Firewalls Are Just Like Bouncers

Cybersecurity is key for stations of all sizes

October 8, 2015

In today’s world, we are more connected than ever. With all of the remote access solutions available to us, we should be able to address and fix almost any station issue remotely within a few minutes.

Any network can be hacked with enough effort — but effective firewall configuration and maintenance make it much harder.

The process of addressing issues has been greatly streamlined by the use of AoIP and other technologies. These new technologies afford us unprecedented ability to address most issues with a Web browser or a terminal interface. Because so much of our work now lies within computers, we can choose to work with our sites in-person or remotely, by way of laptops, tablets or smartphones. We need to leverage this connectivity to make our lives a little easier while providing excellent service for our stations.

In this article (and the next) we’re going to discuss firewalls first, followed up by a detailed examination of various remote access solutions, so that you can learn to make effective use of these tools.

There is always a price to pay for this ease of communications and remote network access. The price is called risk. If you connect your LAN to the Internet — there is risk. If you open a door to allow remote access, there is even more risk. Any network can be cracked with enough time and patience; there is no way to candy-coat this. If you enable remote access, someone can potentially break into your network.

Your job as the person implementing a remote access solution is to balance the amount of risk you are willing to take with the level of functionality that you need. If the solution is complex, it will have less risk, but utilizing it might be more challenging. If the solution is rather simple, then you might have more risk and more issues with unauthorized access.

As we cover various remote access solutions, you will have to assess where your comfort zone lies.

POINTS OF CONSIDERATION

Engineers need to consider some points before they dive into implementing a remote access solution. We all have budget constraints. A license for remote access software may cost thousands of dollars.

One must also consider the group of users that will potentially have remote access. Some stations only allow the engineering staff to access the station remotely; some stations will also allow program directors, production directors and traffic directors to access the system remotely. This will factor into how complex the solution will be.

The final point I would like to address is that of maintenance. Someone will need to monitor and administer the remote access system. A remote access solution is not something you set and forget: Someone needs to make sure that passwords are rotated, logs are checked for suspicious access attempts, and that patches are applied. An engineer can implement the best remote access in the world, but it is worthless and a severe security risk if it is not maintained.

When implementing a remote access solution, a limited discussion about firewalls and basic TCP/IP is in order. One of the most important concepts is the idea of inbound and outbound data traffic. Most firewall implementations do not block any outbound traffic, meaning that users on your LAN have access to whatever they want on the outside of the firewall, via the open Internet. When we implement a firewall, we are usually blocking inbound traffic.

Another concept to discuss is the use of port forwarding, or opening a port on the firewall for inbound traffic. With any TCP/IP host there are 65,535 ports that can be utilized for services, but certain ports are defined and never change. These are called reserved ports and go from port 0 to port 1024. As an example, let’s look at port 80: Everyone in the world has agreed that this port will be used for Web traffic. If you have implemented a firewall on your Web server you will need to open port 80 inbound so people using the Internet can “see” your website. Ports above 1024 are completely open and anyone can define or use them for their needs.

Some remote access solutions require a port to be opened on the firewall in order to operate properly.

Think of it this way: I want to access Bob’s house. I need to know what door to knock on and Bob needs to answer that door. A firewall blocks everyone’s ability to knock on the doors of Bob’s house. Now, Bob wants people to be able to access his services so he sets up programs that will answer certain doors. After Bob sets up these services, he will need to tell the firewall that if someone wants to knock on these doors, let them. After that “configuration” is done, people can actually reach Bob’s house and knock on certain doors, and they can access the services that Bob is offering.

OF PROTOCOLS AND PORTS

Let’s talk about the difference between TCP and UDP and the significance of ports.

TCP/IP and UDP/IP are two flavors of network protocols we are interested in when we are talking about firewalls. These two protocols deliver your data in different ways: UDP is usually used for audio and video over the network due to the time-sensitive nature of these types of data; TCP is used for everything else.

These two protocols work in conjunction with IP to get your data from source to destination. Four pieces of information are needed to get your data from one point to another: A valid source and destination IP address and a valid source and destination port number.

For simplicity’s sake, you can think of TCP/IP and UDP/IP as the means by which mail gets delivered to your house. TCP/IP is like certified mail that requires a response to the sender for verification that the letter was received. UDP/IP is like a postcard; it gets sent, and we don’t necessarily care about getting confirmation. We need a proper address in order to deliver mail. Usually a person will place a return address and a recipient address on a letter in order to mail it. The address of the destination building is like the IP address and the port is like the person we are sending the letter to. Without these two pieces of information, we cannot send data. When you are setting up the remote access solution of your choice you will need to know what your network IP address is and what port you wish to use so you can properly configure your firewall.

NETWORKS

Another concept that needs to be addressed is the difference between the external network and internal network.

A firewall will usually have a different external address than its internal address. To the outside world, my computer accessing the Internet appears to be at this IP address: 208.61.234.54, which is the external (or “Internet-facing”) address of the firewall. The firewall has an internal IP address of (for example) 192.168.1.1. My computer’s assigned address is, say, 192.168.1.43. My computer and the internal address of the firewall are on the same network (the local area network), but my computer has no idea about the external address of the firewall.

As you can see, the external address of the firewall is completely different from my internal network number. How can this be? These addresses are completely different! Well, the firewall translates between my internal IP address and the external address. This is called Network Address Translation, and it allows me to hide my computer’s true identity behind the firewall.

When you open a port on a firewall to allow remote access, you will need to know the external IP address so you can access your network from the Internet. The firewall will need to be told where to send the port forward on the internal network.

Let me give you an example. I have port 3389 open on my firewall. My firewall has an external address of 208.61.234.54. I want to access my engineering network from my house over the Internet, so I open my remote access solution and place 208.61.234.54 as the address I wish to access. The remote access solution will either ask me for the port or it will default to 3389. Great! Now I have made it to the firewall. Now what? The firewall knows that port 3389 is open but to where? I need to tell the firewall that if someone knocks on port 3389 please send that knock or “data” to my internal IP address of 192.168.1.43. Furthermore, I need to have a service ready on my computer at 192.168.1.43 to answer the requests on port 3389 for the remote access to work.
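To make the port-forward walk-through concrete, here is an added example (not from the article) that models the firewall's decisions in Python using the article's addresses: inbound traffic is refused unless it is a reply to something the LAN sent out or it matches the forward of TCP port 3389 to 192.168.1.43, and outbound traffic leaves with the LAN address hidden behind 208.61.234.54. The packet structure, the connection table and the outside addresses 203.0.113.9 and 198.51.100.7 are assumptions made for this illustration.

```python
# Added illustration (not from the article): a tiny model of a stateful NAT
# firewall using the article's addresses. Inbound is denied by default,
# outbound is allowed and its replies are admitted, and one port forward sends
# TCP 3389 on the external address to the internal host 192.168.1.43.
from dataclasses import dataclass, replace

EXTERNAL_IP = "208.61.234.54"   # the firewall's Internet-facing address
LAN_PREFIX = "192.168.1."       # the internal network behind the firewall
# (protocol, external port) -> (internal host, internal port)
PORT_FORWARDS = {("tcp", 3389): ("192.168.1.43", 3389)}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Firewall:
    def __init__(self):
        # Connection table: key is the outbound flow as seen from the
        # Internet, value is the LAN host that opened it, so that replies
        # can be let back in. (Source ports are kept as-is; a real NAT
        # device may rewrite them, which this model omits for brevity.)
        self.outbound = {}

    def process(self, pkt: Packet):
        """Return the packet as it leaves the firewall, or None if dropped."""
        if pkt.src_ip.startswith(LAN_PREFIX):
            # Outbound traffic is allowed; hide the LAN host behind EXTERNAL_IP.
            key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_port)
            self.outbound[key] = pkt.src_ip
            return replace(pkt, src_ip=EXTERNAL_IP)
        # Inbound: admit only replies to known outbound flows or explicit forwards.
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.outbound:
            return replace(pkt, dst_ip=self.outbound[key])
        if pkt.dst_ip == EXTERNAL_IP and (pkt.proto, pkt.dst_port) in PORT_FORWARDS:
            host, port = PORT_FORWARDS[(pkt.proto, pkt.dst_port)]
            return replace(pkt, dst_ip=host, dst_port=port)
        return None  # the bouncer: not on the list, not getting in
```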

This concept confuses some people. Keep in mind that the firewall protects you by hiding your true identity from the bad people on the Internet by blocking all attempts to connect to ports on your computer. The firewall needs to be specifically told about the “who” (IP address) and the “what” (port number) that will be allowed to pass. The firewall is exactly like a 300-pound bouncer that sits at the door of your network; if your name is not on the list you are not getting into the building. Similarly, if your ports are not forwarded from the external network to the internal network properly, you are not remotely accessing anything.
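The maintenance point made earlier, that someone must check the logs for suspicious access attempts, as an added example that is not part of the article: a Python check over firewall log lines that flags any source address making five or more connections to the forwarded port 3389 within five minutes. The log format, the timestamps and the addresses are constructed for this illustration; a real firewall's log layout will differ and the regular expression would need adjusting.

```python
# Added illustration (not from the article): a small check over firewall log
# lines for the maintenance the article asks for, spotting repeated connection
# attempts from one source to the forwarded port 3389. The log format below
# is constructed for this example; real firewalls log differently.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one session from the engineer's home address and a
# burst of connections from an unknown host, followed by a dropped probe.
SAMPLE_LOG = """\
2015-10-08 22:01:03 ALLOW tcp 203.0.113.9:51000 -> 208.61.234.54:3389 fwd 192.168.1.43:3389
2015-10-08 23:14:10 ALLOW tcp 198.51.100.77:40001 -> 208.61.234.54:3389 fwd 192.168.1.43:3389
2015-10-08 23:14:11 ALLOW tcp 198.51.100.77:40002 -> 208.61.234.54:3389 fwd 192.168.1.43:3389
2015-10-08 23:14:12 ALLOW tcp 198.51.100.77:40003 -> 208.61.234.54:3389 fwd 192.168.1.43:3389
2015-10-08 23:14:14 ALLOW tcp 198.51.100.77:40004 -> 208.61.234.54:3389 fwd 192.168.1.43:3389
2015-10-08 23:14:15 ALLOW tcp 198.51.100.77:40005 -> 208.61.234.54:3389 fwd 192.168.1.43:3389
2015-10-08 23:30:00 DROP tcp 198.51.100.77:40006 -> 208.61.234.54:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DROP) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse(log_text):
    """Yield (timestamp, action, proto, src_ip, dst_port) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than aborting the check
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["action"], m["proto"], m["src"], int(m["dport"]))


def suspicious_sources(log_text, port=3389, threshold=5, window=timedelta(minutes=5)):
    """Return source IPs with at least `threshold` admitted connections to `port` inside `window`."""
    hits = defaultdict(list)
    for ts, action, _proto, src, dport in parse(log_text):
        if dport == port and action == "ALLOW":
            hits[src].append(ts)
    flagged = set()
    for src, times in hits.items():
        times.sort()
        # Sliding window: compare each attempt with the one (threshold - 1) earlier.
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged.add(src)
                break
    return flagged
```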

Next time around, we’ll talk about specific remote access solutions and their advantages and disadvantages.

Cottingham is a Cisco, Microsoft, and CompTIA instructor with 25 years’ experience in IT and radio engineering. He’s also the chief engineer of KFMK in Austin, Texas.
