In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.
History
The term ''firewall'' originally referred to a wall intended to confine a fire within a line of adjacent buildings. Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment. The term was applied in the late 1980s to network technology that emerged when the Internet was fairly new in terms of its global use and connectivity. The predecessors to firewalls for network security were routers used in the late 1980s. Because they already segregated networks, routers could apply filtering to packets crossing them.
Before it was used in real-life computing, the term appeared in the 1983 computer-hacking movie ''WarGames'', and possibly inspired its later use.
Types
Firewalls are categorized as either network-based or host-based systems. Network-based firewalls are positioned between two or more networks, typically between the local area network (LAN) and the wide area network (WAN). They are either a software appliance running on general-purpose hardware, a hardware appliance running on special-purpose hardware, or a virtual appliance running on a virtual host controlled by a hypervisor. Firewall appliances may also offer non-firewall functionality, such as DHCP or VPN services. Host-based firewalls are deployed directly on the host itself to control network traffic or other computing resources. This can be a daemon or service that is part of the operating system, or an agent application installed for protection.
Packet filter
The first reported type of network firewall is called a packet filter, which inspects packets transferred between computers. The firewall maintains an access control list which dictates what packets will be looked at and what action should be applied, if any, with the default action set to silent discard. The three basic actions regarding a packet are a silent discard, a discard with an Internet Control Message Protocol (ICMP) or TCP reset response to the sender, and forwarding to the next hop. Packets may be filtered by source and destination IP addresses, protocol, and source and destination ports. The bulk of Internet communication in the 20th and early 21st century used either the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP) in conjunction with well-known ports, enabling firewalls of that era to distinguish between specific types of traffic such as web browsing, remote printing, email transmission, and file transfers.
The first paper published on firewall technology was in 1987, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin continued their research in packet filtering and developed a working model for their own company based on their original first-generation architecture. In 1992, Steven McCanne and Van Jacobson released a paper on the BSD Packet Filter (BPF) while at Lawrence Berkeley Laboratory.
Connection tracking
From 1989 to 1990, three colleagues from AT&T Bell Laboratories, Dave Presotto, Janardan Sharma, and Kshitij Nigam, developed the second generation of firewalls, calling them circuit-level gateways.
Second-generation firewalls perform the work of their first-generation predecessors but also maintain knowledge of specific conversations between endpoints by remembering which port numbers the two IP addresses are using at layer 4 (the transport layer) of the OSI model for their conversation, allowing examination of the overall exchange between the nodes.
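The following is an added example, not code from the article or from any of the firewalls it names, covering both the packet-filter section and the connection-tracking section above. It implements a first-generation filter (an ordered access control list with the three actions the article lists and a default of silent discard) and then extends it into a second-generation filter that remembers which port pair two IP addresses are using for a TCP conversation. The addresses, rules and packets in `demo()` are constructed for illustration; the `Packet`, `Rule`, `PacketFilter` and `StatefulFilter` names are this example's own.

```python
# Added example (not from the article): a first-generation packet filter with an
# ordered ACL and default silent discard, extended into a second-generation
# stateful filter that tracks TCP conversations by (src, sport, dst, dport).
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The three packet-filter actions the article names, plus the default.
DROP = "silent-discard"          # discard, no response to the sender
REJECT_ICMP = "icmp-unreachable"  # discard, ICMP error back to the sender
REJECT_RST = "tcp-reset"         # discard, TCP RST back to the sender
FORWARD = "forward"              # pass the packet to the next hop


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags as letters, e.g. "S", "SA", "A", "F", "R"


@dataclass
class Rule:
    action: str
    src: str = "0.0.0.0/0"          # CIDR prefix for the source address
    dst: str = "0.0.0.0/0"          # CIDR prefix for the destination address
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class PacketFilter:
    """Stateless first-generation filter: first matching rule wins, default drop."""

    def __init__(self, rules: List[Rule], default: str = DROP):
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


class StatefulFilter(PacketFilter):
    """Second-generation filter: also remembers the layer-4 port pair of each
    permitted TCP conversation, so replies are forwarded without a separate
    inbound rule and unsolicited inbound packets still hit the default drop."""

    def __init__(self, rules: List[Rule], default: str = DROP):
        super().__init__(rules, default)
        self.conns: Dict[Tuple[str, int, str, int], str] = {}

    def decide(self, p: Packet) -> str:
        if p.proto != "tcp":
            return super().decide(p)
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns or rev in self.conns:
            key = fwd if fwd in self.conns else rev
            if self.conns[key] == "syn-sent" and p.flags == "SA" and key == rev:
                self.conns[key] = "established"   # handshake reply seen
            elif "F" in p.flags or "R" in p.flags:
                del self.conns[key]               # conversation closed or reset
            return FORWARD
        # A new conversation may only be opened by a bare SYN that a rule permits.
        if p.flags != "S":
            return self.default
        action = super().decide(p)
        if action == FORWARD:
            self.conns[fwd] = "syn-sent"
        return action


def demo() -> Dict[str, str]:
    """Constructed traffic: an inside host browsing out, and inbound telnet."""
    rules = [
        Rule(FORWARD, src="10.0.0.0/8", proto="tcp", dport=80),   # inside -> web
        Rule(REJECT_RST, dst="10.0.0.0/8", proto="tcp", dport=23),  # telnet refused
    ]
    stateless, stateful = PacketFilter(rules), StatefulFilter(rules)
    syn = Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 80, "S")
    synack = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40000, "SA")
    unsolicited = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40001, "SA")
    telnet = Packet("198.51.100.9", "10.0.0.5", "tcp", 5555, 23, "S")
    return {
        "stateless_syn": stateless.decide(syn),            # forward
        "stateless_synack": stateless.decide(synack),      # dropped: no rule for the reply
        "stateful_syn": stateful.decide(syn),              # forward, conversation recorded
        "stateful_synack": stateful.decide(synack),        # forward, matches the tracked conversation
        "stateful_unsolicited": stateful.decide(unsolicited),  # dropped: not a tracked conversation
        "telnet": stateless.decide(telnet),                # tcp-reset
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The stateless filter needs an additional broad inbound rule (anything from port 80 to the inside network) to let the web server's reply through, which is exactly the class of over-permissive rule the connection table removes; the stateful filter forwards the SYN/ACK only because it matches a conversation the inside host opened.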
Application layer
Marcus Ranum, Wei Xu, and Peter Churchyard released an application firewall known as Firewall Toolkit (FWTK) in October 1993. This became the basis for the Gauntlet firewall at Trusted Information Systems.
The key benefit of application layer filtering is that it can understand certain applications and protocols such as the File Transfer Protocol (FTP), the Domain Name System (DNS), or the Hypertext Transfer Protocol (HTTP). This allows it to identify unwanted applications or services using a non-standard port, or to detect if an allowed protocol is being abused. It can also provide unified security management including enforced encrypted DNS and virtual private networking.
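The following is an added example, not code from the article or from FWTK or Gauntlet, showing what application-layer filtering adds over port-based filtering: it identifies HTTP and UDP DNS from the payload itself (a request line, or a DNS header with a parseable question section), so it can drop an allowed protocol that shows up on a non-standard port and an allowed protocol whose use breaks policy (here, an HTTP method outside an allowlist). The policy, port table, payloads and the `inspect` function are this example's own constructions.

```python
# Added example (not from the article): an application-layer inspector that
# recognises HTTP and DNS by parsing the payload rather than trusting the port.
import re
import struct
from typing import Dict, Tuple

HTTP_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
STANDARD_PORTS = {"http": {80, 8080}, "dns": {53}}   # constructed policy table


def looks_like_dns(payload: bytes) -> bool:
    """Parse a DNS header and walk the question section (RFC 1035 layout).
    Only query-shaped messages without label compression are accepted."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 2 or qdcount == 0 or qdcount > 16:
        return False
    pos = 12
    for _ in range(qdcount):
        while True:                       # name: length byte, label bytes, 0 terminates
            if pos >= len(payload):
                return False
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length > 63:               # 0xC0 pointers are not valid in a query name here
                return False
            pos += length
        pos += 4                          # QTYPE and QCLASS
    return pos <= len(payload)


def classify(payload: bytes, transport: str) -> str:
    """Identify the application protocol from the payload, ignoring the port."""
    if transport == "tcp" and HTTP_REQUEST_LINE.match(payload):
        return "http"
    if transport == "udp" and looks_like_dns(payload):
        return "dns"
    return "unknown"


def inspect(transport: str, dport: int, payload: bytes, policy: Dict) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet's application data."""
    app = classify(payload, transport)
    if app == "unknown":
        return "drop", "payload does not parse as an allowed application protocol"
    if app not in policy["allowed_apps"]:
        return "drop", f"{app} is not permitted"
    if dport not in STANDARD_PORTS[app]:
        return "drop", f"{app} on non-standard port {dport}"
    if app == "http":
        method = HTTP_REQUEST_LINE.match(payload).group(1).decode()
        if method not in policy["http_methods"]:
            return "drop", f"http method {method} not allowed"
    return "forward", f"{app} accepted"


# Constructed policy and sample payloads.
POLICY = {"allowed_apps": {"http", "dns"}, "http_methods": {"GET", "HEAD", "POST"}}
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
HTTP_TRACE = b"TRACE / HTTP/1.1\r\nHost: example.com\r\n\r\n"
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # id, flags (RD), qdcount=1
             b"\x07example\x03com\x00"                               # QNAME example.com
             b"\x00\x01\x00\x01")                                    # QTYPE A, QCLASS IN


def run_samples() -> Dict[str, Tuple[str, str]]:
    return {
        "http_80": inspect("tcp", 80, HTTP_GET, POLICY),
        "http_4444": inspect("tcp", 4444, HTTP_GET, POLICY),     # HTTP hiding on another port
        "http_trace": inspect("tcp", 80, HTTP_TRACE, POLICY),    # allowed protocol, disallowed use
        "dns_53": inspect("udp", 53, DNS_QUERY, POLICY),
        "binary_80": inspect("tcp", 80, b"\x00\x01\x02garbage", POLICY),  # not HTTP despite port 80
    }


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:12s} {verdict:8s} {reason}")
```

A port-based filter would pass both `http_4444` (if 4444 were open) and `binary_80`; the inspector decides on what the bytes are, which is the capability the section describes.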
As of 2012, the next-generation firewall provides a wider range of inspection at the application layer, extending deep packet inspection functionality to include, but not limited to:
* Web filtering
* Intrusion prevention systems
* User identity management
* Web application firewall
Endpoint specific
Endpoint-based application firewalls function by determining whether a process should accept any given connection. Application firewalls filter connections by examining the process ID of data packets against a rule set for the local process involved in the data transmission. Application firewalls accomplish their function by hooking into socket calls to filter the connections between the application layer and the lower layers. Application firewalls that hook into socket calls are also referred to as socket filters.
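The following is an added example, not code from the article or from any endpoint firewall product, showing the mechanism the paragraph describes: a wrapper installed over the socket `connect()` call that looks up the calling process against a rule set before the connection is allowed to leave the host. Process identity is a name the caller supplies (a real product resolves the executable behind the process ID making the call), and the `EndpointRule`, `SocketFilter`, `attempt` and `demo` names, the rule set and the loopback listener are this example's own.

```python
# Added example (not from the article): an endpoint firewall that hooks
# socket.socket.connect and consults a per-process rule set (a "socket filter").
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class EndpointRule:
    process: str           # process name, or "*" for any process
    host: str              # destination host, or "*" for any
    port: Optional[int]    # destination port, or None for any
    allow: bool


def decide(rules: List[EndpointRule], process: str, host: str, port: int) -> bool:
    """First matching rule wins; a connection with no matching rule is denied."""
    for r in rules:
        if r.process in ("*", process) and r.host in ("*", host) and r.port in (None, port):
            return r.allow
    return False


class SocketFilter:
    """Replaces socket.socket.connect with a checking wrapper for this process."""

    def __init__(self, rules: List[EndpointRule], process_name: str):
        self.rules = list(rules)
        self.process = process_name      # hypothetical identity of the caller
        self.log: List[Tuple[str, str, int, bool]] = []   # audit trail of decisions
        self._orig_connect = None

    def install(self) -> None:
        orig = socket.socket.connect
        self._orig_connect = orig
        sf = self

        def filtered_connect(sock, address):
            host, port = address[0], address[1]
            allowed = decide(sf.rules, sf.process, host, port)
            sf.log.append((sf.process, host, port, allowed))
            if not allowed:                # denied before any packet is sent
                raise PermissionError(f"{sf.process} -> {host}:{port} blocked")
            return orig(sock, address)

        socket.socket.connect = filtered_connect

    def uninstall(self) -> None:
        if self._orig_connect is not None:
            socket.socket.connect = self._orig_connect
            self._orig_connect = None


# Constructed rule set: nothing may open port 22; only "updater" may reach localhost.
RULES = [
    EndpointRule("*", "*", 22, False),
    EndpointRule("updater", "127.0.0.1", None, True),
]


def attempt(sf: SocketFilter, process: str, address) -> str:
    """Run one connect() through the hook as the named process."""
    sf.process = process
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect(address)
        return "allowed"
    except PermissionError:
        return "blocked"
    finally:
        s.close()


def demo() -> dict:
    """Open a loopback listener so an allowed connect actually succeeds."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    sf = SocketFilter(RULES, "updater")
    sf.install()
    try:
        return {
            "updater_local": attempt(sf, "updater", ("127.0.0.1", port)),   # allowed
            "browser_local": attempt(sf, "browser", ("127.0.0.1", port)),   # blocked: no rule
            "updater_ssh": attempt(sf, "updater", ("127.0.0.1", 22)),       # blocked: deny rule
            "log": list(sf.log),
        }
    finally:
        sf.uninstall()
        listener.close()


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value}")
```

Because the wrapper raises before calling the original `connect`, a denied connection never produces a packet; the `log` list gives the audit record an administrator would review to find applications attempting connections the rule set does not cover.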
Configuration
Setting up a firewall is a complex and error-prone task. A network may face security issues due to configuration errors.
See also
* Air gap (networking)
* Distributed firewall
* DMZ (computing)
* Firewall pinhole
* ''Firewalls and Internet Security''
* Golden Shield Project
* Intrusion detection system
* Windows Firewall
External links
* Evolution of the Firewall Industry – discusses different architectures, how packets are processed, and provides a timeline of the evolution.
* A History and Survey of Network Firewalls – provides an overview of firewalls at various ISO levels, with references to original papers where early firewall work was reported.