Help ! My firewall leaks !

Firewall

This question calls for an ambivalent answer: ‘Probably yes, probably no.”

Let’s first see what’s this famous firewall before coming with an answer.

The firewall

The firewall is your door to go forth and back on the Internet, be it to surf or to exchange emails. As any door, it is open – even slightly – or closed.

Our personal computers open this door each time we want to visit a website or send an email. They are supposed to close the door once we stop surfing or once the email is gone.

Basic version

The Firewall is a software tool that monitors and controls what enters and exits; it blocks what we’ve written in the rules. The one integrated to the Operating System (Windows, Mac OS, Android, etc.) has three levels: High – Medium – Low.

We have to choose what level we want; otherwise the ‘Low’ level is applied. The ‘High’ level will constrain us as it controls many things what takes time.

Special version

If we buy an ‘Internet Security’ pack – generally with an antivirus – this firewall will take the control. It’s more complex to tune because we have to precise some rules.

Problems

  1. These devices generally only control what comes in. They consider we decide what goes out and a control isn’t hence necessary.
  2. Malware we ‘eat’ so easily can modify the rules as they please. They can bring out information without we even notice.
  3. This ‘door’, even controlled, directly gives access to our living room. If there is wind outside, it’ll refresh everything inside. The intruder at the door is able to directly see what may interest him inside our computer.

Firewall infrastructure

Pro version

Professionals replace the door by an airlock or safety door like in the banks or submarines. There are two doors and ‘in between’ a buffer zone.

This zone between the two doors is called ‘demilitarized zone’ (DMZ) and it contains all basic services that do not contain sensitive information and make the exchanges possible. One of the devices of the DMZ is the system that monitors and logs all activities.

The Pro version hence uses 1 firewall (= door) at both ends of the DMZ.

How does it work?

  • All entering traffic must comply with some rules to be authorized through the entry door
  • Within the DMZ the request is given. If it’s valid, the request is passed ‘inside’ through the second door with its specific rules
  • The answers comes back through this ‘rear door’ and, after verification, is transmitted to the requester through the ‘entry door’ if it complies with the exit rules.

It seems complicated, but if you compare to the entrance to your bank agency or an airport, it becomes clear:

  • You use your bank card to open the entry door / you get your boarding pass and go through the emigration control (with this boarding card and your passport)
  • There you have different services such as ATM, machines to deposit banknotes, make a transaction / the tax free shops along with the X-ray controls for yourself and your belongings you take into the cabin
  • If you need to enter the bank agency for a specific service with an appointment, you have to ring the bell / you present again your passport and boarding pass to get into the plane.

The monitoring system sees all what comes in, notes the refusals, logs the internal flows and all what goes out the DMZ. In both directions.

The problem

  1. The key issue lays in the rules: if they are too loose, it’s a sieve; if they are too numerous or too strict, its takes time or it stops too much. It requires hence specific skills to fix this firewall:
    There is a need to clearly describe what may come in and go out, and under which conditions.
  2. The monitoring system must also be tuned to see a maximum of things and to log what ‘seems to be useful’. The DMZ administrator uses then tuned tools to trigger an alert when something dubious happens.
  3. Malware are frequently designed to go through the maze. They modify or deceit the rules to allow exiting information that is their providers worth: names lists (such as in the France Television case), sensitive files and other data whose sale or use can bring a lot of money.

 

Did I – again – create fear in your mind? It’s for a good cause.

An informed Internet surfer is worth two – and if it could be four, it’d be even better 😉

 

Your remarks are welcome, share them.

See you soon, more secure with your information

Jean-Luc

© Mats Tooming | Dreamstime Stock Photos

Leave a Reply

Your email address will not be published. Required fields are marked *