Firewalls and the Small Network

A firewall isolates your computer from the Internet using a "wall of code" that inspects each individual "packet" of data as it arrives at either side of the firewall ù inbound to or outbound from your computer ù to determine whether it should be allowed to pass or be blocked.

All internet communication is accomplished by the exchange of individual "packets" of data. Each packet is transmitted by its source machine toward its destination machine. Packets are the fundamental unit of information flow across the Internet. Even though we refer to "connections" between computers, this "connection" is actually comprised of individual packets travelling between those two "connected" machines. Essentially, they "agree" that they're connected and each machine sends back "acknowledgement packets" to let the sending machine know that the data was received.

In order to reach its destination ù whether it's another computer two feet away or two continents distant ù every
Internet packet must contain a destination address and port number. And, so that the receiving computer knows who sent
the packet, every packet must also contain the IP address and a port number of the originating machine. In other words, any packet travelling the net contains ù first and foremost ù its complete source and destination addresses. An IP address always identifies a single machine on the Internet and the port is associated with a particular service or conversation happening on the machine



The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic equivalent of writing on other people's walls with spraypaint, tearing their mailboxes off, or just sitting in the street blowing their car horns. Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall's purpose is to keep the jerks out of your network while still letting you get your job done



Some firewalls permit only email traffic through them, thereby protecting the network against any attacks other than attacks against the email service. Other firewalls provide less strict protections, and block services that are known to be problems.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside" world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside.

Firewalls are also important since they can provide a single "choke point" where security and audit can be imposed.
Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective "phone tap" and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amount of traffic passed through it, how many attempts there were to break into it, etc.

This is an important point: providing this "choke point' can serve the same purpose on your network as a guarded gate
can for your site's physical premises. That means anytime you have a change in "zones" or levels of sensitivity, such a checkpoint is appropriate. A company rarely has only an outside gate and no receptionist or security staff to check badges on the way in. If there are layers of security on your site, it's reasonable to expect layers of security on your network.



Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape can just as effectively be used to export data. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected. It's silly to build a 6-foot thick steel door when you live in a wooden house, but there are a lot of organizations out there buying expensive firewalls and neglecting the numerous other back-doors into their network. For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all: they shouldn't be hooking up to the Internet in the first place, or the systems with the really secret data should be isolated from the rest of the corporate network.

Another thing a firewall can't really protect you against is traitors or idiots inside your network. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or floppy disk. Floppy disks are a far more likely means for information to leak from your organization than a firewall! Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall, if he can find a "helpful" employee inside who can be fooled into giving access to a modem pool. Before deciding this isn't a
problem in your organization, ask yourself how much trouble a contractor has getting logged into the network or how
much difficulty a user who forgot his password has getting it reset. If the people on the help desk believe that every call is internal, you have a problem.

Lastly, firewalls can't protect against tunneling over most application protocols to trojaned or poorly written clients. There are no magic bullets and a firewall is not an excuse to not implement software controls on internal networks or ignore host security on servers. Tunneling ``bad' things over HTTP, SMTP, and other protocols is quite simple and trivially demonstrated. Security isn't "firewall and forget".



Each product has its pros and cons...Price, ease of use, and functionality. You can read independent reviews of over 30 windows based firewall applications at:
http://www.firewallguide.com/software.htm



In order to check how well your firewall is working, or the state of your pc security if you are not using a firewall, you need to check from outside your own network. There are a number of online services free and otherwise, that will scan
your ip address for open and listening ports, and let you know what they find. A few of them are listed below.

https://grc.com/x/ne.dll?bh0bkyd2 (Shields Up)
http://scan.sygate.com (Sygate Security)
http://www.auditmypc.com:85/scanoptions.asp?S=2051R2 (Audit My PC)
http://www.hackerwhacker.com/newindex.dyn (Hacker Whacker)




Best thing we know is to forward them to an organization such as D-Shield (www.dshield.org) or NetWatchman
(www.mynetwatchman.com) . These organizations accept firewall logs from as many networks as they can get to
participate. Log events with the same source IP addresses are organized into incidents. Depending on the target ervice
and the number of agents that report a given source IP, alert e-mails and log excerpts are sent to the responsible party or their ISP.



More than you ever wanted to know.....
http://www.interhack.net/pubs/fwfaq/