Firewalls
Computers connected to a network have a network address, rather like a house has a phone number, but it's really more like an office in that the single address is qualified by a port number that depends on the type of connection to be made. So while an office has separate extension numbers for sales, marketing, engineering, etc., a computer has individual port numbers for mail, website traffic and a host of other types of network communication that make the network tick.
A firewall is like a security guard. It can block some ports so that your computer cannot send out certain types of network traffic but, more importantly, it can and should block many ports so that other computers cannot send certain types of message to your computer. Some ports are so important that leaving them open is like leaving your front door wide open and then going on holiday. Thieves and vandals will be in like a shot. Actually, many ports are being monitored by parts of the Operating System that allow communication between computers. It is an unfortunate fact that some of these underlying programs have bugs that malicious users can exploit to expose your data and gain control of your computer.
There are plenty of software tools available on the Internet that allow malicious people, hackers, to scan your computer for open ports. If one is found they may be able to gain access to your system, take control of it and possibly destroy it. A particularly worrying tool could be placed on your computer so that it relays all your keystrokes back to the hacker. In that way you can reveal usernames and passwords that are generally sent over the Internet in an encrypted form.
Vulnerable computers are also given a mailing program that sends out spam, unwittingly doing the work of the spammer.
A good-quality firewall should be configured to block all ports except those that are necessary for the computer to
function. Each computer should ideally have a software firewall and, for businesses with multiple computers that are
networked together, there should be a hardware firewall between their local network and the Internet. This extra
protection is required because some ports, which are necessary for the local network to function, should not be
exposed to the wider world.
DMZ
A DMZ is a de-militarized zone. Whilst not too important for home users that do not run servers, it can be useful
to businesses that have web and mail servers that need to be visible both to the internal or local network, and a wider
network or the Internet. All apart from the cheapest hardware firewalls offer a DMZ, which is a separate network that
is visible to the local network and the wider network, but prevents the local and wider networks seeing each other
through it. These devices also work as routers to filter and pass traffic between the three areas.
Fig. 1. A Firewall With A Computer In The DMZ.
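The default-deny policy described above, with the three zones (local network, DMZ, wider network) and the "block everything except what is necessary" rule, as an added example that is not part of the original article. Zone names, port numbers and the rule set are constructed assumptions for illustration.

```python
"""Toy default-deny firewall policy for a local network, a DMZ and the wider
network (added example; zones, ports and rules are constructed assumptions).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: frozenset  # destination TCP ports this rule permits


# Constructed rule set: the ONLY traffic the firewall will pass.
# - local and wider may reach the DMZ's web (80/443) and mail (25) servers
# - local workstations may browse the wider network
# - nothing else: no wider -> local, and no DMZ -> local (a compromised DMZ
#   server must not be able to "see" the local network through the firewall)
ALLOW_RULES = (
    Rule("local", "dmz", frozenset({25, 80, 443})),
    Rule("wider", "dmz", frozenset({25, 80, 443})),
    Rule("local", "wider", frozenset({80, 443})),
)


def decide(src_zone: str, dst_zone: str, dst_port: int) -> str:
    """Return 'ALLOW' if an explicit rule matches, otherwise 'DROP'.

    The fall-through to DROP is the default-deny stance the article
    recommends: every port not needed for the computer to function is closed.
    """
    for rule in ALLOW_RULES:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and dst_port in rule.ports):
            return "ALLOW"
    return "DROP"


def exposed_ports(zone: str) -> set:
    """Ports in `zone` reachable from the wider network: what a port scan
    from the Internet would find open."""
    return set().union(*(r.ports for r in ALLOW_RULES
                         if r.src_zone == "wider" and r.dst_zone == zone))


if __name__ == "__main__":
    for zone in ("local", "dmz"):
        print(zone, "exposed to wider network:", sorted(exposed_ports(zone)))
```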