A firewall, in the real world, is built between buildings to prevent a fire started in one building from spreading to another
A digital firewall serves a similar purpose, by preventing security breaches that occur in one zone from spreading to another zone
In a way, firewalls can be considered as delimiters that together define the perimeter of a network
A firewall prevents unwanted and/or unauthorized traffic from entering into or getting out of a given network (the ‘protected’ network)
Also called ‘secure Internet gateways’ or ‘security gateways’
RFC2828 Internet Security Glossary (by R. Shirey, May 2000)
$ filtering router
An internetwork router that selectively prevents the passage of data packets according to a security policy.
A filtering router may be used as a firewall or part of a firewall.
A router usually receives a packet from a network and decides where to forward it on a second network. A filtering router does the same, but first decides whether the packet should be forwarded at all, according to some security policy.
The policy is implemented by rules (packet filters) loaded into the router. The rules mostly involve values of data packet control fields (especially IP source and destination addresses and TCP port
RFC2828 Internet Security Glossary (by R. Shirey, May 2000)
$ bastion host
A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall.
Filtering routers in a firewall typically restrict traffic from the outside network to reaching just one host, the bastion host, which usually is part of the firewall.
Since only this one host can be directly attacked, only this one host needs to be very strongly protected, so security can be maintained more easily and less expensively.
However, to allow legitimate internal and external users to access application resources through the firewall, higher layer protocols and services need to be relayed and forwarded by the bastion host. Some services (e.g., DNS and SMTP) have forwarding built in; other services (e.g., TELNET and FTP) require a proxy server on the bastion host.
According to RFC2828 Internet Security Glossary (by R. Shirey, May 2000):
An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall).
A firewall typically protects a smaller, secure network (such as a corporate LAN, or even just one host) from a larger network (such as the Internet). The firewall is installed at the point where the networks connect, and the firewall applies security policy rules to control traffic that flows in and out of the protected network.
A firewall is not always a single computer. For example, a firewall may consist of a pair of filtering routers and one or more proxy servers running on one or more bastion hosts, all connected to a small, dedicated LAN between the two routers. The external router blocks attacks that use IP to break security (IP address spoofing, source routing, packet fragments), while proxy servers block attacks that would exploit a vulnerability in a higher layer protocol or service. The internal router blocks traffic from leaving the protected network except through the proxy servers.
The difficult part is defining criteria by which packets are denied passage through the firewall, because a firewall not only needs to keep intruders out, but usually also needs to let authorized users in and out.
Enforce strong authentication for users who wish to establish inbound or outbound connections
Associate data streams that are allowed to pass through the firewall with previously authenticated and authorized users
Use of application gateways is needed to support these higher-level features.
Compare Various Firewall Technologies

Types        Packet filters                               Application gateways
Sub-types    Static, Dynamic                              Circuit-level, Application-level
OSI layers   Network layer (or Internet layer in TCP/IP)  Transport layer or higher
Static packet filters are stateless, meaning that each IP packet must be examined in isolation from what has happened in the past (and what may happen in the future), forcing the filter to make a decision to permit or deny each packet individually based on the packet-filtering rules
There is no concept of a session: the filter cannot tell a segment that belongs to a connection an inside host opened from an unsolicited one
This leads to problems when a protocol such as FTP creates more than one connection, since the second (data) connection is opened separately and, in active mode, from the outside
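The following example, added here and not part of the original slides, models the static (stateless) and dynamic (stateful) packet filters of the table above and runs the FTP active-mode case through both. The protected network 10.0.0.0/8, the outside addresses in 203.0.113.0/24 and the port numbers are constructed; the `ftp_port_command` hook stands in for an FTP-aware filter that parses the PORT command on the control connection.

```python
import ipaddress
from dataclasses import dataclass

# Constructed protected ("inside") network; 203.0.113.0/24 plays the outside.
PROTECTED = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the TCP segment that opens a connection


def is_inside(addr):
    return ipaddress.ip_address(addr) in PROTECTED


class StaticPacketFilter:
    """Stateless: every packet is judged on its own header fields."""

    def __init__(self, inbound_services):
        self.inbound_services = set(inbound_services)  # ports reachable from outside

    def decide(self, p):
        outbound = is_inside(p.src) and not is_inside(p.dst)
        inbound = not is_inside(p.src) and is_inside(p.dst)
        if outbound:
            return "permit"
        if inbound and p.syn:
            return "permit" if p.dport in self.inbound_services else "deny"
        if inbound:
            # A non-SYN segment may be the return half of a connection an inside host
            # opened, but with no session memory the filter cannot know, so it either
            # passes all of them (as here) or breaks every outbound connection.
            return "permit"
        return "deny"


class DynamicPacketFilter(StaticPacketFilter):
    """Stateful: remembers permitted flows and data connections announced by FTP PORT."""

    def __init__(self, inbound_services):
        super().__init__(inbound_services)
        self.flows = set()     # (src, sport, dst, dport) of permitted connections
        self.expected = set()  # (src, dst, dport) of inbound connections to permit once

    def decide(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if not p.syn:
            # Only segments of a known connection pass, in either direction.
            return "permit" if flow in self.flows or reverse in self.flows else "deny"
        if is_inside(p.src) and not is_inside(p.dst):
            self.flows.add(flow)
            return "permit"
        if not is_inside(p.src) and is_inside(p.dst):
            pending = (p.src, p.dst, p.dport)
            if p.dport in self.inbound_services or pending in self.expected:
                self.expected.discard(pending)
                self.flows.add(flow)
                return "permit"
        return "deny"

    def ftp_port_command(self, client, server, data_port):
        """Hypothetical hook: an FTP-aware filter that has seen PORT on an existing
        control connection pre-authorises exactly the matching inbound data connection."""
        has_control = any(f[0] == client and f[2] == server and f[3] == 21 for f in self.flows)
        if has_control:
            self.expected.add((server, client, data_port))


def ftp_active_mode(filt):
    """Constructed scenario: an inside client opens the FTP control connection, then the
    outside server opens the data connection back to it. Returns both decisions."""
    client, server = "10.0.0.5", "203.0.113.7"
    control = filt.decide(Packet(client, 40001, server, 21, syn=True))
    if isinstance(filt, DynamicPacketFilter):
        filt.ftp_port_command(client, server, 40002)  # client sent "PORT ...,40002"
    data = filt.decide(Packet(server, 20, client, 40002, syn=True))
    return control, data


if __name__ == "__main__":
    print("static :", ftp_active_mode(StaticPacketFilter([25])))   # ('permit', 'deny')
    print("dynamic:", ftp_active_mode(DynamicPacketFilter([25])))  # ('permit', 'permit')
```

The static filter has to choose between breaking active-mode FTP and opening every high port to inbound connections from source port 20; the dynamic filter permits only the one data connection the control session announced and still rejects an unannounced inbound SYN or a stray non-SYN probe.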
The implementation of the SOCKS protocol typically involves the recompilation or relinking of TCP-based client applications to use the appropriate encapsulation routines in the SOCKS library (‘socksified’ clients)
Procedure for TCP-based clients
When a TCP-based client wishes to establish a connection to an object that is reachable only via a firewall, it must open a TCP connection to the appropriate SOCKS port on the SOCKS server system. The SOCKS service is conventionally located on TCP port 1080.
If the connection request succeeds, the client enters a negotiation for the authentication method to be used, authenticates with the chosen method, then sends a relay request.
The SOCKS server evaluates the request, and either establishes the appropriate connection or denies it.
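The three-step procedure above, carried out as a SOCKS5 exchange (RFC 1928, with RFC 1929 username/password sub-negotiation) in an added example that is not part of the original slides. Both sides are run in-process and hand each other the raw message bytes instead of a TCP connection to port 1080; the credential, the relay policy and the destination addresses are constructed, and `exchange` is a hypothetical driver that shows the messages of both parties.

```python
import ipaddress
import struct

# Constants from RFC 1928 (SOCKS5) and RFC 1929 (username/password method).
SOCKS_VERSION = 0x05
SOCKS_PORT = 1080  # conventional SOCKS port; unused in this in-process run
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

# Constructed server-side data: one credential and the set of destinations the
# firewall policy allows the relay to connect to.
USERS = {"alice": "s3cret"}
ALLOWED = {("203.0.113.10", 80), ("www.example.test", 443)}


def policy(host, port):
    return (host, port) in ALLOWED


def encode_address(host):
    """ATYP + address bytes for an IPv4, IPv6 or domain-name destination."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def decode_address(buf, offset):
    """Returns (host, offset just past the address)."""
    atyp = buf[offset]
    if atyp == ATYP_IPV4:
        return str(ipaddress.IPv4Address(buf[offset + 1:offset + 5])), offset + 5
    if atyp == ATYP_IPV6:
        return str(ipaddress.IPv6Address(buf[offset + 1:offset + 17])), offset + 17
    if atyp == ATYP_DOMAIN:
        n = buf[offset + 1]
        return buf[offset + 2:offset + 2 + n].decode("idna"), offset + 2 + n
    raise ValueError("unknown address type %#x" % atyp)


# ---- client side ----
def client_greeting(methods):          # VER NMETHODS METHODS
    return bytes([SOCKS_VERSION, len(methods)]) + bytes(methods)


def client_userpass(user, password):   # RFC 1929: VER ULEN UNAME PLEN PASSWD
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def client_connect_request(host, port):  # VER CMD RSV ATYP DST.ADDR DST.PORT
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + encode_address(host) + struct.pack("!H", port)


# ---- server side ----
def server_select_method(greeting, supported):
    """Pick the first server-preferred method the client offered, else 0xFF."""
    if greeting[0] != SOCKS_VERSION:
        raise ValueError("not SOCKS5")
    offered = set(greeting[2:2 + greeting[1]])
    for m in supported:
        if m in offered:
            return bytes([SOCKS_VERSION, m])
    return bytes([SOCKS_VERSION, NO_ACCEPTABLE])


def server_check_userpass(msg, users):
    ulen = msg[1]
    user = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    password = msg[3 + ulen:3 + ulen + plen].decode()
    ok = msg[0] == 0x01 and users.get(user) == password  # constructed store; real servers compare hashes
    return bytes([0x01, 0x00 if ok else 0x01]), ok


def server_evaluate(request, allow):
    """Apply the relay policy and build the reply: VER REP RSV ATYP BND.ADDR BND.PORT."""
    host, off = decode_address(request, 3)
    port = struct.unpack("!H", request[off:off + 2])[0]
    if request[1] != CMD_CONNECT:
        rep = REP_CMD_UNSUPPORTED
    elif not allow(host, port):
        rep = REP_NOT_ALLOWED
    else:
        rep = REP_SUCCESS
    # BND.ADDR/BND.PORT would be the relay's outgoing socket; constructed as unspecified here.
    return bytes([SOCKS_VERSION, rep, 0x00]) + encode_address("0.0.0.0") + struct.pack("!H", 0)


def exchange(host, port, password="s3cret"):
    """Negotiate method, authenticate, send the relay request.
    Returns (chosen method, authenticated?, REP code or None if no request was made)."""
    selection = server_select_method(client_greeting([NO_AUTH, USER_PASS]), supported=[USER_PASS])
    method = selection[1]
    if method == NO_ACCEPTABLE:
        return method, False, None
    authenticated = True
    if method == USER_PASS:
        _, authenticated = server_check_userpass(client_userpass("alice", password), USERS)
        if not authenticated:
            return method, False, None  # server closes the connection (RFC 1929)
    reply = server_evaluate(client_connect_request(host, port), policy)
    return method, authenticated, reply[1]


if __name__ == "__main__":
    print(exchange("203.0.113.10", 80))                     # (2, True, 0): relayed
    print(exchange("198.51.100.1", 23))                     # (2, True, 2): not allowed by ruleset
    print(exchange("203.0.113.10", 80, password="wrong"))   # (2, False, None): auth failed
```

The relay decision is made on the destination the client asked for, which is what lets a SOCKS gateway associate each allowed stream with the user who authenticated on that control channel; the REP value 0x02 ("connection not allowed by ruleset") is the protocol's way of reporting a policy denial to a socksified client.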
The obvious advantage of using private address space for the Internet at large is to conserve the globally unique address space by not using it where global uniqueness is not required.
Enterprises themselves also enjoy a number of benefits from their usage of private address space: They gain a lot of flexibility in network design by having more address space at their disposal than they could obtain from the globally unique pool. This enables operationally and administratively convenient addressing schemes as well as easier growth paths.
Renumbering of IP addresses may be needed in some cases:
Once one commits to using a private address, one is committing to renumber part or all of an enterprise, should one decide to provide IP connectivity between that part (or all of the enterprise) and the Internet.
Another drawback to the use of private address space is that it may require renumbering when merging several private internets into a single private internet.