How to configure a firewall
Firewalls are one of the most important network security devices you can possibly have. Everyone who uses the internet or internal networks needs at least one. Firewalls are absolutely necessary in enterprise computing environments, but these days even consumers need a firewall in some form or another for their home router, PC, and mobile devices. Firewalls control how your endpoints and servers can use the internet and other types of networks. Some devices have them built in.
Here I am republishing my 2019 blog post for Peerlyst. Firewalls still work like this.
Thank you, patrons!
At the Fan level: Naomi Buckwalter! OMG, thank you!
At the Reader level: New Readers! Sylvain and HTownQueer!
Returning Readers Ryan Wilson, François Pelletier and IGcharlzard!
I will do my best to post something new weekly. If you can, I’d love for you to join my Patreon supporters here. I even have support levels where I can do custom work for you: https://www.patreon.com/kimcrawley
Routers generally include a network firewall (usually called a hardware firewall, even though it is software running on the router), and operating systems generally have host-based software firewalls. Depending on your needs, those firewalls might be enough, especially if you’re a consumer or small business. But datacenters usually need dedicated firewall appliances. This post is targeted to home and small business users for the most part, but some of the general principles are also applicable to larger scale networks.
What are firewalls?
There are so many different types of firewalls. They’re not just large and small, hardware and software. They can also have their own operating systems and their own ways of controlling your network interface. Before you choose a firewall to suit your needs, it helps to understand how they work.
Some people have a little doggy flap in the front door of their house. If the door is locked and it doesn’t have a window, the doggy flap should only allow creatures and things the size of a small animal to go through. Ideally, the flap is small enough that a typical adult human can’t crawl into your home. In firewall terms, the locked door is a port or application that is open but filtered: only authorized use gets through, the way only someone with a key gets through the door. The doggy flap is another port or application that is simply open, and the only thing limiting what comes through it is its size. If everything works according to design, human house robbers can’t get in, the humans who live in the house can get in if they unlock the door with their key, and Fido can go in and out as he pleases. That’s the general concept of a firewall. The word itself conjures up an image of a literal wall of fire, but that sounds a bit dangerous, don’t you think?
In the same sense, a good firewall that’s properly configured will allow the network traffic that you want, while blocking traffic that you don’t want — namely unauthorized users and cyber attacks.
Traditional firewalls block and filter by TCP and UDP port. Each of those protocols has 65,536 port numbers (0 through 65,535), and the same number can mean different things on TCP and on UDP, so a rule should always say which protocol it applies to. TCP/IP was developed for ARPAnet (the precursor to the internet). It’s the backbone of the modern internet, and most internal networks also use the TCP/IP stack. The first 1024 ports (0 through 1023, which is 2 to the power of 10 ports) are the well-known ports assigned to particular internet services. For example, port 80 is used for HTTP and port 443 is for HTTPS. Those are the protocols of the web. The next roughly 48,000 ports (1024 through 49,151, or 2 to the power of 10 through 2 to the power of 14 plus 2 to the power of 15 minus one) are the registered ports. The Internet Assigned Numbers Authority assigns these on request to particular applications, some of them important (database servers and management interfaces live here), many of them niche. For example, some Windows versions of Call of Duty games have used port 28960 for online multiplayer. Ports 49,152 through 65,535 (2 to the power of 15 plus 2 to the power of 14 through 2 to the power of 16 minus one) are the dynamic or ephemeral range. Nothing is assigned there, but your operating system picks a source port from this range every time it opens an outbound connection, so these ports are in constant use; a stateful firewall keeps track of those connections and lets the replies back in without you opening anything. A typical home LAN or small business runs only a handful of services, so the firewall should only need to expose a handful of ports, mostly in the 0 to 1023 range. Ideally, whether you’re using a laptop or a massive cluster of rackmount servers, all ports that you don’t use should be blocked, only the ports you use should be open, and your open ports should be filtered: limited to the protocol and the source addresses that actually need them.
Firewalls can also often be configured according to IP addresses and ranges of IP addresses. Many networks assign static IP addresses to devices, so the firewall can block all addresses except the ones known to be used in your network. Where dynamic IP addresses are assigned by DHCP, the DHCP scope can be limited to a specific range, written in CIDR notation (192.168.1.0/24, say, rather than the old “Class C” label), and the firewall can permit only devices with addresses in that range. Keep in mind that a source address is not proof of identity: an attacker who is already on your LAN, or who can spoof packets, gets the same treatment as the legitimate device, so address rules narrow exposure but don’t replace authentication. Sometimes firewalls can also allow or block according to DNS names, such as Peerlyst.com; under the hood the name is resolved to addresses, so those rules are only as trustworthy as the DNS answers behind them.
Newer types of firewalls sometimes block or filter per applications. That’s how the firewall on my Android phone works. I choose which applications can use the internet and how. My web browser needs the internet, but a silly game might not.
Businesses and enterprises these days often use what Gartner refers to as a Next Generation Firewall: “A deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.” So they can block by port like traditional firewalls, they can block by application vaguely like my Android firewall, and they often have extra useful features like DDoS attack mitigation and intrusion prevention systems. Configuring these firewalls can be a bit more complicated, but the extra security features and customization potential make the additional effort worth it!
The first step I would apply when it comes to configuring any type of firewall is to change the default settings. This is very, very important. A lot of exploit kits, malware, and other cyber attack tools assume the defaults of a specific device: the default administrator username and password, the default management port, and the default (often permissive) rule set. The default settings might be okay for getting the device working, but they must be changed in order to mitigate the most common attacks. Keep cyber attackers on their toes! Knowing you have a Cisco ASA 5500-X firewall shouldn’t be enough for a cyber attacker to exploit your network. But I’m often shocked by how many people leave the default usernames and passwords on their routers, along with the default firewall configuration and the management interface reachable from the internet side. That’s absolutely terrifying!
The next step is to take an assessment of your networking needs. If your firewall works according to TCP and UDP ports, which ones should be open? All the ones you don’t use should be blocked. That’s a whitelisting (allowlisting) approach, and it’s more secure than blacklisting: “You may only do x, y, and z, and nothing else” is more restrictive and controlled than “you may do anything except a or b,” because a blacklist only stops the things somebody thought to list. If your firewall works per IP address, identify which addresses your network uses so you can exclude the rest. The same applies to applications. Depending on your firewall, it may use one or two or all three of these approaches. Ideally, if your firewall supports it, as many open ports as possible should also be filtered. I might want port 6112 to be open for Blizzard’s Battle.net gaming service, but restricting it to the game’s protocol and to the servers and peers that actually need it lets me play Starcraft while making it less likely that a cyber attack can reach my PC through Starcraft’s port. Control the Zerg!
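To make the port, address, and default-policy ideas from the last few paragraphs concrete, here is a small model of how a packet filter evaluates its rules: rules are checked in order, the first match decides, and a default policy applies when nothing matches. This is an added example written for this republished post, not code from the original post or from any firewall product. The LAN prefix 192.168.1.0/24, the sample packets, and the 203.0.113.0/24 range standing in for a game service’s servers are all constructed for illustration. The same traffic is run through a whitelist (default deny) and a blacklist (default allow) so you can see where the blacklist lets an unlisted service through.

```python
"""Toy model of a packet filter: ordered rules, first match wins, default policy.

Constructed example for illustration; it does not configure any real firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp" (port numbers mean different things on each)
    src: str        # source IP address
    dst_port: int   # destination port, 0 through 65535


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None matches either protocol
    src: Optional[str] = None       # CIDR prefix; None matches any source
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """True when every field the rule specifies agrees with the packet."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        return True


class Firewall:
    def __init__(self, rules, default: str):
        self.rules = list(rules)
        self.default = default  # policy applied when no rule matches

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:         # first matching rule wins
            if rule.matches(pkt):
                return rule.action
        return self.default


LAN = "192.168.1.0/24"           # assumed home/office LAN
GAME_SERVERS = "203.0.113.0/24"  # hypothetical game service range (RFC 5737 documentation space)

# Whitelist: default deny, open only what is needed, restrict open ports to expected sources.
ALLOWLIST = Firewall([
    Rule("allow", "tcp", LAN, 22),             # SSH, only from the LAN
    Rule("allow", "tcp", None, 443),           # HTTPS from anywhere (a public web service)
    Rule("allow", "tcp", GAME_SERVERS, 6112),  # game port, filtered to the game's servers
    Rule("allow", "udp", GAME_SERVERS, 6112),
], default="deny")

# Blacklist: default allow, block a few known-bad ports.
DENYLIST = Firewall([
    Rule("deny", "tcp", None, 23),   # telnet
    Rule("deny", "tcp", None, 445),  # SMB
], default="allow")

SAMPLE_TRAFFIC = [  # constructed packets
    Packet("tcp", "192.168.1.20", 22),    # admin on the LAN
    Packet("tcp", "198.51.100.7", 22),    # SSH probe from the internet
    Packet("tcp", "198.51.100.7", 443),   # web visitor
    Packet("tcp", "198.51.100.7", 3389),  # RDP probe nobody thought to blacklist
    Packet("udp", "203.0.113.9", 6112),   # the game's server
    Packet("udp", "198.51.100.7", 6112),  # someone else hitting the game port
    Packet("tcp", "198.51.100.7", 23),    # telnet probe
]


def evaluate(fw: Firewall, packets) -> list:
    """Return (packet, decision) pairs for one firewall over a list of packets."""
    return [(p, fw.decide(p)) for p in packets]


if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        print(f"{pkt.proto}/{pkt.dst_port:<5} from {pkt.src:<14} "
              f"whitelist={ALLOWLIST.decide(pkt):5} blacklist={DENYLIST.decide(pkt)}")
```

Run it and compare the two columns: the whitelist denies the RDP probe and the stray packet to port 6112 because nothing permits them, while the blacklist waves both through because nobody listed them. Real firewalls add connection tracking on top of this (so replies to your outbound connections are let back in on their ephemeral ports), but the ordering, first-match, and default-policy logic is the same.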
Some firewall configuration, especially in the enterprise, can get a lot more complicated than that. Plus, specific firewall platforms such as Cisco ASA or Juniper SRX have their own configuration languages. If you’re working with something like that, you’ll need to refer to the configuration guides for those particular platforms. But I’ve covered all of the basics. Enjoy!