Firewall explained


A firewall is a hardware or software device which is configured to permit, deny or proxy data through a computer network which has different levels of trust.

Function
A firewall's basic task is to transfer traffic between computer networks of different trust levels. Typical examples are the Internet which is a zone with no trust and an internal network which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or Demilitarized zone (DMZ).

A firewall's function within a network is similar to firewalls with fire door in building construction. In former case, it is used to prevent network intrusion to the private network. In latter case, it is intended to contain and delay structural fire from spreading to adjacent structures. An analogy of network firewall is a fire-resistance rated wall with a fire-resistance rated, self-closing, solid-core, inside unlockable, outside key-lockable door between a house and its attached garage.

Without proper configuration, a firewall can often become worthless. Standard security practices dictate a "default-deny" firewall ruleset, in which the only network connections which are allowed are the ones that have been explicitly allowed. Unfortunately, such a configuration requires detailed understanding of the network applications and endpoints required for the organization's day-to-day operation. Many businesses lack such understanding, and therefore implement a "default-allow" ruleset, in which all traffic is allowed unless it has been specifically blocked. This configuration makes inadvertent network connections and system compromise much more likely.

History
Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The original idea was formed in response to a number of major internet security breaches, which occurred in the late 1980s. In 1988 an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues that read,
"We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames."

The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.

First generation - packet filters
The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical internet security feature. At AT&T Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture.

Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).

This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, which comprises most internet communication, the port number).

Because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.

Second generation - "stateful" filters
From 1980-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Howard Trickey, and Kshitij Nigam developed the second generation of firewalls, calling them circuit level firewalls.

This technology is generally referred to as a 'stateful firewall' as it maintains records of all connections passing through the firewall, and is able to determine whether a packet is the start of a new connection, or part of an existing connection. Though there's still a set of static rules in such a firewall, the state of a connection can in itself be one of the criteria which trigger specific rules.

This type of firewall can help prevent attacks which exploit existing connections, or certain Denial-of-service attacks, including the SYN flood which sends improper sequences of packets to consume resources on systems behind a firewall.

Third generation - application layer
Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories and Marcus Ranum described a third generation firewall known as application layer firewall, also known as proxy based firewalls. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC who named it the SEAL product. DEC's first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.

The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS or web browsing), and can detect whether an unwanted protocol is being sneaked through on a non-standard port, or whether a protocol is being abused in a known harmful way.

This type of filtering can be carried out by proxy servers, but if the filtering is done by a standalone firewall appliance, or in a device for traffic shaping, the technology is likely to be referred to as deep packet inspection.

Subsequent developments
In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were developing their own fourth generation packet filter firewall system. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be easily implemented to and accessed on a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.

A second generation of proxy firewalls was based on Kernel Proxy technology. This design is constantly evolving but its basic features and codes are currently in widespread use in both commercial and domestic computer systems. Cisco, one of the largest internet security companies in the world released their PIX product to the public in 1997.

Some modern firewalls leverage their existing deep packet inspection engine by sharing this functionality with an Intrusion-prevention system (IPS).

Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes, a way of transferring policy enforcement.

Types
There are several classifications of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced.

Network layer and packet filters
Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established ruleset. The firewall administrator may define the rules; or default rules may apply. The term packet filter originated in the context of BSD operating systems.

Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed up packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or completion connection. If a packet does not match an existing connection, it will be evaluated according to the ruleset for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.

Stateless firewalls have packet-filtering capabilities, but cannot make more complex decisions on what stage communications between hosts have reached. Stateless firewalls therefore offer less security.

Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.

Commonly used packet filters on various versions of Unix are ipf (various), ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), iptables/ipchains (Linux).

Application-layer
Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

By inspecting all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.

The XML firewall exemplifies a more recent kind of application-layer firewall. It performs mainly three functions i.e; simplest. sees only; a- address b-service protocol. auditing is difficult.

Proxies
A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.

Proxies make tampering with an internal system from the external network more difficult and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network..

Network address translation
Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts.


<-- Previous | Home Glossary | Next -->

📣 Latest tweets mentioning Firewall


📖 Latest blogs mentioning Firewall

🏆 Alexa 666,805 - 📅 - What is a Web Application Firewall (WAF) and how does it work? - WAF (Web Application Firewall) or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. Typically, a WAF protects web applications from attacks such as cross-site
azure.microsoft.com Icon 🏆 Alexa 19 - 📅 - Bringing generative AI to Azure network security with new Microsoft Copilot integrations - We are excited to announce the Azure Web Application Firewall and Azure Firewall integrations in Microsoft Copilot for Security. This is the first step we are taking toward bringing interactive, generative AI-powered capabilities to Azure network ...
aws.amazon.com Icon 🏆 Alexa 8 - 📅 - Stop the CNAME chain struggle: Simplified management with Route 53 Resolver DNS Firewall - Updated 2 May 2024: I removed the reference to Route53 Alias that was incorrectly referred as a chain Starting today, you can configure your DNS Firewall to automatically trust all domains in a resolution chain (such as aCNAMEor DNAMEchain). Let’s ...
vsys.host Icon 🏆 Alexa 118,485 - 📅 - How to Enable and Use firewalld on CentOS 7 - Managing the firewall on a CentOS 7 system is essential for administrators who need to ensure network security and manage traffic effectively. firewalld serves as the default firewall management tool on CentOS, providing a dynamic and configurable ...
wpoven.com Icon 🏆 Alexa 68,159 - 📅 - How to Setup Cloudflare Settings on WordPress? - As a Cloudflare partner, we recommend using Cloudflare as a DNS, firewall, and CDN for the sites we host at WPOven. This guide serves as a small reference for setting up Cloudflare and its official WordPress Plugin to leverage the best Cloudflare ...
easydns.com Icon 🏆 Alexa 193,414 - 📅 - RCA: Intermittent DNS1 Issues on April 3rd 2024 - Background: Until March 31, 2024, easyDNS was contracting with Cloudflare to provide DNS firewall services on our DNS1 and DNS2 anycast constellations. After a good run, lasting over 10 years, we decided to go in a different direction and provided ...
natsav.com Icon 🏆 Alexa 683,105 - 📅 - How to Configure Firewall permit for port number in Windows Server - Step 1: Go to search bar and type Control Panel. (Free VPS Server) Step 2: Then click on System & Security. Step 3: Open the Windows Firewall with Advanced Security console. Step 4: In the navigation pane, select Inbound Rules. (Best Web Hosting ...

📋 Latest news about Firewall

Check Point’s Quantum Spark Firewall Series Elevates Cybersecurity for SMBs - 📅 - The Quantum Spark 1900 and 2000, Check Point (checkpoint.com) (g2.com) Software Technologies' most recent firewall products, were released. These products are a part of Check Point's next-generation firewall series, which is designed to cater to SMBs' specific requirements in the face of an increasingly hostile ...
Aviatrix Launches Distributed Cloud Firewall - 📅 - The 'Distributed Cloud Firewall' is the newest advancement in network security for cloud settings from Aviatrix, a top developer of secure cloud networking solutions. With its "improved scalability, performance, operational simplicity, agility, and cost-efficiency," this technology would transform how businesses ...
Palo Alto Networks Adds ML-Powered Firewall to Microsoft Azure - 📅 - The ML-Powered Next-Generation Firewall (NGFW) from Palo Alto Networks (paloaltonetworks.com) (crunchbase.com) is being added to Microsoft Azure as a fully managed Azure-native ISV solution. A complete security (hjne.ws) solution is provided by Cloud NGFW for Azure, providing features including Advanced Threat ...
Sophos Expands Firewall Portfolio with XGS Series Appliances - 📅 - Sophos (en.wikipedia.org), a global cybersecurity-as-a-service provider, has announced the expansion of its next-generation firewall portfolio with two new high-end, enterprise-grade XGS Series appliances. The XGS 7500 and 8500 models would provide the highest performance and protection for large enterprises and ...
Firewall-as-a-Service Market to be Worth $12.27 Bn By 2030 - 📅 - According to a recent market analysis by Grand View Research (grandviewresearch.com), the size of the worldwide Firewall-as-a-Service market is predicted to reach $12.27 billion by 2030, achieving a CAGR of 22.3% from 2023 to 2030. Demand for Firewall-as-a-Service (FWaaS (hjne.ws)) solutions and services should ...
Fortinet Unveils Managed Cloud-Native Firewall on AWS - 📅 - FortiGate Cloud-Native Firewall (FortiGate CNF (fortinet.com)), an enterprise-grade, managed firewall service especially created for AWS environments, is now available on Amazon Web Services. For real-time detection and defense against malicious external and internal threats, Fortinet's FortiGate CNF offering ...
Firewall Sales Increases 14% to Around $3 Bn in Q2 2022 - 📅 - The global firewall market grew 14% year over year (Y/Y) and reached close to $3 B in quarterly revenue in 2Q22 due to strong demand for firewall solutions, according to a recently released report from Dell'Oro Group, a global source for market information about the telecommunications, security, networks, and data ...