Firewall (networking)

[Figure: Firewall separating zones of trust]

A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust.

Function

A firewall's basic task is to regulate the flow of traffic between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or demilitarized zone (DMZ).


A firewall's function within a network is similar to that of firewalls and fire doors in building construction. In the former case, it is used to prevent network intrusion into the private network. In the latter case, it is intended to contain and delay a structural fire from spreading to adjacent structures.


Without proper configuration, a firewall can often become worthless. Standard security practice dictates a "default-deny" firewall ruleset, in which the only network connections permitted are those that have been explicitly allowed. Unfortunately, such a configuration requires a detailed understanding of the network applications and endpoints required for the organization's day-to-day operation. Many businesses lack such understanding, and therefore implement a "default-allow" ruleset, in which all traffic is allowed unless it has been specifically blocked. This configuration makes inadvertent network connections and system compromise much more likely.


History

Although the term firewall has gained a new meaning in the modern day, the word dates back over a century. Many houses were constructed with bricks in the wall in order to stop the spread of a potential fire. These bricks in the wall were referred to as a firewall.


Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The original idea was formed in response to a number of major Internet security breaches which occurred in the late 1980s. In 1988 an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues that read,

We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames.

The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large-scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.[citation needed]

First generation - packet filters

The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical Internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon the original first-generation architecture.


Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).


This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, which comprises most Internet communication, the port number).


Because TCP and UDP traffic by convention uses well-known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.


Second generation - "stateful" filters

From 1980-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan Sharma, and Kshitij Nigam, developed the second generation of firewalls, calling them circuit-level firewalls.


Second-generation firewalls do not simply examine the contents of each packet on an individual basis without regard to its placement within the packet series, as their predecessors had done; rather, they compare key parts of each packet against a table of trusted connections. This technology is generally referred to as a "stateful firewall", as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection or part of an existing connection. Though there is still a set of static rules in such a firewall, the state of a connection can in itself be one of the criteria which trigger specific rules.


This type of firewall can help prevent attacks which exploit existing connections, or certain denial-of-service attacks, including the SYN flood, which sends improper sequences of packets to consume resources on systems behind a firewall.


Third generation - application layer

Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories and Marcus Ranum described a third-generation firewall known as an application layer firewall, also known as a proxy-based firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC, who named it the SEAL product. DEC's first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.


The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS or web browsing), and can detect whether an unwanted protocol is being sneaked through on a non-standard port, or whether a protocol is being abused in a known harmful way.
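What "understanding" the protocol buys, as an added example that is not from the original article: the filter checks that the payload on a port actually is the protocol that port is allowed to carry (an SSH banner on port 80 is dropped), and that the protocol is used within its own rules (a DNS query whose name violates the RFC 1035 label and name length limits is dropped). The fingerprints, the port policy and the sample payloads are constructed for this example; a real application-layer firewall parses each protocol far more completely.

```python
import re
from typing import Optional, Tuple

# Constructed fingerprints for the protocols the section names.
HTTP_REQUEST = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SSH_BANNER = re.compile(rb"^SSH-2\.0-")
EXPECTED_ON_PORT = {80: "http", 22: "ssh", 53: "dns"}   # assumed policy

def looks_like_dns_query(payload: bytes) -> bool:
    """Structural check of the 12-byte DNS header: QR bit clear, QDCOUNT >= 1."""
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    return (flags >> 15) == 0 and qdcount >= 1

def dns_qname(payload: bytes) -> Optional[str]:
    """Return the first question name, or None if it breaks RFC 1035 limits
    (labels <= 63 octets, whole name <= 255 octets on the wire)."""
    pos, labels, wire_len = 12, [], 0
    while pos < len(payload):
        n = payload[pos]
        wire_len += 1 + n
        if n == 0:
            return ".".join(labels) if wire_len <= 255 else None
        if n > 63 or pos + 1 + n > len(payload):
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None   # ran off the end without a terminating zero-length label

def identify(payload: bytes) -> str:
    if HTTP_REQUEST.match(payload):
        return "http"
    if SSH_BANNER.match(payload):
        return "ssh"
    if looks_like_dns_query(payload):
        return "dns"
    return "unknown"

def verdict(dport: int, payload: bytes) -> Tuple[str, str]:
    """Accept only if the payload is the protocol this port is allowed to carry
    and that protocol is used within its own rules."""
    expected = EXPECTED_ON_PORT.get(dport)
    if expected is None:
        return ("drop", f"port {dport} is not permitted")
    seen = identify(payload)
    if seen != expected:
        return ("drop", f"port {dport} expects {expected}, payload looks like {seen}")
    if seen == "dns" and dns_qname(payload) is None:
        return ("drop", "dns query violates name length limits")
    return ("accept", seen)

def build_dns_query(name: str) -> bytes:
    """Constructed DNS A query for `name` (transaction id 0x1234, RD bit set)."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + b"\x00\x01\x00\x01"
```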


Subsequent developments

In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were developing their own fourth-generation packet filter firewall system. The product, known as "Visas", was the first system to have a visual integration interface with colours and icons, which could be easily implemented on and accessed from a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.


A second generation of proxy firewalls was based on Kernel Proxy technology. This design is constantly evolving, but its basic features and code are currently in widespread use in both commercial and domestic computer systems.


Some modern firewalls leverage their existing deep packet inspection engine by sharing this functionality with an intrusion prevention system (IPS).


Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes, a way of transferring policy enforcement.


Types

There are several classifications of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced.


Network layer and packet filters

Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established ruleset. The firewall administrator may define the rules, or default rules may apply. The term packet filter originated in the context of BSD operating systems.


Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed up packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or connection completion). If a packet does not match an existing connection, it will be evaluated according to the ruleset for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.


Stateless firewalls have packet-filtering capabilities, but cannot make more complex decisions on what stage communications between hosts have reached.


Modern firewalls can filter traffic based on many packet attributes, such as source IP address, source port, destination IP address or port, and destination service such as WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.


Commonly used packet filters on various versions of Unix are ipf (various), ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), and iptables/ipchains (Linux).


Application-layer

Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.


By inspecting all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.


The XML firewall exemplifies a more recent kind of application-layer firewall.


Proxies

Main article: Proxy server

A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.


Proxies make tampering with an internal system from the external network more difficult, and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.


Network address translation

Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts. Originally, the NAT function was developed to address the limited number of IPv4 routable addresses that could be used or assigned to companies or individuals, as well as to reduce the amount, and therefore the cost, of obtaining enough public addresses for every computer in an organization. Hiding the addresses of protected devices has become an increasingly important defense against network reconnaissance.
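How address hiding works in practice, as an added example that is not part of the original article: a port-overloading source NAT (the "IP masquerading" form) rewrites the source of every packet leaving an RFC 1918 host to the firewall's single public address, and can only reverse-translate an inbound packet that matches a mapping it created itself, so an unsolicited packet from outside has no inside host to go to and is dropped. The SourceNat class and the addresses (RFC 5737 documentation ranges) are constructed for this example.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# RFC 1918 private ranges: only sources inside them are translated here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

Flow = Tuple[str, int, str, int]   # (src, sport, dst, dport)

class SourceNat:
    """Port-overloading source NAT (IP masquerading) at the firewall's public side."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Flow, int] = {}   # inside flow -> public port
        # (public port, peer, peer port) -> (inside host, inside port)
        self.in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> Optional[Flow]:
        """Rewrite a packet leaving the private side; None if it is not ours to translate."""
        if not is_rfc1918(src):
            return None
        flow = (src, sport, dst, dport)
        if flow not in self.out_map:
            # Same inside port on two hosts must not collide on the public address.
            self.out_map[flow] = self.next_port
            self.in_map[(self.next_port, dst, dport)] = (src, sport)
            self.next_port += 1
        return (self.public_ip, self.out_map[flow], dst, dport)

    def inbound(self, src: str, sport: int, dst: str, dport: int) -> Optional[Flow]:
        """Reverse-translate a packet arriving at the public address; None means
        nothing inside asked for it, so the firewall drops it."""
        if dst != self.public_ip:
            return None
        inside = self.in_map.get((dport, src, sport))
        if inside is None:
            return None
        return (src, sport, inside[0], inside[1])

def demo() -> Dict[str, Optional[Flow]]:
    """Two internal hosts reach the same web server; an outsider probes the public address."""
    nat = SourceNat("203.0.113.1")
    return {
        "host_a_out": nat.outbound("192.168.1.20", 51000, "203.0.113.10", 443),
        "host_b_out": nat.outbound("192.168.1.21", 51000, "203.0.113.10", 443),
        "reply_to_a": nat.inbound("203.0.113.10", 443, "203.0.113.1", 40000),
        "reply_to_b": nat.inbound("203.0.113.10", 443, "203.0.113.1", 40001),
        "unsolicited": nat.inbound("198.51.100.7", 1234, "203.0.113.1", 40000),
        "not_private": nat.outbound("203.0.113.50", 51000, "203.0.113.10", 443),
    }
```

Note that a translation table entry alone is not a security policy: the outside peer named in the mapping can still send anything it likes on that flow, which is why NAT is normally paired with the stateful filtering described earlier rather than relied on by itself.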


See also

  • Access control list
  • Bastion host
  • Security engineering
  • End-to-end connectivity
  • Firewall pinhole
  • Network address translation
  • Network security
  • Reconnaissance
  • Personal firewall
  • Golden Shield Project (Great Firewall of China)
  • Unified Threat Management (UTM)

External links

  • Internet Firewalls: Frequently Asked Questions, compiled by Matt Curtin, Marcus Ranum and Paul Robertson.
  • Evolution of the Firewall Industry - Discusses different architectures and their differences, how packets are processed, and provides a timeline of the evolution.
  • A History and Survey of Network Firewalls - provides an overview of firewalls at the various ISO levels, with references to the original papers where first firewall work was reported.
  • Advanced Policy Firewall (Linux) - is an iptables (netfilter) based firewall system designed around the essential needs of today's Internet deployed servers and the unique needs of custom deployed Linux installations.

The Wikipedia article included on this page is licensed under the GFDL.
All other elements are (c) copyright NationMaster.com 2003-5. All Rights Reserved.