

Firewall - Wikipedia


Firewall

In the traditional meaning, a firewall is simply a windowless non-flammable wall (or a wall of substantially heavier construction than other walls in the building) built to prevent fire from spreading beyond one section of a building.

By extension, the computing world uses this term for a piece of hardware or software put on the network to prevent some communications forbidden by the network policy.

Firewalls (a computer networking device) come in several categories and sub-categories. The basic goal is to prevent intrusion from a connected network -- the difference is in how they try to accomplish this. The two major categories of firewalls are network layer firewalls and application layer firewalls. These two types of firewall are not mutually exclusive and indeed have been implemented in a single system.

The former operate at the (relatively low) level of the TCP/IP protocol stack as an IP-packet filter, not allowing packets to pass the firewall unless they meet the rules defined by the firewall administrator or applied by default as in some inflexible firewall systems. A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative-rules", or "deny rules".

The latter work on the application level (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. Other packets are blocked (usually dropped without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines. By inspecting all otherwise allowed packets for improper content, firewalls can even prevent such things as viruses. However, in practice, this is not easily achieved, and would be so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that it is not generally attempted as a comprehensive firewall design.

A proxy device (running on either dedicated hardware or as software on a general purpose machine) may act as a firewall by responding to input packets (e.g., connection requests) in the manner of an application whilst blocking other packets.

Proxies make tampering with an internal system from the external network more difficult, and misuse of one of its internal systems would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy were intact and properly configured). Conversely, an intruder might hijack a publicly reachable system and use it as a proxy for himself which then masquerades as that system as far as others are concerned. While use of internal address spaces enhances security, methods such as IP spoofing may still be employed to attempt to pass packets to the internal network.

Firewalls often have network address translation functionality, and it is common to use so-called private address space for the hosts behind it. This private address space is defined in RFC 1918. This is often done in an effort (of debatable effectiveness) to disguise the internal address or network.

Proper configuration of firewalls is not simple. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool. Faith in misconfigured firewalls is misplaced indeed.
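The two packet-filter policies described above (pass only what a rule allows, versus pass anything that matches no deny rule) can be compared side by side. The following is an added example, not part of the original article: a first-match rule evaluator with an ingress check that drops RFC 1918 source addresses arriving from outside. The interface names, rule format and addresses are constructed for illustration.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# iface is the interface the packet arrived on: "ext" (outside) or "int" (inside)
Packet = namedtuple("Packet", "iface src dst proto dport")

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    iface: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: int = 0            # 0 means any port

    def matches(self, p):
        return (self.iface in ("*", p.iface)
                and self.proto in ("*", p.proto)
                and self.dport in (0, p.dport)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))

def decide(rules, default, p):
    # First matching rule wins; a packet no rule mentions gets the default.
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Anti-spoofing: private (RFC 1918) sources must never arrive on the outside interface.
ANTISPOOF = [Rule("deny", "ext", src=n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB = "192.0.2.10"  # constructed documentation-range address of a public web server

DEFAULT_DENY = ANTISPOOF + [Rule("allow", "ext", dst=WEB + "/32", proto="tcp", dport=80)]
DENY_RULES_ONLY = ANTISPOOF + [Rule("deny", "ext", proto="tcp", dport=23)]  # block telnet only

def verdicts(p):
    """Return (verdict under default-deny, verdict under default-allow)."""
    return decide(DEFAULT_DENY, "deny", p), decide(DENY_RULES_ONLY, "allow", p)

SAMPLES = {  # constructed packets
    "http":    Packet("ext", "198.51.100.7", WEB, "tcp", 80),
    "telnet":  Packet("ext", "198.51.100.7", WEB, "tcp", 23),
    "ftp":     Packet("ext", "198.51.100.7", WEB, "tcp", 21),  # no rule mentions port 21
    "spoofed": Packet("ext", "10.1.2.3", WEB, "tcp", 80),
}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name:8} default-deny={verdicts(p)[0]:5} deny-rules-only={verdicts(p)[1]}")
```

The "ftp" packet shows the difference: under the deny-rules policy, any traffic the administrator did not think of passes, while the default-deny policy drops it.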

Also see: stateful firewall, stateless firewall, end-to-end connectivity


wikipedia.org dumped 2003-03-17 with terodump




 
 