FireBrick FAQ

Why do I need a firewall ?
As you will know if you have ever set up a network of Windows computers, even if
only a couple connected together at home, you can share files and printers
between the computers. This is one of the benefits of networking and is the same
to various extents for Windows, Macs, Unix, and many operating systems.
What you may not realize is that when you connect to the internet, you may be
opening up that same ability to share files and access your hard disk to anyone
in the world. On top of the normal file sharing, there are often programs
running on your machine and loopholes and bugs in programs which will allow
various types of access from the outside world.
It is normally possible to configure your computers carefully, but even then
it is very difficult to be sure you have plugged every possible way in to your
network.
With a permanent internet connection using real internet addresses you leave
your network much more open to attack. Even dialling up using a modem may have
risks, but this is usually for a short period of time and you are connected to
only one, attended, computer. If your network is connected all of the time then
you may be unaware of any problems until well after the damage is done. The
threat can come from any number of sources, so even if you think "Why
would someone want to hack in to my network?" it does not matter as
there are plenty of bored people out there who just like causing havoc.
A firewall is a way of stopping everything from coming on to your network.
This is great, but if that is all a firewall did then you may as well use
scissors to disconnect yourself from the world. The clever bit about a firewall
is that having stopped everything, it then lets specific things through. Just
the specific things you want. That way, instead of having to try and find and
plug all of the holes in your network, you simply have to let through specific
traffic as you need to - it is erring on the side of caution.
The main thing the FireBrick® does out of the box is ensure all replies
are allowed back in. This means when you access a web page your request goes
out, and the reply (the web page itself) is allowed back in to your network.
This may seem simple enough, but it involves tracking every session from
every computer on your network, and is called stateful inspection.
Of course there are other reasons for wanting a firewall - you might want to
restrict, control or monitor what goes out of your network.
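The stateful inspection described above, written out as a small simulation. This is an added example for illustration, not the FireBrick's own code: the protected network prefix, the traffic trace and the addresses (documentation ranges) are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed example: a toy stateful packet filter showing the "replies are
# allowed back in" behaviour. Addresses are documentation ranges (RFC 5737 /
# RFC 1918) chosen for the example, not real hosts.
INSIDE_PREFIX = "192.168.1."   # assumed: the protected network behind the firewall


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFilter:
    """Default deny inbound; remember outbound sessions; admit only their replies."""

    def __init__(self) -> None:
        # Each entry is (inside ip, inside port, outside ip, outside port, proto)
        self.sessions: Set[Tuple[str, int, str, int, str]] = set()

    @staticmethod
    def is_inside(ip: str) -> bool:
        return ip.startswith(INSIDE_PREFIX)

    def handle(self, pkt: Packet) -> str:
        """Return "allow" or "drop" for one packet, updating the session table."""
        if self.is_inside(pkt.src_ip) and not self.is_inside(pkt.dst_ip):
            # Outbound request: record the session so its reply can come back.
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return "allow"
        # Inbound: allowed only if it is the mirror image of a tracked session.
        reply_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reply_key in self.sessions:
            return "allow"
        # Anything unsolicited, including probes at file-sharing ports, is dropped.
        return "drop"


def demo() -> List[str]:
    """Run a short constructed traffic trace through the filter."""
    fw = StatefulFilter()
    trace = [
        Packet("tcp", "192.168.1.5", 40000, "198.51.100.10", 80),   # web request out
        Packet("tcp", "198.51.100.10", 80, "192.168.1.5", 40000),   # the web page back
        Packet("tcp", "198.51.100.10", 80, "192.168.1.5", 40001),   # wrong port: not a reply
        Packet("tcp", "203.0.113.7", 51234, "192.168.1.5", 445),    # unsolicited file-sharing probe
    ]
    return [fw.handle(p) for p in trace]


if __name__ == "__main__":
    print(demo())
```

The last packet in the trace is the case the opening of this FAQ is about: a connection from the outside to a file-sharing port on a machine that never asked for it. Because no session matches, the filter drops it without any per-machine configuration. A real implementation also expires idle sessions and checks TCP flags, which this toy version omits.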
Why is the FireBrick® different from other firewalls ?
The FireBrick® is simple to use. Out of the box it operates just
like a network hub (using stealth mode). This means that
if you already have a network connection to the internet set up (e.g. ADSL)
then you just plug the FireBrick® in between the internet and your
computers and you have a firewall.
Out of the box the FireBrick® will block all traffic from the
outside except for replies to your outgoing requests.
You can change the ports allowed through by accessing http://my.firebrick.co.uk/
and changing the tick boxes. This is also the way to set up much more
sophisticated configurations if you need.
What is a Stealth firewall ?
Stealth firewalls operate completely transparently to the network. They do not
show up on any network scans or port scans. The tools that hackers might use to
identify a firewall will not help them. It means that you can plug it in to your
network and the network still operates without any reconfiguration.
Normally with a conventional firewall you have to set up a different subnet
each side of the firewall. A conventional internet leased line will need an
extra routing entry to understand that you have a firewall (and most ISPs
supplying leased lines will happily do this for you). However, some types of
internet connection (notably ADSL via BT) can't work like
this. This means you cannot set up two separate external subnets one of which is
behind a firewall.
The FireBrick®'s stealth mode means that it can sit in the middle,
passing data both ways like a hub, but still blocking any unwanted traffic from
entering your network. Obviously the FireBrick® can operate like a conventional
firewall if that's what you need.
What is DHCP ?
You may have encountered automatic IP setting on your computer. This is a
method of setting the addresses of the computers on your network automatically. ADSL
connections can, for example, provide DHCP so that each machine on your network
gets an address automatically.
In stealth mode the FireBrick® will simply
allow the DHCP requests through from your router to your computers as if it was
not there. However, if you are configuring your network with different subnets, you can
make the FireBrick® get an address automatically from your own DHCP
server or router. You can also set it up as a DHCP server, allocating IP
addresses to the computers on your network. This is quite a common configuration
when using NAT and a block of private addresses on your main
network. What is really neat is that you can also make it give a machine the
same address every time it is on the network. This gives laptop users the
flexibility of DHCP while the administrator of the network always knows what
their IP address is, because the FireBrick® will always give it the same
number.
What is NAT ?
Sometimes you do not need to have all of your computers allocated real public
internet addresses. A public IP address is one that is unique in the world and
allows machines to connect to your machine (firewall permitting). All web pages
that you go to have public IP addresses.
In some cases you don't need this. If you have 100 computers in an office,
they all need to access the internet, but they don't all need to be accessed by
the internet. Perhaps only a few addresses are needed for web servers and email
servers.
In this case, you would normally set up private addresses for the machines
inside your firewall. Private addresses are special reserved addresses that will
never be used on the internet as a whole. They are 10.X.X.X, 172.16-32.X.X or
192.168.X.X. You should never just make up addresses unless they are within
these special ranges.
When a machine on a private address tries to access the internet, for example
a web site, the other end must have a way to send back the replies. It cannot
send to the private address as it does not exist in the outside world. So what
happens is that the FireBrick® changes the address of the outgoing
request to be its public address. When the reply comes back to the FireBrick®
it works out which of the private addresses the original request came from, and
changes the address back and sends the reply on to the right computer in your
network. This process is called Network Address Translation.
NAT does have some limitations. Some protocols communicate the actual address
of the computers as part of the information they send and so don't work.
Think of it like this. You have people in a building, and they can send
letters (internal mail) with addresses like "room 202". This is fine
inside the building, but whenever a letter is sent out to someone outside the
building the post room changes the reply address on the envelope to the real
building address that the post office understands.
When someone replies, they send a letter back to the real postal address, and
the post room looks up which room it came from and puts the reply in internal
mail to, say, room 202.
But, if inside the letter you write "please reply to 'room 202'"
then the reply goes in the post-box with just "room 202" on the
envelope. The post office has no idea where that is, and throws it away or
sends it back.
Some protocols do this, so don't work with NAT. One such protocol is ftp
(the file transfer protocol). Fortunately this has a passive mode which changes
the way the data is transferred and will normally mean you can get past a NAT
system. Some games however don't have ways around this and may simply not work.
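The address rewriting described under "What is NAT ?" and the "please reply to room 202" problem described just above, as one added simulation. This is illustration code, not the FireBrick's own implementation: the public address, the port range it hands out, the remote hosts (documentation ranges) and the sample payloads are constructed for the example. The private ranges are the RFC 1918 blocks, written as 172.16.0.0/12 for the middle one.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example: a toy NAT box, plus a check for payloads that carry a
# private address which NAT did not rewrite (the ftp-style limitation).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True for the reserved private ranges; False for anything else or non-addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class Nat:
    """Rewrite outgoing source addresses to one public address; map replies back."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.to_inside: Dict[int, Tuple[str, int]] = {}   # public port -> (private ip, port)
        self.to_public: Dict[Tuple[str, int], int] = {}   # (private ip, port) -> public port

    def outbound(self, pkt: Packet) -> Packet:
        """Replace the private source with the public address and a unique port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.to_public:           # first packet of a new session
            self.to_public[key] = self.next_port
            self.to_inside[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.to_public[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply back to the private host, or None if no session maps to it."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.to_inside:
            return None                          # unsolicited: nothing to map, dropped
        inside_ip, inside_port = self.to_inside[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.payload)


# Matches dotted-quad addresses and the comma-separated form used by ftp's PORT command.
_ADDR_RE = re.compile(r"\b\d{1,3}(?:[.,]\d{1,3}){3}\b")


def private_addresses_in_payload(pkt: Packet) -> List[str]:
    """Addresses inside the data that NAT did not rewrite and the far end cannot reach."""
    found = []
    for tok in _ADDR_RE.findall(pkt.payload):
        candidate = tok.replace(",", ".")
        if is_private(candidate):
            found.append(candidate)
    return found
```

`Nat.outbound` and `Nat.inbound` only ever touch the packet headers. The ftp active-mode `PORT` command puts the private address in the data instead, so `private_addresses_in_payload` on the translated packet still reports it: that is the letter with "please reply to room 202" written inside. Passive mode avoids the problem because the client, not the server, opens the data connection, so the server never needs the client's address.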
What is Traffic Shaping ?
Normally, all of the computers on your network using your internet connection
get a share of the overall connection speed. Computers demanding more data get a
bigger share of the internet link, and so can effectively hog the link and slow
everyone else down. Also, in a managed office, for example, you may have tenants
who are paying for a specific internet connection speed.
Traffic shaping is a system of controlling the speed of internet traffic.
For a managed office you can set up each tenant to have a specific limit on
their usage. You can also set up certain types of traffic to have limited use.
This means you can manage your internet connection better.
The FireBrick® lets you have a number of different speed
limited streams (speed lanes), and you can set up the rules for what sort of
data to/from where is attached to each stream. Unlike some systems where the
data is simply capped, giving an irregular and jerky throughput, the FireBrick®
works using a system called packet scheduling which makes sure the data
flows smoothly and consistently at the speed you have set.
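The difference between a simple cap and packet scheduling, as an added simulation (not the FireBrick's own scheduler). The lane names, rates, the per-tenant classifier and the burst of packets are constructed for the example; the hard cap is modelled as a per-second byte budget, and the scheduler as one that delays packets so a lane never drains faster than its rate.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed example: two ways of holding a stream to a speed limit.


@dataclass(frozen=True)
class Packet:
    arrival: float     # seconds
    size: int          # bytes
    src_ip: str


class HardCap:
    """Per-second byte budget: anything over the budget in a window is dropped."""

    def __init__(self, rate_bytes_per_s: float) -> None:
        self.rate = rate_bytes_per_s

    def run(self, packets: List[Packet]) -> List[Tuple[float, int]]:
        used: Dict[int, int] = {}
        delivered = []
        for p in sorted(packets, key=lambda x: x.arrival):
            window = int(p.arrival)
            if used.get(window, 0) + p.size > self.rate:
                continue                         # over budget this second: dropped
            used[window] = used.get(window, 0) + p.size
            delivered.append((p.arrival, p.size))
        return delivered


class PacketScheduler:
    """Paces packets so the lane drains at a steady rate; nothing is dropped, only delayed."""

    def __init__(self, rate_bytes_per_s: float) -> None:
        self.rate = rate_bytes_per_s
        self.lane_free_at = 0.0

    def run(self, packets: List[Packet]) -> List[Tuple[float, int]]:
        departures = []
        for p in sorted(packets, key=lambda x: x.arrival):
            start = max(p.arrival, self.lane_free_at)       # wait for the lane to clear
            self.lane_free_at = start + p.size / self.rate   # time this packet occupies the lane
            departures.append((start, p.size))
        return departures


def throughput(events: List[Tuple[float, int]], rate: float) -> float:
    """Average bytes/s from the first departure until the last packet has fully drained."""
    if not events:
        return 0.0
    first = events[0][0]
    last_start, last_size = events[-1]
    return sum(s for _, s in events) / (last_start + last_size / rate - first)


def burst(n: int, size: int, src: str) -> List[Packet]:
    """Constructed input: n packets arriving at once, the 'hogging the link' case."""
    return [Packet(0.0, size, src) for _ in range(n)]


def shape_by_tenant(packets: List[Packet], lanes: Dict[str, float],
                    classify: Callable[[Packet], str]) -> Dict[str, List[Tuple[float, int]]]:
    """One scheduler per speed lane; the classifier decides which lane a packet belongs to."""
    schedulers = {name: PacketScheduler(rate) for name, rate in lanes.items()}
    grouped: Dict[str, List[Packet]] = {name: [] for name in lanes}
    for p in packets:
        grouped[classify(p)].append(p)
    return {name: schedulers[name].run(grouped[name]) for name in lanes}
```

Feeding a burst of ten 1000-byte packets into an 8000 byte/s lane, the hard cap delivers eight and discards two (the senders then retransmit, which is the jerky behaviour), while the scheduler delivers all ten spaced 125 ms apart and the lane averages exactly 8000 byte/s. `shape_by_tenant` shows the managed-office case: each tenant's traffic is classified into its own lane and paced independently.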
What is Tunnelling ?
When you have an office that is using private addresses, it is impossible to
access machines on those private addresses from outside. The addresses are
simply not visible from the internet.
If you have two or more offices, each using a different set of private
addresses, and each connected to the internet using NAT, then
you might want the offices to be able to communicate directly.
Tunnelling allows you to create a link between the two offices so that there
is a way for machines in one office to directly access machines in the other
office using their private addresses. This would allow file sharing and printing
and other networking operations.
It works by making a link between the public addresses of the two FireBrick®s
and carrying the private addresses data over that link.
The link uses secret passwords that are never seen on the internet, and
checks that the link is from the correct public address for the other FireBrick®.
This means nobody else can pretend to be your other office and get access to
your network.
The FireBrick® supports a number of separate tunnels at once,
allowing a virtual private network (VPN) to be set up.
You can, of course, restrict what is allowed to go through the tunnels using
the firewall controls.
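The two checks described above (a secret that is never sent over the internet, and a check that the link comes from the other office's public address) as an added illustration. This is not the FireBrick's wire format: the example assumes HMAC-SHA256 as the keyed check, a frame layout of counter, inner packet and tag, and a per-frame counter to refuse replayed frames, all chosen for the illustration.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed example: authenticating tunnel frames between two public
# addresses with a shared secret that never appears on the wire.
TAG_LEN = 32     # SHA-256 output length
HDR_LEN = 8      # 64-bit frame counter


class TunnelEndpoint:
    def __init__(self, shared_secret: bytes, peer_public_ip: str) -> None:
        self.secret = shared_secret          # configured at both ends, never transmitted
        self.peer_public_ip = peer_public_ip # the only address frames are accepted from
        self.send_counter = 0
        self.highest_seen = 0

    def wrap(self, inner_packet: bytes) -> bytes:
        """Frame a private-address packet for the public link: counter || data || tag."""
        self.send_counter += 1
        header = struct.pack("!Q", self.send_counter)
        tag = hmac.new(self.secret, header + inner_packet, hashlib.sha256).digest()
        return header + inner_packet + tag

    def unwrap(self, src_public_ip: str, frame: bytes) -> Optional[bytes]:
        """Return the inner packet, or None if any check fails."""
        if src_public_ip != self.peer_public_ip:
            return None                      # not from the other office's public address
        if len(frame) < HDR_LEN + TAG_LEN:
            return None                      # too short to carry a header and a tag
        header, body, tag = frame[:HDR_LEN], frame[HDR_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.secret, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # wrong secret, or frame altered in transit
        counter = struct.unpack("!Q", header)[0]
        if counter <= self.highest_seen:
            return None                      # replayed or out-of-order frame
        self.highest_seen = counter
        return body
```

Only someone holding the secret can produce a valid tag, so a frame sent from a spoofed public address, an altered frame, or a captured frame sent again are all refused. Note that this example authenticates the frames but does not encrypt the inner packet; a VPN that must also keep the office traffic private adds encryption on top of this kind of check.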
How does it work with ADSL ?
ADSL via BT is available in two flavours. NAT and no-NAT. The
NAT version uses private addresses on your network and allows no incoming
connections. As such a firewall is not very helpful.
The no-NAT version provides a real block of IP addresses on your network.
This means that the BT supplied ADSL router has an IP address, and your
computers have IP addresses, all on the same public subnet. Each of your
computers has the BT ADSL router IP address as their Gateway IP address.
They send all packets that go to the internet via the BT ADSL router. To use
the FireBrick® on an ADSL line, you simply connect the FireBrick® hot port
(the one on its own on the left) to the BT ADSL router, and your computers to
any of the FireBrick® Hub ports (the four on the right hand side). That is it:
you are now running in stealth mode. You may need to configure your firewall
to let through certain types of packets, and you may want to come out of
stealth mode so that you can remotely configure your FireBrick®; to do that
you just go to http://my.firebrick.co.uk
Viruses are simply programs. Your computer runs programs all of the time. What
makes a virus special is that it changes other programs on your computer and
will try and make sure it copies itself on to other computers. Typically they
are attached to email or inside documents attached to email.
There is no difference between any program you download from a web page or
receive via an email and a virus. They are both just binary data attachments or
files.
Virus scanners attempt to look at the data in email and web pages to try and
see if there is a known virus included. Some anti-virus programs will try and
trap the operation of a virus - where it tries to change existing programs on
your computer - and stop it.
Virus scanning can never be 100%, partly because it can only look for known
viruses, and partly because viruses could be included in compressed or encrypted
data which the virus scanner cannot look in to. This also means that a virus
scanner is only as good as its database of known viruses, and the speed of the
supplier at updating the database.
The FireBrick® is a firewall, and not a
virus scanner. There are a number of programs available to check for viruses on
PCs, and also many ISPs provide services that can pre-screen email for viruses.
The FireBrick® can be instrumental in enforcing some virus
checking policies. For example, it can be set up to only allow incoming mail
from your ISP's virus scanner and not from anyone sending it directly to your
machines and bypassing the scanner.
One of the biggest defences against viruses is common sense. Don't run
anything you don't recognize. Don't run programs that have been emailed,
even if they appear to be from a friend, without first checking.
How do firewalls work?
Firewalls look at the packets. Each packet carries information about itself:
where it is from and where it is going.
Where it has come from and where it is going are the main attributes used for
filtering.
The address is made up of three parts. The first part is the IP address, a
number written as four blocks of up to three digits, for example my IP address
is 217.169.0.14. The other important bit of information for certain types of
data is the port number. Web servers normally use port 80, ftp uses port 20,
mail ports 25 & 110, and so on.
For example, I have used software to remotely connect to my desktop PC in the
office from my laptop at home. The remote control software uses two
ports, 5631 and 5632. Now I could have a hole in my firewall that allows
anyone access to my machine on ports 5631 and 5632, but anyone with the right
software and enough time could crack my password and get control of my
desktop. So I don't allow anyone access; I only let my home IP
address have access. So the rule is: only packets that have come from my home IP
address and that are going to port 5631 or 5632 of my office desktop are
allowed. Now, whilst I can access it from home, I am pretty sure that
nobody from anywhere else can get in.
What if they faked the packet so it looked like it was from my home machine?
No problem: the software will reply to them at that address, and as that
address is my machine at home, they will get nothing.
So firewalls use the to and from addresses and the ports.
They can also use the type of packet. There are hundreds of types of packet,
and some of these also use ports. (There are only three common packet types,
ICMP, UDP and TCP; you are unlikely to encounter any of the others. ICMP does
not use ports but the other two do.)
So that is how a firewall identifies packets; the next thing is what to do
about them. There are four basic options.
Drop: this just does nothing. It does not allow the packet through, and it
does not reply to the packet.
Allow: this lets the packet through as though there was no firewall.
Reject: this does not allow the packet to get through, and sends a message
back to the originator advising them that there is a firewall in the way.
Bounce: this does not allow the packet to get through; it also replies to the
address, but in a manner designed to confuse.
The best firewalls will have a delay before sending the reject or
bounce. This is to prevent attacks such as ping of death, which try to
fill your buffers and network connections to overflowing and grind you to a
halt.
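The rule matching and the four actions above, as an added rule evaluator that is not the FireBrick's own configuration or code. It uses the remote-control scenario from this section as its sample policy, with documentation-range addresses standing in for the home machine and the office desktop; the reply strings for reject and bounce are placeholders, since the text does not describe their format, and the reply delay is a constructed value.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: first-match rule evaluation over source/destination
# address, packet type and destination port, with the drop/allow/reject/bounce
# actions and a delay before any reply is sent.


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # ICMP has no ports
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "drop", "allow", "reject" or "bounce"
    src_net: str = "0.0.0.0/0"       # any source unless narrowed
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any packet type
    dst_ports: Tuple[int, ...] = ()  # empty matches any port

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(p.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dst_ports and p.dst_port not in self.dst_ports:
            return False                 # also excludes ICMP, which carries no port
        return True


# What, if anything, goes back to the sender for each action.
REPLIES = {
    "drop": None,                        # silence
    "allow": None,                       # the real destination replies, not the firewall
    "reject": "icmp-admin-prohibited",   # placeholder for the "firewall in the way" message
    "bounce": "confusing-reply",         # placeholder; format not described in the text
}


class Firewall:
    def __init__(self, rules: List[Rule], default: str = "drop",
                 reply_delay_s: float = 1.0) -> None:
        self.rules = rules
        self.default = default               # what happens when no rule matches
        self.reply_delay_s = reply_delay_s   # assumed delay before reject/bounce replies

    def decide(self, p: Packet) -> Tuple[str, Optional[str], float]:
        """First matching rule wins. Returns (action, reply to the source, delay before it)."""
        action = next((r.action for r in self.rules if r.matches(p)), self.default)
        reply = REPLIES[action]
        delay = self.reply_delay_s if reply is not None else 0.0
        return action, reply, delay


def office_policy() -> Firewall:
    """Constructed policy for the remote-control scenario: only the home address
    may reach the desktop's two remote-control ports; other attempts are rejected
    after a delay, and everything else falls to the default drop."""
    home, desktop = "203.0.113.5/32", "198.51.100.20/32"
    return Firewall([
        Rule("allow", src_net=home, dst_net=desktop, proto="tcp", dst_ports=(5631, 5632)),
        Rule("reject", dst_net=desktop, proto="tcp", dst_ports=(5631, 5632)),
    ])
```

The default of drop is what gives the "stopped everything, then let specific things through" behaviour from the start of this FAQ: a packet has to match an explicit allow rule or it goes nowhere. Reject and bounce only differ from drop in what the sender hears back, and the delay before that reply is the buffer-filling countermeasure the text describes.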