Network firewalls are often regarded as mystical devices the configuration and management of which require the aid of a Cisco engineer to run and a cracker with an endless time budget of time to penetrate. Okay, that can be a fair generalization but it's hardly the definition of a firewall and it's certainly a long way from representing what a firewall is.
In the wilds of the Internet and the computer marketplace, the term has also been sorely abused. At this point, many of the devices on the market which bear the tag 'firewall' have multiple roles as IP Gateways, routers (yes, a router and a gateway are not the same thing), NATs (Network Address Translators), PATs (Port Address Translators) and firewalls.
The confusion doesn't stop there, either. Ask your local Fire Marshall or an auto mechanic and you'll get two more answers that are historically more correct…and the answers will have nothing at all to do with Internet hardware!
To understand what a firewall is, there are a couple minor, complex and important details to know about TCP/IP which will help make the firewall's role more easily understood.
IP addresses are probably something you are familiar with already. Each machine in a TCP/IP based network gets its own IP address and no other machine on the network may have the same address. These addresses are commonly referred to as 32 bit addresses but they really aren't. They are really 4 octets, or 8 bit values, a single byte, arranged with a period placed between each byte. Each octet is often represented as a decimal value between 0 and 255. That decimal representation is for human convenience since the computer literally treats these values as raw binary data (0's and 1's).
This is where we start to trip into unfamiliar territory. Each IP Address your system holds has another series of numbers associated with it. These are ports. Ports are numbered from a 16 bit pool (decimal 0 to 65535) and are important to you but you've likely never noticed them. Later, I'll give a couple basic examples of what ports are and why they are important.
If you're thinking I'm going to describe FTP, SMTP or other session protocols here, you're jumping ahead of the game a little. We'll get to them. Actually, there are a wide variety of IP protocols but the two we're particularly concerned with are TCP and UDP. Undoubtedly, you're use to thinking of TCP/IP as one thing with no real variation. Well, maybe I shouldn't be so cavalier with my doubts but most of the documentation by which people learn IP is very sad when it comes to this distinction.
The fact is that the base IP protocol is IP itself. IP, of course, stands for Internet Protocol. By itself, IP is not terribly useful. To make it usable, IP wraps two other protocols by default; TCP and UDP.
TCP, or Transmission Control Protocol, is a connection oriented protocol. That means the protocol itself creates connections between different computers and is also responsible for validating the integrity of the data passed between two systems. And when you say TCP/IP, this is really the protocol arrangement you're referring to, TCP over IP.
UDP is actually much more complicated and, as such, is usually a royal pain for firewall administrators because it is designed to be the more dynamic rule set (protocol). UDP, or User Datagram Protocol, is not connection oriented. It's connectionless. With UDP, data integrity is left completely to the applications using UDP. Quite often, applications using UDP don't even listen on the network until they receive a signal from a remote host that some data is on the way in. The receiving computer then opens a collection of ports (don't worry, we'll explain them in a minute).
FTP, SMTP, HTTP...what do they all have in common? They are session protocols. What's being described here is how a set of applications and servers exchange commands and responses in a predictable way. The commands and responses they use constitute the bulk of what a session protocol is. A basic firewall is not concerned with session protocols at all. When a firewall product is concerned with these, that firewall has been mixed with a NAT, a Proxy server, a Content Filtering system or an Intrusion Detection System. As noted earlier, it's unusual to see a firewall that is strictly a firewall anymore!
All these protocols, all these IP addresses, all these ports; what's a firewall to do?
So far, we've organized and clarified what you know, didn't know and had been
misinformed about. An Internet data exchange is based on the building of packets
formatted for the application, connection type, IP protocol in use and a destination
port! In fact, all a firewall is really interested in is controlling access
to the huge collection of ports on the systems it protects. We're still not
clear on ports, are we?
Let's build a test case and see what this port business is all about.
Many of you have your own web site and it's probably hosted at some hosting provider which also offers services like email to and from your domain. Amongst the other things this hosting provider offers is FTP to upload your site's files which will be served out to visitors of your website. So did you ever wonder how it is that you can FTP to www.yourwebsite.com and see what's there as a collection of files but if you use a browser and point it to www.yourwebsite.com, you only get one of those files at a time...and you're seeing the file's contents, not the file itself?
It's because of ports...more specifically, it's because of the service or daemon listening to particular ports on your web server. Remember, each IP address has associated with it some 65536 ports. Only one service or daemon can listen to any one of these ports at a time. When someone uses a web browser to visit your site, they run a session protocol called HTTP and the standard port for an HTTP server to listen to is port 80. When you connect to your site to upload files with your favorite FTP program, another process is listening on the server at port 21. With this kind of solution, a single IP address can offer a wide variety of services running on different ports and accommodate many different types of data request from remote hosts.
For a complete list of standardized port assignments, visit www.iana.org, the Internet Assigned Numbers Authority. At their site, you'll find a listing of TCP and UDP port assignments, the difference between well-known services and assigned services and the range of dynamically assigned port numbers. For instance, suppose you're looking to see what port 3389 is assigned to. You'll discover that the reference for both TCP and UDP at that port number is something called MS WBT Server. You might be tempted to believe this is some sort of super secret Microsoft Web Based Training system but, no, it really stands for Microsoft Windows Based Terminal. A more familiar name for MS WBT is Terminal Services or Remote Assistance or, even, Remote Desktop Service.
So now you might be asking yourself about the other 65534 ports a system has. Are there daemons listening for requests on all those? Well, not all of them, but there are quite a few running by default. And many of those ports and their services make way too much of the system available to anonymous Internet abusers. Would you like to see all the active ports on your computer?
Click Start, then Run and type CMD. Press Enter. In the new Console Window, type:
Press enter. You'll see a lot of output in a couple minutes so bear with it. Typical output might look like this:
TCP MyHost:3389 MyHost:0 LISTENING
Translated, it means the TCP protocol is listening on MyHost port 3389 and that there are currently no connections. If there were a connection, it might look like this:
TCP MyHost:3389 OtherHost:1089 CONNECTED
The host connected to the service at port 3389 on MyHost, using TCP, is connected using its own port 1089. Pretty simple, isn't it?
So how can you can control what parts of your computer those anonymous visitors can access?
Easy! A firewall is exclusively interested in ports and that's how you can control what remote users can work with on your computer!!
Wait a Minute! That's All a Firewall Does?
Yep, that's it. A firewall is a tool by which you can make some rules about what ports (and, correspondingly, what services) on your system may be accessed by remote networks. You can set all but a couple ports as blocked or denied to all external users, set others so that only certain remote hosts may attach to them and then set just a few that are open for everyone to use. That's how visitors to www.YourWebSite.com can get HTML pages from your website with ease. Yet those same visitors are unable to Map A Network Drive to your web server. The firewall in front of your web server blocks this kind of access (UDP on port 139).
Pretty sweet, eh?
Ahhh, So That's What a Firewall Is!
A basic firewall is the first line of defense for your Internet exposed computer. It allows remote traffic into your computer only if the Traffic Type (UDP or TCP) and port number for that service are allowed by you. A firewall is not worried about session protocols or even IP addresses (except as data to log if you've a firewall which logs visitors). Without any sort of firewall functions at work, all the ports on your computer that have services listening on them would be available to any visitor who asks.
Firewalls have changed over the years by being mixed in with Proxy servers, NATs, PAT, Content Filtering devices, Intrusion Detection Systems, etc. Still, a firewall itself is only a port access manager. Firewalls are actually a newer type of Internet tool. Consider that as recently as 1998, most businesses and data facilities connected to the Internet still had no firewall functions protecting their networks at all. Any visitor could visit any computer on any port within those privately owned networks and access whatever they found. Firewalls and the way they manage access to ports have become indispensable defense mechanisms for all Internet based networks.