What Are Firewalls and Do I Really Need One?
by Brian McConnell
Security is one of the greatest concerns expressed by businesses which are connecting
their internal Local Area Networks (LANs) to the internet. The internet is a global network of networks,
and because of its underlying design, is inherently insecure. Data is often sent across
the network as clear text (i.e., is not encrypted or scrambled). It is also easy to
impersonate someone else while you are online. While there is presently a great deal
of paranoia about internet security, the good news is that there are some very good
tools available for securing your network against unauthorized intrusion.
This tutorial focuses on the subject of firewalls, and is aimed at end users who
are relatively new to the internet.
A firewall is a device or software application which serves as a flexible barrier
between the computers on your internal network and the outside world
(i.e., the internet). Firewalls apply a set of rules to decide who gets to connect to
which machines and to what services they are authorized to use. When set up
properly, a firewall provides an excellent means for protecting your network and the machines
connected to it.
A firewall's primary purpose is to prevent outside users from accessing machines other
than those set up for public access (i.e., your web server, FTP servers, etc.). They do
this via several different tools:
- Packet Filtering - here the firewall discards data before it ever reaches a particular
machine. For example, you might want to deny access to a specific machine from outside
your LAN. Using packet filtering, you tell the firewall to discard all
packets destined to a specific machine. (See notes on this below.)
- Client Access Lists - here the firewall is given a list of client PCs
(outside IP addresses) which may access machine(s) on your LAN.
- Server Access Lists - here the firewall is given a list of servers which can be
accessed from outside your LAN.
- User Authentication - here the firewall prompts outside users for a user name
and password, and has an opportunity to grant or deny access to services on your network.
- Address Obfuscation - here the firewall masks the IP addresses of your internal
machines and makes them appear to outside users to be on different IP addresses. This
makes it very difficult for hackers to access these machines without knowing their real IP addresses.
IP addresses, ports, and other items
Before going into a detailed description of these techniques, it is first helpful to
explain how the internet addressing system works. There are 2 basic terms to understand
here. Each machine on the internet has an IP address. This is the internet equivalent of a
telephone number. An IP address identifies a specific device, workstation, etc., on the
network. Behind each IP address, you can have several thousand port addresses. A port
address is the internet equivalent of a telephone extension. For example, you might
call 1-800-444-3556 to reach Hello Direct and then extension 8148 to reach Mike in sales. Likewise,
if you connect to www.hellodirect.com on port (extension) 133, you'll be talking to the
web server.
Port addresses are generally used to identify services. For example, a single workstation
may provide many different services. It may be a worldwide web server, e-mail server, IRC
(chat) server, etc. Each service typically listens for incoming requests on a specific
port address. The HTTP protocol (basic building block of the worldwide web) usually
monitors port 80.
This arrangement makes it possible to selectively block access to some services
on a specific machine and not others. This is an important concept which we will
return to shortly.
The majority of the data transmitted across the internet is not encrypted; it
is sent as clear text. This means that if somebody is able to monitor the raw data
coming in and out of your network, they will be able to see quite a bit. The good
news is that most of the data transmitted on the net is "junk" data (i.e., images in
web pages, routine correspondence, etc.). In order to find valuable information, someone
would need to have physical access to your LAN, to your ISP, or to a channel through which
most of your data passes. They would also need to screen a lot of data to fetch the
interesting traffic.
Encryption enables you to close this loophole by rendering the data unreadable to
outsiders. Strong forms of encryption, such as Rivest-Shamir-Adleman (RSA) public key encryption, are virtually
unbreakable even to computer scientists with access to supercomputers capable of
cycling through key combinations very rapidly. There are several different types of
encryption in use, ranging from simple, easily cracked substitution algorithms, to
DES, to public key encryption. Even very weak encryption is still very useful as it
prevents casual observers from accidentally stumbling upon useful information. Strong
public key encryption is secure enough for military applications (one of the reasons the
U.S. Government has sought to prevent the export of public key encryption technology).
Currently, encryption is usually employed only on a selective basis (i.e., for handling
secure web orders). In the future, the next generation version of the TCP/IP protocol
(the basic foundation of the internet), will incorporate support for low level encryption
of network transmissions, as well as the authentication of IP addresses (this will make
spoofing, the impersonation of someone else's IP address, more difficult). The available
security technology today is very good, and will soon be in widespread use throughout
the internet.
Packet filtering
Packet filtering is probably the easiest way to secure your internet connection. It lets you
permit certain services to cross your LAN internet connection (i.e.,
e-mail, HTTP/worldwide web, IP phone calls, etc.), while blocking connections to services
such as FTP, TFTP, Telnet, etc. (services which can potentially be used to compromise or
break into a workstation). The general rule of thumb used is to deny access to everything
except for common services such as web access, e-mail, etc., and then allow other types of
traffic to pass through upon request. The basic idea is to start with a restrictive policy,
then expand the list of permitted services as needed. This conservative approach makes
it unlikely that someone will be able to exploit a weakness in a service like FTP.
A typical packet filtering arrangement will permit services such as HTTP (web), SMTP
(e-mail), POP3 (e-mail), and DNS (address name resolution service) to traverse your
firewall, while blocking data bound for other services. For example, there is usually
no reason to allow users to access FTP services on personal workstations, especially
since FTP can be used to access the file system on a computer. So, unless an individual has
a specific need for people to be able to FTP files to and from his/her workstation, it is
best to filter these services. Also, many PC operating systems, UNIX in particular, will
often have undocumented services which run on oddball port addresses. Applying a generic
filter to block access to normally unused ports further reduces the likelihood that someone
will exploit an undocumented security gap in this manner.
One thing to be careful about: if you go overboard with packet filtering, you will block
legitimate as well as illegitimate traffic. Primarily, you will want to block access to
services like FTP, and to undocumented ports, while not restricting access to ports used
for basic TCP/IP services such as worldwide web access, e-mail send/receive services, etc.
Client access lists
Client access lists are another useful tool for securing your network. These allow you
to grant restricted or unrestricted access to all or part of your LAN based on the IP
address of the outside party. This technique has its limitations since it is relatively
easy to spoof (imitate) somebody else's IP address. This is most useful for securing
workstations which do not normally receive requests from outside your LAN, or which
service infrequent sessions from outside your LAN.
Note: IP address filtering gives you a good way to prevent spammers from taking over your
company's mail server. Most internet e-mail servers are designed to accept e-mail from
any e-mail address, to any e-mail address. The service used to deliver e-mail on the internet,
simple mail transfer protocol (SMTP), has essentially no built-in security features, and
so it is very easy to trick somebody else's e-mail server into sending your junk mail
(while making it appear to originate from a third party's network). This is not only
very annoying, but it can be damaging when irate people start blaming you for somebody
else's junk e-mail. Using IP address filtering, you can filter incoming SMTP requests from
problem domains (i.e., cyberpromo.com).
Server access lists
This is a variation of packet filtering. Here you are defining a list of servers
which can be accessed from outside your office. This makes it relatively easy to
declare certain workstations verboten, and even to conceal their existence from the
outside network.
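Packet filtering, client access lists and server access lists, as described in the three sections above, can be modelled as a single ordered rule set with a default deny. The following is an added Python example, not code from the original article; the LAN, the public servers and the "problem network" refused for SMTP are constructed addresses chosen for illustration:

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample network; none of these addresses come from the article.
LAN = ipaddress.ip_network("192.0.2.0/24")
WEB_SERVER = ipaddress.ip_address("192.0.2.10")
MAIL_SERVER = ipaddress.ip_address("192.0.2.25")
PUBLIC_SERVERS = {WEB_SERVER, MAIL_SERVER}                 # server access list
BLOCKED_SMTP_NET = ipaddress.ip_network("203.0.113.0/24")  # client access list (hypothetical)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port, i.e. the service being asked for

def filter_inbound(p: Packet) -> str:
    """Decide 'allow' or 'deny' for a packet arriving on the internet side.

    Rules are tested in order and the first match wins; a packet that matches
    nothing is discarded, which is the article's start-restrictive policy.
    """
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if src in LAN or dst not in LAN:
        return "deny"        # an inside address arriving from outside is spoofed
    if dst not in PUBLIC_SERVERS:
        return "deny"        # server access list: workstations are not reachable
    if src in BLOCKED_SMTP_NET and p.proto == "tcp" and p.dport == 25:
        return "deny"        # client access list: refuse mail from a problem network
    if dst == WEB_SERVER and p.proto == "tcp" and p.dport == 80:
        return "allow"       # HTTP
    if dst == MAIL_SERVER and p.proto == "tcp" and p.dport in (25, 110):
        return "allow"       # SMTP and POP3
    if p.proto == "udp" and p.dport == 53:
        return "allow"       # DNS
    return "deny"            # FTP (21), Telnet (23), TFTP (69), oddball ports...

SAMPLE_PACKETS = [  # constructed traffic, with the expected verdicts
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80),  # web browsing         -> allow
    Packet("198.51.100.7", "192.0.2.25", "tcp", 25),  # legitimate mail      -> allow
    Packet("203.0.113.9", "192.0.2.25", "tcp", 25),   # mail from blocked net -> deny
    Packet("198.51.100.7", "192.0.2.10", "tcp", 21),  # FTP to the web server -> deny
    Packet("198.51.100.7", "192.0.2.77", "tcp", 80),  # internal workstation  -> deny
    Packet("192.0.2.5", "192.0.2.10", "tcp", 80),     # spoofed LAN source    -> deny
]

def audit(packets):
    """Apply the filter to each packet and return (packet, verdict) pairs."""
    return [(p, filter_inbound(p)) for p in packets]

if __name__ == "__main__":
    for p, verdict in audit(SAMPLE_PACKETS):
        print(f"{verdict:5} {p.proto}/{p.dport:<3} {p.src} -> {p.dst}")
```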
User authentication
User authentication is a helpful tool in environments where it is not practical to
globally block access to specific workstations or services. Telecommuters, for example,
may have a legitimate need to FTP files to and from their machines at the office. Your
network administrator may decide to work from home several days a week.
User authentication comes in both weak and strong forms. The weak form prompts the user
for a user ID and password pair. This information may or may not be encrypted when
transmitted across the internet. The strong form either employs public key encryption,
or uses a key card (handheld LCD card which generates a random series of access codes,
so a different PIN is used to access the network for each session). The latter scheme
is very difficult to break without assistance from insiders.
Address obfuscation
Address obfuscation is another technique for securing your network. This is a great
example of the premise of "security through obscurity." If an intruder has no idea where
a particular resource is located, it will be difficult to compromise. Address obfuscation
does this by altering your computers' IP addresses to appear different than they actually
are to outside users. Inside your LAN, users will see your machines' real IP addresses.
Users outside your LAN will see different IP addresses. By making it difficult for
intruders to obtain the real IP addresses of machines inside your network, you make
it difficult for someone to access your workstations through indirect means (i.e., by
installing a malicious program on your web server which is used to leapfrog into other
machines inside your LAN). This in and of itself is a fairly weak defense, but when used in
combination with these other techniques it makes it even more difficult to compromise
your computers.
Different types of firewalls
Firewalls come in several different forms. Some are standalone appliances which
connect directly to an Ethernet LAN. Some are software toolkits which can be installed
on Windows NT or UNIX workstations. Some are integrated into internet access devices
(i.e., routers).
- Standalone network appliances - standalone firewalls are a good choice if you are
already connected to the internet, and do not want to replace your router, or if you need
a high-capacity firewall. These units typically have 2 Ethernet jacks, one for your
internal LAN connection, one for your external WAN/internet connection.
- Software-based firewalls - these products turn a PC into a firewall. The benefit
of software-based firewalls is that they can be used to convert an existing machine
into a firewall device. Usually, all you need to do is to install a second Ethernet
adapter in a workstation to turn it into a firewall. The only problem with this is
that if the host PC is not set up correctly, it can be compromised. If your firewall
can be compromised, then so can the rest of your network. Only go this route if you
thoroughly understand the networking services offered by the operating system you'll
be installing this on.
- Integrated firewall/router combinations - most router manufacturers now include
firewall capability as a software upgrade. This enables you to get integrated internet
connectivity and security services from a single appliance which connects directly to
your LAN. These devices, since they do not run on top of a PC operating system, are
highly secure when they are set up correctly. This is usually the easiest and most cost-effective way to go.
Do you even need a firewall in the first place?
Chances are, if you are a small business, you may not even need a firewall.
If you are using a dial-up modem connection, or are using an on-demand ISDN
connection to the internet, a firewall is usually not necessary. This is because
your internet connection is only operating when you need it. If your internet connection
is down, then an outsider has no way of connecting to your LAN via the internet, and
so a firewall is unnecessary.
Here's an example to illustrate this point. Let's assume that your office has an
internet access appliance such as Webramp or Netopia. When someone on your LAN needs
to access the internet (i.e., to browse a web page, fetch e-mail, etc.), it brings your
internet connection up, and then drops it once the connection is no longer needed.
This minimizes the cost of your internet connection, and it also makes it very difficult
for an outsider to connect to your computers. Not only must he correctly guess the IP
address of your machine (it often varies from session to session with dial-up and ISDN
connections), but he must also have guessed your user account and password, AND he must
correctly guess exactly when you have an active connection to the internet. If you are an
occasional internet user, and your connection is down most of the time, it will be very
difficult for somebody to compromise your computer if you are using a dial-up connection.
If you have a dedicated internet connection, one which is up 24 hours a day, then putting
a firewall in place is probably a good idea since a hacker could systematically try to
break into your machines in the early morning hours when you are least likely to detect
it. (Most break-ins go undetected unless the intruder damages or erases files
from a machine.)
Selecting a firewall
I recommend buying a router that has a firewall built into it. This is
usually the most cost-effective solution, is easy to set up and administer, and does
not require the purchase of superfluous hardware. If you already have a router in place,
a stand-alone firewall may also be a good idea, especially now that low-cost turnkey
units are starting to appear. Unless you are an expert in networking software, I generally
don't recommend software-based firewalls.
Most router vendors now offer basic firewall services either as a basic feature or
as an optional upgrade. Ascend, for example, has a firewall upgrade for their Pipeline 50
series of ISDN routers. It only adds $100 or so to the cost of the router, and so it's
a great value compared to buying a standalone appliance.
Some additional security tips
Besides installing a firewall there are a number of simple things you can do which
will further enhance the security of your network. Here are a few examples.
- Put sensitive data on a machine which cannot be accessed via TCP/IP - most PC operating
systems support multiple networking protocols, such as NetBEUI, IPX/SPX, TCP/IP and others.
One technique for sequestering sensitive data is to put it on a machine which has no TCP/IP
connectivity, and instead talks to other machines using a LAN protocol such
as NetBEUI. If your router is programmed to prevent non-TCP/IP data from exiting your LAN,
this makes it very difficult for an outsider to access this machine. If there's no need for
the machine to be networked, you may want to consider isolating the machine altogether if
the data is especially sensitive.
- Disable drive mapping on servers which can be accessed from outside your LAN - many
operating systems allow you to view hard drives on remote machines as local disk drives.
While this is convenient, it is also a security loophole. For example, if your FTP server
can see remote disk drives on other machines as local drives, an outsider can sometimes use
FTP to access those remote drives, as well as the FTP server's own disk. This can be a recipe
for disaster. In general, it is good to limit FTP access anyway, but always make sure drive
mapping is disabled on publicly visible machines.
- Get rid of lightweight operating systems - Windows 3.1 and Windows 95 have pretty
weak security services compared to higher end operating systems like Windows NT and UNIX.
Seriously consider upgrading to a more secure OS on machines where sensitive data or
services may be located. Windows NT is highly rated for its security features. If you
properly utilize them, you can make each workstation very secure, so even if someone does
get past your firewall, they will then have to correctly guess a privileged password on
each workstation (not easy without insider help).
- Disable unnecessary services - most TCP/IP services are relatively harmless even
if they are abused. However, some provide direct access to your computer's console or
to the file system. FTP is one such service. It is used to view and transfer files between
internet hosts. It is a very useful service, but if compromised, someone can potentially
access the entire disk drive of the affected machine. If you don't need FTP on a particular
machine, just disable it. If you do need FTP on a machine, it is a good idea to set up
accounts which can only be used during specific time periods (i.e., deny connections after
normal business hours, disable accounts if more than 3 invalid passwords are given in a
row, etc.).
- Don't use obvious passwords - many people just use their name as a password; this is
not a good idea. The best passwords consist of a combination of letters (upper and
lower case) and numbers. This makes it very difficult to guess a password. For example,
"bingo" would not be a good password since it could be guessed easily by a password
cracking program. "75BinGO" would, on the other hand, be a good password because of
the combination of numbers, lower case, and upper case letters. This will be difficult
to guess, especially if an account is frozen after 3 invalid login attempts.
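The account rules suggested for FTP above (accept logins only during business hours, freeze the account after 3 invalid passwords in a row) together with the mixed-case-plus-digits password rule, as an added Python example that is not part of the original article. The 08:00-18:00 window, the account name and the hashing scheme are assumptions made for the example:

```python
import hashlib
import hmac
import os

BUSINESS_HOURS = (8, 18)   # hypothetical window: logins accepted 08:00-17:59
MAX_FAILURES = 3           # article: freeze the account after 3 bad passwords in a row

def password_is_strong(pw: str) -> bool:
    """The article's rule: upper case, lower case and digits together,
    so 'bingo' is rejected while '75BinGO' is accepted."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))

class FtpAccount:
    """A restricted FTP account: business hours only, locked after repeated failures."""

    def __init__(self, name: str, password: str):
        if not password_is_strong(password):
            raise ValueError("password must mix upper case, lower case and digits")
        self.name = name
        self._salt = os.urandom(16)
        self._digest = self._hash(password)   # never keep the password itself
        self.failures = 0
        self.locked = False

    def _hash(self, pw: str) -> bytes:
        # sha256 keeps the example short; a real service uses a slow password hash.
        return hashlib.sha256(self._salt + pw.encode()).digest()

    def login(self, password: str, hour: int) -> str:
        """Return 'ok', 'locked', 'outside-hours' or 'bad-password'.
        `hour` is the server clock's hour of day (0-23) at the attempt."""
        if self.locked:
            return "locked"
        start, end = BUSINESS_HOURS
        if not start <= hour < end:
            return "outside-hours"           # refused before the password is even checked
        if not hmac.compare_digest(self._hash(password), self._digest):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True           # stays frozen until an administrator resets it
            return "bad-password"
        self.failures = 0                    # a successful login clears the strike count
        return "ok"

if __name__ == "__main__":
    acct = FtpAccount("telecommuter", "75BinGO")
    print(acct.login("75BinGO", 23))         # outside-hours
    for guess in ("bingo", "Bingo1", "bingo2"):
        print(acct.login(guess, 10))         # bad-password three times, account now locked
    print(acct.login("75BinGO", 10))         # locked
```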