
Choosing a Firewall

By Jeffrey Howard
All rights reserved unless noted otherwise

 

There is a wide variety of firewall products available today. Recently, on a discussion list, I saw several emails that could be summed up as, "What firewall should I use?" This is not surprising. DSL, cable modems, and other high-speed, always-on internet access technologies are providing more hosts with dedicated network access. Many of these hosts are on household networks administered by end users and consumers, not IT staff. These people want secure home networks, but they aren't paid to read trade magazines on firewalls.

This introduction is for such home users. You have a DSL or cable modem connection, and you'd like to keep your neighbor's 13 year old from reading your Quicken check register. You know that you want a secure home network, but you aren't entirely sure what exactly you're protecting against or how to do it. By the end of this page, I hope to arm you with a better idea of what questions you need to answer, and ask, in order to choose your firewall product.

Building Your Criteria

Asking the question, "What firewall should I use?", on an email list or newsgroup will probably confuse the professional system administrators. In fact, many will curtly reply, "It depends on what you want to do." Trust me, replying, "I want to make my computer/network more secure," is not going to help. Security can mean a lot of things.

An example helps illustrate this idea. Imagine a computer network for a local library. If someone breaks into the system and reads the book catalog, it's no big deal. They may learn the Library of Congress filing scheme, or maybe they'll stumble across the catalog listing for books on ethics. Either way, no harm is done. However, if the same intruder scrambles the electronic card catalog, patrons of the library will be confused, misled, and inconvenienced. The integrity of the data is very important, but there's nothing to hide, so the secrecy, or confidentiality, of the information is unimportant. Compare that with the messages that Mission Impossible operatives get; the tapes, CDs, mini-discs, or whatever are all self-destructing. If anything goes wrong in the delivery, the operative may never get the message. It's much more important that the information remain secret, to preserve plausible deniability for the decision-makers involved. Secrecy is more important than reliability or integrity in this case.

I've used extreme examples to illustrate the point, but there are more reasonable ones all around. Businesses guarding trade secrets will want very different things from a firewall than businesses that are trying to keep employees from looking at web sites devoted to the scantily clad.

By now, if you're anything like me, you want to take out a contract on my life. I've just said that the most important thing is knowing what you're up against and choosing a tool appropriately, but I haven't given any indication what kinds of threats you might really face. (After all, if you really were the Secretary of State, looking to disavow knowledge about MI operatives, you wouldn't be reading this - you'd have a staff of IT professionals paid to read trade magazines about firewalls.) So let's get to the good part.

Specific Threats

This section should give you some concrete ideas as to what you might want to protect against. These are all broad categories, not specific attacks. The list is far from complete, but I hope to touch on most of the basics and some of the buzzwords in the press these days.

  • A port scan is the most common attack that a firewall can defend against. Different types of internet traffic are distinguished by ports on the connecting computers. Think of ports as different apartment numbers within the same building. All the postal mail for the building goes to the same address, just as all the internet traffic for a computer goes to the same network address. However, inside the building, the apartment number determines whose mail slot gets each letter. Similarly, the port number determines whether traffic goes to a web browser, mail program, or something else entirely. Every port has a number. For example, to fetch this web page, your web browser connected to port 80 on our web server.

    A port scan is an attempt to find out what ports receive traffic on a machine. Attackers do this to learn what programs are receiving information. If they find a program with a known bug that they can exploit to break into a machine, they've turned up useful information. A firewall can stop these scans by dropping packets destined to restricted ports, preventing an attacker from looking for vulnerabilities. To the attacker, it just looks as though no ports are open (or perhaps even as though the machine itself is not there).

  • Even without a port scan, an attacker could try to exploit known security holes, just to see if any worked. Using a firewall can prevent the attacker's network packets from reaching their target. Firewalls can also be selective about who they screen out and who they permit through. A firewall could allow an office computer to share files with a home computer, but stop any other computer on the internet from sending information to the ports used for that file sharing.

The above two uses for firewalls, preventing scans and preventing access to private computers and ports, are the most common uses for a firewall. Every firewall that I know of will offer you these features in some form or another.

  • Some firewalls go farther, allowing users to choose what applications they want to permit to access the network. For instance, one could permit a web browser access through the firewall, but forbid a program called "SpyOnMe" from sending information to "SpyingOnYou.com"'s web site. The difference here is that the choice rests on "which program" rather than "which port". Firewalls that offer this functionality must run on the same computer as the programs they monitor.

  • In the last bullet point, the firewall let some programs use the network while preventing others from doing so. Some firewalls even understand the traffic that's going through them. When loading web pages, they can tell the difference between the page and the banner ads that get in the way. These firewalls can filter out unwanted content, such as ads. Many of these systems can also filter out whole web pages, if desired. These systems are useful to parents who want to control what their children see and read.

  • The wave of viruses spread by email prompted another addition to some firewalls. Some can scan attachments to emails to ensure that they are free of well-known viruses.

  • Many firewalls will log where and when information was sent in and out, as well as what information was refused transport. With this feature, if you learn how to read the logs (which can get fairly cryptic, depending on the firewall), you'll be able to see when someone tries something funny.

  • Skipping tracks completely, there are a variety of attacks on a network that depend on the nit-picky, technical details of how each operating system handles networking. Most of these attacks rely on deliberately sending malformed, erroneous packets to the target computer. When the target computer tries to process the packet, it may crash, spew network traffic everywhere, or behave in some other unforeseen fashion. This kind of attack is a denial of service attack: the purpose is to deny you the use of your computing or networking resources. Firewalls can safeguard, with varying success, against some kinds of denial of service attacks.

  • Many broadband and DSL providers will only give one IP address per customer. Many firewalls can be configured to allow several computers behind the firewall. The firewall masquerades for the other computers. The firewall transmits information to and from the internet on behalf of all those computers, pretending to the rest of the world as though all the traffic is coming from the firewall.

  • Some firewalls will form a Virtual Private Network (VPN) to foreign sites. A VPN is a way to encrypt information that travels from your network to a foreign network. Many workplaces enjoy this option because it provides a secure way to connect home-office workers with the business's LAN. Whether VPNs themselves are secure enough or too risky is another subject entirely.

The general theme is that firewalls block some network traffic and permit other network traffic. The goal is to use a firewall to block unwanted traffic while allowing desirable traffic to pass through.
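The port scan and logging bullets above describe what a scan looks like from the defender's side: a burst of refused packets from one source, spread across many ports. The following added example (not from the original page) reads a constructed sample of packet-filter drop logs and flags sources that probe many distinct ports in a short window; the log field layout (SRC=, PROTO=, DPT=) is an assumption modelled on common packet-filter logs, so the regex may need adjusting for your product.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample of the "refused transport" entries a filtering firewall writes.
# The first source probes seven ports in three seconds; the second sends three stray
# packets hours apart, which should not be mistaken for a scan.
SAMPLE_LOG = """\
Mar 14 02:11:07 gateway firewall: DROP IN=ppp0 SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP SPT=3331 DPT=21
Mar 14 02:11:07 gateway firewall: DROP IN=ppp0 SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP SPT=3332 DPT=22
Mar 14 02:11:08 gateway firewall: DROP IN=ppp0 SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP SPT=3333 DPT=23
Mar 14 02:11:08 gateway firewall: DROP IN=ppp0 SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP SPT=3334 DPT=25
Mar 14 02:11:09 gateway firewall: DROP IN=ppp0 SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP SPT=3335 DPT=80
Mar 14 02:11:09 gateway firewall: DROP IN=ppp0 SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP SPT=3336 DPT=139
Mar 14 02:11:10 gateway firewall: DROP IN=ppp0 SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP SPT=3337 DPT=445
Mar 14 02:20:41 gateway firewall: DROP IN=ppp0 SRC=203.0.113.44 DST=192.168.1.10 PROTO=UDP SPT=1900 DPT=1900
Mar 14 02:35:02 gateway firewall: DROP IN=ppp0 SRC=203.0.113.44 DST=192.168.1.10 PROTO=TCP SPT=4000 DPT=139
Mar 14 03:55:18 gateway firewall: DROP IN=ppp0 SRC=203.0.113.44 DST=192.168.1.10 PROTO=TCP SPT=4001 DPT=445
"""

# Assumed log layout: syslog timestamp, host, "firewall: DROP", then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ firewall: DROP "
    r".*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_drops(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Return (timestamp, source, protocol, destination port) per DROP line; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            events.append((ts, m["src"], m["proto"], int(m["dpt"])))
    return events


def find_port_scans(text: str, min_ports: int = 5, window_s: int = 60) -> Dict[str, List[int]]:
    """Flag sources that hit at least min_ports distinct ports within any window_s-second span."""
    by_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, _proto, dpt in parse_drops(text):
        by_src[src].append((ts, dpt))
    scans: Dict[str, List[int]] = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide a window starting at each event
            ports = {d for t, d in events[i:] if (t - start).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                scans[src] = sorted(ports)
                break
    return scans
```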

How Can Firewalls Help

How do you pick a firewall that will do what you want? The various shapes, sizes, and functionalities of firewalls are discussed below.

Physical Forms of Firewalls

Broadly speaking, a firewall may take one of two forms. In the first, the firewall is a separate physical device. These are the little plastic boxes pictured in computer store catalogs. They connect to the cable modem or DSL router and separately connect to a home network or computer. In the second form, firewalls may just be software. With all-software firewalls, there's no separate box of hardware to require yet another open wall socket. On the other hand, the computer with the firewall on it must be between the rest of the network (if any) and the link to the outside world. Or you have to put the firewall software on each machine individually, which means configuring a different firewall for every machine. That doesn't work well for large networks, but for households which won't have more than a handful of computers, the effort isn't prohibitive.

Ways Firewalls Function

Whether physically separate boxes or pieces of software, firewalls all function largely the same way. Firewalls divide into two broad groups: filtering and proxying. A filtering firewall listens to each incoming and outgoing packet. If the firewall's configuration indicates that a packet is acceptable, the packet is forwarded on its path. If the packet does not match the configuration, it is discarded. Filtering is good for the first two concerns in the threat list above: scanning and attacks against specific ports. With a filtering firewall, a good configuration allows only desirable protocols to travel through. An example would be, "Allow me to web surf and both send and receive mail, but don't allow anything else. Specifically notify me if anyone tries to access file or printer sharing."
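The quoted policy ("allow web and mail, drop everything else, notify on file or printer sharing") is concrete enough to model. The following added example (not from the original page) is a toy stateful packet filter that applies exactly that policy to a constructed packet sequence; it assumes the user's mail client connects out to SMTP and POP3 servers, adds DNS (53/udp) because web surfing needs name lookups, and treats the NetBIOS/SMB ports as "file and printer sharing".

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Services the example policy permits us to open. DNS is an assumption added so that
# "web surf" actually works; the rest follow the quoted policy.
ALLOWED_OUT = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 110), ("udp", 53)}
# Windows file and printer sharing (NetBIOS/SMB); inbound hits here trigger a notification.
SHARING_PORTS = {137, 138, 139, 445}


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the home network, "in" = arriving from the internet
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class PacketFilter:
    """Stateful filter: accept chosen outbound services and their replies, drop everything else."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, str, int, str, int]] = set()  # (proto, local, lport, remote, rport)
        self.notifications: List[str] = []
        self.log: List[str] = []

    def decide(self, p: Packet) -> str:
        if p.direction == "out" and (p.proto, p.dport) in ALLOWED_OUT:
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))  # remember what we opened
            return self._record(p, "ACCEPT")
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return self._record(p, "ACCEPT")  # reply to a connection we started ourselves
        if p.direction == "in" and p.dport in SHARING_PORTS:
            self.notifications.append(f"{p.src} probed file/printer sharing port {p.dport}")
        return self._record(p, "DROP")  # default deny: the scanner sees nothing

    def _record(self, p: Packet, verdict: str) -> str:
        self.log.append(f"{verdict} {p.direction} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return verdict


def run_sample() -> Tuple[List[str], List[str]]:
    """Push a constructed packet sequence through the filter; return (verdicts, notifications)."""
    fw = PacketFilter()
    sample = [
        Packet("out", "udp", "192.168.1.10", 40001, "10.0.0.53", 53),      # DNS lookup
        Packet("in",  "udp", "10.0.0.53", 53, "192.168.1.10", 40001),      # DNS answer
        Packet("out", "tcp", "192.168.1.10", 40002, "203.0.113.7", 80),    # browser to web server
        Packet("in",  "tcp", "203.0.113.7", 80, "192.168.1.10", 40002),    # web server's reply
        Packet("in",  "tcp", "198.51.100.9", 3333, "192.168.1.10", 80),    # unsolicited: no web server here
        Packet("in",  "tcp", "198.51.100.9", 3334, "192.168.1.10", 139),   # probe of file sharing
        Packet("out", "tcp", "192.168.1.10", 40003, "203.0.113.7", 6667),  # IRC: not in the policy
    ]
    return [fw.decide(p) for p in sample], fw.notifications
```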

Proxying firewalls do not allow any packets to pass across them. To use the net, one connects to the proxying firewall and lets it connect to the rest of the network. This is a subtle distinction. Using the web as an example may clarify the idea. With a packet filter, the client computer will connect directly to the web server at the remote location. All of the packets exchanged with the web server must pass through the filter. With a proxy, the web browser connects to the proxy, then the proxy connects to the web server. The web server sends its response to the proxy, which then sends the web pages to the client. With a proxy, the browser is never connected directly to the server. The firewall is called a proxy because it stands in as a proxy for the browser when communicating with the server. Looked at the other way, the firewall stands in as a proxy for the rest of the world, as far as the browser is concerned. The benefit is the same as from a packet filter, because the proxy will only proxy for communications that it is configured to accept.

Firewall Architectures Compared

So what's the difference? A packet filter screens out unwanted packets. A proxy screens out unwanted packets. The difference comes from the fact that a proxy must fully understand the information being sent across it in order to proxy, whereas a packet filter need only understand the source, destination, and ports involved. This should make sense. A proxy has to pretend to be a server to the client software and pretend to be a client to the real server. Filters just pass things through so that the client and server connect directly.

This means that filtering firewalls are generally much smaller and simpler pieces of software. They don't have to understand as much, so there's less room for mistakes. This can be an advantage, because all software has bugs. Bugs in a firewall can completely compromise the firewall's effectiveness. Packet filters can also be easier to configure. They don't do as much, so they have a smaller set of options than proxies.

However, a packet filter can't distinguish between a banner ad and a page. It certainly can't filter out websites based on content. Filters don't understand email, so they can't scan for viruses. Essentially, any advanced features that have to understand the data that's on the network are beyond the capabilities of a packet filter. For that, there are proxies. Since a web browser proxy understands the protocols of the web, it might as well check the content and not bother downloading the banner ads. Since a proxy has to understand email transmission protocols, it might as well scan the mail for viruses as it relays it.

Masquerading additional machines can be done with either kind, although there are arguments over whether it comes more naturally to packet filters or proxies. Both kinds will log who tries to use ports that are restricted, but to log which web sites are viewed from inside the network requires a proxy. Keep in mind, though, that the proxy must understand every application that it proxies for. A web proxy works because it knows how to speak to web servers and web browsers. An email proxy server works because it speaks the email protocols. If you are likely to be disabling your firewall every weekend so you can play games that it won't proxy for, then you should go for a packet filter instead (or in addition), because packet filters don't care about content. You just need to know what ports are used.

I've often seen the question, "Are packet filters or proxies better firewalls?" There's lots of debate. In the end, the answer is probably, "It depends what you want to do." Personally, I find that a packet filtering firewall does everything I need. I have no children or employees with behavior to monitor. I have a network with enough addresses for all my machines. But I do want to avoid people trying to access services that I don't offer to the outside world. A packet filter serves me well for that. I also have one firewall for each machine on the network. I didn't put a single firewall out in front of all the machines. This allows me to customize the filtering rules for what services each machine offers. However, I'm willing to put in more effort, so my solution may cost more time to upkeep than most would want.

Other Features

Okay, if you've stayed with me so far, you have some idea what kinds of threats a firewall can help you protect yourself against. The above section also gave you some idea how to narrow down the category of firewall to focus your search. There is a grab bag of other features you may want to consider.

  • Will the firewall set up rules that change based on time of day? For example, "Don't allow outgoing traffic while I'm at work, because it couldn't possibly be from me." But do the rules really need to change based on the time of day? Do people often break into your home just to send an email?
  • Does the firewall need to allow for changing firewall rules from remote locations? If so, how does it authenticate identity to know it's really someone allowed to make changes? Will it encrypt the communication so that eavesdroppers don't see the changes in the firewall rules?
  • How easy is the firewall to set up and configure? If it is too difficult, mistakes may leave the network vulnerable. If it is too simple, it may be that the product is sweeping important details under the rug.
  • What platform will the firewall run under?
  • How much does the firewall cost? At the low end of price, many firewalls are available at no charge. This does not imply that they are of inferior quality. Many fine firewall products are given away. However, they may not be easy to use or have technical support. Price goes up through consumer solutions. At the high end, corporate firewall solutions can come with service contracts for round the clock monitoring by professional watch centers. Bear in mind, the trade-off is often not so much price vs. quality of software as it is price vs. quality of support or price vs. user-friendliness.

Final Recommendations

I know this is the part where I'm supposed to name my personal favorites in the various categories. Firewall software is still a rapidly advancing, volatile field. Any recommendations I could make would be out of date as soon as I put up the page. I've tried to concentrate on the kind of issues that will help you to evaluate feature lists for yourself.

Also, note that I do not go into depth about how to configure a firewall. Like any other tool, firewalls can be used well or poorly. I've told you to use what you want to do (and prevent others from doing) as a guide to picking your firewall. Configuring the firewall will depend very heavily on the specifics of what you want it to do.

I hope you find a firewall that suits your needs. In the end, though, please remember that a firewall does not guarantee your security. It's been said a lot in computer security circles, but it never hurts to repeat: "A firewall does not guarantee the security of your network, period." A good firewall is only the first line of defense.

If you're really interested in rolling your own firewall (and network security in general), I heartily recommend reading Zwicky, Cooper, and Chapman's Building Internet Firewalls. (Or buy from Amazon.) If you are running any variant of UNIX, including Linux, I also suggest Garfinkel and Spafford's Practical UNIX and Internet Security. (Or buy from Amazon.)

Summary Guidelines Collected

Summary 1: Choices among firewalls are most heavily influenced by what to protect and what to protect against.

Summary 2: In the case of firewalls, what to protect against is best expressed as what kind of information should be allowed in/out vs. what shouldn't.

Summary 3: Firewalls work by allowing desirable traffic to pass through and forbidding everything else.

Summary 4: Packet filtering firewalls are simpler, in principle, than proxies. They screen traffic based on where it comes from and where it's going, using port numbers to distinguish between different services/programs. Proxying firewalls are smarter, understanding the way applications communicate; this lets proxies plug in more advanced features for deciding what passes through and what doesn't.

Summary 5: Honestly, the best shield is knowledge of networks, firewalls, and computer security in general. The more you learn about specific threats, the more you'll understand about how to choose and set up your firewall. Don't try to operate software and hardware beyond your abilities. It's better to keep things simple and correct, rather than sophisticated but with holes for adversaries to exploit.

Summary 6: Free firewalls are not necessarily of inferior quality, but they don't come with formal support. How much you pay mostly determines how much time you'll spend wrestling with your firewall to get the results you want. Of course, if your configuration is not correct, you may be opening an exploitable hole for an attacker.

Summary 7: A firewall is a first line of defense. Look into other options to bolster your network's security in tandem with the firewall.

This page is part of the Infrequently Asked Questions archive.

jhoward@burningvoid.com


This information is provided "as is," with no warranty or guaranty. The IAQ pages have not been maintained in some time; they're being kept up because, judging by the traffic and link-backs, people still find them useful.
Copyright 1998-2004 by Jeffrey Howard and Heather Grove, except where stated otherwise.