To keep burglars from breaking into your house, you lock your doors and windows. On your computer, access in and out is through network "ports", and these are what a firewall protects. A firewall is like a lock on the door, preventing unauthorized traffic in and out of your computer by monitoring the network stack.
Firewalls can prevent attacks that anti-virus software can only detect after the fact, but even the best firewall can't prevent all attacks. Anti-virus software provides a backup by monitoring your file system and alerting you to malware that slips through your firewall. If a firewall is like a lock on the door, an anti-virus program is like a burglar alarm. If you're connected to the internet, you need both.
All three of the leading PC security packages (Norton Internet Security, McAfee Internet Security Suite, and ZoneAlarm Security Suite) provide both anti-virus software and a firewall in a single package. Anti-virus software is easy to set up and use. The default settings give good protection without interfering with your computer's operation. You just need to keep the virus definitions up to date.
But firewalls are a different matter. The settings must be customized for your specific configuration, and few people are knowledgeable enough to do this without help. The wizards in today's personal firewalls help, but they aren't perfect. If not set up properly, the firewall either will not provide adequate protection, or will interfere with your own legitimate activities. Even experts make mistakes because the settings tend to get so complex.
The 2003 CSI/FBI Computer Crime and Security Survey found that while 98% of businesses used firewalls, well over half had experienced unauthorized access, and the most frequent point of attack was their internet connection. A firewall that is present but misconfigured is a common thread in these breaches: security experts estimate that over 50% of the firewalls installed in businesses are misconfigured. Among personal users, the percentage is probably even higher.
To understand how firewalls work, you need a general understanding of how hackers use network connections to break into computers. Firewall features evolve naturally from this starting point.
Just as your home has a street address so the mail carrier can find it, your computer has an internet address (called the "Internet Protocol" or IP address) so internet communication can be directed to it (see Figure 1). A hacker can't break into a computer that he doesn't know is there, so one common feature of firewalls is to make the computer invisible to probes: unsolicited packets and pings are silently dropped rather than answered, so a scanner gets no reply and cannot tell whether anything is at that address. (The firewall cannot hide the address itself; it only refuses to confirm that a machine is using it.)
The network ports that give access to your computer are actually endpoints of communication. There are multiple ports so that multiple network conversations can take place at once. For example, you can access your email, download a file, and browse to a Web site all at the same time.
Internet software uses different data exchange rules, or "protocols", for different types of communication. For example, browsers use the HyperText Transfer Protocol (HTTP) to request and receive Web pages, the File Transfer Protocol (FTP) is often used for uploading and downloading files, and email uses still other protocols (SMTP to send, POP3 or IMAP to receive). These common internet services are assigned well-known ports. For example, HTTP is usually on port 80, and FTP's control connection on port 21.
But there are many more ports than these: 65,536 TCP ports, and another 65,536 for UDP. A port can only be attacked if some program on your computer is listening on it, but a stock Windows installation listens on several (RPC on port 135 and file sharing on 139 and 445, for instance) whether you use them or not, and hackers scan for them continuously. Therefore, another common function of firewalls is to block inbound traffic to every port you have not explicitly opened. If you don't do this, any time your computer is connected to the internet, a hacker can come into your computer through one of those listening services, steal your personal files, and create havoc.
Note that you don't have to be accessing the internet yourself to be attacked. Your email program and browser can be closed and you can be off mowing the lawn, but if your computer is connected to the internet, it can be attacked through open ports. This is especially true for computers with broadband connections, since the fixed IP addresses give hackers plenty of time to discover a vulnerability they can use to get in.
The goal of a firewall is to close off all unused access points into your computer, and allow only those that you truly need. This is accomplished through sets of rules; for example, allow outgoing FTP but not incoming (meaning, you can download files from the internet, but others cannot download files from your hard disk). Even that simple rule has a wrinkle: in FTP's original "active" mode the server opens the data connection back to the client, so a firewall that refuses all incoming connections breaks active-mode transfers unless it understands the FTP session. Rules like these quickly get complicated, and it's difficult to define them so access is as limited as possible while still allowing legitimate traffic.
When you are trying to get something done and your firewall won't let you do it, it's easier to punch a big hole in the wall than to figure out how to define a pinhole that will keep your computer safe. For instance, if you want to access your work computer from home, it's easier to give full access to the Windows file sharing ports (135-139, and 445 on Windows 2000 and later) or turn off your firewall completely, than to figure out how to give file sharing access only to your home computer's IP address. This is why over half the computers running firewalls are still vulnerable to attack.
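To make the "big hole" versus "pinhole" distinction concrete, here is a toy static packet filter written for this page; it is an added illustration, not code from the article or from any firewall product. Rules are matched first-match over the fields a static filter can see (direction, protocol, source address block, destination port range) and anything no rule allows is denied. The addresses, the FTP server and the "home PC" are constructed placeholders from the RFC 5737 documentation ranges.

```python
# Added example: a toy static packet filter (not the article's or any vendor's
# code).  Rules are evaluated first-match over the layer-3/4 fields a static
# filter can see; anything no rule allows falls through to the default deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the protected PC) or "out" (from it)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    direction: str                           # "in", "out" or "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"                   # CIDR block the source address must fall in
    dport: Optional[Tuple[int, int]] = None  # inclusive destination port range, None = any

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        return True


def decide(rules, p: Packet) -> str:
    """First matching rule wins; with no match the packet is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed addresses (RFC 5737 documentation ranges, not real hosts).
MY_PC = "192.0.2.10"          # the protected computer
HOME_PC = "203.0.113.7"       # the one remote machine that should reach file sharing
FTP_SERVER = "198.51.100.20"  # a site we download from
ATTACKER = "198.51.100.9"
FILE_SHARING = (135, 139)     # the ports the article names; Windows 2000+ also uses 445

# "Big hole": file sharing reachable from anywhere on the internet.
RULES_BIG_HOLE = [
    Rule("allow", "out", "tcp", dport=(21, 21)),     # outgoing FTP control connections
    Rule("allow", "in", "tcp", dport=FILE_SHARING),  # incoming file sharing, any source
]

# "Pinhole": the same access, but only from the home computer's address.
RULES_PINHOLE = [
    Rule("allow", "out", "tcp", dport=(21, 21)),
    Rule("allow", "in", "tcp", src=HOME_PC + "/32", dport=FILE_SHARING),
]


def compare(p: Packet):
    """Return (big-hole verdict, pinhole verdict) for one packet."""
    return decide(RULES_BIG_HOLE, p), decide(RULES_PINHOLE, p)


if __name__ == "__main__":
    samples = [
        Packet("out", "tcp", MY_PC, 40000, FTP_SERVER, 21),   # we download via FTP
        Packet("in", "tcp", ATTACKER, 40000, MY_PC, 21),      # someone FTPs into us
        Packet("in", "tcp", HOME_PC, 50000, MY_PC, 139),      # home PC reaches a share
        Packet("in", "tcp", ATTACKER, 50000, MY_PC, 139),     # stranger tries the share
    ]
    for p in samples:
        print(p.direction, p.src, "->", p.dport, compare(p))
```

Note how the pinhole still leaves work undone: it covers only TCP, while NetBIOS name and datagram services use UDP 137 and 138, so a "simple" exception for one remote machine already needs a second rule. That growth is the complexity the text is describing.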
Security programs use two methods for identifying attacks: signature monitoring and behavior monitoring (see Figure 2). In the signatures approach, the security program maintains a database of known attacks, and monitors your system for matches to this database. This is the method traditionally used by anti-virus software. New signatures must be downloaded regularly because only the signatures in the database can be recognized. You can get false positives with signatures, but they are rare.
Behavior monitoring means looking for dangerous patterns rather than specific signatures. In anti-virus software, behavior monitoring is termed "heuristics". It's useful for flagging programs and scripts that have characteristics of malware but aren't yet in the signature database. The disadvantage is that it will yield more false positives than the signature approach.
Firewalls have traditionally relied upon behavior monitoring, using generic rules that are not based on specific past attacks. But with the increasing sophistication of hacking techniques, behavior monitoring is no longer enough.
The latest innovation in firewalls is the Intrusion Detection System (IDS), which provides signature-based monitoring of network activity. For example, if a buffer overrun attack was observed to send 4875 bytes to port 135, that information would go into the IDS signature database, and another attack of the same type would be caught, even if port 135 had to be left open for legitimate traffic. Signature matching requires the firewall to inspect packet contents, not just the headers that ordinary filtering rules look at.
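The two detection methods side by side, as an added example written for this page (not the article's or any vendor's detection code): a tiny signature database containing the article's "4875 bytes to port 135" case, and one behavior rule that needs no signature at all, a port-scan detector that flags any source touching many distinct ports in a short window. The capture it runs over is constructed, and so is the byte pattern in the second signature.

```python
# Added example: signature matching and a behavior rule side by side (not the
# article's or any vendor's detection code).  Traffic and signatures are
# constructed for the demonstration.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float          # seconds since capture start
    src: str
    dport: int
    payload: bytes


# Signature database: each entry describes one previously observed attack.
# Port 135 with a 4875-byte payload is the article's example; the byte
# pattern in the second entry is made up for the demonstration.
SIGNATURES = [
    {"name": "RPC buffer overrun seen on port 135", "dport": 135, "min_len": 4875},
    {"name": "constructed web exploit pattern", "dport": 80, "content": b"GET /\x90\x90\x90\x90"},
]


def match_signatures(p: Pkt, signatures=SIGNATURES):
    """Return the names of every signature the packet matches."""
    hits = []
    for sig in signatures:
        if sig["dport"] != p.dport:
            continue
        if "min_len" in sig and len(p.payload) < sig["min_len"]:
            continue
        if "content" in sig and sig["content"] not in p.payload:
            continue
        hits.append(sig["name"])
    return hits


def detect_port_scans(packets, max_ports=10, window=5.0):
    """Behavior rule with no signature: flag any source that touches more
    than max_ports distinct destination ports within `window` seconds."""
    recent = defaultdict(deque)   # src -> deque of (t, dport) inside the window
    flagged = set()
    for p in sorted(packets, key=lambda x: x.t):
        q = recent[p.src]
        q.append((p.t, p.dport))
        while q and p.t - q[0][0] > window:
            q.popleft()
        if len({port for _, port in q}) > max_ports:
            flagged.add(p.src)
    return flagged


def analyze(packets):
    """Combine both methods: (signature alerts, scanning sources)."""
    alerts = [(p.src, p.dport, name) for p in packets for name in match_signatures(p)]
    return alerts, detect_port_scans(packets)


# Constructed capture: a legitimate client, a scanner, and one overflow attempt.
# The 0x05 0x00 0x0b prefix is a DCE/RPC bind header; the rest is filler.
TRAFFIC = (
    [Pkt(0.0, "203.0.113.7", 80, b"GET / HTTP/1.0\r\n\r\n"),
     Pkt(0.5, "203.0.113.7", 443, b"\x16\x03\x01"),
     Pkt(1.0, "203.0.113.7", 135, b"\x05\x00\x0b" + b"A" * 200)]        # small, normal RPC bind
    + [Pkt(2.0 + i * 0.1, "198.51.100.9", port, b"") for i, port in enumerate(range(1, 16))]
    + [Pkt(9.0, "198.51.100.9", 135, b"\x05\x00\x0b" + b"A" * 4872)]    # 4875 bytes in total
)


if __name__ == "__main__":
    alerts, scanners = analyze(TRAFFIC)
    for src, port, name in alerts:
        print("signature:", src, "->", port, name)
    print("scanning sources:", scanners)
```

The legitimate 203-byte RPC bind to port 135 passes untouched even though the port is open; only the oversized one matches. The scanner, on the other hand, never sends a byte the signature database knows about, and is caught purely by the generic rule.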
An IDS is most useful for a server that must leave ports open for inbound traffic, but it can be useful for personal computers as well. Sygate Personal Firewall Pro and Norton Personal Firewall both include an IDS.
All firewalls monitor network traffic, but they differ in the level at which they monitor the traffic and the method they use for control. To understand these differences you need to understand network levels, so we'll start with a brief description of network architecture (see Figure 3).
Networks are a complex mix of hardware, system software, and end-user programs. The ISO standard for network communication, called Open Systems Interconnection (OSI), organizes the mix into seven layers. Firewalls operate at layer 3 and above.
Layer 1 is the physical layer: network cards, cable, and the signaling on them. Layer 2, the data link layer, frames the bits for delivery between directly connected machines; Ethernet, with its MAC addresses, lives here. Layer 3, the network layer, handles addressing and routing for the packets that comprise internet traffic; IP is a layer 3 protocol. Layer 4, the transport layer, is where the actual end-to-end transfer occurs, and is responsible for error recovery and flow control; TCP and UDP, and therefore port numbers, live here. Layer 5, the session layer, establishes and manages the dialog between two communicating programs. Layer 6, the presentation layer, is concerned with methods of data representation such as encoding and encryption. At the top is layer 7, the application layer, which comprises the protocols end-user applications speak for different services, such as HTTP and FTP. The model used by the internet protocols, TCP/IP, has only four layers: the top three OSI layers are collapsed into a single application layer, and the bottom two into a single link layer.
Firewalls implemented at the lower layers of the OSI model have the least impact on network performance, but also are the least secure because of the limited information available to them. The higher the level at which the firewall operates, the more secure it is, and the more it slows network traffic.
There are two primary firewall technologies: packet filters and proxies. Proxy firewalls provide a high level of protection, but are difficult and expensive to deploy, and so are used mainly by larger companies. There are two main kinds of proxy firewalls: application-level gateways, and circuit-level gateways.
Circuit-level gateways operate at level 5, the session level. Before a session is established, the requestor is authenticated, perhaps through a username and password. Information can then pass through freely: the gateway relays the bytes of the connection without examining what they mean. Most circuit gateway implementations use the SOCKS protocol. End-user applications require modification for use with circuit-level gateways, and most browsers have built-in support for SOCKS.
Application-level gateways provide the highest level of security and control. Clients connect to the proxy, the proxy uses application-level information to decide what traffic to allow through (for example, whether to allow an FTP upload, the STOR command that a client's put issues), and then establishes a separate connection to the server to transmit allowed requests. Only the proxy is visible to the internet, which provides additional protection. A separate proxy is needed for each application protocol.
Although personal firewalls often make limited use of software-based proxy servers, they are essentially packet filters of one type or another. We will discuss these next.
Packets are the unit in which data is transported across the internet. Data is split into packets for transmission and reassembled at its destination. Network layer 3 is the lowest layer at which a firewall operates, and the information available to it there is what the IP header carries: the source and destination IP address, the transport protocol (TCP, UDP or ICMP), and the type-of-service field. A packet filter normally also reads the transport header that immediately follows, which gives it the source and destination port and, for TCP, the flags.
Firewalls that use rules based on level 3 information are called "static packet filters". Filtering by IP address lets a firewall control which computers on a network have access to the internet, which can receive incoming traffic, and which have access to various services.
Most modern routers have the ability to do static packet filtering. When implemented in a router, packet filtering entails virtually no performance hit. Routers also offer additional protection through network address translation (NAT), which hides the addresses of computers on the local network: computers on the internet can see only the router's IP address, and an unsolicited inbound packet is dropped because the router has no record of which internal machine it belongs to. NAT does not, however, fix the main weakness of static packet filtering, which is that a rule trusting a packet because of its source IP address can be fooled, since source addresses are easily spoofed.
Software-based packet filters can base their rules on information above network layer 3, and thus provide much greater protection. However, the price is a performance hit: the more analysis that's done, the greater the hit.
"Dynamic packet filtering" (also called "stateful packet inspection") uses information from layer 4 to improve security while minimizing the impact on performance. By maintaining a table of connections, a dynamic packet filter can tell whether a given IP packet is the continuation of a connection it saw being established or the start of a new one, and can drop inbound packets that claim to belong to a conversation the protected computer never started, which is exactly what a spoofed or unsolicited packet looks like. This technique was developed and patented by Check Point Software Technologies (www.checkpoint.com).
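The difference a connection table makes, as an added example written for this page (an illustration, not Check Point's or any vendor's code): a static filter that approximates "replies only" by admitting any inbound segment with the ACK flag set, next to a stateful filter that admits an inbound segment only if the protected PC's own outbound SYN created a table entry for that connection. The traffic is a constructed scenario; the last segment also shows the point made about Windows XP below, that a connection the PC itself opens is allowed whichever program opened it.

```python
# Added example: a toy stateful (dynamic) packet filter next to a static
# "established" rule, to show what the connection table buys (illustration
# only, not Check Point's or any vendor's code).  Traffic is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    direction: str    # "in" or "out", relative to the protected PC
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def static_allow_established(s: Seg) -> str:
    """The best a stateless filter can do: let every outbound segment through,
    and let an inbound segment through if ACK is set, on the theory that only
    replies carry ACK.  Anyone can set ACK on a forged packet."""
    if s.direction == "out" or "ACK" in s.flags:
        return "allow"
    return "deny"


class StatefulFilter:
    """Connection table keyed by the protected PC's (local, remote) endpoints."""

    def __init__(self):
        self.table = {}   # (local ip, local port, remote ip, remote port) -> state

    def _key(self, s: Seg):
        if s.direction == "out":
            return (s.src, s.sport, s.dst, s.dport)
        return (s.dst, s.dport, s.src, s.sport)   # inbound: swap so local comes first

    def process(self, s: Seg) -> str:
        key = self._key(s)
        state = self.table.get(key)
        if s.direction == "out":
            if "SYN" in s.flags and "ACK" not in s.flags:
                self.table[key] = "SYN_SENT"      # the PC is opening a connection
                return "allow"
            if state is None:
                return "deny"                     # outbound data for no known connection
        else:
            if state is None:
                return "deny"                     # unsolicited or spoofed: no table entry
            if state == "SYN_SENT" and {"SYN", "ACK"} <= s.flags:
                self.table[key] = "ESTABLISHED"   # the reply we were waiting for
        if {"FIN", "RST"} & s.flags:
            self.table.pop(key, None)             # simplified teardown: one FIN/RST closes
        return "allow"


def run(segments, fw=None):
    """Return (static verdict, stateful verdict) for each segment in order."""
    fw = fw or StatefulFilter()
    return [(static_allow_established(s), fw.process(s)) for s in segments]


# Constructed hosts (RFC 5737 documentation addresses).
MY_PC, WEB, ATTACKER = "192.0.2.10", "198.51.100.20", "198.51.100.9"

SCENARIO = [
    Seg("out", MY_PC, 40000, WEB, 80, frozenset({"SYN"})),          # we open a connection
    Seg("in", WEB, 80, MY_PC, 40000, frozenset({"SYN", "ACK"})),     # server's reply
    Seg("out", MY_PC, 40000, WEB, 80, frozenset({"ACK"})),           # handshake completes
    Seg("in", WEB, 80, MY_PC, 40000, frozenset({"ACK"})),            # data from the server
    Seg("in", ATTACKER, 31337, MY_PC, 139, frozenset({"SYN"})),      # unsolicited connect
    Seg("in", ATTACKER, 31337, MY_PC, 139, frozenset({"ACK"})),      # forged "reply"
    Seg("out", MY_PC, 40001, ATTACKER, 443, frozenset({"SYN"})),     # a Trojan phoning home
]


if __name__ == "__main__":
    for s, verdicts in zip(SCENARIO, run(SCENARIO)):
        print(s.direction, sorted(s.flags), s.src, "->", s.dport, "static/stateful:", verdicts)
```

The forged "reply" is the interesting row: it sails past the static rule and is dropped by the stateful one, because no outbound SYN ever put that connection in the table. The final row shows the limit of both: a connection opened from inside is allowed, and at this layer a Trojan's connection is indistinguishable from a browser's.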
The firewall built into Windows XP, Internet Connection Firewall, uses a variation on dynamic packet filtering to allow only connections initiated by the protected computer, or by other computers sharing that computer's internet connection. However, this provides no protection at all if your computer is infected with a Trojan that "phones home" with private information from your hard disk, because the Trojan's connection is one the protected computer initiated.
The updated firewall that will ship with SP2 of Windows XP contains some significant improvements. One major change, added to overcome problems in running peer-to-peer applications, is application-level exceptions to the "no traffic I didn't initiate" rule. Now you can specify which applications are allowed to listen to the internet.
However, you still can't give application-level permission to talk. Any application on your computer can initiate an internet connection unimpeded. That means a Trojan downloaded as an email attachment can still phone home with all your private information.
For full application-level filtering, you need a third party tool. Zone Labs introduced the idea of application-level filtering back in 1999 with its free ZoneAlarm utility, and was the first personal firewall to reliably block outgoing traffic from Trojans. Today, application-level filtering and monitoring of outgoing connections are found in most personal firewalls, but ZoneAlarm still offers the most control. You can configure a program to use only certain source and destination addresses, work only within a certain period of time, and more. This kind of filtering is called "multilevel stateful inspection".
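The kind of per-program outbound control just described, as an added example written for this page (an illustration, not ZoneAlarm's or any other vendor's code). Each rule names a program, a fingerprint of its executable, the ports it may use, and optionally the hosts it may reach and the hours it may do so; a program with no rule may not talk at all. The executables, hashes, addresses and hours are all constructed. Identifying the program by a hash of its executable rather than its file name is an assumption of this example, made so that a Trojan renamed to match an authorized program gains nothing.

```python
# Added example: an application-level outbound filter of the kind the article
# describes, written for illustration (not ZoneAlarm's or any vendor's code).
# Executable contents, fingerprints, addresses and hours are all constructed.
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


def fingerprint(image: bytes) -> str:
    """Identify a program by a hash of its executable, not by its file name,
    so a Trojan that renames itself 'browser.exe' does not inherit the
    browser's permission.  (Hashing the image is this example's assumption.)"""
    return hashlib.sha256(image).hexdigest()


@dataclass(frozen=True)
class AppRule:
    program: str
    fingerprint: str
    ports: FrozenSet[int]
    hosts: Optional[FrozenSet[str]] = None   # None = any destination
    hours: Optional[Tuple[int, int]] = None  # local hours [start, end) when allowed


@dataclass(frozen=True)
class Attempt:
    program: str    # file name the operating system reports for the caller
    image: bytes    # bytes of the executable making the call (constructed)
    dst: str
    dport: int
    hour: int       # local hour of the attempt


def decide_outbound(rules, a: Attempt) -> str:
    """Return "allow" or a "deny: <reason>" string for one connection attempt."""
    fp = fingerprint(a.image)
    for r in rules:
        if r.program != a.program:
            continue
        if r.fingerprint != fp:
            return "deny: program changed since it was authorized"
        if a.dport not in r.ports:
            return "deny: port not permitted for this program"
        if r.hosts is not None and a.dst not in r.hosts:
            return "deny: destination not permitted for this program"
        if r.hours is not None and not (r.hours[0] <= a.hour < r.hours[1]):
            return "deny: outside the permitted hours"
        return "allow"
    return "deny: no rule for this program"   # unknown programs may not talk at all


# Constructed executables and addresses.
BROWSER = b"constructed browser executable v1"
MAILER = b"constructed mail client executable"
TROJAN = b"constructed trojan payload"
MAIL_SERVER = "192.0.2.25"
ANY_HOST = "198.51.100.9"

RULES = [
    AppRule("browser.exe", fingerprint(BROWSER), frozenset({80, 443})),
    AppRule("mailer.exe", fingerprint(MAILER), frozenset({25, 110}),
            hosts=frozenset({MAIL_SERVER}), hours=(8, 18)),
]


if __name__ == "__main__":
    attempts = [
        Attempt("browser.exe", BROWSER, ANY_HOST, 443, 14),   # browsing: allowed
        Attempt("mailer.exe", MAILER, MAIL_SERVER, 25, 10),   # mail in office hours
        Attempt("mailer.exe", MAILER, MAIL_SERVER, 25, 22),   # mail at night
        Attempt("invoice.exe", TROJAN, ANY_HOST, 443, 10),    # Trojan phoning home
        Attempt("browser.exe", TROJAN, ANY_HOST, 443, 10),    # Trojan posing as the browser
    ]
    for a in attempts:
        print(a.program, "->", a.dst, a.dport, "at", a.hour, ":", decide_outbound(RULES, a))
```

Contrast this with the stateful filter earlier in the piece: the Trojan's connection to port 443 is a perfectly ordinary outbound TCP connection, and only the program identity and the per-program policy separate it from the browser's.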
Personal firewall vendors work hard at making their products as easy to configure as possible, and virtually all supply some sort of wizard and built-in intelligence. The recently released ZoneAlarm 5 introduces an Automatic Program Configuration (APC) feature that uses a database of over 10,000 programs to avoid asking you questions you don't know how to answer. Still, if you're running a firewall, you will inevitably be forced to make some choices. Hopefully you are now better equipped to choose wisely.
Sheryl Canter is a contributing editor to PC Magazine. Her Web site is at www.SherylCanter.com.