Firewall (computing): Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 06:34, 3 July 2024 edit 182.182.216.20 (talk) →Types of firewall Tag: Reverted ← Previous edit		Latest revision as of 19:24, 29 August 2025 edit undo InternetArchiveBot (talk \| contribs) Bots, Pending changes reviewers 5,697,556 edits Rescuing 2 sources and tagging 0 as dead.) #IABot (v2.0.9.5
(37 intermediate revisions by 28 users not shown)
Line 1: {{short description\|Software or hardware-based network security system}} In [[computing]], a '''firewall''' is a [[network security]] system that [[Network monitoring\|monitors]] and controls incoming and outgoing [[network traffic]] based on ~~predetermined~~configurable security rules.<ref>{{cite book \| first1=Noureddine \| last1=Boudriga \| title=Security of mobile communications \| url=https://archive.org/details/securitymobileco00boud \| url-access=limited \| publisher=CRC Press \| date=2010 \| ___location=Boca Raton \| pages=[https://archive.org/details/securitymobileco00boud/page/n66 32]–33 \| isbn=978-0849379420}}</ref><ref>{{Cite journal \|last1=Macfarlane \|first1=Richard \|last2=Buchanan \|first2=William \|last3=Ekonomou \|first3=Elias \|last4=Uthmani \|first4=Omair \|last5=Fan \|first5=Lu \|last6=Lo \|first6=Owen \|date=2012 \|title=Formal security policy implementations in network firewalls \|url=https://linkinghub.elsevier.com/retrieve/pii/S0167404811001192 \|journal=Computers & Security \|language=en \|volume=31 \|issue=2 \|pages=253–270 \|doi=10.1016/j.cose.2011.10.003}}</ref> A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the [[Internet]].<ref name="Oppliger 1997 94">{{cite journal\|last=Oppliger\|first=Rolf\|title=Internet Security: FIREWALLS and BEYOND\|journal=Communications of the ACM\|date=May 1997\|volume=40\|issue=5\|page=94\|doi=10.1145/253769.253802\|s2cid=15271915\|doi-access=free}}</ref> or between several [[VLAN]]s. Firewalls can be categorized as network-based or host-based. == History == The term ''[[firewall (construction)\|firewall]]'' originally referred to a wall ~~intended~~ to confine a fire within a line of adjacent buildings.<ref>{{cite book\|last1= Canavan\|first1=John E.\|title=Fundamentals of Network Security\|date=2001\|publisher=Artech House\|___location=Boston, MA\|isbn=9781580531764\|page=212\|edition=1st}}</ref> Later uses refer to similar structures, such as the [[Firewall (engine)\|metal sheet]] separating the [[engine]] compartment of a [[vehicle]] or [[aircraft]] from the passenger compartment. The term was applied in the 1980s to network technology<ref name="cheskwick1994">{{cite book \| first1 = William R. \| last1 = Cheswick \| author1-link = William Cheswick \| first2= Steven M. \| last2= Bellovin \| author2-link = Steven M. Bellovin \| title = [[Firewalls and Internet Security]]: Repelling The Wily Hacker \| year = 1994 \| publisher = Addison-Wesley \| isbn = 978-0201633573 }}</ref> that emerged when the Internet was fairly new in terms of its global use and connectivity.<ref>{{cite book\|last1=Liska\|first1=Allan\|title=Building an Intelligence-Led Security Program\|date=Dec 10, 2014\|publisher=Syngress\|isbn=978-0128023709\|page=3}}</ref> The predecessors to firewalls for network security were [[Router (computing)\|routers]] used in the 1980s. Because they already segregated networks, routers could ~~apply filtering to~~filter packets crossing them.<ref name="report_unm">{{cite web \|url=http://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf \|title=A History and Survey of Network Firewalls \|year=2002 \|last1=Ingham \|first1=Kenneth \|last2=Forrest \|first2=Stephanie \|access-date=2011-11-25 \|archive-url=https://web.archive.org/web/20060902171316/http://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf \|archive-date=2006-09-02 \|url-status=dead }}</ref> Before it was used in real-life computing, the term appeared in ~~the~~[[John Badham\|John Badham's]] 1983 computer-{{nbh}}hacking movie ''[[WarGames]]'', spoken by the bearded and bespectacled programmer named Paul Richter, which possibly inspired its later use.<ref>{{Cite web\|last=Boren\|first=Jacob\|date=2019-11-24\|title=10 Times '80s Sci-Fi Movies Predicted The Future\|url=https://screenrant.com/80s-sci-fi-movies-predicted-the-future/\|access-date=2021-03-04\|website=ScreenRant\|language=en-US}}</ref> One of the earliest commercially successful firewall and network address translation (NAT) products was the PIX (Private Internet eXchange) Firewall, invented in 1994 by Network Translation Inc., a startup founded and run by John Mayes. The PIX Firewall technology was coded by Brantley Coile as a consultant software developer.<ref>{{Cite web\|last=Mayes\|first=John\|date=2022-11-24\|title=NTI - JMA\|url=http://www.jma.com/nti.html\|access-date=2023-03-04\|website=Wikipedia\|language=en-US}}</ref> Recognizing the emerging IPv4 address depletion problem, they designed the PIX to enable organizations to securely connect private networks to the public internet using a limited number of registered IP addresses. The innovative PIX solution quickly gained industry acclaim, earning the prestigious "Hot Product of the Year" award from Data Communications Magazine in January 1995. Cisco Systems, seeking to expand into the rapidly growing network security market, subsequently acquired Network Translation Inc. in November 1995 to obtain the rights to the PIX technology. The PIX became one of Cisco's flagship firewall product lines before eventually being succeeded by the Adaptive Security Appliance (ASA) platform introduced in 2005. == Types of ~~firewall~~firewalls == {{see also\|\|Computer security\|\|Comparison of firewalls}} Firewalls are categorized as a network-based or a host-based system. Network-based firewalls are positioned between two or more networks, typically between the [[Local area network\|local area network (LAN)]] and [[Wide area network\|wide area network (WAN)]],<ref>{{Cite web Line 21: \|archive-url = https://web.archive.org/web/20160521201820/https://www.paloaltonetworks.com/documentation/glossary/what-is-a-firewall \|url-status = dead }}</ref> their basic function being to control the flow of data between connected networks. They are either a [[software appliance]] running on general-purpose hardware, a [[Computer appliance#Types of appliances\|hardware appliance]] running on special-purpose hardware, or a [[virtual appliance]] running on a virtual host controlled by a [[hypervisor]]. Firewall appliances may also offer non-firewall functionality, such as [[DHCP]]<ref>{{Cite web\|title = Firewall as a DHCP Server and Client\|url = https://paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/firewall-as-a-dhcp-server-and-client.html\|website = Palo Alto Networks\|access-date = 2016-02-08}}</ref><ref>{{Cite web\|title = DHCP\|url = http://www.shorewall.net/dhcp.htm\|website = www.shorewall.net\|access-date = 2016-02-08}}</ref> or [[VPN]]<ref>{{Cite web\|title = What is a VPN Firewall? – Definition from Techopedia\|url = https://www.~~vpnranks~~techopedia.com/definition/30753/vpn-firewall\|website = ~~VPNRanks~~Techopedia.com\|access-date = 2016-02-08}}</ref> services. Host-based firewalls are deployed directly on the [[Host (network)\|host]] itself to control network traffic or other computing resources.<ref>{{cite book \| first1=John R. \| last1=Vacca \| title=Computer and information security handbook \| publisher=Elsevier \| date=2009 \| ___location=Amsterdam \| page=355 \| isbn=9780080921945}}</ref><ref>{{cite web \|url=https://personalfirewall.comodo.com/what-is-firewall.html \|title= What is Firewall? \|access-date=2015-02-12 \|archive-date=2015-02-12 \|archive-url=https://web.archive.org/web/20150212104623/https://personalfirewall.comodo.com/what-is-firewall.html \|url-status=dead }}</ref> This can be a [[daemon (computing)\|daemon]] or [[Windows service\|service]] as a part of the [[operating system]] or an [[endpoint security\|agent application]] for protection. [[File:Firewall.png\|thumb\|left\|An illustration of a network-based firewall within a network]] === Packet filter === The first reported type of network firewall is called a [[PF (firewall)\|packet filter]], which inspects packets transferred between computers. The firewall maintains an [[access-control list]] which dictates what packets will be looked at and what action should be applied, if any, with the default action set to silent discard. Three basic actions regarding the packet consist of a silent discard, discard with [[Internet Control Message Protocol]] or [[TCP reset attack\|TCP reset]] response to the sender, and forward to the next hop.<ref>{{cite book\|last1=Peltier\|first1=Justin \|first2=Thomas R. \|last2=Peltier \|title=Complete Guide to CISM Certification \|date=2007 \|publisher=CRC Press \|___location=Hoboken \|isbn=9781420013252 \|page=210}}</ref> Packets may be filtered by source and destination [[network address\|IP addresses]], protocol, or source and destination [[Port (computer networking)\|ports]]. The bulk of Internet communication in 20th and early 21st century used either [[Transmission Control Protocol]] (TCP) or [[User Datagram Protocol]] (UDP) in conjunction with [[List of TCP and UDP port numbers\|well-known ports]], enabling firewalls of that era to distinguish between specific types of traffic such as web browsing, remote printing, email transmission, and file transfers.<ref>{{Cite web \|url=http://www.skullbox.net/tcpudp.php\|title=TCP vs. UDP : The Difference Between them\|website=www.skullbox.net\|language=en\|access-date=2018-04-09}}</ref><ref name="cheswick2003">{{cite book \| first1 = William R. \| last1= Cheswick \|first2= Steven M.\|last2= Bellovin\| first3= Aviel D. \|last3 = Rubin \| year = 2003 \| title = [[Firewalls and Internet Security]] repelling the wily hacker \| publisher= Addison-Wesley Professional \| edition = 2 \| isbn = 9780201634662}}</ref> The first paper published on firewall technology was in 1987 when engineers from [[Digital Equipment Corporation]] (DEC) developed filter systems known as packet filter firewalls. At [[Bell Labs\|AT&T Bell Labs]], [[William Cheswick\|Bill Cheswick]] and [[Steven M. Bellovin\|Steve Bellovin]] continued their research in packet filtering and developed a working model for their own company based on their original first-generation architecture.<ref>{{cite web \|url=http://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf \|title=A History and Survey of Network Firewalls \|year=2002 \|last1=Ingham \|first1=Kenneth \|last2=Forrest \|first2=Stephanie \|page=4 \|access-date=2011-11-25 \|archive-url=https://web.archive.org/web/20060902171316/http://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf \|archive-date=2006-09-02 \|url-status=dead }}</ref> In 1992, Steven McCanne and Van Jacobson released a paper on [[Berkeley Packet Filter\|BSD Packet Filter]] (BPF) while at [[Lawrence Berkeley Laboratory]].<ref name="bpf93">{{cite web \| url=http://www.tcpdump.org/papers/bpf-usenix93.pdf Line 35: \| first2=Van \| last2=Jacobson \| date=1992-12-19~~}}</ref><ref>{{cite web~~ \| archive-url=https://web.archive.org/web/20000916155334/http://www.tcpdump.org/papers/bpf-usenix93.pdf \| archive-date=2000-09-16 \| url-status=dead}}</ref><ref>{{cite web \| url=https://www.usenix.org/conference/usenix-winter-1993-conference/bsd-packet-filter-new-architecture-user-level-packet \| title=The BSD Packet Filter: A New Architecture for User-level Packet Capture Line 65 ⟶ 68: * [[identity management\|User identity management]] * [[Web application firewall]] * Content inspection and heuristic analysis<ref>{{Cite book \|title=Evolution of Firewalls: Toward Securer Network Using Next Generation Firewall ~~\|url=https://ieeexplore.ieee.org/document/9720435 \|access-date=2024-02-02~~ \|date=2022 \|doi=10.1109/CCWC54503.2022.9720435 \|last1=Liang \|first1=Junyan \|last2=Kim \|first2=Yoohwan \|pages=0752–0759 \|isbn=978-1-6654-8303-2 }}</ref> * [[TLS termination proxy\|TLS Inspection]] ==== Endpoint specific ==== Line 71 ⟶ 75: Endpoint-based application firewalls function by determining whether a process should accept any given connection. Application firewalls filter connections by examining the process ID of [[data packets]] against a rule set for the local process involved in the data transmission. Application firewalls accomplish their function by hooking into [[Network socket\|socket]] calls to filter the connections between the [[application layer]] and the lower layers. Application firewalls that hook into socket calls are also referred to as socket filters.{{citation needed\|date=August 2020}} == Firewall Policies == ~~== Most common firewall log types ==~~ At the core of a firewall's operation are the policies that govern its decision-making process. These policies, collectively known as firewall rules, are the specific guidelines that determine the traffic allowed or blocked across a network's boundaries.<ref>{{Cite web \|title=Policy \|url=https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy \|access-date=2024-11-21 \|website=docs.paloaltonetworks.com}}</ref><ref name="auto">{{Cite web \|title=Creating Firewall Policy Rules {{!}} Juniper Networks \|url=https://www.juniper.net/documentation/us/en/software/nm-apps24.1/junos-space-security-director/topics/task/junos-space-firewall-policy-rule-creating.html \|access-date=2024-11-21 \|website=www.juniper.net}}</ref> ~~'''Traffic Logs:'''~~ Firewall rules are based on the evaluation of network packets against predetermined security criteria. A network packet, which carries data across networks, must match certain attributes defined in a rule to be allowed through the firewall. These attributes commonly include: '''Description:''' Traffic logs record comprehensive details about data traversing the network. This includes source and destination IP addresses, port numbers, protocols used, and the action taken by the firewall (e.g., allow, drop, or reject). '''Significance:''' Essential for network administrators to analyze and understand the patterns of communication between devices, aiding in troubleshooting and optimizing network performance. * '''Direction''': Inbound or outbound traffic ~~'''Threat Prevention Logs:'''~~ * '''Source''': Where the traffic originates ([[IP address\|IP address, range, network]], or zone) * '''Destination''': Where the traffic is headed ([[IP address\|IP address, range, network]], or zone) * '''Port''': Network ports specific to various services (e.g., port 80 for [[HTTP]]) * '''Protocol''': The type of network protocol (e.g., [[Transmission Control Protocol\|TCP]], [[User Datagram Protocol\|UDP]], [[Internet Control Message Protocol\|ICMP]]) * '''Applications''': L7 inspection or grouping av services. * '''Action''': Whether to allow, deny, drop, or require further inspection for the traffic === Zones === '''Description:''' Logs specifically designed to capture information related to security threats. This encompasses alerts from intrusion prevention systems (IPS), antivirus events, anti-bot detections, and other threat-related data. Zones are logical segments within a network that group together devices with similar security requirements. By partitioning a network into zones, such as "[[Operational technology\|Technical]]", "[[Wide area network\|WAN]]", "[[Local area network\|LAN]]", "[[Wide area network\|Public]]," "[[Private network\|Private]]," "[[DMZ (computing)\|DMZ]]", and "[[Wireless network\|Wireless]]," administrators can enforce policies that control the flow of traffic between them. Each zone has its own level of trust and is governed by specific firewall rules that regulate the ingress and egress of data. '''Significance:''' Vital for identifying and responding to potential security breaches, helping security teams stay proactive in safeguarding the network. ~~'''Audit Logs:'''~~ '''Description:''' Logs that record administrative actions and changes made to the firewall configuration. These logs are critical for tracking changes made by administrators for security and compliance purposes. '''Significance:''' Supports auditing and compliance efforts by providing a detailed history of administrative activities, aiding in investigations and ensuring adherence to security policies. A typical default is to allow all traffic from LAN to WAN, and to drop all traffic from WAN to LAN. ~~'''Event Logs:'''~~ === Services === '''Description:''' General event logs that capture a wide range of events occurring on the firewall, helping administrators monitor and troubleshoot issues. In networking terms, services are specific functions typically identified by a network port and protocol. Common examples include HTTP/HTTPS (web traffic) on ports 80 and 443, FTP (file transfer) on port 21, and SMTP (email) on port 25. Services are the engines behind the applications users depend on. From a security aspect, controlling access to services is crucial because services are common targets for exploitation. Firewalls employ rules that stipulate which services should be accessible, to whom, and in what context. For example, a firewall might be configured to block incoming FTP requests to prevent unauthorized file uploads but allow outgoing HTTPS requests for web browsing. '''Significance:''' Provides a holistic view of firewall activities, facilitating the identification and resolution of any anomalies or performance issues within the network infrastructure. ~~'''Session Logs:'''~~ '''Description:''' Logs that provide information about established network sessions, including session start and end times, data transfer rates, and associated user or device information. '''Significance:''' Useful for monitoring network sessions in real-time, identifying abnormal activities, and optimizing network performance. === Applications === ~~'''DDoS Mitigation Logs:'''~~ Applications refer to the software systems that users interact with while on the network. They can range from web browsers and email clients to complex database systems and cloud-based services. In network security, applications are important because different types of traffic can pose varying security risks. Thus, firewall rules can be crafted to identify and control traffic based on the application generating or receiving it. By using application awareness, firewalls can allow, deny, or limit traffic for specific applications according to organizational policies and compliance requirements, thereby mitigating potential threats from vulnerable or undesired applications. Application can both be a grouping of services, or a [[OSI model\|L7 inspection]]. '''Description:''' Logs that record events related to Distributed Denial of Service (DDoS) attacks, including mitigation actions taken by the firewall to protect the network. '''Significance:''' Critical for identifying and mitigating DDoS attacks promptly, safeguarding network resources and ensuring uninterrupted service availability. === USER ID === ~~'''Geo-___location Logs:'''~~ Implementing firewall rules based on IP addresses alone is often insufficient due to the dynamic nature of user ___location and device usage.<ref name="auto"/><ref>{{Cite web \|title=User-ID \|url=https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id \|access-date=2024-11-21 \|website=docs.paloaltonetworks.com}}</ref> User ID will be translate to a IP address. This is where the concept of "User ID" makes a significant impact. User ID allows firewall rules to be crafted based on individual user identities, rather than just fixed source or destination IP addresses. This enhances security by enabling more granular control over who can access certain network resources, regardless of where they are connecting from or what device they are using. '''Description:''' Logs that capture information about the geographic locations of network connections. This can be useful for monitoring and controlling access based on geographical regions. '''Significance:''' Aids in enhancing security by detecting and preventing suspicious activities originating from specific geographic locations, contributing to a more robust defense against potential threats. ~~'''URL Filtering Logs:'''~~ '''Description:''' Records data related to web traffic and URL filtering. This includes details about blocked and allowed URLs, as well as categories of websites accessed by users. '''Significance:''' Enables organizations to manage internet access, enforce acceptable use policies, and enhance overall network security by monitoring and controlling web activity. ~~'''User Activity Logs:'''~~ '''Description:''' Logs that capture user-specific information, such as authentication events, user login/logout details, and user-specific traffic patterns. '''Significance:''' Aids in tracking user behavior, ensuring accountability, and providing insights into potential security incidents involving specific users. The User ID technology is typically integrated into firewall systems through the use of directory services such as [[Active Directory]], [[Lightweight Directory Access Protocol\|LDAP]], [[RADIUS]] or [[TACACS\|TACACS+]]. These services link the user's login information to their network activities. By doing this, the firewall can apply rules and policies that correspond to user groups, roles, or individual user accounts instead of purely relying on the network topology. ~~'''VPN Logs:'''~~ ==== Example of Using User ID in Firewall Rules ==== '''Description:''' Information related to Virtual Private Network (VPN) connections, including events like connection and disconnection, tunnel information, and VPN-specific errors. Consider a school that wants to restrict access to a [[social media]] server from students. They can create a rule in the firewall that utilises User ID information to enforce this policy. '''Significance:''' Crucial for monitoring the integrity and performance of VPN connections, ensuring secure communication between remote users and the corporate network. # Directory Service Configuration — First, the firewall must be configured to communicate with the directory service that stores user group memberships. In this case, an [[Active Directory\|Active Directory server.]] ~~'''System Logs:'''~~ # User Identification — The firewall maps network traffic to specific user IDs by interpreting authentication logs. When a user logs on, the firewall associates that login with the user's [[IP address]]. # Define User Groups — Within the firewall's management interface, define user groups based on the directory service. For example, create groups such as "Students". # Create Firewall Rule: #* Source: User ID (e.g., Students) #* Destination: list of [[IP address\|IP addresses]] #* Service/Application: Allowed services (e.g., [[HTTP]], [[HTTPS]]) #* Action: Deny # Implement Default Allow Rule: #* Source: [[Local area network\|LAN]] zone #* Destination: [[Wide area network\|WAN]] zone #* Service/Application: Any #* Action: Allow With this setup, only users who authenticate and are identified as members of "Students" are denied to access [[social media]] servers. All other traffic, starting from LAN interfaces, will be allowed. '''Description:''' Logs that provide information about the overall health, status, and configuration changes of the firewall system. This may include logs related to high availability (HA), software updates, and other system-level events. '''Significance:''' Essential for maintaining the firewall infrastructure, diagnosing issues, and ensuring the system operates optimally. ~~'''Compliance Logs:'''~~ '''Description:''' Logs specifically focused on recording events relevant to regulatory compliance requirements. This may include activities ensuring compliance with industry standards or legal mandates. '''Significance:''' Essential for organizations subject to specific regulations, helping to demonstrate adherence to compliance standards and facilitating audit processes. == Configuration == Setting up a firewall is a complex and error-prone task. A network may face security issues due to configuration errors.<ref>{{Cite journal\|last1=Voronkov\|first1=Artem\|last2=Iwaya\|first2=Leonardo Horn\|last3=Martucci\|first3=Leonardo A.\|last4=Lindskog\|first4=Stefan\|date=2018-01-12\|title=Systematic Literature Review on Usability of Firewall Configuration\|url=http://dx.doi.org/10.1145/3130876\|journal=ACM Computing Surveys\|volume=50\|issue=6\|pages=1–35\|doi=10.1145/3130876\|s2cid=6570517\|issn=0360-0300\|url-access=subscription}}</ref> Firewall ~~policy~~policies ~~configuration~~are istypically ~~based~~configured onaccording ~~specific~~to ~~network~~the type ~~(e.g.~~of network in use, such as public or private), ~~and~~environments. ~~can~~Administrators bedefine ~~set~~rules upthat ~~using~~permit ~~firewall~~or ~~rules~~restrict ~~that~~traffic ~~either~~in ~~block~~order orto ~~allow~~reduce ~~access~~exposure to ~~prevent~~threats ~~potential~~like ~~attacks~~unauthorized ~~from~~access, ~~hackers~~malware, or ~~malware~~other forms of cyberattack.<ref>{{Cite web\|url=https://www.fortinet.com/resources/cyberglossary/firewall-configuration\|title=What is Firewall Configuration and Why is it Important?\|website=Fortinet}}</ref>▼ ▲Firewall policy configuration is based on specific network type (e.g., public or private), and can be set up using firewall rules that either block or allow access to prevent potential attacks from hackers or malware.<ref>{{Cite web\|url=https://www.fortinet.com/resources/cyberglossary/firewall-configuration\|title=What is Firewall Configuration and Why is it Important?\|website=Fortinet}}</ref> == See also == Line 144 ⟶ 150: == External links == ~~{{Wikibooks\| Guide to Unix\|BSD/OpenBSD/As a Firewall\|OpenBSD PF firewall}}~~ ~~{{commons category\|Firewall}}~~ * [http://docstore.mik.ua/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm Evolution of the Firewall Industry] – discusses different architectures, how packets are processed and provides a timeline of the evolution. * [http://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf A History and Survey of Network Firewalls] {{Webarchive\|url=https://web.archive.org/web/20170830035901/http://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf \|date=2017-08-30 }} – provides an overview of firewalls at various ISO levels, with references to original papers where early firewall work was reported. {{Computer security}}