Firewalls are an important part of internet security. They guard systems and networks from hack attempts and other malicious unauthorized activity. But how do you the work? To understand this it is important that you understand some basics on how the internet works and how ‘packets’ move around from network to network. Let’s examine this in a bit more detail.What is a packet? – Simply put a packet is a small collection of data that is sent from one system to another. If a machine wanted to send a one megabyte file to a server it would not be practical in most cases to send it all in one go, so what happens is this data is then split up into packets. These packets are then sent individually, the advantage here is that if one packet fails to send it can easily be resent without needing the rest of the data to also be resent. A packet contains important information to ensure that it arrives where it should do. The most important parts being – the source address, destination address, source port and destination port.What is a port? – Every single piece of data sent across the internet needs to have a source port and destination port. The source port is generated automatically in most cases by the operating system and is a simple way for your computer to differentiate between two lots of data. For example – let’s say you’re browsing the web and sending email at the same time. When a response comes back to say your email has sent how does the operating system know that this packet is destined for your email client? With the source port of course! Your computer will setup a virtual port for your email client (let’s say 1024) and then when you start browsing the web it will setup another port for this (let’s say 1025)
The destination port is more important, it tells the receiving host what service the packet is meant for. All the common services on the internet (http, email, ftp, telnet) have their own standard ports. Here is a list of some of the common ones:
- Http (Web) : 80
- Sending Email (SMTP) : 25
- Receiving Email (Pop) : 110
- FTP : 21
- Telnet : 23
So when a server receives a packet with the destination port of 80, it knows that this is a web request and it hands the packet to its web service program (IIS or Apache for example).
Now that you know about packets and ports it will be easier to understand how a firewall works.
The basic job of a firewall – A firewall can be either hardware or software, essentially they serve the same purpose, a hardware firewall would physically sit in between your local network and wide area network. A software firewall would sit on a client machine and therefore would only be able to protect that machine it resides on.
A software firewall sits low in the operating system and integrates with the network handler, by doing this it can ‘intercept’ every single packet that goes in and out of your machine. A firewall will usually come with a default set of rules that it must adhere to. These rules will determine what packets a firewall will allow in and out. Typically a firewall might be set to only allow outgoing traffic on certain ports. By doing this only traffic destined for the allowed services would be allowed out. So if a rogue program made its way on your machine and attempted to ‘call home’ on a different port to the ones in your allowed list, it would be blocked.
Whilst this is all good and well, what would happen if this rogue program called home on an allowed port, like port 80? Well the firewall would let it through of course and we don’t want this. This is why many firewall programs will generate rules based on the process name. For example it would allow iexplore.exe to communicate out on port 80, but any other program communicating out would need permission.
Analyzing incoming traffic is probably the biggest job for the firewall, every packet must be examined to see what program it is destined for and whether it should be allowed. Again, most software firewalls will have a list of rules of what to allow and what not to. If a packet comes in destined for a port that is not being used then it will be dropped and logged. The set of rules that a user can customize for a firewall will only offer so much protection, this is why many firewalls will use heuristics to determine if a hack attempt is being made. Many hack attempts will follow patterns that the firewall will determine and be able to establish as a hack attempt. A common example is port scanning – when incoming requests for ports are flying in fast the firewall will usually know that this is a port scan attempt and will then drop all packets from the source host for the next ten minutes.
This kind of pattern detection is what makes a firewall effective at its job. Fixed rules are only effective to a point, if a firewall is challenged with an attack that it doesn’t know about it must be able to detect it and stop it.
So in summary; a firewall is used to analyze every packet coming in and out of an interface and determine whether it should be allowed, packets that are not allowed are blocked. To determine whether a packet is allowed a firewall will follow a set of rules that can be customized by the administrator. Many firewalls also use heuristic detections to stop hack attempts that follow common patterns.
Courtesy: Computing Help
No comments:
Post a Comment