In the home, a personal firewall typically comes with or is installed in the user's computer (see Windows Firewall). Personal firewalls may also detect outbound traffic to guard against spyware, which could be sending your surfing habits to a Web site. They alert you when software makes an outbound request for the first time (see spyware).
In the organization, a firewall can be a stand-alone machine (see firewall appliance) or software in a router or server. It can be as simple as a single router that filters out unwanted packets, or it may comprise a combination of routers and servers each performing some type of firewall processing.
Firewall Techniques
The following methods are used to provide firewall protection; several of them are often used in combination.
Stateful Inspection
Tracks the transaction to ensure that inbound packets were requested by the user. Generally can examine multiple layers of the protocol stack, including the data, if required, so blocking can be made at any layer or depth. See stateful inspection.
Network Address Translation (NAT)
Allows one IP address, which is shown to the outside world, to refer to many IP addresses internally; one on each client station. Performs the translation back and forth. NAT is found in routers and is built into Windows Internet Connection Sharing (ICS). See NAT and ICS.
Packet Filter
Blocks traffic based on a specific Web address (IP address) or type of application (e-mail, ftp, Web, etc.), which is specified by port number. Packet filtering is typically done in a router, which is known as a "screening router." See bastion host.
Proxy Server
Serves as a relay between two networks, breaking the connection between the two. Also typically caches Web pages (see proxy server).
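The difference between a packet filter and stateful inspection, as described above, can be shown in a short Python sketch. This is an added example, not part of the encyclopedia entry; the packet model, the blocked-port policy and all addresses and ports are constructed assumptions.

```python
from collections import namedtuple

# Constructed packet model: addresses and ports are made-up sample values.
Packet = namedtuple("Packet", "src sport dst dport direction")

BLOCKED_PORTS = {21, 25}  # hypothetical policy: no ftp or e-mail inbound


def packet_filter(pkt):
    """Stateless filter: judges each packet alone, by port number."""
    if pkt.direction == "out":
        return True
    return pkt.dport not in BLOCKED_PORTS


class StatefulInspector:
    """Tracks outbound requests; admits inbound packets only as replies."""

    def __init__(self):
        # Each entry: (inside host, inside port, outside host, outside port)
        self.flows = set()

    def inspect(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound packet must mirror a recorded outbound flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run(packets):
    """Return (stateless verdicts, stateful verdicts) for a packet sequence."""
    fw = StatefulInspector()
    return [packet_filter(p) for p in packets], [fw.inspect(p) for p in packets]


SAMPLE = [
    Packet("192.168.1.10", 50000, "203.0.113.5", 80, "out"),  # user requests a Web page
    Packet("203.0.113.5", 80, "192.168.1.10", 50000, "in"),   # the reply to that request
    Packet("198.51.100.7", 80, "192.168.1.10", 50001, "in"),  # inbound, never requested
    Packet("198.51.100.7", 40000, "192.168.1.10", 25, "in"),  # inbound to a blocked port
]

if __name__ == "__main__":
    stateless, stateful = run(SAMPLE)
    for pkt, a, b in zip(SAMPLE, stateless, stateful):
        print(pkt, "| filter:", "pass" if a else "drop", "| stateful:", "pass" if b else "drop")
```

The third packet is where the two techniques differ: the port-based filter passes it because its destination port is not blocked, while the stateful inspector drops it because no outbound request matches it.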
Protected and More Protected
In the diagram on top, the internal network is protected by only one screening router (a router with packet filtering). If there were servers on the internal network providing services to Internet users, this would offer minimal protection against an attack. The use of two screening routers in the firewall configuration at the bottom offers two points of protection from the outside world to the internal LAN.
Firewall Management
Elron Firewall was a product that combined stateful inspection, multilayer analysis of IP and IPX packets and network address translation to secure a network. The window on the left could scroll down to more than 70 user services. (Screen example courtesy of Elron Software, acquired in 2003 by Zix Corporation, www.zixcorp.com)
An Excellent Resource
O'Reilly's "Building Internet Firewalls, 2nd Edition" by Zwicky, Cooper and Chapman is one of the best books written on Internet and Web security. It covers a huge range of firewall and related topics and should be a "must have" for anyone interested in the subject. (O'Reilly & Associates, Inc., 2000, ISBN 1-56592-871-7)
Reproduced with permission from Computer Desktop Encyclopedia. Copyright (c) 1981-2008 The Computer Language Company Inc. All rights reserved.





