What Are Firewalls and Do I Really Need One?
Security is one of the greatest concerns expressed by businesses
which are connecting their internal Local Area Networks (LANs) to
the internet. The internet is a global network of networks, and
because of its underlying design, is inherently insecure. Data is
often sent across the network as clear text (i.e., is not encrypted
or scrambled). It is also easy to impersonate someone else while you
are online. While there is presently a great deal of paranoia about
internet security, the good news is that there are some very good
tools available for securing your network against unauthorized
This tutorial focuses on the subject of firewalls, and is aimed
at end users who are relatively new to the internet.
A firewall is a device or software application which serves as a
flexible barrier between the computers on your internal network and
the outside world (i.e., the internet). Firewalls apply a set of
rules to decide who gets to connect to which machines and to what
services they are authorized to use. When set up properly, a
firewall provides an excellent means for protecting your network and
the machines connected to it.
A firewall's primary purpose is to prevent outside users from
accessing machines other than those set up for public access (i.e.,
your web server, FTP servers,
etc.). They do this via several different tools:
Filtering - here the firewall discards data before it ever reaches
a particular machine. For example, you might want to deny access
to a specific machine from outside your LAN. Using packet
filtering, you tell the firewall to discard all packets destined
to a specific machine. (See notes on this below.)
- Client Access Lists - here the firewall is given a list of
client PCs (outside
IP addresses) which may access machine(s) on your
- Server Access Lists - here the firewall is given a list of
servers which can be accessed from outside your LAN.
- User Authentication - here the firewall prompts outside users
for a user name and password, and has an opportunity to grant or
deny access to services on your network.
- Address Obfuscation - here the firewall masks the IP addresses
of your internal machines and makes them appear to outside users
to be on different IP addresses. This makes it very difficult for
hackers to access these machines without knowing their real IP
IP addresses, ports, and other items
Before going into a detailed description of these techniques, it is
first helpful to explain how the internet addressing system works.
There are 2 basic terms to understand here. Each machine on the
internet has an IP address. This is the internet equivalent of a
telephone number. An IP address identifies a specific device,
workstation, etc., on the network. Behind each IP address, you can
have several thousand port addresses. A port address is the internet
equivalent of a telephone extension. For example, you might call
1-800-444-3556 to reach Hello Direct and then extension 8148 to
reach Mike in sales. Likewise, if you connect to www.hellodirect.com
on port (extension) 133, you'll be talking to the web server.
Port addresses are generally used to identify services. For
example, a single workstation may provide many different services.
It may be a worldwide web server, e-mail server, IRC (chat) server,
etc. Each service typically listens for incoming requests on a
specific port address. The
(basic building block of the worldwide web) usually monitors port
This arrangement makes it possible to selectively block access to
some services on a specific machine and not others. This is an
important concept which we will return to shortly.
The majority of the data transmitted across the internet is not
encrypted, it is sent as clear text. This means that if somebody is
able to monitor the raw data coming in and out of your network, they
will be able to see quite a bit. The good news is that most of the
data transmitted on the net is "junk" data (i.e., images in web
pages, routine correspondence, etc.). In order to find valuable
information, someone would need to have physical access to your LAN,
to your ISP, or a
channel through which most of your data passes. They would also need
to screen a lot of data to fetch the interesting traffic.
Encryption enables you to close this loophole by rendering the
data unreadable to outsiders. Strong forms of encryption, such as
Rivest-Shamir-Adleman (RSA) public key encryption, are virtually
unbreakable even to computer scientists with access to
supercomputers capable of cycling through key combinations very
rapidly. There are several different types of encryption in use,
ranging from simple, easily cracked substitution algorithms, to DES,
to public key encryption. Even very weak encryption is still very
useful as it prevents casual observers from accidentally stumbling
upon useful information. Strong public key encryption is secure
enough for military applications (one of the reasons the U.S.
Government has sought to prevent the export of public key encryption
Currently, encryption is usually employed only on a selective
basis (i.e., for handling secure web orders). In the future, the
next generation version of the
protocol (the basic foundation of the internet), will incorporate
support for low level encryption of network transmissions, as well
as the authentication of IP addresses (this will make spoofing, the
impersonation of someone else's IP address, more difficult). The
available security technology today is very good, and will soon be
in widespread use throughout the internet.
Packet filtering is probably the easiest way to secure your internet
connection. It lets you permit certain services to cross your LAN
internet connection (i.e., e-mail, HTTP/worldwide web, IP phone
calls, etc.), while blocking connections to services such as FTP,
TFTP, Telnet, etc. (services which can potentially be used to
compromise or break into a workstation). The general rule of thumb
used is to deny access to everything except for common services such
as web access, e-mail, etc., and then allow other types of traffic
to pass through upon request. The basic idea is to start with a
restrictive policy, then expand the list of permitted services as
needed. This conservative approach makes it unlikely that someone
will be able to exploit a weakness in a service like FTP.
A typical packet filtering arrangement will permit services such
as HTTP (web), SMTP
(e-mail), POP3 (e-mail), and DNS (address name resolution service)
to traverse your firewall, while blocking data bound for other
services. For example, there is usually no reason to allow users to
access FTP services on personal workstations, especially since FTP
can be used to access the file system on a computer. So, unless an
individual has a specific need for people to be able to FTP files to
and from his/her workstation, it is best to filter these services.
Also, many PC operating systems, UNIX in particular, will often have
undocumented services which run on oddball port addresses. Applying
a generic filter to block access to normally unused ports further
reduces the likelihood that someone will exploit an undocumented
security gap in this manner.
One thing to be careful about, if you go overboard with packet
filtering, you will block legitimate as well as illegitimate
traffic. Primarily, you will want to block access to services like
FTP, and to undocumented ports, while not restricting access to
ports used for basic TCP/IP services such as worldwide web access,
e-mail send/receive services, etc.
Client access lists
Another useful tool for securing your network are client access
lists. These allow you to grant restricted or unrestricted access to
all or part of your LAN based on the IP address of the outside
party. This technique has its limitations since it is relatively
easy to spoof (imitate) somebody else's IP address. This is most
useful for securing workstations which do not normally receive
requests from outside your LAN, or which service infrequent sessions
from outside your LAN.
Note: IP address filtering gives you a good way to prevent
spammers from taking over your company's mail server. Most internet
e-mail servers are designed to accept e-mail from any e-mail
address, to any e-mail address. The service used to deliver e-mail
on the internet, simple mail transfer protocol (SMTP), has
essentially no built-in security features, and so it is very easy to
trick somebody else's e-mail server into sending your junk mail
(while making it appear to originate from a third party's network).
This is not only very annoying, but it can be damaging when irate
people start blaming you for somebody else's junk e-mail. Using IP
address filtering, you can filter incoming SMTP requests from
problem domains (i.e., cyberpromo.com).
Server access lists
This is a variation of packet filtering. Here you are defining a
list of servers which can be accessed from outside your office. This
makes it relatively easy to declare certain workstations verboten,
and even to conceal their existence from the outside network.
User authentication is a helpful tool in environments where it is
not practical to globally block access to specific workstations or
services. Telecommuters, for example, may have a legitimate need to
FTP files to and from their machines at the office. Your network
administrator may decide to work from home several days a week.
User authentication comes in both weak and strong forms. The weak
form prompts the user for a user ID and password pair. This
information may or may not be encrypted when transmitted across the
internet. The strong form either employs public key encryption, or
uses a key card (handheld LCD card which generates a random series
of access codes, so a different PIN is used to access the network
for each session). The latter scheme is very difficult to break
without assistance from insiders.
Address obfuscation is another technique for securing your network.
This is a great example of the premise of "security through
obscurity." If an intruder has no idea where a particular resource
is located, it will be difficult to compromise. Address obfuscation
does this by altering your computers' IP addresses to appear
different than they actually are to outside users. Inside your LAN,
users will see your machines' real IP addresses. Users outside your
LAN will see different IP addresses. By making it difficult for
intruders to obtain the real IP addresses of machines inside your
network, you make it difficult for someone to access your
workstations through indirect means (i.e., by installing a malicious
program on your web server which is used to leapfrog into other
machines inside your LAN). This in and of itself is a fairly weak
defense, but when used in combination with these other techniques it
makes it even more difficult to compromise your computers.
Different types of firewalls
Firewalls come in several different forms. Some are standalone
appliances which connect directly to an
Some are software toolkits which can be installed on Windows NT or
UNIX workstations. Some are integrated into internet access devices
- Standalone network appliances - standalone firewalls are a
good choice if you are already connected to the internet, and do
not want to replace your router, or if you need a high-capacity
firewall. These units typically have 2 Ethernet jacks, one for
your internal LAN connection, one for your external
- Software-based firewalls - these products turn a PC into a
firewall. The benefit of software-based firewalls is that they can
be used to convert an existing machine into a firewall device.
Usually, all you need to do is to install a second Ethernet
adapter in a workstation to turn it into a firewall. The only
problem with this is that if the host PC is not set up correctly,
it can be compromised. If your firewall can be compromised, then
so can the rest of your network. Only go this route if you
thoroughly understand the networking services offered by the
operating system you'll be installing this on.
- Integrated firewall/router combinations - most router
manufacturers now include firewall capability as a software
upgrade. This enables you to get integrated internet connectivity
and security services from a single appliance which connects
directly to your LAN. These devices, since they do not run on top
of a PC operating system, are highly secure when they are set up
This is usually the easiest and most cost-effective way
Do you even need a firewall in the first place?
Chances are, if you are a small business, you may not even need a
firewall. If you are using a dial-up modem connection, or are using
an on-demand ISDN connection to the internet, a firewall is usually
not necessary. This is because your internet connection is only
operating when you need it. If your internet connection is down,
then an outsider has no way of connecting to your LAN via the
internet, and so a firewall is unnecessary.
Here's an example to illustrate this point. Let's assume that
your office has an internet access appliance such as Webramp or
Netopia. When someone on your LAN needs to access the internet
(i.e., to browse a web page, fetch e-mail, etc.), it brings your
internet connection up, and then drops it once the connection is no
longer needed. This minimizes the cost of your internet connection,
and it also makes it very difficult for an outsider to connect to
your computers. Not only must he correctly guess the IP address of
your machine (it often varies from session to session with dial-up
and ISDN connections), but he must also have guessed your user
account and password, AND he must correctly guess exactly when you
have an active connection to the internet. If you are an occasional
internet user, and your connection is down most of the time, it will
be very difficult for somebody to compromise your computer if you
are using a dial-up connection.
If you have a dedicated internet connection, one which is up 24
hours a day, then putting a firewall in place is probably a good
idea since a hacker could systematically try to break into your
machines in the early morning hours when you are least likely to
detect it. (Most break-ins usually go undetected unless the intruder
damages or erases files from a machine).
Selecting a firewall
I recommend buying a
has a firewall built into it. This is usually the most
cost-effective solution, is easy to set up and administer, and does
not require the purchase of superfluous hardware. If you already
have a router in place, a stand-alone firewall may also be a good
idea, especially now that low-cost turnkey units are starting to
appear. Unless you are an expert in networking software, I generally
don't recommend software-based firewalls.
Most router vendors now offer basic firewall services either as a
basic feature or as an optional upgrade. Ascend, for example, has a
firewall upgrade for their Pipeline 50 series of ISDN routers. It
only adds $100 or so to the cost of the router, and so it's a great
value compared to buying a standalone appliance.
Some additional security tips
Besides installing a firewall there are a number of simple things
you can do which will further enhance the security of your network.
Here are a few examples.
- Put sensitive data on a machine which cannot be accessed via
TCP/IP - most PC operating systems support multiple networking
protocols, such as NetBEUI, IPX/SPX, TCP/IP and others. One
technique for sequestering sensitive data is to put it on a
machine which has no TCP/IP connectivity, and instead talks to
other machines using a LAN protocol such as NetBEUI. If your
router is programmed to prevent non-TCP/IP data from exiting your
LAN, this makes it very difficult for an outsider to access this
machine. If there's no need for the machine to be networked, you
may want to consider isolating the machine altogether if the data
is especially sensitive.
- Disable drive mapping on servers which can be accessed from
outside your LAN - many operating systems allow you to view hard
drives on remote machines as local disk drives. While this is
convenient, it is also a security loophole. For example, if your
FTP server can see remote disk drives on other machines as local
drives, an outsider can sometimes use FTP to access those remote
drives, as well as the FTP server's own disk. This can be a recipe
for disaster. In general, it is good to limit FTP access anyway,
but always make sure drive mapping is disabled on publicly visible
- Get rid of lightweight operating systems - Windows 3.1 and
Windows 95 have pretty weak security services compared to higher
end operating systems like Windows NT and UNIX. Seriously consider
upgrading to a more secure OS on machines where sensitive data or
services may be located. Windows NT is highly rated for its
security features. If you properly utilize them, you can make each
workstation very secure, so even if someone does get past your
firewall, they will then have to correctly guess a privileged
password on each workstation (not easy without insider help).
- Disable unnecessary services - most TCP/IP services are
relatively harmless even if they are abused. However, some provide
direct access to your computer's console or to the file system.
FTP is one such service. It is used to view and transfer files
between internet hosts. It is a very useful service, but if
compromised, someone can potentially access the entire disk drive
of the affected machine. If you don't need FTP on a particular
machine, just disable it. If you do need FTP on a machine, it is a
good idea to set up accounts which can only be used during
specific time periods (i.e., deny connections after normal
business hours, disable accounts if more than 3 invalid passwords
are given in a row, etc.).
- Don't use obvious passwords - many people just use their name
as a password, this is not a good idea. The best passwords consist
of a combination of letters (upper and lower case) and numbers.
This makes it very difficult to guess a password. For example,
"bingo" would not be a good password since it could be guessed
easily by a password cracking program. "75BinGO" would, on the
other hand, be a good password because of the combination of
numbers, lower case, and upper case letters. This will be
difficult to guess, especially if an account is frozen after 3
invalid login attempts.