A firewall is an information technology (IT) security device which is configured to permit, deny or proxy data connections according to the organization's security policy. Firewalls can be hardware and/or software based.

A firewall's basic task is to control traffic between computer networks with different zones of trust. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is (and should be) a zone with high trust. The ultimate goal is to provide controlled interfaces between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle and separation of duties.

A firewall is also called a Border Protection Device (BPD) in certain military contexts where a firewall separates networks by creating perimeter networks in a Demilitarized zone (DMZ). In a BSD context they are also known as a packet filter. A firewall's function is analogous to firewalls in building construction.

Proper configuration of firewalls demands skill from the firewall administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool.

Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The original idea was formed in response to a number of major internet security breaches, which occurred in the late 1980s. In 1988 an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues that read,

“ We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames. ”

The "virus" was the Morris Worm. Despite the memo's wording it was a self-propagating worm rather than a virus, and it spread not by e-mail but by exploiting flaws in network services (sendmail's debug mode, a buffer overflow in fingerd, and trusted rsh/rexec logins), which is exactly the kind of unwanted inbound service access a firewall is meant to block. The Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.

First generation - packet filters

The first paper published on firewall technology was in 1988, when Jeff Mogul from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical internet security feature. At AT&T Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture. This type of packet filtering does not perform stateful packet inspection; in other words, it is a static set of rules applied to each packet traversing the firewall in isolation.

Second generation - circuit level

From 1980-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Howard Trickey, and Kshitij Nigam developed the second generation of firewalls known as circuit level firewalls.

This is also referred to as a 'stateful firewall' as it is able to determine whether a packet is a new connection or data that is part of an existing connection. Though there is still a set of static rules involved in configuring this firewall, the state of a connection can in itself also trigger specific rules, so the rule set only needs to describe which new connections are allowed; packets belonging to an already-accepted connection are admitted because of the recorded state rather than because of a rule.

Third generation - application layer

Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories and Marcus Ranum described a third generation firewall known as an application layer firewall, also known as a proxy based firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC, who named it the SEAL product. DEC's first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.

Subsequent generations

In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were developing their own fourth generation packet filter firewall system. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be deployed on and operated from a desktop operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.

A second generation of proxy firewalls was based on Kernel Proxy technology. This design is constantly evolving but its basic features and code are currently in widespread use in both commercial and domestic computer systems. Cisco, one of the largest internet security companies in the world, released their PIX product to the public in 1997.

Some modern firewalls leverage their existing deep packet inspection engine by sharing this functionality with an Intrusion-prevention system (IPS).

Types

There are three basic types of firewalls depending on:
* Whether the communication is being done between a single node and the network, or between two or more networks.
* Whether the communication is intercepted at the network layer, or at the application layer.
* Whether the communication state is being tracked at the firewall or not.

With regard to the scope of filtered communications there exist:
* Personal firewalls, a software application which normally filters traffic entering or leaving a single computer.
* Network firewalls, normally running on a dedicated network device or computer positioned on the boundary of two or more networks or DMZs (demilitarized zones). Such a firewall filters all traffic entering or leaving the connected networks.

The latter definition corresponds to the conventional, traditional meaning of "firewall" in networking.

In reference to the layers where the traffic can be intercepted, three main categories of firewalls exist:
* Network layer firewalls. An example would be iptables.
* Application layer firewalls. An example would be TCP Wrappers.
* Application firewalls. An example would be restricting ftp services through the /etc/ftpaccess file.

These network-layer and application-layer types of firewall may overlap, even though the personal firewall does not serve a network; indeed, single systems have implemented both together.

There is also the notion of application firewalls which are sometimes used during wide area network (WAN) networking on the world-wide web and govern the system software. An extended description would place them lower than application layer firewalls, at the operating system layer, and they could alternately be called operating system firewalls.

Lastly, depending on whether the firewall keeps track of the state of network connections or treats each packet in isolation, two additional categories of firewalls exist:
* Stateful firewalls
* Stateless firewalls

Network layer

Network layer firewalls operate at a (relatively) low level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply (as in some inflexible firewall systems).

A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative rules", or "deny rules". The safer default is the opposite: deny everything that no rule explicitly accepts, so that a forgotten or mistyped rule fails closed rather than open. Today network firewalls are built into most computer operating systems and network appliances.

Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, and destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.

Application-layer

Application-layer firewalls work on the application level of the TCP/IP stack (e.g., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

By inspecting all packets for improper content, firewalls can even prevent the spread of the likes of viruses. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.

The XML firewall exemplifies a more recent kind of application-layer firewall.

Proxies

A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.

Proxies make tampering with an internal system from the external network more difficult, and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, attackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.

Network address translation

Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts. The protective effect comes from the translation table rather than from the addresses being secret: an inbound packet that matches no existing mapping has no internal host to be delivered to and is dropped, so NAT is a by-product of stateful connection tracking, not a substitute for explicit filtering rules.