What Are Firewalls and Do I Really Need One?

by Brian McConnell

Security is one of the greatest concerns expressed by businesses which are connecting their internal Local Area Networks (LANs) to the internet. The internet is a global network of networks, and because of its underlying design, is inherently insecure. Data is often sent across the network as clear text (i.e., is not encrypted or scrambled). It is also easy to impersonate someone else while you are online. While there is presently a great deal of paranoia about internet security, the good news is that there are some very good tools available for securing your network against unauthorized intrusion.

This tutorial focuses on the subject of firewalls, and is aimed at end users who are relatively new to the internet.

A firewall is a device or software application which serves as a flexible barrier between the computers on your internal network and the outside world (i.e., the internet). Firewalls apply a set of rules to decide who gets to connect to which machines and to what services they are authorized to use. When set up properly, a firewall provides an excellent means for protecting your network and the machines connected to it.

A firewall's primary purpose is to prevent outside users from accessing machines other than those set up for public access (i.e., your web server, FTP servers, etc.). Firewalls do this via several different tools:

  • Packet Filtering - here the firewall discards data before it ever reaches a particular machine. For example, you might want to deny access to a specific machine from outside your LAN. Using packet filtering, you tell the firewall to discard all packets destined to a specific machine. (See notes on this below.)
  • Client Access Lists - here the firewall is given a list of client PCs (outside IP addresses) which may access machine(s) on your LAN.
  • Server Access Lists - here the firewall is given a list of servers which can be accessed from outside your LAN.
  • User Authentication - here the firewall prompts outside users for a user name and password, and has an opportunity to grant or deny access to services on your network.
  • Address Obfuscation - here the firewall masks the IP addresses of your internal machines and makes them appear to outside users to be on different IP addresses. This makes it very difficult for hackers to access these machines without knowing their real IP addresses.

IP addresses, ports, and other items
Before going into a detailed description of these techniques, it is first helpful to explain how the internet addressing system works. There are 2 basic terms to understand here. Each machine on the internet has an IP address. This is the internet equivalent of a telephone number. An IP address identifies a specific device, workstation, etc., on the network. Behind each IP address, you can have several thousand port addresses. A port address is the internet equivalent of a telephone extension. For example, you might call 1-800-444-3556 to reach Hello Direct and then extension 8148 to reach Mike in sales. Likewise, if you connect to www.hellodirect.com on port (extension) 133, you'll be talking to the web server.

Port addresses are generally used to identify services. For example, a single workstation may provide many different services. It may be a worldwide web server, e-mail server, IRC (chat) server, etc. Each service typically listens for incoming requests on a specific port address. The HTTP protocol (basic building block of the worldwide web) usually monitors port 80.

This arrangement makes it possible to selectively block access to some services on a specific machine and not others. This is an important concept which we will return to shortly.

The majority of the data transmitted across the internet is not encrypted; it is sent as clear text. This means that if somebody is able to monitor the raw data coming in and out of your network, they will be able to see quite a bit. The good news is that most of the data transmitted on the net is "junk" data (i.e., images in web pages, routine correspondence, etc.). In order to find valuable information, someone would need to have physical access to your LAN, to your ISP, or to a channel through which most of your data passes. They would also need to screen a lot of data to find the interesting traffic.

Encryption enables you to close this loophole by rendering the data unreadable to outsiders. Strong forms of encryption, such as Rivest-Shamir-Adleman (RSA) public key encryption, are virtually unbreakable even to computer scientists with access to supercomputers capable of cycling through key combinations very rapidly. There are several different types of encryption in use, ranging from simple, easily cracked substitution algorithms, to DES, to public key encryption. Even very weak encryption is still very useful as it prevents casual observers from accidentally stumbling upon useful information. Strong public key encryption is secure enough for military applications (one of the reasons the U.S. Government has sought to prevent the export of public key encryption technology). 

Currently, encryption is usually employed only on a selective basis (i.e., for handling secure web orders). In the future, the next generation version of the TCP/IP protocol (the basic foundation of the internet), will incorporate support for low level encryption of network transmissions, as well as the authentication of IP addresses (this will make spoofing, the impersonation of someone else's IP address, more difficult). The available security technology today is very good, and will soon be in widespread use throughout the internet.

Packet filtering
Packet filtering is probably the easiest way to secure your internet connection. It lets you permit certain services to cross your LAN internet connection (i.e., e-mail, HTTP/worldwide web, IP phone calls, etc.), while blocking connections to services such as FTP, TFTP, Telnet, etc. (services which can potentially be used to compromise or break into a workstation). The general rule of thumb used is to deny access to everything except for common services such as web access, e-mail, etc., and then allow other types of traffic to pass through upon request. The basic idea is to start with a restrictive policy, then expand the list of permitted services as needed. This conservative approach makes it unlikely that someone will be able to exploit a weakness in a service like FTP.

A typical packet filtering arrangement will permit services such as HTTP (web), SMTP (e-mail), POP3 (e-mail), and DNS (address name resolution service) to traverse your firewall, while blocking data bound for other services. For example, there is usually no reason to allow users to access FTP services on personal workstations, especially since FTP can be used to access the file system on a computer. So, unless an individual has a specific need for people to be able to FTP files to and from his/her workstation, it is best to filter these services. Also, many PC operating systems, UNIX in particular, will often have undocumented services which run on oddball port addresses. Applying a generic filter to block access to normally unused ports further reduces the likelihood that someone will exploit an undocumented security gap in this manner.

One thing to be careful about: if you go overboard with packet filtering, you will block legitimate as well as illegitimate traffic. Primarily, you will want to block access to services like FTP, and to undocumented ports, while not restricting access to ports used for basic TCP/IP services such as worldwide web access, e-mail send/receive services, etc.

Client access lists
Another useful tool for securing your network is the client access list. Client access lists allow you to grant restricted or unrestricted access to all or part of your LAN based on the IP address of the outside party. This technique has its limitations since it is relatively easy to spoof (imitate) somebody else's IP address. It is most useful for securing workstations which do not normally receive requests from outside your LAN, or which service infrequent sessions from outside your LAN.

Note: IP address filtering gives you a good way to prevent spammers from taking over your company's mail server. Most internet e-mail servers are designed to accept e-mail from any e-mail address, to any e-mail address. The service used to deliver e-mail on the internet, simple mail transfer protocol (SMTP), has essentially no built-in security features, and so it is very easy to trick somebody else's e-mail server into sending your junk mail (while making it appear to originate from a third party's network). This is not only very annoying, but it can be damaging when irate people start blaming you for somebody else's junk e-mail. Using IP address filtering, you can filter incoming SMTP requests from problem domains (i.e., cyberpromo.com).

Server access lists
This is a variation of packet filtering. Here you are defining a list of servers which can be accessed from outside your office. This makes it relatively easy to declare certain workstations verboten, and even to conceal their existence from the outside network.
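The default-deny packet filter, the SMTP client access list and the server access list described in the last three sections can be seen working together in the following example. It is added here and is not from the article; the policy, the hosts and the sample traffic are all constructed, using addresses from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy (not from the article): start from "deny everything"
# and permit only the common services the article names.
ALLOWED_SERVICES = {"tcp/80": "http", "tcp/25": "smtp", "tcp/110": "pop3", "udp/53": "dns"}

# Server access list: only these internal machines may be reached from outside.
PUBLIC_SERVERS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.25")}

# Client access list for SMTP: a constructed "problem network" whose relaying is refused.
SMTP_BLOCKED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def decide(pkt: Packet) -> tuple:
    """Return (verdict, reason) for one inbound packet. Rules are checked in
    order and the first match wins; anything not explicitly allowed is denied."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    key = f"{pkt.proto}/{pkt.dport}"
    # Server access list: unlisted internal machines are invisible from outside.
    if dst not in PUBLIC_SERVERS:
        return "deny", "destination not on server access list"
    # Packet filtering: only the listed services may traverse the firewall.
    if key not in ALLOWED_SERVICES:
        return "deny", f"service {key} not permitted"
    # Client access list: refuse mail relaying from the blocked network.
    if ALLOWED_SERVICES[key] == "smtp" and any(src in net for net in SMTP_BLOCKED_CLIENTS):
        return "deny", "smtp client on block list"
    return "allow", ALLOWED_SERVICES[key]

def filter_packets(packets):
    return [(p, *decide(p)) for p in packets]

# Constructed sample traffic arriving at the outside interface of the firewall.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80),   # web request to the web server: allow
    Packet("198.51.100.7", "192.0.2.10", "tcp", 21),   # FTP to the web server: deny
    Packet("198.51.100.7", "192.0.2.50", "tcp", 80),   # workstation not on the server list: deny
    Packet("203.0.113.9", "192.0.2.25", "tcp", 25),    # mail from the blocked network: deny
    Packet("198.51.100.7", "192.0.2.25", "tcp", 25),   # ordinary mail to the mail server: allow
    Packet("198.51.100.7", "192.0.2.10", "udp", 53),   # DNS lookup: allow
]

if __name__ == "__main__":
    for pkt, verdict, reason in filter_packets(SAMPLE):
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {verdict} ({reason})")
```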

User authentication
User authentication is a helpful tool in environments where it is not practical to globally block access to specific workstations or services. Telecommuters, for example, may have a legitimate need to FTP files to and from their machines at the office. Your network administrator may decide to work from home several days a week.

User authentication comes in both weak and strong forms. The weak form prompts the user for a user ID and password pair. This information may or may not be encrypted when transmitted across the internet. The strong form either employs public key encryption, or uses a key card (handheld LCD card which generates a random series of access codes, so a different PIN is used to access the network for each session). The latter scheme is very difficult to break without assistance from insiders.

Address obfuscation
Address obfuscation is another technique for securing your network. This is a great example of the premise of "security through obscurity." If an intruder has no idea where a particular resource is located, it will be difficult to compromise. Address obfuscation does this by altering your computers' IP addresses to appear different than they actually are to outside users. Inside your LAN, users will see your machines' real IP addresses. Users outside your LAN will see different IP addresses. By making it difficult for intruders to obtain the real IP addresses of machines inside your network, you make it difficult for someone to access your workstations through indirect means (i.e., by installing a malicious program on your web server which is used to leapfrog into other machines inside your LAN). This in and of itself is a fairly weak defense, but when used in combination with these other techniques it makes it even more difficult to compromise your computers.
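What the article calls address obfuscation is done today with network address translation (NAT). The following added example (mine, not the author's) is a simplified port-based translator: outbound traffic is rewritten to a single public address, replies are mapped back to the real internal host, and an inbound packet that matches no session started from inside is dropped, which is what keeps the internal addresses hidden. All addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses, not from the original article.
PUBLIC_IP = "198.51.100.1"                          # the only address outsiders see
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # real addresses, kept inside the LAN

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class AddressTranslator:
    """Rewrites outbound packets so they appear to come from PUBLIC_IP and maps
    the replies back to the real internal host. Inbound packets that match no
    active session are dropped, which is what hides the internal machines."""

    def __init__(self, first_port=40000):
        self.next_port = first_port
        # public port -> (internal ip, internal port, remote ip, remote port)
        self.table = {}

    def outbound(self, pkt):
        if ipaddress.ip_address(pkt.src) not in INTERNAL_NET:
            raise ValueError("outbound packet is not from the internal network")
        session = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # Reuse the mapping for an existing session, otherwise allocate a new public port.
        public_port = next((p for p, s in self.table.items() if s == session), None)
        if public_port is None:
            public_port, self.next_port = self.next_port, self.next_port + 1
            self.table[public_port] = session
        return replace(pkt, src=PUBLIC_IP, sport=public_port)

    def inbound(self, pkt):
        """Return the packet rewritten to its real internal destination, or None
        when the packet belongs to no session that an internal host started."""
        if pkt.dst != PUBLIC_IP:
            return None
        session = self.table.get(pkt.dport)
        if session is None or (pkt.src, pkt.sport) != session[2:]:
            return None  # unsolicited or from the wrong peer: silently dropped
        real_ip, real_port = session[:2]
        return replace(pkt, dst=real_ip, dport=real_port)

def demo():
    nat = AddressTranslator()
    request = Packet("10.0.0.5", 51000, "203.0.113.80", 80)   # workstation fetches a web page
    on_the_wire = nat.outbound(request)                       # outsider sees 198.51.100.1:40000
    reply = Packet("203.0.113.80", 80, PUBLIC_IP, on_the_wire.sport)
    delivered = nat.inbound(reply)                            # mapped back to 10.0.0.5:51000
    probe = Packet("203.0.113.66", 4444, PUBLIC_IP, 40000)    # someone else probing that port
    return on_the_wire, delivered, nat.inbound(probe)
```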

Different types of firewalls
Firewalls come in several different forms. Some are standalone appliances which connect directly to an Ethernet LAN. Some are software toolkits which can be installed on Windows NT or UNIX workstations. Some are integrated into internet access devices (i.e., routers).  

  • Standalone network appliances - standalone firewalls are a good choice if you are already connected to the internet, and do not want to replace your router, or if you need a high-capacity firewall. These units typically have 2 Ethernet jacks, one for your internal LAN connection, one for your external WAN/internet connection.
  • Software-based firewalls - these products turn a PC into a firewall. The benefit of software-based firewalls is that they can be used to convert an existing machine into a firewall device. Usually, all you need to do is to install a second Ethernet adapter in a workstation to turn it into a firewall. The only problem with this is that if the host PC is not set up correctly, it can be compromised. If your firewall can be compromised, then so can the rest of your network. Only go this route if you thoroughly understand the networking services offered by the operating system you'll be installing this on.
  • Integrated firewall/router combinations - most router manufacturers now include firewall capability as a software upgrade. This enables you to get integrated internet connectivity and security services from a single appliance which connects directly to your LAN. These devices, since they do not run on top of a PC operating system, are highly secure when they are set up correctly. This is usually the easiest and most cost-effective way to go.

Do you even need a firewall in the first place?
Chances are, if you are a small business, you may not even need a firewall. If you are using a dial-up modem connection, or are using an on-demand ISDN connection to the internet, a firewall is usually not necessary. This is because your internet connection is only operating when you need it. If your internet connection is down, then an outsider has no way of connecting to your LAN via the internet, and so a firewall is unnecessary.

Here's an example to illustrate this point. Let's assume that your office has an internet access appliance such as Webramp or Netopia. When someone on your LAN needs to access the internet (i.e., to browse a web page, fetch e-mail, etc.), it brings your internet connection up, and then drops it once the connection is no longer needed. This minimizes the cost of your internet connection, and it also makes it very difficult for an outsider to connect to your computers. Not only must he correctly guess the IP address of your machine (it often varies from session to session with dial-up and ISDN connections), but he must also have guessed your user account and password, AND he must correctly guess exactly when you have an active connection to the internet. If you are an occasional internet user, and your connection is down most of the time, it will be very difficult for somebody to compromise your computer if you are using a dial-up connection.

If you have a dedicated internet connection, one which is up 24 hours a day, then putting a firewall in place is probably a good idea since a hacker could systematically try to break into your machines in the early morning hours when you are least likely to detect it. (Most break-ins usually go undetected unless the intruder damages or erases files from a machine).

Selecting a firewall
I recommend buying a router that has a firewall built into it. This is usually the most cost-effective solution, is easy to set up and administer, and does not require the purchase of superfluous hardware. If you already have a router in place, a stand-alone firewall may also be a good idea, especially now that low-cost turnkey units are starting to appear. Unless you are an expert in networking software, I generally don't recommend software-based firewalls.

Most router vendors now offer basic firewall services either as a basic feature or as an optional upgrade. Ascend, for example, has a firewall upgrade for their Pipeline 50 series of ISDN routers. It only adds $100 or so to the cost of the router, and so it's a great value compared to buying a standalone appliance.

Some additional security tips
Besides installing a firewall there are a number of simple things you can do which will further enhance the security of your network. Here are a few examples.  

  • Put sensitive data on a machine which cannot be accessed via TCP/IP - most PC operating systems support multiple networking protocols, such as NetBEUI, IPX/SPX, TCP/IP and others. One technique for sequestering sensitive data is to put it on a machine which has no TCP/IP connectivity, and instead talks to other machines using a LAN protocol such as NetBEUI. If your router is programmed to prevent non-TCP/IP data from exiting your LAN, this makes it very difficult for an outsider to access this machine. If there's no need for the machine to be networked, you may want to consider isolating the machine altogether if the data is especially sensitive.
  • Disable drive mapping on servers which can be accessed from outside your LAN - many operating systems allow you to view hard drives on remote machines as local disk drives. While this is convenient, it is also a security loophole. For example, if your FTP server can see remote disk drives on other machines as local drives, an outsider can sometimes use FTP to access those remote drives, as well as the FTP server's own disk. This can be a recipe for disaster. In general, it is good to limit FTP access anyway, but always make sure drive mapping is disabled on publicly visible machines.
  • Get rid of lightweight operating systems - Windows 3.1 and Windows 95 have pretty weak security services compared to higher end operating systems like Windows NT and UNIX. Seriously consider upgrading to a more secure OS on machines where sensitive data or services may be located. Windows NT is highly rated for its security features. If you properly utilize them, you can make each workstation very secure, so even if someone does get past your firewall, they will then have to correctly guess a privileged password on each workstation (not easy without insider help).
  • Disable unnecessary services - most TCP/IP services are relatively harmless even if they are abused. However, some provide direct access to your computer's console or to the file system. FTP is one such service. It is used to view and transfer files between internet hosts. It is a very useful service, but if compromised, someone can potentially access the entire disk drive of the affected machine. If you don't need FTP on a particular machine, just disable it. If you do need FTP on a machine, it is a good idea to set up accounts which can only be used during specific time periods (i.e., deny connections after normal business hours, disable accounts if more than 3 invalid passwords are given in a row, etc.).
  • Don't use obvious passwords - many people just use their name as a password; this is not a good idea. The best passwords consist of a combination of letters (upper and lower case) and numbers. This makes it very difficult to guess a password. For example, "bingo" would not be a good password since it could be guessed easily by a password cracking program. "75BinGO" would, on the other hand, be a good password because of the combination of numbers, lower case, and upper case letters. This will be difficult to guess, especially if an account is frozen after 3 invalid login attempts.