A firewall is an information technology (IT) security device configured to permit, deny or proxy data connections according to the organization's security policy. Firewalls can be hardware based, software based, or both.

A firewall's basic task is to control traffic between computer networks with different zones of trust. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is (and should be) a zone with high trust. The ultimate goal is to provide controlled interfaces between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle and separation of duties.

A firewall is also called a Border Protection Device (BPD) in certain military contexts, where a firewall separates networks by creating perimeter networks in a demilitarized zone (DMZ). In a BSD context firewalls are also known as packet filters. A firewall's function is analogous to that of firewalls in building construction.

Proper configuration of firewalls demands skill from the firewall administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool.

Firewall technology emerged in the late 1980s, when the Internet was a fairly new technology in terms of its global use and connectivity. The original idea was formed in response to a number of major Internet security breaches which occurred in the late 1980s. In 1988 an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues that read:

"We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames."

The "virus" was the Morris Worm. It spread over the network rather than as mail: it exploited a debug mode in sendmail, a buffer overflow in the fingerd daemon, and the trust relationships of rsh/rexec. The Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.

First generation - packet filters

The first paper published on firewall technology was in 1988, when Jeff Mogul from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical Internet security feature. At AT&T, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture.

This type of packet filter does not perform stateful packet inspection: it applies a static set of rules to each packet traversing the firewall, without regard to the packets that came before it.

Second generation - circuit level

From 1980-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Howard Trickey, and Kshitij Nigam, developed the second generation of firewalls, known as circuit level firewalls.

This is also referred to as a 'stateful firewall', as it is able to determine whether a packet opens a new connection or carries data that is part of an existing connection. A set of static rules is still needed to decide which new connections may be opened, but the state of a connection can in itself also trigger specific rules, for example accepting a reply packet because it belongs to a connection that was permitted on its way out.

Third generation - application layer

Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories and Marcus Ranum described a third generation firewall known as an application layer firewall, also known as a proxy based firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC, who named it the SEAL product. DEC's first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.

Subsequent generations

In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were developing their own fourth generation packet filter firewall system. The product, known as "Visas", was the first system to have a visual integration interface with colours and icons, which could easily be implemented on and accessed from a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.

A second generation of proxy firewalls was based on Kernel Proxy technology. This design is constantly evolving, but its basic features and code are currently in widespread use in both commercial and domestic computer systems. Cisco, one of the largest Internet security companies in the world, released their PIX product to the public in 1997.

Some modern firewalls leverage their existing deep packet inspection engine by sharing this functionality with an intrusion prevention system (IPS).

Types

Firewalls can be classified in three ways, depending on:
* Whether the communication is being done between a single node and the network, or between two or more networks.
* Whether the communication is intercepted at the network layer, or at the application layer.
* Whether the communication state is being tracked at the firewall or not.

With regard to the scope of filtered communications there exist:
* Personal firewalls, a software application which normally filters traffic entering or leaving a single computer.
* Network firewalls, normally running on a dedicated network device or computer positioned on the boundary of two or more networks or DMZs (demilitarized zones). Such a firewall filters all traffic entering or leaving the connected networks.

The latter definition corresponds to the conventional, traditional meaning of "firewall" in networking.

In reference to the layers where the traffic can be intercepted, three main categories of firewalls exist:
* Network layer firewalls. An example would be iptables.
* Application layer firewalls. An example would be TCP Wrappers.
* Application firewalls. An example would be restricting ftp services through the /etc/ftpaccess file.

These network-layer and application-layer types of firewall may overlap, even though the personal firewall does not serve a network; indeed, single systems have implemented both together.

There is also the notion of application firewalls which are sometimes used during wide area network (WAN) networking on the world-wide web and govern the system software. An extended description would place them lower than application layer firewalls, at the operating system layer, and they could alternately be called operating system firewalls.

Lastly, depending on whether the firewall keeps track of the state of network connections or treats each packet in isolation, two additional categories of firewalls exist:
* Stateful firewalls
* Stateless firewalls

Network layer

Network layer firewalls operate at a (relatively) low level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply (as in some inflexible firewall systems).

A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative rules", or "deny rules". This is the weaker posture: anything the administrator did not think to deny is allowed, whereas a default-deny rule set only admits what was explicitly anticipated. Today network firewalls are built into most computer operating systems and network appliances.

Modern firewalls can filter traffic based on many packet attributes, like source IP address, source port, destination IP address or port, and destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes. Note that the source's domain name is obtained by a reverse DNS lookup, and the reverse record is controlled by whoever controls the source address, so it is a weak basis for an access decision.

Application-layer

Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

By inspecting all packets for improper content, firewalls can even prevent the spread of the likes of viruses. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.

The XML firewall exemplifies a more recent kind of application-layer firewall.

Proxies

A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.

Proxies make tampering with an internal system from the external network more difficult, and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.

Network address translation

Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts. Because RFC 1918 addresses are not routed on the public Internet, an outside host cannot address a protected host directly; an inbound packet only reaches it if the firewall holds a translation entry created by an earlier outbound connection.
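As an added worked example for the Network layer and stateful/stateless material above (illustrative code written for this article, not iptables or any real firewall), the following Python model contrasts a first-generation stateless filter that judges every packet alone, the permissive "deny rule" setup, and a second-generation stateful filter that remembers which connections were permitted. The Packet and Rule classes, the rule set, the addresses and the ports are all assumptions constructed for the example.

```python
# Stateless vs. stateful packet filtering modelled in plain Python.  Added
# illustration, not iptables or any real firewall; all addresses, ports and
# rules below are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # TCP SYN flag: set only on the first packet of a new connection

@dataclass(frozen=True)
class Rule:
    """One match-and-verdict entry; a field left as None matches anything."""
    action: str                  # "accept" or "drop"
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR block, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))

def stateless_filter(rules: List[Rule], p: Packet, default: str = "drop") -> str:
    """First generation: first matching rule wins, else the default policy.
    Each packet is judged in isolation, with no memory of earlier packets."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

class StatefulFilter:
    """Second generation: remember which connections were allowed to open and
    accept later packets of those connections without consulting the rules."""

    def __init__(self, rules: List[Rule], default: str = "drop") -> None:
        self.rules, self.default = rules, default
        self.flows = set()  # 5-tuples of connections permitted so far

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet) -> str:
        reply_key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self._key(p) in self.flows or reply_key in self.flows:
            return "accept"  # belongs to an already-authorised connection
        if p.proto == "tcp" and not p.syn:
            return "drop"    # stray segment for a connection we never saw open
        verdict = stateless_filter(self.rules, p, self.default)
        if verdict == "accept":
            self.flows.add(self._key(p))
        return verdict

INTERNAL = "10.0.0.0/8"
# Policy: internal hosts may open HTTP and HTTPS connections outward, nothing else.
EGRESS_RULES = [Rule("accept", proto="tcp", src=INTERNAL, dport=80),
                Rule("accept", proto="tcp", src=INTERNAL, dport=443)]
# Constructed traffic using documentation-range addresses, not captured data.
OUTBOUND_SYN = Packet("10.0.0.5", 54321, "203.0.113.10", 80, syn=True)
REPLY = Packet("203.0.113.10", 80, "10.0.0.5", 54321)
# Unsolicited probe from outside that uses source port 80 to pose as web traffic.
PROBE = Packet("198.51.100.7", 80, "10.0.0.5", 22, syn=True)

def demo() -> dict:
    v = {}
    # Stateless, default deny: the legitimate reply matches no rule and is dropped.
    v["stateless_reply"] = stateless_filter(EGRESS_RULES, REPLY)
    # The usual stateless workaround trusts source port 80, which also admits the probe.
    sloppy = EGRESS_RULES + [Rule("accept", proto="tcp", sport=80)]
    v["sloppy_reply"] = stateless_filter(sloppy, REPLY)
    v["sloppy_probe"] = stateless_filter(sloppy, PROBE)
    # Stateful: the reply is accepted because its connection was allowed to open;
    # the probe is dropped because no such connection exists.
    sf = StatefulFilter(EGRESS_RULES)
    v["stateful_syn"] = sf.filter(OUTBOUND_SYN)
    v["stateful_reply"] = sf.filter(REPLY)
    v["stateful_probe"] = sf.filter(PROBE)
    # Permissive "deny rule" style: everything passes unless a negative rule hits,
    # so the probe to port 22 gets through.
    deny_telnet = [Rule("drop", proto="tcp", dport=23)]
    telnet = Packet("198.51.100.7", 40000, "10.0.0.5", 23, syn=True)
    v["permissive_telnet"] = stateless_filter(deny_telnet, telnet, default="accept")
    v["permissive_probe"] = stateless_filter(deny_telnet, PROBE, default="accept")
    return v
```

In iptables terms the stateful case corresponds to an early rule such as `-m state --state ESTABLISHED,RELATED -j ACCEPT`, and the "sloppy" rule to accepting `--sport 80` from anywhere; connection tracking makes the latter unnecessary and removes the hole it opens.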
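For the Application-layer and Proxies sections, the following Python function is an added example (written for this article, not code from TCP Wrappers, a web proxy or any product) of a decision an application-layer filter or proxy can make that a port-based rule cannot: it parses the start of a TCP/80 stream as HTTP and drops anything that is not a well-formed request meeting the policy, including non-HTTP protocols tunnelled over the web port. The allowed methods, the allowed host and the sample payloads are assumptions made up for the example.

```python
# Application-layer inspection of a TCP/80 stream, modelled in plain Python.
# Added illustration for this article; not a real proxy or product.
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed policy for the example
ALLOWED_HOSTS = {"www.example.com"}         # assumed policy for the example
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]$")

def inspect_http(payload: bytes) -> str:
    """Verdict ('accept' or 'drop') for the client-to-server bytes of a stream.

    A network-layer rule sees only 'tcp, dport 80'.  Parsing the application
    protocol lets the filter reject traffic that merely arrived on the web port.
    """
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "drop"            # no complete header block: not well-formed HTTP
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "drop"            # not an HTTP request line (e.g. an SSH banner)
    method = m.group(1).decode("ascii")
    if method not in ALLOWED_METHODS:
        return "drop"            # e.g. CONNECT, which tunnels arbitrary TCP
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return "drop"        # malformed header line
        headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host", b"").decode("ascii", "replace").split(":")[0]
    if host not in ALLOWED_HOSTS:
        return "drop"
    return "accept"

# Constructed samples of what a proxy sees at the start of each stream.
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_9.6\r\n",
    "connect_tunnel": b"CONNECT evil.example:443 HTTP/1.1\r\nHost: evil.example:443\r\n\r\n",
    "wrong_host": b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n",
    "truncated": b"GET / HTTP/1.1\r\nHost: www.exa",
}

def verdicts() -> dict:
    """Run every sample through the inspector; only the well-formed, in-policy request passes."""
    return {name: inspect_http(raw) for name, raw in SAMPLES.items()}
```

A real proxy would apply this check after terminating the client's TCP connection and before opening its own connection to the server, which is what lets it "respond in the manner of an application" while never forwarding the raw packets. The truncated sample also shows why such a filter must buffer until the header block is complete rather than deciding on the first segment.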
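For the Network address translation section, the following Python model is an added example (written for this article, not netfilter's MASQUERADE target or any real NAT implementation) of source NAT at the firewall: outbound packets from RFC 1918 addresses are rewritten to the firewall's public address, replies are mapped back through the translation table, and inbound packets that match no entry are dropped. The Packet class, the public address and the port range are assumptions constructed for the illustration.

```python
# Source NAT at the firewall, modelled in plain Python.  Added illustration
# for this article; addresses and the port range are constructed.
import itertools
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# The private ranges defined by RFC 1918; not routed on the public Internet.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

def is_private(addr: str) -> bool:
    return any(ip_address(addr) in net for net in RFC1918)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class SourceNat:
    """Rewrites outbound packets to the firewall's public address and maps
    replies back; an inbound packet with no mapping has nowhere to go."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self._out = {}  # (proto, src, sport, dst, dport) -> public port
        self._in = {}   # (proto, public port, remote, rport) -> (src, sport)

    def outbound(self, p: Packet) -> Packet:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self._out:
            port = next(self._ports)
            self._out[key] = port
            self._in[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=self._out[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet arriving at the public address, or return None
        when no translation exists (the firewall drops it)."""
        hit = self._in.get((p.proto, p.dport, p.src, p.sport))
        if hit is None or p.dst != self.public_ip:
            return None
        src, sport = hit
        return replace(p, dst=src, dport=sport)

def demo() -> dict:
    nat = SourceNat("198.51.100.1")
    # An internal host with an RFC 1918 address opens an HTTPS connection outward.
    out = nat.outbound(Packet("tcp", "192.168.1.20", 51000, "203.0.113.10", 443))
    # The server's reply is addressed to the firewall, never to the hidden host.
    reply = nat.inbound(Packet("tcp", "203.0.113.10", 443, "198.51.100.1", out.sport))
    # An unsolicited probe at the public address matches no entry and is dropped.
    probe = nat.inbound(Packet("tcp", "198.51.100.7", 40000, "198.51.100.1", 22))
    return {
        "internal_is_private": is_private("192.168.1.20"),
        "public_is_private": is_private("198.51.100.1"),
        "translated_src": (out.src, out.sport),
        "reply_delivered_to": None if reply is None else (reply.dst, reply.dport),
        "probe_dropped": probe is None,
    }
```

The translation table is itself connection state, which is why NAT in practice is built on the same connection tracking a stateful firewall uses; the address hiding is a side effect of that state, not a substitute for explicit filtering rules.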