A personal firewall is a piece of software that filters the incoming and outgoing traffic of a PC on the computer itself. It is used to protect the computer and is listed as a recommended protective measure for users of the Internet.
Unlike a classic network firewall, a personal firewall is not a standalone network unit that filters traffic between two networks. It only filters between the computer on which it runs and the network.
A disadvantage of this principle is that the firewall software itself can be attacked. Exploiting or circumventing these can mean full access to the system to be protected. The vulnerability of the computer is shifted from its network operating system to its firewall at the points where the firewall is active. Additional security against attacks is provided by the fact that a firewall is less complex than an entire operating system – and therefore statistically contains fewer errors.
---
Another advantage of a personal firewall, in contrast to an external firewall, is that it can determine exactly which applications are involved in incoming and outgoing communication. In this way, application-specific filters are possible, so that you can allow some programs to traffic and not others.
Purpose of Personal Firewall and How it Works
A personal firewall is installed on a computer connected to a network, a host, to protect it from attacks from the network.
The network can be the Internet or a local network of a company or a private household. The Personal Firewall is designed to control external access to the computer and can selectively prevent it from attacks by worms or crackers.
Another task is to detect and prevent spyware from connecting to backdoors or communications. However, such a “breakout” is difficult to prevent due to the principle and not every firewall software succeeds. In particular, there are techniques to open ports through firewalls, which are also used by instant messenger programs such as Skype.
Basic functions
When communicating in computer networks, the information to be sent is packed into individual data packets, which are forwarded via the network to remote computers. In addition to the data to be transmitted, each packet contains addressing information: the source IP address indicates the computer from which the packet originates, the destination IP address, to which computer it is to be sent. Numbers specified in the packet, the source port number and the destination port number, allow the operating system to assign the packet to an application program.
The main component of a personal firewall is a packet filter. This packet filter makes it possible to block incoming or outgoing data packets according to predefined rules. Filter criteria can be source and destination addresses, protocols, and source and destination ports.
In contrast to external firewalls, a personal firewall has an application filter (application control) that can specifically exclude individual application programs from network communication. In addition, the application can be included in the rules for the previously mentioned packet filter, so that it can filter on an application-based basis. For example, individual applications can be allowed to communicate in a certain way that others are forbidden.
The Personal Firewall provides the user or administrator with a graphical frontend for configuring packet and application filtering.
Other features
Personal firewalls differ in their range of functions due to additional components.
Most personal firewalls have a learning mode. The rules for packet filters and application filters are set by interaction with the user. If the Personal Firewall registers traffic for which no rule exists, this is reported to the user in a dialog box. They can then decide whether to allow or block this connection. From the answer, the firewall can formulate a new rule that will be applied in the future.
With a content filter, some personal firewalls can inspect the contents of data packets and, for example, filter out ActiveX components, JavaScript, or banner ads from requested HTML pages. Content filters that specialize in web applications are called “Web Shield” or “Web Application Firewall.” Filters for email attachments are also commonly offered.
Some firewalls have an intrusion detection and prevention system. In technical jargon, this is called the “Intrusion Detection System” (IDS) or “Intrusion Prevention System” (IPS). A distinction is made between network-based (NIDS) and host-based intrusion detection systems (HIDS). An NIDS examines network traffic for known attack patterns and reports their occurrence. Malware often tries to bypass filtering through the firewall. This could be done by the malware terminating the service of the Personal Firewall. One possible trick to bypass the Personal Firewall is to launch a trusted program (such as the browser) and use it to establish the connection. It is also possible to try to modify a trusted program or library used by it, or to infiltrate it as an extension for such a program. A host-based intrusion detection system (HIDS) attempts to detect such tricks and warns the user.
Another possible feature is “sandboxing“. A program running in a sandbox is denied access to certain system resources. It is designed to prevent a compromised application from causing damage to the operating system.
A computer that communicates on the Internet usually has several connections established at the same time. For example, when a website on the Internet is called up by the browser, the name service is always consulted beforehand in order to resolve the IP address. The same goes for sending or retrieving emails. Such a connection, in turn, consists of several individual data packets that are exchanged bidirectionally. A packet filter that is capable of stateful inspection (stateful or dynamic packet filtering) can allow a data packet to pass through according to the criterion of whether it is part of a pre-existing connection, i.e. the response to a previous allowed data packet. Filtering is said to be controlled by the state (existing or non-existent) of the connection. This is where the term “stateful packet filtering” comes from. One of several ways to implement this feature is that when the packet filter lets an outbound data packet through according to the rule specified by the user, it generates a new rule that also allows a packet that has the properties of an expected response. Since this rule is not rigidly predetermined, but is dynamically generated by the packet filter, it is also referred to as “dynamic packet filtering”.
Some personal firewalls offer a stealth mode. In this mode, requests on unused ports are discarded unanswered. Normally, in such a case, a response would be given that the computer is reachable, but the port is not occupied. The lack of response is intended to make it harder for the attacker to gather information about the system. This approach is known as “security through obscurity”.
Many personal firewalls independently check whether the manufacturer has provided a more up-to-date version of the firewall software on the network, download it if necessary and install it. This automatic system ensures that the firewall software is updated promptly if it is affected by security vulnerabilities.
Remote maintenance access can be used by the network administrator to administer a personal firewall on a device in the network.
