protected LAN. STUN does not work for every NAT, nor for strict firewalls, and it may have scalability and security issues. The SIP client has to implement STUN and integrate it into its SIP stack for this to work.
There are also various tunneling approaches, creating a tunnel through the firewall and then having an ALG in a central place at the SIP operator to cope with the separate address space of the private LANs and their individual users. Special equipment is, therefore, required at the SIP operator, and sometimes special equipment and software are required on the LAN or in the SIP clients. With this approach, the users get locked into a specific SIP operator. This approach typically cannot handle complex configurations, such as interworking between an operator and the Microsoft Greenwich architecture, where a local SIP server on the LAN is used.
For home users (like for SOHOs), Microsoft has suggested an extension to Universal Plug and Play (UPnP) to allow Windows to control the NAT or firewall. Several small, inexpensive NATs have implemented these UPnP extensions and thus allow SIP traversal for Windows Messenger (which is SIP-based). However, it is not secure to allow every PC on the LAN to open the firewall, so UPnP is not acceptable for a proper firewall that should protect the LAN (in the Greenwich architecture, even Microsoft recommends that UPnP be disabled for high security). Another limitation is, of course, that UPnP control from Windows clients will not help other SIP products (SIP phones) to traverse a NAT or firewall.
Now, with regard to SOHOs, let’s take a look at how you should use NAT technology to block access to an internal network demilitarized zone (DMZ). In other words, how would you set up a Linux-based firewall for the SOHO broadband-attached network?
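As an added example (not from the book), the following shell script builds the iptables rule set for a minimal Linux SOHO NAT firewall of the kind the question above asks about: LAN hosts are masqueraded behind the single public address, and nothing from the broadband side reaches a LAN host unless it is a reply to a connection that host started. No UPnP daemon is involved, so no LAN PC can open its own hole; the interface names and the private prefix are assumptions to adjust for your own box.

```shell
#!/bin/sh
# Added example, not the book's own script. Prints the iptables commands for a
# two-interface SOHO NAT firewall; pipe the output to sh (as root) to apply it.
# Assumed layout: WAN interface facing the broadband modem, LAN interface facing
# the private LAN, LAN prefix in RFC 1918 space (all three passed as arguments).

soho_nat_rules() {
    wan="$1"       # e.g. eth0 (assumed)
    lan="$2"       # e.g. eth1 (assumed)
    lan_net="$3"   # e.g. 192.168.1.0/24 (assumed)
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Anti-spoofing: packets claiming a LAN source address must not arrive on the WAN.
iptables -A INPUT -i $wan -s $lan_net -j DROP
iptables -A FORWARD -i $wan -s $lan_net -j DROP
# Replies to connections the LAN (or the firewall itself) opened are allowed back in.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The LAN may talk to the firewall and may start connections out to the Internet.
iptables -A INPUT -i $lan -s $lan_net -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
# Rewrite outbound LAN traffic to the public address of the WAN interface.
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
EOF
}

# Sanity check: number of rules that would let the WAN side start a new
# connection into the LAN. A correct SOHO rule set has none, which is also why
# an unsolicited SIP INVITE to a LAN phone never arrives without STUN or an ALG.
inbound_holes() {
    soho_nat_rules "$@" | grep -c -- "-i $1 .*-j ACCEPT"
}

# Apply only when explicitly asked, since this needs root and a Linux box.
if [ "${APPLY:-0}" = "1" ]; then
    soho_nat_rules "${WAN:-eth0}" "${LAN:-eth1}" "${LAN_NET:-192.168.1.0/24}" | sh
fi
```

Run `inbound_holes eth0 eth1 192.168.1.0/24` after editing the rules; any count other than 0 means a rule now lets the Internet initiate connections into the LAN.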
15.7 Employing a Linux-based SOHO firewall solution with NAT technology
With people spending more and more time on the Internet, security is becoming increasingly important. This part of the chapter shows you how to set up a Linux-based personal firewall for the SOHO broadband-attached network. It also takes a look at several SOHO firewalls and assesses whether they can keep your system safe from
Interest in SOHO firewall technology has soared as more and more people have recognized that the price of the Internet’s freedom is eternal vigilance. This part of the chapter also examines the latest in SOHO firewall technology and asks whether existing software is ready or able to keep your PCs private in an increasingly wireless, broadband-attached, networked world.
The term SOHO firewall, as described in this chapter, is one of many appropriated from other industries to fit the needs of technology. Originally, a firewall was a strengthened part of a building’s structure designed to keep a fire contained within a specific area. When IT managers and software developers wanted to add security to their networks, the term was used to describe the layers of defense put into a server to protect against unauthorized
However, the idea of SOHO firewalls has taken time to develop, with the first products appearing only 4 years ago. Although there has been considerable skepticism about the usefulness of such packages, the market for SOHO firewalls has exploded. With more people spending increasing amounts of time online, there’s growing concern among consumers about their system’s security. The major software vendors are reacting.
Currently, most standalone PCs do need a SOHO firewall, and quite a bit of protection is now available. Even the most sophisticated SOHO firewall software can’t provide complete protection against a determined effort to break in (see FYI 15.1), and, of the SOHO firewalls reviewed in this chapter, none even came close. However, the vast majority of PCs are neither valuable nor interesting enough to be properly attacked.
Although hacking is almost as old as the computer itself (the term was first coined to describe the phenomenon in 1984 in Steven Levy’s book Hackers), the number of hardcore hackers is limited, and they certainly have other priorities besides SOHO computer systems. Most take pride in not causing damage during intrusion. However, the risk is technically there. With the number of computers spending time attached to the global telecommunications system growing at current rates, SOHO firewall protection is becoming an issue of increasing importance.
There’s also a growing number of options available to the SOHO firewall buyer. This comes from a mix of old and new