A Firewall is a device or software that regulates network traffic. Many people depend on them to be the single mechanism responsible for protecting a computer or network from all forms of malicious traffic. Firewalls are frequently misunderstood, even by some people who work in IT. They are quite often incorrectly configured and used improperly due to a lack of understanding of how they work and what they are intended to do.
The truth is that firewalls are a fantastic security measure, if properly implemented. In order to use them effectively, though, its important to understand how they work. It’s also important to understand what they aren’t built to do. Before we get into that, it’s critical to establish a basic understanding of how computers communicate.
Network traffic basics
Think about a home stereo system with surround-sound. There are multiple channels. One for each angle that sound should be broadcast from. The stereo only sends the sound that is supposed to come from a particular direction to the channel for that particular speaker. It doesn’t send all the sound to all speakers. The result is that you hear different sounds from distinctly different locations when listening to a track that utilizes this.
Computers similarly break up the signals being sent for different purposes. Except with computers, there are more than a handful of channels. There are exactly 65536 (0-65535) channels, called ports. Each of these ports is used to transmit different types of information, such as network time, file transfers, Internet traffic, and even streaming media. Ports 0 through 1023 are each reserved for specific types of common network traffic. The remaining ports can be used by application developers for non-standard purposes.
Like the difference between packing snow into a nice ball versus tossing a shovel-load of snow at someone, protocols define how computers structure and transmit data for a give purpose and how the recipient will receive that data. Internet traffic, for example uses hypertext transfer protocol, HTTP, or the secure version, HTTPS.
To send information, a computer will transmit data to a specific IP address, over a specific port, and using a specific protocol associated with the specific type of data being sent. Without getting too much into the nerdy details of how computers structure data and those mysterious “packets” nerds talk about, this information is critical to properly setting up a firewall.
What firewalls do
A firewall is a sort of electronic bouncer that stands in the gateway to your network, or on your computer and determines what traffic to let through and what traffic to reject. Like a bouncer, it can categorically block traffic that doesn’t meet the criteria of what you’ve decided to allow in or out. If you choose to be restrictive, blocking all traffic and allowing some by explicit authorization, it will only allow the traffic that you’ve identified as authorized. On the other hand, if you are not very restrictive, it will only block exactly what you tell it to.
Firewall rules are based on the port, protocol, the sender and/or recipient’s IP addresses, and the direction of traffic. They are capable of blocking or allowing all traffic using a specific port, protocol, origin address, destination address, whether its in-bound or out-bound traffic, or any combination of these.
The default configuration for firewalls is typically to allow all traffic, only blocking traffic where there are specific rules to do so. Most authorities on the best practices for firewalls recommend configuring them to first block all traffic and then to create rules explicitly allowing the traffic that you want.
What firewalls don’t do
There are several limitations with firewalls. They are passive and do not take any active measures to stop traffic. This means they do not have the ability to detect traffic that circumvents them. It also means that they will not notify anyone if they fail to block something. A firewall cannot detect or block malicious traffic, such as a download containing a virus. It has no idea what is contained in the data it allows through, just that the port, protocol, and/or addresses are allowed according to the rules you set.
It is not uncommon to find someone using a firewall as a method of blocking specific Internet traffic. While this works (sort of) because of the ability of a firewall to block traffic based on IP address, it is highly inefficient and requires a great deal of maintenance. Website’s IP addresses change and you must create and manage a new rule for each and every site you wish to block. This task is much more efficiently and effectively accomplished with a web filter or web proxy, designed specifically for this task.
