In computing, a firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed not to be secure and trusted. Firewalls exist both as a software solution and as a hardware appliance. Many hardware-based firewalls also offer other functionality to the internal network they protect, such as acting as a DHCP server for that network.
Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and conversely, many firewalls can perform basic routing functions.
Hardware and Software Firewalls
Firewalls can be either hardware or software, and a sound configuration usually uses both. Besides limiting access to your computer and network, a firewall is also the point through which remote users can be admitted to a private network, authenticated by certificates and logins.
Hardware firewalls can be purchased as stand-alone products but are also typically found in broadband routers, and should be considered an important part of your system and network set-up. Most hardware firewalls have at least four network ports for connecting other computers; for larger networks, business-class firewall solutions are available.
Software firewalls are installed on your computer like any other software and can be customized, giving you some control over their function and protection features. A software firewall protects your computer from outside attempts to control it or gain access to it.
The term firewall originally referred to a wall intended to confine a fire or potential fire within a building. Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment.
Firewall technology emerged in the late 1980s, when the Internet was still fairly new in terms of global use and connectivity. Its immediate predecessors for network security were the routers of the late 1980s, and several incidents of that period showed why something stronger was needed:
- Clifford Stoll’s discovery of German spies tampering with his system.
- Bill Cheswick’s “Evening with Berferd” 1992 in which he set up a simple electronic “jail” to observe an attacker.
- In 1988, an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues that read, “We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames.”
- The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.
First Generation: Packet Filters
The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls.
Packet filters act by inspecting the individual packets transferred between computers on the Internet. If a packet matches one of the filter's rules, the filter either drops it (silently discards it) or rejects it (discards it and sends an error response to the source, typically an ICMP unreachable message or, for TCP, a RST).
Second Generation: “Stateful” Filters
From 1989 to 1990, three colleagues from AT&T Bell Laboratories, Dave Presotto, Janardan Sharma, and Kshitij Nigam, developed the second generation of firewalls, calling them circuit-level gateways.
Second-generation firewalls perform the work of their first-generation predecessors but operate up to layer 4 (the transport layer) of the OSI model. They retain packets until enough information is available to judge the state of the connection they belong to. Known as stateful packet inspection, this records every connection passing through the firewall and determines whether a packet is the start of a new connection, part of an existing connection, or part of no connection at all. Static rules are still used, but they can now include connection state as one of their test criteria.
Certain denial-of-service attacks exploit this by bombarding the firewall with thousands of fake connection-opening packets (a SYN flood, for instance) in an attempt to fill its connection-state memory. Bounding the state table, expiring half-open entries quickly, and SYN cookies are the usual countermeasures.
Third generation: Application Layer
Marcus Ranum, Wei Xu, and Peter Churchyard developed an application firewall known as the Firewall Toolkit (FWTK). In June 1994, Wei Xu extended the FWTK with a kernel enhancement for IP filtering and transparent sockets. The result, the first transparent application firewall, was released as a commercial product, the Gauntlet firewall, by Trusted Information Systems; Gauntlet was rated among the leading firewalls from 1995 to 1998.
The key benefit of application-layer filtering is that it can “understand” certain applications and protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP)). It can therefore detect an unwanted protocol trying to bypass the firewall on an allowed port, or a protocol being abused in some harmful way. As of 2012, the so-called next-generation firewall (NGFW) is essentially this application-stack inspection made wider or deeper. For example, the deep packet inspection already present in modern firewalls can be extended to include:
- Intrusion prevention systems (IPS).
- User identity integration (binding user IDs to IP or MAC addresses for “reputation”).
- Web application firewall (WAF). WAFs can themselves be fingerprinted, for example with the tool WAFFle (“WAF Fingerprinting utilizing timing side channels”).
Types of Firewall
The earliest firewalls functioned as packet filters, inspecting the packets that are transferred between computers on the Internet. When a packet passes through a packet-filter firewall, its source and destination address, protocol, and destination port number are checked against the firewall’s rule set.
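The packet-filter behaviour described here and in the First Generation section above, as an added Python example (not code from the page or from any firewall product): a first-match, default-deny rule set over the header fields the text names, plus the arrival interface, which is what makes an anti-spoofing rule possible. The addresses (RFC 5737 documentation ranges), the rule set and the sample packets are constructed for the example.

```python
"""Added illustration of a first-match, default-deny packet filter over the
header fields the text names (source/destination address, protocol, destination
port) plus the arrival interface. Not code from any firewall product; the
rule set, addresses and packets are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str                    # interface the packet arrived on: "wan" or "lan"
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept", "drop" or "reject"
    iface: Optional[str] = None   # None means "any" for this and every field below
    src: Optional[str] = None     # CIDR prefix
    dst: Optional[str] = None     # CIDR prefix
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.iface is None or self.iface == p.iface)
            and (self.src is None or ip_address(p.src) in ip_network(self.src))
            and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


# Constructed rule set for a border firewall in front of 192.0.2.0/24
# (RFC 5737 documentation space standing in for a real internal network).
RULES = [
    # Anti-spoofing: a packet arriving from the Internet must not claim an
    # internal source address. Address filtering alone cannot tell a forged
    # source from a real one; the arrival interface is what makes this check work,
    # and it must come before any accept rule.
    Rule("drop", iface="wan", src="192.0.2.0/24"),
    # Services deliberately exposed to the Internet.
    Rule("accept", iface="wan", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("accept", iface="wan", dst="192.0.2.10/32", proto="tcp", dport=443),
    # Reject (rather than drop) telnet so clients fail fast instead of timing out.
    Rule("reject", iface="wan", proto="tcp", dport=23),
    # Anything originating inside may leave.
    Rule("accept", iface="lan", src="192.0.2.0/24"),
]
DEFAULT_ACTION = "drop"   # default deny: whatever no rule allows is silently discarded


def filter_packet(p: Packet, rules=RULES) -> str:
    """Return the action of the first rule that matches, else the default action."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return DEFAULT_ACTION


if __name__ == "__main__":
    for pkt in (
        Packet("wan", "203.0.113.5", "192.0.2.10", "tcp", 80),   # web: accept
        Packet("wan", "203.0.113.5", "192.0.2.10", "tcp", 22),   # ssh from outside: drop
        Packet("wan", "192.0.2.7", "192.0.2.10", "tcp", 80),     # spoofed internal source: drop
        Packet("wan", "203.0.113.5", "192.0.2.10", "tcp", 23),   # telnet: reject
    ):
        print(pkt, "->", filter_packet(pkt))
```

Rule order is the whole design: the anti-spoofing drop sits above the accepts, and the default action at the bottom is deny, so a new service is unreachable until someone writes a rule for it.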
In order to recognize a packet's connection state, a firewall records every connection passing through it so that it has enough information to decide whether a packet is the start of a new connection, part of an existing connection, or part of no connection. This is what is called “stateful packet inspection.” Check Point Software popularized the term when it shipped the technique in its FireWall-1 software firewall in 1994, and by the late 1990s it was a common firewall product feature.
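The stateful inspection described here and in the Second Generation section above, as an added Python example (not code from the page or from any firewall product): a connection table keyed on the TCP 4-tuple, a minimal handshake state machine that classifies each packet as NEW, ESTABLISHED or INVALID, and a bounded table that evicts half-open entries first, which is how the state-exhaustion attack mentioned earlier is blunted. Addresses and packets are constructed; the four-entry table size is deliberately tiny so the eviction is visible.

```python
"""Added illustration of stateful packet inspection: a connection table keyed
on the TCP 4-tuple, a minimal handshake state machine, and a bounded table
that evicts half-open entries first, since those are what a SYN flood fills
it with. Not code from any firewall product; addresses and packets are
constructed for the example."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}


def key_for(p: TcpPacket):
    """Direction-independent key so a reply lands on the same table entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class ConnTracker:
    def __init__(self, max_entries: int = 4):
        self.max_entries = max_entries
        self.table = OrderedDict()      # key -> state; insertion order doubles as age

    def _insert(self, key, state):
        if len(self.table) >= self.max_entries:
            # Table full: evict the oldest half-open connection first so a flood
            # of unanswered SYNs cannot push out established sessions.
            victim = next((k for k, s in self.table.items() if s == "SYN_SENT"), None)
            if victim is None:
                victim = next(iter(self.table))
            del self.table[victim]
        self.table[key] = state

    def classify(self, p: TcpPacket) -> str:
        """Return 'NEW', 'ESTABLISHED' or 'INVALID' for this packet."""
        key, f = key_for(p), p.flags
        state = self.table.get(key)
        if state is None:
            # Only a bare SYN may open a connection; a stray ACK/FIN/data
            # packet with no table entry is a probe or a forgery.
            return "NEW" if f == {"SYN"} else "INVALID"
        if state == "SYN_SENT" and f == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECV"
            return "ESTABLISHED"
        if state == "SYN_RECV" and f == {"ACK"}:
            self.table[key] = "ESTABLISHED"
            return "ESTABLISHED"
        if state == "ESTABLISHED":
            if "RST" in f:              # real trackers also time out idle and FIN-closed entries
                del self.table[key]
            return "ESTABLISHED"
        return "INVALID"                # e.g. a second SYN-ACK, or an ACK before the SYN-ACK

    def track_new(self, p: TcpPacket) -> None:
        self._insert(key_for(p), "SYN_SENT")


def stateful_filter(p: TcpPacket, tracker: ConnTracker,
                    open_ports=frozenset({80, 443})) -> str:
    """Policy: allow NEW only to listed ports, allow ESTABLISHED, drop INVALID."""
    verdict = tracker.classify(p)
    if verdict == "ESTABLISHED":
        return "accept"
    if verdict == "NEW" and p.dport in open_ports:
        tracker.track_new(p)            # only allowed connections consume state
        return "accept"
    return "drop"
```

Two details matter in practice: a SYN to a closed port is classified NEW but never enters the table, so attackers cannot fill it with connections the policy would refuse anyway, and the eviction prefers SYN_SENT entries so that the established sessions survive a flood of half-open ones.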
As attacks against Web servers became more common, so too did the need for a firewall that could protect the servers and the applications running on them, not merely the network resources behind them. Application-layer firewalls, whose origins in the Firewall Toolkit are described above, had become mainstream products by 1999, enabling firewalls to inspect and filter packets at any OSI layer up to the application layer.
The key benefit of application-layer filtering is the ability to block specific content, such as known malware or certain websites, and recognize when certain applications and protocols — such as HTTP, FTP and DNS — are being misused.
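The protocol recognition this paragraph and the Third Generation section describe, as an added Python example (not code from the page or from any product): identify the application protocol from the first bytes a client sends and accept the flow only if it is the protocol the destination port is supposed to carry, so SSH or TLS tunnelled over port 80 is caught. The port-to-protocol table and the byte strings are constructed assumptions for the example.

```python
"""Added illustration of application-layer inspection: identify the protocol
from the first bytes a client sends and accept the flow only if it is the
protocol the destination port is supposed to carry, so SSH or TLS tunnelled
over port 80 is caught. Not code from any product; the byte strings in the
tests are constructed samples, and the port-to-protocol table is an assumption."""
import re

# Constructed expectation table: which application protocol each open port should carry.
EXPECTED_PROTOCOL = {80: "http", 443: "tls", 22: "ssh"}

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def identify_protocol(first_bytes: bytes) -> str:
    """Classify a flow from the first client bytes: 'http', 'ssh', 'tls' or 'unknown'."""
    if HTTP_REQUEST_LINE.match(first_bytes):
        return "http"
    if first_bytes.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"                      # SSH version-exchange banner
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0X,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    return "unknown"


def app_layer_verdict(dport: int, first_bytes: bytes) -> tuple:
    """Return (action, identified protocol). A flow is dropped when the port
    is not open at all or when what is spoken is not what the port is for."""
    proto = identify_protocol(first_bytes)
    expected = EXPECTED_PROTOCOL.get(dport)
    if expected is None or proto != expected:
        return ("drop", proto)
    return ("accept", proto)
```

The check needs the first bytes of the stream, not of an arbitrary packet, so a real implementation sits behind TCP reassembly; and once TLS is negotiated, only the ClientHello is visible, which is why inspection of encrypted traffic stops at confirming that it is TLS.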
Firewall proxy servers also operate at the application layer, acting as an intermediary for requests from one network to another for a specific network application. A proxy firewall prevents direct connections between the two sides of the firewall; both sides are forced to conduct the session through the proxy, which can block or allow traffic based on its rule set. A separate proxy service must be run for each type of Internet application the firewall will support, such as an HTTP proxy for Web services.
Firewalls often provide network address translation (NAT), and the hosts protected behind a firewall commonly have addresses in the private ranges defined in RFC 1918. NAT was originally developed to cope with the limited number of routable IPv4 addresses that could be assigned to companies or individuals, and to reduce the number, and therefore the cost, of public addresses an organization needed. As a side effect it hides the true addresses of protected hosts, which has become a useful defense against network reconnaissance. NAT is not a filtering policy in itself, though: what keeps unsolicited inbound traffic out is the firewall's stateful rule set together with the absence of a translation entry for that traffic.
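The source NAT just described, as an added Python example (not code from the page or from any product): outbound packets from an RFC 1918 range leave with the firewall's public address and a translated port, replies are mapped back through the same table, and an inbound packet with no mapping has nowhere to go. The public address, the internal range and the packets are constructed from RFC 1918 and RFC 5737 documentation space.

```python
"""Added illustration of source NAT as a firewall performs it: outbound packets
from the RFC 1918 private range leave with the firewall's public address and a
translated port, replies are mapped back through the same table, and an
inbound packet with no mapping has nowhere to go. Not code from any product;
the addresses (RFC 5737 documentation ranges) and packets are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class SourceNat:
    def __init__(self, public_ip: str, internal_net: str = "10.0.0.0/8",
                 first_port: int = 40000):
        self.public_ip = public_ip
        self.internal = ip_network(internal_net)
        self.next_port = first_port          # sequential for clarity; real NATs randomize
        self.outbound_map = {}               # (proto, src, sport, dst, dport) -> public port
        self.inbound_map = {}                # (proto, public port, peer, peer port) -> (src, sport)

    def outbound(self, p: Pkt) -> Pkt:
        """Rewrite an internal source to the public address; create a mapping on first use."""
        if ip_address(p.src) not in self.internal:
            return p                         # not an internal host; leave untouched
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.outbound_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Map a reply back to the internal host. None means no mapping exists,
        which is how unsolicited inbound traffic ends up with no destination."""
        if p.dst != self.public_ip:
            return None
        orig = self.inbound_map.get((p.proto, p.dport, p.src, p.sport))
        if orig is None:
            return None
        src, sport = orig
        return replace(p, dst=src, dport=sport)
```

The inbound lookup is keyed on the peer address and port as well as the translated port, so a third party that guesses a mapped port still cannot reach the internal host; mappings in real devices also expire after an idle timeout, which this example omits.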
Common Firewall Techniques
Firewalls are used to protect both home and corporate networks. A typical firewall program or hardware device filters all information coming through the Internet to your network or computer system. There are several types of firewall techniques that will prevent potentially harmful information from getting through:
- Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
- Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance penalty.
- Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
- Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert. A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
Firewalls are customizable. This means that you can add or remove filters based on several conditions. Some of these are:
IP Addresses: Each machine on the Internet is assigned a unique address called an IP address. IPv4 addresses are 32-bit numbers, normally written as four “octets” in “dotted decimal” notation, for example 18.104.22.168. If a certain IP address outside the company is reading too many files from a server, the firewall can block all traffic to or from that address.
Domain Names: Because it is hard to remember the string of numbers that make up an IP address, and because IP addresses sometimes need to change, servers on the Internet also have human-readable names, called domain names. For example, it is easier for most of us to remember www.howstuffworks.com than 22.214.171.124. A company might block all access to certain domain names, or allow access only to specific domain names.
Protocols: A protocol is the pre-defined way that someone who wants to use a service talks with that service. The “someone” could be a person, but more often it is a computer program like a Web browser. Protocols are often text-based and simply describe how the client and server will conduct their conversation; the “http” in a Web address names the Web's protocol. Some common protocols that you can set firewall filters for include:
- IP (Internet Protocol): The main delivery system for information over the Internet.
- TCP (Transmission Control Protocol): Used to break apart and rebuild information that travels over the Internet.
- HTTP (Hyper Text Transfer Protocol): Used for Web pages.
- FTP (File Transfer Protocol): Used to download and upload files.
- UDP (User Datagram Protocol): Used for information that requires no response, such as streaming audio and video.
- ICMP (Internet Control Message Protocol): Used by hosts and routers to exchange error and diagnostic messages, such as “destination unreachable” and the echo request/reply behind ping.
- SMTP (Simple Mail Transfer Protocol): Used to send e-mail.
- SNMP (Simple Network Management Protocol): Used to collect system information from a remote computer.
- Telnet: Used to run commands on a remote computer.
A company might set up only one or two machines to handle a specific protocol and ban that protocol on all other machines.
Ports: A server makes its services available to the Internet on numbered ports, one for each service it offers. For example, if a server is running a Web (HTTP) server and an FTP server, the Web server would typically be available on port 80 and the FTP server on port 21. A company might block port 21 access on all machines but one inside the company.
Specific Words and Phrases: This can be anything. The firewall inspects each packet for an exact match of the text listed in the filter. For example, you could instruct the firewall to block any packet containing the word “X-rated”. The key here is that it has to be an exact match: the “X-rated” filter would not catch “X rated” (no hyphen). You can include as many words, phrases and variations of them as you need. Two practical limits apply: the text must be visible in cleartext (encrypted traffic such as HTTPS cannot be searched this way), and a phrase split across two packets is only caught if the firewall reassembles the stream before matching.
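The domain-name and keyword conditions above, as an added Python example (not code from the page or from any product): domain blocking by label suffix, so every host under a blocked domain is covered without matching unrelated names that merely end in the same characters, and phrase matching first as the exact match the text describes, then with normalisation and stream reassembly so spelling variants and phrases split across packets are still caught. The block lists and packets are constructed for the example.

```python
"""Added illustration of the domain-name and keyword filter conditions:
suffix-based domain blocking, the naive exact phrase match, and a normalised
whole-word match run over the reassembled stream. Not code from any product;
the block lists and sample packets are constructed."""
import re

BLOCKED_DOMAINS = {"ads.example", "casino.example"}       # constructed block list
BLOCKED_PHRASES = ["X-rated"]                             # constructed block list


def domain_blocked(host: str) -> bool:
    """True if host equals a blocked domain or is a subdomain of one.
    'notads.example' is not blocked: matching is on whole labels, not substrings."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def exact_phrase_blocked(payload: bytes) -> bool:
    """The naive check the text describes: byte-for-byte match only."""
    return any(phrase.encode() in payload for phrase in BLOCKED_PHRASES)


def _normalize(text: bytes) -> str:
    # Lower-case and collapse every run of punctuation/whitespace to one space,
    # so "X-rated", "X rated" and "x_RATED" all become "x rated".
    return re.sub(r"[^a-z0-9]+", " ", text.decode("utf-8", "replace").lower()).strip()


def phrase_blocked(payload: bytes) -> bool:
    """Normalised, whole-word match: catches "X rated" and "x_RATED" but not "max rated"."""
    text = _normalize(payload)
    return any(re.search(r"\b" + re.escape(_normalize(p.encode())) + r"\b", text)
               for p in BLOCKED_PHRASES)


def stream_blocked(packets) -> bool:
    """Match on the reassembled stream: a phrase that straddles a packet
    boundary is invisible to a per-packet check."""
    return phrase_blocked(b"".join(packets))
```

The whole-word anchors keep the normalised match from firing on innocent text that happens to contain the letters, which is the usual complaint about keyword filters once they stop being exact.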
What a Firewall Protects Against
There are many creative ways that unscrupulous people use to access or abuse unprotected computers:
- Remote login: When someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.
- Application Backdoors: Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor, or hidden access, that provides some level of control of the program.
- SMTP Session Hijacking: SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is often done by relaying the e-mail through the SMTP server of an unsuspecting host (an open relay), making the actual sender of the spam difficult to trace.
- Operating System Bugs: Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.
- Denial of Service: You have probably heard this phrase in news reports on attacks against major Web sites. In the classic form (a SYN flood) the attacker sends connection requests with forged source addresses; when the server responds with an acknowledgement and tries to establish a session, it waits for a reply that never comes. Inundating a server with these unanswerable session requests makes it slow to a crawl or eventually crash. Such attacks are hard to counter completely, but SYN cookies, per-source rate limits, and upstream filtering blunt them.
- E-mail Bombs: An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.
- Macros: To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.
- Viruses: Probably the most well-known threat is the computer virus. A virus is a small program that can copy itself to other computers, so it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.
- Spam: Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous, though. Quite often it contains links to Web sites; be careful about clicking on them, because the site may try to phish your credentials or install malware on your computer.
- Redirect Bombs: Hackers can use ICMP to change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.
- Source Routing: In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network! Most firewall products disable source routing by default.
For the sake of simplicity, think of hardware firewalls as specialized network boxes that contain customized hardware and software. When properly configured, hardware firewalls provide a protective barrier that hides an organization’s internal PCs from the outside world. They can also shield one company department (say, finance) from another (say, human resources).
In many cases, hardware firewalls are great solutions for organizations that want a single security umbrella that protects multiple systems. For this very reason, most FORTUNE 500 networks have hardware firewalls in place.
So what’s the downside? Since they are specialized devices, hardware firewalls tend to be expensive, complicated, difficult to upgrade, and tricky to configure. In other words, they are best reserved for IT managers who are specially trained to install, configure, and monitor such devices.
Low-end hardware firewalls, now found in network switches and routers for the home, also have their limitations. If you take a personal laptop on the road, for instance, your system is no longer protected by the home-based firewall.
Hardware Firewall Examples:
- Cisco ASA & PIX
- Juniper, etc…
In contrast to their hardware cousins, software firewalls are better suited to individual users or small businesses with dial-up or broadband Internet connections. Instead of using a custom (and often expensive) piece of hardware, a software firewall is installed on an individual's PC, notebook, or workgroup server.
Even if an organization has hardware firewalls in place, it is wise for individuals to run software firewalls on their own systems. The main reason: software firewalls are especially convenient for mobile workers who need protection when working outside the corporate network, because the entire security solution is, in essence, a single application running on the user's computer. Another major benefit is that software firewalls are easily upgraded: users download patches, fixes, updates, and enhancements from the firewall provider's web site, or the provider pushes them out over the Internet.
Software Firewall Examples:
- ZoneAlarm Free Firewall
- Comodo Firewall
- Ashampoo FireWall
- Kaspersky Internet Security
- TinyWall, etc…