What keeps the bad guys on the outside of your network, and the data safe on the inside? A properly managed firewall, of course. Here are some ways to pick barriers that are fireproof.
The term firewall conjures up visions of a barrier that blocks flames from spreading from one area to another.
In a sense the term is appropriate; a firewall–either a hardware device or a piece of software–controls access between your computer or network and other networks, such as the Internet. Unlike a conventional firewall, a network firewall doesn’t close off all access to an area, it lets some traffic through while blocking access to other traffic. Perhaps a better way to think of a firewall is a wall of hydrants on a large skyscraper. Each hydrant represents a port. Just as firefighters connect hoses to some of the hydrants while leaving others unused, so network administrators allow users to connect to specified ports while blocking access to others. In both cases, only authorized personnel can access the on/off mechanisms.
In firewall terminology, your computer or network is considered “trusted” while other networks, like the Internet, are considered “untrusted.” Most firewall solutions use rules to manage what activity is and isn’t allowed. The rules you set up can enable your company to work with another business, keep your young kids off the Internet, or keep hackers out. Each port can have authorized or unauthorized uses. The trick is to enable authorized traffic without compromising the security of your network.
Given the increasing frequency and sophistication of unauthorized uses, if your computer connects to other computers, you need a firewall. Firewalls come in many types: Home users with a single computer and an Internet connection can get by with a simple software program, such as ZoneLabs ZoneAlarm; large enterprises need dedicated firewall hardware that maintain security while allowing lots of data to flow in and out.
Before choosing a firewall, note that there are two common types. Packet-filtering firewalls operate at the network layer. Positioned between your computer or network and the outside world, packet-filtering firewalls examine data packets and compare information in packet headers with the rules you’ve set up. Application-proxy firewalls work at the application layer. Users on the trusted network or computers must access the application-proxy firewall first to obtain access to the outside world. Rules on the application-proxy firewall determine which users and applications are authorized. All other activity is blocked.
Many firewalls combine both packet filtering and application-proxy services. Businesses may want to select one of these solutions both to protect the company and to manage internal user activity. Many business firewalls also include content blocking and logging facilities, which control what workers can do on company time.
Hardware or software?
We talked a bit earlier about software-based personal firewalls for consumers. There are also enterprise-grade firewall software solutions, but many businesses and users with home networks may wish to install and use a hardware-based firewall. These devices are especially handy in small business and SOHO networks.
Another option for budget-minded businesses and home users with networks is a dual-NIC firewall. It can be set up using a PC with two network cards. One network card routes traffic to and from the trusted network while the other card routes (or doesn’t route) traffic from untrusted networks. Here again, you can define rules.
There is one other wrinkle to consider when choosing firewall technology for home or work. While you certainly want to protect your private (trusted) network or computers, you may also wish to make some services visible to outsiders. You want your Web site’s features to be seen, but you hardly want to make your entire network visible to the outside world just to get visitors.
The answer to this problem is something called a demilitarized zone, or DMZ. Typically, a visitor to your Web site accesses the site after passing through one firewall that lets in specific machines and services (like HTTP). However, a second firewall behind the DMZ would prevent that Web site visitor from getting access your private network. Separate sets of rules are used on each firewall to allow or deny access as appropriate. Many business-grade hardware firewalls include built-in DMZ ports that are separate from LAN (private network) and WAN (public network) ports.
So, where should you set up a firewall? The answer really depends on the computer(s) that you have and their proximity to the outside world. If you have a single computer at home, installing personal firewall software on that machine will help keep evildoers away and spyware from phoning home.
For businesses and users with home networks, firewall technology is the first line of security defense for any network connections you have. Thus, the very first access point on your network should be a firewall. In addition, if you run distributed, multiplatform applications internally, you’ll likely want to implement one or more firewalls inside your internal network to protect important data.
Rules of the road
Aside from positioning, probably the most important part of setting up a firewall is defining the rules needed to manage network access. You want to be certain to stop unauthorized inbound and outbound traffic while allowing “good” traffic.
Many subscribe to the idea that firewalls should first be set to deny access. Then, rules can be added to open up ports as needed. This approach is a valid one, but it can cause the firewall rules table to become unmanageable.
It is easier on administration down the road to plan your rules configuration from the start. Think about the applications, services, and users that you want to allow on your computer or network. Make a list of these items. For example, do you want to allow all users at work to be able to surf the Web, or only the Research Department? Or, maybe you want to explicitly put rules in place to prevent the kids from visiting chat rooms while allowing them to access e-mail.
In other words, plan a rules set ahead of time that will be practical for business or family use. After adding the rules, monitor any alerts that come up carefully and check firewall logs frequently. If you find that a program is trying to access the Internet or an outside computer is trying to access your system, you can set a deny default response. Checking logs tells you if denied accesses are appropriate or if you need to add additional rules for a new application or user.
You may notice in some firewalls that certain operating-system components are automatically given access to the Internet. If you try to block these components, your computer may not function properly. Some operating systems, such as Windows, are designed to phone home. If you’d rather not have this, you might consider another OS that doesn’t automatically connect your system to its vendor.
Like other security technologies, firewall products should be updated regularly as new types of exploits are continuing to appear all the time. Firewall vendors frequently provide software or firmware updates; make sure to keep your firewall up to date for maximum protection.