What Is a Firewall and What Does It Do?

A firewall is an essential ingredient in the recipe for successful information security, but what actually is a firewall, what does it do, and how?

23 February 2016 - Discovery, Security


Take a look back over history, as well as fiction, and you will see countless examples of shields of various forms being used to protect people and property. From the Starship Enterprise's deflectors to the moats around castles, shields abound, and protecting you from ruffians on the Internet is no exception - between you and them there will be one or more shields, more commonly known as firewalls.

Knowing a bit about what a firewall is and how it works is worth a little of your time. Firewalls do not offer, nor are they intended to provide, perfect security - they perform particular tasks, and knowing what those tasks are will help you understand where they fit in with keeping your set-up safe.

Meet The Management

Probably the easiest way to think of a firewall is to imagine that it is a lot like a night-club bouncer for your Internet connection.

In the real world, a bouncer stands at the door of a venue, looks at the people who want to come in, and decides who is allowed in and who is not, based on the rules they have been given.

So a firewall operates in pretty much the same way as the bouncer: it looks at what wants to come into your network and decides, using the rules it has been given, whether or not to allow it in. There are a few more things a firewall does, but for the moment let's concentrate on the rules.

Our firewall "bouncer" is given a lot of information to work with. For example, imagine the night-club bouncer knows, just by looking at you, which part of town you are from, and has been told not to let you in if you are from a rough part of town. Well, our firewall can do the same thing: it can see where each connection is coming from, so if someone from, say, Middlesbrough is trying to connect to your network, the firewall can refuse to let them in.

And the opposite applies - if the firewall recognises that something is coming from a particular location (one we will assume is trusted!) it can be told to let it in without question, and it can also direct it straight to the VIP area - nice!

More than just a pretty face

From that last example you can see that the firewall can do something else: not only can it decide what comes in, but it can also be told that anything coming in which meets some particular criteria (for example, wearing a jacket) is sent to a specific place.

This capability is useful if your organisation has its own Email server - it means the firewall can be instructed to deliver any Email-related communications to the Email server. Imagine if the firewall couldn't do that: someone hands your bouncer an envelope addressed to you (you are inside the night-club), but the bouncer doesn't know who you are or where you are and, to be honest, is busy dealing with other things - get your own post!

So our firewall can be told who or what comes in and, depending on who or what it is, direct it somewhere inside.
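The rules described so far (refuse a banned source, let a trusted source straight in, and redirect inbound mail to the Email server), written out as an added example in Python that is not part of the original article. Rules are checked in order and the first match wins; anything that matches no rule is dropped, which is the sensible default. The networks, addresses and ports are constructed for the example.

```python
"""Toy packet-filter policy evaluator (added example, not from the article).

Models the "bouncer" rules: block traffic from a banned source network, let a
trusted network straight through, redirect inbound mail to the organisation's
mail server, and refuse everything else. All addresses are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address (where it is "from")
    dst: str            # destination IP address
    dport: int          # destination port (25 = mail, 443 = web, ...)
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow", "deny" or "redirect"
    src_net: str = "0.0.0.0/0"        # source network the rule matches (default: any)
    dport: Optional[int] = None       # destination port, None = any port
    redirect_to: Optional[str] = None # new destination address for "redirect"


# Constructed policy. Order matters: first match wins; no match means deny.
POLICY: List[Rule] = [
    Rule("deny", src_net="203.0.113.0/24"),                # the "rough part of town"
    Rule("allow", src_net="198.51.100.0/24"),              # trusted partner, straight to the VIP area
    Rule("redirect", dport=25, redirect_to="10.0.0.25"),   # inbound mail -> internal mail server
    Rule("allow", dport=443),                              # public web server, anyone may connect
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet's source address and destination port satisfy the rule."""
    if ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, Packet]:
    """Return (verdict, packet). A redirect is an allow with the destination rewritten."""
    for rule in policy:
        if matches(rule, pkt):
            if rule.action == "redirect":
                return "allow", replace(pkt, dst=rule.redirect_to)
            return rule.action, pkt
    return "deny", pkt  # default deny: the bouncer was not told to let this in


if __name__ == "__main__":
    for p in (Packet("203.0.113.7", "192.0.2.10", 443),
              Packet("198.51.100.5", "192.0.2.10", 22),
              Packet("192.0.2.99", "192.0.2.10", 25),
              Packet("192.0.2.99", "192.0.2.10", 22)):
        verdict, out = evaluate(POLICY, p)
        print(f"{p.src}:{p.dport} -> {verdict} (delivered to {out.dst})")
```

The redirect rule is the "hand the envelope to the bar staff" case: the firewall does not open the envelope, it only rewrites the address on the front and passes it on.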

Look but don't touch

In the real world bouncers operate by very strict rules, and our firewall is just the same: it cannot deviate from the rules, nor can it exceed its capabilities. We have now instructed our night-club bouncer to hand over any envelopes to the bar staff - they know exactly where to find the person, so the bouncer can return to the door.

What happens, though, if someone is trying to sneak something in inside an envelope - surely the bouncer will check what is inside? Not necessarily - the bouncer hasn't been told to do that and may not actually be capable (for some random reason) of doing it. And so it is with the firewall. An Email (with a virus) may present itself at the firewall, but the firewall isn't capable of looking inside the Email and spotting the virus, so it is allowed through. This isn't a failure of the firewall - it is simply following its rules and capabilities.

Having a firewall deals with some security issues (e.g. hacking attempts through the firewall) but not others (viruses in Emails). This is why having up-to-date antivirus software on your computer is important - it adds another line of defence and makes up for things the firewall can't do.

In fact, some firewalls can check the contents of what is going through, but we will come to that later - in most cases they can't or don't, and you should assume that is the case.

The Back Door

We have seen that our firewall can do a pretty good job of keeping the riff-raff out, but also that we still need some additional security measures in place. However, there is one major issue with our firewall bouncer that is more difficult to manage.

Unlike our real-world bouncer, our firewall bouncer will almost always be told that "anyone already in the venue can invite anyone else in, regardless of who they are, where they are from, what they are wearing, etc.". Imagine being the bouncer at a real-world venue where that rule applied - there would be chaos!

It seems alarming that a firewall would do that, but if it didn't you wouldn't be able to read this article. Your device is sitting behind the firewall and says, "I would like to read this article." If this rule didn't apply, the firewall would see the article arrive but wouldn't have been told who it needs to go to and, to be honest, it looks a bit suspect, so ... on your way. The rule makes sense then.

However, in very secure environments this would usually be adjusted so that anything leaving is also subjected to some checks. For example, if something inside tried to send an Email but it wasn't the organisation's Email server, the firewall wouldn't allow the Email out. The assumption behind the rule is that it could be a virus sending Emails to everyone it can find, and so it should be stopped.

That kind of rule made sense a few years ago, but today, with lots of personal devices with personal Email accounts trying to send legitimate Email, people would soon get a bit annoyed, and so this kind of rule rarely gets applied.

The important thing to take from this is that your device can invite anyone else in, so if your device has a virus, your firewall is probably not going to be able to do a lot to stop whatever it is doing. Virus checkers on devices/computers are essential.
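The two rules described in this section (everyone inside can invite anyone in, and the stricter optional check on outbound Email) as an added example in Python that is not part of the original article. The firewall keeps a table of connections started from inside; that connection tracking is what lets replies back in while unsolicited inbound traffic is still refused. When the optional egress rule is switched on, only the mail server may send on the SMTP port. All addresses and ports are constructed for the example.

```python
"""Connection tracking and egress filtering (added example, not from the article).

Outbound traffic from inside is recorded; inbound traffic is admitted only if it
is a reply to a recorded connection. An optional egress rule restricts SMTP
(port 25) to the organisation's mail server. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Set, Tuple

INSIDE = ip_network("10.0.0.0/8")          # constructed: our internal network
MAIL_SERVER = ip_address("10.0.0.25")      # constructed: the organisation's mail server
SMTP_PORT = 25


@dataclass(frozen=True)
class Packet:
    src: str     # source address
    sport: int   # source port
    dst: str     # destination address
    dport: int   # destination port


class StatefulFirewall:
    def __init__(self, restrict_smtp: bool = False):
        self.restrict_smtp = restrict_smtp
        # Known conversations: (inside host, inside port, outside host, outside port)
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> str:
        """Inside -> outside. Record the conversation so replies can come back."""
        if (self.restrict_smtp and pkt.dport == SMTP_PORT
                and ip_address(pkt.src) != MAIL_SERVER):
            return "deny"  # only the mail server may send Email out
        self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"

    def inbound(self, pkt: Packet) -> str:
        """Outside -> inside. Admit only replies to conversations someone inside started."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.connections else "deny"


def handle(fw: StatefulFirewall, pkt: Packet) -> str:
    """Decide direction by which side the source address sits on, then apply the rules."""
    if ip_address(pkt.src) in INSIDE:
        return fw.outbound(pkt)
    return fw.inbound(pkt)


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(handle(fw, Packet("10.0.0.5", 51000, "203.0.113.50", 443)))   # allow: device asks for a page
    print(handle(fw, Packet("203.0.113.50", 443, "10.0.0.5", 51000)))   # allow: the page comes back
    print(handle(fw, Packet("203.0.113.50", 443, "10.0.0.5", 51001)))   # deny: nobody invited this one
    strict = StatefulFirewall(restrict_smtp=True)
    print(handle(strict, Packet("10.0.0.5", 51002, "203.0.113.60", 25)))   # deny: not the mail server
    print(handle(strict, Packet("10.0.0.25", 51003, "203.0.113.60", 25)))  # allow: the mail server
```

Note what the tracker cannot do: a virus on an inside device that opens its own connection outwards is "someone already in the venue", so its traffic is recorded and the replies are let in just like the article page was. That is exactly why the article insists on a virus checker on the device itself.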

X-Ray Goggles

We know a lot about what a firewall does now, but some firewalls have additional capabilities that can improve security further. These kinds of firewalls can "inspect" the contents of what is passing in (or out), and if they find something that looks like a virus, a request to visit a suspicious web site, or just something odd, they can put the brakes on the activity. This is known as Stateful Packet Inspection (SPI) and is a feature that is usually bought as an add-on service to your firewall.

Consider for a moment the amazing technology that goes into this process - it must perform thousands of checks on a communication request, but do so so quickly that you don't notice any disruption to what you are doing. Not only that, the firewall will be dealing with everyone else's requests at the same time. It is very impressive.

With some add-ons our firewall can protect us further but, as noted, don't assume it does: keep your virus checker and device up to date.

Salute your firewall

The firewall quietly sits inside your broadband router or your company's comms room and, day in, day out, helps keep out the undesirables. Even your computer or device will have its own firewall doing just the same thing, adding even more protection. Hopefully you now have a better idea of what a firewall does and how (without getting too technical), and that, as good as your firewall is, you shouldn't forget to keep all your other shields up.

Tags: network security
