IT Security - not sexy, but essential
[Image: a brick wall on fire, to signify a firewall]

Most of us understand what a firewall is for. Fewer perhaps understand what it does, and probably fewer again understand how.

A traditional firewall inspects the traffic into (and out of) your network and decides whether or not to allow it based, essentially, on where it wants to go. Technically, it looks at packet headers (addresses and port numbers) and approves data destined for particular ports, without looking at what the data is.

Ordinarily, web traffic (HTTP and HTTPS) uses ports 80 and 443; outgoing email (SMTP) uses port 25; incoming email (POP3 and IMAP) uses ports 110 and 143.

If your organisation is hosting any of these services (it has its own website or in-house mail server, for example), these standard ports would need to be open for day-to-day operation, so the firewall would allow the traffic through.

More sophisticated firewalls are available and they don't cost the earth. These "next generation" firewalls look inside the data packets (deep packet inspection) and categorise the payload by the application or content it carries. This gives a much clearer indication of the traffic's intent.

To make an analogy: you see an advert for an event, you buy a ticket. This gains you entry. Would you expect to be frisked? I think so, so a security guard checks you and your bag. Nothing suspicious, so in you go.

A traditional firewall only looks at your ticket, sees that you have the correct ticket and lets you in. What about the bottle of wine you smuggled through in your bag? Or worse?

A recent nasty worm still proliferating wildly is called "Microsoft:Win32/Morto.A" (catchy). It sneaks through on port 3389 by guessing weak usernames and passwords. Port 3389 is traditionally the Terminal Services port, and a huge number of organisations have this port open for user-level or admin-level Remote Desktop. Once in, it snoops around looking for other machines that have port 3389 open. Remote Desktop has been a one-click option ever since XP ... that's a lot of machines.

A traditional firewall couldn't stop this attack because it isn't looking for it. Traffic to port 3389 is allowed, so the worm's logon attempts go straight through like any other Remote Desktop session.
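To make the difference concrete, here is a small added example (not code from the original post) that puts a port-only decision beside a payload-aware one. It assumes a simplified, constructed logon log ("timestamp source_ip dest_port username result") standing in for the events a Remote Desktop host records: the header rule passes every line because 3389 is open, while the second check flags a source that racks up repeated failed logons in a short window, which is exactly the password-guessing behaviour described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Each line is a
# simplified "timestamp source_ip dest_port username result" record standing
# in for the logon events a Remote Desktop host would produce.
SAMPLE_LOG = """\
2011-08-30T10:00:01 203.0.113.5 3389 administrator FAIL
2011-08-30T10:00:02 203.0.113.5 3389 admin FAIL
2011-08-30T10:00:03 203.0.113.5 3389 user FAIL
2011-08-30T10:00:04 203.0.113.5 3389 test FAIL
2011-08-30T10:00:05 203.0.113.5 3389 administrator FAIL
2011-08-30T10:00:06 203.0.113.5 3389 administrator OK
2011-08-30T10:05:00 192.0.2.10 3389 jsmith FAIL
2011-08-30T10:07:00 192.0.2.10 3389 jsmith OK
"""

OPEN_PORTS = {80, 443, 3389}  # assumed perimeter policy for this example


def header_rule_allows(dest_port):
    """A traditional firewall's decision: the port is the only thing checked."""
    return dest_port in OPEN_PORTS


def parse_line(line):
    ts, src, port, user, result = line.split()
    return datetime.fromisoformat(ts), src, int(port), user, result == "OK"


def find_password_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag each source with at least `threshold` failed logons on port 3389
    inside `window`, and note whether a later logon from it succeeded."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ts, src, port, _, ok = parse_line(line)
        if port != 3389:
            continue
        (successes if ok else failures)[src].append(ts)
    alerts = {}
    for src, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            hits = sum(1 for t in times[i:] if t - start <= window)
            if hits >= threshold:  # burst of failures from one source
                after = any(t > start for t in successes[src])
                alerts[src] = {"failures": hits, "success_after": after}
                break
    return alerts
```

Running `find_password_guessing(SAMPLE_LOG)` reports only 203.0.113.5 (five failures in a minute, then a success), while the single mistyped password from 192.0.2.10 is left alone.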

To inspect a payload without slowing the flow of data is a tough job and requires significant processing power, which is why next generation firewalls are only recently becoming feasible on an SMB's budget. A good firewall will check all data on all ports, including encrypted streams (note that inspecting HTTPS means the firewall must decrypt and re-encrypt the traffic, which needs its certificate installed on your machines). Watch out for false claims! A really good firewall will show you what's happening in real time and make it very easy for you to create rules based on what's taking place on your network, right now.

A good next generation firewall can also increase your business's productivity. No, really. It can categorise traffic at a very fine-grained level, allowing you, for example, to permit Facebook for business purposes but not for personal use.

If anything in this post confuses, worries or excites you - please get in touch. Leave a comment, DM me, call the office on 01363 881406 or leave a message.

Bow Software - digitally interactive