In computing, a firewall is a piece of hardware and/or software which

functions in a networked environment to prevent some

communications forbidden by the security policy, analogous to the
function of firewalls in building construction. A firewall is also called a
Border Protection Device (BPD), especially in NATO contexts, or
packet filter in BSD contexts. A firewall has the basic task of
controlling traffic between different zones of trust. Typical zones of
trust include the Internet (a zone with no trust) and an internal network
(a zone with high trust). The ultimate goal is to provide controlled
connectivity between zones of differing trust levels through the
enforcement of a security policy and connectivity model based on the
least privilege principle.

Proper configuration of firewalls demands skill from the administrator.

It requires considerable understanding of network protocols and of
computer security. Small mistakes can render a firewall worthless as a
security tool.

History of Firewalls
Firewall technology first began to emerge in the late 1980s when the
Internet was still a fairly new technology in terms of its global usage
and connectivity. The original idea was formed in response to a number
of major internet security breaches, which occurred in the late 1980s.
In 1988 an employee at the NASA Ames Research Center in California
sent a memo by email to his colleagues that read, "We are currently
under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego,
Lawrence Livermore, Stanford, and NASA Ames." This virus known as
the Morris Worm was carried by e-mail and is now a common nuisance
for even the most innocuous domestic user. The Morris Worm was the
first large scale attack on Internet security, which the online
community neither expected, nor were prepared for. The internet
community made it a top priority to combat any future attacks from
happening and began to collaborate on new ideas, systems and
software to make the internet safe again.
The first paper published on firewall technology was in 1988, when Jeff
Mogul from Digital Equipment Corp. developed filter systems known as
packet filter firewalls. This fairly basic system was the first generation
of what would become a highly evolved and technical internet security
feature. From 1980-1990 two colleagues from AT&T Bell Laboratories,
Dave Presetto and Howard Trickey, developed the second generation of
firewalls known as circuit level firewalls. Publications by Gene Spafford
of Purdue University, Bill Cheswick at AT&T laboratories and Marcus
Ranum described a third generation firewall known as application layer
firewall, also known as proxy-based firewalls. Marcus Ranum's work on
the technology spearheaded the creation of the first commercial
product. The product was released by Digital Equipment Corporation's
(DEC) who named it the SEAL product. DEC’s first major sale was on
June 13, 1991 to a chemical company based on the East-Coast of the
USA.
At AT&T Bill Cheswick and Steve Bellovin were continuing their
research in packet filtering and developed a working model for their
own company based upon their original 1st generation architecture. In
1992, Bob Braden and Annette DeSchon at the University of Southern
California were developing their own fourth generation packet filter
firewall system. The product known as “Visas” was the first system to
have a visual integration interface with colours and icons, which could
be easily implemented to and accessed on a computer operating
system such as Microsoft's Windows or Apple's Mac/OS. In 1994 an
Israeli company called Check Point Software Technologies built this in
to readily available software known as FireWall-1. A second generation
of proxy firewalls was based on Kernel Proxy technology. This design is
constantly evolving but its basic features and codes are currently in
widespread use in both commercial and domestic computer systems.
Cisco, one of the largest internet security companies in the world
released the product to the public in 1997.
The new Next Generation Firewalls leverage their existing deep packet
inspection engine by sharing this functionality with an Intrusion-
prevention system.
[edit]

Types of firewalls
There are three basic types of firewalls depending on:

• Whether the communication is being done between a single node and

the network, or between two or more networks.
• Whether the communication is intercepted at the network layer, or at
the application layer.
• Whether the communication state is being tracked at the firewall or
not.

With regard to the scope of filtered communications there exist:

• Personal firewalls, a software application which normally filters

traffic entering or leaving a single computer.
• Network firewalls, normally running on a dedicated network device or
computer positioned on the boundary of two or more networks or
 DMZs (demilitarized zones). Such a firewall filters all traffic entering
or leaving the connected networks.

The latter definition corresponds to the conventional, traditional

meaning of "firewall" in networking.
In reference to the layers where the traffic can be intercepted, three
main categories of firewalls exist:

• Network layer firewalls. An example would be iptables.

• Application layer firewalls. An example would be TCP Wrappers.
• Application firewalls. An example would be restricting ftp services
through /etc/ftpaccess file

These network-layer and application-layer types of firewall may

overlap, even though the personal firewall does not serve a network;
indeed, single systems have implemented both together.
There's also the notion of application firewalls which are sometimes
used during wide area network (WAN) networking on the world-wide
web and govern the system software. An extended description would
place them lower than application layer firewalls, indeed at the
Operating System layer, and could alternately be called operating
system firewalls.
Lastly, depending on whether the firewalls keeps track of the state of
network connections or treats each packet in isolation, two additional
categories of firewalls exist:

• Stateful firewalls
• Stateless firewalls

[edit]

Network layer firewalls

Main article: network layer firewall
Network layer firewalls operate at a (relatively) low level of the TCP/IP
protocol stack as IP-packet filters, not allowing packets to pass through
the firewall unless they match the rules. The firewall administrator may
define the rules; or default built-in rules may apply (as in some
inflexible firewall systems).
A more permissive setup could allow any packet to pass the filter as
long as it does not match one or more "negative-rules", or "deny
rules". Today network firewalls are built into most computer operating
systems and network appliances.
Modern firewalls can filter traffic based on many packet attributes like
source IP address, source port, destination IP address or port,
destination service like WWW or FTP. They can filter based on
protocols, TTL values, netblock of originator, domain name of the
source, and many other attributes.
[edit]

Application-layer firewalls
Main article: application layer firewall
Application-layer firewalls work on the application level of the TCP/IP
stack (i.e., all browser traffic, or all telnet or ftp traffic), and may
intercept all packets traveling to or from an application. They block
other packets (usually dropping them without acknowledgement to the
sender). In principle, application firewalls can prevent all unwanted
outside traffic from reaching protected machines.
By inspecting all packets for improper content, firewalls can even
prevent the spread of the likes of viruses. In practice, however, this
becomes so complex and so difficult to attempt (given the variety of
applications and the diversity of content each may allow in its packet
traffic) that comprehensive firewall design does not generally attempt
this approach.
The XML firewall exemplifies a more recent kind of application-layer
firewall.
[edit]

Proxies
Main article: Proxy server
A proxy device (running either on dedicated hardware or as software
on a general-purpose machine) may act as a firewall by responding to
input packets (connection requests, for example) in the manner of an
application, whilst blocking other packets.
Proxies make tampering with an internal system from the external
network more difficult and misuse of one internal system would not
necessarily cause a security breach exploitable from outside the
firewall (as long as the application proxy remains intact and properly
configured). Conversely, intruders may hijack a publicly-reachable
system and use it as a proxy for their own purposes; the proxy then
masquerades as that system to other internal machines. While use of
internal address spaces enhances security, crackers may still employ
methods such as IP spoofing to attempt to pass packets to a target
network..
[edit]
Network address translation
Firewalls often have network address translation (NAT) functionality,
and the hosts protected behind a firewall commonly use so-called
"private address space", as defined in RFC 1918. Administrators often
set up such scenarios in an effort (of debatable effectiveness) to
disguise the internal address or network. See also Port address
translation.
[edit]

Management
The Middlebox Communication (midcom) Working Group of the Internet
Engineering Task Force is working on standardizing protocols for
managing firewalls and other middleboxes. See, e.g., Middlebox
Communications (MIDCOM) Protocol Semantics.
[edit]

Implementations
• Software
o phion netfence Connectivity Gateways - phion Information Technologies.
o eConceal Firewall (eConceal)
o Astaro Security Linux
o Trustix Enterprise Firewall
o MCS Firewall
o Check Point VPN-1 (formerly Firewall-1)
o SC Gauntlet (discontinued, but still in use)
o ipfw
o ipfwadm
o ipchains
o Iptables
o IPFilter (ipf)
o Netfilter/iptables
o PF
o Microsoft Internet Security and Acceleration (ISA) Server
o WinGate Proxy / NAT Firewall
o PORTUS Application Protection System
o Symantec
o visonys AirLock
o tetrade secure entry server
• Appliances
o ActionTEC (a DSL Modem packaged by Qwest with new DSL customer
orders)
 o Arkoon FAST360
o Blue Reef Sonar
o Celestix MSA SeriesCelestix Inc.
o Cisco PIX and Cisco ASA
o Clavister [1]
o CyberGuard
o DataPower
o D-Link
o FortiGate by Fortinet
o Global Technology Associates, Inc.
o NetASQ
o Juniper NetScreen
o Lightning MultiCom VPN Firewall - [2]
o Lucent VPN Firewall - [3]
o Nortel Stand-alone and Switched Firewall - [4]
o PORTUS-APS Appliance
o PresiNET VPN/Network Visibility
o Sarvega
o Sidewinder and Sidewinder G2
o Securepoint
o SofaWare Technologies
o SonicWall
o Watchguard
o MultiTech Systems - RouteFinder
• Free software distributions
o Endian Firewall (GPL)
o IPCop (GPL)
o m0n0wall (BSD-style license)
o pfSense (BSD-style license) (m0n0wall fork)
o Devil-Linux (GPL)
o SmoothWall Express (GPL)
o eBox Platform (GPL)
o BrazilFW Firewall and Router (GPL) - Formerly Coyote Linux - This runs
from a floppy disk or hard disk, and is configured through a Windows or
Linux program.

• Personal firewalls – see that article

[edit]

Use case scenario

A redundancy firewall reduces the possibility of an Internet connection Outage.
The simplest form could be like this:

• node 1 and node 2 running an OS with a Linux kernel (SUSE GNU/Linux or

Debian GNU/Linux for example)

• To create a redundancy firewall we could choose to build a high-availability

cluster. Therefore we need to connect those nodes (at least two are necessary) to
each another in a way they could "see" each other. The software to do so could be
Heartbeat which is part of Linux-HA Project

• The most critical task in such a scenario is to ensure that all nodes share the same
data at all times, better known as data integrity. This could be done with DRBD
which is roughly speaking nothing else than a network RAID 1.

• Last but not least we need firewalling capabilities for the redundancy firewall. A
packet filter like iptables helps here.

A recent evolution in the security technology space has been the

convergence of Intrusion-prevention systems and Firewall technologies.
This has given birth to new technology called Next Generation
Firewalls. While Firewalls with Deep Inspection were being used to
dictate corporate security policies, IPS systems too had been using the
same deep packet inspection technology to protect the network from
external threats. The new next generation firewalls leverage their
existing deep packet inspection engine by sharing this functionality
with an intrusion protection engine. As part of this process, streams
which have been allowed by the firewall are subsequently submitted
for malicious stream analysis to the IPS engine. The reuse of the deep
packet inspection engine brings about a significant increase in
performance and helps administrators get a consolidated security view
of their network. With time, these firewalls could potentially start
including other content processing technologies like anti-virus which
can leverage the deep packet inspection technolgies to provide
comprehensive protectiojn. Example of Next-Generation Firewalls:
iPolicy Networks/Intrusion Prevention Firewall

Overview
When Windows XP was originally shipped in October 2001, it included a
limited firewall called "Internet Connection Firewall". It was disabled by
default due to concerns with backward compatibility, and the
configuration screens were buried away in network configuration
screens that many users never looked at. As a result, it was rarely
used. In mid-2003, the Blaster worm attacked a large number of
Windows machines, taking advantage of flaws in the RPC Windows
service[1]. Several months later, the Sasser worm would do something
similar. The ongoing prevalence of these worms through 2004 would
result in unpatched machines being infected within a matter of
minutes[2]. Because of these incidents, as well as other criticisms that
Microsoft was not being proactive in protecting customers from threats,
Microsoft decided to significantly improve both the functionality and
the interface of Windows XP's built-in firewall, and rebrand it as,
simply, "Windows Firewall".
Windows Firewall was first introduced as part of Windows XP Service
Pack 2. Every type of network connection, whether it is wired, wireless,
VPN, or even Firewire, has the firewall enabled by default, with some
built-in exceptions to allow connections from machines on the local
network. It also fixed a problem whereby the firewall policies would not
be enabled on a network connection until several seconds after the
connection itself was created, thereby creating a window of
vulnerability.[3] A number of additions were made to Group Policy, so
that Windows system administrators could configure the Windows
Firewall product on a company-wide level.
Windows Firewall turned out to be one of the two most significant
reasons (the other being DCOM activation security [4]) that many
corporations did not upgrade to Service Pack 2 in a timely fashion.
Around the time of SP2's release, a number of Internet sites were
reporting significant application compatibility issues, though the
majority of those ended up being nothing more than ports that needed
to be opened on the firewall so that components of distributed systems
(typically back-up and antivirus solutions) could communicate.
In March 2005, Microsoft released Windows Server 2003 Service Pack
1, which incorporated the same improvements to the firewall product
into their server operating system.
[edit]

Windows Vista
This article or section contains information about beta software
currently in development.
The content may change dramatically as the software development progresses.

Screenshot of the Windows Firewall MMC console in Windows Vista December CTP
5270
The next version of Windows, Windows Vista, will significantly improve
the firewall[5], to address a number of concerns around the flexibility of
Windows Firewall in a corporate environment:

• IPv6 connection filtering

• Outbound packet filtering, reflecting increasing concerns about spyware and
viruses that attempt to "phone home"
• With the advanced packet filter, rules can also be specified for source and
destination IP addresses and port ranges
• Rules can be configured for services by its service name choosen by a list,
without needing to specify the full path file name.
• IPSec is fully integrated, allowing connections to be allowed or denied based on
security certificates, Kerberos authentication, etc. Encryption can also be required
for any kind of connection.
• A new management console snap-in named Windows Firewall with Advanced
Security which provides access to many advanced options, and enables remote
administration.
• Ability to have separate firewall profiles for when computers are domain-joined
or connected to a private or public network. Support for the creation of rules for
enforcing server and domain isolation policies

Webopedia definition
A system designed to prevent unauthorized access to or from a private network.
Firewalls can be implemented in both hardware and software, or a combination of
both. Firewalls are frequently used to prevent unauthorized Internet users from
accessing private networks connected to the Internet, especially intranets. All
messages entering or leaving the intranet pass through the firewall, which
examines each message and blocks those that do not meet the specified security
criteria.

There are several types of firewall techniques:

Packet filter: Looks at each packet entering or leaving the network and
accepts or rejects it based on user-defined rules. Packet filtering is fairly
effective and transparent to users, but it is difficult to configure. In addition,
it is susceptible to IP spoofing.
Application gateway: Applies security mechanisms to specific
applications, such as FTP and Telnet servers. This is very effective, but can
impose a performance degradation.
Circuit-level gateway: Applies security mechanisms when a TCP or
UDP connection is established. Once the connection has been made,
packets can flow between the hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network.
The proxy server effectively hides the true network addresses.

In practice, many firewalls use two or more of these techniques in

concert.

A firewall is considered a first line of defense in protecting private

information. For greater security, data can be encrypted.