Hardware Firewall - What is it?

DLow

Banned
Banned
4,007
2009
568
0
A hardware firewall is a relatively simple piece of hardware. They are placed between the outside world (usually the internet) and the section of the network you need to protect. They are specially built to block unwanted protocols and network activity from entering and/or leaving the protected network segment behind the firewall.

Firewalls use a configuration file that contains a set of rules, better known as an ACL (Access List). The ACL is much like any configuration file in the sense that it contains all the information your firewall needs in order to know which traffic to block and which to forward on to your back-end secure network.


One of the most important things to remember when you begin working with your first firewall is that ACLs are read from the top down. So when you are configuring your firewall, always remember that a rule farther down in the list will NOT override a rule above it. If you block all access in line #1 and then allow access in line #2, line #2 will not allow access, because line #1 already blocked it.


In many cases you will set up the firewall to block all incoming requests from the outside world beyond those you want to have access. For instance, if you are running a web server you may want to block all access to the server (SSH especially) except for port 80 (http) and 443 (SSL). This way anyone trying to "hack" into your web server will have extremely little access to work with in order to breach your web server.





Now you may be wondering, "If I block all other ports, how am I going to access my server and/or network behind the firewall?" This is something that can be accomplished in a few different ways:
  1. VPN - A Virtual Private Network allows you to connect to your firewall via a special piece of software that adds your workstation to the network behind the firewall. You do not need to be on the actual network for this to work, only to have access to your firewall via the internet. So you can VPN in from your home PC over your internet connection.

     Once you are logged into the VPN, your workstation or home PC will be virtually connected to your private network behind your firewall, therefore you will not have any ports or data blocked or otherwise filtered by your hardware firewall.
  2. Access List - Using the brief explanation above of what an ACL is, you may have already determined what you need to do; however, for those who may still be scratching their heads, we will give some more details. An ACL is a list of rules that the firewall uses as its configuration file so it knows what to block and what not to. With that concept, you are able to configure your firewall to not block your connection to the network. So you can still block everything else from the outside world, while preserving your own access.

Now that we have a basic idea of what a hardware firewall is and what it does, we are going to take a look at who needs one and what additional security they provide over a software firewall.

Is a hardware firewall for me? In short, everyone should have one; however, they are not exactly a cheap thing to purchase. A good hardware firewall can range from a few hundred dollars to tens of thousands, depending on how much throughput you will need to filter and the number of connections you will need.

That in itself unfortunately filters out many of us, as the data we need to protect just does not warrant the cost of the purchase. If you find yourself not able to afford one, do yourself a favor and at the very least run a software firewall on your machines.

If you do decide a firewall is worth the premium, you will have many new advantages open to you:
  1. You will now be running a network appliance specifically built to protect your network from unwanted access.
  2. You will now be able to access your back-end network via a VPN, allowing you to securely pass data back and forth between the network and your remote locations.
  3. Access will now be filtered based on the rules you define; if you don't want someone or something to have access, you can block it.
  4. This point is one of the biggest advantages: you can have many, many machines behind one physical firewall, so you can control how each machine communicates with the outside world.
  5. A single point to control access.

While hardware firewalls are not the end-all solution to network security, when used properly they are the first major milestone in building up your network security and being able to rest easier at night.

8-)
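The top-down ACL behaviour described in the post (a deny in line 1 cannot be undone by a permit in line 2, and a public web server should expose only 80 and 443 while keeping the administrator's own access) can be illustrated with a small first-match evaluator. This is an added example written for this page, not code from the original post or from any firewall vendor. It assumes Cisco-style semantics (first matching rule wins, implicit deny at the end) and uses constructed documentation addresses: `203.0.113.0/24` as the hypothetical admin network and `198.51.100.7` as a hypothetical outside client. The `shadowed_rules` check goes slightly beyond the post: it reports any rule that an earlier rule makes unreachable, which is exactly the misordering the post warns about.

```python
"""Added example (not from the original post): a tiny first-match ACL
evaluator showing why rule order matters on a hardware firewall.
Hosts and networks below are constructed documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR form, or "any"
    dport: Optional[int]  # destination port; None means any port

    def covers(self, proto: str, src_ip: str, dport: int) -> bool:
        """True if this rule matches the given (proto, source, dest port) tuple."""
        if self.proto != "any" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def shadows(self, other: "Rule") -> bool:
        """True if every packet 'other' could match is already matched by self,
        i.e. 'other' can never fire if it sits below self in the list."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        if self.src == "any":
            src_ok = True
        elif other.src == "any":
            src_ok = False
        else:
            src_ok = ip_network(other.src).subnet_of(ip_network(self.src))
        port_ok = self.dport is None or self.dport == other.dport
        return proto_ok and src_ok and port_ok


def evaluate(acl: List[Rule], proto: str, src_ip: str, dport: int) -> Tuple[str, int]:
    """Walk the ACL top down; return (action, index) of the first matching rule.
    As on most firewalls, a packet that matches nothing hits an implicit deny (index -1)."""
    for i, rule in enumerate(acl):
        if rule.covers(proto, src_ip, dport):
            return rule.action, i
    return "deny", -1


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    covers everything they would match (the ordering mistake the post describes)."""
    return [j for j, later in enumerate(acl)
            if any(earlier.shadows(later) for earlier in acl[:j])]


ADMIN_NET = "203.0.113.0/24"  # constructed: where the administrator connects from

# Misordered ACL: the catch-all deny in line 1 swallows everything,
# so the permit for port 80 in line 2 never allows anything.
BAD_ACL = [
    Rule("deny", "any", "any", None),
    Rule("permit", "tcp", "any", 80),
]

# Correct ACL for a public web server: specific permits first, catch-all deny last.
WEB_ACL = [
    Rule("permit", "tcp", ADMIN_NET, 22),  # SSH only from the admin network
    Rule("permit", "tcp", "any", 80),      # http from anywhere
    Rule("permit", "tcp", "any", 443),     # https from anywhere
    Rule("deny", "any", "any", None),      # everything else is blocked
]

if __name__ == "__main__":
    print(evaluate(BAD_ACL, "tcp", "198.51.100.7", 80))   # ('deny', 0)
    print(shadowed_rules(BAD_ACL))                        # [1]
    print(evaluate(WEB_ACL, "tcp", "198.51.100.7", 443))  # ('permit', 2)
    print(evaluate(WEB_ACL, "tcp", "198.51.100.7", 22))   # ('deny', 3)
    print(evaluate(WEB_ACL, "tcp", "203.0.113.10", 22))   # ('permit', 0)
```

Running `shadowed_rules` over an ACL before loading it is the cheapest way to catch the "deny first, permit later" mistake: any index it returns is a rule that the firewall will never reach.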
 
3 comments
One thing I learned when going through A+ classes... any basic network router/switch has a firewall. The only thing that doesn't is your modem. You don't technically have to use a program firewall if you have a router or a switch, but it never hurts to double up on protection.

Good read.

Thanks DLow
 