Site home page
(news and notices)

Get alerts when Linktionary is updated

Book updates and addendums

Get info about the Encyclopedia of Networking and Telecommunicatons, 3rd edition (2001)

Download the electronic version of the Encyclopedia of Networking, 2nd edition (1996). It's free!

Contribute to this site

Electronic licensing info



Expanded version: contains additional text not in the book

Related Entries    Web Links    New/Updated Information

Search Linktionary (powered by FreeFind)

Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.

A firewall is a gateway that restricts and controls the flow of traffic between networks, typically between an internal corporate network and the Internet. Firewalls may also provide secure gateway services between internal networks.

See the "Firewall Terminology" page for descriptions of common firewall terms.

Castles and castle defenses provide a good analogy for firewalls. A castle is designed to protect the people on the inside from the storming hoards on the outside. There is a perimeter defense system that keeps attackers as far away as possible (outer walls, moats, and so on). The castle gate is the "choke point" through which people and supplies must pass to enter or exit the castle. It is the most heavily defended part of the castle.

In the early '80, I spent a summer in Ireland at the home of my father-in-law. Much of that time was spent driving the countryside looking for castles. Upon seeing any pile of rocks, we stopped the car and crossed the cow pasture to see what remained of a once mighty structure. Many castles and tower homes were broken down over the years by farmers who used the rock for fences and building materials. Some suffered the blows of cannons.

During that summer, I completely immersed myself in Irish history and books about castle design, defensive systems, vulnerabilities, attacks, and warfare of the time. The computer systems we install today require "virtual castles" that can withstand attacks of a different kind--attackers that slip into your systems through unknown or unprotected holes and do damage for any number of reasons. Perhaps the attackers are competitors who want to shut down your systems or ex-employees with a grudge. Whatever the case, the threat is real and you need defensive systems to stop them.

In 16th century Ireland, castles that had stood for years were brought down by the cannon. I can't help but think that our computer systems might suffer a similar fate. A common attack is the denial-of-service attack, which attempts to deny legitimate users access to Web servers. The attacker floods a server with session-request packets. The Web server tries to establish a session for each of those request, but the attacker makes sure that a response is never sent to the server after the initial request. It's like someone reaching out to shake your hand, then pulling it away when you reach out with your hand. The server keeps waiting to "shake hands" with the hacker's system and eventually crashes when its runs out of resources to handle the load.

Firewall Characteristics

A firewall, as shown in Figure 1, puts up a barrier that controls the flow of traffic between networks. The safest firewall would block all traffic, but that defeats the purpose of making the connection, so you need to strictly control selected traffic in a secure way. The highest level of protection today is provided by application-level proxy servers. In Figure 1, proxy services run at the application level of the network protocol stack for each different type of service (FTP, HTTP, etc.).

Figure 1, A firewall/proxy server

A proxy server is a component of a firewall that controls how internal users access the outside world (the Internet) and how Internet users access the Internal network. In some cases, the proxy blocks all outside connections and only allows internal users to access the Internet. The only packets allowed back through the proxy are those that return responses to requests from inside the firewall. In other cases, both inbound and outbound traffic are allowed under strictly controlled conditions. Note that a virtual "air-gap" exists in the firewall between the inside and outside networks and that the proxies bridge this gap by working as agents for internal or external users.

Firewalls have become quite sophisticated over the years, but they are not an all-in-one security solution. Firewalls are just one tool in the arsenal of security tools available to security administrators. The topic "Security Auditing" describes tools that administrators can use to strengthen the security of their networks. A scanner might detect that a service is being used that is vulnerable to attack and recommend that the service be disabled. It may also determine that a particular operating system upgrade is needed to fix a security hole. An intrusion detection system is an active monitoring system that detects possible attacks and tracks the attack if possible. An IDS automates the task of monitoring computers, routers, firewalls, links, and other possible attack areas.

Here are some point to keep in mind about firewalls:

  • A firewall may consists of several pieces of equipment, including a router, a gateway server, and an authentication server.
  • Firewalls monitor incoming and outgoing traffic and filter, redirect, repackage, and/or discard packets. Packets may be filtered based on their source and destination IP address, source and destination TCP port numbers, setting of bits in the TCP header, and so on.
  • In the case of a proxy firewall, the firewall is the endpoint of the incoming and outgoing connection. It can perform extensive security and validation scans on the packets it processes. The proxy runs safe, uncorrupted, and bug-free versions of protocols and software.
  • Firewalls can enforce an organization's security policies by filtering the outgoing traffic of internal users to ensure that it complies with usage policies.
  • Sophisticated logging, auditing, and intrusion detection tools are now part of most commercial firewalls.

Note: Refer to RFC 2979 (Behavior of and Requirements for Internet Firewalls, October 2000) for a description of other firewall characteristics.

Readers who want to explore firewall concepts and architecture in more detail should refer to the related entries and Web links page. Also look for the following books:

  • Windows 2000 Security Handbook by Tom Sheldon and Philip Cox (Osborne McGraw-Hill, 2001).
  • Firewalls and Internet Security: Repelling the Wily Hacker, second edition by William R. Cheswick and Steven M. Bellovin (Addison-Wesley, 2001)
  • Building Internet Firewalls by Brent Chapman, Elizabeth D. Zwicky, and others (O'Reilly & Associates, June 2000).

Note that these texts refer to the firewall as the bastion host. According to Chapman and Zwicky, a bastion host is "a computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks. It gets its name from the highly fortified projections on the outer walls of medieval castles."

Defensive Strategies

While firewalls typically protect internal networks from the Internet, many unauthorized activities are perpetrated by internal users. In addition, organizations that connect with business partners over private networks create a potential avenue for attack. Users on the business partner's network may take advantage of the inter-company link to steal valuable information. A solution is to implement VPNs, which implement data encryption on all network transmissions. Encryption can take place right at the source of the transmission for the highest security, whether it is the client on the LAN or the router that connects wide area networks.

As mentioned earlier, firewalls are often described in terms of perimeter defense systems, with a so-called "choke point" through which all internal and external traffic is controlled. The usual metaphor is the medieval castle and its perimeter defense systems, as pictured in Figure 2. The moats and walls provide the perimeter defense, while the gatehouses and drawbridges provide "choke points" through which everyone must travel to enter or leave the castle. You can monitor and block access at these choke points.

Figure 2. Firewalls provide perimeter defenses with choke points, much like medieval castles.

Dr. William Hancock, a well-known firewall expert describes firewalls this way:

The concept [of security barriers] is much like that of the strong castle being protected by a series of moats around the castle. As the storming hoards gets close to the castle, they must traverse the series of moats. It is possible to traverse some moats with pole vault activities, but eventually the leaper of the moat is bound to fall into one of the moats and is caught. If there is only one moat and the leaper is good, there is not much protection. If there are moats, concertina wire, razor wire, tall fences with broken glass on them, land mines, cans full of pennies suspended by trip wires, Doberman pinschers and other such traps in the path from the intruder to the "jewels," one or more of the obstacles is going to alert the keepers of the castle that someone is trying to infiltrate the castle and something must be done to protect the assets and destroy the intruder. Firewall products provide a "moat-like" barrier control method for network assets which varies dramatically with the product selection. The typical use of a firewall product in a network is to isolate corporate assets from each other and from the outside world in a secure and manageable manner.

While the storming hoard analogy might be appropriate in some cases, the real threat is often the stealthy spy who slips over walls in the dark of night and scales every barrier undetected to reach his target of attack.

If a firewall is like a castle, how far do you let people into it, and what do you allow them to do once inside? Local townspeople and traders were usually allowed to enter the market yard of the castle with relative ease so they could deliver or pick up goods. At night, the gates were closed, and goods were brought into the castle--usually after close inspection. Following this analogy, the market yard could be compared to the public Web and FTP servers that you connect to the Internet for general availability.

While just about anybody could enter the market yard, only trusted people and people with special credentials were allowed into the inner perimeters of the castle. Within these walls is the keep, a heavily fortified structure that provides the last defense against attackers.

NOTE: Interestingly, the castle proved quite capable of withstanding attacks until Essex and Cromwell overran Ireland in the 16th century. They used cannons to blow the parapets off the top of castle walls, making them indefensible. Then they scaled the walls. What similar weapons will our network defenses face?

In Europe, there were many different types of strongholds. Tower homes were relatively simple defensive structures designed to protect residents from marauding bands of looters and neighboring clans. Still larger castles with massive walls and bastions were built by the wealthiest of clans. Similarly, businesses with the biggest budgets or the most valuable information to protect build the strongest defenses.

Like the multiple perimeter defenses of the castles, multiple firewall devices can be installed to keep wily hackers out of your networks. Spies and assassins vaulted moats and scaled walls to reach their targets, taking advantage of stealth and perhaps sleeping guards. To protect your network from similar attacks, you can install so-called "trip wire" defense, which are "weak" devices at the outer edge that sound alarms when attacked. So-called "honey pots" are traps for hackers. They look like real systems. As the hacker attempts to gather information about the system, their activities are monitored and logged.

In times of peace, the rulers of a castle would meet with local townspeople, tradesmen, and dignitaries from other areas. Any direct meeting with royalty was usually preceded by a strip search. But if the political situation was tense, the ruler might prefer to avoid direct contact with visitors. In this case, the protocol was for all visitors to meet with the agent of the king or queen, who would then relay messages between parties. The agent provided proxy services.

Firewalls use similar approaches:

  • Packet filtering firewall uses the strip-search method. Packets are first checked and then either dropped or allowed to enter based on rules.
  • Proxy service acts as an agent for a user who needs to access a system on the other side of the firewall.
  • Stateful inspection, is analogous to a gatekeeper remembering some defining characteristics of anyone leaving the castle and only allowing people back in with those characteristics.

Once in place, a firewall requires constant vigilance. Security policies and procedures must be put into place, and you'll need a disaster recovery plan to get systems back online.

Hackers and attackers just keep getting smarter, more aggressive, and more numerous. In 2000, China announced that it could not keep up with the United States militarily, and threatened to wage an information war on the United States. Computer systems at U.S. military installations are under constant attack by both sophisticated and unsophisticated attackers. How many undetected intruders are in those systems?

The castle analogy falls apart in the face of modern security threats, because the weapons available to attackers defy physical boundaries. For example, an attacker may set up an attack well in advance by using e-mail virus techniques to plant so-called "zombie" programs on hundreds or thousands of computers owned by innocent Internet users, many within your own network. The programs are set to wake up at specific times and begin launching attacks against other systems. The real attacker cannot be identified because the attacks are coming from innocent users all over the Internet. The entire Internet can become a weapon aimed at your private network.

Because of these threats, firewall-like software is now needed in nearly every Internet- connected computer, especially those that are connected to "always-on" services, such as DSL and cable (CATV) connections. A typical home setup is to network the parent's and the kid's computers together, and share a single DSL or cable connection to the Internet. Since the connection is always on, it has a continuous IP address that is posted like a flag on the Internet. Hackers will eventually find the IP address and keep coming back to examine and disrupt systems. Personal firewalls are designed to protect these systems while minimizing complex setup procedures.

NOTE: This entire discussion avoids the problems of packet sniffing, session hijacking and other problems. Data encryption is the solution to these problems.

NOTE: As mentioned, refer to the "Firewall Terminology" page for descriptions of common firewall terms.

Classifying Firewalls

Any device that controls network traffic for security reasons can be called a firewall, and in fact the term "firewall" is used in a generic way. However, there are three major types of firewalls that use different strategies for protecting network resources. The most basic firewall devices are built on routers and work in the lower layers of the network protocol stack. They provide packet filtering and are often called screening routers. High-end proxy server gateways operate at the upper levels of the protocol stack (i.e., all the way up to the application layer). They provide proxy services on external networks for internal clients and perform advanced monitoring and traffic control by looking at certain information inside packets. The third type of firewall uses stateful inspection techniques.

Routers are often used in conjunction with gateways to build a multitiered defense system, although many commercial firewall products may provide all the functionality you need.

Screening Router (Packet Filters)

Screening routers can look at information related to the hard-wired address of a computer, its IP address (Network layer), and even the types of connections (Transport layer) and then provide filtering based on that information. A screening router may be a stand-alone routing device or a computer that contains two network interface cards (dual-homed system). The router connects two networks and performs packet filtering to control traffic between the networks.

Figure 3, a screening router

Administrators program the device with a set of rules that define how packet filtering is done. Ports can also be blocked; for example, you can block all applications except HTTP (Web) services. However, the rules that you can define for routers may not be sufficient to protect your network resources, especially if the Internet is connected to one side of the router. Those rules may also be difficult to implement and error-prone, which could potentially open up holes in your defenses.

A router-based Internet connection allows point-to-point connections between clients on internal networks and Internet servers. But routers alone are not secure. They must implement firewall features or you need to install separate firewall components.

Proxy Server Gateways

Gateways work at a higher level in the protocol stack to provide more opportunities for monitoring and controlling access between networks. A gateway is like a middle-man, relaying messages from internal clients to external services. The proxy service changes the IP address of the client packets to essentially hide the internal client to the Internet, then it acts as a proxy agent for the client on the Internet.

Figure 4, a proxy server

Using proxies reduces the threat from hackers who monitor network traffic to glean information about computers on internal networks. The proxy hides the addresses of all internal computers. Traditionally, using proxies has reduced performance and transparency of access to other networks. However, current firewall products solve some of these problems.

There are two types of proxy servers:

  • Circuit-Level Gateway This type of proxy server provides a controlled network connection between internal and external systems (i.e., there is no "air-gap"). A virtual "circuit" exists between the internal client and the proxy server. Internet requests go through this circuit to the proxy server, and the proxy server delivers those requests to the Internet after changing the IP address. External users only see the IP address of the proxy server. Responses are then received by the proxy server and sent back through the circuit to the client. While traffic is allowed through, external systems never see the internal systems. This type of connection is often used to connect "trusted" internal users to the Internet.

  • Application-Level Gateway An application-level proxy server (see Figure 1) provides all the basic proxy features and also provides extensive packet analysis. They fully understand the protocols of the applications that are allowed to interoperate through the gateway and fully manage both inbound and outbound traffic at a level that is not possible with screening routers. When packets from the outside arrive at the gateway, they are examined and evaluated to determine if the security policy allows the packet to enter into the internal network. Not only does the server evaluate IP addresses, it also looks at the data in the packets to stop hackers from hiding information in the packets.

A typical application-level gateway can provide proxy services for applications and protocols like Telnet, FTP (file transfers), HTTP (Web services), and SMTP (e-mail) as shown in Figure 1. Note that a separate proxy must be installed for each application-level service (some vendors achieve security by simply not providing proxies for some services, so be careful in your evaluation). With proxies, security policies can be much more powerful and flexible because all of the information in packets can be used by administrators to write the rules that determine how packets are handled by the gateway. It is easy to audit just about everything that happens on the gateway. You can also strip computer names to hide internal systems, and you can evaluate the contents of packets for appropriateness and security.

NOTE: Appropriateness is an interesting option. You might set up a filter that discards any e-mail messages that contain "dirty" words.

According to Cheswick and Bellovin (see aforementioned book), "an application-level gateway represents the opposite extreme in firewall design. Rather than using a general-purpose mechanism to allow many different kinds of traffic to flow, special-purpose code can be used for each desired application. Although this seems wasteful, it is likely to be far more secure than any of the alternatives. One need not worry about interactions among different sets of filter rules, nor about holes in thousands of hosts offering nominally secure services to the outside. Only a chosen few programs need to be scrutinized."

The FTP service provides a good example of how an application-level proxy server can provide advanced filtering. The application-level server can allow users from the outside to access an FTP server, but it will look in each packet and block any packets with the PUT command for specific users. This prevents just anyone from writing files to the server.

Another important feature of application-level servers is authentication. You can allow only specific users through the firewall on the basis of their credentials. Doing this is useful for trusted mobile users or people from affiliated organizations who need to access specific systems on your networks.

Also keep in mind that firewalls can hide your internal network addresses from the Internet. This lets you implement any internal IP addressing scheme without the need to register with Internet authorities. Network address translation (NAT) is a scheme that allows two connected networks to use different and incompatible IP addressing schemes. Address translation allows hosts on a private internal network to transparently communicate with destinations on an external network or vice versa. NAT also refers to the name of a device that performs these functions. See NAT (Network Address Translation).

Stateful Inspection Techniques

One of the problems with proxies is that they must evaluate a lot of information in a lot of packets. In addition, you need to install a separate proxy for each application you want to support. This affects performance and increases costs. Stateful inspection is a technique that examines the bit patterns of the packets and compares them with packets that are already known to be trusted.

For example, if you access some outside service, the server remembers things about your original request like port number, and source and destination address. The information that is remembered is state information. When the outside system responds to your request, the firewall server compares the received packets with the saved state to determine if the packets should be allowed in.

While stateful inspection provides speed and transparency, one of its biggest disadvantages is that inside packets make their way to the outside network, thus exposing internal IP addresses to potential hackers. NAT (network address translation) helps to solve this problem.

Firewall Policies

No firewall can protect against inadequate or mismanaged policies. If a password gets out because a user did not properly protect it, your security is at risk. If an internal user dials out through an unauthorized connection, an attacker could subvert your network through this backdoor.

A weakness in the policy or the inability to enforce the policy will weaken any protection provided by even the best firewalls. If internal users find your policies too restrictive, they may go around them by connecting to the Internet through a personal modem. The firewall in this case is useless. You may not even know your systems are under attack because the firewall is guarding the wrong entrance.

The most basic firewall policy is as follows:

  • Block all traffic, then allow specific services on a case-by-case basis.

This policy is restrictive but secure. However, it may be so restrictive that users circumvent it. In addition, the more restrictive your policy, the harder it will be to manage connections that are to be allowed. On screening routers, you'll need to implement complicated sets of rules--a difficult task, but most firewall products simplify this process by using graphical interfaces and a more efficient set of rules.

Security policies must be outlined in advance so administrators and users know what type of activities are allowed on the network. Your policy statement should address internal and external access, remote user access, virus protection and avoidance, encryption requirements, program usage, and a number of other considerations, as outlined here:

  • Network traffic to and from outside networks such as the Internet must pass through the firewall. The traffic must be filtered to allow only authorized packets to pass.
  • Never use a firewall for general-purpose file storage or to run programs, except for those required by the firewall. Do not run any services on the firewall except those specifically required to provide firewall services. Consider the firewall expendable in case of an attack.
  • Do not allow any passwords or internal addresses to cross the firewall.
  • If you need to provide services to the public, put them on the outside of the firewall and implement internal settings that protect the server from attacks that would deny service.
  • Accept the fact that you might need to completely restore public systems from backup in the event of an attack. You can implement a replication scheme that automatically copies information to a public server over a secure channel.

For outbound connections, implement any number of encryption schemes to hide transmitted information. If users are accessing the Web with Web browsers, you can implement Web client-server security protocols and encryption techniques.

Firewall Implementations

The Cheswick/Bellovin and Chapman/Zwicky books mentioned earlier provide the material that most firewall vendors use when describing their firewall implementations. This section outlines the basic architectures.

A firewall installation may consist of several devices, including packet-filtering routers and systems running firewall and proxy software. Routers may be implemented as perimeter defense devices, providing the first line of defense.

Dual-Homed System

The dual-homed system is a computer that includes at least two network interface cards, as pictured in Figure 5. Routing is disabled between the network interface cards in the dual-homed system so that the application-level software can control how traffic is handled between networks.

Figure 5: A dual-homed system has two network interfaces

There is one other use for this type of configuration. Assume that the dual-homed host runs an HTTP Web service. If routing is disabled, then the host on either network can still access the Web services, but packets cannot be exchanged between the networks. For example, if several departments in an organization need to share the same Web server but you don't want to create a routable link between the departments, you could use this configuration. However, hackers could still subvert vulnerable servers (i.e., software upgrades and patches are not installed to fix holes and other weaknesses).

Screening Host Architecture

In this scenario, pictured in Figure 6, the screening router only allows Internet users to connect with a specific system on the internal network-the application-level gateway (bastion host). The gateway then provides inbound and outbound controls.

Figure 6: Screening host architecture

The packet-filtering router does a lot of work in this configuration. Not only does it direct packets to a designated internal system, it may also allow internal systems to open connections to Internet systems or disallow these connections. You set these options based on your security requirements. Chapman and Zwicky note that this architecture may be risky because it allows packets to move from the Internet to the internal network, unlike the dual-homed architecture, which blocks all packet movement from the external network to the internal network.

Screened Subnet Architecture

This architecture, pictured in Figure 7, is similar to the screening host architecture described in the previous section, except that an extra layer of security is added by putting up a perimeter network that further separates the internal network from the Internet.

Figure 7: Screening subnet architecture

A reason for doing this is to protect the internal network if the bastion host succumbs to an attack. Since the bastion host is basically connected to the Internet, hackers will target it. According to Chapman and Zwicky, "by isolating the bastion host on a perimeter network, you can reduce the impact of a break-in on the bastion host. It is no longer an instantaneous jackpot: it gives an intruder some access, but not all."

Chapman and Zwicky offer some variations on this design. Multiple bastion hosts may be used on the perimeter network to run different services, such as HTTP Web services, e-mail services, or an external DNS (Domain Name Service).

Another option is to combine the interior and exterior routers if you use a router that has more than two ports, although this configuration is vulnerable if the single router is attacked. You can also merge the bastion host and the exterior router, but not the bastion host and the interior router.

If multiple interior routers are used, a situation could occur in which the internal router decides that the fastest way to another internal system is via the perimeter network, thus exposing internal network packets on the perimeter network.

Other Firewall Information

SOCKS is a circuit-level proxy firewall service that attempts to provide a secure channel between two TCP/IP hosts, typically a Web client on an internal corporate network that wants to access an outside Web server (on the Internet, on another company's network, or on another part of an intranet). SOCKS provides firewall services, as well as auditing, management, fault tolerance, and other features. See "SOCKS."

Most firewalls also perform authentication to verify the identity of the users or processes. RADIUS is often used as the authentication service. It is the same authentication service used for dial-up network access by both enterprise networks and Internet service providers. By authenticating users, the firewall has additional information it can work with to filter packets. For example, it can allow a specific user to access some services but not others. Most firewalls today also support VPNs, which provide secure tunnels between a firewall and a remote user across the Internet. The firewall authenticates the user, encrypts all data, and ensures data integrity by using digital signature technology.

As the role of the firewall becomes more complex, one feature that should not be overlooked is speed. Firewalls must now operate at "gigabit" speeds to keep up with network traffic. Netscreen ( builds a "gigabit firewall" that is designed for Internet data center usage. The system is designed to support the firewall needs of up to 100 separate customers who have outsourced and collocated their Web servers and other equipment at the data center.

Refer to the following RFCs for more information about firewalls.

  • RFC 1919 (Classical versus Transparent IP Proxies, March 1996)
  • RFC 1928 (SOCKS Protocol Version 5, March 1996)
  • RFC 2196 (Site Security Handbook, September 1997), see section 3
  • RFC 2267 (Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, January 1998)
  • RFC 2647 (Benchmarking Terminology for Firewall Performance, August 1999)
  • RFC 2775 (Internet Transparency, February 2000)
  • RFC 2827 (Network Ingress Filtering: Defeating Denial of Service Attacks Which employ IP Source Address Spoofing, May 2000)
  • RFC 2828 (Internet Security Glossary, May 2000)
  • RFC 2979 (Behavior of and Requirements for Internet Firewalls, October 2000)

Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.