
AlphaSure Ltd. 41 Walpole Road London E18 2LN United Kingdom
What is a Firewall?
A firewall is usually a piece of hardware that sits at the entrance to your link with the outside world. So, if you have an ADSL connection, you can buy a firewall which dials the number to make the connection, and everything that goes out to the Internet, or comes in from the Internet to your network (be it to PCs, servers, printers or anything else), first gets screened by the firewall. The firewall is designed to be hardened, so it can withstand unwanted attacks. So if you have a fixed IP number (more on IP numbers here) and your machines were to sit on the Internet at the same number day after day NOT behind a firewall, people could attack your machine and take control of it, particularly if it was an older machine (Windows 95/98/ME are prime examples) and therefore not as secure as some of the newer ones. However, that same weak and vulnerable machine, sitting behind a firewall, is a lot safer. (It will never be totally safe, and the opposition is getting smarter at circumventing these things by the day, so watch this space.) One way the firewall does this is to give the local machines different IP numbers on a different range.
So, say the firewall is sitting on the Internet with a fixed IP address of 80.16.24.82 (to take an example from thin air). Your laptop, sitting behind the firewall, does not have an IP number of 80.16.24.83, but is instead given a totally different number of, say, 192.168.0.4 (the 192.168.0.x range being chosen by the network admin). So when you go onto the Internet, the firewall gets a request from 192.168.0.4 to fetch the web page at www.google.com. The firewall (80.16.24.82) makes this request to Google and gets the Google home page flying its way. When it gets the home page (or actually, as the bits arrive), it passes those bits back to your laptop, 192.168.0.4. Nice and simple. The complexity comes when 40 people are all making requests at the same time, and the firewall has to keep track of who asked for what, which it does very well, otherwise it wouldn't be in business.
But, say a hacker has seen your request to Google, and decides you have a nice old machine, and he comes to attack you. He asks your machine to respond to him in an agreed manner (which your laptop would do in the normal course of events). Google sent the page to 80.16.24.82, and that is where he attacks. The only problem is that it is not your laptop sitting there, it is a hard nut of a firewall which, when it gets unsolicited requests from unknown numbers, just ignores them. However much the attacker attacks, the firewall keeps him away. The attacker does not know that your laptop is 192.168.0.4; he only knows you as 80.16.24.82. Even if he did, he would still have to get to you through the firewall, and the firewall only allows legitimate traffic back to your laptop.
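The behaviour described in the two paragraphs above (outbound requests rewritten to the firewall's public address, replies matched back to the laptop that asked, unsolicited inbound traffic ignored) is easier to see in code. The following is an added simulation, not something from this page or from any firewall product; the public address 80.16.24.82 and the laptop's 192.168.0.4 are the page's illustrative values, while the remote and unknown addresses and the port numbers are constructed.

```python
# Added example: a minimal stateful NAT firewall model.  It keeps a table of
# "who asked for what" so that replies reach the right internal host while
# anything nobody asked for is dropped.  Sample addresses/ports are constructed.

PUBLIC_IP = "80.16.24.82"   # the firewall's fixed Internet address (from the page)


class StatefulNatFirewall:
    def __init__(self, public_ip=PUBLIC_IP):
        self.public_ip = public_ip
        self._next_port = 40000      # pool of external ports (constructed start value)
        # (external port, remote ip, remote port) -> (internal ip, internal port)
        self._table = {}
        self.dropped = []            # unsolicited packets, useful for logging/alerts

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal host sends a request: remember it, rewrite the source address."""
        ext_port = self._next_port
        self._next_port += 1
        self._table[(ext_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, ext_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arrives from the Internet addressed to the public IP.

        Returns the internal (ip, port) it is forwarded to, or None if dropped.
        """
        key = (dst_port, src_ip, src_port)
        if key in self._table:
            return self._table[key]
        self.dropped.append((src_ip, src_port, dst_port))
        return None


def run_scenario():
    """Replay the page's story: laptop fetches a page, a stranger knocks."""
    fw = StatefulNatFirewall()
    laptop = ("192.168.0.4", 51234)        # port is constructed
    web_server = ("198.51.100.10", 80)     # constructed stand-in for www.google.com
    pub_ip, ext_port, _, _ = fw.outbound(*laptop, *web_server)
    reply = fw.inbound(web_server[0], web_server[1], ext_port)   # forwarded to laptop
    stranger = fw.inbound("203.0.113.9", 4444, ext_port)          # unsolicited: dropped
    return pub_ip, reply, stranger, len(fw.dropped)
```

The same table is what lets 40 internal machines share one public address: each outbound request gets its own external port, so replies are never confused.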
A further complication to the above scenario is where your laptop really is out on the Internet, and you cannot put it behind a true firewall. You then run firewall software on your laptop. This helps, but is much weaker than a true firewall. Why? Well, your firewall software sits on Windows, or Mac (OS 9) or Unix (Mac OS X is a Unix derivative, and similarly Linux). If you have a machine like this on the Internet, the attacker will not attack the firewall software, but will attack the weakest point. The firewall software is hard, and designed to be hard. Windows/Mac OS 9 is much weaker, so he would hit the operating system (Windows 98), not the firewall software. For example, Windows 98 can receive a specially constructed packet, and when it receives it, irrespective of what is running on the machine at the time, it is knocked off balance, or crashes completely. (Not exactly that, but the equivalent effect on you or me of receiving news that your mother or daughter is in a road accident around the corner: we drop whatever we are doing and get there as fast as we can. Similarly with the laptop.) While the laptop is struggling with the weird packet it has received, and with what precisely it is meant to do with it, the attacker slides another bit of information to your laptop which the machine doesn't check, or allow the firewall to check, because it is in panic mode. From here on, the attacker is into your laptop, and taking over...
So, when purchasing a firewall, check what operating system it is running. Vital. Unix is the hardest to crack of the lot; Mac OS 9, Windows 95, 98 and ME the weakest. Windows NT is also fairly weak, Windows 2000 better and XP better still, but not a touch on Unix (when each is properly configured, for all the above examples). Of course, if it is a proprietary operating system built into the firewall, that makes it tougher, but even those are being exploited these days, by even the most well respected names....
The way the situation is going, hackers and crackers are finding ways into networks and even around firewalls. I can see the day not far off when a firewall will just be the first barrier to entry, and every PC on the internal network will have its own local software firewall (as Microsoft has done with XP SP2). It makes life more difficult for the network administrator, who really does want to let you see your shared files on the server, but without letting someone else see them. But that is life, so they say.