
A firewall is a piece of hardware or software used to deny passage of data that does not belong on your computer network, while simultaneously allowing passage of the data that does belong on your computer network. It has been described, perhaps most famously by William Cheswick*, as the crunchy outer shell around a soft chewy center (that part being the rest of the network, of course). Firewalls can be a dry topic to many people, and while I won't claim to make them more exciting for you, I can't imagine what it's like to not find them fascinating, so maybe that'll rub off in this section.
As you may know, Windows XP now has a pretty good firewall embedded into the operating system. I say 'pretty good,' because you may find that this firewall also breaks some applications or just makes getting them to work more tedious - like a VPN connection to your work, for example. Most of these problems can be worked around, but there is some additional work involved on your part. Nevertheless, I applaud Microsoft for the effort. Firewalls are a critical part of protecting your home or business computers. The computer, much as some people would like, is not (yet) a toaster or a television that takes care of everything while you work or play. You have to get involved if you want it to stay secure. That's the bottom line. Okay, enough of the soapbox.
There are other options to the MS firewall, and those who aren't running XP will need to know them. Even those with XP may want to explore other options. There is a long list of free personal firewalls, many with advanced features available for a cost. Reading reviews will show you a few that consistently receive praise from users.
My personal choice of protection is a hardware firewall. Some people may not like the notion of buying and configuring a piece of hardware, but if you have multiple machines behind a broadband Internet connection, this choice may protect you more efficiently than software on every machine. Furthermore, if you ever reinstall an OS on your machine at home and you are not behind a hardware firewall, your PC may get a virus or other malicious code before you have a chance to get to the Windows Update site to download the few dozen patches you are likely missing. Some people use hardware in conjunction with software firewalls, but I find software firewalls annoying, since they always nag you to approve or deny this or that, and sometimes you may not know what to say - and if you guess incorrectly you may have to slog through the application to undo your mistake. Oh, bother. What's worse is that some people get frustrated with having to answer to the software and just start saying 'yes' all the time - or just take the suggested action so they can get on with life. Not very secure, eh?
Most firewalls these days do what's called 'Stateful Packet Inspection,' or SPI. Ominous as it may sound, it just means that the firewall looks at the communication going back and forth between your machine and the outside world, and looks for any communications that are trying to get in without you having asked them in directly. It drops any communication that doesn't meet that criterion. If that isn't clear, just think about the name. The firewall uses SPI to watch, or inspect, the state of the communication to make sure the data is coming back from where you requested it. The communication is transmitted by breaking big chunks of information into little data pieces called packets. With no SPI, a really good hacker could get in by falsifying some of the packet information. It's rather difficult to accomplish, but if there's no firewall using SPI to watch over the state of things, it is possible, but not probable, that a hacker could dump some harmful code onto your machine.
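To make the state-tracking idea concrete, here is an added example (my own, not code from the article or from any firewall product) of the SPI rule in Python: a toy filter that lets an inbound packet through only when it answers a connection that a machine on the inside opened first. The addresses and ports are constructed sample values.

```python
# Toy stateful packet inspection (SPI) filter. Added example, not from the article.
# Outbound packets create a state entry; inbound packets pass only if they
# answer an entry created earlier, otherwise they are dropped.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A flow is identified by its 5-tuple: protocol, src ip/port, dst ip/port.
FlowKey = Tuple[str, str, int, str, int]

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN

class StatefulFirewall:
    """Tracks flows opened from inside; only replies to them get back in."""
    def __init__(self) -> None:
        self.state: Dict[FlowKey, str] = {}

    def inspect(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # An inside host asked for this conversation: remember it.
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.state[key] = "ESTABLISHED"
            return "allow"
        # Inbound: a genuine reply carries the request's addresses and ports mirrored.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state:
            return "allow"
        return "drop"  # nobody inside asked for it

def run_trace(packets: List[Packet]) -> List[str]:
    fw = StatefulFirewall()
    return [fw.inspect(p) for p in packets]

# Constructed sample traffic (not real captures): a web request, its reply,
# an unsolicited probe, and a forged "reply" whose port matches no request.
SAMPLE = [
    Packet("tcp", "192.168.1.10", 51000, "203.0.113.5", 80, "out"),
    Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 51000, "in"),   # genuine reply
    Packet("tcp", "198.51.100.7", 4444, "192.168.1.10", 445, "in"),  # unsolicited probe
    Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 51001, "in"),   # wrong port: forged
]

if __name__ == "__main__":
    print(run_trace(SAMPLE))  # ['allow', 'allow', 'drop', 'drop']
```

Real firewalls also expire state entries and check TCP flags and sequence numbers, which is what makes the forged-packet trick the text mentions hard to pull off.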
So, if you're interested, there are plenty of firewalls that use SPI (and other security mechanisms just too techie to cover here) available for less than $100. Although the market has increased the likelihood that they will, they do not HAVE to say 'firewall' on the box to act as one. Plenty of routers (which, as the name implies, route packets from point to point) have SPI. Just read the box before you buy.
Whether you get a hardware or software firewall, take the time to read the instructions and you'll have it up and running in one night. Some hardware firewalls are mostly plug and play, but make no mistake, they will require some input. Again, this is worth learning because the more you know about your own network, the more likely you are to know when something is amiss.
So, once you get one of these fancy firewall thingies, be it software or hardware-based, how do you know it's working? You attack yourself. Whuh? No. Really. There are sites out there that will do what's known as 'penetration testing' to see if you are really secure. Now, you can pay a company for this service if you want, but there's more than one free way to test things out. Some folks in security love to hate this man, and some just think he's an incredibly gifted genius. He's a bit overzealous at times, but then I can't fault him for a trait I also share. I'm speaking of Steve Gibson of Gibson Research Corporation. He has several tools for testing your firewall in the probe area at grc.com. Just don't let his 'shout from the rooftops' attitude about security issues worry you about the state of the Internet. Granted, there's lots to be worried about, but protecting our own computers and networks is about all most of us can do. Another good set of free scanning tools is available in the scanning area at broadbandreports.com.
*Cheswick wrote one of the most well known of the early books on firewalls - Firewalls and Internet Security: Repelling the Wily Hacker. If you want to learn a lot about these two subjects, you should check out the book. But for now you're here, so let's read that book some other time.
This site is licensed under a Creative Commons NonCommercial-ShareAlike 1.0 License.