What is a firewall?

Everyone knows it’s an essential part of your computer’s security setup, but once you get past that, most people don’t really understand what a firewall is. Those who do tend to give you a very technical explanation that does you no good. If you just want to understand the concept of a firewall and don’t need to teach a PhD-level IT course, hopefully you’ll enjoy the article below.

First of all, the term “firewall” used to mean (and still does) that metal part between a car’s cabin and its engine. It’s literally a wall where fire cannot get through. That’s the whole point. In fact, in a car nothing gets through a firewall unless you want it to, because you have to drill a hole to feed things through.

The very same thing applies to a firewall for computers. It’s a device, either a physical box or part of your computer’s software, that doesn’t let anything through unless you want it to. Here in the second decade of the 21st century, that’s a standard thing, but once upon a time computers communicated freely and there was nothing to stop them. Personal computer operating systems like Windows were designed to communicate within a building, not over the internet, and the internet itself was designed as a sort of hippie commune of knowledge where there were no bad guys and everyone just helped everyone. Of course, the internet turned out to be a very different place, one where most of the people you’re likely to run into want to harm you in some way or other.

Computer-to-computer communication is usually described as a series of doors called “ports.” In fact your computer has tens of thousands of ports, and they’re not really like doors because they’re never really locked. They’re more like driveways without gates, letting in anyone who knows how to get there. In retrospect this was not the smartest way to design an operating system, and a lot of modern operating systems actually do a better job of locking down these ports. Windows, though, pretty much leaves them open unless you use a firewall (which I’ll explain in a minute), meaning that any attacker anywhere in the world could actually get to your hard drive just by knowing where in the world it is. That’s obviously pretty stupid.

A firewall stops all communication between your computer and the outside world and blocks access to all your computer’s ports except the very few that you need. Port 80, for example, is used for loading web sites, so you need that one. Communication that comes through port 80 goes to your browser, so it’s pretty benign. If some other computer wants to get to any other port, your firewall stops it unless you specifically say it’s all right.

There is a firewall built into Windows now, and it’s pretty good. There’s usually another one built into your router’s software that’s also pretty good, and unless you’re going to some pretty nasty places, that tends to be all you’ll need. IT professionals use something called a “firewall appliance,” which is a lot more complex but gives them a lot of power. The firewall appliance sits right next to the company’s router, and not only does it block unwanted stuff, it also helps route the stuff people need to the correct places. For example, it can direct one sort of traffic to the company’s e-mail server so it doesn’t float around the network. It can send web page traffic through without letting attackers get past.

Firewall appliances are also used for “whitelisting” and “blacklisting.” A whitelist is a list of sites that can always be accessed even if they’re doing dodgy things. Other servers that your company owns that aren’t in the building are usually whitelisted, and if you work from home, your traffic into the company’s servers is whitelisted. On the other hand, the sites your boss doesn’t want you to go to end up on the blacklist, which is a list of sites that can never be accessed even if they behave perfectly. This is one way that companies limit their liability, because, for example, you wouldn’t want sexually explicit images on company computers, where someone could sue.
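To make the two ideas above concrete (every port closed except the few you open, plus a whitelist that always passes and a blacklist that never does), here is a small added example of a default-deny packet filter. It is illustration written for this article, not code from any real firewall product; the addresses are constructed from the reserved documentation ranges, and the choice to check the blacklist before the whitelist is an assumption, since the article does not fix that order.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port: the "door" the packet is knocking on


class Firewall:
    """Default-deny filter: a port is closed unless a rule opens it.
    Blacklisted addresses are always refused (checked first, an assumption
    made here); whitelisted addresses always pass, whatever the port."""

    def __init__(self, open_ports, whitelist=(), blacklist=()):
        self.open_ports = set(open_ports)
        self.whitelist = [ip_network(n) for n in whitelist]
        self.blacklist = [ip_network(n) for n in blacklist]
        self.denied = []  # record of every blocked packet, for later review

    @staticmethod
    def _matches(nets, addr):
        a = ip_address(addr)
        return any(a in n for n in nets)

    def decide(self, pkt):
        """Return (verdict, reason); verdict is 'ALLOW' or 'DENY'."""
        if self._matches(self.blacklist, pkt.dst) or self._matches(self.blacklist, pkt.src):
            verdict = ("DENY", "blacklisted address")
        elif self._matches(self.whitelist, pkt.dst) or self._matches(self.whitelist, pkt.src):
            verdict = ("ALLOW", "whitelisted address")
        elif pkt.dport in self.open_ports:
            verdict = ("ALLOW", f"port {pkt.dport} is open")
        else:
            verdict = ("DENY", f"port {pkt.dport} is closed (default deny)")
        if verdict[0] == "DENY":
            self.denied.append((pkt, verdict[1]))
        return verdict


def demo():
    # Constructed sample policy: only port 80 open, one whitelisted company
    # network off-site (203.0.113.0/24), one blacklisted range (198.51.100.0/24).
    fw = Firewall(open_ports={80}, whitelist=["203.0.113.0/24"], blacklist=["198.51.100.0/24"])
    packets = [
        Packet("192.0.2.10", "10.0.0.5", 80),    # web traffic on the open port
        Packet("192.0.2.10", "10.0.0.5", 445),   # file-sharing port, not opened
        Packet("203.0.113.7", "10.0.0.5", 445),  # same port, but from a whitelisted server
        Packet("10.0.0.5", "198.51.100.9", 80),  # web request to a blacklisted site
    ]
    return [fw.decide(p)[0] for p in packets]


if __name__ == "__main__":
    print(demo())  # ['ALLOW', 'DENY', 'ALLOW', 'DENY']
```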