Hi, so I’m a little confused as to what a firewall can truly prevent and/or detect, specifically between an attack like an intrusion vs a Trojan horse. If a firewall can’t prevent an intrusion and/or Trojan horse, could you please explain why and what firewalls can do in terms of attacks or preventing malware from entering a PC? Any help would be greatly appreciated.
Imagine a bunch of doors in a wall, and those doors only go to one place. You can’t use that door to go anywhere else on the other side of the wall, just the place where the door has been put there to go to. Every time you go through the door, someone is there asking who you are and where you are coming from; they write that down, and sometimes they may not let you in if you’re not allowed. And sometimes they even ask to see what’s in your pockets, and if they find any naughty stuff or think you’re trying to do something naughty, they won’t let you through the door.
A firewall says “OK, this program is allowed to open/receive a network connection to/from this port on this URL,” or any combination of that information.
So, if there is a strict firewall, the Trojan will try to connect to the remote server to open the backdoor (or open a port for it), and the firewall will say “Hey, you can’t open that port!”
The problem is, no firewall should block access to port 443 (the port HTTPS uses) on arbitrary URLs, otherwise web browsing will not work well. And nowadays many non-web-browser programs are actually web browsers, so it’s really hard to design a firewall filter that counters any Trojan while also allowing the user to use the computer.
Firewalls work on a few levels, but all come down to the same principle. Imagine you own a building and have door security staff, and can give them various levels of instructions.
The most basic, like your home router or PC’s built-in firewall, is basically a simple ID card check. It allows people who were already inside to leave and come back if their ID matches a list, and stops anybody from coming in. The ID is easy to fake though, doesn’t contain a photo to match you, and the person running the place (you, the operator) pretty much clicks allow and lets everything through.
The next level up checks IDs and matches the photos and a physical description, and checks that you don’t match the description of a known list of bad people. This is much more sophisticated, and is considered a business firewall in most cases, something like pfSense.
The most sophisticated, things like a Palo Alto, also do a pat down, or in some cases strip search, checking for anything malicious. And if they see anything weird, they’ll take it apart to see what it does before releasing it.
This is obviously waaayyy oversimplified, but firewall tech is complicated!
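An added example, not written by any of the posters above, that models both answers in Python: a rule list evaluated like the "ID check" in the building analogy, with the stateful "people already inside can leave and come back" behaviour for inbound replies, showing why a port-only rule that allows outbound 443 lets any program through while a per-program rule does not. The program names, hosts and policies are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One firewall rule. None in a field means 'match anything' for that field."""
    action: str                      # "allow" or "deny"
    direction: str                   # "out" or "in"
    program: Optional[str] = None    # process name; only application-aware firewalls know this
    port: Optional[int] = None       # remote port
    host: Optional[str] = None       # remote host

@dataclass(frozen=True)
class Conn:
    direction: str
    program: str
    host: str
    port: int

class Firewall:
    """First matching rule wins; a connection matching no rule is denied.
    Inbound traffic passes without a rule only if it replies to an outbound
    connection this firewall already allowed (stateful filtering)."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.established = set()     # (host, port) pairs we opened outbound

    def decide(self, c: Conn) -> str:
        if c.direction == "in" and (c.host, c.port) in self.established:
            return "allow"           # reply to a flow we started
        for r in self.rules:
            if (r.direction == c.direction and r.program in (None, c.program)
                    and r.port in (None, c.port) and r.host in (None, c.host)):
                verdict = r.action
                break
        else:
            verdict = "deny"         # default deny, like the ID check with no list entry
        if verdict == "allow" and c.direction == "out":
            self.established.add((c.host, c.port))
        return verdict

# Constructed policies: "HTTPS is fine" versus "only the browser may use HTTPS".
PORT_ONLY = [Rule("allow", "out", port=443)]
PER_PROGRAM = [Rule("allow", "out", program="browser.exe", port=443)]

def run(policy):
    """Return the verdict for each constructed sample connection under a policy."""
    fw = Firewall(policy)
    events = [
        Conn("out", "browser.exe", "www.example.com", 443),   # normal browsing
        Conn("in", "browser.exe", "www.example.com", 443),    # the server's reply
        Conn("out", "updater.exe", "203.0.113.5", 443),       # unknown program using 443
        Conn("in", "sshd", "198.51.100.7", 4444),             # unsolicited inbound
    ]
    return [fw.decide(e) for e in events]
```

Under PORT_ONLY the unknown program's outbound 443 connection is allowed, which is the gap the second answer describes; under PER_PROGRAM it is denied, while the unsolicited inbound connection is denied by both.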