Firewalls - back to basics

The most frequently asked questions (and answers) about Firewalls without the frills

What is a firewall?
A firewall is software or hardware that sits between two networks -- typically between your LAN and the Internet -- and lets some kinds of network traffic through while blocking others. It works from rules that you set, which define the sort of security you want. Unless you know what security you want and can express it in rules your firewall understands, the firewall will be useless or worse. A firewall can be a stand-alone network appliance, part of another network device such as a router or bridge, or specialist software running on a dedicated PC. The last route is popular among Linux fans and is worth investigating if you have the skills and can justify the time it takes to do properly. If you're reading this, the chances are you don't want to take this approach.

What's a 'personal' firewall?
Personal firewalls, such as ZoneAlarm or BlackICE Defender, are software-only firewalls that run on the computer they protect. Designed for individual users or small networks, their main job in a business environment is to protect remote users who reach the network over a VPN or dial-up. Windows XP comes with a personal firewall. Set up alongside other security measures such as anti-virus software, and properly maintained, they can be very effective. They are, however, prone to user tampering, can interact badly with other software on the computer, and are vulnerable to attack by viruses or trojans running locally, because anything running with the user's privileges on that machine can reconfigure or disable them. Look for remote manageability and good usability, and train users in what to do when the personal firewall reports an attack or a problem.

Do all firewalls work in the same way?
Inasmuch as they monitor traffic and block inappropriate activity, yes. However, there are two main ways to do this -- at the network layer or at the application layer. A network-layer firewall (a packet filter) looks at each packet, checks its source and destination addresses, protocol and port numbers, and allows it through or not on that basis. Application-layer firewalls act as proxies: they don't let traffic pass directly between the two networks, but present themselves as the application when accessed from outside the protected network. The firewall then analyses the traffic to make sure it is appropriate, and conducts its own conversation with the real application. This has the advantages over the network-layer approach of hiding all the details of the protected network from the outside world, and of allowing in-depth logging and control of what passes through. It is more complex to administer, more resource hungry and less flexible than the network-layer approach. It is possible, and increasingly common, for firewalls to mix and match aspects of both.

What's a DMZ?
A rather unfortunate acronym, which stands for demilitarised zone. It's a network segment with some firewall protection but which is visible to the outside world -- and thus where public servers for web, file transfer, email and so on can live. More sensitive, private services such as internal company databases, intranets and so on live behind a further firewall and have all incoming access from the Internet blocked. You can also create an effective DMZ with just one firewall, by setting up access control lists that let only a subset of services be visible from the Internet and that stop hosts in the DMZ from opening connections into the internal network, so that a compromised public server cannot be used as a stepping stone.

How do I make FTP/Web/video conferencing, etc, work through my firewall?
With simple protocols, such as the Web's HTTP, this can be as simple as allowing access through one port. With complex protocols such as H.323 for videoconferencing, the security issues are non-trivial: these protocols negotiate additional connections on dynamically chosen ports, and although you can make them work quite simply, doing so may mean disabling dangerously large areas of your firewall's protection. FTP has the same character, since each data transfer uses a second connection on a port agreed during the session. For a specific question, check the Internet Firewalls FAQ, but remember that many security problems are caused by half-understood or undocumented changes to a firewall's rule set.

How can I tell how good a firewall is before I buy it?
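The rule-based packet filter described under "Do all firewalls work in the same way?", the single-firewall DMZ built from access control lists, and the danger of half-understood rule changes, as an added example that is not part of the original article: a toy first-match packet filter in Python with a DMZ rule set, plus a small audit that flags over-broad and shadowed rules. The zone names, addresses, rule format and sample packets are assumptions constructed for illustration, and a real firewall would also track connection state, which this toy leaves out.

```python
"""Toy first-match packet filter, a single-firewall DMZ rule set and a rule audit.

Added example, not code from the original article. Zone names, addresses,
rule syntax and the sample packets are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed addressing: documentation/private ranges chosen for the example.
# "any" is 0.0.0.0/0, i.e. the Internet plus everything else.
ZONES = {
    "any": ip_network("0.0.0.0/0"),
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # zone name from ZONES
    dst: str               # zone name from ZONES
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = every port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """Network-layer check only: addresses, protocol and destination port."""
    return (ip_address(pkt.src) in ZONES[rule.src]
            and ip_address(pkt.dst) in ZONES[rule.dst]
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet no rule mentions is dropped (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Single-firewall DMZ: public services reachable from anywhere, the LAN
# reachable from nowhere outside, and a DMZ host unable to reach the LAN.
DMZ_RULES = [
    Rule("allow", "any", "dmz", "tcp", 80),          # public web server
    Rule("allow", "any", "dmz", "tcp", 25),          # inbound mail relay
    Rule("allow", "internal", "dmz", "any", None),   # staff manage DMZ hosts
    Rule("deny", "dmz", "internal", "any", None),    # compromised DMZ host stays out
    Rule("allow", "internal", "any", "any", None),   # outbound from the LAN
]

# Two "quick fixes" of the kind the article warns about, appended without
# reviewing what is already in the list.
RISKY_RULES = DMZ_RULES + [
    Rule("allow", "any", "internal", "udp", None),   # "make videoconferencing work"
    Rule("deny", "internal", "dmz", "tcp", 23),      # "block telnet to the DMZ"
]

def _covers(a: Rule, b: Rule) -> bool:
    """True when every packet b matches is already matched by a."""
    return (ZONES[b.src].subnet_of(ZONES[a.src])
            and ZONES[b.dst].subnet_of(ZONES[a.dst])
            and a.proto in ("any", b.proto)
            and a.dport in (None, b.dport))

def audit(rules: List[Rule]) -> List[str]:
    """Flag allow rules open to any source on every port, and rules that can
    never fire because an earlier rule already matches everything they do."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == "any" and rule.dport is None:
            findings.append(f"rule {i}: any source may reach {rule.dst} on every {rule.proto} port")
        for j, earlier in enumerate(rules[:i]):
            if _covers(earlier, rule):
                findings.append(f"rule {i} ({rule.action}) is shadowed by rule {j} ({earlier.action}) and never fires")
                break
    return findings

if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("203.0.113.5", "192.0.2.10", "tcp", 80),   # Internet -> DMZ web
        Packet("203.0.113.5", "10.1.2.3", "tcp", 445),    # Internet -> LAN file share
        Packet("192.0.2.10", "10.1.2.3", "tcp", 3306),    # DMZ web host -> LAN database
        Packet("10.1.2.3", "198.51.100.7", "tcp", 443),   # LAN -> Internet
    ]
    for pkt in samples:
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {decide(DMZ_RULES, pkt)}")
    # The telnet "block" is dead: rule 2 already allows everything from the LAN to the DMZ.
    print("telnet LAN -> DMZ:", decide(RISKY_RULES, Packet("10.1.2.3", "192.0.2.10", "tcp", 23)))
    for finding in audit(RISKY_RULES):
        print(finding)
```

The point of the audit is the second finding: the administrator who appended the telnet deny believes telnet to the DMZ is blocked, but because rules are evaluated first-match, the broad allow above it wins and the deny documents an intention rather than the firewall's behaviour.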
Concentrate on usability, support and reputation over feature sets, performance or price. Find existing users of the products you're interested in -- ideally people with similar skills who work in a similar environment -- and find out what their experience has been. Firewall users invariably congregate in online discussion groups, some of which are also frequented by the manufacturers, and are among the most voluble and opinionated of life forms.