall are an application installed on your computer that may be just a firewall or combined as a  suite with other features like ad blocking, content control or antivirus. Windows XP (SP1 and SP2) comes with a built-in firewall that provides inbound protection only. Software firewalls allow users to control incoming traffic (inbound protection) and outgoing (outbound protection). Filtering outgoing traffic, meaning which application can (not) have Internet access, is one of the main reasons to install a firewall program, even if you have a hardware firewall.

ZoneAlarm's Triple Defense Firewall provides:  

1. Application protection protects your programs and operating system from malware corruption.

2. Operating System protection guards down to the kernel to protect the operating system - including the registry and file systems - from attack by malicious programs.

3. Network Layer protection offers a stealth firewall that does not have a presence on the network it is protecting and it makes it more difficult for the hacker to determine which firewall product is being used and their versions and to ascertain the topology of the network.

How Do Firewalls Work?

A firewall has the basic task of controlling traffic between different zones of trust. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust). The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle.

A network layer firewall works as a packet filter by deciding what packets will pass the firewall according to rules defined by the administrator. Filtering rules can act on the basis of source and destination address and on ports, in addition to whatever higher-level network protocols the packet contains. Network layer firewalls tend to operate very fast, and transparently to users.

Network layer firewalls generally fall into two sub-categories, stateful and non-stateful. Stateful firewalls hold some information on the state of connections (for example: established or not, initiation, handshaking, data or breaking down the connection) as part of their rules (e.g. only host inside the firewall can establish connections on a certain port).

Stateless firewalls have packet-filtering capabilities but cannot make more complex decisions on what stage communications between host have reached. Stateless firewalls therefore offer less security. Stateless firewalls somewhat resemble a router in their ability to filter packets.

A stateful firewall is a firewall that keeps track of the state of network connections (such as TCP streams) traveling across it. The firewall is programmed to know what legitimate packets are for different types of connections. Only packets which match a known connection state will be allowed by the firewall; others will be rejected.

FTP, among other protocols, needs to be able to open connections to arbitrary high ports to function properly. Since the firewall has no way of knowing that the packet destined to the protected network, like to some host computer's port 4970, is part of a legitimate FTP session, it will drop the packet. Stateful firewalls solve this problem, by maintaining a table of open connections and intelligently associating new connection requests with existing, legitimate connections.

A stateful firewall is able to hold in memory significant attributes of each connection, from start to finish. These attributes, which are collectively known as the state of the connection, may include such details the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing the connection. The most CPU intensive checking is performed at the time of setup of the connection. All packets after that (for that session) are processed rapidly because it is simple and fast to determine whether it belongs to an existing, pre-screened session. Once the session has ended, its entry in the state-table is discarded.

With the traditional stateless firewalls the firewall had no way of knowing which packets belonged to existing connections and which didn't. Stateful firewalls solve this problem by monitoring network connections and matching any packets they inspect to existing or new connections. Therefore, they offer more fine grained control over network traffic.

Vulnerabilities of Software Firewalls:

A vulnerability of software firewalls is that they can be shutdown by users, stalled or terminated by other software on the PC malfunctioning, and certain viruses and Trojans disable them or shut them down. If your software firewall can have a password set to protect against tampering, use it!

Software firewalls are “permissions-based” and can affect the performance of your computer. For instance, printing on a home network might have all printing processing from other users also go through the firewall, unnecessarily.

Another vulnerability of software firewalls are that at installation, an initial configuration is performed to grant known/safe Internet-using applications the right to pass through the firewall. As you use your applications and add new ones, the user adjusts the rules further. The weakness here is that you or other family members sometimes have a hard time understanding what is being asked and you may allow permission when you shouldn’t. This is the biggest risk in using software permissions-based firewalls – especially with multiple users at differing technical levels in the home using the same computer. You can look at the configuration logs as an audit, but this is after the fact, after the application was allowed permission to do its thing. Potentially dangerous holes are allowed through our firewall unless you strictly follow the strategy to block everything unless you are absolutely sure what it is. Patience is of great importance here! Better software firewalls may use stateful packet inspection, (filtering in context of previous activity.)

On the other hand, while external hardware firewalls and NAT routers don't know exactly what is going on inside your computer, they are simple devices that are much less likely to have problems that cause them to fail dangerously. Using both software and hardware firewalls together offer excellent protection.

Software firewalls are of two types:

1. Non rule-based - are easier to install and configure
2. Rule-Based - are more flexible

Rule-Based firewalls on the other hand, like Norton Personal Firewall, offer you the ability to not only control what applications and services are granted access, but through what ports and what direction (in, out or both).

For the Corporate Office, “industrial strength” Firewalls use one or more of the following methods:

1. Packet Filtering:

Works at the Internet protocol layer and enables you to accept, reject or drop packets based on IP Address, Ports or Protocols. Packet filters perform these duties based on a set of configurable rules called Policies. Packet filtering is the original and the most basic type of fire walling and most routers provide packet filtering. Disadvantages of packet filtering however are:

a) Address information on a packet can potentially be spoofed or falsified.

b) The data contained in allowed packets can't be checked so they ultimately may contain exploits.

c) Packet filters can't provide application level or user level authentication.

d) Once a particular protocol is allowed to pass, external host can establish a direct connection to host on the Internal Network using that protocol. It could therefore expose the private Network configuration to everyone outside of the Network and reduce Network security.

The advantage of Packet filters is that they are very fast and transparent to users.

2. Circuit Relay (Circuit Level Gateways):

In this approach the firewall validates connections before allowing data to be exchanged. In other words the firewall doesn't simply allow or disallow packets but also determines whether the connection between both ends is valid according to configurable rules. Once validated the connection is allowed only from the valid source and perhaps for a limited time. It can be configured based on source and destination ports or IP addresses, time of day, protocol, user and password. In this method each session is validated however once the session is established the flow of data is not monitored.

Circuit level filtering is considered to be one step further than packet filtering and it makes up for shortcomings of exploitable UDP protocol wherein the source address is never verified due to the nature of the UDP protocol. It also makes IP spoofing more difficult.

The disadvantage of Circuit relay is the lack of application protocol checking. For example, if two cooperating users use an approved port number to run an unauthorized application, a circuit relay will not detect the violation.

3. Hybrids (i.e. Stateful Inspection):

Due to weaknesses in packet filtering, some firewall vendors have introduced hybrid solutions. One of the more successful Hybrids (Stateful Inspection) provides access control at the Network layer by inspecting the content of incoming packets based on complex filters. However more sophisticated techniques such as user authentication are not possible. A "stateful" firewall remembers the context of connections and continuously updates this state information in dynamic connection tables.

4. Application Gateway:

This method goes one step further. The Application Gateway acts as a Proxy for all applications and performs the data exchange with remote systems on their behalf and effectively makes the host behind the firewall invisible to the outside world. The advantages of this method are numerous. For example:

• The firewall verifies that the application data is of a format that is expected, and can filter out any known security holes.
• The Application Gateway can allow certain commands to the server but not others, limit file access, authenticate users as well as performing regular packet filtering duties.
• Fine-grained control of connections is possible, including filtering based on the user who originated the connection and the commands or operations that will be executed. It can provide detailed logs of all traffic and monitor events on the Host system.
• The firewall can be set up to trigger real time alarms when it detects events that are regarded as potentially Suspicious or hostile

Application level gateways are considered by far the most secure type of firewalls especially when running services (www, FTP, Telnet, etc...) on your Network.

Disadvantages of Application Gateways are:

a) Loss of transparency to applications and slower response time.

b) Each application requires a unique program or proxy, making the process resource intensive.

About Protocols, Network Layers and Packets:

See: http://en.wikipedia.org/wiki/OSI_seven-layer_model and a James Bond analogy at: http://www.lewistech.com/rlewis/Resources/james.aspx]

Highly recommended: Linksys Wireless Router - WRT54GS  or newer model

Editor’s Choice PC Magazine Online  5/18/04 : “Linksys routers have received good grades from us before, and with its improved interface, superior parental controls, and strong throughput performance, the WRT54GS gets our Editors' Choice award in the 802.11g category. The added S in the model name stands for Speedbooster—a performance-enhancing technology. We really like the WRT54GS's intuitive interface, which makes setup very easy. The product also provides by far the best set of parental controls for enforcing safe Web-browsing for those using your network. Though we are exceedingly impressed with the throughput performance of the D-Link DI-624 on one of our tests, the Linksys WRT54GS was simply the most well-rounded product of the bunch.”

Details and Configuring the Linksys WRT54GS Wireless-G Broadband Router:

Editors' rating:7.0 Good

User rating:6.7 Fair (from 120 users)

• The good: Fast mixed-mode speeds; removable antennas; easy to set up; VPN pass-through.
• The bad: No mounting bracket; slower enhanced speeds than those of routers from D-Link and Netgear.
• What's it for:Networks multiple computers and allows them to share a single Internet connection.
• Who's it for:The Linksys WRT54GS is well suited for families and small businesses with multiple computers.
• Business use:Lets you share files and printers and back up data to a remote computer.
• Essential extras:You need the Linksys WPC54GS to connect to your enhanced network.
• The bottom line:The Linksys WRT54GS is especially well suited for networks with both 802.11g and 802.11b connections.

Features and security

Although the Linksys WRT54GS Wireless-G Broadband Router with SpeedBooster is easy to set up, you'll find a number of advanced features and configuration options under the hood. The Linksys WRT54GS's browser-based configuration tool gives you access to the router's networking and security settings, such as DHCP server and client settings, firewall settings, and wireless encryption settings. The router also comes with two types of firewalls. One is a Stateful Packet Inspection (SPI) firewall that makes sure packets are part of a legitimate connection; the other is a NAT firewall that effectively hides computers behind the router. You can lock your network down even tighter by configuring the router to block services such as FTP and Telnet. A DMZ function located on the configuration tool's Applications and Gaming tab lets you place one computer outside the firewall, which can be useful for Internet gaming and videoconferencing. The Linksys WRT54GS also lets you set up access-control policies that grant Internet access to specific computers on your network at predetermined times of day and days of the week. If you telecommute, the router's VPN pass-through support will help get you to work.

The Linksys WRT54GS router also has good wireless security. You can configure it to use WEP or WPA. WPA is stronger than WEP, but it's important to have both options, because you may want to connect to older 802.11b devices that lack WPA support. We also like that you can turn off the beacon on the WRT54GS's integrated 802.11g access point. This helps protect you from uninvited guests by stopping the access point from advertising its presence to the world.

The Linksys WRT54GS router comes with removable antennas, giving you the option of attaching high-gain antennas to the unit to increase its range. Our only gripe was that the router lacks a mounting bracket.

Performance

The Linksys WRT54GS Wireless-G Broadband Router with SpeedBooster is one of a growing number of wireless routers touting proprietary speed enhancements. Like the D-Link DI-624 and the Netgear WGT624, the WRT54GS SpeedBooster router includes a technology (in this case, Broadcom's Afterburner) that substantially increases wireless network performance. The enhancements kick in only if all the devices on the network are playing by the same proprietary rules; otherwise, the device scales down to standard 802.11g speeds. We think that this limitation makes the SpeedBooster enhancement (and similar Turbo or Super-G offerings from vendors such as D-Link and Netgear) more of a marketing gimmick than a significant feature.

Proprietary solutions depend on networks molded out of homogenous gear, limiting your purchase choices and tying you to a single vendor. On the other hand, the Linksys WRT54GS Wireless-G Broadband Router with SpeedBooster does a fine job supporting standards-based equipment from other vendors, even older 802.11b gear. In CNET Labs' mixed-mode tests, which measure throughput when both 802.11g and 802.11b transmissions occur simultaneously, the WRT54GS delivered the fastest speeds we've seen, clocking in at 25.8Mbps. The Linksys also went the distance, stretching as far as 200 feet in our range tests.

PC Mag Tests:   7/9/04

With its superior performance, myriad features, superb documentation, and very intuitive installation wizards, the Linksys Wireless-G WRT54GS bested all the other routers in the 802.11g roundup. Speedbooster, Linksys's name for Afterburner (Broadcom's specification-compliant enhancement technology), accounts for the product's top performance.

Service and support

The Linksys WRT54GS Wireless-G Broadband Router with SpeedBooster has a respectable three-year warranty that falls short of Belkin's lifetime policy but is on a par with the warranties of other networking vendors. You also get toll-free 24/7 support for the lifetime of the product. In addition, Linksys has one of the best online support offerings in the business, with product-specific setup guidelines, FAQs, troubleshooting solutions, drivers, firmware, live chat with support staff, and a copious knowledge base that contains how-to information for the WRT54GS's setup and configuration as well as problem fixes for a number of common networking issues.

Linksys offers all the latest security protocols, though we wish it had a slightly more assertive approach in establishing a secure wireless network without requiring much user input or knowledge. The Parental Control Service is unmatched (30-day free trial, then $39.95 for one year). You can configure user profiles with time-of-day access restrictions and 16 content categories tailored to users' needs. In addition, e-mail and content filtering make this a truly versatile system for parental supervision.

Linksys WPC54GS WIRELESS-G Notebook Adapter   $67 A Matter of Fax

Ebay $43 plus $10  Spring 2005

Combat security threats such as war driving, jamming, hijacking, and man-in-the-middle attacks

Implement security and controls such as MAC (Media Access Control) and protocol filtering, WEP (Wireless Equivalent Privacy), WPA, (Wi-Fi Protected Access), EAP (Extensible Authentication Protocol), and VPN (Virtual Private Network)

Important Information for Wireless Products

Linksys wants to make wireless networking as safe and easy for you as possible. So, please keep the following points in mind whenever setting up or using your wireless network.

1. Performance

The actual performance of your wireless network depends on a number of factors, including:

In an Infrastructure environment, your distance from the access point. As you get farther away, the transmission speed will decrease.

Structural interference. The shape of your building or structure, the type of construction, and the building materials used may have an adverse impact on signal quality and speed.

The placement and orientation of the wireless devices.

2. Interference

Any device operating in the 2.4 GHz spectrum may cause network interference with a 802.11b wireless device. Some devices that may prove troublesome include 2.4 GHz cordless phones, microwave ovens, adjacent public hotspots, and neighboring 802.11b wireless LANs.

3. Security

The current generation of Linksys products provide several network security features, but they require specific action on your part for implementation.

While the following is a complete list, steps A through E should, at least, be followed:

• Change the default SSID.
• Disable SSID Broadcasts.
• Change the default password for the Administrator account.
• Enable MAC Address Filtering.
• Change the SSID periodically.
• Enable WEP 128-bit Encryption. Please note that this will reduce your network performance.
• Change the WEP encryption keys periodically.

 For information on implementing these security features, please refer to the User Guide.

4. Security Threats Facing Wireless Networks

Wireless networks are easy to find. Hackers know that in order to join a wireless network, wireless networking products first listen for  "beacon messages".   These messages are unencrypted and contain much of the network’s information, such as the network’s SSID (Service Set Identifier) and the IP Address of the network PC or access point. One result of this, seen in many large cities and business districts, is called “War chalking”. This is one of the terms used for hackers looking to access free bandwidth and free Internet access through your wireless network. Here are the steps you can take:

 Change the administrator’s password regularly.  With every wireless networking device you use, keep in mind that network settings (SSID, WEP keys, etc.) are stored in its firmware. Your network administrator is the only person who can change network settings. If a hacker gets a hold of the administrator’s password, he, too, can change those settings. So, make it harder for a hacker to get that information. Change the administrator’s password regularly.

SSID There are several things to keep in mind about the SSID:

• Disable Broadcast

• Make it unique
• Change it often

Most wireless networking devices will give you the option of broadcasting the SSID. While this option may be more convenient, it allows anyone to log into your wireless network. This includes hackers. So, don’t broadcast the SSID.

Wireless networking products come with a default SSID set by the factory. (The Linksys default SSID is “linksys”.) Hackers know these defaults and can check these against your network. Change your SSID to something unique and not something related to your company or the networking products you use.

Change your SSID regularly so that any hackers who have gained access to your wireless network will have start from the beginning in trying to break in.

MAC Addresses. Enable MAC Address filtering. MAC Address filtering will allow you to provide access to only those wireless nodes with certain MAC Addresses. This makes it harder for a hacker to access your network with a random MAC Address.

WEP Encryption. Wired Equivalent Privacy (WEP) is often looked upon as a panacea for wireless security concerns. This is overstating WEP’s ability. Again, this can only provide enough security to make a hacker’s job more difficult.

There are several ways that WEP can be maximized:

• Use the highest level of encryption possible
• Use a “Shared” Key
• Use multiple WEP keys
• Change your WEP key regularly

Implementing encryption will have a negative impact on your network’s performance. If you are transmitting sensitive data over your network, encryption should be used.

These security recommendations should help keep your mind at ease while you are enjoying the most flexible and convenient technology Linksys has to offer.

User Forum Notes: Securing Wireless-G Router WRT54GS

Hello, This is my first post, sorry for the details, just some facts for my question. Basically, I want to tighten security on my new linksys Wireless-G wrt54gs.

I have the following:

- linksys Cable Modem BEFCMU10, Firmware 1.1.2.0.3

- linksys Wireless-G Router wrt54gs, Firmware 2.07.1

- linksys Wireless-G USB Adapter WUSB54G

I also have a HP psc 2510 wireless printer and have Norton Internet Security.

The installation went smooth with everything; Cable Modem, Router, 1 desktop hardwired into Router, 4 desktops with wireless adapters, 1 HP psc 2510 wireless printer and each computer has Norton Internet Security 2005. The desktops are Windows XP Professional with SP-2.

I have done the following for security:

- Changed the Router default password

- Set DHCP from default (I think it was 50) to 5. I have 5 desktops, printer is static IP

- Enabled Wireless MAC Filter “Permit Only” my MAC addresses

- Set WEP to 64 Bit

- On the desktops, I set WEP 64 Bit 10 hex:

Preferred Networks

Properties

Wireless Network Key

Network Authentication: Open

Data Encryption: WEP

Entered the Network Key

Unchecked “The key is provided for me automatically”

Finally, my 2 questions:

- When I set WEP to 128 Bit 26 Hex, there is a considerable slowness, any way to increase the speed with 128?

- When I disable SSID, my farthest wireless desktop, 52’ feet away can’t connect, I tried the linksys Wireless-G Range Expander WRE54G, but, this will not use WEP. Other than moving the desktop closer or hardwiring down the hall, any ways to disable SSID and have this connect?

Thanks. Any other security procedures are welcome. Thanks.

---------------

Since disabling SSID doesn't buy you anything with regards to security I'd leave it on.

WEP shouldn't be slow on the wrt54gs - it wasn't slow on mine when I was playing with it. Use WPA-PSK if all of your devices support it. Otherwise you should use 128 bit WEP. Perhaps some else has an idea why you see slowness with 128 bit wep.

---------------

Thank You.I called linksys and HP, HP was clueless, linksys said they have seen this before with Wireless Network Mode "Mixed". Sorry, I did not mention this before. The HP psc 2510 will not run "G Only" Mode, I had to set the Router to Mixed, but, that has to be a linksys thing with linksys 128 Slower in Mixed Mode.

You seem to have a good understanding of SSID, why is this not a security issue leaving it on?

---------------

My wrt54gs V1.0 says 2.0 hardware too in sysinfo.htm (like your V1.1). The linksys guys forgot to update this from the wrt54g v2, and left this page outdated.

You probably don't want a wrt54gs V2.0 (or WRT54G V1.0) anyway for the moment, as no 3rd party firmware supports it's hardware (until linksys will release a source).

The default power setting of the WRT54G and wrt54gs is 28 mw or 17 dBm.

WallWatcher - a very useful program to read the firewall log, freeware, runs as a SNMP server and collects events from the router as they happen:

·        provides filtering, immediate alerts, emailed alerts, historical analysis, summaries, and charts

·        filters let you choose what data and time periods to log, display, analyze, and chart

·        alerts offer real-time visual and audible signals of possible intrusion attempts

·        historical analysis helps you find patterns of recent intrusion attempts

·        summaries condense log histories for easier review

·        user-selectable charts let you spot patterns of suspicious activities

Subscribe to the DESKTOP SECURITY AUDIT – a service that provides detailed testing service, continually updated, with reports – to test your firewall port security. $9.95 per year subscription - https://secure1.securityspace.com…

• More on firewalls, see: http://www.pcworld.com/reviews/article/0,aid,115939,pg,2,00.asp
• and: http://www.pcworld.com/news/article/0,aid,117557,00.asp
• More: http://www.firewallguide.com/wireless.htm and http://www.wi-fiplanet.com
• The following chart shows reader ratings for routers in PC Magazine online, 12/01/04 issue: http://www.pcmag.com/article2/0,1759,1733165,00.asp

• Here is help with configuring Windows XP firewall ports for common program access to Internet: http://www.microsoft.com/athome/security/protect/ports...
• Software Firewalls - False Security - http://download.smoothwall.net/pdf/white.personal-firewalls.pdf
• Broadband: Always On - Always a Target - http://download.smoothwall.net/pdf/white.alwayson.pdf
• The Differences and Features of Hardware & Software Firewalls:http://www.webopedia.com/DidYouKnow...
• Firewall Debate: Hardware vs. Software: http://www.smallbusinesscomputing.com/webmaster/article...
• Microsoft firewall dispels myth of hardware superiority: http://searchwin2000.techtarget.com/originalContent/...
• Router reviews: http://www.firewallguide.com/hardware.htm
• http://www.more.net/technical/netserv/tcpip/firewalls/ - an introduction to firewalls