Internet Primer

This introduction is intended to provide a basic understanding of how the Internet works and how this applies to firewalls. Thick books have been written about this, and you are encouraged to read one of them if you would like to know more. This page will just provide a brief definition of many of the terms used on this site.
IP Address

Each device (computer, cell phone, coffee maker) connected to the Internet requires an 'IP address'. An IP address is a four byte long number. It is usually written by separating the 4 bytes with a '.'. For example, 64.71.137.130 is the IP address of the DShield web server. Each of these four numbers has to fall in the range from 0-255.

DNS / Domain Name / Host Name

As humans have a hard time remembering numbers, an automated directory assistance was introduced which translates easier to remember names (domain names or host names) into IP addresses. This lookup is performed transparently to the user. If you enter 'www.dshield.org' in your web browser, your Internet software will ask a domain name server (DNS) for the IP address associated with this host name. The domain name server will respond with '64.71.137.130'. As a result, your computer will contact '64.71.137.130' and ask it for the dshield.org home page.

Ports

This site uses the term 'port' a lot. In order for a computer to connect to multiple Internet services at the same time, the concept of a 'port' was introduced. Each computer has 65536 ports available. If your web browser initiates a connection to dshield.org, for example, it will pick the first available port (let's say 12345) and use it to send the connection request to dshield.org. DShield.org's web server will reply to port 12345 on your PC. This way, your PC knows that this reply is in response to the request sent to dshield.org earlier. The first 1024 ports are set aside for 'privileged use'. Usually, only servers that wait for incoming connections use these ports.

IP (Internet Protocol)

There are a number of different protocols which are used to send data across the Internet. Some will be discussed below. However, all of them are based on the 'Internet Protocol'. The Internet Protocol is the basic language that makes the Internet work. One of the features that made the Internet Protocol such a big success is its simplicity.
The Internet Protocol requires all data to be split into packets. A packet is any kind of data, preceded by a header. The header contains the source and destination of the packet, as well as a number of options, a checksum and the length of the packet. Routers, which pass the packet from its source to the destination, leave the content of the packet untouched and just look at the header to identify where to send the packet next.

TCP (Transmission Control Protocol)

TCP is one of the two most popular protocols used on the Internet. It provides a connection between client and server, and each side acknowledges the receipt of data. TCP is the basis of popular Internet applications like HTTP (web browsing), FTP (file transfer) and e-mail.

UDP

Unlike TCP, UDP is not built on the idea of a 'connection'. Instead, one system will just send data blindly, and it will not require any acknowledgement that the data has been received. This can be useful to stream data at high speed, for example streaming audio, where re-sending a missing packet would not be feasible.

ICMP (Internet Control Message Protocol)

ICMP is mostly used for diagnostics. 'ping', a small application included in most (all?) operating systems, uses this protocol. ICMP is used to send small messages indicating the status of a host or connection. It can also be used to request such a status message. Typical messages are:
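To make the two preceding points concrete (the dotted-quad address format with its 0-255 fields, and the IP header a router inspects without touching the payload), here is an added Python example that is not part of the original DShield page. It builds a constructed 20-byte IPv4 header, decodes the source, destination, protocol and length fields, and verifies the header checksum the way a receiving router would. The addresses, function names and the sample payload length are the example's own assumptions; the protocol numbers (1, 6, 17) and the checksum rule are the standard ones from the IP specification.

```python
import struct

# Protocol numbers carried in the IPv4 header's "protocol" field.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Header layout: version/IHL, TOS, total length, identification, flags/fragment,
# TTL, protocol, header checksum, source address, destination address (20 bytes).
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"


def parse_ipv4_str(text):
    """Parse a dotted-quad string, enforcing exactly four fields each in 0-255."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four fields in {text!r}")
    octets = []
    for field in parts:
        if not field.isdigit():
            raise ValueError(f"non-numeric field {field!r} in {text!r}")
        value = int(field)
        if not 0 <= value <= 255:
            raise ValueError(f"field {value} out of range 0-255 in {text!r}")
        octets.append(value)
    return bytes(octets)


def is_valid_ipv4(text):
    """Convenience wrapper: True if the string is a well-formed dotted quad."""
    try:
        parse_ipv4_str(text)
        return True
    except ValueError:
        return False


def ipv4_to_str(raw):
    """Render four address bytes in the dotted-quad form used on this page."""
    if len(raw) != 4:
        raise ValueError("an IPv4 address is exactly four bytes")
    return ".".join(str(b) for b in raw)


def ip_checksum(header):
    """One's-complement sum of the header's 16-bit words, then complemented.
    Over a header whose checksum field is already correct the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, protocol, payload_len, ttl=64):
    """Build a minimal IPv4 header (no options) with a valid checksum."""
    ver_ihl = (4 << 4) | 5  # version 4, header length 5 words = 20 bytes
    header = struct.pack(IPV4_HEADER_FMT, ver_ihl, 0, 20 + payload_len, 0x1234,
                         0, ttl, protocol, 0, parse_ipv4_str(src), parse_ipv4_str(dst))
    checksum = ip_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:]


def parse_ipv4_header(packet):
    """Decode the fields a router or firewall looks at and verify the checksum.
    The payload (anything past the header) is deliberately left untouched."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, _ident, _flags_frag, ttl, protocol,
     _checksum, src, dst) = struct.unpack(IPV4_HEADER_FMT, packet[:20])
    version = ver_ihl >> 4
    header_len = (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if header_len < 20 or len(packet) < header_len:
        raise ValueError("header length field inconsistent with packet")
    return {
        "src": ipv4_to_str(src),
        "dst": ipv4_to_str(dst),
        "protocol": PROTOCOL_NAMES.get(protocol, str(protocol)),
        "ttl": ttl,
        "total_length": total_length,
        "header_length": header_len,
        "options": packet[20:header_len],
        "checksum_ok": ip_checksum(packet[:header_len]) == 0,
    }


if __name__ == "__main__":
    # Constructed sample: a TCP packet from a private PC to the DShield web server address.
    hdr = build_ipv4_header("192.0.2.10", "64.71.137.130", 6, payload_len=40)
    print(parse_ipv4_header(hdr))
```

A corrupted header (for instance one bit flipped in the source address) makes `checksum_ok` come back False, which is why routers discard such packets rather than forwarding them.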
Firewalls

Like a firewall between two buildings is intended to protect one house from a potential fire in a neighbor's house, Internet firewall software or hardware is intended to protect a personal computer or private network from the ever raging fire on the Internet.

To do so, a firewall will inspect packets sent to and received from the Internet. Based on rules defined by its administrator or manufacturer, the firewall will allow certain data to pass while it will block other data. Many firewalls will track rejected packets in a log. The administrator is encouraged to regularly inspect these logs. DShield.org collects such logs to allow firewall administrators to compare notes and improve firewall rule building.

Firewall implementations vary widely. In its most basic form, a firewall will inspect headers and try to determine if source and destination are defined as 'allowed', or if the packet is a response to a request sent earlier. More sophisticated firewalls will inspect the content of the packet as well, and alert the user if the content matches data defined as sensitive. However, most firewalls have a common feature and weakness: they prevent connection attempts initiated from the 'outside', while they are very permissive in allowing requests to be sent from the inside. Firewalls do not replace virus scanners and safe computing practices.
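The following added Python example (not code from the DShield site) models the basic header-only firewall described above: outbound requests are allowed and remembered, an inbound packet is allowed only if it mirrors an earlier request (including the ephemeral port the client picked, as in the Ports section) or matches an explicit rule, and everything else is dropped and logged. It finishes with the per-source, per-port count an administrator would look at when reviewing that log. The addresses, port numbers and traffic list are constructed; the class and function names are the example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the protected PC, "in" = arriving from the Internet
    proto: str      # "TCP", "UDP" or "ICMP" (ICMP has no ports; 0 is used)
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Header-only firewall: outbound allowed, inbound only as a reply or by explicit rule."""

    def __init__(self, allowed_inbound):
        # (proto, local port) pairs on which a local server may accept connections
        self.allowed_inbound = set(allowed_inbound)
        # requests seen leaving the inside, so that the matching reply can be recognised
        self.connections = set()
        # rejected packets, kept as structured entries (proto, src, sport, dst, dport)
        self.log = []

    def handle(self, pkt):
        if pkt.direction == "out":
            self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # An inbound packet is a reply if its addresses and ports mirror a stored request.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "ALLOW"
        if (pkt.proto, pkt.dport) in self.allowed_inbound:
            return "ALLOW"
        self.log.append((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "DROP"

    def format_log(self):
        """Render the rejected packets as one text line each."""
        return [f"DROP {p} {s}:{sp} -> {d}:{dp}" for p, s, sp, d, dp in self.log]

    def summarize_log(self):
        """Count drops per (source address, target port), the view used to compare notes."""
        counts = {}
        for _proto, src, _sport, _dst, dport in self.log:
            counts[(src, dport)] = counts.get((src, dport), 0) + 1
        return counts


INSIDE = "192.0.2.10"  # constructed address of the protected PC

# Constructed traffic sample, in arrival order.
SAMPLE_TRAFFIC = [
    Packet("out", "TCP", INSIDE, 12345, "64.71.137.130", 80),   # browser request to dshield.org
    Packet("in", "TCP", "64.71.137.130", 80, INSIDE, 12345),    # the web server's reply
    Packet("out", "ICMP", INSIDE, 0, "64.71.137.130", 0),       # ping request
    Packet("in", "ICMP", "64.71.137.130", 0, INSIDE, 0),        # ping reply
    Packet("in", "TCP", "198.51.100.7", 4444, INSIDE, 135),     # unsolicited connection attempt
    Packet("in", "UDP", "198.51.100.7", 53000, INSIDE, 53),     # unsolicited, nothing listening
    Packet("in", "TCP", "203.0.113.5", 40000, INSIDE, 22),      # permitted by explicit rule
    Packet("in", "TCP", "198.51.100.7", 4445, INSIDE, 135),     # second attempt, same source
]


def run_sample():
    """Feed the sample through a firewall that only exposes a local SSH server on TCP/22."""
    fw = StatefulFirewall(allowed_inbound={("TCP", 22)})
    decisions = [fw.handle(p) for p in SAMPLE_TRAFFIC]
    return decisions, fw


if __name__ == "__main__":
    decisions, fw = run_sample()
    for pkt, verdict in zip(SAMPLE_TRAFFIC, decisions):
        print(verdict, pkt)
    print("\n".join(fw.format_log()))
    print(fw.summarize_log())
```

Note the weakness the page points out: the `out` branch trusts anything the inside sends, so a program already running on the PC can open connections freely, which is why the log review and the virus scanner remain necessary alongside the filter.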
last update: 23/Nov/2009 03:23. DShield is a Servicemark of Euclidian Consulting.