The Bottom Line: A software firewall is a protection engine that runs on top of a node and is not integrated into the hardware peripherals that make up that node.
When a user or a company switches over from a dial-up 56K connection to a full-time broadband connection, they essentially paint a big red X on their behind and dare hackers to take pot shots, especially if that person or entity is running Windows NT or 2000. Much of the time, people hear about these firewall things and wonder about getting one, but then you move into how you set these things up and how you work with one. Will it affect my connection? Do I have to have another computer to run it? And many more questions too numerous to count. One of the least expensive solutions is to get a software-based firewall, which will be explained during the course of this epinion.

If you want the dictionary definition, a software firewall (according to whatis.com) is "a set of related programs that protects the resources of a private network from users from other networks." In essence, a firewall is an elastic wall with special holes punched in it so you can send traffic back and forth, but unrequested and/or unwarranted traffic cannot get back to you. There are two major kinds of firewalls: hardware firewalls and software firewalls. A hardware firewall is a router of varying size and complexity that runs as a gateway server and checks packets and datagrams to ensure that there is no harmful content. A hardware firewall is explained in more depth in my article of this ilk in the category "What is a Hardware Firewall". A software firewall is a set or suite of related programs and algorithms that operates on your computer, on a proxy, or on an intelligent node to protect and defend a network along the same lines as a hardware firewall, albeit at a lower speed and in a different operating capacity.

In order to explain a software firewall, I need to explain some background network basics. In creating and building any sort of solution for networks or network connectivity, companies use a reference model called the Open Systems Interconnection model, or OSI model.
This model breaks down all of the functions that might have to be performed on a network into a seven-layered pyramid, with each layer using the services provided by the layer under it. On the first layer, we see physical connectivity, which means wires, repeaters, hubs, and patch panels/connectors (the physical layer operates in binary code). The second layer is the data link layer, which uses the physical layer's transmission services to get data back and forth. The data link layer is responsible for the low-level transmission and receipt of data and also for low-level addressing. The data link layer is centered around the media access control address (MAC address), which is stored in ROM on the NIC and uniquely identifies each physical computer. The data link layer receives frames from the physical layer, checks whether the MAC address is its own or needs something done with it, and forwards the frame up the line to the next layer. The third layer of the OSI model is the network layer, which deals with IP addressing and is responsible for packet direction and for providing connectionless, send-and-forget packet transmission. In addition, the network layer is also responsible for making sure that IP packets are routed where they need to go. This is where routers and "intelligent switches" work. Even some hardware firewalls remain on this level. The fourth layer is the transport layer, which accepts the packets that are being received/transmitted and converts them to or from datagrams depending on traffic direction. The transport layer is responsible for connection-based traffic, including the functions of acknowledgement, pauses, data flow control, etc. In addition, the fourth layer of the OSI model is where the Transmission Control Protocol (TCP) operates. Layers five, six, and seven are unimportant here because they deal with higher-level connection actions, actual code formatting, and final display to the user.
The only thing to be said about these layers concerning software firewalls is that, as opposed to a hardware firewall, software firewalls waste processor time and system resources in order to display an often comprehensive GUI to the user on the console monitor.

Why did I go through all of that? So you can understand where and how firewalls operate. Firewalls begin on the application layer and then extend their functions onto the 3rd and 4th layers in particular, that is, the network and transport layers. It is at those layers that the packets being sent to the node the firewall is operating on are actually coherently analyzed. On layer 3, the network layer, the IP header is extracted and matched either against the node's IP address (to determine if the packet is destined for that node), or against a list of IPs that the node (should it be a router or 'intelligent switch') connects to. On layer four, connection handling occurs, particularly for some important traffic porting. While you cannot pigeonhole the TCP/IP protocol stack to any particular layer of the OSI reference model, the concept still works. A software firewall is charged with analysis and protection of the node, and of the nodes behind the firewall, on the network and transport layers.

A software firewall uses one or more specific sets of instructions, called algorithms, that are run on each set of packets received by the node in question. This collection of algorithms is called the firewall engine, which is the collective "active" part of the program that does the actual protection of your computer. The firewall, in essence, receives a packet and looks first to see if the IP or port the packet is going to, or came from, has been expressly denied for incoming traffic. If so, the packet is dropped and passed no further on the node. If not, it checks to see if the IP/port has been expressly trusted or allowed.
If so, the packet passes through the engine unmolested, or with only minimal checks, and it is up to the operating system or another program to deal with that packet set. If the packet(s) have not been expressly denied or allowed, they are then compared to a ruleset which specifies what traffic is and isn't allowed, and packet sets are also checked against known hacking traffic signatures. For example, if the engine detects that the packets are on port 25 (SMTP), it will see if that port has been specifically denied or rejected. Then it will see if there are direction instructions. If the traffic may pass, it is compared against attack signatures and then released if clean.

This may sound like a fool-proof plan, but make no mistake: ignoring the risks and the planning required to put a firewall solution in place can be a fatal mistake. No firewall is 100% secure and, depending on the available resources, the speed of the computer, and the other services the computer is running, a software firewall may not have the available clock cycles and bus time to process all of the packets, particularly on a high-volume network, which can prove problematic for some. In addition, software firewalls are not as highly configurable as some hardware firewalls. Hardware firewalls, especially in the case of Cisco router firewalls, allow for advanced configuration component by component. The flip side of this is that a software firewall is so much easier to install and configure, and does not require a network technician or security expert to secure your computer to a reasonable level. Software firewalls also carry a huge cost benefit. Whereas hardware firewalls can cost far upwards of several hundred dollars, you can get the ZoneAlarm software firewall free of charge and some of the popular commercial products for $40-$70.

Essentially, a software firewall is one in which the protection engine is a software program that does not require specific hardware peripherals to run.
It protects the computer or node by running in an operating system and unfortunately uses up a quantity of resources depending on your traffic levels. It is by no means a perfect solution, but it is a low-cost, comparatively easy to implement security block for users who can set it up properly.
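As an added illustration (not part of the original epinion and not any vendor's engine), here is a toy Python packet filter that applies the evaluation order described above: explicit deny first, then explicit allow, then the ruleset for the destination port (port 25/SMTP among them), then attack signatures before release. The networks, ports and the single signature pattern are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """One inbound packet, reduced to the fields the engine looks at."""
    src_ip: str
    dst_port: int
    payload: bytes = b""


# Constructed policy tables (a real product fills these from its GUI/config).
# A rule is (source network, destination port); port None matches any port.
DENY_LIST = [("203.0.113.0/24", None),   # a source range the owner has blocked outright
             ("0.0.0.0/0", 23)]          # Telnet never accepted inbound from anywhere
ALLOW_LIST = [("192.168.1.0/24", None)]  # trusted LAN: pass with only minimal checks
RULESET = {25, 80, 443}                  # ports the ruleset permits inbound otherwise
# Stand-in for a signature database; the pattern itself is a constructed placeholder.
SIGNATURES = {b"CONSTRUCTED-ATTACK-PATTERN": "demo-signature"}


def _matches(rule, pkt):
    net, port = rule
    return ip_address(pkt.src_ip) in ip_network(net) and (port is None or port == pkt.dst_port)


def evaluate(pkt):
    """Return (verdict, reason) for one inbound packet, in the order the text gives."""
    # 1. Explicit deny is checked first; a hit drops the packet and it goes no further.
    for rule in DENY_LIST:
        if _matches(rule, pkt):
            return "DROP", f"explicit deny {rule}"
    # 2. Explicit allow/trust: the engine passes it and the OS or application takes over.
    for rule in ALLOW_LIST:
        if _matches(rule, pkt):
            return "PASS", f"explicit allow {rule}"
    # 3. Neither listed: consult the ruleset for the destination port (e.g. 25/SMTP).
    if pkt.dst_port not in RULESET:
        return "DROP", f"port {pkt.dst_port} not permitted by ruleset"
    # 4. Permitted by the ruleset: compare against attack signatures, then release if clean.
    for pattern, name in SIGNATURES.items():
        if pattern in pkt.payload:
            return "DROP", f"signature match: {name}"
    return "PASS", f"port {pkt.dst_port} permitted, no signature match"


if __name__ == "__main__":
    for p in (Packet("203.0.113.5", 80), Packet("192.168.1.20", 23),
              Packet("192.168.1.20", 9999), Packet("198.51.100.7", 25, b"HELO mail.example"),
              Packet("198.51.100.7", 25, b"CONSTRUCTED-ATTACK-PATTERN")):
        print(p.src_ip, p.dst_port, *evaluate(p))
```

Note that the trusted-LAN packet to port 23 is still dropped: an explicit deny is consulted before the allow list, which is why the ordering of these checks matters as much as their contents.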