Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation
You need a Personal Internet Firewall if:
A firewall is a super cool idea. This is so true that someday firewalls will be standard equipment on all PCs. There's no question about it.
But today, firewalls need to be added where needed, which is pretty much everywhere.
The firewall concept is so exactly correct that the term "firewall" has been badly abused by many weak "firewall wanna-be" products in an attempt to trade on the power of the concept. MANY, if not most, of the Evil Port Monitors I discussed on the prior page try to pass themselves off as "high security firewalls", yet not one of them is. Also, many "Application-Based" firewalls provide poor protection against malicious spyware.
How does a Firewall Work?
In order to reach its destination, whether it's another computer two feet away or two continents distant, every Internet packet must contain a destination address and port number. And, so that the receiving computer knows who sent the packet, every packet must also contain the IP address and a port number of the originating machine. In other words, any packet travelling the net contains first and foremost its complete source and destination addresses. As we've seen earlier on this site, an IP address always identifies a single machine on the Internet, and the port is associated with a particular service or conversation happening on the machine.
Since the firewall software inspects each and every packet of data as it arrives at your computer, BEFORE it's seen by any other software running within your computer, the firewall has total veto power over your computer's receipt of anything from the Internet.
A TCP/IP port is only "open" on your computer if the first arriving packet which requests the establishment of a connection is answered by your computer. If the arriving packet is simply ignored, that port of your computer will effectively disappear from the Internet. No one and nothing can connect to it!
But the real power of a firewall is derived from its ability to be selective about what it lets through and what it blocks. Since every arriving packet must contain the correct IP address of the sender's machine (in order for the receiver to send back a receipt acknowledgement), the firewall can be selective about which packets are admitted and which are dropped. It can "filter" the arriving packets based upon any combination of the originating machine's IP address and port and the destination machine's IP address and port.
So, for example, if you were running a web server and needed to allow remote machines to connect to your machine on port 80 (http), the firewall could inspect every arriving packet and only permit connection initiation on your port 80. New connections would be denied on all other ports. Even if your system were to inadvertently pick up a Trojan horse program which opened a Trojan listening port to the outside world, no passing Trojan scanner could detect or know of the Trojan's existence since all attempts to contact the Trojan inside your computer would be blocked by the firewall!
Or suppose that you wish to create a secure "tunnel" across the Internet to allow your home and office computers to share their files without any danger of unauthorized intrusion. Firewall technology makes this possible and relatively simple. You would instruct the firewall running on your office computer to permit connections on the NetBIOS file sharing ports 137-139 only from the IP address of your home computer. The firewall running on your home machine would similarly be instructed to permit connections on ports 137-139 only from your office machine's IP address. Thus, either machine can "see" the other's NetBIOS ports, but no one else on the Internet can see that either machine has established such a secure tunnel across the Net.
But what about you originating your own connections to other machines on the Internet? For example, when you surf the web you need to connect to web servers that might have any IP address. You wouldn't want all those to be blocked just because you want to block everyone from getting into your machine. It turns out that this is easy for a firewall too. Since each end of an Internet connection is always acknowledging the other end's data, every packet that flows between the two machines has a bit set in it called the "ACK" bit. This bit says that the packet is acknowledging the receipt of all previous data. But this means that only the very first packet which initiates a new connection would NOT be acknowledging any previous data from the other machine. In other words, a firewall can easily determine whether an arriving packet is initiating a new connection, or continuing an existing conversation. Packets arriving as part of an established connection would be allowed to pass through the firewall, but packets representing new connection attempts would be discarded. Thus, a firewall can permit the establishment of outbound connections while blocking any new connection attempts from the outside.
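Added example (not from this page or any GRC product): a small Python packet filter that applies the inbound policy from the web-server and home/office tunnel scenarios above and uses the ACK-bit test just described to tell new connection attempts from continuing conversations. The addresses and the rule list are constructed; the ACK-bit test is the article's simplified view, and modern firewalls track connection state explicitly instead.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool  # True on every packet that acknowledges earlier data


# Constructed addresses (documentation ranges) standing in for the
# article's home and office machines.
HOME_IP = "203.0.113.10"
OFFICE_IP = "198.51.100.5"

# Inbound policy for the office machine: new connections are accepted on
# port 80 from anyone and on NetBIOS ports 137-139 only from home;
# every other inbound connection attempt is dropped.
# Each rule is (allowed source IP, or None for any source; destination ports).
OFFICE_INBOUND_RULES = [
    (None, range(80, 81)),
    (HOME_IP, range(137, 140)),
]


def is_new_connection(pkt):
    """The article's test: only the first packet of a connection acknowledges
    nothing, so a clear ACK bit marks a connection attempt."""
    return not pkt.ack


def permit_inbound(pkt, rules=OFFICE_INBOUND_RULES):
    """Return True if the firewall admits this arriving packet."""
    if not is_new_connection(pkt):
        # Part of an established conversation, e.g. the reply to a web
        # request this machine originated: let it through.
        return True
    for allowed_src, ports in rules:
        if pkt.dst_port in ports and allowed_src in (None, pkt.src_ip):
            return True
    # No rule matched: drop silently, so the port "disappears" from the
    # Internet and a Trojan scanner learns nothing.
    return False


def filter_packets(packets, rules=OFFICE_INBOUND_RULES):
    """Return the subset of packets the firewall would pass to the host."""
    return [p for p in packets if permit_inbound(p, rules)]
```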
Another example of the power of a high-quality firewall is "application level" filtering and response: Most firewalls do pretty much what I've explained above, and this affords tremendous protection. But they don't attempt to "understand" the data in the packets they're admitting or blocking. Their "permit" or "deny" decisions are only based upon the source and destination addresses. But an "application level" firewall involves itself in the actual dialog taking place. For example, we've seen that one of the biggest problems with Microsoft's file and printer sharing is its lack of ability to prevent password crackers from pounding away on a password until it's broken. But an intelligent application level firewall can monitor what's happening on port 139 (where password protection occurs) and step in to completely block an offending remote computer! It can automatically "black list" the originating IP address to completely prevent any and all future access from that outsider.
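Added example (not the page's or any product's code): the port 139 monitor just described, written in Python and run over a constructed log of logon attempts. A source that fails FAIL_LIMIT times within WINDOW_SECONDS is blacklisted and every later packet from it is refused; the threshold, window and addresses are constructed.

```python
from collections import defaultdict, deque

FAIL_LIMIT = 5       # failed logons before a source is blacklisted (constructed)
WINDOW_SECONDS = 60  # only failures inside this window count (constructed)


class Port139Monitor:
    """Application-level monitor for repeated NetBIOS logon failures."""

    def __init__(self, fail_limit=FAIL_LIMIT, window=WINDOW_SECONDS):
        self.fail_limit = fail_limit
        self.window = window
        self.failures = defaultdict(deque)  # src ip -> recent failure times
        self.blacklist = set()

    def observe(self, src_ip, timestamp, success):
        """Feed one logon attempt seen on port 139.
        Returns True if the source is (now) blocked."""
        if src_ip in self.blacklist:
            return True
        if success:
            # A correct password clears the failure history for that source.
            self.failures.pop(src_ip, None)
            return False
        recent = self.failures[src_ip]
        recent.append(timestamp)
        while recent and timestamp - recent[0] > self.window:
            recent.popleft()  # forget failures that fell out of the window
        if len(recent) >= self.fail_limit:
            self.blacklist.add(src_ip)
            del self.failures[src_ip]
            return True
        return False

    def permit(self, src_ip):
        """Firewall decision for any later packet from src_ip."""
        return src_ip not in self.blacklist


# Constructed sample: one host guessing passwords, one legitimate user
# who mistypes once and then logs on. Tuples are (src ip, time, success).
SAMPLE_EVENTS = [
    ("192.0.2.77", 0, False), ("192.0.2.77", 2, False), ("192.0.2.77", 4, False),
    ("203.0.113.10", 5, False), ("203.0.113.10", 9, True),
    ("192.0.2.77", 6, False), ("192.0.2.77", 8, False), ("192.0.2.77", 10, False),
]


def run_sample(events=SAMPLE_EVENTS):
    mon = Port139Monitor()
    for ip, ts, ok in events:
        mon.observe(ip, ts, ok)
    return mon
```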
I hope I've conveyed some sense for the powerful benefits and features created by firewalls. At a cost ranging from $29 to $39 USD, these personal firewalls are a terrific bargain! If you have also received the sense that this can be very tricky stuff, I'd have to agree.
software personal firewalls, please see our "LeakTest" firewall evaluation page!
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Last Edit: Oct 06, 2003 at 14:29