FireBrick

FireBrick - Firewalls, Bonding ADSL, Routers, Traffic Shaping...

General FAQ

Why do I need a firewall?

As you will know if you have ever set up a network of Windows computers, even if only a couple connected together at home, you can share files and printers between the computers. This is one of the benefits of networking and is the same to various extents for Windows, Macs, Unix, and many operating systems.

What you may not realize is that when you connect to the internet, you may be opening up that same ability to share files and access your hard disk to anyone in the world. On top of the normal file sharing, there are often programs running on your machine and loopholes and bugs in programs which will allow various types of access from the outside world.

It is normally possible to configure your computers carefully, but even then it is very difficult to be sure you have plugged every possible way into your network. It is common for operating systems to have flaws that allow access no matter how carefully you configure your machine. It is often necessary to check for new operating system patches daily to avoid attack from the internet.

With a permanent internet connection using real internet addresses you leave your network much more open to attack. Even dialling up using a modem may have risks, but this is usually for a short period of time and you are connected to only one, attended, computer. If your network is connected all of the time then you may be unaware of any problems until well after the damage is done. The threat can come from any number of sources, so even if you think "Why would someone want to hack into my network?" it does not matter, as there are plenty of bored people out there who just like causing havoc.

A firewall is a way of stopping everything from coming on to your network. This is great, but if that is all a firewall did then you may as well use scissors to disconnect yourself from the world. The clever bit about a firewall is that having stopped everything, it then lets specific things through. Just the specific things you want. That way, instead of having to try and find and plug all of the holes in your network, you simply have to let through specific traffic as you need to - it is erring on the side of caution.

The main thing the FireBrick does out of the box is ensure all replies are allowed back in. This means when you access a web page your request goes out, and the reply (the web page itself) is allowed back into your network. This may seem simple enough, but it involves tracking every session from every computer on your network, and is called stateful inspection.

Of course there are other reasons for wanting a firewall - you might want to restrict, control or monitor what goes out of your network. If you get some sort of virus on a machine, a firewall can be helpful in stopping it getting back out to the internet, and can help track down the problem machines on your network.

Why is the FireBrick different from other firewalls?

The FireBrick is simple to use. Out of the box it operates just like a network switch (using stealth mode). This means that if you already have a network connection to the internet set up (e.g. ADSL) then you just plug the FireBrick in between the internet and your computers and you have a firewall.

Out of the box the FireBrick will block all traffic from the outside except for replies to your outgoing requests.

You can change the ports allowed through by accessing http://my.FireBrick.co.uk/ and changing the tick boxes. This is also the way to set up much more sophisticated configurations if you need to.

What is a Stealth firewall?

Stealth firewalls operate completely transparently to the network. They do not show up on any network scans or port scans. The tools that hackers might use to identify a firewall will not help them. It means that you can plug it into your network and the network still operates without any reconfiguration.

Normally with a conventional firewall you have to set up a different subnet on each side of the firewall. A conventional internet leased line will need an extra routing entry to understand that you have a firewall (and most ISPs supplying leased lines will happily do this for you). However, some types of internet connection can't work like this, or the ISP is unhelpful. This means you cannot set up two separate external subnets, one of which is behind a firewall.

The FireBrick's stealth mode means that it can sit in the middle, passing data both ways like a switch, but still blocking any unwanted traffic from entering your network. Obviously the FireBrick can operate like a conventional firewall if that's what you need.

What is DHCP?

You may have encountered automatic IP setting on your computer. This is a method of setting the addresses of the computers on your network automatically. ADSL connections can, for example, provide DHCP so that each machine on your network gets an address automatically.

In stealth mode the FireBrick will simply allow the DHCP requests through from your router to your computers as if it was not there.

However, if you are configuring your network with different subnets, you can make the FireBrick get an address automatically from your own DHCP server or router. You can also set it up as a DHCP server, allocating IP addresses to the computers on your network. This is quite a common configuration when using NAT and a block of private addresses on your main network.

DHCP usually means that the addresses are not fixed. The D means Dynamic, and that normally means changeable. The FireBrick is a little different, as it will try to re-issue the same address to a machine every time, even if the machine has not been on the network for a long time. This gives you the advantages of fixed IP addresses (so you know which machine is which IP) and the advantages of DHCP (saving a lot of time setting up or changing the network).

What is NAT?

Sometimes you do not need to have all of your computers allocated real public internet addresses. A public IP address is one that is unique in the world and allows machines to connect to your machine (firewall permitting). All web pages that you go to have public IP addresses.

In some cases you don't need this. If you have 100 computers in an office, they all need to access the internet, but they don't all need to be accessed by the internet. Perhaps only a few addresses are needed for web servers and email servers.

In this case, you would normally set up private addresses for the machines inside your firewall. Private addresses are special reserved addresses that will never be used on the internet as a whole. They are 10.X.X.X, 172.16-32.X.X or 192.168.X.X. You should never just make up addresses unless they are within these special ranges.

When a machine on a private address tries to access the internet, for example a web site, the other end must have a way to send back the replies. It cannot send to the private address as it does not exist in the outside world. So what happens is that the FireBrick changes the address of the outgoing request to be its public address. When the reply comes back to the FireBrick it works out which of the private addresses the original request came from, and changes the address back and sends the reply on to the right computer in your network. This process is called Network Address Translation or NAT.

NAT does have some limitations. Some protocols communicate the actual address of the computers as part of the information they send and so don't work.

Think of it like this. You have people in a building, and they can send letters (internal mail) with addresses like "room 202". This is fine inside the building, but whenever a letter is sent out to someone outside the building the post room changes the reply address on the envelope to the real building address that the post office understands.

When someone replies, they send a letter back to the real postal address, and the post room looks up which room it came from and puts the reply in internal mail to, say, room 202.

But, if inside the letter you write "please reply to 'room 202'" then the reply goes in the post-box with just "room 202" on the envelope. The post office has no idea where that is, and throws it away or sends it back.

Some protocols do this, so don't work with NAT. One such protocol is FTP (file transfer protocol). Fortunately this has a passive mode which changes the way the data is transferred and will normally mean you can get past a NAT system. Some games however don't have ways around this and may simply not work.
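The stateful inspection described in the firewall section above and the NAT process described here are two halves of the same session table. The following is an added illustration, not FireBrick's own code: a minimal NAT that rewrites private source addresses to one constructed public address, remembers each session, and lets an inbound packet through only when it is the reply to a tracked session. The private ranges are the RFC 1918 ones (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); all addresses and port numbers are constructed.

```python
# Added illustration, not FireBrick's own code: a minimal NAT with session
# tracking, showing why only replies to outbound requests get back in.
from dataclasses import dataclass
import ipaddress

PUBLIC_IP = "203.0.113.10"   # constructed public address of the firewall

# RFC 1918 private ranges: 10/8, 172.16.0.0 to 172.31.255.255, 192.168/16
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulNat:
    def __init__(self, public_ip=PUBLIC_IP):
        self.public_ip = public_ip
        self.next_port = 40000   # next free port on the public side
        self.sessions = {}       # inside (src, sport, dst, dport) -> public port
        self.replies = {}        # (public port, remote ip, remote port) -> inside (ip, port)

    def outbound(self, pkt):
        """Rewrite a private source to the public address and record the session."""
        if not is_private(pkt.src):
            return pkt           # real address: nothing to translate
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.sessions:
            self.sessions[key] = self.next_port
            self.replies[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.sessions[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Map a reply back to the inside machine; None means drop (no session)."""
        inside = self.replies.get((pkt.dport, pkt.src, pkt.sport))
        if pkt.dst != self.public_ip or inside is None:
            return None          # unsolicited: stateful inspection drops it
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])
```

A packet from a different remote host, or to a public port with no session, is dropped even though it is addressed to the public IP, which is the "only replies get back in" behaviour the FAQ describes.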

What is Traffic Shaping?

Normally, all of the computers on your network using your internet connection get a share of the overall connection speed. Computers demanding more data get a bigger share of the internet link, and so can effectively hog the link and slow everyone else down. Also, in a managed office, for example, you may have tenants who are paying for a specific internet connection speed.

Traffic shaping is a system of controlling the speed of internet traffic.

For a managed office you can set up each tenant to have a specific limit on their usage. You can also set up certain types of traffic to have limited use. This means you can manage your internet connection better.

The FireBrick lets you have a number of different speed-limited streams (speed lanes), and you can set up the rules for what sort of data to/from where is attached to each stream. Unlike some systems where the data is simply capped, giving an irregular and jerky throughput, the FireBrick works using a system called packet scheduling, which makes sure the data flows smoothly and consistently at the speed you have set.
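To show the difference between capping and scheduling, here is an added simulation (not FireBrick's scheduler, and nothing on this page describes its internals): two constructed tenant subnets are attached to lanes with different rates; a scheduled lane delays a burst so packets leave evenly spaced at the configured rate, while a plain per-second cap passes packets at full speed until the quota is used and then drops the rest.

```python
# Added illustration, not FireBrick's scheduler: per-tenant speed lanes,
# comparing a scheduled lane (smooth, lossless) with a hard per-second cap.
import ipaddress

class ScheduledLane:
    """Packets leave no faster than rate_bps and are never dropped."""
    def __init__(self, rate_bps):
        self.bytes_per_s = rate_bps / 8.0
        self.free_at = 0.0     # time the lane finishes sending the previous packet

    def schedule(self, arrive, size):
        start = max(arrive, self.free_at)
        self.free_at = start + size / self.bytes_per_s
        return start           # time this packet is actually sent

class CappedLane:
    """Per-second byte quota; anything over it is simply dropped."""
    def __init__(self, rate_bps):
        self.quota = rate_bps / 8.0
        self.window, self.used = -1, 0.0

    def schedule(self, arrive, size):
        if int(arrive) != self.window:
            self.window, self.used = int(arrive), 0.0
        if self.used + size > self.quota:
            return None        # dropped: the sender sees a stall until next second
        self.used += size
        return arrive

# constructed lanes: a rule attaches each tenant's subnet to its own speed lane
LANES = {ipaddress.ip_network("192.168.1.0/24"): 96_000,   # tenant A, 96 kbit/s
         ipaddress.ip_network("192.168.2.0/24"): 48_000}   # tenant B, 48 kbit/s

def run(packets, lane_class):
    """packets: (arrival_s, src_ip, size_bytes); returns the send time of each."""
    lanes = {net: lane_class(rate) for net, rate in LANES.items()}
    times = []
    for arrive, src, size in packets:
        lane = next((l for net, l in lanes.items()
                     if ipaddress.ip_address(src) in net), None)
        times.append(arrive if lane is None else lane.schedule(arrive, size))
    return times

# constructed burst: tenant A sends 16 x 1500-byte packets at once (24000 bytes)
BURST = [(0.0, "192.168.1.10", 1500)] * 16
```

At 96 kbit/s (12000 bytes/s) the scheduled lane sends one 1500-byte packet every 0.125 s, so the burst drains in two seconds with nothing lost; the capped lane sends eight at once and drops the other eight.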

What is Tunnelling?

When you have an office that is using private addresses, it is impossible to access machines on those private addresses from outside. The addresses are simply not visible from the internet.

If you have two or more offices, each using a different set of private addresses, and each connected to the internet using NAT, then you might want the offices to be able to communicate directly.

Tunnelling allows you to create a link between the two offices so that there is a way for machines in one office to directly access machines in the other office using their private addresses. This would allow file sharing and printing and other networking operations.

It works by making a link between the public addresses of the two FireBricks and carrying the private-address data over that link.

The link uses secret passwords that are never seen on the internet, and checks that the link is from the correct public address for the other FireBrick. This means nobody else can pretend to be your other office and get access to your network.

The FireBrick supports a number of separate tunnels at once, allowing a virtual private network (VPN) to be set up.

You can, of course, restrict what is allowed to go through the tunnels using the firewall controls.
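The three checks described above (the link is between the two public addresses, a shared secret that never appears on the internet, and firewall controls on what the tunnel carries) can be illustrated with the following added example. It is not FireBrick's tunnel protocol, which this page does not describe: it wraps a private-address packet in an outer payload carrying a sequence number and an HMAC under a shared secret, and the receiving end drops anything not from the expected peer address, with a bad tag, replayed, or addressed outside its own private subnet. The inner packet format ("src>dst payload"), the secret and all addresses are constructed.

```python
# Added illustration, not FireBrick's tunnel protocol: an authenticated
# tunnel end that only accepts private-address packets from the other office.
import hashlib, hmac, ipaddress, struct

SECRET = b"constructed-shared-secret"   # configured on both ends, never on the wire
TAG_LEN = 32                            # length of a SHA-256 HMAC

def encapsulate(inner, seq, secret=SECRET):
    """Build the outer payload: sequence number, HMAC, then the private packet."""
    hdr = struct.pack("!I", seq)
    tag = hmac.new(secret, hdr + inner, hashlib.sha256).digest()
    return hdr + tag + inner

def inner_dst(inner):
    """Destination of a constructed inner packet 'src>dst payload', or None."""
    try:
        return ipaddress.ip_address(inner.split(b" ", 1)[0].split(b">")[1].decode())
    except (IndexError, ValueError):
        return None

class TunnelEnd:
    def __init__(self, peer_public_ip, local_net, secret=SECRET):
        self.peer = peer_public_ip          # the only public address allowed to send
        self.local_net = ipaddress.ip_network(local_net)
        self.secret = secret
        self.last_seq = -1

    def receive(self, src_public_ip, wire):
        """Return the inner packet to forward onto the private network, or None to drop."""
        if src_public_ip != self.peer:
            return None                     # not from the other office's FireBrick
        if len(wire) < 4 + TAG_LEN:
            return None
        hdr, tag, inner = wire[:4], wire[4:4 + TAG_LEN], wire[4 + TAG_LEN:]
        expect = hmac.new(self.secret, hdr + inner, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None                     # wrong secret or tampered in transit
        seq = struct.unpack("!I", hdr)[0]
        if seq <= self.last_seq:
            return None                     # replay of an old packet
        self.last_seq = seq
        # firewall control on tunnel contents: only deliver to our own private subnet
        dst = inner_dst(inner)
        if dst is None or dst not in self.local_net:
            return None
        return inner
```

The secret is only ever used to compute and check the tag, so an observer on the internet sees the tag but never the secret, and a packet from any other public address is rejected before the tag is even checked.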

How does it work with ADSL?

ADSL is just another way to get internet access, and like a leased line it is permanent. The FireBrick has a number of features to work well with ADSL, including stealth mode (useful where you just get one block of IP addresses), and bonded uplink (allowing traffic to go out via more than one ADSL line at once to get better throughput). The profiling options on a FireBrick are also useful to operate backup links, e.g. reverting to an ISDN router if the ADSL fails.

What about viruses?

Viruses are simply programs. Your computer runs programs all of the time. What makes a virus special is that it changes other programs on your computer and will try and make sure it copies itself on to other computers. Typically they are attached to email or inside documents attached to email.

There is no difference between any program you download from a web page or receive via an email and a virus. They are both just binary data attachments or files.

Virus scanners attempt to look at the data in email and web pages to try and see if there is a known virus included. Some anti-virus programs will try to trap the operation of a virus - where it tries to change existing programs on your computer - and stop it.

Virus scanning can never be 100%, partly because it can only look for known viruses, and partly because viruses could be included in compressed or encrypted data which the virus scanner cannot look into. This also means that a virus scanner is only as good as its database of known viruses, and the speed of the supplier at updating the database.

The FireBrick is a firewall, and not a virus scanner. There are a number of programs available to check for viruses on PCs, and also many ISPs provide services that can pre-screen email for viruses.

The FireBrick can be instrumental in enforcing some virus checking policies. For example, it can be set up to only allow incoming mail from your ISP's virus scanner, and not from anyone sending it directly to your machines and bypassing the scanner.

One of the biggest defences against viruses is common sense. Don't run anything you don't recognize. Don't run programs that have been emailed, even if they appear to be from a friend, without first checking.

What is bonding?

Bonding allows you to combine multiple links (e.g. multiple ADSL lines), to effectively give you a single higher bandwidth link.

Bonding is such an interesting topic that it has its own FAQ here.