In the home, a personal firewall typically comes with or is installed in the user's computer (see Windows Firewall). Personal firewalls may also detect outbound traffic to guard against spyware, which could be sending your surfing habits to a Web site. They alert you when software makes an outbound request for the first time (see spyware).
In the organization, a firewall can be a stand-alone machine (see firewall appliance) or software in a router or server. It can be as simple as a single router that filters out unwanted packets, or it may comprise a combination of routers and servers each performing some type of firewall processing.
Firewall Techniques
The following methods are used to provide firewall protection; several of them are often used in combination.
Stateful Inspection
Tracks the transaction to ensure that inbound packets were requested by the user. Generally can examine multiple layers of the protocol stack, including the data, if required, so blocking can be made at any layer or depth. See stateful inspection.
Network Address Translation (NAT)
Allows one IP address, which is shown to the outside world, to refer to many IP addresses internally, one on each client station. Performs the translation back and forth. NAT is found in routers and is built into Windows Internet Connection Sharing (ICS). See NAT and ICS.
Packet Filter
Blocks traffic based on a specific Web address (IP address) or type of application (e-mail, ftp, Web, etc.), which is specified by port number. Packet filtering is typically done in a router, which is known as a "screening router." See bastion host.
Proxy Server
Serves as a relay between two networks, breaking the connection between the two. Also typically caches Web pages (see proxy server).
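The difference between the Packet Filter and Stateful Inspection entries above, as an added example that is not part of the encyclopedia entry: the packet filter judges each packet by port number alone, while the stateful inspector admits an inbound packet only if it answers a recorded outbound request. The reply-port rule, the names and the sample packets are constructed for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool  # True when the packet leaves the internal network

REPLY_PORTS = {80, 443}  # assumed rule: let Web replies back in

def packet_filter(p: Packet) -> bool:
    """Stateless: decides on the port number alone, one packet at a time."""
    return p.outbound or p.sport in REPLY_PORTS

class StatefulInspector:
    """Remembers outbound requests and admits only their replies."""
    def __init__(self):
        self.flows = set()  # (src, sport, dst, dport) of requests seen

    def allow(self, p: Packet) -> bool:
        if p.outbound:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        # An inbound packet must mirror a recorded outbound flow.
        return (p.dst, p.dport, p.src, p.sport) in self.flows

# Constructed sample traffic (documentation address ranges).
REQUEST = Packet("10.0.0.5", 50000, "203.0.113.7", 80, True)
REPLY = Packet("203.0.113.7", 80, "10.0.0.5", 50000, False)
UNSOLICITED = Packet("198.51.100.9", 80, "10.0.0.5", 50001, False)

def compare() -> list:
    """Return (packet filter verdict, stateful verdict) per sample packet."""
    inspector = StatefulInspector()
    return [(packet_filter(p), inspector.allow(p))
            for p in (REQUEST, REPLY, UNSOLICITED)]

if __name__ == "__main__":
    for name, verdicts in zip(("request", "reply", "unsolicited"), compare()):
        print(name, verdicts)
```

Both techniques pass the request and its reply; only the stateful inspector drops the inbound packet that no internal station asked for.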
Protected and More Protected
In the diagram on top, the internal network is protected by only one screening router (a router with packet filtering). If there were servers on the internal network providing services to Internet users, this would offer minimal protection against an attack. The use of two screening routers in the firewall configuration at the bottom offers two points of protection from the outside world to the internal LAN.
Firewall Management
Elron Firewall was a product that combined stateful inspection, multilayer analysis of IP and IPX packets and network address translation to secure a network. The window on the left could scroll down to more than 70 user services. (Screen example courtesy of Elron Software, acquired in 2003 by Zix Corporation, www.zixcorp.com)
An Excellent Resource
O'Reilly's "Building Internet Firewalls, 2nd Edition" by Zwicky, Cooper and Chapman is one of the best books written on Internet and Web security. It covers a huge range of firewall and related topics and should be a "must have" for anyone interested in the subject. (O'Reilly & Associates, Inc., 2000, ISBN 1-56592-871-7)
Reproduced with permission from Computer Desktop Encyclopedia. Copyright (c) 1981-2009 The Computer Language Company Inc. All rights reserved.