Firewalls - what are they, when do you need one?
By Pcunix
Let me get a disclaimer out of the way first. I am a reseller of a business class firewall called Kerio Control. Some readers may have interest in firewalls for business use and, if so, I'd be happy to talk to them about the product I sell.
Here, I want to talk about firewalls for home use. I don't sell any products for home use (although I do have some customers using Kerio Control in their homes). I'm not going to be recommending any specific products; this article is meant simply to help a home user understand what a firewall does and why they need to have one.
I'll be trying to keep this at a level that anyone can follow. Please, if you are confused by something, ask your question in the comments. It's all too easy to be confused by this subject.
Do you have a firewall already?
You may have a firewall now. It could be external to your computer or it may be software you have installed as part of a "security suite" that was included with your virus protection software. You may have both an external and an internal firewall.
If you have software that incorporates a firewall function, you may be well aware of it. If not, a simple Google search for whatever product you own should tell you whether or not it includes a firewall.
If it is external, it may be a little more difficult to know. Unless you are still using dial-up Internet access, you have a "router". That router probably is also a firewall, but it doesn't have to be. A bit lower down I will suggest some ways you might determine if it is, but one simple way is to Google for the manufacturer and model.
For example, I have an Actiontec M1424WR device provided by Verizon. If I Google that, I can easily find the manufacturer's product page and read that it includes a "Customizable firewall" among other features.
The IP test
There's a simple test you can do to see if a firewall might be part of your setup.
Type "What's my ip?" into a Google search. You'll get back a response that says "Your public IP address is", followed by some numbers. Use Google for this; Bing doesn't yet know to be this helpful. Write those numbers down.
Now we need to see what your computer thinks about your IP address.
Unfortunately, Microsoft operating systems haven't made that easy. I can't give you one simple thing that I am sure will work no matter what you are using, so, to save some space here, I'm going to send you to another page to find out what you need to do to find your internal IP address. I'm sorry that is necessary, but it's Microsoft's fault, not mine.
You'll be looking for your "IP Address" or "IPv4 Address". It's POSSIBLE that you might see "IPv6 Address" too, but you probably won't.
Compare that to the address you wrote down from Google. If they are the same, you may not have a firewall. That could mean that your computer is at some risk. You need to investigate this more.
If they are different, you probably do have a firewall, because being different indicates that some device is doing NAT (Network Address Translation), and the most common device that does that is a router that includes a firewall. That's not absolutely certain, but it almost always is in a home setup provided by an ISP.
If you have any doubt, call your ISP and ask.
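The comparison above can be written down as a short check. This is an added example, not part of the original article; the function names are hypothetical, and 203.0.113.7 is a constructed stand-in for the address Google reports. It also covers cases the test alone does not: a self-assigned (169.254.x.x) address and the shared 100.64.x.x range some ISPs use.

```python
import ipaddress
import socket

# Shared address space ISPs use for carrier-grade NAT (RFC 6598).
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def local_address():
    """Return the address this computer uses to reach the Internet, or None.

    connect() on a UDP socket sends nothing; it only makes the operating
    system pick the outgoing interface. 192.0.2.1 is a documentation address.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect(("192.0.2.1", 9))
            return s.getsockname()[0]
        except OSError:
            return None  # no network route at all

def ip_test(local_ip, public_ip):
    """Compare the computer's own address with the one Google reported."""
    local = ipaddress.ip_address(local_ip.strip())
    public = ipaddress.ip_address(public_ip.strip())
    if local.version != public.version:
        return "inconclusive: compare IPv4 with IPv4, or IPv6 with IPv6"
    if local.is_loopback or local.is_link_local:
        return "inconclusive: not the address of a working network connection"
    if local == public:
        return "same: nothing is translating addresses, investigate further"
    if local.is_private or local in CGNAT:
        return "different: a NAT device, most likely a router, is in front"
    return "different: but the local address is itself public, ask your ISP"

if __name__ == "__main__":
    # 203.0.113.7 is a constructed stand-in for the address Google shows you.
    mine = local_address()
    print(mine, "->", ip_test(mine, "203.0.113.7") if mine else "no network")
```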
Router, Firewall, Modem, what's the difference?
I commonly hear home users use all these terms to refer to the equipment their ISP (Internet Service Provider) supplied. Sometimes they are technically inaccurate, but everybody understands that whatever you call it, that is the magic device that connects you to the Internet.
It may indeed be translating digital signals to analog, and therefore it is a modem. Some routing service is certainly part of it too. Routing is how stuff you type finds its way to the web page where you are typing in your credit card number or responding to some outrageous comment at an Internet forum. Routing lets you find this web page that you are reading now. Think of a router's job as direction: if you want to get to Virginia from Boston, you first get on Rte. 95. That's a router's job - to get you on to Rte 95. Some other router will get you off in the right place, but your router is the first step.
A firewall is something that tries to protect you. Protect you from what?
Control what's getting to you
One part of a firewall's job is to protect you from the outside world getting at your stuff. You certainly wouldn't want me to be able to read every document on your computer from the comfort of my home without your knowledge, right?
But how I might be able to do that and how a firewall would protect against that is actually a fairly complicated subject. To understand it, we need to reverse roles for a minute. Let's go look at things from the point of view of the computer that provided this page that you are reading.
It is a computer, I hope you realize. I don't know where it is - it could be anywhere. HubPages owns or rents it and it is sitting patiently waiting for people like you to ask for a page.
A computer geek would say that it is "listening" for those requests and more specifically, they might add that it is "listening on port 80".
What does that mean? Well, without giving you a headache, ports are like telephone extensions in an office. There's a main number you can dial to reach the business and you can get to a particular person by dialing their extension. The "extension" for web page requests is TCP port 80.
Does YOUR computer listen on port 80? Probably not, so I could ask it for web pages all day long and I would not get any. Unless it has been told to be a web server, your computer is not listening to port 80.
Suppose it was listening to port 80 because you had some local web pages that you wanted to be able to read from another computer inside your house but that you did NOT want the outside world to read? That's where a firewall might enter the picture.
I have my computer configured exactly that way. I have some web pages that have information about my customers and it is sometimes convenient to view them from another one of my computers. I definitely would not want you to see them, though. I use a firewall to help me prevent that.
Understand that there are other ways I could protect those pages. I could require authentication (a name and password) or I could tell the webserver "Only show pages to these other computers and no one else". A firewall is just a convenient way to accomplish my need.
But if your computer is NOT listening on port 80, do you need a firewall to block those port 80 requests? Think about that for a minute. I have already explained to you that if your computer has not been told to listen, it will just ignore any and all attempts that ask for webpages. So what would a firewall add to that?
Nothing. If your computer isn't listening, the firewall does not add any protection against outside queries.
But what IS it listening for?
Ahh, that's the question, isn't it? You probably don't know the answer and unless you are someone like me, it's probably not critical that you do know - as long as you have a firewall, that is.
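If you do want the answer, the Windows command "netstat -an" lists it, and the output can be read mechanically. The following is an added example, not part of the original article: the sample output is constructed and the function name is hypothetical. It separates listeners that any network can reach from those that only answer on the computer itself.

```python
# Constructed sample of what "netstat -an" prints on Windows.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49712      203.0.113.10:80        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

def listening_ports(netstat_text):
    """Return sorted (port, reach) pairs for every TCP port being listened on."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Windows layout: Proto, Local Address, Foreign Address, State
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue  # e.g. ESTABLISHED: a conversation, not a listener
        host, _, port = fields[1].rpartition(":")
        host = host.strip("[]")  # IPv6 addresses are printed in brackets
        if host in ("0.0.0.0", "::"):
            reach = "any network the computer is attached to"
        elif host.startswith("127.") or host == "::1":
            reach = "this computer only"
        else:
            reach = "only via " + host
        found.add((int(port), reach))
    return sorted(found)

if __name__ == "__main__":
    for port, reach in listening_ports(SAMPLE):
        print("TCP port %5d  reachable from %s" % (port, reach))
```

The ports marked as reachable from any network are the ones an inbound-blocking firewall is actually protecting.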
The default action for most firewalls is to block unsolicited requests from the Internet. The firewall doesn't know or care if your computer is listening for web page requests; by default it's going to stop those from ever reaching your computer at all. As we saw, those requests won't necessarily be dangerous, but the firewall doesn't make those judgements. By default, most firewalls just block everything from coming in.
But wait, something is wrong. You are reading this web page, right? That "got in". If the firewall blocks stuff coming in, how can you be reading it?
The answer is in that word "unsolicited", which firewalls define in their own way. If I asked a fellow geek about it, they might say "The firewall will allow traffic on established connections".
What does that mean? Although the analogy is imperfect, imagine a telephone. If I call you, I can hear you talk. If you call me, but I don't answer the phone ("establish the connection"), you can talk all you want, but I won't hear you. When I called you, we established a connection. There are millions of other voices on the phone line, but you and I have a specific connection.
That's what happens in the firewall. The firewall sees you request a page and when the other computer responds to that request, it lets it through because your connection is "established".
It will also let through things it has been specifically told to allow. I might want to be able to read those local web pages when I am not in my office. If so, I'd need to tell my firewall to let those requests pass through.
This is a place where it can get complicated if you have an external hardware firewall and internal firewall software in a security suite. To allow outside access, you may need to tell both of those firewalls.
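The rules described in this section (block unsolicited traffic, pass replies on established connections, pass what has been specifically allowed) fit in a small model. This is an added example, not part of the original article and not how any particular product is written; the class and function names are hypothetical, the addresses are documentation examples, and a real firewall also tracks timeouts and TCP state.

```python
class HomeFirewall:
    """Simplified model: block inbound by default, pass replies and allowed ports."""

    def __init__(self):
        self.established = set()  # (remote_ip, remote_port, local_port)
        self.allowed_ports = {}   # inbound port -> inside computer to send it to

    def outbound(self, local_port, remote_ip, remote_port):
        # A request from inside is always solicited: remember the connection.
        self.established.add((remote_ip, remote_port, local_port))
        return "pass"

    def close(self, local_port, remote_ip, remote_port):
        self.established.discard((remote_ip, remote_port, local_port))

    def allow(self, port, inside_host):
        self.allowed_ports[port] = inside_host

    def inbound(self, remote_ip, remote_port, local_port):
        if (remote_ip, remote_port, local_port) in self.established:
            return "pass (established)"
        if local_port in self.allowed_ports:
            return "pass (rule: to %s)" % self.allowed_ports[local_port]
        return "block (unsolicited)"

def demo():
    """Constructed scenario; all addresses are documentation examples."""
    fw, web, stranger = HomeFirewall(), "198.51.100.20", "203.0.113.99"
    results = []
    fw.outbound(51000, web, 80)                       # you ask for a page
    results.append(fw.inbound(web, 80, 51000))        # the page comes back
    results.append(fw.inbound(stranger, 40000, 80))   # someone asks YOU for a page
    results.append(fw.inbound(web, 80, 51001))        # same server, no matching request
    fw.allow(80, "192.168.1.10")                      # the "specifically told" case
    results.append(fw.inbound(stranger, 40000, 80))
    fw.close(51000, web, 80)                          # you finished reading
    results.append(fw.inbound(web, 80, 51000))        # late packet, no longer known
    return results

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```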
From the other side
Some firewalls also stop you from making certain requests. Why on earth would they do that?
Have you ever heard of a virus using your computer to send out fake emails to other people? That happens, but suppose you only used Gmail to send and receive mail. If you were doing that, your computer isn't sending mail at all - it's some Google server that is doing that for you. In that circumstance, it could make sense to configure your firewall so that sending out mail (which is done on certain TCP ports, again) would be blocked. That doesn't change the fact that you have a virus, but it could stop the virus from being annoying to other people.
These types of firewalls often work by blocking everything until you tell them that the request is OK. So, if you start up a program that proceeds to try to open a mail connection, the firewall may pop up a notice on your screen telling you what is being requested and asking you if you approve. If you don't approve, the request will be blocked. Usually you are offered the choice of letting it have the access this one time or to always allow it, now and in the future.
These firewalls sometimes cause problems when an action has been blocked in the past but you need to allow it now. That's why some installation programs ask you to turn off all firewalls before they try to install.
Your ISP may be doing some additional blocking. My ISP will only allow mail connections to their mail servers - that means that outgoing mail has to be routed through them. That restriction makes it easier for them to spot possibly compromised computers.
Was this helpful?
I hope this has given you a little better understanding of this very complicated subject. There is much more I could tell you, but we'll leave that for another day.
Comments
Which ones do you think they might need help with? I thought I defined everything important in the hub, but maybe I missed some?
I loved your post on firewalls. I consider the topic to be very important but elusive to many users of computers who also prefer to remain passive over the whole issue. I personally prefer ZoneAlarm which serves me very well. Thanks for sharing and keep up with the good work.
I much prefer an external firewall. Unfortunately, most consumer level firewalls don't provide any control of outgoing packets and of course can't communicate with a non-technical user to ask about anything it sees.
I don't know that you really "missed" terms but I think people who are non-technical like to see these terms all together in one place. You did a great job laying it out.
You do a good job of simplifying complicated information! Thank you. Voted up and interesting.
I'm happy that you found this useful, vespawoolf.




carcamping 5 months ago
I am a fellow "techie". You have done a good job laying out a complicated subject for non-technical people. One suggestion for you: you may want to add a glossary of terms at the beginning or end of this hub to give people a little better understanding, all in one place.