What is firewall software?
Firewall software, its
importance to your home computer strategy, and a way to think about
the job you need to do. We're going to depart from our computer-is-like-a-house-and-the-things-in-it
analogy to use another that you are probably also familiar with:
an office building.
Have you ever visited a business where you first stopped at the
reception desk to interact with a security guard? That guard's
job is to assess everybody who wishes to enter or leave the building
to decide if they should continue on or be stopped. The guard keeps
the unwanted out and permits only appropriate people and objects
to enter and leave the business's premises.
Let's dig deeper into this analogy. When someone enters a building,
the security guard usually greets them. If they have an appropriate
identification badge, they show it to the guard or swipe it through
a reader. If all is OK, they pass through the guard's checkpoint.
However, if something's wrong or if they are a visitor, they
must first stop at the guard desk.
The guard asks whom they wish to see. The guard may also ask for
identification such as a driver's license or their company
ID. The guard reviews the list of expected guests to see if this
person is approved to visit the party in question. If the guard
decides everything is all right, the visitor may pass. The visitor
usually signs a logbook with their name, the company they represent,
whom they are seeing, and the time of day.
On a computer, the firewall software acts much like a guard when
it looks at network traffic destined for or received from another
computer. The firewall determines if that traffic should continue
on to its destination or be stopped. The firewall guard
is important because it keeps the unwanted out and permits only
appropriate traffic to enter and leave the computer.
To do this job, the firewall software has to look at every piece
of information, every packet, that tries to enter or
leave a computer. Each packet is labeled with where it came from
and where it wants to go. Some packets are allowed to go anywhere
(the employee with the ID badge) while others can only go to specific
places (visitors for a specific person). If the firewall allows
the packet to proceed (because it is acceptable according to the rules),
it moves the packet on its way to the destination. In most cases,
the firewall records where the packet came from, where it's
going, and when it was seen. For people entering a building, this
is similar to the ID card system keeping track of who enters or
the visitor signing the visitors' log.
The building's guard may do a few more tasks before deciding
that the person can pass. If the person is a visitor and is not
on the visitors' list, the guard calls the employee being visited
to announce the visitor's arrival and to ask if they may pass.
If the employee accepts the visitor, they may proceed. The guard
may also give the visitor a badge that identifies them as a visitor.
That badge may limit where in the building they can go and indicate
if they need to be escorted. Finally, no matter whether the person
is a visitor or an employee, the guard may inspect their briefcase
or computer case before they pass.
The firewall software can also check whether a given packet should
pass, allowing the computer's user to respond to unanticipated
network traffic (just as the guard does with the unexpected visitor).
Individual packets can be allowed to pass, or the firewall can be
changed to allow all future packets of the same type to pass. Finally,
firewalls can filter packets based not only on their point of origin
or destination, but also on their content (inspecting the briefcase
or computer case before being allowed to pass).
Back to the office building: when employees leave the building,
they may also have to swipe their ID card to show that they've
left. A visitor signs out and returns their temporary badge. Both
may be subject to having their possessions inspected before being
allowed to leave.
Firewalls can also recognize and record when a computer-to-computer
connection ends. If the connection was temporary (like a visitor),
the firewall rules can change to deny future similar connections
until the system's user authorizes them (just as visitors must
re-identify themselves and be re-approved by an employee). Finally,
outgoing connections can also be filtered according to content (again,
similar to inspecting possessions at the exit).
What does this all mean? It means that with firewall software,
you can control which packets are allowed to enter your home computer
and which are allowed to leave. That's the easy part.
The hard part is deciding the details about the packets that are
allowed to enter and exit your home computer. If your firewall supports
content filtering, you also need to learn which content to allow
and which not to allow. To help you get a handle on this harder
task, let's return to our security guard analogy.
Imagine that you are that security guard and it's your first
day on the job. You have to decide who's allowed in, who's
allowed out, and what people can bring into and take out of the
building. How do you do this?
One strategy is to be very conservative: let no one in or out and
let no possessions in or out. This is very simple, very easy to
achieve, but not particularly helpful to the business if none of
its employees or visitors can get in or out. Nor is it helpful if
they can't bring anything with them. With this type of strategy,
your tenure as a security guard may be short-lived.
If you try this, you quickly learn that you need to change your
strategy to allow people in and out only if they have acceptable
identification and possessions using some agreed-to criteria. Add
the requirement that if you don't meet the precise criteria
for admittance, you don't get in.
With firewall software, you can do the same thing. You can program
your firewall to let nothing in and nothing out. Period. This is
a deny-all firewall strategy and it does work, though it effectively
disconnects you from the Internet. It is impractical for most home
computers.
You can do what the security guard did: review each packet (employee
or visitor) to see where it's coming from and where it's
going. Firewall software lets you easily review each packet so that
you can decide what to do with it. When you are shopping for a firewall,
look for this review feature because it can be quite helpful. Practically
speaking, it isn't easy to decide which traffic is all right
and which is not all right. Any feature that makes this job easier
helps you achieve your goal of securing your home computer.
Just like the security guard who learns that anybody with a company
photo ID is allowed to pass, you too can create firewall rules that
allow traffic to pass without reviewing each packet each time. For
example, you may choose to allow your Internet browsers to visit
any web site. This rule would define the source of that traffic
to be your browsers (Netscape Navigator and Microsoft Internet Explorer,
for example) and the destination location to be any web server.
This means that anybody using your home computer could visit any
Internet web site, as long as that web server used the well-known
standard locations.
Now that you have an idea of what your firewall security guard
is trying to do, you need a method for gathering information and
programming your firewall. Here is a set of steps to use to do just
that:
1. The Program test:
What's the program that wants to make a connection to the Internet?
Although many programs may need to make the same type of connection
to the same Internet destination, you need to know the name of each.
Avoid general rules that allow all programs to make a connection.
This often results in unwanted and unchecked behavior.
2. The Location test:
What's the Internet location of the computer system to which
your computer wants to connect? Locations consist of an address
and a port number. Sometimes a program is allowed to connect to
any Internet location, such as a web browser connecting to any web
server. Again, you want to limit programs so that they only connect
to specific locations where possible.
3. The Allowed test:
Is this connection allowed or denied? Your firewall rules will contain
some of each.
4. The Temporary test:
Is this connection temporary or permanent? For example, if you're
going to connect to this specific location more than five times
each time you use the computer, you probably want to make the connection
permanent. This means that you ought to add a rule to your firewall
rules. If you aren't going to make this connection often, you
should define it as temporary.
With each connection, apply the PLAT tests to get the information
you need to build a firewall rule. The answers to the PLAT tests
tell you if you need to include a new firewall rule for this new
connection. With a firewall, you can temporarily allow a connection
but avoid making it permanent by not including it in your rules.
Where possible, allow only temporary connections.
As you run each program on your home computer, you'll learn
how it uses the Internet. Slowly you'll begin to build the
set of rules that define what traffic is allowed into and out of
your computer. By only letting in and out what you approve and denying
all else, you will strike a practical balance between allowing everything
and allowing nothing in or out.
Along the way, you may come across exceptions to your rules. For
example, you might decide that anybody who uses your home computer
can visit any web site except a chosen few web sites. This is analogous
to the security guard letting every employee pass except a few who
need more attention first.
To do this with firewall rules, the exception rules must be listed
before the general rules. For example, this means that the web sites
whose connections are not allowed must be listed before the rules
that allow all connections to any web site.
Why? A firewall searches its rules in order, from the first through the
last. When the firewall finds a rule that matches the packet being
examined, the firewall honors it, does what the rule says, and looks
no further. For example, if the firewall finds the general rule
allowing any web site connections first, it honors this rule and
doesn't look further for rules that might deny such a connection.
So, the order of firewall rules is important.
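The following is an added example, not part of the original article or of any firewall product, that models both the PLAT tests and the first-match rule search described above: each rule records the Program, Location (address and port), Allowed decision and Temporary flag, and the evaluator stops at the first rule that matches. The program names, hostnames and rule set are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    program: str             # P: which program ("*" means any program)
    host: str                # L: destination address ("*" means any address)
    port: Optional[int]      # L: destination port (None means any port)
    allow: bool              # A: True = allowed, False = denied
    temporary: bool = False  # T: temporary rules are not kept permanently

@dataclass
class Packet:
    program: str
    host: str
    port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field is either a wildcard or equal."""
    return (rule.program in ("*", pkt.program)
            and rule.host in ("*", pkt.host)
            and rule.port in (None, pkt.port))

def decide(rules: List[Rule], pkt: Packet) -> bool:
    """First-match search: the first matching rule wins and later
    rules are never consulted. A packet matching no rule is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.allow
    return False

def permanent_rules(rules: List[Rule]) -> List[Rule]:
    """Rules worth writing into the firewall; temporary ones are dropped."""
    return [r for r in rules if not r.temporary]

# Constructed rule set: the exception (one blocked site) is listed
# before the general rules that let the browser reach any web server.
BLOCKED = "blocked.example"   # constructed placeholder hostname
GOOD_ORDER = [
    Rule("browser", BLOCKED, None, allow=False),
    Rule("browser", "*", 80, allow=True),
    Rule("browser", "*", 443, allow=True),
    Rule("mailer", "mail.example", 25, allow=True, temporary=True),
]
# Same rules with the exception moved to the end: it is never reached.
BAD_ORDER = GOOD_ORDER[1:] + GOOD_ORDER[:1]
```

With GOOD_ORDER the blocked site is denied and other web sites are allowed; with BAD_ORDER the general allow rule matches first and the blocked site gets through, which is exactly why exceptions must come before general rules.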
Firewall software is your security guard that stands between your
home computer and the Internet. It lets you control which traffic
your computer accepts. It also controls which of your programs can
connect to the Internet. With a firewall, you define which connections
between your computer and other computers on the Internet are allowed
and which are denied. There are free firewall products that provide
the capabilities you need to secure your home computer. Commercial
versions have even more features that can further protect your computer.
Firewall software is an important part of your home computer's
security defenses.