Mr. Hely covers the area between the bare basics and more technical
details so clearly in "Firewalls Defined" that I have placed his
article here, word for word, for all of us to experience. It is from
"How Safe is Your Success" - a series of eight articles by Bill Hely
which address different aspects of a universal problem of particular
importance to all of us who use the Internet - our online security.

For most "average" computer users, hearing the word "firewall"
usually evokes one of two responses. The first is along the
lines of "Oh, that's complex big-business stuff - it's not
something I need or could afford". The other group, probably
due to exposure to advertising, online forum discussions, etc.
automatically associates "firewall" with a software brand such
as the well known ZoneAlarm. The latter group have the edge.
At least they know that a firewall is (or more correctly, can
be) a consumer item they could purchase and install if they
were so inclined.

The two types we'll discuss are software and hardware
firewalls. The latter usually takes the form of a small "black
box" that plugs into your Internet connectivity device (e.g.
cable, ADSL or dial-up modem) and also into your PC or into
some network component such as a Hub or Switch. By the way,
"black boxes" are almost never black; the term simply denotes
a device whose exact inner workings are irrelevant to the
discussion. It is only what goes in and what comes out that

Now, the nature and purpose of this article dictates that I
don't tell all of the story all of the time. For example, I am
now telling you there are two types of firewall to consider.
In actual fact the number of "types" depends entirely on how
you choose to categorize them. For our purposes a simplistic
breakdown is both adequate and legitimate.

Frequently called a Personal Firewall because it only protects
one PC, a software firewall is, as the name suggests, simply a
computer program. What software and hardware Firewalls have in
common is that they both receive, inspect and make decisions
about all incoming data before passing it on to other parts of

A most important difference between software and hardware
firewalls is that the hardware Firewall doesn't control
outbound communications to any significant degree. This
becomes a real problem once some scumware program that has the
capability to communicate back out to the Internet gets into
your hard drive.

On the other hand, the software Firewall offers strong control
over both incoming and outgoing data. You will be justified in
wondering why you need to use two different types that both
control incoming connections. There are several reasons but,
from the point of view of a computer user, as good a reason as
any is much improved usability.

The software Firewall's control over incoming connections is
quite powerful. Using its programmed intelligence, it can
analyze incoming data streams. However, it cannot make final
block or allow decisions without your help until you have
taught it how to respond to different situations. It needs
to learn as it goes. In short, the software type will
frequently need to ask you to make decisions on what to do
about certain incoming data packets - whether to allow them in

That's fine, until the frequency of the alarms becomes
distracting to the point of being annoying. While you are
trying to concentrate on other things in the face of these
interruptions, there is a very real risk that you will take
the easy way out and command the software Firewall to always
allow or always deny such data packets, without giving
careful thought to the consequences - which could be
significant either way.

The hardware Firewall, on the other hand, enforces a very
simple policy on incoming connections: if the connection
wasn't requested by a PC from within its walls, the
connection is refused or ignored. In most situations such
simplistic decision making is quite OK. If you think about
that for a moment, you will see that the stubborn
inflexibility of the hardware Firewall makes the software
Firewall's job much easier. You'll recall that the hardware
device is a perimeter Firewall placed between your PC (or
your network) and the Internet, so it gets first look at any
incoming data. The software Firewall is on a local PC and thus
inside the perimeter, so it only gets to see incoming data
that has survived the hardware Firewall. And the only incoming
data that does survive is that requested by an internal PC in
the first place.

With a hardware Firewall in place, there will be less
questionable incoming traffic for the software Firewall to
analyze, thus fewer excuses for it to bother you with a
request for a decision. And therefore fewer chances for you to
give a dangerous answer.

This improvement in usability is not a minor matter. The
difference can be so pronounced that people who install a
hardware Firewall after having a software type in place for a
while, begin to wonder if the latter is still working, so
reduced are the alarms they have to respond to.
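
The layering argument above can be checked with a small simulation. This is an added example, not part of Mr. Hely's article: the `simulate` function, the sample traffic and the assumption that the user answers every prompt with "deny" are all constructed for illustration, and address translation at the perimeter box is ignored.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = PC -> Internet, "in" = Internet -> PC
    local: str      # PC endpoint
    remote: str     # Internet endpoint
    app: str = ""   # sending program; only the PC itself knows this

def simulate(traffic, perimeter, personal, allowed_apps=("browser",)):
    """Return (user_prompts, inbound_packets_reaching_pc, apps_that_got_out)."""
    box_flows, pc_flows = set(), set()  # flows each firewall has seen leave
    asked = set()                       # questions already put to the user
    reached_pc, got_out = 0, []

    def user_allows(question):          # assumption: the user always says "deny"
        asked.add(question)
        return False

    for p in traffic:
        flow = (p.local, p.remote)
        if p.direction == "out":
            known = p.app in allowed_apps
            if personal and not known and not user_allows(("out", p.app)):
                continue                # software firewall stops the program
            pc_flows.add(flow)
            box_flows.add(flow)         # hardware box only records the flow
            got_out.append(p.app)
        else:
            if perimeter and flow not in box_flows:
                continue                # not requested from inside: dropped
            if personal and flow not in pc_flows and not user_allows(("in", p.remote)):
                continue
            reached_pc += 1
    return len(asked), reached_pc, got_out

# Constructed sample traffic (documentation address ranges, not real hosts).
PC = "192.168.1.10"
TRAFFIC = [
    Packet("out", PC + ":50000", "198.51.100.7:443", "browser"),
    Packet("in", PC + ":50000", "198.51.100.7:443"),   # requested reply
    Packet("in", PC + ":445", "203.0.113.5:40001"),    # unsolicited
    Packet("in", PC + ":3389", "203.0.113.6:40002"),   # unsolicited
    Packet("in", PC + ":23", "203.0.113.7:40003"),     # unsolicited
    Packet("out", PC + ":50001", "192.0.2.99:8080", "scumware"),
]

if __name__ == "__main__":
    for perimeter, personal in [(False, True), (True, True), (True, False)]:
        print(perimeter, personal, simulate(TRAFFIC, perimeter, personal))
```

With only the software firewall the user is prompted four times; adding the perimeter box leaves one prompt, the outbound one, and with the perimeter box alone the outbound "scumware" connection leaves unchallenged.
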

Another reason for using both hardware and software Firewalls
is that software is, well, software. And software, any
software, can be compromised. On the other hand the hardware
Firewall, with very few exceptions, can only be got at
physically - a baddie has to have hands-on access to the
Firewall to do anything nefarious with it.

Finally, both software and hardware can fail for any number of
reasons. If a good software firewall encounters a problem it
should be designed to fall back to some sort of safe mode,
blocking all Internet traffic until the problem is dealt with.
But if something should occur that forced the software
Firewall to shut down or that prevents it from loading at all
(something many Trojans attempt to do), it is no longer an
impediment to unauthorized data. You could well be vulnerable
to attack and remain blissfully unaware of the fact. On the
other hand, if the hardware Firewall fails it will do so in
such a way that access to and from the Internet is cut off
altogether. The hardware Firewall, by its very nature, can
only fail on the side of complete safety. If it's "not there",
neither is the Internet connection.

Does that make the software Firewall too much trouble?
No way!!! A good software Firewall that does its job properly
is positively invaluable for its management of outgoing
connections, which is where one of the biggest threats to your
security lies. A very, very strong case can be made for having
both types in place. I do, as do most professionals with an
understanding of, and a respect for, data security.

At the very least you should install a good software Firewall
on each PC for which you are responsible. A consistent
Editor's Choice selection, probably the most-recommended by IT
professionals, and my personal choice, is ZoneAlarm from Zone
Labs. There are both free and PRO versions, with various
licensing options. Even if you are eligible to use the free
version I do encourage you to at least give PRO serious
consideration and look at the extra features you get over the

There is no space here to discuss hardware firewall
recommendations, as the most suitable type will depend on a
number of factors. Seek advice from a reputable computer
dealer or consult a more detailed resource such as my book
"The Hacker's Nightmare".

If this newsletter has been passed on to you by a friend,
please subscribe to it yourself so you can be sure of
receiving the next part in this series, when I'll show you how
to keep your sensitive electronic correspondence completely
confidential, even if someone does manage to intercept your

Bill Hely is a technologist,
consultant and author living in Brisbane, Australia. For most
of the last two decades his professional focus has been on
advising and supporting small business operators in
Information Technology and Office Productivity issues and
rescuing them when they didn't heed his advice the first time
around. He is the author of several books on technology for
the business operator, including the Bible of Internet and
computer security "The Hacker's Nightmare". For more
information on this must-read tutorial and reference visit:

Subscribers to our
Alerts News Reporter
will be alerted when other parts
of Bill Hely's series of articles are posted to the Articles
and Reports section of the Firewalls-and-Virus-Protection

Mr. Hely certainly
presents his work in a clear and easy to understand manner.
His "The Hacker's Nightmare" is just as easy to follow and understand as
is his article on "Firewalls Defined", which I hope you have just read.
I believe that every single user of an Internet-connected Windows computer
NEEDS the kind of valuable information contained in
"The Hacker's Nightmare."
You no longer have to be an IT expert to have access to this knowledge.
Now this essential information is yours --- in a language you can
understand and in a format you can easily implement for yourself.