NOW SpinRite 6.1 – Fast and useful for spinning and solid state mass storage!

Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation
Personal Internet Firewalls that really work!

If you've reached this point, you probably know more about Internet security and securing a Windows PC for safe Internet access than you ever thought you would. If you are using a single stand-alone PC for Internet access, the preceding pages will have equipped you to secure that machine without the need for any additional software. But if your needs are more complex, and especially if you do need to share files across the Internet, you will need some additional software to secure both ends of the Internet connection.

You need a Personal Internet Firewall if:

Your computer's files need to be accessed remotely across the Internet.
You are operating any sort of Internet server such as Personal Web Server.
You use any sort of Internet-based remote control or remote access program such as PC Anywhere, Laplink, or Wingate.
You want to properly and safely monitor your Internet connection for intrusion attempts.
You want to preemptively protect yourself from compromise by "inside the wall" Trojan horse programs like NetBus and Back Orifice.

What's a Firewall?

You can probably guess what a firewall does just from its name. The idea is a simple one, which is why it works so well:

A firewall ABSOLUTELY ISOLATES your computer from the Internet using a "wall of code" that inspects each individual "packet" of data as it arrives at either side of the firewall — inbound to or outbound from your computer — to determine whether it should be allowed to pass or be blocked.

A firewall is a super cool idea. This is so true, that someday firewalls will be standard equipment on all PC's. There's no question about it.

In fact, the PC Industry press now reports that the next version of Microsoft Windows, codenamed "Whistler", will include a built-in firewall. However, its exact nature and capabilities are currently unknown.

But today, firewalls need to be added where needed — which is pretty much everywhere.

The firewall concept is so exactly correct that the term "firewall" has been badly abused by many weak "firewall wanna-be" products in an attempt to trade on the power of the concept. MANY, if not most, of the Evil Port Monitors I discussed on the prior page try to pass themselves off as "high security firewalls", yet not one of them is. Also, many "Application-Based" firewalls provide poor protection against malicious spyware.

How does a Firewall Work?

All internet communication is accomplished by the exchange of individual "packets" of data. Each packet is transmitted by its source machine toward its destination machine. Packets are the fundamental unit of information flow across the Internet. Even though we refer to "connections" between computers, this "connection" is actually comprised of individual packets travelling between those two "connected" machines. Essentially, they "agree" that they're connected and each machine sends back "acknowledgement packets" to let the sending machine know that the data was received.

In order to reach its destination — whether it's another computer two feet away or two continents distant — every Internet packet must contain a destination address and port number. And, so that the receiving computer knows who sent the packet, every packet must also contain the IP address and a port number of the originating machine. In other words, any packet travelling the net contains — first and foremost — its complete source and destination addresses. As we've seen earlier on this site, an IP address always identifies a single machine on the Internet and the port is associated with a particular service or conversation happening on the machine.

Look what this means! . . .

Since the firewall software inspects each and every packet of data as it arrives at your computer — BEFORE it's seen by any other software running within your computer — the firewall has total veto power over your computer's receipt of anything from the Internet.

A TCP/IP port is only "open" on your computer if the first arriving packet which requests the establishment of a connection is answered by your computer. If the arriving packet is simply ignored, that port of your computer will effectively disappear from the Internet. No one and nothing can connect to it!

But the real power of a firewall is derived from its ability to be selective about what it lets through and what it blocks. Since every arriving packet must contain the correct IP address of the sender's machine, (in order for the receiver to send back a receipt acknowledgement) the firewall can be selective about which packets are admitted and which are dropped. It can "filter" the arriving packets based upon any combination of the originating machine's IP address and port and the destination machine's IP address and port.

So, for example, if you were running a web server and needed to allow remote machines to connect to your machine on port 80 (http), the firewall could inspect every arriving packet and only permit connection initiation on your port 80. New connections would be denied on all other ports. Even if your system were to inadvertently pick up a Trojan horse program which opened a Trojan listening port to the outside world, no passing Trojan scanner could detect or know of the Trojan's existence since all attempts to contact the Trojan inside your computer would be blocked by the firewall!

Or suppose that you wish to create a secure "tunnel" across the Internet to allow your home and office computers to share their files without any danger of unauthorized intrusion. Firewall technology makes this possible and relatively simple. You would instruct the firewall running on your office computer to permit connections on the NetBIOS file sharing ports 137-139 only from the IP address of your home computer. The firewall running on your home machine would similarly be instructed to permit connections on ports 137-139 only from your office machine's IP address. Thus, either machine can "see" the other's NetBIOS ports, but no one else on the Internet can see that either machine has established such a secure tunnel across the Net.

But what about you originating your own connections to other machines on the Internet? For example, when you surf the web you need to connect to web servers that might have any IP address. You wouldn't want all those to be blocked just because you want to block everyone from getting into your machine. It turns out that this is easy for a firewall too. Since each end of an Internet connection is always acknowledging the other end's data, every packet that flows between the two machines has a bit set in it called the "ACK" bit. This bit says that the packet is acknowledging the receipt of all previous data. But this means that only the very first packet which initiates a new connection would NOT be acknowledging any previous data from the other machine. In other words, a firewall can easily determine whether an arriving packet is initiating a new connection, or continuing an existing conversation. Packets arriving as part of an established connection would be allowed to pass through the firewall, but packets representing new connection attempts would be discarded. Thus, a firewall can permit the establishment of outbound connections while blocking any new connection attempts from the outside.

Another example of the power of a high-quality firewall is "application level" filtering and response: Most firewalls do pretty much what I've explained above, and this affords tremendous protection. But they don't attempt to "understand" the data in the packets they're admitting or blocking. Their "permit" or "deny" decisions are only based upon the source and destination addresses. But an "application level" firewall involves itself in the actual dialog taking place. For example, we've seen that one of the biggest problems with Microsoft's file and printer sharing is its lack of ability to prevent password crackers from pounding away on a password until it's broken. But an intelligent application level firewall can monitor what's happening on port 139 (where password protection occurs) and step in to completely block an offending remote computer! It can automatically "black list" the originating IP address to completely prevent any and all future access from that outsider.

I hope I've conveyed some sense for the powerful benefits and features created by firewalls. At a cost ranging from $29 to $39 USD, these personal firewalls are a terrific bargain! If you have also received the sense that this can be very tricky stuff I'd have to agree.

For up-to-date information about actual
software personal firewalls, please see
our "LeakTest" firewall evaluation page!

You are invited to browse these pages for additional information:

1  Shields UP! Home 
5  Network Bondage 
9  Public Forum 
2  Explain this to Me! 
6  Evil Port Monitors 
10  Be Notified 
3  Am I in Danger? 
7  Personal Firewalls 
11  FAQ 
4  What Can I Do? 
8  Further Reading 
12  Site Evolution 

Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Oct 06, 2003 at 14:29 (7,592.67 days ago)Viewed 33 times per day