Internet Security Tips and Advice

Security Choices, Part 1: The Software Firewall

January 16th, 2008 by Igor Pankov

Abstract

This is the first in a series of introductory articles intended for less-experienced users who wish to learn more about the security product options available to them today. Others may also find these articles interesting as a concise summary, update and review of what is frequently a disparate collection of information. The goal of the series is to provide a balanced overview of currently-available categories of security solution, citing their main uses and capabilities as well as their limitations and drawbacks.

This first article focuses on the software firewall which, along with anti-virus software, is considered an essential part of computer security. We’ll be looking at anti-virus in the next article.

The Software Firewall

The firewall’s main task is to prevent malicious or unwanted connections between your computer and the network (usually the internet). Firewalls act like entrance guards: they allow authorized people (legitimate network traffic) in and out, block less well-intentioned individuals (malicious or unauthorized connections) from entering or leaving, as determined by the boss (the PC user), and await further instructions whenever they detect unknown activity (visitors with unknown IDs).

The firewall is considered a primary security element because it helps block unknown threats by denying them network access. Firewalls are proactive in their approach – they stop unknown connections, ask the user how these connection requests should be treated, and grant access only to those connections defined by the user as trusted. By blocking network access, firewalls block malware’s main propagation route – the Internet. Most of today’s threats – Trojans, botnets, worms and other malware – use the Internet to spread themselves and transmit stolen personal data to unauthorized individuals or entities.

Firewalls can hide a computer’s presence on the Internet by silently dropping unsolicited probes instead of answering them (often called “stealth mode”), so that attackers scanning for vulnerable machines get no response at all. Some advanced firewalls also incorporate a list of known attacks and intrusions, automatically blocking those from reaching the PC. Firewalls can also be used to control the exchange of data in internal networks (such as a home network or office LAN), restricting which hosts and services may communicate with the PC, which reduces exposure to internal attacks and makes man-in-the-middle attacks on the LAN harder to carry out.

Firewalls monitor and control traffic in both directions. Data received from the network is referred to as inbound, while data that is sent out is called outbound. Although the majority of today’s threats involve malware already on the PC making outbound connections (to spread, or to send stolen data out), it is imperative that both directions are monitored. Some of the more basic firewalls do not filter outbound connections by default: the firewall supplied with Windows XP filters inbound traffic only, and the Windows Vista firewall allows all outbound traffic unless it is specifically configured to block it.

Unlike typical anti-malware applications, a firewall’s application control is not signature-based, meaning it doesn’t need a known sample of a threat in order to block it. Instead, it asks the user whether a particular program should be allowed to connect to the network or not. This is the most difficult part of firewall operation for users because, understandably, most people are not equipped with the specialist knowledge needed to make this determination. They are not familiar with the specifics of networking or the operating system’s internal functions and cannot give an informed answer to the firewall’s question.

So, to a certain extent, the firewall is only as secure as the user’s ability to answer these questions: if the user answers incorrectly and inadvertently allows a Trojan to connect, the firewall has simply done what it was told by granting access to that particular malicious program. In an attempt to alleviate this situation, the majority of firewalls now include a “white list” of known good applications and system services that are automatically granted network access without asking the user. To improve the user’s understanding of individual activities and help them make the right decision when configuring new access permissions, some firewalls now incorporate a system of context-sensitive advice and live hints into this process.

In order to correctly handle network activity for the majority of internet-enabled applications not covered by the firewall’s built-in white list, some sophisticated firewalls (including Outpost Firewall Pro and ZoneAlarm Pro) are backed by a continuously-updated online database of known-good and known-malicious programs that is regularly downloaded to users’ PCs, minimizing the number of questions users need to answer to keep their protection up to strength. But of course, no system is perfect, and not every software application will be included in any vendor’s list, so there will always be a few questions users need to answer for themselves.
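To make the decision sequence described above concrete, here is a small model of it in Python. It is an added illustration written for this page, not code from Outpost, ZoneAlarm, Windows Firewall or any other product, and the program names, addresses, ports and sample traffic are constructed for the example. It shows inbound and outbound connections evaluated against first-match rules, a vendor white list that never prompts, a prompt for an unknown program whose answer is remembered as a rule (including the case where the user wrongly allows a Trojan), replies to connections the PC itself opened being accepted, and a probe to a closed port being dropped without any reply.

```python
"""Toy model of a personal (host) firewall's decision logic.

Added illustration only; not code from Outpost, ZoneAlarm or Windows Firewall.
It models: default deny in both directions with first-match rules, a vendor
"white list" that never prompts, prompts for unknown programs whose answers are
remembered as rules, stateful acceptance of replies to connections the host
opened, and silent dropping of unsolicited probes to closed ports ("stealth").
Program names, addresses, ports and the sample traffic are all constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

OUT, IN = "out", "in"
ALLOW, DENY, DROP = "allow", "deny", "drop"   # DROP: deny and send no reply at all

@dataclass(frozen=True)
class Conn:
    direction: str      # OUT or IN
    program: str        # program opening (OUT) or listening for (IN) the connection; "" if none listens
    proto: str          # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    local_port: int

@dataclass
class Rule:
    direction: str
    program: Optional[str] = None       # None matches any program
    proto: Optional[str] = None
    remote_port: Optional[int] = None
    action: str = DENY

    def matches(self, c: Conn) -> bool:
        return (self.direction == c.direction
                and self.program in (None, c.program)
                and self.proto in (None, c.proto)
                and self.remote_port in (None, c.remote_port))

class HostFirewall:
    def __init__(self, rules: List[Rule], whitelist, prompt: Callable[[Conn], str]):
        self.rules = list(rules)          # vendor and user rules, first match wins
        self.whitelist = set(whitelist)   # vendor's known-good programs
        self.prompt = prompt              # asks the "boss" (the user); returns ALLOW or DENY
        self.sessions = set()             # (proto, remote_ip, remote_port, local_port) opened by this host

    def decide(self, c: Conn) -> str:
        key = (c.proto, c.remote_ip, c.remote_port, c.local_port)
        # 1. Replies to a session this host initiated are let back in (stateful inspection).
        if c.direction == IN and key in self.sessions:
            return ALLOW
        # 2. Explicit rules, first match wins.
        for r in self.rules:
            if r.matches(c):
                return self._apply(c, key, r.action)
        # 3. Outbound from a whitelisted program is allowed without a question.
        if c.direction == OUT and c.program in self.whitelist:
            return self._apply(c, key, ALLOW)
        # 4. Unsolicited inbound traffic with no listener: drop silently (no RST or ICMP
        #    reply), so a port scanner cannot even tell whether the host exists.
        if c.direction == IN and c.program == "":
            return DROP
        # 5. Unknown activity: ask the user and remember the answer as a rule for that program.
        answer = self.prompt(c)
        self.rules.append(Rule(c.direction, program=c.program, action=answer))
        return self._apply(c, key, answer)

    def _apply(self, c: Conn, key, action: str) -> str:
        if action == ALLOW and c.direction == OUT:
            self.sessions.add(key)        # remember it so the reply can come back in
        return action

def run_demo(user_answers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Replay constructed traffic. user_answers maps program name -> answer to its prompt
    (a user who does not know answers DENY). Returns (decision per label, programs prompted for)."""
    prompted: List[str] = []

    def prompt(c: Conn) -> str:
        prompted.append(c.program)
        return user_answers.get(c.program, DENY)

    fw = HostFirewall(
        rules=[Rule(OUT, program="evil.exe", action=DENY)],   # entry from a vendor known-bad database
        whitelist={"browser.exe", "mail.exe"},
        prompt=prompt,
    )
    traffic = [  # constructed sample traffic
        ("browser to https site", Conn(OUT, "browser.exe", "tcp", "203.0.113.10", 443, 50001)),
        ("https reply", Conn(IN, "browser.exe", "tcp", "203.0.113.10", 443, 50001)),
        ("scan of closed port 445", Conn(IN, "", "tcp", "198.51.100.7", 40000, 445)),
        ("known-bad program", Conn(OUT, "evil.exe", "tcp", "198.51.100.7", 6667, 50002)),
        ("unknown updater, 1st time", Conn(OUT, "updater.exe", "tcp", "203.0.113.20", 80, 50003)),
        ("unknown updater, 2nd time", Conn(OUT, "updater.exe", "tcp", "203.0.113.20", 80, 50004)),
        ("trojan phoning home", Conn(OUT, "invoice.pdf.exe", "tcp", "198.51.100.9", 443, 50005)),
    ]
    decisions = {label: fw.decide(c) for label, c in traffic}
    return decisions, prompted

if __name__ == "__main__":
    for label, d in run_demo({"updater.exe": ALLOW, "invoice.pdf.exe": ALLOW})[0].items():
        print(f"{label:28} -> {d}")
```

Running it with the Trojan allowed shows the point made above: the firewall records the answer and lets invoice.pdf.exe out every time afterwards without asking again, and nothing but the user’s decision stood between that program and the network. The updater is asked about once and never again, which is exactly why a careless first answer matters.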

As we can see, firewalls are rarely just traffic filters any more. Many now include additional functionality such as Host Intrusion Prevention Systems (HIPS) to control local interactions and application activity, parental control features, safe surfing controls, advanced connection monitoring and logging, and other approaches that will be discussed in future articles.

Summary

What firewalls can do:

  • Guard network and internet connections against malicious or unwanted content.
  • Block known internal or external attacks and protect the integrity and privacy of intra-network data.
  • Prevent malicious code from accessing the network and transmitting personal data to cyber criminals.
  • Filter network data according to user-defined criteria.
  • Hide the presence of a PC on the internet, protecting it against network probes and botnets looking for vulnerabilities.

What firewalls cannot do:

  • Remove malware from a system that has already become infected.
  • Provide automatic protection against unknown connection attempts; user input is required for these decisions.

Potential drawbacks of firewalls:

  • Software firewalls are mutually exclusive: two should not be run on one system at the same time. Each installs its own low-level filtering driver into the network stack, and two such drivers intercepting the same traffic typically produce conflicts, duplicated prompts and instability rather than double protection.
  • Firewalls may slow data transfer speeds and use additional processor resources when monitoring large volumes of data being sent over high-speed connections.
  • Most firewalls also include some additional, secondary functionality such as parental controls or website content filtering which may cause interoperability issues with other security software offering similar functionality.

Conclusion

While this has been a brief overview/refresher on what firewalls can and cannot do, it’s clear that the firewall is a must-have element in any computer security product portfolio. Our next article will address the strengths and weaknesses of anti-virus, but if you have any questions in the meantime, please don’t hesitate to contact us through the Security Teacher comments space and we’ll do our best to help.

Posted in Security Insight

16 Responses

  1. Doug Woodall

    Great article, so many users have no idea how to properly configure their firewall.

  2. blarkin

    Already invaluable! I did not know that only one firewall at a time can exist on a system (PCV). Thank you!!!
    Blarkin

  3. pop

    ok but a bit basic

  4. Steve

    Nice post, made basic for the new user to read. Will forward to parents and some friends to have a read of it :)
    Personally running Agnitum (which links to this site in its news article) and it turns off the fairly useless Windows firewall by default.
    Likewise, do not run 2 anti-virus systems, as it will not make you more secure but will cause conflicts and might create gaps.

  5. Pavel Goryakin

    Thank you, guys! We appreciate your interest in our content!

  6. bobby

    Please introduce an option to disable News in Outpost Firewall Version 2008! That’s how I got to this article. Very annoying. It really makes Agnitum look bad and contradictory to bombard us with ads and spam in a product designed to fight these same annoyances.

    Come on Agnitum, you are better than this.

  7. Bob

    Good article, as Doug said. (Bobby should look for the big checkbox.) How about making the next one a bit deeper, maybe color-coding the basic and more detailed parts.

  8. bobby

    Bob,

    There is no way to disable News in Outpost Version 2008. In previous versions yes. In Version 2008 no.

    You must be using an older version. I really do not care to be bombarded with adware and spam by a program designed to fight these same annoyances. It is a bit ironic and contradictory and makes Agnitum look bad. I cannot believe the programmers have not fixed this bug.

  9. Mihai

    Very nice article !

    Still, please take into consideration the following: this kind of article is more suitable in the help area or something like this, where you will find it as a definition. If I were you, I would post only news regarding your product: new modules, tests made by others, reviews, rewards, things like this that would make me happy for choosing your product. I don’t need the basics of the firewall because I have it and I know why.

    Thank you,
    Mihai

  10. Mihai

    An important article would be: root-kits, spyware, adware, but I already saw there were…great job!

  11. Igor Pankov

    Thanks guys for your opinions, I will try to take all your suggestions into consideration. Please write as much as you want to, criticize my articles and add important information and details you believe are important. This place is for discussion!

    Igor Pankov
    Security Teacher/Security Insight Author

  12. Maurice

    Great article! Don’t listen to all those people who offer comments such as “too basic”, “already know this”. Some of us do not have the luck or ability to be nerds and know everything about computers!
    Keep up the good work!

  13. Stanley Smart

    I saw your article. I think it is great. I have been around computers for about 4 years and am really interested in how a firewall works and how to use it. I am very interested in security and have been reading a great deal about it. I am a sort of security fanatic. So, being that, I fully appreciate your article.

    In some of the threads I have read here I found that some persons did not realise that there are people who are just beginners, some with limited knowledge, some who really know and some who are just dumb to security. Apparently they just don’t care about the other person.

    I see what you are attempting and it’s great. Thank you for the newsletter; I will subscribe. I am pretty savvy as a user and I love the security aspect.

    Standeb.

  14. Duvel

    Good article,

    I would like to see something added like the Traffic LED plugin from OP 4.
    ZoneAlarm / Kerio / Online Armour have something like it implemented,
    so we can see what traffic is going out and coming in.

  15. Doodee

    Thanks for sharing

  16. Gymnprionry

    I’d prefer reading in my native language, because my knowledge of your language is not so good. But it was interesting! Look for some of my links: