Firewalls and You
paranoid if they ARE watching you
March 24, 2003
This article was originally published in February 2001. It
was updated in March 2003.
As the popularity
broadband always-on Internet service (such as cable modems
DSL) has increased, firewalls have been gaining increasing
media attention. Suddenly you and your network have an open door
to the Internet, a place that is rife with hackers, criminals,
and various other ne'er-do-wells -- at least that is what I
hear. This report is designed to introduce you to firewalls.
As with all technology, you need a basic understanding of
firewalls or you will end up with something that may or may not
be the right solution for your organization.
What a Firewall Is
A firewall is a system or group of systems that enforces an
access/deny policy. The firewall filters all the packets that go
in and out of your network and blocks them or allows them to
continue to their destination.
For example, you can configure a firewall to allow only e-mail
to enter your network, thus shielding you from any attacks
except for ones that arrive via e-mail.
A firewall is typically a separate computer or device on your
network that sits between your private network and your Internet
connection. This way the successful break into your network must
still go through a separate level of security to get to your
A firewall often includes or works with a
proxy server that makes network requests on behalf of
workstation users. This way your network users' information is
hidden from the outside world.
A firewall also acts as the concentrator for your Internet
access. Since all of your traffic goes through one place, you
can produce detailed logs of who tried to access your network,
what traffic went where, and much, much more.
Types of Firewalls
There are really just two different types of firewalls. Though
there are several gradations of these types, and some firewalls
will have both in one.
Using the classic OSI network model taught to every young
network engineer (who then almost immediately forgets) the
network layer is essentially the layer where you get into
TCP/IP packets of data. These packets contain information
about where they are from, where they are going, what state
are they in (for example, whether they have just spoken to the
server) and the actual data they are transferring.
Network Layer firewalls can do things like block access to an
IP address altogether, or allow only specific types of
packets to pass through, i.e. packets destined for port 80 (a
Recent improvements to this model are the Stateful Packet
Inspection or SPI firewalls, such as the Cisco PIX firewalls.
These firewalls look at the state of the packet, and can allow
or disallow them based on that information. Many network
attacks, such as the Denial of Service attacks, rely on
sending packets in the wrong state to a server causing the
systems to freak out (in a purely scientific sense, of
Application Layer Firewalls
Application Layer firewalls are subtler and are mainly used
for logging or filtering your Internet connection. They do not
specifically allow or deny a connection, but are required to
negotiate the connection and due to their middleman role can
monitor and report based on this information.
Every computer on the Internet needs a unique IP address to
communicate. However, these Application Layer firewalls allow
organizations to use one real IP address for external
communication, and hundreds of non-routable IP addresses.
Proxy servers and Network Address Translation (NAT) servers
are examples of these firewalls.
Good Security is More Than a Firewall
A firewall is your first line of defense. I mention this because
if the rest of your network is insecure, a firewall breach will
be disastrous. Network security is a tricky business, and you
need to be diligent in keeping your entire network secure. But
no network is safe if the entire system isn't safe. Your
security policy needs to take employees, physical systems (such
as doors), and waste paper, amongst many other things, into
consideration. A locked door means nothing if the window is wide
The first thing you need to concern yourself with is your
overall security policy. I know this sounds suspiciously like
planning, but if you don't have a strong security policy, your
firewall will be nothing more than an interesting experiment.
A good security policy will take into account your entire
system. You'll need to think about how long your passwords are
in place before they must be changed, who has the keys to the
server, and your own paranoia level. Pay special attention to
the level of security and the effect on usability. The more
secure a system is, the more often the users are required to
remember multiple passwords or to change their passwords, making
the system less useful.
After you have worked that out, you want to think specifically
about the firewall. A firewall policy will answer the questions:
- What type of traffic do you want to allow?
- Is your firewall just there for queuing traffic and
monitoring or do you want to restrict everything but HTTP/Web
- What are the risks associated with these things?
- Is security more important than usability or vice-versa?
Configure your Firewall
If you are setting up a firewall, you have the advantageous
position of being able to decide what traffic to allow and what
traffic to disallow. Usually it is best to deny first and ask
questions later. Deny all services not crucial to your needs.
This is, of course, easier said than done.
First you will need to define your network. If you don't have a
network diagram, now is as good a time as any to build one. List
out your network protocols, main systems (such as e-mail, file
server version, and patch level), as well as your Internet
connection, speed, IP addresses, and services. Defining where a
firewall will go and what its purpose will be can help you
determine which device will work best for your organization.
Once you have decided what services to allow, you will need to
determine what TCP port these services are using, and allow that
port or ports.
TCP/IP traffic is routed based on a specific port number that is
kept in the TCP data packet. You can connect to the same
server's IP address and domain name with a Web browser on port
80, or with an
FTP client on port 21, or with an e-mail client using POP3
on port 110. The server knows what services you are trying to
access based on the port.
It is actually a pretty cool system. However, there are 65,535
different possible port numbers. As you try to identify ports,
take advantage of the helpful resources available on the Web.
The good folks at the Internet
Assigned Numbers Authority (IANA) maintain a useful official
site. However, undocumented ports are also in use. Occasionally,
tracking these down can be nearly impossible. I've found these
sites helpful, though:
Why is Port 5631 Open?
If you didn't set up your firewall, but want to see what it is
protecting (or not protecting) you can start by getting access
to your firewall. This may involve hunting down a password from
ISP, digging through manuals, deciphering the notes left by
that guy who set the Internet connection up two years ago, and
just plain guessing.
If you can't get access to your firewall, you won't be able to
make any changes to your configuration rules. However, you may
want to avoid resetting your router/firewall due to the
disruption this would cause staff.
If you just want to see how the thing is configured, the easiest
way to do this is to use an online tool. There are several out
there; the main one I use is from
Gibson Research, which has two programs that can probe a
server's ports. They look at the most vulnerable systems and
check to see if you are vulnerable. These tests take about one
or two minutes, and sometimes provide remarkable and eye-opening
A longer TCP scan (covering the main 1024 ports) is available at
Sygate's Web site. This
scan can take 40 minutes or so.
For most nonprofit organizations, the best way to start is to
look for a product to buy. If someone has told you about how you
can build a firewall to meet your needs with existing routers,
please think twice. In theory, this approach is good if you have
a full-time IT staff that really understands wide-area
networking. In practice, this approach often costs much more in
staff time and energy than comparable out-of-the-box firewalls.
You can buy firewall systems in any shape or size that your
heart desires. You can buy software, hardware devices, and
hardware bundled with an operating system like Unix or Windows
NT/2000 and firewall software.
Most organizations can get by with the basic packet filtering
firewalls included with the router provided by their ISP or in
the DSL sharing routers, such as those offered by Linksys,
NetGear, and SMC. These devices are often limited by how many
rules they can apply, in their logging and reporting
capabilities, and in performance.
If you want sophisticated packet handling, decent logging
features, e-mail notification of intrusion detection attempts,
or Stateful Packet Inspection, you will need to upgrade to a
better firewall. Stand-alone hardware such as the Cisco PIX or
SonicWall firewalls can set you back between $500 to $5000
depending on your requirements.
Another option is a server-based application. These devices have
the advantage that you can increase their performance by getting
faster hard drives, network cards, etc. They are often easier to
manage since their tools are integrated with your server
CheckPoint has been the leader in this field for ages, but
Microsoft has entered this arena with its
There are many other notable players, including
These products tend to start at around $1000 and go up from
there. Microsoft ISA server is included with Small Business
Server 2000, though, making for a cost-effective solution if you
have fewer than 35 users.
In the end, you are the only person who can tell you which is
the right product, based on your needs and budget. But there are
a few things to consider when shopping:
1. Will the firewall supplement your security system or are you
dependent on the firewall security?
2. Does the firewall use a flexible, user-friendly IP-filtering
language that is easy to program and can filter on a wide
variety of attributes, including source and destination IP
address, protocol type, source and destination TCP/UDP port and
inbound and outbound interface?
3. Does the firewall contain mechanisms for logging traffic and
suspicious activity, as well as mechanisms for log reduction to
keep logs readable and understandable?
4. The firewall and any corresponding operating system should be
updateable with patches and other bug fixes in a timely manner.
Once you've considered all these questions, you can start
approaching vendors and looking for something in your price
range that suits your specifications. You can focus you energy
on checking out the firewall products list in the appendix and
just start hitting Web sites, or look through product reviews
and decide which is best and which one you trust.
If You Want My Opinion
I can't guarantee that everyone will like these, but here's what
I'd recommend without knowing the specifics of your situation.
For small offices and homes, the first thing I would look at are
the DSL modems with built-in firewalls. If you are getting DSL
anyway, you might as well get a decent modem that has a
firewall. Check with your DSL provider as to which modem they
are giving you, or to make sure that the one you buy is
compliant with their system. Often these devices include
VPN, NAT (network address translation), and DHCP. Check out
for the products that suit your needs.
For stand-alone firewalls, I like the
WatchGuard SOHO device. It costs about $500 and is easy to
install and configure.