SmallNetBuilder - Small Network Help

  
Hardware Router Need To Know 2006
Tim Higgins   
May 15, 2006

What is a Firewall, anyway?

As I said earlier, the term "firewall" is thrown around a lot in router marketing literature and is intended to give you a warm, comfy feeling that if you just use one, then you'll be protected from whatever evils exist on the big, bad Internet. But, of course, real life is a bit more complicated.

All consumer grade routers use Network Address Translation. This is the technology that lets you have multiple computers on your LAN (which each have their own IP address) communicate with the Internet through the single IP address that your Internet Service Provider / Broadband Service Provider (ISP / BSP) assigns to you.

NAT also enforces a simple security policy that lets any device on its LAN (Local Area Network) side freely communicate with devices on its WAN (Wide Area Network) / Internet side, as long as the LAN-connected device initiates the communication request. The NAT security policy also blocks any devices on the Internet from communicating with any devices on the LAN, if the LAN device did not request the communication. These two policies together make up the router firewall function.

So why isn't this firewall all that you need to keep you safe from the Internet's harms? Let's look at the simplest way around the firewall: email. Since retrieving email meets the firewall criterion of a request initiated by a LAN device (i.e., you press the "Get Mail" icon in your email program), anything harmful, whether embedded in the email itself or in an attachment, comes right on through. Once the harmful code is safely past the firewall, unless you have taken other precautions, it is free to do whatever it was designed to do. The prevalence of email-borne nasties is one of the reasons why most anti-virus programs now have built-in email scanners that check mail as it is being received and sent.
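The NAT policy and the email case described above can be seen in a small model of a router's translation table. This is an added example, not code from the original article or from any router firmware. The class and function names, the addresses (documentation ranges), the payloads, and the choice to match replies on the remote address and port are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""

@dataclass
class NatRouter:  # hypothetical model of a consumer NAT router
    wan_ip: str
    next_port: int = 40000
    # WAN port -> (lan_ip, lan_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)

    def outbound(self, pkt):
        """LAN -> WAN: always allowed; record a mapping, rewrite the source."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for wan_port, entry in self.table.items():
            if entry == flow:  # reuse the mapping of an existing flow
                break
        else:
            wan_port, self.next_port = self.next_port, self.next_port + 1
            self.table[wan_port] = flow
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """WAN -> LAN: forwarded only if it answers a LAN-initiated flow."""
        entry = self.table.get(pkt.dst_port)
        if entry is None or entry[2:] != (pkt.src_ip, pkt.src_port):
            return None  # unsolicited: dropped
        # Only addresses and ports were checked; the payload is never examined.
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1], pkt.payload)

def demo():
    """Constructed traffic: a mail fetch, its reply, and two unsolicited packets."""
    router = NatRouter(wan_ip="203.0.113.10")
    fetch = Packet("192.168.1.20", 51000, "198.51.100.25", 110, b"RETR 1")
    sent = router.outbound(fetch)
    reply = Packet("198.51.100.25", 110, sent.src_ip, sent.src_port,
                   b"attachment: invoice.exe")  # stand-in for harmful content
    probe = Packet("198.51.100.99", 4444, router.wan_ip, 3389, b"hello")
    wrong_host = Packet("198.51.100.99", 110, sent.src_ip, sent.src_port, b"x")
    return router.inbound(reply), router.inbound(probe), router.inbound(wrong_host)
```

The reply to the mail fetch reaches the LAN host with its payload untouched, while both unsolicited packets are dropped. That is the whole policy: it decides on who started the conversation, not on what is being said.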

But email isn't the only way that harmful programs can get past a firewall. Websites are now full of all sorts of executable code, such as ActiveX controls, Java applets, JavaScript, Flash animation, etc., that are downloaded as part of fetching a requested web page. Once again, your router's firewall isn't going to stop any of it, since, after all, you did click on a link or enter a URL to download that page, didn't you?

So it should be clear by now that your router's NAT firewall isn't going to be enough to keep all of the Internet's bad stuff off of your LAN. So how about the Stateful Packet Inspection (SPI) that your router's firewall is supposed to have? That sounds like it can be a big help, right?

Unfortunately, the SPI that's included in consumer routers doesn't really make you more secure, and in fact, can mess up some applications that you purposely open ports for. The SPI you would want is something that would check each incoming packet for all of the bad stuff I mentioned above.

But all most consumer SPI does is protect against malformed packet exploits and things that you'd only need to be concerned about if you were running certain types of servers and had ports opened to them. And the denial of service (DoS) attack protection that is always mentioned as an SPI feature? Not much help either, since if your LAN were the target of a DoS attack, your Internet connection would be so flooded by traffic that it wouldn't matter if your router were running or not.

Fortunately, SPI is now included for no extra charge in most consumer routers, so you don't even need to worry about it.


