firewall (networking)


In computing, a firewall is a piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy, analogous to the function of firewalls in building construction. A firewall is also called a Border Protection Device (BPD), especially in NATO contexts, or packet filter in BSD contexts. A firewall has the basic task of controlling traffic between different zones of trust. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust). The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle.
Proper configuration of firewalls demands skill from the administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool.


Types of firewalls

There are three basic types of firewalls depending on:
Whether the communication is being done between a single node and the network, or between two or more networks.
Whether the communication is intercepted at the network layer, or at the application layer.
Whether the communication state is being tracked at the firewall or not.
With regard to the scope of filtered communications there exist:
Personal firewalls, a software application which normally filters traffic entering or leaving a single computer.
Network firewalls, normally running on a dedicated network device or computer positioned on the boundary of two or more networks or DMZs (demilitarized zones). Such a firewall filters all traffic entering or leaving the connected networks.
The latter definition corresponds to the conventional, traditional meaning of "firewall" in networking.
In reference to the layers where the traffic can be intercepted, three main categories of firewalls exist:
Network layer firewalls. An example would be iptables.
Application layer firewalls. An example would be TCP Wrapper.
Application firewalls. An example would be restricting ftp services through /etc/ftpaccess file
These network-layer and application-layer types of firewall may overlap, even though the personal firewall does not serve a network; indeed, single systems have implemented both together.
There's also the notion of application firewalls which are sometimes used during wide area network (WAN) networking on the world-wide web and govern the system software. An extended description would place them lower than application layer firewalls, indeed at the Operating System layer, and could alternately be called operating system firewalls. Some firewalls have higher privileges than others like mysql and pj.
Lastly, depending on whether the firewalls track packet states, two additional categories of firewalls exist:
Stateful firewalls
Stateless firewalls


Network layer firewalls

Main article: network layer firewall
Network layer firewalls operate at a (relatively) low level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply (as in some inflexible firewall systems).
A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative-rules", or "deny rules". Today network firewalls are built into most computer operating systems and network appliances.
Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.


Application-layer firewalls

Main article: application layer firewall
Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.
By inspecting all packets for improper content, firewalls can even prevent the spread of the likes of viruses. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.
The XML firewall exemplifies a more recent kind of application-layer firewall.


Proxies

Main article: Proxy server
A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.
Proxies make tampering with an internal system from the external network more difficult and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.


Network address translation

Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly use so-called "private address space", as defined in RFC 1918. Administrators often set up such scenarios in an effort (of debatable effectiveness) to disguise the internal address or network.
Management
The Middlebox Communication (midcom) Working Group of the Internet Engineering Task Force is working on standardizing protocols for managing firewalls and other middleboxes. See, e.g., Middlebox Communications (MIDCOM) Protocol Semantics.
Implementations
Software
Astaro Security Linux
MCS Firewall - [1]
Check Point VPN-1 (formerly Firewall-1)
SC Gauntlet (discontinued, but still in use)
ipchains
Iptables
IPFilter (ipf)
ipfw
Microsoft Internet Security and Acceleration (ISA) Server
Netfilter/iptables
PF
WinGate Proxy / NAT Firewall
PORTUS-APS
Appliances
ActionTEC (a DSL Modem packaged by Qwest with new DSL customer orders)
Celestix MSA Series
Cisco PIX and Cisco ASA
CyberGuard
Global Technology Associates, Inc.
NetASQ
DataPower
Juniper NetScreen
Lightning MultiCom VPN Firewall - [2]
Lucent VPN Firewall - [3]
Nortel Stand-alone and Switched Firewall - [4]
Phion NetFence
PORTUS-APS Appliance
Sarvega
Sidewinder and Sidewinder G2
SofaWare Technologies
XNet (Made in Pakistan) (Contact nadeem@xnet.com.pk)
SonicWall
Watchguard
Free Software Distributions (that allows you to reuse your old computer as a firewall)
Endian Firewall (GPL)
IPCop (GPL)
m0n0wall (BSD-style license)
pfSense (BSD-style license) (m0n0wall fork)
Devil-Linux (GPL)
SmoothWall Express (GPL)
eBox Platform (GPL)
BrazilFW Firewall and Router (GPL) - Formerly Coyote Linux - This runs from a floppy disk or hard disk, and is configured through a Windows or Linux program.
Personal firewalls – see that article
Use case scenario

A redundancy firewall reduces the possibility of an Internet connection Outage.
The simplest form could be like this:
node 1 and node 2 running an OS with a Linux kernel (Debian GNU/Linux for example)
To create a redundancy firewall we could choose to build a high-availability cluster. Therefore we need to connect those nodes (at least two are necessary) to each another in a way they could "see" each other. The software to do so could be Heartbeat which is part of Linux-HA Project
The most critical task in such a scenario is to ensure that all nodes share the same data at all times, better known as data integrity. This could be done with DRBD which is roughly speaking nothing else than a network RAID 1.
Last but not least we need firewalling capabilities for the redundancy firewall. A packet filter like iptables helps here.
Online firewall check
These sites offer free online portscan services to check your firewall security. Please note that online port probes are not 100% bulletproof, as they always check the public IP address, which may be a proxy server. Online portscans are easy to use and offer basic insights, but to ensure network security, use tools like Nmap.
ShieldsUP (Gibson Research Corporation) Quick and easy to use
Sygate Online Scan Extended security check, concise (Stealth Scan, Trojan Scan)
Planet Security Firewall-Check Quick, extended security check, checks current endangered ports, clearly laid out, TCP Scan
See also
Middlebox
Windows Firewall
Firewall pinhole
End-to-end connectivity
Access control list
Bastion host
Demilitarized zone (DMZ)
Great Firewall of China

Virus

computer virus

A computer program that is designed to replicate itself by copying itself into the other programs stored in a computer. It may be benign or have a negative effect, such as causing a program to operate incorrectly or corrupting a computer's memory.


virus

Software used to infect a computer. After the virus code is written, it is buried within an existing program. Once that program is executed, the virus code is activated and attaches copies of itself to other programs in the system. Infected programs copy the virus to other programs.
The effect of the virus may be a simple prank that pops up a message on screen out of the blue, or it may destroy programs and data right away or on a certain date. It can lay dormant and do its damage once a year. For example, the Michelangelo virus contaminates the machine on Michelangelo's birthday.


Viruses Must Be Run to Do Damage

A virus is not inserted into data. It is a self-contained program or code that attaches itself to an existing application in a manner that causes it to be executed when the application is run. Macro viruses, although hidden within documents (data), are similar. It is in the execution of the macro that the damage is done.


E-Mail Attachments Are Suspect

File attachments in e-mail messages are a common way of infecting a computer, providing the user clicks on the attachment. If the attachment is an executable file, it can do anything when run. Examples of executables are files with extensions such as .BAT, .COM, .EXE, .SCR, and .SHS


Viruses Are Relatively Recent

The term virus was coined in the early 1980s, supposedly after a graduate student presented the concept of a program that could "infect" other programs. Since then, more than 80,000 viruses have been defined. However, 99% of the infections are from only a few hundred variants found "in the wild."
Since 1993, the WildList Organization has been keeping track of virus attacks around the world. For more information, visit www.wildlist.org. For a sampling of different virus infections, see virus examples. See in the wild, quarantine, disinfect, macro virus, e-mail virus, behavior blocking, polymorphic virus, stealth virus, worm, boot virus, vandal, virus hoaxes and crypto rage.


Be Careful Out There!

If you use the Internet for any purpose, be sure you have an antivirus program running at all times (see antivirus program).