The keys for firewall protection

Firewall protection primarily uses packet filtering to detect and block intruders. Some also include application filtering. In addition, these applications typically generate alerts and log intrusion attempts.

Packet Filtering

In packet filtering, the firewall software inspects the header information (source and destination IP addresses and ports) in each incoming and, in some cases, outgoing, TCP/IP packet. Based on this information, the firewall blocks the packet or transmits it. The firewall uses the port information to block idle or nonstandard ports such as a listening port opened by a Trojan horse. In this way, the firewall blocks packets sent from a hacker to the Trojan horse listening port. Increasingly, personal firewalls also block outgoing traffic on these ports. This precludes a Trojan horse from sending outgoing packets.
The firewall protection also uses the port information to block certain types of incoming packets associated with common hacker attacks. For example, hackers use port scanner software to identify target computers for attack. Port scanners “ping” ranges of IP addresses via port 7. If a computer responds to the ping, it becomes a target for further probing for open ports. By default, personal firewall software packages block these incoming pings on port 7 so that the computer does not respond.
Personal firewalls also use the source and destination IP addresses to filter packets. Firewalls can be configured to allow or block packets from specific IP addresses. However, packet filtering is susceptible to “IP spoofing,” which refers to the practice of forging the source IP address in a packet. In this way, a malicious hacker can try to gain entry by spoofing the source IP address. For example, some firewalls will not block a packet if its source and destination IP addresses correspond to IP addresses behind the firewall on the private network. Hackers exploit this vulnerability by forging the source IP address. In another IP spoofing scenario, the source and destination IP addresses are the same; this type of packet will lock up some computers.

Application Filtering

As one important function of firewall protection, Application-level filtering uses higher-layer protocol information to filter traffic and implements additional security and access control services. More typical in enterprise networks, application-level firewalls are implemented as hosts running proxy servers. These proxy servers are used to prevent direct traffic between network peers. Additionally, proxy servers can log and audit network traffic. Many personal firewalls have a basic form of application-level filtering that allows users to specify which applications on the computer may access the Internet.
Some Trojan horse programs may circumvent this filtering by modifying a program that is commonly granted full access to the Internet through a firewall. In this way, the Trojan horse masquerades as a harmless program on the PC, but provides a hacker with access to the PC, in spite of application-level filtering firewalls. Only a personal firewall software package, which also checks programs for unauthorized modifications, can successfully defend a user from this type of attack.

Alerting and Logging

A key feature of any firewall is its ability to alert the user when it detects an “attack,” and to maintain a system log of these events. This allows the user to identify threats and to fine tune the firewall configuration appropriately. A key responsibility of the user is to monitor the logs and take appropriate action when necessary. and assigns “private” IP addresses to each client PC on the LAN. These private addresses are not known outside the LAN on the Internet. All incoming packets arriving at the NAT gateway have the same destination address. The NAT gateway refers to its association mapping table to determine the actual client address and port number for a destination packet and forwards the packet to the correct client. Many of these NAT devices also include additional firewall protection in the form of basic packet filtering. Some NAT implementations also include “stateful” port inspection, in which the firewall monitors the state of the transaction to verify that the destination of an inbound packet matches the source of a previous outbound request. Stateful port inspection helps to prevent denial-of-service attacks (which typically use the UDP transport) that can be mounted using IP address spoofing techniques