
A firewall is a device or set of devices configured to permit, deny, encrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.

Function

A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules.

A firewall's basic task is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or demilitarized zone (DMZ).

A firewall's function within a network is similar to that of firewalls with fire doors in building construction. In the former case, it is used to prevent network intrusion into the private network. In the latter case, it is intended to contain and delay structural fire from spreading to adjacent structures.

Without proper configuration, a firewall can often become worthless. Standard security practices dictate a "default-deny" firewall ruleset, in which the only network connections allowed are the ones that have been explicitly permitted. Unfortunately, such a configuration requires a detailed understanding of the network applications and endpoints required for the organization's day-to-day operation. Many businesses lack such understanding, and therefore implement a "default-allow" ruleset, in which all traffic is allowed unless it has been specifically blocked. This configuration makes inadvertent network connections and system compromise much more likely.

History

The term "firewall" originally meant a wall to confine a fire or potential fire within a building, cf. firewall (construction). Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment.

Firewall technology emerged in the late 1980s, when the Internet was a fairly new technology in terms of its global use and connectivity. The predecessors to firewalls for network security were the routers used in the late 1980s to separate networks from one another [1]. The view of the Internet as a relatively small community of compatible users who valued openness for sharing and collaboration was ended by a number of major Internet security breaches which occurred in the late 1980s [1]:

We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames.

First generation - packet filters

The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical Internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture.

Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).

This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, which comprises most Internet communication, the port number).

Because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.
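The following is an added example, not code from the original article or from any product it names, that puts the two points above into working form: the "default-deny" versus "default-allow" ruleset discussed under Function, and a first-generation stateless filter that judges each packet only on its own address, protocol and port fields. The rule set, the server addresses (taken from the IPv4 documentation ranges) and the sample packets are all constructed.

```python
"""Stateless packet filter: first-match rules plus a default policy.

Added example for this article; not code from the original page or from any
of the products named in it. Addresses come from the documentation ranges
192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 and are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields a stateless filter can see."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, TCP/UDP only
    sport: Optional[int] = None  # source port, TCP/UDP only


@dataclass(frozen=True)
class Rule:
    """A match condition plus a verdict; None means 'any'."""
    action: str                  # "allow", "drop" (silent) or "reject" (error back)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str) -> str:
    """Verdict for one packet: the first matching rule wins, else the default policy.

    Nothing about earlier packets is consulted, which is exactly the
    limitation the stateful (second generation) designs address.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


WEB_SERVER = "192.0.2.10"
MAIL_SERVER = "192.0.2.25"

# Rule order matters: the blocklist line is first so it wins over the allow lines.
RULES = [
    Rule("drop", src="203.0.113.0/24"),                    # constructed blocklisted netblock
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80),
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=443),
    Rule("allow", dst=MAIL_SERVER, proto="tcp", dport=25),
    Rule("reject", proto="tcp", dport=23),                  # telnet: tell the sender it is refused
]

# Constructed sample traffic.
SAMPLE: Dict[str, Packet] = {
    "web":          Packet("198.51.100.7", WEB_SERVER, "tcp", dport=80, sport=40001),
    "ssh_to_web":   Packet("198.51.100.7", WEB_SERVER, "tcp", dport=22, sport=40002),
    "telnet":       Packet("198.51.100.7", MAIL_SERVER, "tcp", dport=23, sport=40003),
    "from_blocked": Packet("203.0.113.9", WEB_SERVER, "tcp", dport=80, sport=40004),
}


def evaluate_all(default: str) -> Dict[str, str]:
    """Run every sample packet through RULES under the given default policy."""
    return {name: filter_packet(RULES, pkt, default) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for policy in ("drop", "allow"):
        print(f"default-{policy}: {evaluate_all(policy)}")
```

The same rule list gives different results for the one packet no rule mentions: under the default-deny policy the SSH attempt against the web server is dropped, under default-allow it passes, which is the "inadvertent network connection" the Function section warns about. The filter also cannot tell whether the bytes arriving on port 80 are really web traffic; it sees only the port.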

Second generation - "stateful" filters

Main article: stateful firewall

From 1980-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan Sharma, and Kshitij Nigam, developed the second generation of firewalls, calling them circuit level firewalls.

Second generation firewalls in addition regard the placement of each individual packet within the packet series. This technology is generally referred to as a stateful firewall, as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection, or an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can in itself be one of the criteria which trigger specific rules.

This type of firewall can help prevent attacks which exploit existing connections, or certain Denial-of-service attacks.

Third generation - application layer

Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories, and Marcus Ranum described a third generation firewall known as an application layer firewall, also known as a proxy-based firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC, who named it the DEC SEAL product. DEC's first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.

The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect whether an unwanted protocol is being sneaked through on a non-standard port or whether a protocol is being abused in a known harmful way.

Subsequent developments

In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were refining the concept of a firewall. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be easily implemented on and accessed from a computer operating system such as Microsoft's Windows or Apple's Mac OS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.

The deep packet inspection functionality of modern firewalls can be shared by intrusion prevention systems (IPS).

Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes.

In popular culture

Use of the term "firewall" in relation to computer or network security may have been popularized by its use in the 1983 film WarGames. In the movie, at approximately time index 01:42:00, while attempting to gain access to the WOPR computer as it sought the code required to launch the United States' nuclear arsenal against the Soviet Union, NORAD personnel engaged in the following dialogue:

--John, let's feed it a tapeworm.
--Nah, it’s too risky. It might smash the system.
--How’d the kid get in—through the back door?
--We took it out.
--Can we invade the deep logic?
--We keep hitting a damn firewall.

Types

There are several classifications of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced.

Network layer and packet filters

Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set. The firewall administrator may define the rules, or default rules may apply. The term "packet filter" originated in the context of BSD operating systems.

Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or connection completion). If a packet does not match an existing connection, it will be evaluated according to the ruleset for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.

Stateless firewalls require less memory, and can be faster for simple filters that require less time to filter than to look up a session. They may also be necessary for filtering stateless network protocols that have no concept of a session. However, they cannot make more complex decisions based on what stage communications between hosts have reached.
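The following is an added example, not code from the original article, covering both the "Second generation" history section and the stateful/stateless comparison above. It keeps a state table keyed on the connection's address and port tuple, tracks a simplified TCP handshake (SYN, SYN/ACK, ACK), checks only new connections against the static ruleset, and classifies a packet that claims to belong to a connection the firewall never saw as invalid. For contrast it includes the stateless approximation of "established", which has no table and can only trust the ACK flag. All addresses and packets are constructed.

```python
"""Stateful packet filtering with a connection table.

Added example for this article; not code from the original page. Addresses
are from the IPv4 documentation ranges and all packets are constructed.
The state machine is a simplified TCP handshake: SYN -> SYN/ACK -> ACK.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


def stateless_ack_verdict(p: TcpPacket) -> str:
    """How a stateless filter approximates 'established': trust the ACK bit.

    It has no table to consult, so any packet carrying ACK looks like a reply.
    """
    return "allow" if p.ack else "drop"


class StatefulFirewall:
    def __init__(self, allowed_new_ports):
        self.allowed_new_ports = set(allowed_new_ports)
        # flow -> "syn_sent" | "syn_received" | "established"
        self.table: Dict[FlowKey, str] = {}

    @staticmethod
    def _key(p: TcpPacket) -> FlowKey:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: TcpPacket) -> FlowKey:
        return (p.dst, p.dport, p.src, p.sport)

    def classify(self, p: TcpPacket) -> str:
        """NEW, ESTABLISHED or INVALID, as the article describes."""
        if self._key(p) in self.table or self._reverse(p) in self.table:
            return "ESTABLISHED"
        if p.syn and not p.ack:
            return "NEW"
        return "INVALID"   # claims to belong to a connection the firewall never saw

    def handle(self, p: TcpPacket) -> str:
        state = self.classify(p)
        if state == "NEW":
            # Only new connections are checked against the static ruleset.
            if p.dport not in self.allowed_new_ports:
                return "drop"
            self.table[self._key(p)] = "syn_sent"
            return "allow"
        if state == "ESTABLISHED":
            key = self._key(p) if self._key(p) in self.table else self._reverse(p)
            if p.syn and p.ack:
                self.table[key] = "syn_received"
            elif p.ack and self.table[key] == "syn_received":
                self.table[key] = "established"
            if p.fin:                       # simplified teardown: forget the flow
                del self.table[key]
            return "allow"
        return "drop"                       # INVALID


def run_scenario():
    """Handshake, data, then two packets a stateless filter would judge differently."""
    fw = StatefulFirewall(allowed_new_ports={80, 443})
    client = ("198.51.100.7", 40001)
    server = ("192.0.2.10", 80)
    r: Dict[str, str] = {}
    r["syn"] = fw.handle(TcpPacket(*client, *server, syn=True))
    r["syn_ack"] = fw.handle(TcpPacket(*server, *client, syn=True, ack=True))
    r["ack"] = fw.handle(TcpPacket(*client, *server, ack=True))
    r["data"] = fw.handle(TcpPacket(*client, *server, ack=True))
    # An ACK-only packet to the web port with no handshake behind it (constructed).
    stray = TcpPacket("203.0.113.9", 5555, "192.0.2.10", 80, ack=True)
    r["stray_ack_stateful"] = fw.handle(stray)
    r["stray_ack_stateless"] = stateless_ack_verdict(stray)
    # A new connection to a port the ruleset does not open.
    r["new_ssh"] = fw.handle(TcpPacket(*client, "192.0.2.10", 22, syn=True))
    return r, fw


if __name__ == "__main__":
    verdicts, firewall = run_scenario()
    print(verdicts)
    print(firewall.table)
```

The stateful filter passes the reply and data packets on the strength of the table entry created by the client's SYN, without re-evaluating the ruleset, and drops the stray ACK because no entry exists for it; the stateless approximation accepts that same packet. A production implementation would also time out idle entries and bound the table size, since the table itself is a resource an attacker can try to exhaust.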

Modern firewalls can filter traffic based on many packet attributes, such as source IP address, source port, destination IP address or port, or destination service such as WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.

Commonly used packet filters on various versions of Unix are ipf (various), ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), and iptables/ipchains (Linux).

Application-layer

Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

By inspecting all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.
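The following is an added example, not code from the original article or from any product it names, illustrating the two checks the "Third generation" section attributes to application-layer firewalls and the content inspection discussed above: identifying the protocol from the first client bytes rather than from the port, so that a protocol sneaked onto a well-known port is caught, and applying a per-protocol policy so that an allowed protocol used in a disallowed way is also caught. The fingerprints, the port-to-protocol policy and the sample payloads are constructed and deliberately conservative.

```python
"""Application-layer inspection of the first client bytes of a session.

Added example for this article; not code from the original page or from any
product named in it. The fingerprints are deliberately conservative and the
sample payloads are constructed. It shows two checks the article attributes
to application-layer firewalls: that the protocol on a well-known port is the
expected one, and that an allowed protocol is not used in a disallowed way.
"""
import re
from typing import Dict, Optional, Tuple

# First-bytes fingerprints for a few client-speaks-first protocols.
FINGERPRINTS = {
    "http": re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n"),
    "ssh":  re.compile(rb"^SSH-2\.0-"),
    "smtp": re.compile(rb"^(EHLO|HELO) "),
    "tls":  re.compile(rb"^\x16\x03[\x00-\x03]"),  # TLS record: handshake, version 3.x
}

# Which protocol each permitted port is expected to carry (assumed policy).
EXPECTED = {80: "http", 443: "tls", 22: "ssh", 25: "smtp"}


def identify(payload: bytes) -> str:
    """Name the protocol from the payload alone, ignoring the port number."""
    for name, pattern in FINGERPRINTS.items():
        if pattern.match(payload):
            return name
    return "unknown"


def http_policy(payload: bytes) -> Optional[str]:
    """Known-abuse check for HTTP: a reason string if the request is refused."""
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, target, _version = request_line.split(" ", 2)
    if method not in ("GET", "HEAD", "POST"):
        return f"method {method} not permitted"
    if not target.startswith("/"):
        return "request target must be an absolute path"
    return None


def inspect(dport: int, payload: bytes) -> Tuple[str, str]:
    """Verdict and reason for the first client message of a session."""
    expected = EXPECTED.get(dport)
    if expected is None:
        return "drop", f"port {dport} is not open"
    seen = identify(payload)
    if seen != expected:
        return "drop", f"port {dport} should carry {expected}, saw {seen}"
    if seen == "http":
        reason = http_policy(payload)
        if reason:
            return "drop", reason
    return "allow", f"{seen} on port {dport}"


# Constructed sample sessions: (destination port, first client bytes).
SAMPLES: Dict[str, Tuple[int, bytes]] = {
    "plain_web":    (80,   b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "tls_web":      (443,  b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    "mail":         (25,   b"EHLO mail.example.com\r\n"),
    "ssh_on_80":    (80,   b"SSH-2.0-OpenSSH_9.6\r\n"),
    "trace_on_80":  (80,   b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "proxy_on_80":  (80,   b"GET http://other.example/ HTTP/1.1\r\n\r\n"),
    "unknown_port": (8080, b"GET / HTTP/1.1\r\n\r\n"),
}


def inspect_all() -> Dict[str, str]:
    """Verdict only, for every constructed sample."""
    return {name: inspect(port, data)[0] for name, (port, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (port, data) in SAMPLES.items():
        print(f"{name:13} -> {inspect(port, data)}")
```

A packet filter would pass every one of the port-80 samples, since all of them are TCP to port 80; this inspector passes only the plain GET. It also shows why the paragraph above calls comprehensive content inspection impractical: each protocol needs its own parser and policy, and the example covers only the first message of four protocols.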

The XML firewall, first brought to market by Forum Systems, exemplifies a more recent kind of application-layer firewall: a specialized firewall used to provide security for XML messaging such as Web services.

Proxies

Main article: Proxy server

A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.

Proxies make tampering with an internal system from the external network more difficult, and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.

Network address translation

Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts. Originally, the NAT function was developed to address the limited number of IPv4 routable addresses that could be used or assigned to companies or individuals, as well as to reduce the amount, and therefore the cost, of obtaining enough public addresses for every computer in an organization. Hiding the addresses of protected devices has become an increasingly important defense against network reconnaissance.
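The following is an added example, not code from the original article, of the source NAT behaviour described above: hosts with RFC 1918 addresses share one public address, outbound connections are given distinct public source ports so that replies can be mapped back, and inbound traffic that matches no mapping is dropped, which is what keeps the internal addresses from being seen from outside. The private hosts, the public address and the remote server are constructed values from the RFC 1918 and IPv4 documentation ranges.

```python
"""Source NAT with port translation for hosts in RFC 1918 space.

Added example for this article; not code from the original page. The
private hosts, public address and remote server are constructed values from
the RFC 1918 and IPv4 documentation ranges.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# The three private ranges defined in RFC 1918.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    return any(ip_address(addr) in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    """Rewrites outbound sources to one public address and maps replies back."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private src, sport, dst, dport) -> public source port
        self.outbound_map: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote addr, remote port) -> (private src, sport)
        self.inbound_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, f: Flow) -> Optional[Flow]:
        if not is_private(f.src):
            return None                      # not a protected host; leave it alone
        key = (f.src, f.sport, f.dst, f.dport)
        if key not in self.outbound_map:
            # Allocate a fresh public port so two hosts using the same source
            # port (common: both pick 50000) still get distinct reply paths.
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, f.dst, f.dport)] = (f.src, f.sport)
        return replace(f, src=self.public_ip, sport=self.outbound_map[key])

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Translate a reply back, or return None for traffic with no mapping."""
        if f.dst != self.public_ip:
            return None
        entry = self.inbound_map.get((f.dport, f.src, f.sport))
        if entry is None:
            return None                      # unsolicited: nothing inside is revealed
        private_src, private_sport = entry
        return replace(f, dst=private_src, dport=private_sport)


def run_scenario():
    """Two internal hosts reach the same server; one reply and one probe come back."""
    nat = SourceNat(public_ip="203.0.113.1")
    remote = ("198.51.100.80", 443)
    a = nat.outbound(Flow("192.168.1.10", 50000, *remote))
    b = nat.outbound(Flow("192.168.1.11", 50000, *remote))
    reply_to_b = nat.inbound(Flow(*remote, "203.0.113.1", b.sport))
    probe = nat.inbound(Flow("198.51.100.9", 40000, "203.0.113.1", 22))
    return a, b, reply_to_b, probe


if __name__ == "__main__":
    a, b, reply, probe = run_scenario()
    print("host A leaves as", a)
    print("host B leaves as", b)
    print("reply to B reaches", reply)
    print("unsolicited probe:", probe)
```

From the outside only 203.0.113.1 and its translated ports are ever visible; the probe to port 22 returns None because no mapping exists for it, regardless of which internal host might be listening. A real implementation also expires idle mappings and, for TCP, tracks connection state much as the stateful filter does, since the mapping table is a state table.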

References

  1. Kenneth Ingham and Stephanie Forrest, A History and Survey of Network Firewalls.
  2. RFC 1135, The Helminthiasis of the Internet.

© 2009 citizendia.org; parts available under the terms of GNU Free Documentation License, from http://en.wikipedia.org