Posted by Dave
5 Star Support Security Specialist
04.17.06
So what is a firewall, really? And why do I need one? This question has
come up many times, and there are so many incorrect answers and
misconceptions that I decided maybe I could help set things straight and
explain it to you. I’ll warn you from the start that this is not a short,
easy answer. In principle, firewalls are simple and straightforward, but
the increase in attacks and the sophistication of these attacks, as
well as the improved technology in this area, have made the subject a bit
more complex and more difficult to understand. I promise to keep it as
simple as possible. That said, let's get started.
Basically, a firewall is a barrier to keep destructive forces away from
your property. In fact, that's why it is called a firewall. Its job is
similar to a physical firewall that keeps a fire from spreading from one
area to the next. In the case of a computer, a firewall is actually a ‘wall’
of code that is designed to inspect everything going into, or coming
from, the computer it is installed on. Data is transmitted in ‘packets’,
and it is the firewall’s job to examine these packets and decide whether
or not they are allowed to pass through. A properly designed firewall
will do this very quickly and efficiently, and will be equally effective
on both incoming and outgoing traffic. Why outgoing as well? You don’t
want any personal or privileged information leaving without your
explicit permission, do you?
So how does a firewall actually work? All communication between
computers is accomplished by exchanging the ‘packets’ we described
above. They are sent from one machine to the other; whether the machines
are located in the same room or on opposite sides of the globe does not
matter. It is important that you remember these packets are the
fundamental units of information flowing through the Internet or a local
network. Even though we say two computers are “connected”, what actually
happens is that these packets of information are sent from one computer
to another. Each packet must be able to find its way from the
originating machine to the intended destination, or receiving computer.
To accomplish this, each packet contains a destination address and port
number. Each packet must also contain the address and port number of the
sending machine. The receiving computer in turn sends a packet
containing its own address and port number back to the sender to
indicate the packet has been received. When the addresses and port
numbers match, the computers agree they are connected, and the transfer
or flow of packets begins.
We need to stop for a minute here and explain the addresses mentioned in
the above paragraph. Every computer has what is called an IP address.
The IP stands for Internet Protocol. This address is unique to every
computer. IP addresses are 32-bit numbers, normally expressed as four
"octets" in a "dotted decimal number." A typical IP address looks like
this: 225.27.61.157. Because it is hard to remember the string of
numbers that make up an IP address, and because IP addresses sometimes
need to change, all servers on the Internet also have human-readable
names, called domain names. For example, it is easier for most of us to
remember www.whereIwanttogo.com than it is to remember 225.27.61.157.
Remember we mentioned Internet protocol? The protocol is the pre-defined
way that someone who wants to use a service talks with that service. The
"someone" could be a person, but more often it is a computer program
like a Web browser. Protocols are often text, and simply describe how
the client and server will have their conversation. Here are the most
common protocols you will encounter in regular computer use:
- IP (Internet Protocol) - the main delivery system for information
  over the Internet
- TCP (Transmission Control Protocol) - used to break apart and rebuild
  information that travels over the Internet
- HTTP (Hyper Text Transfer Protocol) - used for Web pages
- FTP (File Transfer Protocol) - used to download and upload files
- UDP (User Datagram Protocol) - used for information that requires no
  response, such as streaming audio and video
- ICMP (Internet Control Message Protocol) - used by a router to
  exchange information with other routers
- SMTP (Simple Mail Transport Protocol) - used to send text-based
  information (e-mail)
- SNMP (Simple Network Management Protocol) - used to collect system
  information from a remote computer
- Telnet - used to perform commands on a remote computer
We also mentioned ports. There are actually thousands of ports on every
computer. Each port is assigned a number, and each port number
corresponds to a specific service or kind of communication. Any server
machine makes its services available to the Internet using numbered
ports, one for each service that is available on the server. For
example, if a server machine is running a Web (HTTP) server and an FTP
server, the Web server would typically be available on port 80, and the
FTP server would be available on port 21.
Now to put it together, you know each packet contains the specific IP
address and port number of the originating computer, as well as the
specific IP address and port number of the intended destination
computer, with the port numbers being determined by the type of
communication and information being sent.
To use this information, a firewall is
programmed to recognize all the ports and protocols in use today. It
then determines whether or not to let the packets through, or drop them.
This is done in accordance with a set of rules called filters that are
also programmed into the software. Packets that make it through the
filters are sent to the requesting system and all others are discarded.
Once you understand this concept, the actual operation of a firewall
becomes pretty simple. A firewall can help protect you from a whole lot
of problems regularly encountered on the Internet. Some of them are
listed below:
- Remote login - When someone is able
to connect to your computer and control it in some form. This can
range from being able to view or access your files to actually
running programs on your computer.
- Application backdoors - Some
programs have special features that allow for remote access. Others
contain bugs that provide a backdoor, or hidden access, that
provides some level of control of the program.
- SMTP session hijacking - SMTP is
the most common method of sending e-mail over the Internet. By
gaining access to a list of e-mail addresses, a person can send
unsolicited junk e-mail (spam) to thousands of users. This is done
quite often by redirecting the e-mail through the SMTP server of an
unsuspecting host, making the actual sender of the spam difficult to
trace.
- Operating system bugs - Like
applications, some operating systems have backdoors. Others provide
remote access with insufficient security controls or have bugs that
an experienced hacker can take advantage of.
- Denial of service - You have
probably heard this phrase used in news reports on the attacks on
major Web sites. This type of attack is nearly impossible to
counter. What happens is that the hacker sends a request to the
server to connect to it. When the server responds with an
acknowledgement and tries to establish a session, it cannot find the
system that made the request. By inundating a server with these
unanswerable session requests, a hacker causes the server to slow to
a crawl or eventually crash.
- E-mail bombs - An e-mail bomb is
usually a personal attack. Someone sends you the same e-mail
hundreds or thousands of times until your e-mail system cannot
accept any more messages.
- Macros - To simplify complicated
procedures, many applications allow you to create a script of
commands that the application can run. This script is known as a
macro. Hackers have taken advantage of this to create their own
macros that, depending on the application, can destroy your data or
crash your computer.
- Viruses - Probably the most
well-known threat is computer viruses. A virus is a small program
that can copy itself to other computers. This way it can spread
quickly from one system to the next. Viruses range from harmless
messages to erasing all of your data.
- Spam - Typically harmless but
always annoying, spam is the electronic equivalent of junk mail.
Spam can be dangerous though. Quite often it contains links to Web
sites. Be careful of clicking on these because you may accidentally
accept a cookie that provides a backdoor to your computer.
- Redirect bombs - Hackers can use
ICMP to change (redirect) the path information takes by sending it
to a different router. This is one of the ways that a denial of
service attack is set up.
- Source routing - In most cases, the
path a packet travels over the Internet (or any other network) is
determined by the routers along that path. But the source providing
the packet can arbitrarily specify the route that the packet should
travel. Hackers sometimes take advantage of this to make information
appear to come from a trusted source or even from inside the
network! Most firewall products disable source routing by default.
Now, what about other information sneaking in while this nice
conversation between two computers is taking place? Couldn’t another
computer join the conversation without your knowledge? Without a
firewall in place, yes it can, and it happens all the time. This is how
computers without firewall protection can be, and are, attacked
literally in minutes when connected to the Internet. Here’s how a
firewall prevents that from happening. When you surf the web you need to
connect to web servers that might have any IP address. You wouldn't want
all those to be blocked just because you want to block everyone from
getting into your machine. It turns out that this is easy for a firewall
too. Since each end of an Internet connection is always acknowledging
the other end's data, every packet that flows between the two machines
has a bit set in it called the "ACK" bit. This bit says that the packet
is acknowledging the receipt of all previous data. But this means that
only the very first packet that initiates a new connection would NOT be
acknowledging any previous data from the other machine. In other words,
a firewall can easily determine whether an arriving packet is initiating
a new connection or continuing an existing conversation. Packets
arriving as part of an established connection would be allowed to pass
through the firewall, but packets representing new connection attempts
would be discarded. Thus, a firewall can permit the establishment of
outbound connections while blocking any new connection attempts from the
outside.
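To make the ACK-bit rule above and the port filter rules described earlier concrete, here is an added example in Python; it is not code from the original post or from any firewall product. It parses the flags byte out of a raw TCP header, applies the post's rule (outbound passes, inbound passes only with the ACK bit set or to a deliberately published port), and then goes one step beyond the post with a variant that keeps a table of connections the host actually opened instead of trusting the ACK bit alone, which is how modern stateful firewalls work. The port numbers and the published-port list are constructed for the example.

```python
import struct

# TCP flag bits, as laid out in the flags byte of the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_tcp_header(src_port, dst_port, flags):
    """Constructed 20-byte TCP header (sequence numbers and checksum zeroed)."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)

def parse_tcp_header(segment):
    """Read the ports and the flags byte back out of a raw TCP header."""
    src_port, dst_port, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", segment[:14])
    return src_port, dst_port, flags

class AckBitFilter:
    """The post's rule: outbound always passes; inbound passes only if the ACK bit
    says it continues a conversation, or it is a new connection to a published port."""

    def __init__(self, published_ports=()):
        self.published_ports = set(published_ports)   # constructed filter rules

    def decide(self, segment, inbound):
        src_port, dst_port, flags = parse_tcp_header(segment)
        if not inbound:
            return "allow"
        if flags & ACK:
            return "allow"    # continuing an established connection
        if flags & SYN and dst_port in self.published_ports:
            return "allow"    # new connection to a published service
        return "drop"         # any other new attempt from outside

class StatefulFilter(AckBitFilter):
    """Same policy, but checked against a table of connections this host really
    opened rather than the ACK bit alone, which any packet can carry."""

    def __init__(self, published_ports=()):
        super().__init__(published_ports)
        self.flows = set()    # (local_port, remote_port) pairs we opened or accepted

    def decide(self, segment, inbound):
        src_port, dst_port, flags = parse_tcp_header(segment)
        if not inbound:
            if flags & SYN:
                self.flows.add((src_port, dst_port))
            return "allow"
        if (dst_port, src_port) in self.flows:
            return "allow"    # reply to a connection recorded in the table
        if flags & SYN and dst_port in self.published_ports:
            self.flows.add((dst_port, src_port))
            return "allow"
        return "drop"
```

The stateful variant drops an inbound packet that merely carries the ACK bit for a port nobody on this host is talking to, which the plain ACK-bit rule lets through.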
Now you hopefully have a basic knowledge
and understanding of firewalls and how they work. I strongly urge you to
install a good firewall on any computer that will be networked in any
way, or connected to the Internet. With the average personal firewall
being available today at prices ranging from free to around $30, you
have to admit that handling all this tricky stuff for you and keeping
you well protected makes a firewall both a true bargain, and a must have
for your computer.
Before departing, I strongly urge you to consider one other purchase for
your protection if you intend to be on the Internet. This purchase
recommendation is that of a router with a firewall. This is not a piece
of software, but rather a hardware device. It is connected between your
modem and your computer. A router will also have an IP address. When you
connect to the Internet with a router equipped with a firewall, the
outward-appearing IP address will be that of the router instead of your
computer. With this setup, you have very good protection indeed because
the Internet will be communicating with the router, and you will be
communicating with the router, keeping your true IP address secure. Your
ports are not directly accessible from the Internet this way either.
This is not to say that with a router in place you can surf the Web with
reckless abandon. Although you will still need to be careful about what
you click on and what you choose to open while surfing the Web, you will
have a very good extra layer of protection from direct attacks.
I hope this has increased your knowledge and helped you understand
firewalls and why you absolutely need to have one. Until we meet again
here at 5 Star Support.
Dave