A firewall, whether it is hardware or software, controls the flow of network traffic in both directions, deciding which connections are allowed through and which are refused. A hub or switch, by contrast, makes no such decision: it simply passes frames from one device on the network to another, without asking whether the traffic should be there at all.
Common Hardware Firewall – NAT Router
The type of hardware firewall that we are most likely to see and touch is the wired/wireless router that we use to connect our broadband connections to our home networks. Units like the popular Linksys WRT54G serve not only as a router, which connects our home computers to a single Internet connection (our broadband, DSL or cable, link) but also serve as an excellent firewall. This router gets its firewall capability largely from NAT (Network Address Translation) and the connection tracking that NAT requires.
The router hands out a private IP (Internet Protocol) address to each computer on the home network using DHCP (Dynamic Host Configuration Protocol), usually in the form 192.168.1.X, where X is a number between 2 and 254 (the router itself normally takes 192.168.1.1; .0 and .255 are reserved as the network and broadcast addresses). Each computer on the network asks the router for an address and receives a unique one under a lease that is valid for a fixed period, commonly one day; the computer renews the lease automatically before it expires. The 192.168.0.0/16 range, like 10.0.0.0/8 and 172.16.0.0/12, is reserved for private networks (RFC 1918) and is not routed on the public Internet: a packet addressed to 192.168.1.2 cannot find its way to your home from outside, so the addresses form a private network. This is an important first step in protecting the home computers from attacks coming from the Internet-side of the router (the DSL/cable broadband connection).
When one of the computers on the private network (the computers in our homes) wishes to connect to a Web site, send e-mail, open an instant messaging chat session, or connect in any other way to a public Internet resource, the router kicks into NAT mode by automatically intercepting the workstation’s request, say to visit cogitoveritas.com. The router…
1. records the workstation’s IP address and port in its translation table, say 192.168.1.2, port 51234
2. rewrites the request so that its source is the router’s own public address (and a port the router picked for this connection) and forwards it to cogitoveritas.com
3. receives the Web page from cogitoveritas.com, addressed to that public address and port
4. looks up the port in its translation table to see which workstation requested the data
4a. finds that it was the workstation at IP address 192.168.1.2, port 51234
5. rewrites the destination back to 192.168.1.2 and sends the Web page to the workstation
6. the user at the workstation sees the Web page displayed in his or her Web browser.
All six steps take place in the blink of an eye, and the delay the router adds is so small that browsing is, in practice, no slower than if the workstation were plugged directly into the broadband connection (without the router’s being in the middle of the connection).
The neat security benefit of NAT (network address translation) is that cogitoveritas.com thought it was the router that made the request for the Web page; it never saw the address 192.168.1.2 at all. So, if I were running malicious software on my site, and I attempted to attack (crack into) the computer that requested the data, I would actually be attacking your router, and the router discards any packet arriving from the Internet that does not match a connection already in its translation table, that is, one that a computer on the private network did not start. This is the firewall benefit of using a NAT router on all broadband connections (even if only one computer were installed in the home). One caveat: the router’s port forwarding, DMZ host and UPnP features exist precisely to punch holes in this behaviour by accepting unsolicited inbound traffic and handing it to a chosen computer, so leave them switched off unless you know you need them.
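The six-step exchange above, and the rejection of unsolicited packets that follows from it, can be shown with a toy translation table. This is an added example, not the blog’s code and not how any Linksys firmware is implemented: the LAN 192.168.1.0/24, the router’s public address 203.0.113.10 and the address 198.51.100.7 standing in for cogitoveritas.com are all constructed for the illustration.

```python
"""Toy NAT router: a translation table keyed by the public source port.
Added example; addresses and ports are constructed, not captured traffic."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatRouter:
    def __init__(self, public_ip: str, lan: str = "192.168.1.0/24") -> None:
        self.public_ip = public_ip
        self.lan = ipaddress.ip_network(lan)
        # public source port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self.next_port = 40000          # assumed starting point for chosen ports
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: steps 1 and 2. Record the workstation, rewrite the source."""
        src = ipaddress.ip_address(pkt.src_ip)
        if src not in self.lan or not src.is_private:
            raise ValueError(f"{pkt.src_ip} is not an address on the private LAN")
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, known in self.table.items():
            if known == flow:            # same connection, reuse its mapping
                break
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[pub_port] = flow
        # What the Web site sees: the router's address, never 192.168.1.2.
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: steps 3 to 5. Deliver only if the table says a LAN
        computer started this connection; otherwise drop the packet."""
        flow = self.table.get(pkt.dst_port)
        if (pkt.dst_ip != self.public_ip or flow is None
                or flow[2:] != (pkt.src_ip, pkt.src_port)):
            self.dropped.append(pkt)
            return None
        lan_ip, lan_port, _, _ = flow
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.payload)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet], int]:
    """Walk one Web request through the router, then one unsolicited attack."""
    router = NatRouter("203.0.113.10")
    request = Packet("192.168.1.2", 51234, "198.51.100.7", 80, "GET / HTTP/1.1")
    on_the_wire = router.outbound(request)
    # The site replies to whatever source it saw, i.e. the router's public port.
    reply = Packet("198.51.100.7", 80, on_the_wire.src_ip, on_the_wire.src_port,
                   "HTTP/1.1 200 OK")
    delivered = router.inbound(reply)
    # Same site now tries to open a connection nobody inside asked for.
    attack = Packet("198.51.100.7", 4444, "203.0.113.10", 3389, "unsolicited")
    blocked = router.inbound(attack)
    return on_the_wire, delivered, blocked, len(router.dropped)


if __name__ == "__main__":
    wire, ok, bad, n_dropped = demo()
    print("site saw:", wire.src_ip, wire.src_port)
    print("reply delivered to:", ok.dst_ip if ok else None)
    print("unsolicited packet delivered:", bad is not None, "| dropped:", n_dropped)
```

The point to notice is that nothing in `inbound` is a deliberate security rule; the attack is dropped only because no table entry exists for it. A port-forwarding or DMZ rule on a real router is exactly a permanent entry added to that table by hand, which is why enabling those features reopens the door.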
Common Software Firewall
Software firewalls run on the PC itself and do not offer NAT services; instead they filter the connections reaching (and, in many products, leaving) that one computer, and so block most of the common malicious attacks that may be directed at a PC (installation of remote control software, key logging software, and worms that spread by connecting to listening services).
Software firewalls, such as those from Symantec, McAfee, and Computer Associates (the last being my favorite), usually work with their sister programs that offer antivirus and antispam protection to block access to the computer from the network to which the computer is connected.
I strongly recommend that broadband users use both a hardware and a software firewall, as the combination will protect a Microsoft Windows XP computer from all but the most tenacious and talented attackers. I do not know of any reliable attack methods that can be assured of working against a NAT router that do not involve the home user’s interaction (such as opening a malicious e-mail attachment). NAT routers are, for all intents and purposes, still considered secure. However, since malware can be distributed by e-mail and by visiting, yes–just visiting, a Web site, the software firewall is needed to protect against malicious software that has now passed through the NAT router (because the user downloaded the e-mail or visited the affected Web page).
Whew! Did I explain it to you in plain-enough language?
If you would like to become a digital security expert, I suggest two references, although it will take you a bit of time to cull through all of the material. I have posted a long list of digital security-related articles on my student resources site. Start your research there. I also heartily suggest listening to Steve Gibson’s interviews on the Security Now! podcast. Recordings and transcripts are available on his site. New podcasts are released every Thursday afternoon. Of the 50 podcasts to which I subscribe, this is the one that I never miss…I may skip some of my New York Times book reviews and my Scientific American podcasts, if I am short of time, but I never miss Steve Gibson’s talks…they are, literally, the best source of digital security information for consumers and businesses available today.