Do You Need a Firewall to Protect Your Home Network?


When talking about network security, something that pops up quite often is firewalls. For non-networking people, it’s very unclear what they really do, except that they may block bad traffic. But how do they know what is bad and what is not?

In this blog post, I want to clarify what a firewall is, and that is exactly what you are going to learn if you continue reading. On top of that, I will tell you why you should not buy a firewall, unless you are a company, in which case you should really get one. You’ll also learn some of the disadvantages of firewalls. But let’s start with what a firewall is.

What is a Firewall?

A network firewall is not a wall to keep fire out, but it has similarities. A firewall in a building is there to block a fire so that the area behind it can be safe. A network firewall works the same way. It keeps the area behind it, the LAN, safe from bad stuff that would like to get into a network.

Essentially, a firewall is your shield to the outside network. All traffic that comes into your network is scanned by the firewall and it will throw out any packets that are not allowed. It knows which packets to throw out based on rules that have been set up beforehand.

Something that is very common when configuring a firewall is to block everything and then add a rule for each thing that needs to come through. This can take quite long and isn’t very fun to set up, but it’s secure, which is the whole reason why a firewall is there in the first place.

A firewall often has traffic logs as well, so that you can see what the firewall is blocking and what it is letting through. While this may not be as interesting to you, it’s very interesting for an enterprise to see which services and/or systems are trying to reach out to the internet or enter the LAN.
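The block-everything-then-allow approach and the traffic log described above can be sketched in a few lines. This is an added example, not code from the original post or from any firewall product; the rule names, addresses (documentation ranges) and sample packets are constructed for illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst_port: int   # destination port on the protected side
    proto: str      # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    dst_port: int
    src_net: str = "0.0.0.0/0"  # any source unless narrowed

    def matches(self, pkt):
        return (pkt.proto == self.proto
                and pkt.dst_port == self.dst_port
                and ipaddress.ip_address(pkt.src)
                in ipaddress.ip_network(self.src_net))

class Firewall:
    """Inbound filter: explicit allow rules, everything else is denied."""

    def __init__(self, allow_rules):
        self.allow_rules = list(allow_rules)
        self.log = []  # one (action, rule name, packet) entry per decision

    def filter(self, pkt):
        for rule in self.allow_rules:
            if rule.matches(pkt):
                self.log.append(("ALLOW", rule.name, pkt))
                return True
        # No rule matched: fall through to the default-deny policy.
        self.log.append(("DENY", "default-deny", pkt))
        return False

    def top_blocked_sources(self, n=3):
        """Summarise the log: which sources were denied most often."""
        denied = Counter(p.src for action, _, p in self.log if action == "DENY")
        return denied.most_common(n)

# Constructed rule set: HTTPS from anywhere, SSH only from one admin network.
RULES = [
    Rule("web-https", "tcp", 443),
    Rule("admin-ssh", "tcp", 22, src_net="198.51.100.0/24"),
]

# Constructed inbound traffic.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.7", 443, "tcp"),    # matches web-https
    Packet("203.0.113.7", 22, "tcp"),     # SSH from outside the admin network
    Packet("198.51.100.20", 22, "tcp"),   # matches admin-ssh
    Packet("192.0.2.66", 23, "tcp"),      # no rule
    Packet("192.0.2.66", 3389, "tcp"),    # no rule
    Packet("192.0.2.66", 53, "udp"),      # no rule
]

def run_sample():
    fw = Firewall(RULES)
    decisions = [fw.filter(p) for p in SAMPLE_TRAFFIC]
    return fw, decisions

if __name__ == "__main__":
    fw, _ = run_sample()
    for action, rule, pkt in fw.log:
        print(f"{action:5} {rule:13} {pkt.src} {pkt.proto}/{pkt.dst_port}")
    print("most denied:", fw.top_blocked_sources())
```

The log, not the rule list, is what shows a source repeatedly probing ports nobody opened.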

While some, like Roger A. Grimes at CSO, don’t think firewalls are needed, I do believe that they are still needed. But does that mean that you, as a regular home user, should get a firewall? The simple answer is no, and here’s why.

Why You Don’t Need a Firewall

You already have one. Unless you have actively turned it off, you already have a firewall that is protecting you from the bad stuff. I am running macOS on my main computer, and the operating system asks me whenever a program or a system wants its traffic to come into the laptop. This way, I can decide for myself whether I want a program to be allowed into my computer.

The firewall is turned on.

If you are using Windows, you should get the same experience with the operating system asking you for permission. You will only get these questions on programs that you have installed yourself. The operating system will automatically allow traffic that is needed by the operating system as well as basic networking. On my Mac, I was also able to choose if I wanted to allow ping from outside the network or not.

But hold on for a minute now, isn’t a firewall a physical box that you need to configure? Well, yes, but there are two types of firewalls: software and hardware. While they do the same basic thing, hardware firewalls tend to offer many more features and perform much better than software ones.

A software firewall that you have on your computer will protect that computer only. It will not protect your whole network, which a hardware firewall can do. These hardware firewalls are placed between the internet connection and the router, so that all traffic going to the router has been filtered as OK by the firewall. This is not possible with software.

However, to get back to the main question here, for home use there really is no need to get a hardware firewall, as the firewall on your computer is good enough. If you are very interested and want to learn more about TCP, UDP, ports, and packets, though, a firewall can be a fun way to get started.

What Does a Firewall Protect You from?

A firewall is like a gate, the first blockade.

A firewall can protect you from bad stuff, I’ve told you that already. But how does it do that and what exactly do I mean by “bad stuff”? When I say, “bad stuff”, I am talking about hackers and other unauthorized connections to your network. I am also talking about viruses and malicious code that you may end up getting in your email or download from the internet.

A physical firewall that is filtering traffic into the network will protect against people who are outside your network and are trying to get in using different methods. If the firewall is correctly configured, it will block these connections, and you can see in the log that they were blocked.

The firewall will also block a lot of unnecessary traffic in your network. I looked at the log that we have at my work, and there is a lot of chatter that is being blocked by the firewall. What I mean by that is that there are bots trying many common ways to get inside. These have been set up by humans, and I guess that if a bot succeeds in getting in, it will notify a human.

If you instead download malicious software or get a file in an email, a physical firewall may see the bad file and still let it through. Then you have the software firewall on your operating system that will protect you instead. Not from getting the virus on the computer, but the firewall can block the virus from sending your information out to the internet. However, many viruses will add themselves to the OK-list on a firewall, which is how they get past this.

Basically, a firewall is very good at keeping anything that you don’t want in your LAN, outside of the LAN.

Why Companies Should Have a Firewall When You Don’t

According to CIO.com, the biggest security issue is with your employees.

If you run a business and do not have a firewall yet, then I highly recommend that you get one. While you may not need one for your private network, a business network is often more interesting for an attacker than a private network, because of the information that businesses have. It is also common for small businesses to not have strong network security, making it even easier for attackers to get in and see customer data and business financials.

Having a physical firewall is the very first line of defense against threats from the outside. By now, you should know the advantage of a firewall and it is simply a must for a business. It’s much easier to control one firewall than having to manage software firewalls on company computers, especially if you have a few of them. If you have hundreds of computers, then having one hardware firewall is a no-brainer, simply because of management.

If you have two offices in two different locations, firewalls can actually connect these two offices using a VPN tunnel. What this means is that you have two firewalls, one at each site, that connect to each other through a secure, encrypted network tunnel. The offices will then be able to speak to each other, meaning that you can have network resources at one office only.

There are many other benefits of having a firewall for a business. It’s a great way to monitor the network traffic, making sure that your employees are not downloading torrents from the company network, for example. You are also able to block websites so that your employees can’t visit them.

Many of these problems are problems that you don’t have on your private network, and these are a few of the reasons why a business should have a hardware firewall, even if they are just a small business.

What are the Disadvantages of a Firewall?

But of course, there are disadvantages with a firewall as well. However, the benefits of having a firewall are always better than having no firewall at all, be it software or hardware. But it’s still good knowing the limitations of firewalls.

If you have a hardware firewall for your company, this firewall will not protect you from internal attacks that happen behind the firewall. This could be an employee plugging in a USB stick with malicious code on it or downloading software from the internet that looks like something else. If it has passed the firewall, you need to deal with it some other way.

When it comes to software firewalls, they are always in the background, checking for incoming and outgoing traffic for the computer. This means that the firewall will always take some performance from the computer that you may have wanted elsewhere. This is a problem that used to be big but nowadays the computers are powerful enough and the operating systems are smart enough, that there really isn’t any big performance hit. But if you have an old laptop, this could be a problem.

Conclusion

In the end, having a firewall for your home network is something that you already have. There is no point having a physical firewall unless you are interested, and if you are not interested, then don’t bother.

I would also advise against buying software firewalls. It is very popular for anti-virus software to include a firewall that the advertisement says is better than the built-in one, but it’s usually not.

About The Author
Orest


17 comments on “Do You Need a Firewall to Protect Your Home Network?”

  1. Nicely explained blog. Very informational. I usually thought that should be a small size firewalls that can protect our home devices from outside attacks. But still don't require such things. I am still safe while using 24*7 internet and browsing many things on networks. So, agree with your point firewall is good for enterprises networks not for home.

  2. In reference to not needing a home firewall, does this change when you have smart devices like TV, lights and other household devices working off of your WiFi network as well?

    1. Hi Nancy,

      Yes, it does, and that is because these devices likely do not have a configurable firewall on them, also known as a Host-Based Firewall, like we have on our computers. Smart TVs, or other smart devices don't have any sort of firewall we can configure which can leave them vulnerable to attacks.

      Most modern routers do have a firewall in them now, however, it is not very configurable, as companies make them for users to "set it and forget it". In general, they block any connection trying to come in, and allow any connection going out. A network firewall can provide more granularity in what you allow going out, or to come in, which is better protection, but more maintenance. So most people should be okay with their current routers, however they can't control much of what connections are allowed on the network. This becomes more concerning when you have smart devices that are not completely trusted. A network grade enterprise firewall can help lock down smart devices.

  3. Which type of firewall should the residential user implement, would it be Software or Hardware? Kindly also give me a real-life example.

    1. Hi Arianne!

      Great question. Generally, for the residential home owner, you will be implementing a hardware firewall. Whenever you buy a router and put it in your home, it has basic hardware firewall capabilities.

      However, you can also implement a software firewall on your computer, especially if you expect to travel with it. It will provide you protections when you are on the internet when using public wifi, and can be a great layer to add on top of a virtual private network (VPN).

      Some examples of software firewalls include Microsoft Defender Firewall, and GlassWire.

      I hope this helps!

  4. How about to prevent my children from browsing porn sites or any other sites that I don't want them to access? Is there any way to block those connections? Or any consumer grade firewall I can use to prevent that?

    1. Hi Ernan,

      Generally, this type of functionality is referred to as url filtering or content filtering. The way this is achieved is by external services that provide knowledge of this type of content that they categorize for you.

      So for restricting access to adult content, or other such as games, gambling, etc, your firewall would need url filtering capabilities, or also known as Parental Controls. Newer firewalls / routers provide this functionality, such as Linksys Velop, Google Wifi, or Netgear Orbi. These services may be subscription based, or free, depending on the vendor. For example, Linksys provides Linksys Shield for $4.99 / month, or 49.99 / year for parental controls.

      Otherwise, if you don't have a newer firewall / router with parental controls, you would have to block each website manually. That would be a very tedious process, hence the need for these services.

      The last thing I'd mention is these controls can be bypassed if your children purchase VPN access. At this point, the firewall would not see those connections. The only way to prevent that is by restricting VPN access, which could possibly be done via parental controls, again, depending on the vendor.

      I hope this helps!

  5. If I want to turn on RDP so I can access my PC from outside my network but limit it to certain IP addresses (or even better, certain mac addresses) would an appliance firewall be the best option?

    1. Hi Kevin,

      Thanks for reading!

      So yes, you would want an appliance firewall (network firewall) to access your PC via RDP from outside your network. Likely, you already have a consumer grade router at home which is performing this function for you. Here you would do port forwarding, to forward incoming connections on whatever port on the router / firewall, to port 3389 of the IP address that is your PC. Depending on your firewall, you can restrict incoming connections to certain IP addresses. As for certain MAC addresses, this isn't possible with a firewall. Since firewalls perform network-based operations at Layer 3, and MAC Addresses are Layer 2 based, you won't be able to filter by MAC Address with firewall rules. Even more so, MAC Addresses can be easily spoofed, and do not provide a sense of security.

      Before you explore this option, I would highly discourage exposing RDP on your PC from outside your network. This is because there are plenty of vulnerabilities and methods to exploit RDP that a hacker can use to access your network. This is a very common way that hackers use to get into a network, and perform a ransomware attack, or other attacks. Additionally, RDP connections are not encrypted, so you could be exposing information on the network you're using to get into RDP, that is if anyone else is snooping on the network. If you go down this route, be sure you have the latest versions of Windows and your router, but again, it's highly discouraged.

      The best way to access RDP from outside your network is to set up a virtual private network (VPN), on your network. VPNs are best suited to provide an encrypted connection to your local network. This prevents anyone from snooping on your connection and reading that information. VPN logins can also easily be hardened with good security to make them difficult to exploit. Plus this has the added benefit of accessing anything else on your network, not just RDP on your PC.

      You can purchase a Raspberry Pi and set up a VPN with ease, using PiVPN. Here all you have to do is forward the VPN port from your router, to your Raspberry Pi IP Address, and go through the installer, and now you have a private VPN you can use with your public IP to get VPN access to your network. I recommend this VPN as I had used it personally and it worked well. Here is a how-to guide that should help with the install process.

      Hope this helps!

  6. Such a very useful article. Very interesting to read this article. I would like to thank you for the efforts you had made for writing this awesome article.

  7. I had a connection problem with my Linksys RE6300 extender so I contacted their tech. Very long story short - they concluded the extender wasn't working because I didn't have a firewall. I do on computers and router. They talked me into buying a SonicWall at a "special price" because I was a customer. The extender still doesn't work and the last call with the tech said maybe it's a firmware issue. I'm thinking I may have been conned.

    1. Hi Richard,

      I'm sorry to say but it seems like you might have been deceived. Every consumer grade router purchased is already a firewall, albeit one with very minimal configuration options. The only thing you can do (for most consumer routers) is port forwarding, which creates a firewall rule to let traffic in. Now it could be that there is a firmware issue with the extender, but you wouldn't initially have had issues because of "no firewall". You might be interested in a mesh network to improve your network coverage, as opposed to a range extender. There are plenty of mesh routers out that serve most people's needs.

  8. This article did not age well for the standard home user. Today, now in 2022, the average home is full of devices that connect to the internet and create network vulnerabilities that did not exist before. Today’s home definitely requires a firewall. I think the key difference between a home and a business is that for a home network, a high quality router will include a sufficient firewall for most homes. This will protect those IoT items such as smart thermostats, smart switches, smart bulbs, smart tv’s, smart appliances, smart etc.’s, that despite their names, are actually quite dumb when it comes to network security.

    But don’t take my word for it, just a couple of years ago, since this article was written, a casino was hacked for a few million by exploiting the casino’s aquarium controller. Seems everyone with an aquarium today has an off-the-shelf aquarium controller. These things are great…at controlling aquariums…and opening holes in your network security.

    1. Hi Christopher, I can say that all homes that have routers and devices already have a firewall. They aren't very finely tuned, but they do have one. Routers have firewalls on them, and so do computers, and even some smart devices. How they are configured is a different story.

      A high quality consumer router will not have much to it in terms of extra firewall capabilities with some parental controls, maybe other network protections too, but very limited personal controls. Plus you usually have to pay subscriptions for those additional services. Sure those devices are smart alright, apparently, anything you connect to the internet is smart. Indeed they are dumb when it comes to network security. Ideally, one of the best protections for these devices is to segment them onto a separate network. More often than not, that is done with VLANs, and most consumer routers will not be capable of that. They can create guest networks, that actually are VLANs, but you can't actually make more than one or configure it. For more business features, I'd recommend flashing the router with a new firmware that has tons of more features.

      I did see that article and am aware of what happened there. They likely had a firewall and it didn't fully protect them. They likely had a flat network that allowed a hacker to pivot to different devices with higher privileges and credentials to perform more dangerous attacks. I find it amusing how much companies want to connect things to the internet. It's probably better at opening security holes than controlling aquarium temperature.

      Thank you for reading, and I'm sure this article could use a bit of updating.

  9. I read your article and now feel like I got scammed so I'd like to get your thoughts. I had called for help in setting up a WiFi extender. Lots of questions were asked by the tech I spoke with. He did a job on me to purchase firewall software for my network because I had a number of ISP's that were using MY NETWORK AND WHO HAD ACCESS TO MY COMPUTERS. The Netgear software he said would effectively protect all computers and smart devices on my network so I'd no longer need firewalls for individual computers.

    Anyway, I bought what HE WAS saying .... he installed the software and made many setting changes and I paid $500.

    As I write this I am feeling very foolish. I think I know the answer.

    Thank you for yours,
    Joe M

    1. Hi Joe,

      I'm sorry to hear this, but it seems like you were misled. Setting up a WiFi extender has no bearing on a firewall. A WiFi extender works with radio signals, and carries traffic for an existing IP network. I am not sure what firewall software you purchased, but any home router you buy will have a firewall on it. It's not a great firewall, but it does the job that most people need it to do, though this is changing as more devices are connected to the internet, like smart devices. Most of your other devices do have firewalls as well, just like your computers. However some are disabled, or left in a basic configuration, similar to a network firewall. Host-based firewalls are good for each device and not something you'd "no longer need".

      Most new features people pay for with new routers are extra security and parental controls and monitoring. It's not necessary, but can help provide some peace of mind; it's similar to a home security system. Won't prevent intrusions, but should make it harder and more visible if something were to occur.


Copyright © 2023 Networking Guides