Software Firewalls

Started by Wingco1, May 02, 2008, 17:09:00


Niall

#25
Quote from: Dangerjunkie on May 07, 2008, 11:48:34
The Internet works on IP addresses (you can think of these as like your computer's phone number) and ports (you can think of these as like extension numbers within an office phone system.)

To send a piece of information the remote system gets your computer's IP address from its name using a thing called DNS (Domain Name Service.) It then calls the number it gets and asks for the port it needs. A bit like someone dialling the switchboard of a big company and asking for extension 4567. Think of the programs on your computer as people sitting at desks. Some will have no extension on their desk, some will have one, others will have more. When the phone rings the program will answer it and act on whatever the program at the other end says. Most callers are genuine but a few are con artists.

Think of your firewall as the operator that answers the phone when a program calls the switchboard. That operator has been given a list of extensions that they are allowed to connect callers to and told not to connect a caller to any other extension. So when ICQ calls asking to speak to your ICQ the rule you set up says this is OK and the operator puts the call through. When the Hacker's Toolkit calls, asking to speak to the credit card number storage department, the operator won't put it through because no rule exists for that, protecting the business. Some firewalls also insist all employees wanting to make a call do it through the operator to make sure nobody within the company is talking to someone they shouldn't.

Some of the best firewalls use a thing called "Stateful Packet Inspection" where the operator connects the calls but continues to listen to the call and disconnects it if they think the caller is up to something bad.


Not all decent firewalls cost money. The line of IPCop, Smoothwall and Monowall are free. However, you do need to find a separate cr*ppy old computer to run them on. This is much better than a software firewall (yes, these are software too) because there is nothing else running on the machine with the firewall that can be used to get a trojan in to bypass the firewall.

Cheers,
Paul.

Well yeah, obviously a proxy/dedicated box would be good (dedicated racks in your room being ideal :D), but I don't want to build a separate PC that I route everything through, when I've got a router to avoid that in the first place. Okay not exactly the same thing, but if it works.

I did briefly try this when I had 3 PCs from left over bits. I found it to be interesting, but overly complicated for a home user. All you really need is a router and good firewall. You can actually get a hardware firewall for a decent price these days too, if you want to do it properly.
Art is not a handicraft, it is the transmission of feeling the artist has experienced.
Leo Tolstoy
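The "switchboard operator" and stateful-inspection description quoted above, turned into a small simulation. This is an added illustration, not code from the thread or from any of the firewall products it mentions; the IP addresses, the LAN host and the choice of 5190 as the ICQ port are assumptions made for the example.

```python
# Toy stateful packet filter mirroring the operator analogy:
#   - inbound_allow_ports is the operator's list of reachable extensions;
#   - the state table is the operator remembering which calls our own
#     programs placed, so replies get back in while unsolicited calls to
#     any other extension are refused.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving our LAN, "in" = arriving from the Internet


class StatefulFirewall:
    def __init__(self, inbound_allow_ports, lan_ip):
        self.inbound_allow_ports = set(inbound_allow_ports)  # the operator's list
        self.lan_ip = lan_ip
        # Open calls, keyed as (lan_ip, lan_port, remote_ip, remote_port).
        self.state = set()

    def filter(self, pkt: Packet) -> str:
        """Return 'ALLOW' or 'DROP' for one packet and update the state table."""
        if pkt.direction == "out" and pkt.src_ip == self.lan_ip:
            # A program on our side placed the call: remember it so the reply can return.
            self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        if pkt.direction == "in" and pkt.dst_ip == self.lan_ip:
            # Reply to a call we placed? The state table knows about it.
            if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state:
                return "ALLOW"
            # Unsolicited call: only listed extensions may be connected.
            if pkt.dst_port in self.inbound_allow_ports:
                return "ALLOW"
        return "DROP"  # everything else, including spoofed "out" traffic from outside


def run_demo():
    # Constructed traffic: 192.168.1.10 is our PC, 203.0.113.5 a web server,
    # 198.51.100.9 an unknown remote host; 5190 is assumed to be the ICQ rule.
    fw = StatefulFirewall(inbound_allow_ports={5190}, lan_ip="192.168.1.10")
    return [
        fw.filter(Packet("192.168.1.10", 40000, "203.0.113.5", 80, "out")),   # we call out
        fw.filter(Packet("203.0.113.5", 80, "192.168.1.10", 40000, "in")),    # the reply
        fw.filter(Packet("198.51.100.9", 31337, "192.168.1.10", 445, "in")),  # no rule, no state
        fw.filter(Packet("198.51.100.9", 31337, "192.168.1.10", 5190, "in")), # listed extension
    ]
```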

Dangerjunkie

Hi,

Quote from: Niall on May 07, 2008, 16:28:39
Well yeah, obviously a proxy/dedicated box would be good (dedicated racks in your room being ideal :D), but I don't want to build a separate PC that I route everything through, when I've got a router to avoid that in the first place. Okay not exactly the same thing, but if it works.

There are a number of mini-itx or pico-itx machines about that are about the same size as a router. If you visit http://linitx.com/viewcategory.php?catid=117&pp=116,117 they will sell them pre-built with the firewall software already installed. I know they're not cheap but IMHO you get what you pay for.

Quote from: Niall
I did briefly try this when I had 3 PCs from left over bits. I found it to be interesting, but overly complicated for a home user. All you really need is a router and good firewall. You can actually get a hardware firewall for a decent price these days too, if you want to do it properly.

Which product gives the best protection depends on the user as well. I agree with what you say as I could never give a real firewall to my mother for example unless I set it up for her. For anybody with a basic knowledge of what IP addresses, ports and NAT are then a real firewall shouldn't be a problem. IMHO anyone that could manage to set up my old Linksys router to let a port in could do the same with IPCop.

There is no such thing as a hardware firewall. It's a myth generally spread by the people that make "hardware" firewalls. They try to market their products as better because they are a specialist piece of hardware but in reality a hardware firewall is just a small computer with a couple of network interfaces in a box running a piece of firewall software. I would have much more confidence in one than a software firewall though. In fact if hardware firewalls did exist they would be very poor because it would be impossible to update their behaviour when new threats emerged unless you used (very expensive) FPGA parts.

Some of these are good products but you should bear in mind they do have limitations. The amount of memory they have is limited and is usually not upgradable so the size of the firewall rule table is limited (may or may not be a problem to you). With something like IPCop or Monowall running on a mini-itx box you can always buy a bigger CF card (where the program is stored) if you run out of space for rules or other things. With a hardware firewall you are generally stuck with software from the manufacturer whereas if you used Monowall for example and got upset with it you can just load another firewall program onto the box and move on without spending any money.

Hardware firewall software is almost entirely proprietary and the source code isn't publicly available. This means that you have to take the word of the manufacturer (who have a vested interest in you thinking it's good and buying it) to tell you how good it is. With an open-source product the code will have been examined by many people and there are likely to be a number of well informed opinions on how good it is. This process also generally means that problems with it will be found early and fixed fast.

A specialist hardware firewall isn't always easy to use either. As an example I have a Juniper Netscreen on one of the networks I manage. I have a degree in computer science but when I started with it I had to get someone to show me how to set up rules for incoming connections. I couldn't even get it on my own when I had the manual.

A hardware firewall will always be a firewall. If you no longer need it then you can't change it into something else like a print server or a mail server. Though I do agree that this would only tend to be an issue for more advanced users.

Software firewalls have their uses but are limited because many pieces of malware use approved programs, like IE, to do their network access so they won't be spotted. They also run on the same machine as the malware so if anything gets past your antivirus then there is a chance it will be able to shut down the firewall from the inside and you will have mistaken confidence you are protected when you aren't.

Cheers,
Paul.

Dangerjunkie

Just read that post again. Maybe it didn't sound quite right. I didn't intend it to sound rude.

Cheers,
Paul.

Rik

Sounded OK to me, Paul.  :thumb:
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Niall

Me too :) I would have replied sooner, but I've been enjoying relaxing in the nice weather when I've not been in the gym :)