Firewalling an old operating system


Modern operating systems have a lot of security features. A large part of that includes cryptography. Unfortunately, cryptography is very processor intensive, and it will tax a lot of older processors.

For this reason pretty much all modern operating systems do not bend over backwards to maintain usability on old hardware, and I support this.

But -- what if you wish to run a historic operating system on historic hardware? You have to be aware you are creating a security nightmare. IF your system is not Internet aware (e.g., MS-DOS, CP/M, etc.), you don't have a big problem (in fact, let's go as far as to say, "you have no problem"). But if you hope to attach it to the Internet, or even if the system COULD be attached to the Internet and your OS is no longer supported (e.g., OS/2, Windows 9x, Windows 2000, XP, Windows 7, etc.), you need to be aware you have a security nightmare on your hands.

And I'll be honest here: You should take my advice, but I doubt you will. But you get no right to complain to me when the likely happens.

The importance of the router

I'm going to assume you have a firewall (router) between your internal network and the Big Bad Internet. Times have changed; in the 1990s, the cable companies fought you if you put a router inside your house, as they wanted to bill you per computer you attached. Now, most cable companies provide you a router which will allow dozens of computers internally through one Internet connection.

Network and security people will bristle when I say this, but it's true(ish): a simple router acts as a basic firewall. The router makes all the computers behind it look like one node on the Internet, with one public IP address. It does this by keeping track of which computer makes a request from an outside service, and it routes the reply back to the requester. The good news is when an unsolicited request comes in from the outside world, the router literally has no idea where to send it, so it drops it. This is a huge protection for your computers. You can still have something bad happen, but your computer has to initiate the query.

So...a computer with no software running on it is "safe" behind a router. (unfortunately, there are no computers with "no" software running on them!). Think of the router as a one-way valve to the Internet.

A few outright security myths:

I wish I didn't need to say this, but I've seen things like this enough times from people claiming to be experts that I need to dispel a few things...

So what can I do?

There are a few options.

Don't network your old computer

Really, this is an option. Your old computer won't be able to surf the Internet effectively anyway, as old browsers are basically incompatible with the "new" Internet. So you may be very able to run what you wish to run with no Internet connectivity.

Download files to your modern computers, copy them to CD or USB stick (or floppy!) and move them to the old computer.

Run just one computer at a time

You really can't (easily) have a virus jump from one computer to another if only one computer is on at a time. So, if you turn off your non-historic computers, they are unlikely to become infected from the historic computers over the network.

This is difficult for most people, however. And keep in mind, your TV, phone, and a lot of other things in your house are probably also connected to the Internet. Fortunately, for the most part, your TV and phone are running very different code than your historic computer, so the odds that one bit of malware will jump between your TV and your historic computer are very low (though demonstrated possible, it is not a common real-world issue at the time I write this).

Multi-network firewall/router

This is a great solution; you have a firewall that supports multiple isolated networks, which all have access to the Internet. For a three port firewall, you have one port attached to the Internet, one port of "trusted" machines and one port for "untrusted" machines. Both the trusted and untrusted ports can get to the firewall, but they can't talk to each other.

Unfortunately, most consumer routers don't have multiple ports, and configuring a system like this is tricky.

DIY Multi-port firewall

I build my own firewalls, because I can. I'm not going to assume you have that skill set.

However, there's a way you can use conventional home routers to "Fake" a multi-port firewall. Remember, I said above a router acts as a one-way valve to the internet...machines behind it can go out, the outside can't come in.

So, a simple trick is to add a second router to your network, and put your trusted machines behind the second router.

                              - untrusted computer
Internet --- <<router<< ---+-+--- <<router<< --- (trusted computers)
                                - untrusted computer 

Most likely, your first router between you and the Internet is controlled by your Internet company, so I'm going to assume you can't change it. You have to add a router, and you will have to actually do a bit of configuration on it, as its internal network range is likely to conflict with your existing internal network config.

So ... if your existing home network is in the range, you will need to set your second router's internal network to a different range -- an easy choice might be

You now move all your maintained hardware behind the SECOND router.

How it works

It's really quite simple. The routers work as one-way valves for internet traffic. Your trusted computers can get out to the Internet by jumping through both routers. Your untrusted computers can get from their subnet to the Internet, but the second router keeps them from getting to your trusted machines. Your trusted machines can access your untrusted systems if they wish, but the untrusted machines can't initiate the contact.

The upside is, you have really good isolation between the untrusted and the trusted networks. The downside is, your trusted machines have two routers to hop through, and your second router, if not sufficient in performance, may throttle your Internet access more than you wish. Considering the amount of Internet bandwidth many people have in their homes now, having a router with sufficient performance could cost a bit. The second router will add a small amount of lag. Normal users will not notice, but some gamers may feel the slight bit of extra latency. But then, I wouldn't trust most gamer machines, so maybe the game machines should be in the untrusted network anyway.

The Portable Firewall

IF you are willing to roll your own firewall, you can build what I call a "portable protected network" using a cheap old computer, a couple network cards, and a bit of free software.

My personal choice here would be OpenBSD, but almost any open source OS that can be used to build a firewall can do this, including FreeBSD and Linux.

The trick is to make a NAT (Network Address Translation) firewall. It should attach to your existing internal network, and it should provide a separate subnet for your untrusted systems. It will provide DHCP network config to the untrusted network. But it also has a set of firewall rules that block access from the untrusted network to the subnet of the trusted network. So ... the rules would be something like this, if your internal trusted network was

pass in from protected
block in from protected to

So...traffic is admitted and forwarded AS LONG AS it isn't being sent to your home network. The double routing only impacts your untrusted machines.
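As an added illustration (not the page's own configuration), here is how those two rules fit into a complete OpenBSD pf.conf for the portable firewall; the interface names and the two subnets are assumed placeholders:

```pf
# Added example (not from the page or its author): minimal OpenBSD pf.conf
# for the "portable protected network". Interface names and address ranges
# are constructed placeholders; substitute your own. The box also needs
# net.inet.ip.forwarding=1 in /etc/sysctl.conf and dhcpd serving
# $protected_net on $prot_if.

ext_if        = "em0"              # plugs into the existing home network
prot_if       = "em1"              # faces the historic/untrusted machines
trusted_net   = "192.168.1.0/24"   # constructed: your existing home network
protected_net = "192.168.100.0/24" # constructed: new subnet for old machines

set skip on lo

# Default deny, logged, so an old box probing the trusted LAN shows up in
# pflog instead of silently succeeding.
block log all

# Historic machines appear to the home network as the firewall's own
# address, exactly as a consumer router would make them appear.
match out on $ext_if inet from $protected_net to any nat-to ($ext_if)

# DHCP requests arrive from 0.0.0.0, so they need their own rule, and the
# firewall must be allowed to answer them.
pass in on $prot_if inet proto udp from any port 68 to any port 67
pass out on $prot_if inet from ($prot_if) to any

# The page's two rules. pf is last-match-wins, so the block rule placed
# after the pass rule is what keeps the untrusted subnet off the trusted one.
pass in on $prot_if inet from $protected_net to any
block in log on $prot_if inet from $protected_net to $trusted_net

# Caveat: if dhcpd hands out a DNS server that lives inside $trusted_net
# (typically the home router), that lookup is blocked too. Hand out a
# resolver on the firewall itself or outside the trusted range instead.

# Optional: let trusted machines reach the old ones, never the reverse.
pass in on $ext_if inet from $trusted_net to $protected_net

# Whatever survived the rules above may leave toward the Internet.
pass out on $ext_if inet
```

Watching pflog (tcpdump -n -e -ttt -i pflog0) after loading this is a cheap way to confirm the historic machines are being refused, rather than assuming it.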

If you aren't familiar with setting up firewalls and networking, this is not enough information for you to do this, but if you are, this might give you ideas on how to do this.

Note: these firewall and router tricks do NOT protect your historic computer; it is as vulnerable as ever. However, it will be much more difficult for your historic computers to cause problems for the machines you use for important or business applications.


since February 17, 2022

Copyright 2022, Nick Holland, Holland Consulting
