Firewall (computing)

From Wikipedia, the free encyclopedia
Software or hardware-based network security system

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on configurable security rules.[1][2] A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet,[3] or between several VLANs. Firewalls can be categorized as network-based or host-based.

History


The term firewall originally referred to a wall to confine a fire within a line of adjacent buildings.[4] Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment. The term was applied in the 1980s to network technology[5] that emerged when the Internet was fairly new in terms of its global use and connectivity.[6] The predecessors to firewalls for network security were routers used in the 1980s. Because they already segregated networks, routers could filter packets crossing them.[7]

Before it was used in real-life computing, the term appeared in John Badham's 1983 computer-hacking movie WarGames, spoken by the bearded and bespectacled programmer named Paul Richter, which possibly inspired its later use.[8]

One of the earliest commercially successful firewall and network address translation (NAT) products was the PIX (Private Internet eXchange) Firewall, invented in 1994 by Network Translation Inc., a startup founded and run by John Mayes. The PIX Firewall technology was coded by Brantley Coile as a consultant software developer.[9] Recognizing the emerging IPv4 address depletion problem, they designed the PIX to enable organizations to securely connect private networks to the public Internet using a limited number of registered IP addresses. The PIX quickly gained industry recognition, earning the "Hot Product of the Year" award from Data Communications Magazine in January 1995. Cisco Systems, seeking to expand into the rapidly growing network security market, acquired Network Translation Inc. in November 1995 to obtain the rights to the PIX technology. The PIX became one of Cisco's flagship firewall product lines before eventually being succeeded by the Adaptive Security Appliance (ASA) platform introduced in 2005.

Types of firewalls

See also: Computer security

Firewalls are categorized as a network-based or a host-based system. Network-based firewalls are positioned between two or more networks, typically between the local area network (LAN) and wide area network (WAN),[10] their basic function being to control the flow of data between connected networks. They are either a software appliance running on general-purpose hardware, a hardware appliance running on special-purpose hardware, or a virtual appliance running on a virtual host controlled by a hypervisor. Firewall appliances may also offer non-firewall functionality, such as DHCP[11][12] or VPN[13] services. Host-based firewalls are deployed directly on the host itself to control network traffic or other computing resources.[14][15] This can be a daemon or service as a part of the operating system or an agent application for protection.

An illustration of a network-based firewall within a network

Packet filter


The first reported type of network firewall is called a packet filter, which inspects packets transferred between computers. The firewall maintains an access-control list which dictates what packets will be looked at and what action should be applied, if any, with the default action set to silent discard. Three basic actions regarding the packet consist of a silent discard, discard with an Internet Control Message Protocol or TCP reset response to the sender, and forward to the next hop.[16] Packets may be filtered by source and destination IP addresses, protocol, or source and destination ports. The bulk of Internet communication in the 20th and early 21st century used either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) in conjunction with well-known ports, enabling firewalls of that era to distinguish between specific types of traffic such as web browsing, remote printing, email transmission, and file transfers.[17][18]

The first paper published on firewall technology was in 1987, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin continued their research in packet filtering and developed a working model for their own company based on their original first-generation architecture.[19] In 1992, Steven McCanne and Van Jacobson released a paper on BSD Packet Filter (BPF) while at Lawrence Berkeley Laboratory.[20][21]

Connection tracking

Flow of network packets through Netfilter, a Linux kernel module
Main article: Stateful firewall

From 1989 to 1990, three colleagues from AT&T Bell Laboratories, Dave Presotto, Janardan Sharma, and Kshitij Nigam, developed the second generation of firewalls, calling them circuit-level gateways.[22]

Second-generation firewalls perform the work of their first-generation predecessors but also maintain knowledge of specific conversations between endpoints by remembering which port number the two IP addresses are using at layer 4 (transport layer) of the OSI model for their conversation, allowing examination of the overall exchange between the nodes.[23]
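As an added illustration that is not part of the article, the following Python model shows the second-generation behaviour just described: a stateless rule allows traffic from the trusted side to the untrusted side and drops the reverse, while a connection table remembers the two addresses and ports of each conversation, so a reply is forwarded but an unsolicited inbound packet is silently discarded. The 10.0.0.0/24 and 203.0.113.0/24 addresses are constructed for the example.

```python
from dataclasses import dataclass

# Constructed addressing for this example: hosts in 10.0.0.0/24 form the
# trusted side, everything else is the untrusted side (the Internet).
TRUSTED_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def trusted(ip: str) -> bool:
    return ip.startswith(TRUSTED_PREFIX)


class StatefulFilter:
    """Stateless rule (trusted -> untrusted allowed, the reverse dropped)
    plus a layer-4 connection table keyed on the two addresses and ports,
    so that replies to conversations started inside are let back in.
    A first-generation filter would instead need a static inbound rule."""

    def __init__(self) -> None:
        # Each entry is the 5-tuple of the packet that opened the conversation.
        self.connections: set = set()

    def filter(self, pkt: Packet) -> str:
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if forward in self.connections or reverse in self.connections:
            return "forward"                # belongs to a tracked conversation
        if trusted(pkt.src_ip) and not trusted(pkt.dst_ip):
            self.connections.add(forward)   # remember it so the reply gets in
            return "forward"
        return "drop"                       # default action: silent discard


def demo() -> list:
    """Three packets: an outbound request, its reply, and an unsolicited inbound."""
    fw = StatefulFilter()
    request = fw.filter(Packet("10.0.0.5", 51000, "203.0.113.10", 443))
    reply = fw.filter(Packet("203.0.113.10", 443, "10.0.0.5", 51000))
    unsolicited = fw.filter(Packet("203.0.113.10", 443, "10.0.0.5", 52000))
    return [request, reply, unsolicited]    # → ['forward', 'forward', 'drop']
```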

Application layer

Main article: Application firewall

Marcus Ranum, Wei Xu, and Peter Churchyard released an application firewall known as Firewall Toolkit (FWTK) in October 1993.[24] This became the basis for the Gauntlet firewall at Trusted Information Systems.[25][26]

The key benefit of application layer filtering is that it can understand certain applications and protocols such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP). This allows it to identify unwanted applications or services using a non-standard port, or detect if an allowed protocol is being abused.[27] It can also provide unified security management including enforced encrypted DNS and virtual private networking.[28][29][30]

As of 2012, the next-generation firewall provides a wider range of inspection at the application layer, extending deep packet inspection functionality to include, but not limited to:

Endpoint specific


Endpoint-based application firewalls function by determining whether a process should accept any given connection. Application firewalls filter connections by examining the process ID of data packets against a rule set for the local process involved in the data transmission. Application firewalls accomplish their function by hooking into socket calls to filter the connections between the application layer and the lower layers. Application firewalls that hook into socket calls are also referred to as socket filters.[citation needed]

Firewall Policies


At the core of a firewall's operation are the policies that govern its decision-making process. These policies, collectively known as firewall rules, are the specific guidelines that determine the traffic allowed or blocked across a network's boundaries.[32][33]

Firewall rules are based on the evaluation of network packets against predetermined security criteria. A network packet, which carries data across networks, must match certain attributes defined in a rule to be allowed through the firewall. These attributes commonly include:

  • Direction: Inbound or outbound traffic
  • Source: Where the traffic originates (IP address, range, network, or zone)
  • Destination: Where the traffic is headed (IP address, range, network, or zone)
  • Port: Network ports specific to various services (e.g., port 80 for HTTP)
  • Protocol: The type of network protocol (e.g., TCP, UDP, ICMP)
  • Applications: Layer 7 (L7) inspection or a grouping of services
  • Action: Whether to allow, deny, drop, or require further inspection for the traffic

Zones


Zones are logical segments within a network that group together devices with similar security requirements. By partitioning a network into zones, such as "Technical", "WAN", "LAN", "Public", "Private", "DMZ", and "Wireless", administrators can enforce policies that control the flow of traffic between them. Each zone has its own level of trust and is governed by specific firewall rules that regulate the ingress and egress of data.

A typical default is to allow all traffic from LAN to WAN, and to drop all traffic from WAN to LAN.

Services


In networking terms, services are specific functions typically identified by a network port and protocol. Common examples include HTTP/HTTPS (web traffic) on ports 80 and 443, FTP (file transfer) on port 21, and SMTP (email) on port 25. Services are the engines behind the applications users depend on. From a security aspect, controlling access to services is crucial because services are common targets for exploitation. Firewalls employ rules that stipulate which services should be accessible, to whom, and in what context. For example, a firewall might be configured to block incoming FTP requests to prevent unauthorized file uploads but allow outgoing HTTPS requests for web browsing.

Applications


Applications refer to the software systems that users interact with while on the network. They can range from web browsers and email clients to complex database systems and cloud-based services. In network security, applications are important because different types of traffic can pose varying security risks. Thus, firewall rules can be crafted to identify and control traffic based on the application generating or receiving it. By using application awareness, firewalls can allow, deny, or limit traffic for specific applications according to organizational policies and compliance requirements, thereby mitigating potential threats from vulnerable or undesired applications.

An application can be defined either as a grouping of services or as an L7 inspection.

User ID


Implementing firewall rules based on IP addresses alone is often insufficient due to the dynamic nature of user location and device usage.[33][34] A User ID is therefore translated to the IP address the user is currently using.

This is where the concept of "User ID" makes a significant impact. User ID allows firewall rules to be crafted based on individual user identities, rather than just fixed source or destination IP addresses. This enhances security by enabling more granular control over who can access certain network resources, regardless of where they are connecting from or what device they are using.

The User ID technology is typically integrated into firewall systems through the use of directory services such as Active Directory, LDAP, RADIUS or TACACS+. These services link the user's login information to their network activities. By doing this, the firewall can apply rules and policies that correspond to user groups, roles, or individual user accounts instead of purely relying on the network topology.

Example of Using User ID in Firewall Rules


Consider a school that wants to restrict students' access to a social media server. It can create a rule in the firewall that utilises User ID information to enforce this policy.

  1. Directory Service Configuration — First, the firewall must be configured to communicate with the directory service that stores user group memberships. In this case, an Active Directory server.
  2. User Identification — The firewall maps network traffic to specific user IDs by interpreting authentication logs. When a user logs on, the firewall associates that login with the user's IP address.
  3. Define User Groups — Within the firewall's management interface, define user groups based on the directory service. For example, create groups such as "Students".
  4. Create Firewall Rule:
    • Source: User ID (e.g., Students)
    • Destination: list of IP addresses
    • Service/Application: Allowed services (e.g., HTTP, HTTPS)
    • Action: Deny
  5. Implement Default Allow Rule:
    • Source: LAN zone
    • Destination: WAN zone
    • Service/Application: Any
    • Action: Allow

With this setup, only users who authenticate and are identified as members of "Students" are denied access to the social media servers. All other traffic originating from LAN interfaces is allowed.
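The five steps above, modelled in Python as an added example that is not part of the article: constructed authentication log lines are parsed into an IP-to-user map (step 2), each rule carries the attributes listed under Firewall policies (zones, source user group, destination addresses, service, action), and a first-match evaluation applies the Students deny rule (step 4) before the default LAN-to-WAN allow (step 5), with unmatched traffic falling through to the packet filter's default of silent discard. The zone ranges, log format, group names and addresses are assumptions; "deny" stands for the reject-with-notice action and "drop" for silent discard.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed zones (not from the article): 10.0.0.0/24 is LAN, all else is WAN.
ZONES = {"LAN": ipaddress.ip_network("10.0.0.0/24")}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "WAN")

@dataclass
class Rule:
    src_zone: str = "any"
    dst_zone: str = "any"
    src_group: str = "any"                      # user group resolved via User ID
    dst_ips: set = field(default_factory=set)    # empty set = any address
    services: set = field(default_factory=set)   # (proto, port); empty = any
    action: str = "allow"                        # allow, deny (reject) or drop

    def matches(self, src_ip, dst_ip, group, proto, port) -> bool:
        return (self.src_zone in ("any", zone_of(src_ip))
                and self.dst_zone in ("any", zone_of(dst_ip))
                and self.src_group in ("any", group)
                and (not self.dst_ips or dst_ip in self.dst_ips)
                and (not self.services or (proto, port) in self.services))

# Constructed authentication log lines (step 2): the firewall maps the logon's
# IP address to the user and the directory group the user belongs to.
AUTH_LOG = """\
2024-01-10T08:01:12 logon user=alice group=Students ip=10.0.0.21
2024-01-10T08:02:40 logon user=bob group=Staff ip=10.0.0.22
"""
LOG_RE = re.compile(r"user=(\S+) group=(\S+) ip=(\S+)")

def user_id_map(log: str) -> dict:
    return {m.group(3): (m.group(1), m.group(2)) for m in LOG_RE.finditer(log)}

SOCIAL_MEDIA = {"198.51.100.7", "198.51.100.8"}   # constructed destination list

POLICY = [   # step 4: deny Students -> social media; step 5: default LAN -> WAN allow
    Rule("LAN", "WAN", "Students", SOCIAL_MEDIA, {("tcp", 80), ("tcp", 443)}, "deny"),
    Rule("LAN", "WAN"),
]

def evaluate(policy, ids, src_ip, dst_ip, proto, port) -> str:
    """First matching rule wins; anything unmatched is silently dropped."""
    group = ids.get(src_ip, (None, None))[1]
    for rule in policy:
        if rule.matches(src_ip, dst_ip, group, proto, port):
            return rule.action
    return "drop"
```

An unidentified LAN host (no logon seen) is not a member of "Students", so it falls through to the default allow, exactly as the text describes; WAN-originated traffic matches no rule and is dropped.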

Configuration


Setting up a firewall is a complex and error-prone task. A network may face security issues due to configuration errors.[35]

Firewall policies are typically configured according to the type of network in use, such as public or private environments. Administrators define rules that permit or restrict traffic in order to reduce exposure to threats like unauthorized access, malware, or other forms of cyberattack.[36]


References

  1. Boudriga, Noureddine (2010). Security of mobile communications. Boca Raton: CRC Press. pp. 32–33. ISBN 978-0849379420.
  2. Macfarlane, Richard; Buchanan, William; Ekonomou, Elias; Uthmani, Omair; Fan, Lu; Lo, Owen (2012). "Formal security policy implementations in network firewalls". Computers & Security. 31 (2): 253–270. doi:10.1016/j.cose.2011.10.003.
  3. Oppliger, Rolf (May 1997). "Internet security: Firewalls and beyond". Communications of the ACM. 40 (5): 94. doi:10.1145/253769.253802. S2CID 15271915.
  4. Canavan, John E. (2001). Fundamentals of Network Security (1st ed.). Boston, MA: Artech House. p. 212. ISBN 9781580531764.
  5. Cheswick, William R.; Bellovin, Steven M. (1994). Firewalls and Internet Security: Repelling The Wily Hacker. Addison-Wesley. ISBN 978-0201633573.
  6. Liska, Allan (Dec 10, 2014). Building an Intelligence-Led Security Program. Syngress. p. 3. ISBN 978-0128023709.
  7. Ingham, Kenneth; Forrest, Stephanie (2002). "A History and Survey of Network Firewalls" (PDF). Archived from the original (PDF) on 2006-09-02. Retrieved 2011-11-25.
  8. Boren, Jacob (2019-11-24). "10 Times '80s Sci-Fi Movies Predicted The Future". ScreenRant. Retrieved 2021-03-04.
  9. Mayes, John (2022-11-24). "NTI - JMA". Wikipedia. Retrieved 2023-03-04.
  10. Naveen, Sharanya. "Firewall". Archived from the original on 21 May 2016. Retrieved 7 June 2016.
  11. "Firewall as a DHCP Server and Client". Palo Alto Networks. Retrieved 2016-02-08.
  12. "DHCP". www.shorewall.net. Retrieved 2016-02-08.
  13. "What is a VPN Firewall? – Definition from Techopedia". Techopedia.com. Retrieved 2016-02-08.
  14. Vacca, John R. (2009). Computer and information security handbook. Amsterdam: Elsevier. p. 355. ISBN 9780080921945.
  15. "What is Firewall?". Archived from the original on 2015-02-12. Retrieved 2015-02-12.
  16. Peltier, Justin; Peltier, Thomas R. (2007). Complete Guide to CISM Certification. Hoboken: CRC Press. p. 210. ISBN 9781420013252.
  17. "TCP vs. UDP : The Difference Between them". www.skullbox.net. Retrieved 2018-04-09.
  18. Cheswick, William R.; Bellovin, Steven M.; Rubin, Aviel D. (2003). Firewalls and Internet Security: Repelling the Wily Hacker (2nd ed.). Addison-Wesley Professional. ISBN 9780201634662.
  19. Ingham, Kenneth; Forrest, Stephanie (2002). "A History and Survey of Network Firewalls" (PDF). p. 4. Archived from the original (PDF) on 2006-09-02. Retrieved 2011-11-25.
  20. McCanne, Steven; Jacobson, Van (1992-12-19). "The BSD Packet Filter: A New Architecture for User-level Packet Capture" (PDF). Archived from the original (PDF) on 2000-09-16.
  21. McCanne, Steven; Jacobson, Van (January 1993). "The BSD Packet Filter: A New Architecture for User-level Packet Capture". USENIX.
  22. Alam, M. Afshar; Siddiqui, Tamanna; Seeja, K. R. (2013). Recent Developments in Computing and Its Applications. I. K. International Pvt Ltd. p. 513. ISBN 978-93-80026-78-7.
  23. "Firewalls". MemeBridge. Retrieved 13 June 2014.
  24. "Firewall toolkit V1.0 release". Retrieved 2018-12-28.
  25. Pescatore, John (October 2, 2008). "This Week in Network Security History: The Firewall Toolkit". Archived from the original on April 29, 2016. Retrieved 2018-12-28.
  26. Ranum, Marcus J.; Avolio, Frederick. "FWTK history".
  27. "What is Layer 7? How Layer 7 of the Internet Works". Cloudflare. Retrieved Aug 29, 2020.
  28. "5 Firewall Features you Must-Have". Check Point Software. Retrieved 2021-11-08.
  29. Stanfield, Nathan (2019-12-04). "11 Firewall Features You Can't Live Without". Stanfield IT. Retrieved 2021-11-08.
  30. "Safing Portmaster". safing.io. Retrieved 2021-11-08.
  31. Liang, Junyan; Kim, Yoohwan (2022). Evolution of Firewalls: Toward Securer Network Using Next Generation Firewall. pp. 0752–0759. doi:10.1109/CCWC54503.2022.9720435. ISBN 978-1-6654-8303-2.
  32. "Policy". docs.paloaltonetworks.com. Retrieved 2024-11-21.
  33. "Creating Firewall Policy Rules". Juniper Networks. 2023-11-07. Retrieved 2024-11-21.
  34. "User-ID". docs.paloaltonetworks.com. Retrieved 2024-11-21.
  35. Voronkov, Artem; Iwaya, Leonardo Horn; Martucci, Leonardo A.; Lindskog, Stefan (2018-01-12). "Systematic Literature Review on Usability of Firewall Configuration". ACM Computing Surveys. 50 (6): 1–35. doi:10.1145/3130876. ISSN 0360-0300. S2CID 6570517.
  36. "What is Firewall Configuration and Why is it Important?". Fortinet.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Firewall_(computing)&oldid=1337887200"