In the home, a personal firewall typically comes with or is installed in the user's computer (see Windows Firewall). Personal firewalls may also detect outbound traffic to guard against spyware, which could be sending your surfing habits to a Web site. They alert you when software makes an outbound request for the first time (see spyware).
In the organization, a firewall can be a stand-alone machine (see firewall appliance) or software in a router or server. It can be as simple as a single router that filters out unwanted packets, or it may comprise a combination of routers and servers each performing some type of firewall processing.
Firewall Techniques
The following methods are used to provide firewall protection; several of them are often used in combination.
Stateful Inspection
Tracks the transaction to ensure that inbound packets were requested by the user. Generally can examine multiple layers of the protocol stack, including the data, if required, so blocking can be made at any layer or depth. See stateful inspection.
Network Address Translation (NAT)
Allows one IP address, which is shown to the outside world, to refer to many IP addresses internally, one on each client station. Performs the translation back and forth. NAT is found in routers and is built into Windows Internet Connection Sharing (ICS). See NAT and ICS.
Packet Filter
Blocks traffic based on a specific Web address (IP address) or type of application (e-mail, ftp, Web, etc.), which is specified by port number. Packet filtering is typically done in a router, which is known as a "screening router." See bastion host.
Proxy Server
Serves as a relay between two networks, breaking the connection between the two. Also typically caches Web pages (see proxy server).
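The difference between a packet filter and stateful inspection, as an added example that is not part of the original encyclopedia entry: a stateless rule judges each packet by address and port alone, while a stateful firewall admits an inbound packet only if it answers a recorded outbound request. The addresses, ports and policy below are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

INTERNAL_PREFIX = "192.168.1."    # constructed internal LAN
ALLOWED_REMOTE_PORTS = {80, 443}  # constructed policy: Web traffic only

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def packet_filter(pkt):
    """Stateless screening-router rule: decide on addresses and ports alone."""
    if is_internal(pkt.src):  # outbound
        return pkt.dport in ALLOWED_REMOTE_PORTS
    # Inbound: anything that merely looks like a Web reply is let through.
    return is_internal(pkt.dst) and pkt.sport in ALLOWED_REMOTE_PORTS

class StatefulFirewall:
    """Remembers outbound flows; admits inbound packets only as replies."""
    def __init__(self):
        self.flows = set()

    def check(self, pkt):
        if is_internal(pkt.src):
            if pkt.dport not in ALLOWED_REMOTE_PORTS:
                return False
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound must mirror a recorded outbound flow exactly.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def demo():
    fw = StatefulFirewall()
    request = Packet("192.168.1.10", 50000, "203.0.113.5", 80)
    reply = Packet("203.0.113.5", 80, "192.168.1.10", 50000)
    unsolicited = Packet("198.51.100.7", 80, "192.168.1.10", 50000)
    return {
        "filter_reply": packet_filter(reply),
        "filter_unsolicited": packet_filter(unsolicited),
        "stateful_request": fw.check(request),
        "stateful_reply": fw.check(reply),
        "stateful_unsolicited": fw.check(unsolicited),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allow' if verdict else 'block'}")
```

The packet filter passes the unsolicited packet because its source port matches the Web rule; the stateful firewall blocks it because no client station requested it.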
Protected and More Protected
In the diagram on top, the internal network is protected by only one screening router (a router with packet filtering). If there were servers on the internal network providing services to Internet users, this would offer minimal protection against an attack. The use of two screening routers in the firewall configuration at the bottom offers two points of protection from the outside world to the internal LAN.
Firewall Management
Elron Firewall was a product that combined stateful inspection, multilayer analysis of IP and IPX packets and network address translation to secure a network. The window on the left could scroll down to more than 70 user services. (Screen example courtesy of Elron Software, acquired in 2003 by Zix Corporation, www.zixcorp.com)
An Excellent Resource
O'Reilly's "Building Internet Firewalls, 2nd Edition" by Zwicky, Cooper and Chapman is one of the best books written on Internet and Web security. It covers a huge range of firewall and related topics and should be a "must have" for anyone interested in the subject. (O'Reilly & Associates, Inc., 2000, ISBN 1-56592-871-7)
Reproduced with permission from Computer Desktop Encyclopedia. Copyright (c) 1981-2009 The Computer Language Company Inc. All rights reserved.