Firewalls have become a necessity for modern networks. Hundreds of pieces of software are released each year that, when installed, provide remote access to your machine, and, as such, are a security risk to the network. Much of this software is marketed to individuals as simple "helpful" applications, but to the network administrator, they can be a nightmare.
Software products such as Kazaa, GNUtella, and so on are popular for downloading music and movies, but they also open file servers that deliver the contents of their computers to outside clients. Dozens of variations of these applications exist, and, on a large decentralized network, it is virtually impossible to keep them from being installed. Even if user application policies are put in place, should a remote exploit be discovered that affects the operating system of all machines on the network, the only recourse for the network administrator may be to wait (patiently?) for a patch.
A solution to both these potential problems is a firewall. A firewall blocks specific network traffic before the critical services on a machine can process it. There are three general types of firewalls:
Personal firewall. A personal firewall is configured on each network workstation. It blocks traffic at that station and does not affect any other machines on the network. This is useful for users who must live on a network without a network firewall and understand the risks of leaving their system open.
Network firewall. A network firewall protects a large number of computers (an entire network) by blocking traffic at the main network feed. It is a dedicated piece of hardware with at least two network cards that is usually placed immediately after a network's router. Traffic comes in on one interface, is compared against the firewall rules, and, if appropriate, passes out the second interface, and vice versa. Mac OS X is capable of running a NAT-based system that provides similar functionality, but is not yet capable of acting as a true network firewall. For those in need of non-NAT-based solutions, instructions for creating a transparent bridging firewall in Linux are provided at the end of this chapter.
Proxy firewall. A proxy is typically a special piece of software that runs on an Internet-connected server and is accessed by a network of non-Internet-accessible machines. The proxy receives incoming requests for resources ("Hey, could you fetch me the current versiontracker.com page?") and, if the request is deemed appropriate, returns the resource as if it were the remote server. Proxies have their uses, but the focus for this chapter will be on personal and network firewalls and how they work with Mac OS X.
Of these firewall types, home users will be most interested in personal firewalls, whereas individuals dealing with enterprise or even SOHO (Small Office/Home Office) networks may want to consider a network firewall of some sort.
I've heard (and even read in earlier Maximum Security books) the comment that managing a firewall is more trouble than it's worth. Although that was perhaps a somewhat valid point in the mid-1990s, this is hardly the case today. A firewall can exist on a network and not block anything until it is needed. You aren't forced to selectively open ports for internal services as they are required. Rather, a firewall can remain in an open state and be closed only in response to attacks or unpatched operating system vulnerabilities. Firewalls are useful tools that should be kept at the ready anywhere the potential for network attack is possible and the resources are available.
Before going any further, it's important to point out what a firewall isn't:
A firewall isn't an end to network attacks. Services that are passed through the firewall are still open to exploit, and the firewall itself may even become the target of a DoS attack.
A firewall isn't a solution for securing network traffic. Information that is sent unencrypted is still just as susceptible to eavesdropping as on an unprotected network.
A firewall isn't an intrusion detection device (although they are often combined). A firewall blocks what you tell it to: nothing more, nothing less. If your rules do not cover the threats your machine or network faces, only you are to blame.
A firewall isn't a reason to entirely forget about internal network security. A single disgruntled employee can be more of a threat to your network than any outside attacker.
A firewall isn't an instant solution to network attacks. Firewall configuration often takes weeks to complete and requires that an administrator fully understand his or her network topology and active services.