Uploaded - 21 Aug 2004 17:19
What does a Firewall Do?

First of all, it is NOT a wonder cure for all anti-virus situations. If something gets in through one of the legitimate functions such as email or web downloads and contains a virus, and you trigger it, then it has bypassed the firewall.

Let's try an analogy: imagine a fairground with lots of attractions:
(a) Dodgems
(b) Big Wheel
(c) Coconut Shy
(d) Hot Dog stall

Now it's a rather odd fairground, because you are only allowed to visit one attraction per visit; then you have to go out and come back in again to visit something else. Furthermore, from outside you can't see what attractions are inside. You have to know, either because the owner told you beforehand {=legitimate user} or by guessing {=hacker or virus/worm}. What you have to do is 'get' a ticket outside with the address of the Fair {=IP address}; you write on the ticket the queue-number {=Port number} of the attraction you want to visit, and you also write a message on the ticket.

On a fairground without a firewall, you go in through the open gate, and inside you find a set of queues, one for each queue-number, with an assistant who looks at your ticket and tells you which queue to join. But this assistant tries to be as helpful as possible and can often be confused by a complicated message or a forged ticket, so that he sends you into the wrong queue, or into one of the private staff queues that no-one from outside is supposed to use, or lets you sneak under a fence {=exploits}. If the queue-number is that of an attraction that doesn't exist in this Fair, you get no further: you wait in the queue, because no-one comes to fetch you, till you die of old age and the cleaner sweeps up your ashes and puts them in the trash.

When the fairground owner employs a firewall, this is equivalent to putting a turnstile at the gate of the Fair with a mean, tough Bouncer in charge of it. He is not attempting to be helpful at all; he looks only at the address on the ticket {=IP address} and at the attraction queue-number {=Port number}, and compares them against the list the management gave him. He is not confused by messages, 'cos he doesn't look at them. He is not confused by pleas that "my little brother is already inside, lost, and I need to find him". He is mean, really mean: if the address and queue-number are not on the list, he rips up your ticket and tells you to bugger off. The owner must of course be sure to put a firewall on every gate into the Fair, or make all the gates lead to the turnstile instead of straight into the Fair.

Now all that above describes what happens for an unsolicited visit to the Fair. For the staff {=you} already inside, if that was all that happened, you would starve to death 'cos no food would get in (you couldn't send out for a Pizza), nor would you get any Mail or Newspapers. So there is an extra check, which behaves like the pass-out tickets that you might have had at Night Clubs and Dance Halls in the past. When someone inside (staff) wants something from outside (e.g. Mail), they ask the outgoing dispatcher for a queue-number. The dispatcher asks the address of where the messenger is going {=destination IP address} and gives a queue-number from a pool of unused numbers {=allocates a high port number}. This number will then be reserved for that task for a few hours, or until it is cancelled as complete and returned to the pool. The dispatcher copies this information to the Bouncer {=Firewall}. Staff then send a messenger out with a ticket containing the destination address, the return address {=address of the fairground}, the allocated queue-number and the staff message. The messenger takes the ticket to the destination (say the Post Office) and the messenger's task is finished (he evaporates).

The Post Office finds the mailbox requested, bundles up the mail and sends a messenger back to the originating place with a copy of the ticket. When the messenger meets the Bouncer {=Firewall}, he is let in because the ticket information is on the temporary list, and the messenger goes to the relevant queue. The original staff member knows the queue-number and periodically checks the queue to see if the mail has arrived.

Your Computer Firewall

Now an ordinary personal computer corresponds to a Fairground with no public attractions; the only queues inside are for the internal activities of the computer, and you don't want any irritating callers coming in and trying to befuddle your queue assistant, or creeping into private queues. So you activate the Firewall and give it an empty list for unsolicited incoming messengers. The only list the firewall has is the temporary list for use by responses to outgoing messages. So no-one gets in uninvited and your system is more secure: not perfectly secure, but better than before.

There are snags, of course (there are always snags), and one of those affects NetMeeting and other Video/Audio services. The reason is simply that NetMeeting has many activities going on simultaneously:
(a) outgoing Audio
(b) outgoing Video
(c) incoming Audio
(d) incoming Video
(e) Sketchboard
(f) file transfer
(g) overall control

The protocol (H323) that it uses for audio and video was designed before firewalls became desirable, so its structure does not suit the message system described in the analogy above. What happens is that NetMeeting chooses an incoming audio or video channel {=Port number} and sends a message with those numbers embedded in the message itself, where the outgoing dispatcher does not look. So the dispatcher does not tell the firewall, and then when the incoming traffic arrives it appears to the Firewall to be unsolicited traffic, and it is rejected. The result is no incoming sound or no incoming picture.

The ideal cure is an intelligent firewall, which looks at the innards of the messages on the way out and says "aha, that is a H323 message defining a future incoming audio channel, so add that IP address + Port number to my temporary incoming list". The kludge solution is to give the firewall a list of all the likely incoming audio and video port numbers and tell it to let anyone in with those numbers, no matter what IP address they came from. NetMeeting/H323 tends to use a small range of low numbers for this purpose, so it works most of the time. Sometimes H323 chooses a high number, and your audio/video doesn't get through until you disconnect and restart the NetMeeting call. And of course having these holes in your firewall lets wandering hackers and viruses/worms try their luck at confusing the queue assistant or confusing NetMeeting.

Bill.
Revised on 14 Feb 2009
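As an added example (not part of Bill's post), here is a small Python simulation of the Bouncer, the dispatcher and the temporary list described above, and of the NetMeeting problem from the last section. A PC with an empty static list first handles an unsolicited caller, a genuine reply, a forged reply and a reply that arrives after the pass-out ticket has lapsed; then one NetMeeting call is run three ways: plain (the dispatcher never reads the message), "intelligent" (the firewall reads the outgoing message and pinholes the announced media ports) and the kludge (a port range opened to any address). All addresses, port numbers and the one-line "INCOMING AUDIO PORT n" signalling text are constructed stand-ins, not real H.323 messages; the only real protocol detail used is that H.323 call setup goes to TCP port 1720.

```python
import re
import time
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
MY_IP = "192.0.2.10"          # our "fairground"
POST_OFFICE = "198.51.100.5"  # a mail server the staff send out to
PEER = "198.51.100.9"         # the other end of a NetMeeting call
STRANGER = "203.0.113.7"      # an uninvited caller
ENTRY_TTL = 3 * 3600          # a temporary-list entry lives "a few hours"
ANY = "*"                     # wildcard: any source address / any source port


@dataclass(frozen=True)
class Packet:
    """A 'ticket': addresses, queue-numbers and the message written on it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class FakeClock:
    """Deterministic clock so expiry of the temporary list can be shown without waiting."""
    def __init__(self):
        self.now = 1_000_000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class StatefulFirewall:
    # Hypothetical one-line signalling text standing in for a real H.323 setup message.
    MEDIA_PORT_RE = re.compile(r"INCOMING (?:AUDIO|VIDEO) PORT (\d+)")

    def __init__(self, static_allow=(), alg=False, clock=time.time):
        self.static_allow = set(static_allow)   # the Bouncer's list: (src_ip or ANY, dst_port)
        self.alg = alg                          # "intelligent" firewall that reads outgoing tickets
        self.clock = clock
        self.pending = {}                       # temporary list: (remote_ip, remote_port, local_port) -> expiry
        self._pool = iter(range(49152, 65536))  # dispatcher's pool of unused queue-numbers

    def _expire(self):
        now = self.clock()
        for key in [k for k, exp in self.pending.items() if exp <= now]:
            del self.pending[key]

    def send(self, dst_ip, dst_port, payload=""):
        """Staff send a messenger out: the dispatcher allocates a queue-number and
        copies (where it went, which queue the reply is for) to the Bouncer."""
        self._expire()
        src_port = next(self._pool)
        self.pending[(dst_ip, dst_port, src_port)] = self.clock() + ENTRY_TTL
        if self.alg:
            # Read the message for media ports the peer will send to later and open a
            # pinhole for each: that peer only, any source port, that local port only.
            for port in self.MEDIA_PORT_RE.findall(payload):
                self.pending[(dst_ip, ANY, int(port))] = self.clock() + ENTRY_TTL
        return Packet(MY_IP, src_port, dst_ip, dst_port, payload)

    def inbound(self, pkt):
        """The Bouncer: looks only at addresses and queue-numbers, never at the message."""
        self._expire()
        if pkt.dst_ip != MY_IP:
            return "DROP"
        if (pkt.src_ip, pkt.dst_port) in self.static_allow or (ANY, pkt.dst_port) in self.static_allow:
            return "ACCEPT-static"
        if ((pkt.src_ip, pkt.src_port, pkt.dst_port) in self.pending
                or (pkt.src_ip, ANY, pkt.dst_port) in self.pending):
            return "ACCEPT-temporary"
        return "DROP"


def mail_scenario(clock):
    """A PC with an empty static list: only replies to its own requests get in."""
    fw = StatefulFirewall(clock=clock)
    out = {"unsolicited": fw.inbound(Packet(STRANGER, 40000, MY_IP, 135))}
    req = fw.send(POST_OFFICE, 110)                      # ask the Post Office for our mail
    out["reply"] = fw.inbound(Packet(POST_OFFICE, 110, MY_IP, req.src_port))
    out["forged"] = fw.inbound(Packet(STRANGER, 110, MY_IP, req.src_port))  # right queue-number, wrong address
    clock.advance(ENTRY_TTL + 1)                         # the pass-out ticket has lapsed
    out["late_reply"] = fw.inbound(Packet(POST_OFFICE, 110, MY_IP, req.src_port))
    return out


def netmeeting_scenario(mode, clock):
    """mode: 'plain' (dispatcher never reads the message), 'alg' (intelligent
    firewall) or 'kludge' (static holes for a constructed range of likely media ports)."""
    kludge = {(ANY, p) for p in range(49200, 49210)} if mode == "kludge" else ()
    fw = StatefulFirewall(static_allow=kludge, alg=(mode == "alg"), clock=clock)
    setup = fw.send(PEER, 1720, "H323 SETUP; INCOMING AUDIO PORT 49204; INCOMING VIDEO PORT 49300")
    return {
        "setup_reply": fw.inbound(Packet(PEER, 1720, MY_IP, setup.src_port)),
        "audio": fw.inbound(Packet(PEER, 5000, MY_IP, 49204)),         # media arrives from another port
        "video": fw.inbound(Packet(PEER, 5002, MY_IP, 49300)),         # port outside the kludge range
        "stranger": fw.inbound(Packet(STRANGER, 5000, MY_IP, 49204)),  # the hole the kludge opens
    }


if __name__ == "__main__":
    print("mail:", mail_scenario(FakeClock()))
    for mode in ("plain", "alg", "kludge"):
        print(f"netmeeting/{mode}:", netmeeting_scenario(mode, FakeClock()))
```

Running the file prints the four result tables. The "forged" case shows why the Bouncer checks the address as well as the queue-number, the "plain" NetMeeting run reproduces the no-sound/no-picture symptom, the "alg" run admits the media from the peer only, and the "kludge" run admits it from the peer and from the stranger alike, which is the hole the post warns about; the video port outside the opened range still fails, matching the "H323 chooses a high number" case.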