Mac Security 101
http://www.applemacpunk.com applemacpunk@cox.net
Hardware Firewalls: A (very) Basic Overview
by Kale Feelhaver aka, AppleMacPunk
In last month’s article, I discussed connecting to the Internet using a router for added security. In this article, I will give a brief overview of hardware firewalls, what they do, and take a look at a few popular models.
Note: this article will take a high-level view of firewalls, but assumes you know the basics of TCP/IP and networking.
What is a hardware firewall? A hardware firewall is a network device that separates networks. Firewalls can be used to separate a private network (i.e.: office network) from a public network (i.e.: the Internet), or to separate multiple private networks (i.e.: wired and wireless networks). Firewalls are rule-based, which means an administrator must configure what is allowed or denied in a series of rules. A firewall inspects every piece of data that passes through it and examines the source address (who sent it), destination address (where is it going), and the protocol (what it is). The firewall then consults its rule base and allows or denies the data based on the way you have it configured. This provides a high level of security and configurability, but involves administrative overhead.
For example, let’s say your Mac has an IP address of 192.168.0.1 and you want to be able to visit a web page at 17.254.3.183. The source address is 17.254.3.183 and the destination address is 192.168.0.1. Since this is a web page, the protocol is HTTP, which uses port 80. So the firewall rule would look something like this:
Allow ip 17.254.3.183 192.168.0.1 80
Every firewall’s syntax is a little different, but the above rule shows the general idea. Normally, you have an “allow” or “deny” tag, followed by the source address, destination address, and port number. Now, once this rule is in place, HTTP traffic will be allowed to pass from the Internet to your Mac. However, if the web site were to send a request on port 81, it would be denied, because the rule specifies port 80.
So… I know what you’re thinking… this is going to take forever to set up if I have to enter the IP of every website I want to visit. That’s true… but luckily most firewalls allow for wildcards, which make configuration much easier. A wildcard is normally specified using the word “any” or a * character. So to configure a firewall rule that would allow all HTTP traffic from the Internet to 192.168.0.1, the rule would look something like this:
Allow ip any 192.168.0.1 80
Rules are the basis of all firewalls. The firewall is only as good as the rules that it houses. A really expensive firewall with a badly configured set of rules provides less security than a cheap firewall with a good rule set. For this reason, configuring a firewall may not be for the faint of heart. Luckily, most new firewalls are configurable through a web page, which makes for much easier administration. Years ago, all firewalls were configured via the command line interface. In addition, most consumer level firewalls come configured with a basic set of rules that will allow most common protocols.
In addition to allowing/denying traffic, firewalls can also log traffic. In many cases, the logging feature is more important than the allow/deny feature. Just like the rules, the logging can be configured to monitor all traffic, only blocked traffic, only allowed traffic, only traffic from the Internet… or whatever else you can come up with. However, logs are only useful if they are reviewed regularly, which means even more administrative overhead. Someone has to regularly sort through the logs if they are going to be of any use to you.
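As an added example (not from the article or any firewall vendor), the following Python script models how a rule base like the one above is consulted: it parses rules in the article’s “Allow ip any 192.168.0.1 80” syntax, checks them top to bottom with first match winning, treats “any” or * as a wildcard, denies anything that matches no rule, and logs every decision so the “only blocked traffic” view can be reviewed. The exact rule format, the “ip” protocol keyword and the default-deny policy are assumptions for illustration; real firewalls differ in syntax and defaults.

```python
# Added example (not from the article): a tiny rule-based filter using the
# article's rule syntax to show first-match evaluation, wildcards, default deny,
# and per-decision logging. Rule format and defaults are assumptions.
from dataclasses import dataclass
from typing import List

WILDCARDS = ("any", "*")

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    proto: str   # "ip" matches every protocol; "tcp"/"udp" match only that one
    src: str     # source address or wildcard
    dst: str     # destination address or wildcard
    port: str    # destination port or wildcard

def parse_rule(line: str) -> Rule:
    """Parse one rule: '<Allow|Deny> <proto> <src> <dst> <port>'."""
    action, proto, src, dst, port = line.split()
    if action.lower() not in ("allow", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    return Rule(action.lower(), proto.lower(), src, dst, port)

def _matches(pattern: str, value: str) -> bool:
    return pattern in WILDCARDS or pattern == value

def evaluate(rules: List[Rule], proto: str, src: str, dst: str, port: int,
             log: List[str]) -> str:
    """Consult the rule base top to bottom; first match wins, otherwise deny.
    Every verdict is appended to `log` so blocked traffic can be reviewed."""
    verdict, reason = "deny", "no matching rule (default deny)"
    for i, r in enumerate(rules, start=1):
        if ((r.proto == "ip" or r.proto == proto) and _matches(r.src, src)
                and _matches(r.dst, dst) and _matches(r.port, str(port))):
            verdict, reason = r.action, f"rule {i}"
            break
    log.append(f"{verdict.upper()} {proto} {src} -> {dst}:{port} ({reason})")
    return verdict

def blocked_entries(log: List[str]) -> List[str]:
    """The 'only blocked traffic' view an administrator would review first."""
    return [entry for entry in log if entry.startswith("DENY")]

if __name__ == "__main__":
    rules = [parse_rule("Allow ip 17.254.3.183 192.168.0.1 80")]
    log: List[str] = []
    evaluate(rules, "tcp", "17.254.3.183", "192.168.0.1", 80, log)  # allowed
    evaluate(rules, "tcp", "17.254.3.183", "192.168.0.1", 81, log)  # denied: port 81
    rules.append(parse_rule("Allow ip any 192.168.0.1 80"))
    evaluate(rules, "tcp", "10.0.0.7", "192.168.0.1", 80, log)      # allowed by wildcard
    print("\n".join(log))
```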
There are a variety of hardware firewalls on the market for home users, small businesses, and big businesses. Some popular manufacturers include: Cisco, WatchGuard, SonicWall, and 3Com. Since going into detail about all of them is beyond the scope of this article, I will concentrate on two that are well suited to home users/small business users: SonicWall’s TZ170 and WatchGuard’s Firebox SOHO 6. Both of these network appliances are very affordable, with the SonicWall selling for about $500 and the WatchGuard at about $300. They are not much bigger than an average dictionary and provide a ton of functionality. Both have an easy-to-use web page interface and come set up with a basic rule set to get you started. Many home users may be able to plug one of these devices in and never touch it again. However, if you have to make changes, a basic knowledge of firewall rules is a good idea. Since hardware firewalls are network-based, there are no Mac/Windows compatibility issues. Any firewall should work the same with a Mac as it does with a PC, which is good news for those of you with mixed networks. Out of these two models, I would have to say I’m partial to the WatchGuard, but they both have some great features.
Generally the firewall will sit on the perimeter of your private network, protecting your Mac(s) from the Internet. On smaller networks the firewall is generally placed between the router/switch and the Internet. However, on larger networks, the firewall usually sits behind the router. In some cases, the firewall can actually replace the router, and sit directly between the Mac(s) and the Internet. The diagram below shows the placement of a firewall on a typical small/home network.
At this point, some of you are probably thinking, “Wow, hardware firewalls are way too much work. I don’t need one.” That statement may be true in a lot of cases. The average home user will probably never need or want a hardware firewall. For most folks, a NAT router and software firewall (included with Mac OS X) will be more than enough. However, if you have critical business data that is stored on your network, if you store customer account information, or if you are just a network security geek like me, you may have a need for a hardware firewall. Just keep in mind, the firewall is only as good as its configuration. If you are new to networking, make sure you have an IT Professional you can consult when your firewall needs changes. They are extremely functional and powerful devices, but are only as good as the configuration.