How does a Firewall Work???
All internet communication is accomplished by the exchange of individual "packets" of data. Each packet is transmitted by its source machine toward its destination machine. Packets are the fundamental unit of information flow across the Internet. Even though we refer to "connections" between computers, this "connection" is actually comprised of individual packets travelling between those two "connected" machines. Essentially, they "agree" that they're connected and each machine sends back "acknowledgement packets" to let the sending machine know that the data was received.
In order to reach its destination, whether it's another computer two feet away or two continents distant, every Internet packet must contain a destination address and port number. And then, so that the receiving computer knows who sent the packet, every packet must also contain the IP address and a port number of the originating machine. So, any packet travelling the net contains, first and foremost, its complete source and destination addresses. An IP address always identifies a single machine on the Internet, and the port is associated with a particular service or conversation happening on that machine.
Since the firewall software inspects each and every packet of data as it arrives at your computer, BEFORE it's seen by any other software running within your computer, the firewall has total veto power over your computer's receipt of anything from the Internet.
A TCP/IP port is only "open" on your computer if the first arriving packet which requests the establishment of a connection is answered by your computer. If the arriving packet is simply ignored, that port of your computer will effectively disappear from the Internet. No one and nothing can connect to it!!!
But the real power of a firewall is derived from its ability to be selective about what it lets through and what it blocks out. Since every arriving packet must contain the correct IP address of the sender's machine (in order for the receiver to send back a receipt acknowledgement), the firewall can be selective about which packets are admitted and which are dropped. It can "filter" the arriving packets based upon any combination of the originating machine's IP address and port and the destination machine's IP address and port.
For example, if you were running a web server and needed to allow remote machines to connect to your machine on port 80 (http), the firewall could inspect every arriving packet and only permit connection initiation on your port 80. New connections would be denied on all other ports. Even if your system were to inadvertently pick up a Trojan horse program which opened a Trojan listening port to the outside world, no passing Trojan scanner could detect or know of the Trojan's existence, since all attempts to contact the Trojan inside your computer would be blocked by the firewall!!!
Or suppose that you want to create a secure "tunnel" across the Internet to allow your home and office computers to share their files without any danger of unauthorized intrusion. Firewall technology makes this possible and relatively simple. You would instruct the firewall running on your office computer to permit connections on the NetBIOS file sharing ports 137-139 only from the IP address of your home computer. The firewall running on your home machine would similarly be instructed to permit connections on ports 137-139 only from your office machine's IP address. So, either machine can "see" the other's NetBIOS ports, but no one else on the Internet can see that either machine has established such a secure tunnel across the Net.
But what about you originating your own connections to other machines on the Internet??? For example, when you surf the web you need to connect to web servers that might have any IP address. You wouldn't want all those to be blocked just because you want to block everyone from getting into your machine. It turns out that this is easy for a firewall too. Since each end of a TCP connection is always acknowledging the other end's data, every packet that flows between the two machines has a bit set in it called the "ACK" bit. This bit says that the packet is acknowledging the receipt of all previous data. But this means that only the very first packet which initiates a new connection would NOT be acknowledging any previous data from the other machine. In other words, a firewall can easily determine whether an arriving packet is initiating a new connection or continuing an existing conversation. Packets arriving as part of an established connection would be allowed to pass through the firewall, but packets representing new connection attempts would be discarded. So, a firewall can permit the establishment of outbound connections while blocking any new connection attempts from the outside.
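The three ideas above (filtering on source/destination address and port, the port-80 and NetBIOS-from-one-address rules, and letting established traffic through by checking the ACK bit) can be put together in a small simulated packet filter. This is an added example, not code from the original post; the packet and rule classes, the rule list, and the addresses 203.0.113.10 and 198.51.100.7 are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (constructed, simplified)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool = False   # set on every TCP packet except the first one of a connection


@dataclass(frozen=True)
class Rule:
    """One filter rule for NEW inbound connection attempts (hypothetical format)."""
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network; the default matches any sender
    dst_ports: tuple = ()        # destination ports; empty means any port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src_ip) not in ip_network(self.src):
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        return True


def is_new_connection(pkt: Packet) -> bool:
    """The post's heuristic: only a connection's first packet lacks the ACK bit."""
    return not pkt.ack


def filter_inbound(rules, pkt: Packet) -> str:
    """Decide an arriving packet: established traffic passes, new attempts hit the rules."""
    if not is_new_connection(pkt):
        return "allow"           # continuing a conversation we already took part in
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"                # default: unsolicited connection attempts are dropped


# Constructed addresses for the office machine that runs this filter and its home peer.
OFFICE_IP = "203.0.113.10"
HOME_IP = "198.51.100.7"

# Rule list for the office machine: a public web server plus a NetBIOS "tunnel"
# that only the home machine's address may open. Everything else is denied.
OFFICE_RULES = [
    Rule("allow", dst_ports=(80,)),
    Rule("allow", src=HOME_IP, dst_ports=(137, 138, 139)),
]


def demo() -> dict:
    """Run a handful of constructed packets through the office filter."""
    cases = {
        "web_client_to_80": Packet("192.0.2.44", 40001, OFFICE_IP, 80),
        "stranger_to_netbios": Packet("192.0.2.44", 40002, OFFICE_IP, 139),
        "home_to_netbios": Packet(HOME_IP, 40003, OFFICE_IP, 139),
        "scanner_to_trojan_port": Packet("192.0.2.99", 40004, OFFICE_IP, 31337),
        # reply traffic for a web page the office machine itself requested
        "reply_from_web_server": Packet("192.0.2.8", 443, OFFICE_IP, 51234, ack=True),
    }
    return {name: filter_inbound(OFFICE_RULES, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

Note that this filter trusts a flag the remote sender wrote into the packet; real firewalls keep a table of connections they have actually seen opened from the inside and match reply packets against it, which is the stateful version of the same idea.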
Another example of the power of a high-quality firewall is "application level" filtering and response: Most firewalls do pretty much what's described above, and that gives tremendous protection. But they don't attempt to "understand" the data in the packets they're admitting or blocking. Their "permit" or "deny" decisions are based only upon the source and destination addresses and ports. An "application level" firewall, on the other hand, involves itself in the actual dialog taking place. One of the BIGGEST problems with Microsoft's file and printer sharing is its lack of ability to prevent password crackers from pounding away on a password until it's broken. But an intelligent application level firewall can monitor what's happening on port 139 (where password protection occurs) and step in to completely block an offending remote computer!!! It can automatically "black list" the originating IP address to completely prevent any and all future access from that outsider.
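The "watch the password dialog on port 139 and black-list the offender" behaviour can be sketched as a monitor that reads authentication results and cuts off any address that fails too often. This is an added example, not code from the original post: the log line format, the per-address failure counter, the threshold of five failures in sixty seconds, and the addresses 203.0.113.50 and 198.51.100.7 are all constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed log format: "<unix_ts> src=<ip> dport=139 auth=<OK|FAIL>"
LOG_RE = re.compile(r"^(?P<ts>\d+) src=(?P<ip>[\d.]+) dport=139 auth=(?P<result>OK|FAIL)$")


def parse_line(line: str):
    """Return (timestamp, source_ip, succeeded) or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["ip"], m["result"] == "OK"


class AuthMonitor:
    """Counts failed logons per source address and black-lists repeat offenders."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 60):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocklist = set()

    def permit(self, ip: str) -> bool:
        """Would the firewall still let packets from this address through?"""
        return ip not in self.blocklist

    def observe(self, ts: int, ip: str, success: bool) -> str:
        """Feed one authentication result; returns the verdict for that event."""
        if ip in self.blocklist:
            return "blocked"             # a black-listed address gets no further dialog
        if success:
            self.failures.pop(ip, None)  # a good logon clears the address's failure history
            return "ok"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()             # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.blocklist.add(ip)
            return "blocked"
        return "failed"


def run(lines, monitor: AuthMonitor):
    """Replay log lines through the monitor; returns [(ip, verdict), ...]."""
    verdicts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, ok = parsed
        verdicts.append((ip, monitor.observe(ts, ip, ok)))
    return verdicts


# Constructed sample: one address hammers port 139 with wrong passwords, another
# mistypes once and then logs on normally.
SAMPLE_LOG = [
    "1000 src=203.0.113.50 dport=139 auth=FAIL",
    "1001 src=203.0.113.50 dport=139 auth=FAIL",
    "1002 src=203.0.113.50 dport=139 auth=FAIL",
    "1003 src=203.0.113.50 dport=139 auth=FAIL",
    "1004 src=203.0.113.50 dport=139 auth=FAIL",
    "1005 src=203.0.113.50 dport=139 auth=OK",    # even a later correct guess is refused
    "1010 src=198.51.100.7 dport=139 auth=FAIL",
    "1012 src=198.51.100.7 dport=139 auth=OK",
    "garbage line that does not parse",
]


def demo():
    monitor = AuthMonitor()
    verdicts = run(SAMPLE_LOG, monitor)
    return verdicts, sorted(monitor.blocklist)


if __name__ == "__main__":
    verdicts, blocked = demo()
    for ip, verdict in verdicts:
        print(f"{ip:15s} {verdict}")
    print("black-listed:", blocked)
```

The point of the sliding window is that a legitimate user who fumbles a password now and then never accumulates enough failures to be cut off, while an address that fails five times in a minute is shut out before it can continue guessing.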
So, a firewall is a POWERFUL BENEFIT TO ALL COMPUTERS.
