Firewalls: your first line of defence

We look at the features of hardware and software firewalls, to give you a better idea of what's best for you.

When it comes to managing a home or small office network with a broadband Internet connection, the implementation of a firewall should never be overlooked. While nobody will dispute the importance of having a hardware or software firewall from a security perspective, many users aren’t familiar with the many features that firewalls support. A firewall was once considered a device that would determine which TCP/IP traffic could exit or enter a network.

But the firewall of today also includes a wide range of advanced features, enabling you to control everything from the email attachments that should be quarantined, through to privacy features like the ability to block cookies.

This feature takes a look at different firewall components, as well as the differences between software-based and hardware-based firewall solutions. Once we’re done, you should have a better idea of the firewall solution that will work best for you and your network setup.

Why a firewall?
At the most basic level, the firewall’s main purpose is to act as a secure intermediary between your private network and the Internet. For example, you might decide that all the systems on your internal network will have unrestricted access to any and all services on the Internet, such as web, FTP, ICQ, and so forth. Similarly, you might want to block internal users from accessing the Internet with certain programs, such as file-sharing services like Kazaa. Regardless of which camp you fall into, the configuration of almost any firewall will allow you to control the type of traffic permitted on your network.

For most users, the primary reason for implementing a firewall is to keep the bad guys (aka the Internet at large) out of your network. In the default configuration of most firewalls, all traffic originating on the Internet is blocked from entering your network, denying external users the ability to connect to your private network. Of course, there will be times when you want to be selective about the type of traffic that enters your network. If you host your own internal web server, for example, and want Internet users to be able to connect to it, you’ll need to configure the firewall to both allow this traffic to enter, whilst also forwarding the request to the specific internal system on which your web server software is running.

The implementation of a firewall is all about configuring rules about which types of traffic can move in or out of the network. The default rule for internal systems making outgoing connection attempts might be configured so that ‘any internal system (the source) can connect to any Internet system (the destination) for all types of TCP/IP traffic’. Similarly, the default rule for external systems trying to make incoming connections is usually something along the lines of ‘any Internet system (the source) can’t connect to any internal system (the destination) for all types of TCP/IP traffic’. In other words, the first rule authorises all internal systems unrestricted access to the Internet, while the second blocks all Internet systems from accessing systems on your private network. The screenshot above illustrates the act of blocking a single PC on a private network to prevent the Internet from using MSN Messenger. If you keep in mind that the configuration of a firewall is mainly about configuring rules for the interactions between systems on your private network and the Internet, you’re well on your way to understanding what a firewall is all about.

Hardware versus software
Once you understand why you need a firewall and its primary purpose, it’s time to go about determining whether a software or hardware solution will work best for you. As a general rule, users looking to protect a home or small office network will do best with a hardware solution. Those with a single PC are likely to find a software firewall more cost-effective. In the hardware arena, the most popular option for a home firewall is found in the form of an Internet router (such as those available from companies like Linksys or SMC). These relatively inexpensive devices usually include a range of features, such as the ability to share a broadband cable or DSL Internet connection, a firewall component, and an integrated DHCP server for allocating IP addresses to systems on your network. From a simplicity standpoint, the convenience of managing a single device for sharing Internet access and providing firewall functions is hard to beat.

As you might expect, a hardware firewall isn’t the best solution for everyone. While generally associated with broadband Internet connections, having a firewall in place is just as important for the networks of PCs that use dial-up. Dial-up connections to the Internet may be slower, but systems using them still face the same security threats as systems connected via broadband.

In cases where you’ve got a single PC dialling into the Internet, or even multiple systems sharing a dial-up or broadband Internet connection via a Windows method like Internet Connection Sharing (ICS), then a software solution is usually your best option. A wide variety of software-based firewall solutions exist, but some are more popular than others. Windows XP includes a native firewall in the form of the Internet Connection Firewall (ICF). While not nearly as fully-featured as some of the third-party programs available, ICF handles the job of blocking requests originating from the Internet, allows you to selectively sanction different types of TCP/IP requests into your network, and gives you control over how the system will respond to common requests such as a ping. On the downside, ICF is fairly limited in that it doesn’t allow you to control which resources internal systems can access on the Internet. In cases where your needs are basic or cost is an issue, a solution like ICF will get the job done, and do it well. ICF is configured via the Advanced tab of the properties of a connection.

If you’re looking for more out of your software firewall than just the ability to block Internet users from accessing your PC or network, then you’ll need to take a closer look at third-party software. Two of the most popular solutions for home and small office users include ZoneAlarm and Norton Personal Firewall. Both programs are relatively inexpensive and offer you a much more granular level of control over system and network security.

Firewall features
When selecting a firewall solution, it’s well worth taking the time to examine the features that different hardware and software platforms support prior to making a decision. This is a simple affair when evaluating software, since both ZoneAlarm and Norton Personal Firewall allow you to download time-limited trial versions prior to purchase. Things aren’t as simple on the hardware side, since vendors include different capabilities with their products and you really don’t have the option of trying before you buy. Rather than going through the pain of learning that a feature you want isn’t included in the model you’ve purchased, this is where it pays to do your homework in advance.

Some of the features to consider when looking for a firewall solution include support for controlling access for internal systems, intrusion detection, MAC address filtering, URL blocking, custom rule creation, various content blocking features, and more. Each of these capabilities will be looked at in more detail in the following sections.

Outside in
The most important feature of any firewall is its ability to control access from the Internet to your PC or network. You’ll find that by default, most firewall software will be configured to block all requests for resources on your PC or network that originate from the Internet. This is good news, since hackers, crackers, and script kiddies (non-hackers using pre-built tools to try and hack into your system) are constantly trying to connect to Internet systems looking for easy targets. Their reasons for wanting to access your system range from curiosity (what can I find?) to malicious behaviour (let’s install a Trojan horse and try to take complete control of this system!), so keep your guard up.

However, while blocking all connection attempts from outside users is a good default, there will be times when you want Internet-based users to be able to connect. This may be the case if you have an FTP server installed where you share files with work colleagues. In this instance, the firewall needs to be configured with a rule to allow Internet-based FTP traffic to gain access to your system or network. In the case of a hardware router with a built-in firewall, this would involve configuring a rule that permits all traffic from the Internet destined to TCP port 21 (the default FTP port) to be forwarded to your internal FTP server. For a higher degree of control, access to your FTP server could be made more limited by configuring your firewall to only allow external users from certain IP addresses to connect. When selecting a firewall, try to choose one that gives you the option to create more granular rules for incoming traffic. This provides a much higher degree of control than a firewall that doesn’t allow you to limit connections to specific hosts, and by extension makes your PC or network more secure.

Inside out
Along with the ability to keep the bad guys out of your network, you may also be looking for a method of controlling the traffic that leaves your network destined for the Internet. You may want to limit the types of services that your internal users have access to, such as bandwidth-consuming services like Kazaa. In many companies, firewalls are used to limit users to basic and common services like web (HTTP), email (SMTP and POP3), and so forth. Not only does this give the company greater control over the way the Internet connection is used, but it also ensures that users are denied access to services that might otherwise have an impact on their productivity.

In the same way, perhaps you only want certain users to have Internet access. Most hardware and software firewall solutions will allow you to control exactly which users are allowed to access the Internet according to their IP address. This is a great way to stop certain users, while permitting others access. Regardless of your exact goals, this level of control is useful for everyone from parents to the administrator of even a very large network.

One additional but related feature found in many software firewall packages is the ability to restrict access to the Internet by certain programs. For example, you can configure a list of exactly which programs are authorised to access an Internet connection, such as Internet Explorer or Outlook Express. This feature is especially useful since it can help to ensure that any malicious applications installed on your system (such as a Trojan horse program) can’t access the Internet, thus rendering them useless. This is an extremely useful and important feature of programs like ZoneAlarm and Norton Personal Firewall. If you’re evaluating either, their relative merits will be commented upon a little later in this feature.

Intrusion detection
Most home and small office firewall solutions have traditionally only provided what’s known as ‘stateless’ service. At the most basic level, a stateless firewall will inspect each packet that attempts to pass through the firewall, and then accept or reject the packet after considering the rules that have been defined by the firewall administrator. While this basic function is critical, a stateless firewall does nothing to determine whether a packet is valid, beyond looking at the IP address and the port numbers of the source and destination hosts.

Most of the newer firewalls on the market today provide an option to enable ‘stateful’ service, or use this mode by default. A stateful firewall not only checks that packets match the IP address and port rules that have been defined, but also checks to ensure that the contents of the packets are valid and not some attempt by a hacker to maliciously use the connection.

A stateful firewall does this by tracking each connection, and then looking for abnormal or suspicious behaviour. In cases where the behaviour of the connection is suspicious, events can be logged or the connection itself can be terminated by the firewall. The methods available vary from firewall to firewall. As a general rule, the more complex and expensive the firewall, the more advanced the intrusion detection capabilities it provides. If you’re going to implement your own firewall for a home or small office, then a stateful model should be a key prerequisite and is well worth implementing, even if it costs a tiny bit more up front.
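To make the rule logic concrete, here is a small added simulation (not the code of any router or firewall product mentioned in this feature) of the rules described under ‘Outside in’ and in this section: internal systems may open any connection outward, the Internet may open nothing inward except FTP on TCP port 21 from a short list of trusted addresses, which is forwarded to the internal FTP server, and replies to connections the inside started are let back in by the connection table. All addresses are constructed samples, and the assumption that the router keeps the client’s source port when translating is a simplification made for illustration.

```python
"""Toy stateful packet filter with a port-forwarding exception (added illustration)."""
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.1.0/24")   # constructed private LAN
PUBLIC_IP = ip_address("198.51.100.1")         # constructed ISP-assigned address of the router
FTP_SERVER = ip_address("192.168.1.10")        # constructed internal FTP host
FTP_ALLOWED = {ip_address("203.0.113.5")}      # constructed address of a trusted colleague
FTP_PORT = 21


class Firewall:
    def __init__(self):
        # Connection table: (remote ip, remote port, client port) -> internal host.
        # Assumption for the illustration: the client's source port is preserved by NAT.
        self.table = {}

    def filter(self, src, sport, dst, dport, proto="tcp"):
        """Return 'allow', 'deny' or 'forward:<internal host>' for one packet."""
        src, dst = ip_address(src), ip_address(dst)
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            # Rule 1 (inside out): any internal system may reach any Internet system.
            # Remember the connection so that its replies can be matched later.
            self.table[(dst, dport, sport)] = src
            return "allow"
        if dst == PUBLIC_IP and src not in INTERNAL_NET:
            # Stateful check: is this the reply to a connection the inside opened?
            inside = self.table.get((src, sport, dport))
            if inside is not None:
                return f"forward:{inside}"
            # Granular exception: FTP, and only from the listed external addresses.
            if proto == "tcp" and dport == FTP_PORT and src in FTP_ALLOWED:
                return f"forward:{FTP_SERVER}"
            # Rule 2 (outside in): anything else from the Internet is dropped.
            return "deny"
        # Packets that fit neither direction (e.g. addressed straight at a private
        # address from outside) are dropped as well.
        return "deny"


def demo():
    """Run the constructed packets for the feature's scenarios; returns the verdicts."""
    fw = Firewall()
    return [
        fw.filter("192.168.1.20", 51000, "198.51.100.7", 80),    # browser opens a web connection
        fw.filter("198.51.100.7", 80, "198.51.100.1", 51000),     # the web server's reply
        fw.filter("198.51.100.7", 4444, "198.51.100.1", 51000),   # unsolicited packet, no state
        fw.filter("203.0.113.5", 3000, "198.51.100.1", 21),       # trusted colleague to FTP
        fw.filter("203.0.113.99", 3000, "198.51.100.1", 21),      # stranger to FTP
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```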

MAC filters
Although IP addresses are important, every client on an Ethernet or Wi-Fi network ultimately identifies and communicates with other systems on the network using MAC addresses. Any system with a wired or wireless network card installed has a MAC address that’s globally unique, providing you with another method to control Internet access. For example, consider a situation where a user knows their IP address is blocked from access. If that user is running an operating system like Windows 98 or Me, they could easily change their IP address to another value, and perhaps one that’s allowed to access the Internet. If a MAC address filter were configured for this system, it wouldn’t be allowed to access the Internet under any circumstance, regardless of the IP address in use. Again, this feature gives you a more granular level of control over who should or shouldn’t have access, so is well worth looking for in a firewall solution.

Virtual DMZ hosts
Most home firewall solutions, such as hardware routers, use a technique called Network Address Translation (NAT) to enable multiple PCs on the private network to connect to the Internet using a single public address provided by an ISP. This technique is useful due to the scarcity of public IP addresses, and the fact that most providers won’t provide more than one public address without additional charges. Internal clients simultaneously ‘share’ the single public address, with the NAT device (in this case the hardware router) keeping track of the various connections. On a Windows system, Internet Connection Sharing (ICS) provides a basic NAT function when it’s enabled.

Unfortunately, not all applications work well in NAT environments as they require direct end-to-end connectivity without an intermediary (the NAT server) translating packets. For this reason, one of the features that you might want to look for in a firewall solution is the ability to define virtual DMZ hosts. DMZ is short for demilitarised zone, a term traditionally used to describe a portion of a network that’s accessible to Internet systems, but distinct and separate from the private network. When virtual DMZ hosts are supported and designated, a client system can be granted unrestricted two-way access to the Internet via the router by bypassing the NAT function. This capability is rarely required by applications, but if you’re having issues getting a certain program to function, then it’s definitely worth having at your disposal.

URL blocking
Although support for URL blocking varies between different firewalls, it’s another feature that you might find useful. When URL blocking is enabled, you can configure lists of web sites or keywords that a user on your network won’t be able to access. As an example, a company might want to ensure that users don’t use a service like Hotmail as a method of circumventing the company mail server. In this case they would block the www.hotmail.com site, or any related site for that matter. Unfortunately, the configuration of URL blocking can be fairly time-consuming, especially in cases where you have many sites and keywords that you wish to block. In situations where you want to be able to selectively permit or block access to sites in a granular fashion (such as by category, topic, or keyword), a better solution is to implement content-control software such as NetNanny. This will offer you the option to selectively enable or disable broad types of content in a single mouse click.

Cool add-ons
As a consumer, the time couldn’t be more right to be in the market for a firewall solution for two reasons. Firstly, prices for both hardware and software versions have dropped dramatically due to heavy competition. Secondly, the fierce competition in the industry has forced manufacturers and developers to provide more bang for your buck in terms of additional features and capabilities as a way of differentiating their products. Software like ZoneAlarm not only provides basic firewall functions but also allows you to block cookies and banner ads. On the hardware front, vendors like SMC include features like Dynamic DNS client components to automatically update Internet DNS servers when your DHCP-allocated IP address changes, thus avoiding manual reconfiguration. You won’t need all of the cool add-ons that manufacturers and developers are providing, but the choice and flexibility is an added bonus when you need it.

Final thoughts
If you’re currently in the process of evaluating a firewall solution for your home or office, take the time to determine your needs before you buy. It may involve a little more time and effort on your part, but ultimately a firewall solution that meets all of your needs is money well spent.

Firewalls on Wi-Fi networks

A firewall acting alone isn’t enough to protect your wireless network. There are other features to take into account too.

If you’ve implemented a wireless network at home or in the office, you can’t rely on a firewall alone. While any firewall should be capable of selectively blocking some (or all) traffic originating from the Internet, another issue exists: namely, the ability of other wireless users to associate with your access point(s) if they’re not properly secured. Of course, associating with an access point requires an outside user to be relatively close to one of your access points in terms of physical proximity. In residential and office spaces this is often much less difficult than you might imagine, with associations being possible over distances of up to 1,000 feet, depending on the specific wireless technology in use. Once a user connects to your access point, they have effectively circumvented your firewall completely, and could have free rein within your network – a scary thought indeed.

To mitigate this risk, you’ll need to implement a few of the key security features provided with almost all access points. For data security, you’ll definitely want to implement WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access) on your access points and client systems, ensuring that all data transmitted between these systems is encrypted. MAC filtering will enable you to control exactly which systems are capable of forming an association, so consider it another must-have. Other steps to consider include disabling the broadcast of the network identifier (SSID), and any DHCP server component of the access point. This will ultimately require some manual configuration of wireless client PCs, but greatly increases the security of your wireless network.

Know your ports

When it comes to configuring a firewall and its associated rules correctly, you definitely need to know something about port numbers. When a client system makes a request for a resource on the Internet, it not only supplies the IP address of the system it wants to connect to, but also the port number on which the requested service is running. For example, a user connecting to the Microsoft web site would be accessing the IP address 63.210.47.46, and specifically, TCP port 80 by default.

While many firewalls will list the names of services next to their associated port numbers (meaning that you don’t necessarily have to remember them), some won’t. In these cases, it’s important to have some understanding of the port numbers associated with a particular service, such as the one used by DNS, SMTP, and so forth. The list below outlines some of the more common port numbers that you should be familiar with:

21 – FTP
23 – Telnet
25 – SMTP
53 – DNS
80 – HTTP
110 – POP3

Of course, this is a small sampling of the port numbers that exist. For a complete list of port numbers and their associated services, see www.iana.org/assignments/port-numbers.
Dan DiNicolo
PC Plus Issue 213 - March 2004