Security Choices, Part 1: The Software Firewall
This is the first in a series of introductory articles intended for less-experienced users who wish to learn more about the security product options available to them today. Others may also find these articles interesting as a concise summary, update and review of what is frequently a disparate collection of information. The goal of the series is to provide a balanced overview of currently-available categories of security solution, citing their main uses and capabilities as well as their limitations and drawbacks.
This first article focuses on software firewalls which, along with anti-virus software, are considered an essential part of computer security. We’ll be looking at anti-virus in the next article.
The Software Firewall
The firewall’s main task is to prevent malicious or unwanted connections between your computer and the network (usually the internet). Firewalls act like entrance guards – allowing authorized people (network traffic) in and out, blocking less well-intentioned individuals (malicious or unauthorized connections) from entering or leaving, as determined by the boss (the PC user), and awaiting further instructions whenever they detect unknown activity (visitors with unknown IDs).
The firewall is considered a primary security element because it helps block unknown threats by denying them network access. Firewalls are proactive in their approach – they stop unknown connections, ask the user how these connection requests should be treated, and grant access only to those connections defined by the user as trusted. By blocking network access, firewalls block malware’s main propagation route – the Internet. Most of today’s threats – Trojans, botnets, worms and other malware – use the Internet to spread themselves and transmit stolen personal data to unauthorized individuals or entities.
Firewalls can hide a computer’s presence on the Internet so hackers can’t locate and exploit vulnerable machines. Some advanced firewalls also incorporate a list of known attacks and intrusions, automatically preventing those from reaching the PC. Firewalls can also be used to control the exchange of data in internal networks (such as a home network or office LAN), making sure data is sent only to the designated recipient and preventing internal hacks and man-in-the-middle attacks.
Firewalls monitor and control traffic in both directions. Data received from the network is referred to as inbound, while data that is sent out is called outbound. Although the majority of today’s threats constitute breaches of outbound security, it’s imperative that both directions are monitored. Some of the more basic firewalls, including those supplied with Windows Vista and XP, don’t monitor outbound connections by default; they must be specifically configured to provide this protection.
Unlike typical anti-malware applications, firewalls are not signature-based, meaning they don’t need to identify a threat according to a known sample of that threat in order to block it. Instead, they ask the user whether a particular program should be allowed to connect to the network or not. This is the most difficult part of firewall operation for users because, understandably, most people are not equipped with the specialist knowledge needed to make this determination. They are not familiar with the specifics of networking or operating systems’ internal functions and cannot provide an informed answer to the firewall’s question.
So, to a certain extent, the firewall is only as secure as the user’s ability to answer these questions; if it turns out that the user responded incorrectly and inadvertently allowed access to a Trojan, the firewall was simply doing what it was told by granting access to this particular malicious program. In an attempt to alleviate this situation, the majority of firewalls now include a “white list” of known good applications and system services that are automatically granted network access without asking the user. To enhance the user’s understanding of individual activities and help in making the right decision when configuring new access permissions, some firewalls now incorporate a system of context-sensitive advice and live hints in this process.
In order to correctly handle network activity for the majority of internet-enabled applications not covered by the firewall’s existing white list, some sophisticated firewalls (including Outpost Firewall Pro and ZoneAlarm Pro) are supported by a continuously-updated online database of known-good and known-malicious programs that is regularly downloaded to users to minimize the number of questions they need to answer to keep their protection up to strength. But of course, no system is perfect, and not every software application will be included in any vendor’s list, so there will always be a few questions users need to answer for themselves.
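The decision process described in the last few paragraphs (a white list of known-good programs, a vendor list of known-malicious programs, a prompt to the user for anything unknown, and the effect of leaving outbound traffic unmonitored as the basic Windows XP/Vista firewall does by default) is modelled below as an added Python example. This is not code from the article or from any of the firewall products it names; the program names, list contents and remote addresses are constructed sample values.

```python
"""Toy per-application firewall decision engine (added example, not from the article)."""
from dataclasses import dataclass, field
from typing import Literal

Verdict = Literal["allow", "block", "ask"]
Direction = Literal["inbound", "outbound"]


@dataclass(frozen=True)
class Connection:
    program: str      # executable that is making or receiving the connection
    direction: Direction
    remote: str       # remote host (constructed documentation-range addresses below)
    port: int


@dataclass
class Firewall:
    allow_list: set[str] = field(default_factory=set)   # vendor white list: known-good programs
    block_list: set[str] = field(default_factory=set)   # vendor list: known-malicious programs
    user_rules: dict[str, Verdict] = field(default_factory=dict)  # answers the user has given
    monitor_outbound: bool = True   # False reproduces the "outbound not monitored" default
    log: list[str] = field(default_factory=list)

    def decide(self, conn: Connection) -> Verdict:
        """Return the verdict for one connection and record it in the log."""
        if conn.program in self.block_list:
            verdict: Verdict = "block"          # known-malicious: blocked in either direction
        elif conn.program in self.allow_list:
            verdict = "allow"                   # known-good: allowed without a prompt
        elif conn.program in self.user_rules:
            verdict = self.user_rules[conn.program]   # the user already answered for this program
        elif conn.direction == "outbound" and not self.monitor_outbound:
            verdict = "allow"                   # unmonitored outbound: silently let through
        else:
            verdict = "ask"                     # unknown program: the user has to decide
        self.log.append(f"{conn.direction} {conn.program} -> {conn.remote}:{conn.port} = {verdict}")
        return verdict

    def answer_prompt(self, program: str, allow: bool) -> None:
        """Store the user's answer so the same program is not asked about again."""
        self.user_rules[program] = "allow" if allow else "block"


# Constructed sample traffic: one white-listed program, one known-malicious
# program and one program that appears on neither list.
SAMPLE = [
    Connection("browser.exe", "outbound", "203.0.113.10", 443),
    Connection("evil_dropper.exe", "outbound", "198.51.100.7", 6667),
    Connection("newtool.exe", "outbound", "203.0.113.20", 80),
    Connection("newtool.exe", "inbound", "198.51.100.9", 31337),
]


def make_firewall(monitor_outbound: bool = True) -> Firewall:
    """Firewall loaded with constructed vendor lists."""
    return Firewall(
        allow_list={"browser.exe", "mail.exe"},
        block_list={"evil_dropper.exe"},
        monitor_outbound=monitor_outbound,
    )


def run(monitor_outbound: bool = True) -> list[Verdict]:
    """Verdicts for SAMPLE with outbound monitoring on (default) or off."""
    fw = make_firewall(monitor_outbound)
    return [fw.decide(c) for c in SAMPLE]


def run_after_user_answer(allow_newtool: bool) -> list[Verdict]:
    """Verdicts for SAMPLE after the user has answered the prompt for newtool.exe."""
    fw = make_firewall()
    fw.answer_prompt("newtool.exe", allow=allow_newtool)
    return [fw.decide(c) for c in SAMPLE]


if __name__ == "__main__":
    fw = make_firewall()
    for c in SAMPLE:
        fw.decide(c)
    print("\n".join(fw.log))
```

Note the third and fourth verdicts: with outbound monitoring switched off, an unknown program’s outbound connection is allowed without any prompt, which is exactly the gap the article warns about, while the same program’s inbound connection still triggers a prompt. Once the user answers a prompt, that answer becomes a persistent rule, so an incorrect “allow” for a Trojan is honoured on every later connection until the user changes it.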
As we can see, firewalls are rarely pure traffic filters any more. Many now include additional functionality such as Host Intrusion Prevention Systems (HIPS) to control local interactions and application activity, parental control features, safe surfing controls, advanced connection monitoring and logging systems, and other approaches that will be discussed in future articles.
What firewalls can do:
- Guard network and internet connections against malicious or unwanted content.
- Block known internal or external attacks and protect the integrity and privacy of intra-network data.
- Prevent malicious code from accessing the network and transmitting personal data to cyber criminals.
- Filter network data according to user-defined criteria.
- Hide the presence of a PC on the internet, protecting it against network probes and botnets looking for vulnerabilities.
What firewalls cannot do:
- Remove malware from a system that has already become infected.
- Provide automatic protection against unknown connection attempts; user input is required for these decisions.
Potential drawbacks of firewalls:
- Because a firewall demands exclusive control of the network stack, two firewalls cannot peacefully coexist on one system. Firewalls operate at a low level, communicating directly with the networking hardware, and only one such set of communications can take place at one time.
- Firewalls may slow data transfer speeds and use additional processor resources when monitoring large volumes of data being sent over high-speed connections.
- Most firewalls also include some additional, secondary functionality such as parental controls or website content filtering which may cause interoperability issues with other security software offering similar functionality.
While this has been a brief overview/refresher on what firewalls can and cannot do, it’s clear that the firewall is a must-have element in any computer security product portfolio. Our next article will address the strengths and weaknesses of anti-virus, but if you have any questions in the meantime, please don’t hesitate to contact us through the Security Teacher comments space and we’ll do our best to help.
Posted in Security Insight