This
section describes a firewall, its importance to your home
computer strategy, and a way to think about the job you need to
do. We’re going to depart from our
“computer-is-like-a-house-and-the-things-in-it” analogy to use
another that you are probably also familiar with: an office
building.
Have you ever visited a business where you first stopped at the
reception desk to interact with a security guard? That guard’s
job is to assess everybody who wishes to enter or leave the
building to decide if they should continue on or be stopped. The
guard keeps the unwanted out and permits only appropriate people
and objects to enter and leave the business’s premises.
Let’s dig deeper into this analogy. When someone enters a
building, the security guard usually greets them. If they have
an appropriate identification badge, they show it to the guard
or swipe it through a reader. If all is OK, they pass through
the guard’s checkpoint. However, if something’s wrong or if they
are a visitor, they must first stop at the guard desk.
The guard asks whom they wish to see. The guard may also ask
for identification such as a driver’s license or their company
ID. The guard reviews the list of expected guests to see if this
person is approved to visit the party in question. If the guard
decides everything is all right, the visitor may pass. The
visitor usually signs a logbook with their name, the company
they represent, whom they are seeing, and the time of day.
On a computer, the firewall acts much like a guard when it
looks at network traffic destined for or received from another
computer. The firewall determines if that traffic should
continue on to its destination or be stopped. The firewall
“guard” is important because it keeps the unwanted out and
permits only appropriate traffic to enter and leave the
computer.
To do this job, the firewall has to look at every piece of
information – every packet – that tries to enter or leave a
computer. Each packet is labeled with where it came from and
where it wants to go. Some packets are allowed to go anywhere
(the employee with the ID badge) while others can only go to
specific places (visitors for a specific person). If the
firewall allows the packet to proceed (being acceptable
according to the rules), it moves the packet on its way to the
destination. In most cases, the firewall records where the
packet came from, where it’s going, and when it was seen. For
people entering a building, this is similar to the ID card
system keeping track of who enters or the visitor signing the
visitor’s log.
The building’s guard may do a few more tasks before deciding
that the person can pass. If the person is a visitor and is not
on the visitors list, the guard calls the employee being visited
to announce the visitor’s arrival and to ask if they may pass.
If the employee accepts the visitor, they may proceed. The guard
may also give the visitor a badge that identifies them as a
visitor. That badge may limit where in the building they can go
and indicate if they need to be escorted. Finally, no matter
whether the person is a visitor or an employee, the guard may
inspect their briefcase or computer case before they pass.
The firewall can also check whether a given packet should
pass, allowing the computer’s user to respond to unanticipated
network traffic (just as the guard does with the unexpected
visitor). Individual packets can be allowed to pass, or the
firewall can be changed to allow all future packets of the same
type to pass. Some firewalls have advanced capabilities that
make it possible to direct packets to a different destination
and perhaps even have their contents concealed inside other
packets (similar to the visitor being escorted). Finally,
firewalls can filter packets based not only on their point of
origin or destination, but also on their content (inspecting the
briefcase or computer case before being allowed to pass).
Back in the office building, when employees leave the
building, they may also have to swipe their ID card to show that
they’ve left. A visitor signs out and returns their temporary
badge. Both may be subject to having their possessions inspected
before being allowed to leave.
Firewalls can also recognize and record when a
computer-to-computer connection ends. If the connection was
temporary (like a visitor), the firewall rules can change to
deny future similar connections until the system’s user
authorizes them (just as visitors must re-identify themselves
and be re-approved by an employee). Finally, outgoing
connections can also be filtered according to content (again,
similar to inspecting possessions at the exit).
What does this all mean? It means that with a firewall, you
can control which packets are allowed to enter your home
computer and which are allowed to leave. That’s the easy part.
The hard part is deciding the details about the packets that
are allowed to enter and exit your home computer. If your
firewall supports content filtering, you also need to learn
which content to allow and which not to allow. To help you get a
handle on this harder task, let’s return to our security guard
analogy.
Imagine that you are that security guard and it’s your first
day on the job. You have to decide who’s allowed in, who’s
allowed out, and what people can bring into and take out of the
building. How do you do this?
One strategy is to be very conservative: let no one in or out
and let no possessions in or out. This is very simple, very easy
to achieve, but not particularly helpful to the business if none
of its employees or visitors can get in or out. Nor is it
helpful if they can’t bring anything with them. With this type
of strategy, your tenure as a security guard may be short-lived.
If you try this, you quickly learn that you need to change
your strategy: allow people in and out only if their
identification and possessions meet some agreed-to criteria,
and add the requirement that anyone who doesn’t meet the precise
criteria for admittance doesn’t get in.
With most firewalls, you can do the same thing. You can
program your firewall to let nothing in and nothing out. Period.
This is a deny-all firewall strategy and it does work,
though it effectively disconnects you from the Internet. It is
impractical for most home computers.
You can do what the security guard did: review each packet
(employee or visitor) to see where it’s coming from and where
it’s going. Some firewall products let you easily review each
packet so that you can decide what to do with it. When you are
shopping for a firewall, look for this review feature because it
can be quite helpful. Practically speaking, it isn’t easy to
decide which traffic is all right and which is not all right.
Any feature that makes this job easier helps you achieve your
goal of securing your home computer.
Just like the security guard who learns that anybody with a
company photo ID is allowed to pass, you too can create firewall
rules that allow traffic to pass without reviewing each packet
each time. For example, you may choose to allow your Internet
browsers to visit any web site. This rule would define the
source of that traffic to be your browsers (Netscape Navigator
and Microsoft Internet Explorer, for example) and the
destination location to be any web server. This means that
anybody using your home computer could visit any Internet web
site, as long as that web server used the well-known standard
locations.
Now that you have an idea of what your firewall security
guard is trying to do, you need a method for gathering
information and programming your firewall. Here is a set of
steps to use to do just that:
- The Program test: What’s the program that
wants to make a connection to the Internet? Although many
programs may need to make the same type of connection to the
same Internet destination, you need to know the name of each.
Avoid general rules that allow all programs to make a
connection. This often results in unwanted and unchecked
behavior.
- The Location test: What’s the Internet
location of the computer system to which your computer wants
to connect? Locations consist of an address and a port number.
Sometimes a program is allowed to connect to any Internet
location, such as a web browser connecting to any web server.
Again, you want to limit programs so that they only connect to
specific locations where possible.
- The Allowed test: Is this connection allowed
or denied? Your firewall rules will contain some of each.
- The Temporary test: Is this connection
temporary or permanent? For example, if you’re going to
connect to this specific location more than five times each
time you use the computer, you probably want to make the
connection permanent. This means that you ought to add a rule
to your firewall rules. If you aren’t going to make this
connection often, you should define it as temporary.
With each connection, apply the PLAT tests (Program, Location,
Allowed, Temporary) to get the information you need to build a
firewall rule. The answers to the PLAT tests tell you whether you
need to include a new firewall rule for this new connection. For most firewall
programs, you can temporarily allow a connection but avoid
making it permanent by not including it in your rules. Where
possible, allow only temporary connections.
As you run each program on your home computer, you’ll learn
how it uses the Internet. Slowly you’ll begin to build the set
of rules that define what traffic is allowed into and out of
your computer. By only letting in and out what you approve and
denying all else, you will strike a practical balance between
allowing everything and allowing nothing in or out.
Along the way, you may come across exceptions to your rules.
For example, you might decide that anybody who uses your home
computer can visit any web site except a chosen few web
sites. This is analogous to the security guard letting every
employee pass except a few who need more attention first.
To do this with firewall rules, the exception rules must be
listed before the general rules. For example, this means that
the web sites whose connections are not allowed must be listed
before the rules that allow all connections to any web site.
Why? Most firewall programs search their rules starting from
the first through the last. When the firewall finds a rule that
matches the packet being examined, the firewall honors it, does
what the rule says, and looks no further. For example, if the
firewall finds the general rule allowing any web site
connections first, it honors this rule and doesn’t look further
for rules that might deny such a connection. So, the order of
firewall rules is important.
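As an added illustration (not part of the original text), the following Python models the PLAT tests as rule fields and evaluates rules first-match, the way the text says most firewall programs do. The program names, host names and ports are constructed; the point is that placing the exception rule after the general rule leaves the exception unreachable.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed rule model: one field per PLAT test (Program, Location, Allowed, Temporary).
@dataclass
class Rule:
    program: Optional[str]      # P: program name; None means any program (avoid where possible)
    host: Optional[str]         # L: destination address; None means any address
    port: Optional[int]         # L: destination port; None means any port
    allow: bool                 # A: True = allow, False = deny
    temporary: bool = False     # T: temporary rules vanish when the connection ends

@dataclass(frozen=True)
class Connection:
    program: str
    host: str
    port: int

def matches(rule: Rule, conn: Connection) -> bool:
    """A rule matches when every field it specifies equals the connection's field."""
    return ((rule.program is None or rule.program == conn.program)
            and (rule.host is None or rule.host == conn.host)
            and (rule.port is None or rule.port == conn.port))

def decide(rules: list, conn: Connection) -> bool:
    """First-match evaluation: the first matching rule wins and no later rule is consulted.
    If nothing matches the connection is denied, so only approved traffic passes."""
    for rule in rules:
        if matches(rule, conn):
            return rule.allow
    return False

def end_connection(rules: list, conn: Connection) -> list:
    """When a connection closes, drop the temporary rules that covered it, so the next
    attempt has to be approved by the user again."""
    return [r for r in rules if not (r.temporary and matches(r, conn))]

# Constructed rules: the browser may reach any web server on port 80, except one host.
ALLOW_ANY_WEB = Rule("browser", None, 80, allow=True)
DENY_ONE_SITE = Rule("browser", "blocked.example", 80, allow=False)

WRONG_ORDER = [ALLOW_ANY_WEB, DENY_ONE_SITE]   # general rule first: exception never reached
RIGHT_ORDER = [DENY_ONE_SITE, ALLOW_ANY_WEB]   # exception first, as the text requires

if __name__ == "__main__":
    c = Connection("browser", "blocked.example", 80)
    print("wrong order lets the blocked site through:", decide(WRONG_ORDER, c))  # True
    print("right order lets the blocked site through:", decide(RIGHT_ORDER, c))  # False
```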
Many firewalls can be programmed to require a password before
changing the rules. This extra level of protection safeguards
against unwanted changes no matter their source, that is, you,
an intruder, or another user. Follow the guidance in
Task 6 - Use Strong Passwords
when assigning a password to your firewall.
Finally, make a backup of your firewall rules. You’ve
probably taken a lot of time to build and tune them to match how
your home computer is used. These rules are important to your
computer’s security, so back them up using the guidance in
Task 5 - Make Backups of Important Files and Folders.
Firewalls come in two general types: hardware and software
(programs). The software versions also come in two types: free
versions and commercial versions (ones that you purchase). At a
minimum, you should use one of the free versions on your home
computer. This is especially important if you have a laptop that
you connect to your home network as well as a network at a
hotel, a conference, or your office.
If you can afford a hardware firewall, you should install one
of these too. We’ve recommended this as something to do later.
(Firewall programs are Task 4 on
our list of recommended actions, and hardware firewalls are