Firewalls

In Networking and Security we hear the term firewall on a regular basis.  The average computer user uses the term as well when talking about the Windows, Symantec or McAfee firewalls.  Some more advanced users think they are secure because their organization has a firewall.  While the terminology is used on a regular basis, many share misconceptions about what a firewall is, how it is used, and what the different kinds of firewall are.

Definition

Webopedia defines a firewall as

"A system designed to prevent unauthorized access to or from a private network" (http://www.webopedia.com/TERM/f/firewall.html).

It further explains that "All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria."  While this definition and explanation give a general view, they are technically flawed in that they call TCP/IP packets messages.  One tends to think of messages as e-mails, and a firewall should filter a great deal more than e-mail messages.

A firewall is a device or software that limits, filters and monitors TCP/IP traffic in and out of a network, computer or other device.  This new definition encompasses host based firewalls, hardware, and software.

Host based firewalls are designed to limit, filter and monitor access to a single host.  Examples of host based firewalls are IP Chains or the newer IP Tables on Linux based operating systems.  Symantec and McAfee offer a host based firewall as part of their Client Security suites.  Host based firewalls are always a good idea for a laptop that is moved from network to network and is connected to public networks.   It allows the user to limit access to the operating system to only the services the user has started on the laptop and prevents intrusion from unknown sources.  The Windows firewall is just as useful, but might not have as many features as other commercially available products.

Links for host based firewalls:

Symantec Norton's 360 - http://www.symantec.com/norton/products/n360

McAfee Security Center - http://us.mcafee.com/root/package.asp?pkgid=272

Netfilter Project for Linux - http://www.netfilter.org/

Blackice (formerly Blackice Defender) - http://www.blackice.com/PCProtection-Firewall.htm

Understanding Windows Firewall - http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

Packet Filter Firewalls inspect all packets entering and leaving the network and either accept, reject or drop each packet based on predefined rules set up by the network or system administrator.  Most firewalls inspect the packet header (the first 20 bytes of an IPv4 packet) and based on rules either forward, drop or reject the packet.  Newer packet filter firewalls also inspect the payload of the packet and, based upon predefined signatures, might not accept the packet.  For a description of a packet header see http://erg.abdn.ac.uk/users/gorry/course/inet-pages/ip-packet.html .   Some of the host based firewalls described above have Packet Filter features built into them.
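To make the mechanics concrete, here is an added Python example (not code from the page or from any firewall product it mentions) of a stateless packet filter: it decodes the 20-byte IPv4 header described above, reads the TCP/UDP ports that follow it, and walks a first-match-wins rule list with a default DROP policy, returning ACCEPT, REJECT or DROP for each packet.  The rule set, the addresses and the packets are constructed for the example, and the Rule class and build_packet helper are this example's own, not an iptables or IPCop API.

```python
import struct
import ipaddress

# IPv4 protocol numbers as carried in the header's "protocol" field
PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_UDP = 17

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"


def parse_ipv4_header(packet):
    """Decode the fixed 20-byte IPv4 header, plus TCP/UDP ports when present.

    Raises ValueError for anything that is not a complete IPv4 header, so a
    malformed packet is never matched against the rules by accident.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, >= 20 with options
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 packet")
    hdr = {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
           "proto": proto, "ttl": ttl, "sport": None, "dport": None}
    # TCP and UDP both begin with 16-bit source and destination ports, located
    # right after the IP header; ihl (not a fixed 20) accounts for IP options.
    if proto in (PROTO_TCP, PROTO_UDP) and len(packet) >= ihl + 4:
        hdr["sport"], hdr["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return hdr


class Rule:
    """One filter rule (example's own class): given fields must all match,
    fields left as None are wildcards."""

    def __init__(self, action, proto=None, src=None, dst=None, dport=None):
        self.action = action
        self.proto = proto
        self.src = ipaddress.IPv4Network(src) if src else None
        self.dst = ipaddress.IPv4Network(dst) if dst else None
        self.dport = dport

    def matches(self, hdr):
        if self.proto is not None and hdr["proto"] != self.proto:
            return False
        if self.src is not None and hdr["src"] not in self.src:
            return False
        if self.dst is not None and hdr["dst"] not in self.dst:
            return False
        if self.dport is not None and hdr["dport"] != self.dport:
            return False
        return True


def filter_packet(rules, packet, policy=DROP):
    """First matching rule decides; otherwise the chain's default policy applies."""
    hdr = parse_ipv4_header(packet)
    for rule in rules:
        if rule.matches(hdr):
            return rule.action
    return policy


def build_packet(src, dst, proto, sport=0, dport=0, options=b""):
    """Construct a minimal IPv4 packet (constructed test input, not captured traffic).
    options must be a multiple of 4 bytes, as the IHL field counts 32-bit words."""
    ihl_words = 5 + len(options) // 4
    l4 = struct.pack("!HH", sport, dport) if proto in (PROTO_TCP, PROTO_UDP) else b""
    total_len = ihl_words * 4 + len(l4)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0, total_len, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options + l4


# Rule set for a stripped-down host: accept SSH only from the local LAN and
# HTTPS from anywhere, answer telnet attempts with a REJECT (an ICMP/RST goes
# back), and silently DROP everything else via the default policy.
# Addresses are constructed examples (RFC 1918 / RFC 5737 ranges).
LAN = "192.168.1.0/24"
RULES = [
    Rule(ACCEPT, proto=PROTO_TCP, src=LAN, dport=22),
    Rule(ACCEPT, proto=PROTO_TCP, dport=443),
    Rule(REJECT, proto=PROTO_TCP, dport=23),
]

if __name__ == "__main__":
    for label, pkt in [
        ("LAN -> ssh", build_packet("192.168.1.10", "192.168.1.1", PROTO_TCP, 40000, 22)),
        ("internet -> ssh", build_packet("203.0.113.5", "192.168.1.1", PROTO_TCP, 40000, 22)),
        ("internet -> https", build_packet("203.0.113.5", "192.168.1.1", PROTO_TCP, 40001, 443)),
        ("internet -> telnet", build_packet("203.0.113.5", "192.168.1.1", PROTO_TCP, 40002, 23)),
        ("internet -> icmp", build_packet("203.0.113.5", "192.168.1.1", PROTO_ICMP)),
    ]:
        print(f"{label:20s} {filter_packet(RULES, pkt)}")
```

The difference between REJECT and DROP is the one the text's "rejects" versus "drops" refers to: both refuse the packet, but REJECT tells the sender so, while DROP leaves the sender waiting for a timeout.  Reading the ports at offset ihl rather than a hard-coded 20 matters because a packet carrying IP options would otherwise have its port fields read from the wrong bytes and could slip past a port-based rule.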

The oldest and most commonly used packet filter is the IP Tables or IP Chains that are built into the Linux kernel.  A great number of Open Source firewalls are built on the IP Tables kernel module platform.  My favorite and easiest to set up is the IP Cop firewall found at http://www.ipcop.org/.  A user with average computer skills can use an older Pentium II or III machine with 2 or 3 network cards, a minimum of 128 MB of RAM and an older 10 GB hard drive to build a really useful and effective firewall that has been used to protect small and medium size networks.  Here is an excerpt from the IPCop Installation Manual:

"You will be installing an operating system on the IPCop PC. It is a Linux based operating system, but it is not meant to be a general-purpose system. The firewall design attempts to eliminate as many features from the system as possible. The central idea is that the more code that runs on the firewall, the more places there are that are vulnerable to attacks. Do not expect facilities like sendmail or FTP daemons to be present. These are not needed on a firewall and may contain holes that are known to malicious users. " 

This clearly outlines one of the basic requirements for a firewall - strip the operating system down to only the necessary services so as to have a more secure platform.  All unnecessary services and the graphical user interface have been eliminated.  IP Cop does provide a webpage interface that is run on a secure apache installation with SSL default settings.  The management webpage that can be accessed after the initial installation is served on https://<ipcop ip address>:455, which you might recognize as the SSL port.  IPCop offers a whole set of other services, including DHCP, VPN, Proxy and Traffic Shaping.  This is characteristic of most modern firewalls that have multiple uses.  This is not necessarily ideal, since it creates a single point of failure, but it is a reality of today's multifunction mentality.

To learn about IP Tables see the following detailed tutorial:  http://iptables-tutorial.frozentux.net/iptables-tutorial.html