A firewall is an information technology (IT) security device which is configured to permit, deny or proxy data connections as set and configured by the organization's security policy. Firewalls can be either hardware or software based.

A firewall's basic task is to control traffic between computer networks with different zones of trust. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is (and should be) a zone with high trust. The ultimate goal is to provide controlled interfaces between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle and separation of duties.

A firewall is also called a Border Protection Device (BPD) in certain military contexts where a firewall separates networks by creating perimeter networks in a Demilitarized zone (DMZ). In a BSD context they are also known as a packet filter. A firewall's function is analogous to firewalls in building construction.

Proper configuration of firewalls demands skill from the firewall administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool.

Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The original idea was formed in response to a number of major internet security breaches which occurred in the late 1980s. In 1988 an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues that read,

“We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames.”

This virus, known as the Morris Worm, was carried by e-mail. The Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.

First generation - packet filters

The first paper published on firewall technology was in 1988, when Jeff Mogul from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical internet security feature. At AT&T Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture.

This type of packet filtering does not perform stateful packet inspection; in other words, it is a static set of rules applied to the packets traversing the firewall.

Second generation - circuit level

From 1980-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Howard Trickey, and Kshitij Nigam developed the second generation of firewalls, known as circuit level firewalls.

This is also referred to as a 'stateful firewall' as it is able to determine whether a packet is a new connection or data that is part of an existing connection. Though there is still a set of static rules involved in configuring this firewall, the state of a connection can in itself also trigger specific rules.

Third generation - application layer

Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories and Marcus Ranum described a third generation firewall known as an application layer firewall, also known as a proxy based firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC, who named it the SEAL product. DEC's first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.

Subsequent generations

In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were developing their own fourth generation packet filter firewall system. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be easily implemented on and accessed from a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.

A second generation of proxy firewalls was based on Kernel Proxy technology. This design is constantly evolving but its basic features and code are currently in widespread use in both commercial and domestic computer systems. Cisco, one of the largest internet security companies in the world, released their PIX product to the public in 1997.

Some modern firewalls leverage their existing deep packet inspection engine by sharing this functionality with an Intrusion-prevention system (IPS).

Types

There are three basic types of firewalls depending on:

* Whether the communication is being done between a single node and the network, or between two or more networks.

* Whether the communication is intercepted at the network layer, or at the application layer.

* Whether the communication state is being tracked at the firewall or not.

With regard to the scope of filtered communications there exist:

* Personal firewalls, a software application which normally filters traffic entering or leaving a single computer.

* Network firewalls, normally running on a dedicated network device or computer positioned on the boundary of two or more networks or DMZs (demilitarized zones). Such a firewall filters all traffic entering or leaving the connected networks.

The latter definition corresponds to the conventional, traditional meaning of "firewall" in networking.

In reference to the layers where the traffic can be intercepted, three main categories of firewalls exist:

* Network layer firewalls. An example would be iptables.

* Application layer firewalls. An example would be TCP Wrappers.

* Application firewalls. An example would be restricting ftp services through the /etc ftpaccess file.

These network-layer and application-layer types of firewall may overlap, even though the personal firewall does not serve a network; indeed, single systems have implemented both together.

There is also the notion of application firewalls which are sometimes used during wide area network (WAN) networking on the world-wide web and govern the system software. An extended description would place them lower than application layer firewalls, indeed at the Operating System layer, and they could alternately be called operating system firewalls.

Lastly, depending on whether the firewall keeps track of the state of network connections or treats each packet in isolation, two additional categories of firewalls exist:

* Stateful firewalls

* Stateless firewalls

Network layer

Network layer firewalls operate at a (relatively) low level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply (as in some inflexible firewall systems).

A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative rules", or "deny rules". Today network firewalls are built into most computer operating systems and network appliances.

Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, and destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.

Application-layer

Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

By inspecting all packets for improper content, firewalls can even prevent the spread of the likes of viruses. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.

The XML firewall exemplifies a more recent kind of application-layer firewall.

Proxies

A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.

Proxies make tampering with an internal system from the external network more difficult, and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.

Network address translation

Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts.