A firewall is an information technology (IT) security device which is configured to permit, deny or proxy data connections according to the organization's security policy. Firewalls can be hardware based, software based, or both.

A firewall's basic task is to control traffic between computer networks with different zones of trust. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is (and should be) a zone with high trust. The ultimate goal is to provide controlled interfaces between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle and separation of duties.

A firewall is also called a Border Protection Device (BPD) in certain military contexts, where a firewall separates networks by creating perimeter networks in a Demilitarized Zone (DMZ). In a BSD context they are also known as a packet filter. A firewall's function is analogous to firewalls in building construction.

Proper configuration of firewalls demands skill from the firewall administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool.

Firewall technology emerged in the late 1980s, when the Internet was a fairly new technology in terms of its global use and connectivity. The original idea was formed in response to a number of major Internet security breaches which occurred in the late 1980s. In 1988 an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues that read,

“We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames.”

This virus, known as the Morris Worm, was carried by e-mail. The Morris Worm was the first large-scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.

First generation - packet filters

The first paper published on firewall technology was in 1988, when Jeff Mogul from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical Internet security feature. At AT&T, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture.

This type of packet filtering does not perform 'stateful' packet inspection; in other words, it is a static set of rules applied to the packets traversing the firewall.

Second generation - circuit level

From 1980-1990 three colleagues from AT&T Bell Laboratories, Dave Presotto, Howard Trickey, and Kshitij Nigam, developed the second generation of firewalls, known as circuit level firewalls.

This is also referred to as a 'stateful firewall', as it is able to determine whether a packet is a new connection or data that is part of an existing connection. Though there is still a set of static rules involved in configuring this firewall, the state of a connection can in itself also trigger specific rules.

Third generation - application layer

Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories and Marcus Ranum described a third generation firewall known as an application layer firewall, also known as a proxy based firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC, who named it the SEAL product. DEC's first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.

Subsequent generations

In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were developing their own fourth generation packet filter firewall system. The product, known as “Visas”, was the first system to have a visual integration interface with colours and icons, which could be easily implemented on and accessed from a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.

A second generation of proxy firewalls was based on Kernel Proxy technology. This design is constantly evolving, but its basic features and code are currently in widespread use in both commercial and domestic computer systems. Cisco, one of the largest Internet security companies in the world, released their PIX product to the public in 1997.

Some modern firewalls leverage their existing deep packet inspection engine by sharing this functionality with an intrusion prevention system (IPS).

Types

There are three basic types of firewalls, depending on:

* Whether the communication is being done between a single node and the network, or between two or more networks.
* Whether the communication is intercepted at the network layer, or at the application layer.
* Whether the communication state is being tracked at the firewall or not.

With regard to the scope of filtered communications there exist:

* Personal firewalls, a software application which normally filters traffic entering or leaving a single computer.
* Network firewalls, normally running on a dedicated network device or computer positioned on the boundary of two or more networks or DMZs (demilitarized zones). Such a firewall filters all traffic entering or leaving the connected networks.

The latter definition corresponds to the conventional, traditional meaning of "firewall" in networking.

In reference to the layers where the traffic can be intercepted, three main categories of firewalls exist:

* Network layer firewalls. An example would be iptables.
* Application layer firewalls. An example would be TCP Wrappers.
* Application firewalls. An example would be restricting ftp services through the /etc/ftpaccess file.

These network-layer and application-layer types of firewall may overlap, even though the personal firewall does not serve a network; indeed, single systems have implemented both together.

There is also the notion of application firewalls which are sometimes used during wide area network (WAN) networking on the world-wide web and govern the system software. An extended description would place them lower than application layer firewalls, indeed at the operating system layer, and they could alternately be called operating system firewalls.

Lastly, depending on whether the firewall keeps track of the state of network connections or treats each packet in isolation, two additional categories of firewalls exist:

* Stateful firewalls
* Stateless firewalls

Network layer

Network layer firewalls operate at a (relatively) low level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules, or default built-in rules may apply (as in some inflexible firewall systems).

A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative rules", or "deny rules". Today network firewalls are built into most computer operating systems and network appliances.

Modern firewalls can filter traffic based on many packet attributes, such as source IP address, source port, destination IP address or port, and destination service such as WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.

Application-layer

Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

By inspecting all packets for improper content, firewalls can even prevent the spread of the likes of viruses. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.

The XML firewall exemplifies a more recent kind of application-layer firewall.

Proxies

A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.

Proxies make tampering with an internal system from the external network more difficult, and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.

Network address translation

Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts.
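The difference between the first-generation static packet filter and the second-generation stateful filter, and the "Network layer" rule matching on source and destination address and port, can be made concrete with a small simulation. The following is an added example written for this page, not code from the article or from any firewall product: a first-match rule engine plus a connection-tracking table, run over hand-built packets rather than a real network stack. The addresses (192.168.1.0/24 as the protected LAN, 203.0.113.10 and 198.51.100.7 as outside hosts) and ports are constructed sample values, and the `Packet`, `Rule` and `StatefulFilter` names are this example's own.

```python
"""Stateless vs. stateful packet filtering, simulated in Python.

Added example, not code from the original article: a small first-match rule
engine plus a connection-tracking table, run over hand-built packets (no real
sockets or kernel hooks). Addresses and ports are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample networks: the protected LAN and "anywhere".
LAN = "192.168.1.0/24"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source IP address
    sport: int          # source port
    dst: str            # destination IP address
    dport: int          # destination port
    syn: bool = False   # TCP SYN flag: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    dport: Optional[int] = None  # None matches any destination port
    sport: Optional[int] = None  # None matches any source port

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("any", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src, strict=False)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst, strict=False)
            and (self.dport is None or self.dport == p.dport)
            and (self.sport is None or self.sport == p.sport)
        )


def stateless_filter(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First-generation behaviour: each packet is judged on its own header
    fields against a static rule list; first match wins, else the default."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


class StatefulFilter:
    """Second-generation behaviour: connections admitted by the rules are
    recorded, and packets flowing back along a recorded connection are
    accepted without needing a rule of their own."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default
        self.conntrack = set()  # 5-tuples (proto, src, sport, dst, dport)

    def filter(self, p: Packet) -> str:
        # Is this the return direction of a connection we have already seen?
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "allow"
        action = stateless_filter(self.rules, p, self.default)
        # Track TCP connection attempts (SYN) and any allowed UDP exchange.
        if action == "allow" and (p.syn or p.proto == "udp"):
            self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action


def demo():
    """Run the same three packets through both designs; returns two verdict dicts."""
    packets = [
        # LAN client opens a web connection to an outside server.
        ("client_syn", Packet("tcp", "192.168.1.5", 40000, "203.0.113.10", 80, syn=True)),
        # The server's genuine reply, back along the same 5-tuple.
        ("server_reply", Packet("tcp", "203.0.113.10", 80, "192.168.1.5", 40000)),
        # An unrelated outside host sending from source port 80 to the same client port.
        ("unrelated_from_port_80", Packet("tcp", "198.51.100.7", 80, "192.168.1.5", 40000)),
    ]

    # Stateless: to let replies back in at all, a rule keyed on source port 80
    # is required, and that rule cannot distinguish a reply from any other
    # packet that merely claims source port 80.
    stateless_rules = [
        Rule("allow", "tcp", LAN, ANY, dport=80),
        Rule("allow", "tcp", ANY, LAN, sport=80),
    ]
    stateless = {name: stateless_filter(stateless_rules, p) for name, p in packets}

    # Stateful: only the outbound rule is needed; the reply is admitted because
    # the connection was recorded, and the unrelated packet has no entry.
    fw = StatefulFilter([Rule("allow", "tcp", LAN, ANY, dport=80)])
    stateful = {name: fw.filter(p) for name, p in packets}
    return stateless, stateful


if __name__ == "__main__":
    for label, verdicts in zip(("stateless", "stateful"), demo()):
        print(label, verdicts)
```

Running `demo()` shows the practical consequence of the distinction the article draws: the stateless rule set has to admit every packet with source port 80 to make web browsing work, so the unrelated host gets through as well, while the stateful filter admits only the reply that matches a connection the LAN client actually opened and drops the rest by default.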
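To show how NAT hides the true address of protected hosts, here is an added example (written for this page, not taken from the article or from any firewall product) of a source NAT in front of an RFC 1918 network: outbound packets are rewritten to one public address with a per-flow port, and an inbound packet is only translated back if it answers a recorded flow from the same remote endpoint. The public address 198.51.100.1, the private host 192.168.1.5, the port numbering starting at 10000 and the `SourceNAT` class are all this example's own constructed assumptions; packets are plain dicts and nothing touches a real network.

```python
"""Source NAT in front of an RFC 1918 network, simulated in Python.

Added example, not code from the original article: a translation table that
rewrites outbound packets to a single public address and only admits inbound
packets that match a recorded outbound flow. All addresses are constructed
sample values; packets are plain dicts, no real networking is involved.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# The three private ranges defined by RFC 1918.
RFC1918_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 private ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918_NETWORKS)


Flow = Tuple[str, int, str, int]  # (private_ip, private_port, remote_ip, remote_port)


class SourceNAT:
    """Many private hosts share one public address; each flow gets its own
    public port so replies can be routed back to the right internal host."""

    def __init__(self, public_ip: str, first_port: int = 10000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.flow_to_port: Dict[Flow, int] = {}
        self.port_to_flow: Dict[int, Flow] = {}

    def translate_outbound(self, pkt: dict) -> dict:
        """Rewrite the source of a packet leaving the private network."""
        if not is_rfc1918(pkt["src"]):
            return dict(pkt)  # not a private source; pass through unchanged
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if flow not in self.flow_to_port:
            self.flow_to_port[flow] = self.next_port
            self.port_to_flow[self.next_port] = flow
            self.next_port += 1
        return dict(pkt, src=self.public_ip, sport=self.flow_to_port[flow])

    def translate_inbound(self, pkt: dict) -> Optional[dict]:
        """Rewrite the destination of a packet arriving from outside, or return
        None to drop it. Only a reply to a recorded flow, from the same remote
        endpoint, gets through; private addresses are never reachable directly."""
        if pkt["dst"] != self.public_ip:
            return None  # addressed to something other than our public side
        flow = self.port_to_flow.get(pkt["dport"])
        if flow is None:
            return None  # no internal host asked for this
        private_ip, private_port, remote_ip, remote_port = flow
        if (pkt["src"], pkt["sport"]) != (remote_ip, remote_port):
            return None  # right port, wrong peer: not a reply to our flow
        return dict(pkt, dst=private_ip, dport=private_port)


def demo():
    """Walk one web request through the NAT and try two unsolicited packets."""
    nat = SourceNAT("198.51.100.1")  # constructed public address of the firewall
    request = {"src": "192.168.1.5", "sport": 40000, "dst": "203.0.113.10", "dport": 80}
    outbound = nat.translate_outbound(request)
    # The server answers the public address and port it saw.
    reply = {"src": "203.0.113.10", "sport": 80, "dst": outbound["src"], "dport": outbound["sport"]}
    # Another outside host tries the same public port without having been asked.
    unsolicited = {"src": "198.51.100.99", "sport": 4444, "dst": "198.51.100.1", "dport": outbound["sport"]}
    # A packet addressed straight to the private address never matches anything.
    direct_to_private = {"src": "198.51.100.99", "sport": 4444, "dst": "192.168.1.5", "dport": 22}
    return {
        "outbound": outbound,
        "reply": nat.translate_inbound(reply),
        "unsolicited": nat.translate_inbound(unsolicited),
        "direct_to_private": nat.translate_inbound(direct_to_private),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The endpoint check in `translate_inbound` is the part worth noticing: a table keyed on the public port alone would let any outside host that guesses the port reach the internal client, so the mapping also records which remote address and port the flow was opened to and drops anything else. The RFC 1918 ranges are listed explicitly rather than relying on `ipaddress`'s `is_private`, which covers additional special-purpose ranges beyond those three.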
|