
Firewalls

As you decide to invest in and set up a network at your home or office, one key element to consider is security. In order to protect and keep your network investments, your network information, and your personal data secure from outside intruders, it is important to take security precautions when creating your network structure.

In this section, we will be introducing the concept of firewalls, the types of firewalls out on the market today and how they keep your network and personal computers safe.

Firewall

Firewall – A firewall can be considered a defense mechanism consisting of explicit rules used to protect computers on your private network from malicious attacks coming from computers on the Internet or users outside of your network. A firewall can be hardware or software based.

Most hardware firewalls (also referred to as “network firewalls”) are physically located between your Internet Connection (cable modem) and your router/switch to protect your overall network. Software based firewalls (also referred to as “Host-based firewalls”) protect computers individually by monitoring and controlling the Network Adapter(s) on the host machine (your PC).

Rules are defined to allow or deny specific types of traffic in or out of the network through “firewall policies”. All traffic that the firewall encounters is compared to the firewall policy to determine whether the traffic should be granted network access or denied access.

Either type of firewall may use Stateful Packet Inspection (SPI) and/or Network Address Translation (NAT) methods to increase protection from the Internet and keep your network secure.

About SPI

Stateful Packet Inspection is a mechanism designed to keep track of all open sessions initiated from the trusted network (private LAN) and destined for the untrusted network (WAN or Internet). These connections are maintained in what is known as a state table until they time out or are properly ended. The firewall uses this state table as a dynamic rule-set to allow or deny incoming traffic from the WAN to reach computers on the private LAN. If the incoming traffic matches the criteria of a currently open connection, it is allowed to pass the firewall. If the incoming traffic does not match any current connection in the state table or any pre-defined virtual server/port mapping, it is denied and dropped.

Think of Stateful Packet Inspection (SPI) as a request-response mechanism. For every action you perform using your PC, you are sending a “request” for that action to be carried through. Now in order for you to complete your transaction, you would need to receive a “response”.

SPI is the process by which the firewall keeps track of certain attributes of every LAN-initiated request, so that when a response returns, the firewall automatically checks whether the attributes of the response match up with those of the initial request. If there is a successful match, the response is allowed into the network; otherwise, the response is denied access.

For example, when you send an instant message to your friend, the firewall logs your outgoing message as an initial request for a chat session and waits for a response. Your friend receives your message and sends you a reply, but before that message can pop up on your screen, the firewall intercepts it and confirms that the response data matches your initial request. The instant message goes through. If your friend were to send a message to you without you having initiated the conversation, or without you having told the firewall to allow incoming connections, the firewall would drop that message, as there would be no corresponding entry in the state table or rule set.
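The following Python model, added here as an illustration and not taken from the original page, shows the mechanism described above: outbound requests from the LAN populate a state table, an inbound packet is admitted only when its attributes mirror an open entry (or match a pre-defined port mapping from the static rule-set), and idle entries age out of the table. The LAN prefix, the 5-minute timeout, the addresses and the port numbers are all constructed example values; a real SPI firewall also tracks TCP flags and sequence numbers, which this model leaves out.

```python
from dataclasses import dataclass
import time

# Constructed example values: a private LAN on 192.168.1.0/24 and a
# 5-minute idle timeout for entries in the state table.
LAN_PREFIX = "192.168.1."
STATE_TIMEOUT = 300.0


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


class StatefulFirewall:
    """Minimal SPI model: outbound sessions populate a state table, and
    inbound packets are admitted only if they match an open session or a
    pre-defined port mapping (a "virtual server" rule in the static rule-set)."""

    def __init__(self, port_mappings=(), now=time.monotonic):
        # State table: outbound 5-tuple -> time the session was last seen.
        self.state = {}
        # Static rule-set: (proto, WAN-facing port) pairs that are always allowed in.
        self.port_mappings = set(port_mappings)
        # Injectable clock so that timeouts can be exercised deterministically.
        self.now = now

    @staticmethod
    def _is_lan(ip):
        return ip.startswith(LAN_PREFIX)

    def _expire_idle_sessions(self):
        cutoff = self.now() - STATE_TIMEOUT
        for key in [k for k, seen in self.state.items() if seen < cutoff]:
            del self.state[key]

    def process(self, pkt):
        """Return 'allow' or 'drop' for one packet crossing the firewall."""
        self._expire_idle_sessions()
        if self._is_lan(pkt.src_ip) and not self._is_lan(pkt.dst_ip):
            # Outbound request from the trusted side: record (or refresh) the session.
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.state[key] = self.now()
            return "allow"
        # Inbound traffic: the reply's attributes must mirror an open request.
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.state:
            self.state[reverse] = self.now()
            return "allow"
        if (pkt.proto, pkt.dst_port) in self.port_mappings:
            return "allow"
        return "drop"


def run_scenario():
    """Walk through the chat example from the text with a manual clock."""
    clock = [1000.0]
    fw = StatefulFirewall(port_mappings=[("tcp", 80)], now=lambda: clock[0])
    lan_pc = "192.168.1.10"
    friend = "203.0.113.5"          # constructed WAN host (TEST-NET-3 range)
    outbound = Packet(lan_pc, 51000, friend, 5222, "tcp")    # your message
    reply = Packet(friend, 5222, lan_pc, 51000, "tcp")       # matching response
    unsolicited = Packet(friend, 5222, lan_pc, 52000, "tcp") # no matching request
    to_webserver = Packet(friend, 40000, "192.168.1.20", 80, "tcp")  # port mapping
    results = [fw.process(outbound), fw.process(reply),
               fw.process(unsolicited), fw.process(to_webserver)]
    clock[0] += STATE_TIMEOUT + 1   # the idle chat session ages out of the table
    results.append(fw.process(reply))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The last verdict in the scenario shows why the timeout matters: once the chat entry has expired, the very same reply that was previously admitted is dropped, because the firewall no longer holds a request to match it against.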

About NAT

Network Address Translation (NAT) is based on a few key principles of operation: certain IP networks are assigned to private use only and are not to be used on the Internet as globally routable IP addresses, and these private networks can share one or more unique globally routable IP addresses to communicate on the Internet.

The NAT device (Network Address Translator) translates source and destination IP information so that all communications originating from the private LAN appear to come from the NAT device's globally routable IP address rather than from the private IP assigned to the original requesting machine. NAT makes it possible to share a single public IP address between multiple computers on a private network. Any communication initiated from the LAN is translated to appear as though it came from the public IP of the NAT device. All communications destined for the public IP of the NAT device are translated back to the corresponding private IP address, provided the traffic is allowed (either through SPI or a rule-set).

NAT is commonly considered a form of network security because Internet or WAN hosts do not see the IP address of each PC on the private LAN; only the single public IP address associated with your network is visible.
