Hardware Firewalls

By Matthew Sarrel  |  Posted 2002-11-19


The inexpensive router appliances that move traffic between the Internet and one or more machines on home and small-office networks have long used Network Address Translation (NAT), which some companies incorrectly market as a firewall. NAT merely hides the private IP addresses of the PCs behind it so that all outgoing traffic appears to come from a single public address. It was designed to share one address, not to enforce a security policy, and it is possible to get traffic past a NAT device that has no firewall.

Recently, router manufacturers have begun including true firewalls that block inappropriate inbound and outbound traffic through several techniques. IP filtering, for example, can stop users behind the firewall from sending anything to, or receiving anything from, specific IP addresses. Similarly, the administrator can block traffic to or from particular network cards on the LAN by their MAC addresses (the hardware address that identifies each network card). Bear in mind that a MAC address can be changed in software on most operating systems, so MAC filtering keeps honest machines in line but will not stop a determined user.

The hardware firewalls in this roundup add another layer of protection: Stateful Packet Inspection (SPI). Rather than judging each packet in isolation by its source and destination addresses and ports, an SPI firewall keeps a table of the connections that machines on your network have opened and admits an inbound packet only if it belongs to one of them (for TCP, it also checks that the packet fits the stage of the handshake it has already seen). An unsolicited packet that merely looks like a reply, such as a forged TCP packet with the ACK flag set, is dropped.

Hardware firewalls can also control traffic with keyword and domain filters: administrators can block access to specific domains or to any domain whose name contains certain keywords. Some firewalls let administrators write more detailed rules that deny traffic by source address, destination address, port, or protocol (ICMP, TCP, or UDP).
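To make the difference between the mechanisms above concrete, here is an added example (not code from the article or from any router vendor) of a toy router firewall in Python. It combines the static IP, MAC, port and protocol rules of the kind the filtering and rule paragraphs describe with a stateful connection table as in the SPI paragraph, and a domain/keyword filter. All addresses, MAC addresses, the game port number and the packets themselves are constructed for the example; nothing touches a real network. A flag-only "established" check is included alongside the stateful one to show what SPI adds.

```python
"""Toy router firewall: static IP/MAC/port/protocol rules plus a stateful
connection table (SPI) and a domain filter.  Added example, not code from the
article or any vendor product; every packet, address and rule below is
constructed inline and there is no real network I/O."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (arriving from the Internet) or "out" (from the LAN)
    proto: str            # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: int = 0     # 0 for ICMP
    dst_port: int = 0
    src_mac: str = ""     # LAN sender's MAC; unknown ("") for inbound packets
    tcp_flags: str = ""   # toy flag string: "S" (SYN), "SA" (SYN/ACK), "A" (ACK)


@dataclass(frozen=True)
class Rule:
    """A static filter rule; a field left as None matches anything."""
    action: str                    # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        for name in ("direction", "proto", "src_ip", "dst_ip", "dst_port", "src_mac"):
            want = getattr(self, name)
            if want is not None and getattr(p, name) != want:
                return False
        return True


class StatefulFirewall:
    """First matching static rule wins.  With no rule match, outbound traffic
    is allowed and recorded, and inbound traffic is allowed only if it belongs
    to a flow the LAN side opened (default-deny inbound)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()  # flow keys, always written from the LAN side's viewpoint

    @staticmethod
    def _flow_key(p: Packet):
        # (proto, lan_ip, lan_port, wan_ip, wan_port) so both directions of a flow agree
        if p.direction == "out":
            return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        key = self._flow_key(p)
        if p.direction == "out":
            # Only a real TCP connection start (SYN) opens state; UDP/ICMP have
            # no handshake, so any outbound packet opens a pseudo-session.
            if p.proto != "tcp" or p.tcp_flags == "S":
                self.sessions.add(key)
            return "allow"
        return "allow" if key in self.sessions else "deny"


def stateless_established_check(p: Packet) -> str:
    """What a pre-SPI packet filter did: treat any inbound TCP packet carrying
    the ACK flag as a reply to an existing connection.  A forged ACK gets in."""
    if p.direction == "in" and p.proto == "tcp" and "A" in p.tcp_flags:
        return "allow"
    return "deny"


def domain_blocked(hostname: str, blocked_domains, keywords) -> bool:
    """Domain filter: block a host if it is (or is under) a listed domain, or
    if its name contains a listed keyword.  Suffix matching on a label
    boundary avoids blocking 'notexample.net' for a rule on 'example.net'."""
    host = hostname.lower().rstrip(".")
    for d in blocked_domains:
        d = d.lower().rstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return any(k.lower() in host for k in keywords)


def demo() -> dict:
    """Run constructed packets through the filter and return the decisions."""
    rules = [
        Rule("deny", dst_ip="203.0.113.9"),                          # IP filter, both ways
        Rule("deny", src_ip="203.0.113.9"),
        Rule("deny", direction="out", src_mac="00:11:22:33:44:55"),  # MAC filter: card barred from the Internet
        Rule("allow", direction="in", proto="udp", dst_port=27015),  # game port opened (example number)
    ]
    fw = StatefulFirewall(rules)
    r = {}
    lan_mac = "00:11:22:33:44:66"
    # LAN host opens a web connection; the SYN/ACK is admitted by state, not by any rule.
    r["syn"] = fw.decide(Packet("out", "tcp", "192.168.1.10", "198.51.100.20", 40000, 80, lan_mac, "S"))
    r["synack"] = fw.decide(Packet("in", "tcp", "198.51.100.20", "192.168.1.10", 80, 40000, "", "SA"))
    # Forged "reply" to a port nobody opened: stateful denies it, the flag-only check allows it.
    forged = Packet("in", "tcp", "198.51.100.66", "192.168.1.10", 80, 40001, "", "A")
    r["forged_stateful"] = fw.decide(forged)
    r["forged_stateless"] = stateless_established_check(forged)
    # UDP pseudo-state: a DNS query goes out, so the answer is let back in.
    r["dns_query"] = fw.decide(Packet("out", "udp", "192.168.1.10", "198.51.100.53", 40004, 53, lan_mac))
    r["dns_reply"] = fw.decide(Packet("in", "udp", "198.51.100.53", "192.168.1.10", 53, 40004))
    # Static filters and the default-deny for unsolicited inbound traffic.
    r["blocked_ip"] = fw.decide(Packet("out", "tcp", "192.168.1.10", "203.0.113.9", 40002, 80, lan_mac, "S"))
    r["blocked_mac"] = fw.decide(Packet("out", "udp", "192.168.1.11", "198.51.100.53", 40003, 53, "00:11:22:33:44:55"))
    r["game_port"] = fw.decide(Packet("in", "udp", "198.51.100.77", "192.168.1.10", 27015, 27015))
    r["unsolicited_udp"] = fw.decide(Packet("in", "udp", "198.51.100.77", "192.168.1.10", 5000, 5001))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The forged-ACK case is the whole point of SPI: the older filter admits the packet because it carries the right flag, while the stateful filter rejects it because no machine on the LAN ever opened that connection. The game-port rule also shows why the gaming scenario later in the article trips people up: until the administrator adds a rule for that port, unsolicited inbound UDP falls through to the default deny.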

Confused by this alphabet soup? Therein lies the hardware firewall rub. The average user is unlikely to have a deep enough understanding of networking to know his UDP from a hole in his firewall. Some of the firewalls we tested come with reasonably good default settings, but if those settings aren't appropriate (for multiplayer games that need specific ports open, for example), changing them can be challenging. Will the person playing the game even realize why it isn't working?

On the other hand, the average user will likely appreciate the "set it and forget it" nature of hardware solutions, which tend to operate quietly in the background, without generating as many queries and alerts as software firewalls. For those who have multiple computers on home networks, managing one device is easier than monitoring individual machines with a software firewall on each. Also, physical installation is trivial: Run an Ethernet cable between your cable or DSL modem and the firewall, then connect each PC on your network to the firewall through either a wired or wireless Ethernet connection. (Some routers also let you share a dial-up modem.)

Matthew D. Sarrel, CISSP, is a network security, product development, and technical marketing consultant based in New York City. He is also a game reviewer and technical writer. To read his opinions on games please browse http://games.mattsarrel.com and for more general information on Matt, please see http://www.mattsarrel.com.
