What is a firewall?
A device or system that permits or denies the transfer of IP data packets through an IP interface,
based on pre-defined rules. Firewalls are used to protect individual computers or entire networks
from access by hackers and from attack by malware that may be probing for weaknesses within your
network or PC. Two fundamentally different types of firewall exist - hardware firewalls and software
firewalls. The difference between these is explained below. The rules used by firewalls can be quite
complex, and firewalls are pre-configured with multiple rules so that an informed decision can be
made about the validity of any given data packet. Each rule includes a number of criteria that are
used to decide what action should be taken. Typically these criteria include the source IP address
of the packet, the destination IP address, the type of packet (e.g. UDP, TCP, ICMP) and the service
being requested (usually defined in terms of the destination port number).
Additional features that work alongside the basic rules are frequently included by firewall
manufacturers to give the computers on the LAN enhanced protection. These include Stateful
Packet Inspection, SYN flood attack lockout, Denial of Service lockout and various other more
specific protection policies.
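To make the rule criteria and the stateful inspection just described concrete, here is a small packet filter in Python. It is an added example, not text or code from the original page or from any firewall product: it evaluates ordered first-match rules on source address, destination address, protocol and destination port with a default deny, keeps a flow table so replies to permitted traffic get through without a rule of their own, and caps the number of unanswered SYNs per source as a simplified SYN-flood lockout. The Packet and Rule classes, the rule set, the addresses (taken from the documentation ranges) and the half-open limit are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    # Constructed packet model: the criteria a firewall rule looks at, plus
    # the TCP SYN flag so a new connection can be told apart from a reply.
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False  # TCP only: True on the first packet of a connection

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

class StatefulFirewall:
    """Ordered first-match rules with a default deny, a flow table so replies
    to permitted traffic pass without a rule of their own, and a per-source
    cap on unanswered SYNs as a simplified SYN-flood lockout."""

    def __init__(self, rules, max_half_open=3):
        self.rules = list(rules)
        self.max_half_open = max_half_open
        self.flows = {}      # 5-tuple -> "half_open" or "established"
        self.half_open = {}  # source IP -> SYNs sent that got no reply yet

    def filter(self, p: Packet) -> str:
        flow = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        # Reply to a flow already permitted: accept and mark it established.
        if reverse in self.flows:
            if self.flows[reverse] == "half_open":
                self.flows[reverse] = "established"
                self.half_open[p.dst] -= 1
            return "allow"
        if flow in self.flows:
            return "allow"  # further packets from the initiator of a known flow
        # A TCP packet without SYN that belongs to no known flow cannot start
        # a legitimate connection (e.g. a stray or probing ACK): drop it.
        if p.proto == "tcp" and not p.syn:
            return "deny"
        for rule in self.rules:
            if not rule.matches(p):
                continue
            if rule.action == "deny":
                return "deny"
            if p.proto == "tcp":
                if self.half_open.get(p.src, 0) >= self.max_half_open:
                    return "deny"  # too many unanswered SYNs from this source
                self.half_open[p.src] = self.half_open.get(p.src, 0) + 1
                self.flows[flow] = "half_open"
            else:
                self.flows[flow] = "established"  # UDP/ICMP have no handshake
            return "allow"
        return "deny"  # default policy: anything not explicitly allowed is dropped

def run_demo():
    """Constructed rule set and packets; returns the verdict for each."""
    lan = "192.168.1.0/24"
    fw = StatefulFirewall([
        Rule("deny", src=lan, proto="tcp", dport=23),   # no telnet out of the LAN
        Rule("allow", src=lan, proto="tcp", dport=443),
        Rule("allow", src=lan, proto="udp", dport=53),
    ], max_half_open=2)
    packets = [
        ("https_out", Packet("192.168.1.10", "203.0.113.5", "tcp", 51000, 443, syn=True)),
        ("https_reply", Packet("203.0.113.5", "192.168.1.10", "tcp", 443, 51000)),
        ("telnet_out", Packet("192.168.1.10", "203.0.113.5", "tcp", 51001, 23, syn=True)),
        ("dns_out", Packet("192.168.1.10", "203.0.113.53", "udp", 40000, 53)),
        ("dns_reply", Packet("203.0.113.53", "192.168.1.10", "udp", 53, 40000)),
        ("unsolicited_ssh", Packet("198.51.100.7", "192.168.1.10", "tcp", 4444, 22, syn=True)),
        ("stray_ack", Packet("198.51.100.7", "192.168.1.10", "tcp", 443, 51002)),
        ("syn1", Packet("192.168.1.11", "203.0.113.5", "tcp", 52000, 443, syn=True)),
        ("syn2", Packet("192.168.1.11", "203.0.113.5", "tcp", 52001, 443, syn=True)),
        ("syn3", Packet("192.168.1.11", "203.0.113.5", "tcp", 52002, 443, syn=True)),
    ]
    return {name: fw.filter(p) for name, p in packets}

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16} {verdict}")
```

Note that the order of the rules matters: the telnet deny is placed before the general allow rules, and the DNS reply is accepted only because the outbound query created a flow entry first. The third SYN from 192.168.1.11 is refused because the first two were never answered, which is the behaviour a SYN-flood lockout is meant to produce.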
A hardware firewall is a device with at least two ethernet interfaces - one for connection to
the "unsafe" public network and another for connection to the protected private network. These
are usually labelled WAN and LAN respectively. A hardware firewall will have its own CPU and
memory and a dedicated program, stored in non-volatile memory, that runs continuously. This
program, generally referred to as firmware, is responsible for inspecting every packet of data
trying to pass through from one interface to any other. A hardware firewall will be equipped
with some kind of password protected administration interface, usually in the form of dynamic
web pages that are viewed using a browser. It is very common for a hardware firewall device to
have a number of other network functions built into the same box. For example, it might include
an ethernet switch thereby providing multiple sockets for LAN-side connections. It will almost
inevitably act as a router and in some cases the administration interface allows static routes
to be configured. Virtually all hardware firewalls provide Network Address Translation (NAT)
to allow many computers on the LAN network to share one IP address on the WAN network. Some
include wireless networking to add WiFi functionality on the LAN side. Some can also act as
a VPN termination point - very useful if you want to allow remote or mobile users to connect
securely to the LAN. Site-to-site VPN capability, when included, allows multiple sites to
communicate securely with each other in a way that can be virtually transparent to users.
A software firewall is a program that runs in the background on a computer and which inspects
packets of data trying to pass in or out through the network interfaces installed in the computer.
The firewall is pre-configured with rules that it uses to decide whether data packets should be
blocked or allowed through. The rules in a software firewall can include additional parameters
beyond those that are usually found in the rules of hardware firewalls because the software
firewall has some knowledge about the applications running on the computer. Thus the criteria
used to decide if a packet may pass through will often include references to the application that
is transmitting or receiving the data as well as the remote IP address, port number and direction
of travel of the packets. Some software firewalls can be configured to "trust" particular
applications and allow them free access to the Internet or, more likely, to permit access using
a particular port but only for a particular group of programs.
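The following Python example shows the kind of application-aware policy described above: a set of trusted programs with free access, a named group of programs allowed on one port only, inbound connections accepted only for programs permitted to listen, a per-program restriction on remote addresses, and a deny for everything else. It is an added example and not code from the original page or from any host firewall product; the Connection class, the executable paths, the ports and the addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Connection:
    # Constructed view of a socket event as a host firewall sees it.
    app: str        # path of the executable that owns the socket
    direction: str  # "out": the app connects out; "in": a remote host connects to it
    remote_ip: str
    port: int       # remote port for "out", local listening port for "in"
    proto: str = "tcp"

class HostFirewall:
    """Per-application policy: trusted programs get free access, a named
    group of programs is allowed one port only, inbound connections reach
    only programs permitted to listen, and everything else is denied."""

    def __init__(self, trusted, port_groups, listeners, remote_nets=None):
        self.trusted = frozenset(trusted)
        # (proto, port) -> programs allowed to connect out on that port
        self.port_groups = {k: frozenset(v) for k, v in port_groups.items()}
        # (proto, port) -> programs allowed to accept inbound connections there
        self.listeners = {k: frozenset(v) for k, v in listeners.items()}
        # Optional per-program restriction on the remote addresses it may talk to
        self.remote_nets = {a: ip_network(n) for a, n in (remote_nets or {}).items()}

    def decide(self, c: Connection) -> str:
        if c.app in self.trusted:
            return "allow"  # "trusted" program: no further checks
        net = self.remote_nets.get(c.app)
        if net is not None and ip_address(c.remote_ip) not in net:
            return "deny"   # outside the remote range allowed for this program
        key = (c.proto, c.port)
        if c.direction == "in":
            return "allow" if c.app in self.listeners.get(key, ()) else "deny"
        return "allow" if c.app in self.port_groups.get(key, ()) else "deny"

def run_demo():
    """Constructed policy and events; every path and address is made up."""
    browser, updater, mail, game, admin = (
        "/opt/browser/browser", "/opt/tools/updater", "/opt/tools/mail",
        "/opt/games/game", "/opt/srv/remote-admin")
    fw = HostFirewall(
        trusted={browser},
        port_groups={("tcp", 443): {updater, mail}, ("udp", 53): {updater, mail}},
        listeners={("tcp", 2222): {admin}},
        remote_nets={updater: "203.0.113.0/24"},
    )
    events = [
        ("browser_https", Connection(browser, "out", "203.0.113.5", 443)),
        ("browser_irc", Connection(browser, "out", "198.51.100.9", 6667)),
        ("updater_https", Connection(updater, "out", "203.0.113.10", 443)),
        ("updater_elsewhere", Connection(updater, "out", "198.51.100.7", 443)),
        ("updater_http", Connection(updater, "out", "203.0.113.10", 80)),
        ("game_https", Connection(game, "out", "203.0.113.5", 443)),
        ("admin_inbound", Connection(admin, "in", "198.51.100.7", 2222)),
        ("game_inbound", Connection(game, "in", "198.51.100.7", 2222)),
        ("mail_inbound_443", Connection(mail, "in", "198.51.100.7", 443)),
    ]
    return {name: fw.decide(e) for name, e in events}

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:18} {verdict}")
```

The policy keys on the full executable path rather than a bare program name, so that a differently located program with the same file name does not inherit another program's permissions; the direction is checked separately, which is why the mail client's permission to connect out on port 443 does not let it accept inbound connections on that port.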
NAT: Network Address Translation
A facility that is normally built into hardware firewalls to allow multiple private IP addresses on
the LAN to all share access to the Internet through one public IP address. In addition to providing
highly efficient use of IP addresses, NAT also has the advantage that it makes computers on the LAN
more secure because they cannot be directly addressed from the Internet. However, this can also be
a disadvantage for some services that want to be able to communicate directly to a computer - for
example Voice Over IP telephony.
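The example below, added here and not taken from the original page or any product, models the port-based NAT described above in Python: every LAN host appears on the Internet as the single public address, each outbound flow gets its own public port so that replies can be steered back to the right host, and an inbound packet is delivered only if it matches a mapping created by earlier outbound traffic. It also shows the disadvantage mentioned for Voice over IP: an unsolicited inbound call is dropped until the administrator adds an explicit port forward. The Packet class, the addresses and the port numbers are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    # Constructed packet: just the fields NAT rewrites or keys on.
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

class NatGateway:
    """Port-based NAT of the kind built into hardware firewalls: LAN hosts
    share one public IP, each outbound flow gets its own public port, and
    inbound packets are delivered only if they match a mapping created by
    outbound traffic or an explicit port forward."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}        # (priv ip, priv port, proto, remote ip, remote port) -> public port
        self.in_map = {}         # (proto, public port, remote ip, remote port) -> (priv ip, priv port)
        self.port_forwards = {}  # (proto, public port) -> (priv ip, priv port)

    def add_port_forward(self, proto, public_port, private_ip, private_port):
        self.port_forwards[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite a LAN packet so it leaves with the public address and a mapped port."""
        key = (p.src, p.sport, p.proto, p.dst, p.dport)
        if key not in self.out_map:
            pub = self.next_port
            self.next_port += 1
            self.out_map[key] = pub
            self.in_map[(p.proto, pub, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet arriving on the WAN side, or drop it (None)."""
        target = self.in_map.get((p.proto, p.dport, p.src, p.sport))
        if target is None:
            target = self.port_forwards.get((p.proto, p.dport))
        if target is None:
            return None  # no mapping: no LAN host is addressable, packet is dropped
        priv_ip, priv_port = target
        return replace(p, dst=priv_ip, dport=priv_port)

def run_demo():
    """Constructed exchange through the gateway; returns each translation."""
    nat = NatGateway("198.51.100.20")
    # Two LAN hosts use the same local source port towards the same server.
    a_out = nat.outbound(Packet("192.168.1.10", "203.0.113.5", "tcp", 51000, 443))
    b_out = nat.outbound(Packet("192.168.1.11", "203.0.113.5", "tcp", 51000, 443))
    # The server replies to what it saw; the mapping steers each reply home.
    a_back = nat.inbound(Packet("203.0.113.5", "198.51.100.20", "tcp", 443, a_out.sport))
    b_back = nat.inbound(Packet("203.0.113.5", "198.51.100.20", "tcp", 443, b_out.sport))
    # An unsolicited call to a VoIP phone on the LAN has no mapping and is dropped...
    voip_before = nat.inbound(Packet("203.0.113.77", "198.51.100.20", "udp", 5060, 5060))
    # ...until the administrator forwards that port to the phone.
    nat.add_port_forward("udp", 5060, "192.168.1.50", 5060)
    voip_after = nat.inbound(Packet("203.0.113.77", "198.51.100.20", "udp", 5060, 5060))
    return {"a_out": a_out, "b_out": b_out, "a_back": a_back, "b_back": b_back,
            "voip_before": voip_before, "voip_after": voip_after}

if __name__ == "__main__":
    for name, pkt in run_demo().items():
        print(f"{name:12} {'dropped' if pkt is None else pkt}")
```

The inbound lookup keys on the remote address and port as well as the public port, so a packet from a different host that happens to use a mapped port is still dropped; the port forward is the deliberate exception that makes one LAN host reachable for a service such as VoIP, and it should be limited to the specific port and host that service needs.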