Firewalls are software, and sometimes hardware, that control the
passage of network traffic into and out of a protected network. You
can think of a firewall as being like a bouncer at a club who only
lets certain people in. Unlike most bouncers, however,
firewalls can also control what leaves a protected network.
Firewall companies appeared in the early nineties, with the now
defunct Digital Equipment (DEC) being the first company to offer a firewall
as a service. DEC employees would come into a business and set up a couple
of computers to control access to the business's network, for the
tidy sum of $120,000. Soon other companies had built hardware and
software packages that were much cheaper yet worked similarly to
the DEC firewall service (called SEAL).
Today, the most popular firewalls come with new computers or new
operating systems. Windows XP and Vista, Mac OS X, Linux and FreeBSD
all include firewalls. In some cases, these built-in firewalls are
already turned on when you get your system. You don't have to set up
these firewalls, because they are designed to let you reach other
networks by default. While this prevents someone from launching
an attack against your computer from outside, it doesn't protect
you from things you do yourself that result in your own computer
being exploited.
Firewalls for businesses and organizations may be dedicated hardware
appliances, such as those from Netgear or WatchGuard.
The two largest router companies, Cisco and Juniper, include firewall
capabilities in most of the networking equipment that they sell. Companies
sometimes combine networking equipment (routers) with dedicated
firewalls to create multiple layers of defense.
The Details
Firewalls perform their jobs by examining the network traffic that
arrives. Most networks use the Internet Protocol, or IP, and what
makes IP work universally is that IP is standardized. Each unit
of network communication, called a packet, begins with a header
that always has the exact same format. An IP packet's format can be
compared to a postal envelope, which also has a required format.
An envelope that you want to mail must have the destination
address, and should have the sender's address as well. Each of these
addresses must also have a particular format: name, street address,
city, and state or locality, followed by a postal code. In a similar
manner, packets all begin with formatted information that includes
the destination address, as well as the sender's address (called
the source address).
Firewalls can examine this formatted information and use it to
decide which packets will be permitted through the firewall
(like the club bouncer checking IDs). But destination and source
addresses alone don't carry enough information to be useful, so firewalls
look deeper into packets. The next set of formatted information
identifies which application a packet is destined for, or which
application it came from. This information is called the port, with
different port numbers representing different applications. Checking
ports gives the firewall more to base its decision on.
Higher-end firewalls dig even deeper into packets, into the application
data itself. Just as packets have to meet standards, Internet
applications have standards as well. Higher-end firewalls use software
(and occasionally hardware) called application gateways.
Application gateway software checks that application data complies with
those standards. When application data doesn't comply, it often
means that the data contains an attack, and the firewall rejects
the packet carrying it. You can compare this to a club
bouncer who not only checks IDs, but takes each club patron aside and
searches them thoroughly. Where the bouncer might be looking for weapons,
application gateways look for inconsistencies that suggest an
attack.
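As an added example that is not part of the original article, the following Python script builds a constructed IPv4/TCP packet and runs it through a toy filter that inspects, in order, the source address, the destination port, and (for port 80 traffic) whether the payload is a well-formed HTTP request line, mirroring the three levels of inspection described above. The network 203.0.113.0/24, the permitted ports and all packet values are invented for the demonstration; real firewalls also track connection state, which this example omits.

```python
import ipaddress
import struct

# Constructed sample input: minimal IPv4 + TCP headers, checksums left zero.
def build_packet(src, dst, sport, dport, payload=b""):
    """Assemble an IPv4/TCP packet with the fixed-format headers a firewall reads."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp + payload

def parse(packet):
    """Read the 'envelope': source/destination addresses, protocol, then TCP ports."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (fields[0] & 0x0F) * 4                # IP header length in bytes
    total_len, proto = fields[2], fields[6]
    info = {"src": str(ipaddress.IPv4Address(fields[8])),
            "dst": str(ipaddress.IPv4Address(fields[9])), "proto": proto}
    if proto == 6:                              # protocol 6 is TCP
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
        data_off = (packet[ihl + 12] >> 4) * 4  # TCP header length in bytes
        info["payload"] = packet[ihl + data_off:total_len]
    return info

def http_request_ok(payload):
    """Application-gateway style check: is the first line a well-formed HTTP request line?"""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return (len(parts) == 3 and parts[0] in (b"GET", b"HEAD", b"POST")
            and parts[1].startswith(b"/") and parts[2].startswith(b"HTTP/1."))

def filter_packet(packet, allowed_net="203.0.113.0/24", allowed_ports=frozenset({80, 443})):
    """Layered inspection: addresses, then ports, then application data. Returns (verdict, reason)."""
    p = parse(packet)
    if ipaddress.IPv4Address(p["src"]) not in ipaddress.IPv4Network(allowed_net):
        return "DROP", "source address not permitted"
    if p["proto"] != 6:
        return "DROP", "only TCP is permitted"
    if p["dport"] not in allowed_ports:
        return "DROP", f"destination port {p['dport']} not permitted"
    if p["dport"] == 80 and p["payload"] and not http_request_ok(p["payload"]):
        return "DROP", "payload does not comply with HTTP"
    return "ACCEPT", "passed all checks"

if __name__ == "__main__":
    good = build_packet("203.0.113.5", "198.51.100.10", 40000, 80, b"GET / HTTP/1.1\r\n\r\n")
    bad = build_packet("203.0.113.5", "198.51.100.10", 40000, 80, b"\x16\x03\x01\x00junk")
    print(filter_packet(good), filter_packet(bad))
```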