Getting a Close Look at Firewalls
As network traffic passes through the firewall, the firewall decides which traffic to forward and which traffic not to forward, based on rules that you have defined. All firewalls screen traffic that comes into your network, but a good firewall should also screen outgoing traffic.
What a firewall does
Normally a firewall is installed where your internal network connects to the Internet. Although larger organizations may also place firewalls between different parts of their own network that require different levels of security, most firewalls screen traffic passing between an internal network and the Internet. This internal network may be a single computer or it may contain thousands of computers.
The following list includes the most common features of firewalls:
- Block incoming network traffic based on source or destination: Blocking unwanted incoming traffic is the most common feature of a firewall.
- Block outgoing network traffic based on source or destination: Many firewalls can also screen network traffic from your internal network to the Internet. For example, you may want to prevent employees from accessing inappropriate Web sites.
- Block network traffic based on content: More advanced firewalls can screen network traffic for unacceptable content. For example, a firewall that is integrated with a virus scanner can prevent files that contain viruses from entering your network. Other firewalls integrate with e-mail services to screen out unacceptable e-mail.
- Make internal resources available: Although the primary purpose of a firewall is to prevent unwanted network traffic from passing through it, you can also configure many firewalls to allow selective access to internal resources, such as a public Web server, while still preventing other access from the Internet to your internal network.
- Allow connections to internal network: A common method for employees to connect to a network is using virtual private networks. VPNs allow secure connections from the Internet to a corporate network. For example, telecommuters and traveling salespeople can use a VPN to connect to the corporate network. VPNs are also used to connect branch offices to each other. Some firewalls include VPN functionality and make it easy to establish such connections.
- Report on network traffic and firewall activities: When screening network traffic to and from the Internet, it's also important to know what your firewall is doing, who tried to break into your network, and who tried to access inappropriate material on the Internet. Most firewalls include a reporting mechanism of some kind or another.
What a firewall looks like
Clothing salespeople want us to believe that there is a size that fits all. As a smart consumer and a fashionable dresser, you know that there is no such thing as one size fits all. Similarly, there is also no one firewall that works well for every organization. Firewalls usually fall into one of the categories in the following list.
The type of firewall that you install depends on your exact requirements for protection and management.
- Personal firewall: A personal firewall is most often installed as a piece of software on a single computer and protects just that computer. Personal firewalls also come as separate hardware components, or they may be built into other network devices, but they all protect a single computer or a very small number of computers. Personal firewalls also normally have very limited reporting and management features.
- Departmental or small organization firewall: These firewalls are designed to protect all the computers in an office of limited size that is in a single location. Firewalls in this category have the capacity to screen network traffic for a limited number of computers, and the reporting and management capabilities are adequate for this function.
- Enterprise firewall: Enterprise firewalls are appropriate for larger organizations, including organizations with thousands of users that are geographically dispersed. The reporting capabilities include consolidated reports for multiple firewalls; the management tools enable you to configure multiple firewalls in a single step.
As you are evaluating firewalls, keep in mind that some firewall products can work well in more than one setting. However, few firewalls, if any, work well in all three settings: personal, departmental, and enterprise.
One of the basic network connectivity devices is a router. A router transfers network packets between two different networks. In order for network traffic to get from one computer to another on the Internet, this traffic normally has to traverse a number of routers. Some router manufacturers have enhanced the functions of their products by including firewall features.
If you already have a router that connects your network to the Internet, you should explore whether it can perform packet filtering or other firewall functions. Most likely, you will find that your router provides some rudimentary firewall capabilities but that it doesn't give you any advanced features.
Some firewalls consist of a piece of hardware with integrated software that provides a number of firewall functions. Such a device is often referred to as a firewall appliance. Just like a refrigerator that simply works when you plug it into an outlet, a firewall appliance starts working the moment you plug it in — there's no separate software to install. However, you still may have to do some configuration, which most often entails using a Web browser that's running on another computer. If you use such a firewall, the device is fairly simple to administer. You don't have to worry about configuring a separate operating system, and most often the device has no other functions that may interfere with the firewall's operations.
Software-only firewalls run on a computer that can also perform other functions. Most personal firewalls that protect a single computer fall into this category. After all, the reason you get a personal firewall is to protect your computer while you are using the Internet — not to make your computer a dedicated firewall. Some enterprise firewalls are also software-based.
An increasingly popular type of network device is the all-in-one tool. One vendor, for example, offers a small box that promises to act as a cable modem, router, network hub, wireless networking base station, and firewall. If it did the laundry and cooked dinner, it would be close to perfect — at least according to the specifications on the box. Often, when multifunction devices include a firewall, the manufacturer excludes some functions that you may consider important. The device performs several functions reasonably well, but not necessarily well enough. There are a few exceptions to this rule, so don't dismiss a product just because it performs several functions; however, be skeptical as you evaluate such products.
When evaluating an all-in-one product, make sure that you pay special attention to the firewall features. The cost of the damage that can be done by hackers that are able to break through a firewall that doesn't work well is normally much more than what you can save by buying an all-in-one tool.