By George Ou
Posted on ZDNet News: Jul 25, 2002 12:00:00 AM

I would like to clarify some of the points in David Berlind's "Do your systems need ZoneAlarm?" and offer a network engineer's perspective. The topics I want to cover are: basic definition of a firewall; personal firewalls; the "more convenience or more security" debate; and my recommendations for a reasonable implementation of personal firewalls.

Basic definition of a firewall
A firewall is a device that protects you from a possibly hostile network by monitoring and restricting TCP/IP communications based on the policies that you set. The device is traditionally dedicated hardware used by big corporations. However, software-based personal firewalls that run on a personal computer are rapidly becoming popular--even for home users. Firewalls basically work by analyzing three factors and comparing them against your firewall policy. The three factors are: source IP address, destination IP address, and service port (UDP or TCP port 1 through 65,535).

On simple firewalls or firewall implementations, policies typically are static; but on more advanced firewalls or implementations, the policy can be dynamically manipulated by user interaction.

One must keep in mind that firewalls are bidirectional and the policies that dictate access vary depending on the direction and source of the traffic initiated. In general, traffic initiated from within the firewall (outbound traffic) is considered more trustworthy and therefore treated more liberally. This is based on the assumption that your own computers on your own network are "clean." (They had better be clean, because no firewall can help you if they are not.) Traffic initiated from the outside (inbound traffic from the public Internet) is considered untrustworthy and therefore is generally blocked by default. The only exception to this rule would be the case of a public Web server, where you must permit port-80 traffic from any source IP to the designated Web server--or else it wouldn't be a public Web server.

On a side note, hardware firewalls typically also act as NAT devices that allow you to share your Internet access with a large group of people. Companies normally don't have enough public IP addresses to go around for the entire company, so NAT bridges the gap between a small pool of public IPs and a large pool of private IPs. In addition, the use of private IP addresses is protection in itself, because private IPs are not directly addressable from the public Internet.

Personal firewalls
The exponential increase in Internet users has been accompanied by an exponential increase in hackers, worms, and viruses. This has inspired the proliferation of personal firewalls--both in hardware and software solutions. In general, the hardware solution protects your personal network and the software solution protects your personal computer. This is an important distinction because they are different beasts for different situations.

A more secure breed of software firewalls, and some hardware firewalls working in conjunction with software, can have dynamic policies that change depending on user interaction. ZoneAlarm is such a beast. When the firewall detects outbound traffic (legitimate or not), it will prompt the user to ask whether to allow such traffic. This can become very annoying and even problematic. Your typical computer user is lucky if he or she can operate the darn computer or Internet in the first place, let alone act as some sort of firewall administrator. But like all other endeavors, more security equals less convenience.

In more basic firewalls or firewall implementations, firewall policies pertaining to outbound traffic are static and do not change and therefore do not annoy you every time you try to use a different service. Many of these basic firewalls or firewall implementations cannot or will not restrict outbound traffic.
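To make the three-factor policy check and the direction-dependent defaults concrete, here is a small policy evaluator added for this page (it is not code from the article or from any of the products named). It assumes a constructed network, 192.168.1.0/24 as the inside, with 192.168.1.10 as the designated public Web server; passing an `ask` callback turns the static "allow all outbound" default into the dynamic, prompt-and-remember behaviour described above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    port: int     # service port, 1-65535 (TCP or UDP)

@dataclass(frozen=True)
class Rule:
    direction: str       # "inbound" or "outbound"
    src: str             # host or CIDR; "any" matches everything
    dst: str
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"

    def matches(self, pkt: Packet, direction: str) -> bool:
        if self.direction != direction:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ip_address(have) not in ip_network(want):
                return False
        return self.port is None or self.port == pkt.port

class Firewall:
    """Inbound: denied unless a rule allows it. Outbound: allowed (static) or decided by a prompt (dynamic)."""
    def __init__(self, inside: str, rules, ask: Optional[Callable[[Packet], bool]] = None):
        self.inside, self.rules, self.ask, self.learned = ip_network(inside), rules, ask, {}

    def direction(self, pkt: Packet) -> str:
        return "outbound" if ip_address(pkt.src) in self.inside else "inbound"

    def check(self, pkt: Packet) -> str:
        d = self.direction(pkt)
        for r in self.rules:               # first matching explicit rule wins
            if r.matches(pkt, d):
                return r.action
        if d == "inbound" or self.ask is None:
            return "deny" if d == "inbound" else "allow"
        key = (pkt.dst, pkt.port)          # dynamic policy: remember the user's answer
        if key not in self.learned:
            self.learned[key] = "allow" if self.ask(pkt) else "deny"
        return self.learned[key]

# Constructed sample: 192.168.1.0/24 is "inside"; 192.168.1.10 is the public Web server.
RULES = [Rule("inbound", "any", "192.168.1.10", 80, "allow")]
def build(ask=None) -> Firewall:
    return Firewall("192.168.1.0/24", RULES, ask)
```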

ZoneAlarm or Tiny Personal Firewall are good examples of personal software firewalls with more secure dynamic outbound policies. Both also offer free versions with fewer features. Windows XP ICF (Internet Connection Firewall) is a good example of a basic software firewall that protects you against all inbound traffic but has zero restrictions for outbound traffic. Linksys, Netgear, Belkin, and DLink are makers of personal hardware firewalls that protect your personal network. By default, all of these hardware firewalls restrict only inbound traffic and allow all outbound traffic. Some of the newer ones can work in conjunction with software products like ZoneAlarm or PC-Cillin to restrict outbound traffic.

As I mentioned earlier, the only security reason for restricting outbound traffic would be if you do not trust your own computer or the computers on your own network because they were compromised by a virus, worm, or hacker in some way. Preventing internal compromise should always be a top priority. Use of a basic firewall is the preferred solution not only because of the ease of use and convenience for the end user, but also because of the ease of large-scale implementation. Most or all of the difficult actions required are taken by a trained system administrator whose primary job function is security. Relying on end user action almost always ends in failure. Anyone in IT long enough will tell you that.

On a side note, a new breed of firewalls, or firmware-upgraded firewalls, using UPnP has arrived to address the convenience and user-friendliness issue even further. Anyone who has ever tried to use voice chat while behind a firewall knows the meaning of frustration. With UPnP and its NAT traversal protocol, you don't need to be a network security engineer to be able to use voice chat on your instant messaging application. UPnP-aware applications (like Windows XP Messenger) will dynamically open up those pesky dynamic UDP ports on your firewall. Windows XP ICS (Internet Connection Sharing) is one of the first UPnP firewalls. Linksys, Netgear, Belkin and other personal hardware firewall makers recently released their new UPnP firewalls. You can sometimes even download firmware updates for your existing firewall.

Steve Gibson of Gibson Research would probably have a cow reading the above two paragraphs because he is one of the world's biggest experts on firewall security. Gibson, for whom I have the utmost respect, produces some of the coolest software applications and utilities in Assembler. Not your typical end user, he regards UPnP as the devil himself. However, UPnP (when patched) is an extremely useful feature, too important to be ignored. If all of my end users were 1/1000th as computer savvy as Gibson, then I would probably go with the more secure and restrictive firewall. I am trying to look at the big picture in security; there is more than one way to attack the security issue, because one must take into account the end user who panics when the Numlock on their laptop keyboard is engaged. It is simply an issue of whether or not you trust your own computer. You know by now my recommendations on how to assure that trust. After following those recommendations, you can proceed to the following.

Recommendations for a reasonable implementation of personal firewalls
Please note that these are only recommended if my other security recommendations are heeded.

This recommendation is intended for IT organizations. End users should not implement any software or utility on their business machines without their IT organization's knowledge; doing so could cause problems.

  • Broadband users must use one of the hardware firewalls mentioned above.
  • Dynamic outbound policy restrictions are not required or recommended, due to ease-of-use issues.
  • Static outbound policies may be a good idea for more extreme protection, but common services like HTTP and FTP cannot be statically blocked.
  • Any user that connects via modem to the Internet must have a software firewall implemented.
  • Windows XP users can use the built-in ICF feature of Windows XP.
  • Pre-XP users can use the free versions of ZoneAlarm or Tiny Personal Firewall.
  • Wireless LAN users should be running at least a basic firewall on the wireless interface (even if WEP is used, as WEP can be broken in about an hour).

George C. Ou
Sr. Network & Information Systems Architect
