Well, all these writeups with no explanation as to what a
firewall really is, at least in idiotese^H^H^H^H^H^H^H^H
plain English.
You may have heard of a firewall before:
your local sysadmin informs you that no, you can't use
Napster because your university has decided to block it with their
firewall, or perhaps they inform you that your computer needs to be using a
proxy server because you are behind a firewall.
So what is a firewall, what does it do, how does it work, and why do you want one?
A firewall is a computer, a dedicated piece of hardware, or a piece of software that acts as a
fireproof wall between one or more computers and everything and everyone else. It sits in the
path of all inbound and outbound traffic for a network, so every packet going in or out has to
pass through it:
        ---------------
        |  networked  |
        |  computers  |
        ---------------
               |
               | ---physical network
               |    connection to
               |    firewall
               |
        ---------------
        |  firewall   |
        ---------------
               |
               | ---physical connection
               |    to _everything_ else
              / \
             /   \
   -----------   -----------
   | another |   | another |
   | computer|   | computer|
   -----------   -----------
Because it sees every packet going to and from the machines behind it (anything behind the
firewall is part of the internal network; anything outside it falls into the category of
"everything else"), the firewall can decide, packet by packet, whether to permit that traffic.
It makes that decision by consulting a list of rules, which are normally written by the
system administrator for that particular network.
Rules can be very broad, very specific, or anywhere in between. Let's say that the system administrator has a
server behind the firewall, and this server accepts telnet connections. The admin doesn't want just
any user to be able to telnet into the machine, because that's a
security risk that can allow the machine to be hacked or cracked. Instead, he only wants people in the remote office to be able to telnet into the system. If the sysadmin knows the
IP subnet for the remote office, he can set the firewall to allow telnet connections only when the source IP address is in that subnet. This is an example of filtering inbound traffic. If the remote office owned an entire
class C subnet (let's say 207.46.130.x, written 207.46.130.0/24 in the notation most firewalls use), the administrator would set the firewall to allow connections only from addresses 207.46.130.0 through 207.46.130.255, which he would know for certain belong to the remote office.
Two caveats a practitioner should keep in mind: the rule trusts the source address written in the packet, so it narrows who can reach the service rather than proving who the requestor is, and telnet itself sends the login and password in clear text, so the rule makes the server harder to reach but does not make telnet safe.
The way the firewall would react to requests from
IP addresses in the 207.46.130.x subnet would be kind of like this:
Inbound request received for my-telnet-server.everything2.com
Who is the requestor?
Requestor is 207.46.130.132
Requestor OK, permit communication
After that, the firewall would allow the telnet traffic between the two machines to continue for that session, including the server's replies going back out. The catch is that a rule permits a particular combination of addresses and
port number (or
service), not the machine as a whole. For example, telnet is a
service that runs on
port 23. If the aforementioned 207.46.130.132 tried to connect to my-telnet-server.everything2.com on
port 25 (the
SMTP service), that is a new connection and is checked against the rules afresh; even if the currently permitted telnet session was still running, the request would be blocked, because the firewall is only permitting communication on port 23 for the server.
Thoroughly confused yet? Good. Let's talk about outbound communication.
Computers and servers behind the firewall will on occasion initiate outbound traffic. That traffic again must pass through the firewall before it can be seen by the outside world. Since
Napster is still on the tip of everyone's tongue, we'll use an example of how universities block Napster access.
The firewall can be configured (as shown earlier) to allow incoming communication from only one IP address or subnet. It can equally be configured to block a single IP address or subnet. Napster has about fifty servers, all on the 64.124.41.x subnet. If a university wants to block access to those servers, all it has to do is configure the firewall to block outbound traffic to, and inbound traffic from, 64.124.41.x. (A block keyed on addresses only holds as long as the servers stay on that subnet; if they move, the rule has to follow them.) The end result is that when you start Napster and it tries to communicate with the Napster servers, the firewall will say to itself the following:
Outbound request received for goa.napster.com
Is goa.napster.com a permittable destination?
No, it is not. Blocking communication.
The result of this is that your Napster client will sit there and eventually say that it can't find the server. Indeed it can't, because every packet your computer sends to those addresses is
dropped by the firewall before it reaches the outside world.
For the most part, when a firewall is in place, all traffic is blocked except what has been explicitly configured to be permitted; this is known as default deny. The opposite approach, blocking a few specific things and permitting everything else, is poor security: every service and every machine you forgot about stays exposed, and every new service that appears on the inside is reachable until someone notices.
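To make the rule evaluation concrete, here is a toy packet filter in Python. It is an added example, not code from the original writeup, and it models both the inbound telnet rule and the outbound Napster block described above on top of a default-deny policy, with a small session table so that replies to an allowed connection pass the way they do on a stateful firewall. The internal network 10.0.0.0/8, the server address 10.0.0.5 standing in for my-telnet-server.everything2.com, the address 64.124.41.10 standing in for goa.napster.com, and all port numbers other than 23 and 25 are constructed for the example.

```python
"""Toy packet filter: first-match rules, default deny, and a session table.

Added example, not code from the original writeup. Addresses in 10.0.0.0/8,
the port numbers other than 23 and 25, and the server addresses standing in
for my-telnet-server.everything2.com and goa.napster.com are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from outside, "out" = leaving the internal network
    src: str         # source IP address
    sport: int       # source port
    dst: str         # destination IP address
    dport: int       # destination port (the service, e.g. 23 for telnet)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" or "out"
    src: str = "0.0.0.0/0"       # any source address
    dst: str = "0.0.0.0/0"       # any destination address
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    """Evaluate rules top to bottom, first match wins; no match means deny.

    Packets belonging to a connection that a rule already allowed (including
    the replies flowing the other way) pass without needing their own rule.
    """

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()   # (src, sport, dst, dport) of allowed connections

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions or reply_of in self.sessions:
            return "allow"      # part of an established session
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.sessions.add(key)
                return rule.action
        return "deny"           # nothing matched: default deny


TELNET_SERVER = "10.0.0.5"         # constructed, stands in for my-telnet-server.everything2.com
INTERNAL = "10.0.0.0/8"            # constructed: the network behind the firewall
REMOTE_OFFICE = "207.46.130.0/24"  # the remote office's class C from the text
NAPSTER = "64.124.41.0/24"         # the Napster server subnet named in the text

RULES = [
    Rule("allow", "in",  src=REMOTE_OFFICE, dst=TELNET_SERVER, dport=23),  # office -> telnet
    Rule("deny",  "out", src=INTERNAL, dst=NAPSTER),                       # nobody talks to Napster
    Rule("deny",  "in",  src=NAPSTER, dst=INTERNAL),                       # and Napster talks to nobody
    Rule("allow", "out", src=INTERNAL, dport=80),                          # plain web browsing is fine
]


def run_scenarios(rules=RULES) -> dict:
    """Push the packets from the text's examples through the filter."""
    fw = Firewall(rules)
    results = {}
    # Remote office user telnets in: matched by the first rule and recorded as a session.
    results["office_telnet"] = fw.decide(Packet("in", "207.46.130.132", 40001, TELNET_SERVER, 23))
    # The server's reply goes out; no rule covers it, but it belongs to the allowed session.
    results["telnet_reply"] = fw.decide(Packet("out", TELNET_SERVER, 23, "207.46.130.132", 40001))
    # Same office host tries SMTP on the same server: a new connection, no rule, default deny.
    results["office_smtp"] = fw.decide(Packet("in", "207.46.130.132", 40002, TELNET_SERVER, 25))
    # A host outside the office subnet tries telnet: default deny again.
    results["stranger_telnet"] = fw.decide(Packet("in", "198.51.100.7", 40003, TELNET_SERVER, 23))
    # A student's Napster client calls a server in 64.124.41.x (port constructed): explicit deny.
    results["napster"] = fw.decide(Packet("out", "10.1.2.3", 40004, "64.124.41.10", 8888))
    # Ordinary web browsing from the same student machine is allowed.
    results["web"] = fw.decide(Packet("out", "10.1.2.3", 40005, "198.51.100.80", 80))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:16s} {verdict}")
```

Run it and the six scenarios print their verdicts. Only the rule list decides policy; the session table exists so the server's replies in an allowed connection pass without a separate outbound rule. Replacing the last rule with Rule("allow", "out", src=INTERNAL) would turn the policy into the "block a few things, permit everything else" approach warned against above, and because the first match wins, reordering the rules changes the outcome.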
Of course, the applications of a firewall listed above aren't the only reasons one might want a firewall. Any computer behind the firewall is protected from outside attack to the extent the rules are tight: any attempt to reach a port or machine that no rule permits is blocked before it gets there, and an attempt to compromise the network from the inside is blocked as well. A
Trojan Horse such as
Sub.Seven, for instance, opens a listening port on the infected machine so that an attacker can connect to it; with no inbound rule permitting that port, the attacker never reaches it. What the firewall cannot do is protect a service you have deliberately exposed: the telnet server above is still reachable from the remote office and is only as safe as the telnet service itself.
Firewalls are very, very important to the security of networks. A firewalled server or computer is inaccessible to the outside world except as permitted by the system or network administrator, which puts one more obstacle between it and a
potential attacker. In addition, they are important for the integrity and administration of a network. For more information on securing networks, read about firewalls on the Internet, try
newsgroups especially, and learn about
NAT (
Network Address Translation).
If you've just got a simple workstation or desktop at home that you're interested in securing now that you've got your
DSL or
cable modem (or university-provided Internet access), or even if you're security-conscious and on a standard modem, you might want to look into software-based firewalls (much, much cheaper than hardware firewalls), such as
ZoneAlarm,
BlackIce Defender,
Norton Internet Security, or
AtGuard (now a part of Norton Internet Security). I personally recommend Norton Internet Security because of its versatility and my own experience with it, but if you want a free firewall, use
ZoneAlarm (though its lack of configuration options causes me to urge you not to use it).
Hope that clears things up.