Tech 101: Understanding Firewalls
July 31, 2009
Security expert Michael Horowitz demystifies firewalls for home and small business users.
Although the name may evoke a physical thing, a firewall is just a computer program. Simply put, it controls all information (data) traveling into and out of a computer via a network.
Firewalls are not involved with data going to or coming from the hard drive, a CD or DVD, or a directly attached USB flash drive. The domain of a firewall is the network connection, wired or wireless.
When data wants to get into your computer from elsewhere on the network, a firewall program on your computer decides whether it gets in or not. When a program on your computer wants to send data out over the network, a good firewall program will also determine whether to allow it or not.
I say good firewall, because not all firewall programs provide control over outbound data--some only watch the incoming lane for traffic. Keeping with the traffic analogy (data traveling over a network is often referred to as traffic), a firewall program is, in effect, a traffic cop. As a rule of thumb, all computers connected to the Internet should be running a firewall program all the time. This includes machines running Windows, any Mac OS, Linux, and other operating systems too.
One exception is a computer without broadband. If you get onto the Internet via dial-up, you only need a firewall program while the computer is connected to the Internet. In the interest of convenience though, it doesn't hurt dial-up users to have a firewall program constantly running.
There are two types of firewalls, and the terminology used to differentiate them is poor. Firewall programs that run on a personal computer (regardless of the host OS) are referred to as software firewalls. Those that run in a box outside your computer are referred to as hardware firewalls.
This, despite the fact that all firewalls are software.
Home users and small businesses encounter hardware firewalls in their routers (wireless or otherwise). Large organizations may run a dedicated firewall device. Another term for a firewall program running on your computer is a personal firewall (I prefer this term and will use it from now on).
To protect and to serve
Typically the firewall in a router only offers inbound protection. Outbound protection is a feature of some personal firewalls, but not all.
While inbound protection is preventative, outbound protection serves more as a warning about existing malware. It's one thing for a computer to be infected with spyware or other malicious software. But it's another thing entirely to have the malicious software make an outbound connection and send data gleaned from your computer to bad guys somewhere out on the Internet.
A firewall with outbound protection will, hopefully, warn you when a new program (one it hasn't seen before) tries to make an outbound connection to another computer. This way, if you don't recognize the program and you didn't initiate the connection, you can have the firewall block it. When in doubt, don't let it out.
Awareness of the need for firewalls can be seen in the history of Windows. Windows 98, ME, and 2000 did not include a firewall. Windows XP does, but it provides inbound protection only. For the first three years of its existence, the built-in XP firewall was disabled by default. With the release of Service Pack 2 in 2004, the XP firewall was enabled by default.
Windows Vista introduced outbound protection to the built-in firewall, but it was, in large part, a sham.
Writing in Computerworld, Preston Gralla had this to say about it: ... as shipped, the Windows Firewall offers little outbound protection, and it's not clear how outbound protection can be configured to protect against spyware, Trojans and bots ... by default, most outbound filtering in the Windows Vista firewall is turned off. In addition, there may be no practical way to use outbound filtering to stop all unwanted outbound connections.
Regardless of the personal firewall included in your favorite Operating System, you can install another one if you prefer.
The Internet runs both ways
When your computer is connected to the Internet, you can go anywhere. The same infrastructure, however, that allows you to contact other computers on the Internet, also permits them to contact you. The Internet is a two-way street.
There is rarely a reason for another computer on the Internet to contact you first. Normally, you initiate the contact with other computers. However, if you can contact others, they can contact you.
Bad guys exploit the open, two-way communication on the Internet to probe your computer for vulnerabilities (typically bugs in the Operating System) and/or mis-configurations that allow them to install software, crash your computer, and access your files. Or, in the worst case, take hidden control of your computer.
If your computer suddenly runs much slower than it used to, one possibility is that a bad guy is using it, in the background, to do his bidding. There are many ways for a computer to get infected with malicious software; a firewall is one necessary part of your defensive stance.
How do the bad guys find you? After all, they don't know you and the Internet is really big. Typically they use software that scans the Internet looking for a response to an opening handshake (hailing frequencies, if you will).
Once they get a nibble, so to speak, then they are likely to probe the newly discovered computer in more depth. These scanning programs run 24x7.
The prime mission of a firewall is to deny all unsolicited incoming attempts at communication. As a parent warns a child not to talk to strangers, so too should your computer be configured not to respond to unsolicited attempts at communication, at least by default and at least initially (there may be some necessary exceptions).
Note the word unsolicited. If you go to a Web site and request a page, when that Web page comes back to you, that was solicited. Firewalls do not interfere with incoming data that was specifically requested (solicited). The way they tell the difference is by remembering which connections your computer started and letting only the replies to those connections back in; a firewall that works this way is called stateful.
A firewall should not inhibit you from going anywhere on the Internet. That said, mis-configurations happen, so when you can't connect to something somewhere, the firewall is always a top suspect.
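The solicited-versus-unsolicited rule above, together with the outbound "when in doubt, don't let it out" prompt described earlier and the LAN case discussed further down, can be modeled in a few dozen lines. The following is an added illustration written for this page; it is not ZoneAlarm, Windows Firewall, or any other real product, the program names are invented, and the addresses come from the RFC 5737 documentation ranges.

```python
# Toy personal firewall: default-deny inbound, allow replies to conversations
# this computer started, and ask before an unknown program may talk out.
# Added illustration for this article, not code from any real firewall.
# Program names are made up; 198.51.100.x and 203.0.113.x are documentation
# addresses (RFC 5737), 192.168.1.x stands in for the home LAN.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" (from the network) or "out" (from this computer)
    proto: str                     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    program: Optional[str] = None  # local program behind an outbound packet


class PersonalFirewall:
    def __init__(self, local_ip: str, trusted_programs=(), inbound_exceptions=()):
        self.local_ip = local_ip
        self.trusted = set(trusted_programs)       # programs the user already approved
        self.exceptions = set(inbound_exceptions)  # (proto, port) served on purpose
        self.state = set()      # (proto, remote_ip, remote_port, local_port) we initiated
        self.log: List[Tuple[str, Packet]] = []

    def _solicited(self, pkt: Packet) -> bool:
        # Inbound traffic is solicited only if it is the reply half of a
        # conversation this computer opened and the firewall remembered.
        return (pkt.proto, pkt.src, pkt.sport, pkt.dport) in self.state

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.program in self.trusted:
                self.state.add((pkt.proto, pkt.dst, pkt.dport, pkt.sport))
                verdict = "allow"
            else:
                verdict = "ask"      # unknown program: when in doubt, don't let it out
        elif self._solicited(pkt):
            verdict = "allow"        # the web page we asked for, a DNS answer, ...
        elif (pkt.proto, pkt.dport) in self.exceptions:
            verdict = "allow"        # a service we deliberately expose
        else:
            verdict = "drop"         # unsolicited: a stranger knocking
        self.log.append((verdict, pkt))
        return verdict

    def unsolicited_inbound(self) -> List[Packet]:
        return [p for v, p in self.log if v == "drop"]


def run_demo() -> List[str]:
    """Replay a constructed packet sequence and return the verdicts in order."""
    me = "192.168.1.10"
    fw = PersonalFirewall(me, trusted_programs={"browser.exe", "dns-resolver"})
    packets = [
        # 1. the browser opens a connection to a web server: allowed and remembered
        Packet("out", "tcp", me, 50000, "203.0.113.5", 80, program="browser.exe"),
        # 2. the web server's reply comes back: solicited, allowed
        Packet("in", "tcp", "203.0.113.5", 80, me, 50000),
        # 3. a scanner on the Internet probes file sharing (port 445): dropped
        Packet("in", "tcp", "198.51.100.7", 6000, me, 445),
        # 4. a computer on the same LAN tries the same thing; the router's
        #    firewall never sees this, the personal firewall does
        Packet("in", "tcp", "192.168.1.50", 49152, me, 445),
        # 5. a program the firewall has never seen wants to talk out: ask the user
        Packet("out", "tcp", me, 50001, "198.51.100.9", 6667, program="svchosts.exe"),
        # 6. a DNS query and its answer: UDP is tracked the same way
        Packet("out", "udp", me, 50002, "192.168.1.1", 53, program="dns-resolver"),
        Packet("in", "udp", "192.168.1.1", 53, me, 50002),
        # 7. a reply-shaped packet (source port 80) we never asked for: still dropped
        Packet("in", "tcp", "203.0.113.5", 80, me, 50003),
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Packets 3 and 4 are the point of the example: the router's firewall would have stopped the first but can do nothing about the second, since it never crosses the router. Packet 7 shows why the firewall must remember the local port too; a scanner that sends from port 80 does not get in just by looking like a web reply.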
How often do the bad guys on the Internet try to get into your computer?
While writing this article, I ran a test. Although my computers are typically behind a router whose firewall deflects unsolicited incoming connections, I put a computer in the DMZ of the router.
Computers in the DMZ are treated by the router as if they were directly connected to the Internet. This is a logical thing; no wires are moved around. Being in the router's DMZ lets the personal firewall program (ZoneAlarm in this case) see all the incoming traffic, unfiltered by the firewall in the router.
Below is a summary of the unsolicited incoming connection attempts for a random hour:
- 5:51PM 1 connection
- 5:46PM 1 connection
- 5:41PM 17 connections
- 5:31PM 1 connection
- 5:14PM 2 connections
- 5:06PM 2 connections
- 5:05PM 1 connection
- 4:59PM 1 connection
- 4:58PM 2 connections
- 4:54PM 1 connection
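A tally like the one above can be produced from any firewall that logs the packets it drops. The following is an added example, not the author's ZoneAlarm data and not code from any product: the log lines are constructed for this page in the layout of the Windows Firewall log file (pfirewall.log), a "#Fields:" header followed by space-separated records whose last field is SEND or RECEIVE. The script counts the dropped inbound packets per minute, the ports probed most, and the busiest sources.

```python
# Added example for this article: summarize unsolicited inbound attempts from a
# firewall log. The sample below is constructed, in the Windows Firewall
# (pfirewall.log) layout; the addresses are RFC 5737 documentation addresses.
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-07-31 16:54:10 DROP TCP 198.51.100.7 192.168.1.10 6000 445 48 S 1234567 0 8192 - - - RECEIVE
2009-07-31 16:58:02 DROP TCP 198.51.100.7 192.168.1.10 6001 139 48 S 1234568 0 8192 - - - RECEIVE
2009-07-31 16:58:40 DROP TCP 203.0.113.44 192.168.1.10 3344 1433 48 S 99887 0 65535 - - - RECEIVE
2009-07-31 17:05:21 DROP UDP 203.0.113.9 192.168.1.10 1026 1026 404 - - - - - - - RECEIVE
2009-07-31 17:06:13 DROP TCP 198.51.100.7 192.168.1.10 6002 445 48 S 1234569 0 8192 - - - RECEIVE
2009-07-31 17:06:14 DROP TCP 198.51.100.7 192.168.1.10 6003 445 48 S 1234570 0 8192 - - - RECEIVE
2009-07-31 17:10:00 OPEN TCP 192.168.1.10 203.0.113.5 50000 80 0 - 0 0 0 - - - SEND
2009-07-31 17:41:02 DROP TCP 198.51.100.7 192.168.1.10 6004 22 48 S 1234571 0 8192 - - - RECEIVE
2009-07-31 17:41:03 DROP TCP 198.51.100.7 192.168.1.10 6005 23 48 S 1234572 0 8192 - - - RECEIVE
2009-07-31 17:41:05 DROP TCP 198.51.100.7 192.168.1.10 6006 3389 48 S 1234573 0 8192 - - - RECEIVE
2009-07-31 17:51:30 DROP TCP 203.0.113.44 192.168.1.10 3345 445 48 S 99888 0 65535 - - - RECEIVE
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn the log into a list of dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated or foreign lines
                records.append(dict(zip(fields, values)))
    return records


def unsolicited_inbound(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Dropped packets that arrived from the network. A stateful firewall only
    drops inbound packets that belong to no conversation this computer started,
    so DROP + RECEIVE is the unsolicited traffic the article talks about."""
    return [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]


def summarize(text: str) -> dict:
    hits = unsolicited_inbound(parse_log(text))
    by_minute = Counter(r["time"][:5] for r in hits)        # HH:MM, like the list above
    by_port = Counter((r["protocol"], r["dst-port"]) for r in hits)
    by_source = Counter(r["src-ip"] for r in hits)
    return {
        "total": len(hits),
        "by_minute": dict(sorted(by_minute.items(), reverse=True)),
        "top_ports": by_port.most_common(3),
        "top_sources": by_source.most_common(3),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} unsolicited inbound attempts")
    for minute, n in report["by_minute"].items():
        print(f"  {minute}  {n} connection{'s' if n != 1 else ''}")
    print("most probed ports:", report["top_ports"])
    print("busiest sources:", report["top_sources"])
```

The per-port breakdown is the part worth looking at: in the constructed sample, file sharing (445), SQL Server (1433), remote desktop (3389) and the old Messenger service port (1026) are what the scanners try, which is exactly the kind of thing a home computer should never answer to strangers on.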
Earlier, I wrote about how some poking around inside my router revealed unsolicited incoming connection attempts from China (see Are Chinese Hackers Attacking Your PC? at eSecurityPlanet.com).
Two firewalls are better than one
As noted above, for a personal firewall running on your computer to see unsolicited incoming connections, it needs to be logically placed in front of the firewall in the router. If the router's firewall does such a good job, do you even need a firewall application running on your computer?
Yes, you do. If for no other reason than two levels of protection are better than one.
A personal firewall does something the router-based firewall can't--protect your computer from other computers on the same Local Area Network (LAN).
You may trust the other computers on your LAN, but you shouldn't; malware happens.
Laptop users face an additional issue when traveling, where you are forced to share a network with total strangers. Using the Internet in a hotel room, for example, you don't want the person in room 602 to be able to see the files on your computer.
I recently suggested traveling with a small dedicated travel router just for the firewall protection.
Windows users who really care about computer security need to install a personal firewall to get outbound filtering. (I'm not familiar with the outbound control offered by the default firewall in Macs or any Linux distributions). This, however, is a coin with two sides.
Firewalls offering outbound control are noisy. That is, they pop up alerts asking whether to allow certain network communication. This is to be expected at first, and will die down over time as the firewall is instructed about what to allow and what to deny.
But alerts about outbound activity will never fully go away. These alerts can be confusing and loaded with techie jargon. Even alerts worded in plain language can be too much for non-techies to deal with. The price of security has always been inconvenience.
It's a tough call whether the hassle factor of outbound control in a personal firewall is worth the protection it offers. Certainly it is for techie computer users, but for normal people, it's not so clear.
I was fortunate enough to get started with ZoneAlarm before my computer was protected by the firewall in a router. ZoneAlarm defaulted to popping up an alert any time it blocked an unsolicited incoming connection. It was a great way to see, in real time, just how dangerous the Internet is and how necessary a firewall is. I soon figured out how to turn off these alerts, but the lesson learned has persisted.
Not running a personal firewall while connected to a network is the computer equivalent of not wearing seat belts. You may be fine today and tomorrow, but some day you'll probably regret it.
Article courtesy of eSecurityPlanet.com.