Monday, January 17, 2011

Firewall Description

I’m an information junkie, something that my long time readers will probably have guessed by the breadth of the topics about which I write. One of the best things about writing a blog is that I get to share all of the tidbits of information that I collect. It really gets good, however, when my blog causes more information to come my way. Typically that comes in the form of comments, emails and phone calls; all of which are good. Every once in a while it comes in the form of another blogger making a post to explain in more detail a fact that I shared, but didn’t fully understand.

That happened last week when Eric Byres did a post explaining the fixed configuration firewall concept behind the new Honeywell Modbus Read-Only Firewall, a product based upon some Tofino Security technology. And Eric very generously credits one of my blog posts as the inspiration for that post. So it seems that we have an inter-blog conversation going, producing even more information. An info junkie's life just can't get any better.

What is a Firewall?

Eric provides a good description in his blog of how a fixed configuration firewall works and, in the process, schooled me, at least, in the general operation of a firewall. I've understood what a firewall is designed to accomplish, but never quite bothered to find out how it works. Now, Eric's discussion will not allow me to actually configure a firewall (Eric is a good explainer, but it is, after all, only a single blog post), but I do have a better understanding of what's going on.

Now, I’ve been exposed to computers for closing in on 50 years now (I helped write my first computer program in 1964), but I am not a true computer geek, I’m more of a technically knowledgeable user. I can talk to geeks without them laughing at me and I always respectfully listen when they try to explain something to me; it helps make me a better user.

I realize that most of my readers, however, have probably never seen the inside of a computer and would have difficulty recognizing a line of code if they saw it. How to explain the operation of a firewall to them? I guess the best way is to go back to the namesake of the computer firewall, the fire safety firewall.

In fire safety a firewall is a non-flammable barrier protecting stuff on one side from a fire on another. First you have to understand that ‘non-flammable’ is not an absolute term. If the temperature is high enough, then just about anything will burn. So the designer of a firewall makes an educated guess about the maximum temperature of the potential fire on the other side of the barrier and selects a barrier composition to match that temperature.

Now firewalls do not provide absolute protection against the spread of fires, generally they just delay the spread of a fire until other fire response efforts can deal with the situation. Given that, a firewall is rated in the number of minutes that it will hold back a fire. You pay more for more minutes of protection. And of course you need to have a plan for detecting the fire and mobilizing your other fire protection measures in a timely manner.

The best firewalls have no openings in them. Unfortunately, in the real world a wall with no openings is seldom very useful, but any opening is going to provide a route for fire to get through the firewall. So fire safety engineers have developed over the years a number of ways of closing off these openings in the event of a fire. For people sized openings and larger, we call these devices fire doors.

The best of these fire doors normally remain closed and are only opened when something must move through the wall. In a high traffic area this is frequently a pain in the butt and eventually someone figures out that it is easier to just prop the door open. Then you no longer have a fire door, but instead have an unprotected hole in the firewall. Realizing that you can’t engineer human nature, fire safety people have come up with fire doors for high traffic openings that are normally open, but close automatically in the event of a fire. A flash fire or explosion will get through before they can close, but they are better than a normally closed fire door that has been wedged open for the sake of convenience.

A computer firewall provides a similar type of protection to a computer system. Instead of protecting against the spread of fire, it prevents the unapproved movement of information. It helps to prevent intruders from accessing the system and to prevent the unauthorized sending of information out of the system. The best protection allows no flow of information (no holes in the firewall, or 'air gapped' in computer-speak), but that is seldom practical. The next best solution is to provide a communication node through the firewall that is normally closed, but can be opened when necessary, with appropriate restrictions on who or what can do the opening. That is followed by a normally open channel that automatically closes when a threat is detected. The least amount of protection is provided by a normally open port that has no threat detection capability protecting it. Actually, I guess the least protection is provided by the port that no one knows is open. In all cases, restricting what information can flow through the opening increases the level of protection.

To be most effective, any firewall needs to be protected by detection systems that tell someone when an intruder attempts to gain access or when someone attempts to transmit unauthorized information out of the system. And there must be a response capability that is triggered by the detection system.
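To make the "normally closed door with restrictions on what may pass" idea concrete, here is a small model of a fixed configuration, read-only Modbus/TCP filter, written for this post as an added illustration; it is not code from the blog, from Honeywell or from Tofino Security, and the approved master address, the sample frames and the function-code list it checks are my own assumptions. Everything is denied unless a fixed rule explicitly permits it (only one approved master, only TCP port 502, only the four Modbus read function codes, only well-formed headers), and every denial is recorded so that the detection and response process described above has something to act on.

```python
"""Toy model of a fixed-configuration, read-only Modbus/TCP firewall.

Added illustration for this post, not code from the blog, Honeywell or
Tofino. Rules are hard-coded (a "fixed configuration"): everything is denied
unless a rule explicitly allows it, and each denial is logged as an alert.
"""
import struct
from dataclasses import dataclass, field

MODBUS_TCP_PORT = 502
# Modbus public function codes that only read data from the device.
READ_ONLY_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                       3: "Read Holding Registers", 4: "Read Input Registers"}
MBAP_HEADER_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


@dataclass
class ReadOnlyFirewall:
    """Fixed rule set: an approved master may only send read requests on port 502."""
    allowed_masters: frozenset
    alerts: list = field(default_factory=list)  # one entry per denied frame

    def inspect(self, src_ip: str, dst_port: int, frame: bytes) -> Verdict:
        verdict = self._evaluate(src_ip, dst_port, frame)
        if not verdict.allowed:
            # Detection: a denied frame is evidence that someone tried the door.
            self.alerts.append((src_ip, verdict.reason))
        return verdict

    def _evaluate(self, src_ip: str, dst_port: int, frame: bytes) -> Verdict:
        if dst_port != MODBUS_TCP_PORT:
            return Verdict(False, f"port {dst_port} is not open on this firewall")
        if src_ip not in self.allowed_masters:
            return Verdict(False, f"source {src_ip} is not an approved master")
        if len(frame) < MBAP_HEADER_LEN + 1:
            return Verdict(False, "frame too short to carry a function code")
        _tid, proto_id, length, _unit, fc = struct.unpack(">HHHBB", frame[:8])
        if proto_id != 0:
            return Verdict(False, f"protocol id {proto_id} is not Modbus")
        if length != len(frame) - 6:  # length counts unit id + PDU
            return Verdict(False, "MBAP length does not match frame size")
        if fc not in READ_ONLY_FUNCTIONS:
            return Verdict(False, f"function code {fc} is not read-only")
        return Verdict(True, f"{READ_ONLY_FUNCTIONS[fc]} permitted")


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request: MBAP header followed by the PDU."""
    return struct.pack(">HHHBB", tid, 0, 2 + len(data), unit, fc) + data


def run_demo():
    """Constructed traffic samples (not captured from any real network)."""
    fw = ReadOnlyFirewall(allowed_masters=frozenset({"10.0.0.5"}))  # assumed master
    read_regs = build_request(1, 1, 3, struct.pack(">HH", 0, 10))     # read 10 registers
    write_reg = build_request(2, 1, 6, struct.pack(">HH", 0, 0xFFFF))  # write one register
    samples = [
        ("approved master, read request", "10.0.0.5", 502, read_regs),
        ("approved master, write request", "10.0.0.5", 502, write_reg),
        ("unknown host, read request", "192.168.1.77", 502, read_regs),
        ("approved master, wrong port", "10.0.0.5", 8080, read_regs),
        ("approved master, malformed header", "10.0.0.5", 502, read_regs[:5]),
    ]
    results = {label: fw.inspect(ip, port, frame).allowed
               for label, ip, port, frame in samples}
    return results, fw.alerts


if __name__ == "__main__":
    results, alerts = run_demo()
    for label, allowed in results.items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
    print(f"{len(alerts)} alerts raised for the response team")
```

Only the first sample passes; the other four are refused and each refusal lands in `fw.alerts`, which is the hook a monitoring system would poll. Note the order of the checks: the cheap, fixed tests (port, source) come before any parsing of the frame, and a frame that fails to parse is dropped rather than forwarded, which is the "normally closed" default the post describes.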

So, now that you know what a firewall does, go read Eric’s explanation about the pitfalls of configuring firewalls and the benefit of fixed configuration firewalls.
