Wikipedia:Reference desk/Archives/Computing/2017 May 23

Computing desk
< May 22	<< Apr | May | Jun >>	May 24 >

Welcome to the Wikipedia Computing Reference Desk Archives
The page you are currently viewing is an archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages.

May 23

Thinking about hardware firewall

This latest talk about the ransom ware scared me to death. I am thinking about purchasing a hardware firewall. I checked Amazon.com and found that there are varieties. Some of them got bad reviews, like no tech support, upgrades only by subscription with additional fees, etc. I can afford a piece of electronics up to about a grand and a half but I definitely want to study the issue in depth before I committed even a couple of hundred dollars. I wonder if anybody could comment on the issue and recommend a model? Additional description as to how the model works would be appreciated as well. Thanks, - --AboutFace 22 (talk) 00:57, 23 May 2017 (UTC)

Sounds to me like you are over-reacting. Worst-case scenario, you need to wipe your hard disk and reinstall. Just make sure you have a backup of everything, stored elsewhere. Also, I recommend you have an offline computer, you use for things like balancing your bank statement, that has no connection with the outside world. An old, obsolete PC is a good choice for this. StuRat (talk) 01:00, 23 May 2017 (UTC)

• Firewalls need to be managed, as an on-going investment in IT infrastructure. They can have vulnerabilities themselves. They can require new facilities provided in the future. This might be as simple as some new must-have app, like a 3D Skype version with added smell, that used a new series of TCP ports and so required them to be opened up. For any "fit and forget" box, I would be wary of trusting it long term.

Most such boxes are internally just simply computers (often fairly vanilla Linux) with multiple network ports. To provide the hardware for such, you can buy "a box" or you can use an existing PC running a suitable unix distro. The important need is to have it configured correctly, then managed in a small, but on-going, fashion by a competent network admin. Although there are businesses managing such boxes remotely (so that the "packaged box" solution can have a secure long-term future), I don't see the packaged box as having too much of an advantage over a PC that is more obviously a PC.

You can also do much of this through a good broadband router, without needing a second box of different type. There is a large jump in performance and features from the £50 domestic routers to the £200 small office routers. You can also use such a router (they're available cheaply S/H as people upgrade their outermost DSL modem to support the new vDSL protocol and allow a FTTC fibre broadband connection) as a pure router (not using its DSL modem) within your network.

There are many hardware options. But look at the human aspects of having it correctly managed first - who's going to do that, and what do they recommend? Andy Dingley (talk) 07:43, 23 May 2017 (UTC)

• I am not sure a "hardware firewall" is what you expect it to be. In the context of computers, a firewall is a "something" that blocks network connections depending on a certain set of rules. Unless those rules are extremely simple (a gap of air will refuse all connections, after all), you cannot have a hardware-level, no-software firewall.

Andy described above what is sold as "hardware firewall": basically a stripped-down computer that takes care only of the network rules. It should be less vulnerable to exploits because of the reduced attack surface, but that is it. It would have offered little protection against the recent ransomware episode, which did not exploit (as far as we know) any vulnerability in the firewall itself.

The only very small advantage I can see (in that context) is if you have particularly stringent firewall rules in place e.g. to deny any connection to non-authorized websites, but that is probably not the case (for instance, this prevents casual web surfing; if your browser can use port 80 to visit any URL, in particular it can visit evilmalware.com, and so can the malware - the computer firewall even has an edge here, because it can know which program attempted the connection). If your computer gets infected by a malware installer which tries to reset firewall rules to download the payload, the malware will have a harder time with an external firewall. But I am not sure this scenario ever happened. Tigraan^{Click here to contact me} 08:55, 23 May 2017 (UTC)

• You're better off dealing with the problem at your computer end. Have a means of backup that is disconnected or not visible between backups, that'll protect your data from being destroyed. If you are responsible for a lot of money have a separate computer dedicated to that job and do not use it for any email at all or for any website except those necessary for the purpose. And don't use any passwords from it on your general use PC. With something like that you will be by far the weakest link not the software, so if a friend sounds odd or sends you something strange or that requires you to click 'accept' or 'ok' ask yourself if it really is them or do you really want to accept a potential virus. And in the case you're worried about they didn't do the basics of keeping the OS up to date and having an antivrus. Dmcq (talk) 09:14, 23 May 2017 (UTC)

Thank you very much. A lot of important information that I really need. Yes, at this point all I do is backups and probably should continue to do them. Thank you. - --AboutFace 22 (talk) 13:40, 23 May 2017 (UTC)

• I know I'm late to the party, but I agree with all of the advice given here. A firewall box really isn't going to increase your security that much, and it requires a much larger investment of time and effort. Unless you're running a server room that looks like a goldmine to hackers and virus makers, you're not going to see any real benefit from it. ᛗᛁᛟᛚᚾᛁᚱPants Tell me all about it. 14:08, 23 May 2017 (UTC)

  Well, a thousand low-computing power units with ridiculously low security can be a more attractive target than a super-secure "goldmine" server room, see Mirai (malware).The Mirai botnet was used for its DDoS capabilities, not its computing power, but the point still stands. So while the particular value of cracking the OP's devices is too low to justify the effort, if an exploit against it can be scaled up to many more targets, it could very well happen. But it is by no means obvious that the home router is more vulnerable to any attack than the firewall box, so the gain in that particular scenario is dubious. Tigraan^{Click here to contact me} 16:01, 23 May 2017 (UTC)

Good point. Replace "a server room" with "something" and my point still stands.

But it is by no means obvious that the home router is more vulnerable to any attack than the firewall box, so the gain in that particular scenario is dubious. If he's running something that looks like a goldmine to hackers, I would absolutely recommend a dedicated firewall box. Of course, I'd also recommend a lot of other things (like a well paid, full-time security professional to manage the box and other security infrastructure), without which the firewall box is almost completely pointless. ᛗᛁᛟᛚᚾᛁᚱPants Tell me all about it. 16:14, 23 May 2017 (UTC)

Largely because people occasionally hire me to secure their networks, I make it a point to make my own computers secure. (I have systems running Windows, Android, BSS, Linux, and macOS and randomly switch from one to the other, because I don't know what a future customer might be running.) In the past, I connected everything directly to the Internet, using firewall software that ran on the systems themselves. I was always able to honestly say that I have never, every detected any malware or visus on my systems (and I have used every popular antivirus tool, again because I don't know what a future customer might be running.)

Then came the fateful day that I discovered that it was impossible to install Windows 2000 and apply the security updates available only on the Microsoft website without the PC becoming infected before I could finish installing the updates. At that time I added what is commonly called a "hardware firewall" but is actually a separate computer wthe two Ethernet connections running dedicated firewall software. Now I could complete the install and apply the security updates without becoming infected.

Thankfully, Microsoft fixed that particular problem, but I still recommend a separate firewall for any business running more than a handful of PCs.

Here is an onlline utility that tests your firewall to see how well it is protecting you: [ https://www.grc.com/x/ne.dll?bh0bkyd2 ] --Guy Macon (talk) 17:59, 23 May 2017 (UTC)

Thank you all again for your insights. In a bizarre twist I started thinking about writing my own stateful firewall. You see I already picked up some strange terms for the start. I can write C,C++,C#, FORTRAN codes. I am very proficient in all those languages, however I don't understand how such a firewall should work. All descriptions I've read so far are too vague. Is it doable? Thank you all again. --AboutFace 22 (talk) 19:43, 23 May 2017 (UTC)

That is a really, really bad idea. Anyone can write a security system that they themselves cannot defeat. Just get an old PC and run Smoothwall on it. --Guy Macon (talk) 03:05, 24 May 2017 (UTC)

@Guy Maçon, thank you but you should indent your paragraphs. It is a rule in here. --AboutFace 22 (talk) 19:45, 23 May 2017 (UTC)

No it isn't. Indentation signifies a reply to another comment. My comment was a standalone comment about the topic in the section heading. --Guy Macon (talk) 03:05, 24 May 2017 (UTC)

• Rule #1 of Infosec: If you're not an expert in it, you're not competent to do it yourself. Even (maybe especially) if you're really really smart.

I once wrote a program that used a series of one time pads to encrypt and decrypt data, thinking that since OTP's are theoretically unbreakable, that would make the ensuing ciphertext unbreakable. Makes sense, right? And they were: I submitted them to a cryptography forum and asked people to decrypt them, and they couldn't. Since my pads were random, each byte in the cyphertext was stochastic, with a stochastic relationship to every other byte. But every single person who tried knew I used OTPs to encrypt the data, and they all asked me about my method. So I described my method without giving away any of my pads, and uploaded a copy of the executable so they could see it in action.

Ten minutes later somebody posted the plaintext of the cypher I had submitted. Because all he had to do was run the program and watch memory for strings (the pads), then try each pad until it worked. My 'uncrackable' encryption turned out to be only 30 seconds of work for a competent attacker, because -being an amateur- it didn't occur to me that there were angles of attack other than pure cryptography.

So lets say you build a firewall to use on a server on a VPN. You want to be ultra-strict with it, so what you do is configure it only to let devices with a MAC address that appears on a list connect. It's awesome! It's impervious to attack, because no-one but the specified computers can connect! Then you're editing WP one day and come across MAC spoofing. Oops. So you do some research, and decide to add IP filtering to that. It works great! Now no-one can spoof their way on. Then a few hours later, one of the remote computers can't connect. Why? Well, because they have a Dynamic IP address, which has just changed.

So you permit IP ranges. Now you're covered! Right up until one of the authorized laptops gets taken over by a hacker while its owner is surfing the web at a coffee shop and used to run a buffer overflow that lets them into the configuration tool for your firewall, at which point they promptly dump ransomware on every machine on the network.

So you discover a flaw in the ransomware (the private key is hardcoded into the executable! Yay!) and fix it. Only to find a year later that, while you were infected, the ransomware installed a hidden copy of VNC on all your machines and has been using them to DDOS US government institutions, who are now quite unhappy about what your network has been doing. And so on, and so forth.

You, as an amateur security programmer can be wickedly smart, cunning and downright devious. You can have as much knowledge as a guy with a fresh Infosec degree about the subject. Yet none of that matters, because someone who's aware of some obscure little vulnerability that you've never even heard of can still own your network the moment they try it. So as Guy said: Don't try to do it yourself. Trust the pros, because the pros have proven that they can defeat hackers. A firewall built by a dozen competent pros is always going to win out over a firewall built by one wickedly smart amateur. ᛗᛁᛟᛚᚾᛁᚱPants Tell me all about it. 13:11, 24 May 2017 (UTC)

@ᛗᛁᛟᛚᚾᛁᚱPants, thank you. Very impressive. I wouldn't try building a firewall. But it was fun to dream about it. Of course I have many other projects to busy myself with. --AboutFace 22 (talk) 14:23, 24 May 2017 (UTC)

How many people in the world use smartphones?

How many people in the world use smartphones or how many active smartphones are there? What's a good, recent source to verify this? I was surprised not to find it in the WP article on smartphones. Thank you for your help! --122.108.141.214 (talk) 10:20, 23 May 2017 (UTC)

How about these pages...?

• https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/
• http://www.businessinsider.com/how-many-people-own-smartphones-around-the-world-2016-2?IR=T
• https://www.google.com/search?q=How+many+people+in+the+world+use+smartphones%3F

CiaPan (talk) 10:36, 23 May 2017 (UTC)

There's a bit of a dispute over the ways to measure "active smartphones" as a lot of online stat counters use internet usage as a defining factor. This heavily cuts Android phone numbers and massively increases iphone users to the point where they're pretty much pointless to look at. Our own articles that include these tend to struggle with the issue... Thanks ツ Jenova20 ^(email) 10:43, 23 May 2017 (UTC)

Thanks CiaPan - I did try DuckDuckGo-ing for it myself, but I didn't recognise Statista as a good source to use. Jenova, where is this discussed on WP? I looked in the main smartphone article and briefly in the bottom navigation box there (as well as doing a search for smartphone use and smartphone usage), but couldn't readily find such information. Is it only available on individual brand/model pages? --122.108.141.214 (talk) 11:01, 23 May 2017 (UTC)

I've seen it crop up on both Android sales figures a few years back and recently on the Ipad article, where the figures are blatantly not possible to gauge without estimating or using something like internet usage to estimate. Both are unreliable as i've mentioned. It may have happened other times but those are two that I know of. Thanks ツ Jenova20 ^(email) 12:05, 23 May 2017 (UTC)

Why does Japan have only 39% smartphone use ?

As per http://www.businessinsider.com/how-many-people-own-smartphones-around-the-world-2016-2?IR=T.

I am guessing heavy taxation ? StuRat (talk) 11:31, 23 May 2017 (UTC)

See Galápagos syndrome. --122.108.141.214 (talk) 11:43, 23 May 2017 (UTC)

Thanks, that led me to feature phones, which are apparently a popular alternative in Japan, where phones have built-in features that would require downloads on smartphones. I have to admit, that sounds better, and more secure, to me. I have a smartphone but no time to research and download apps, so it currently does very little. StuRat (talk) 12:27, 23 May 2017 (UTC)

Japan has a very mature/old population in general. Old people don't adapt to new tech like youngsters. Could that be it? Thanks ツ Jenova20 ^(email) 12:05, 23 May 2017 (UTC)

Yes, and those old people may also prefer phones that do everything from day 1, versus phones that require downloading apps to become useful. StuRat (talk) 12:29, 23 May 2017 (UTC)

Coincidentally my dad only just started using his smartphone to it's full. He was content with texting and calls for the last 3 years, but we've finally got him using Whatsapp and youtube now. I never realised he was Japanese so this has come as a very big shock. Sorry. Thanks ツ Jenova20 ^(email) 12:44, 23 May 2017 (UTC)

What I'd really like is a hybrid. That is, a phone that comes preloaded with features, perhaps from a list I choose when I order it, which have already been installed and tested. I could then download additional apps, if I choose to do so. StuRat (talk) 13:17, 23 May 2017 (UTC)

Old people are smart. Why pay 900$ for a superphone when one for 50$ does everything a phone should do? Young people are stupid! Also why should old people want to watch youtube on a 4" micro display? You ever noticed most old people put on glasses to read? --Kharon (talk) 13:32, 23 May 2017 (UTC)

I paid $5 for my phone (LG-L38C), and would only choose to watch video on a tiny screen as a last resort, so I guess that makes me super-old. :-) StuRat (talk) 16:37, 23 May 2017 (UTC)

So when you get a smartphone, you have to download basically everything? It doesn't come with most features pre-loaded? Nyttend (talk) 02:21, 24 May 2017 (UTC)

Most features, yes. Candy Crush, no (thankfully). Thanks ツ Jenova20 ^(email) 08:52, 24 May 2017 (UTC)

Mine (LG-L38C) seems to lack some rather basic features on it's own, like the ability to type in notes and use the GPS, but maybe it's defective or I just haven't figured it out. StuRat (talk) 15:19, 24 May 2017 (UTC)

Funny enough I just remembered that the first tablet I bought (Motorola Xoom) came with an SD card slot which didn't work until months later. It shipped with hardware it didn't actually support yet and a future update sorted that. That's something i've not seen before and really shows commitment to a product. Thanks ツ Jenova20 ^(email) 09:47, 25 May 2017 (UTC)