|
|archive-url = https://web.archive.org/web/20160521201820/https://www.paloaltonetworks.com/documentation/glossary/what-is-a-firewall
|url-status = dead
}}</ref> their basic function being to control the flow of data between connected networks. They are either a [[software appliance]] running on general-purpose hardware, a [[Computer appliance#Types of appliances|hardware appliance]] running on special-purpose hardware, or a [[virtual appliance]] running on a virtual host controlled by a [[hypervisor]]. Firewall appliances may also offer non-firewall functionality, such as [[DHCP]]<ref>{{Cite web|title = Firewall as a DHCP Server and Client|url = https://paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/firewall-as-a-dhcp-server-and-client.html|website = Palo Alto Networks|access-date = 2016-02-08}}</ref><ref>{{Cite web|title = DHCP|url = http://www.shorewall.net/dhcp.htm|website = www.shorewall.net|access-date = 2016-02-08}}</ref> or [[VPN]]<ref>{{Cite web|title = What is a VPN Firewall? – Definition from Techopedia|url = https://www.techopedia.com/definition/30753/vpn-firewall|website = Techopedia.com|access-date = 2016-02-08}}</ref> services. Host-based firewalls are deployed directly on the [[Host (network)|host]] itself to control network traffic or other computing resources.<ref>{{cite book | first1=John R. | last1=Vacca | title=Computer and information security handbook | publisher=Elsevier | date=2009 | ___location=Amsterdam | page=355 | isbn=9780080921945}}</ref><ref>{{cite web |url=https://personalfirewall.comodo.com/what-is-firewall.html |title= What is Firewall? |access-date=2015-02-12 |archive-date=2015-02-12 |archive-url=https://web.archive.org/web/20150212104623/https://personalfirewall.comodo.com/what-is-firewall.html |url-status=dead }}</ref> This can be a [[daemon (computing)|daemon]] or [[Windows service|service]] as a part of the [[operating system]] or an [[endpoint security|agent application]] for protection.
[[File:Firewall.png|thumb|left|An illustration of a network-based firewall within a network]]
* [[identity management|User identity management]]
* [[Web application firewall]]
* Content inspection and heuristic analysis<ref>{{Cite book |title=Evolution of Firewalls: Toward Securer Network Using Next Generation Firewall |url=https://ieeexplore.ieee.org/document/9720435 |access-date=2024-02-02 |date=2022 |doi=10.1109/CCWC54503.2022.9720435 |last1=Liang |first1=Junyan |last2=Kim |first2=Yoohwan |pages=0752–0759 |isbn=978-1-6654-8303-2 }}</ref>
* [[TLS termination proxy|TLS Inspection]]
== Firewall Policies ==
At the core of a firewall's operation are the policies that govern its decision-making process. These policies, collectively known as firewall rules, are the specific guidelines that determine the traffic allowed or blocked across a network's boundaries.<ref>{{Cite web |title=Policy |url=https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy |access-date=2024-11-21 |website=docs.paloaltonetworks.com}}</ref><ref name="auto">{{Cite web |title=Creating Firewall Policy Rules {{!}} Juniper Networks |url=https://www.juniper.net/documentation/us/en/software/nm-apps24.1/junos-space-security-director/topics/task/junos-space-firewall-policy-rule-creating.html |access-date=2024-11-21 |website=www.juniper.net}}</ref>
Firewall rules are based on the evaluation of network packets against predetermined security criteria. A network packet, which carries data across networks, must match certain attributes defined in a rule to be allowed through the firewall. These attributes commonly include:
=== USER ID ===
Implementing firewall rules based on IP addresses alone is often insufficient due to the dynamic nature of user ___location and device usage.<ref>{{Cite web |title=Creating Firewall Policy Rules {{!}} Juniper Networks |url=https://www.juniper.net/documentation/us/en/software/nm-apps24.1/junos-space-security-director/topics/task/junos-space-firewall-policy-rule-creating.html |access-date=2024-11-21 |websitename=www.juniper.net}}<"auto"/ref><ref>{{Cite web |title=User-ID |url=https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id |access-date=2024-11-21 |website=docs.paloaltonetworks.com}}</ref> User ID will be translate to a IP address.
This is where the concept of "User ID" makes a significant impact. User ID allows firewall rules to be crafted based on individual user identities, rather than just fixed source or destination IP addresses. This enhances security by enabling more granular control over who can access certain network resources, regardless of where they are connecting from or what device they are using.
With this setup, only users who authenticate and are identified as members of "Students" are denied to access [[social media]] servers. All other traffic, starting from LAN interfaces, will be allowed.
== Most common firewall log types ==
'''Traffic Logs:'''
*'''Description:''' Traffic logs record comprehensive details about data traversing the network. This includes source and destination IP addresses, port numbers, protocols used, and the action taken by the firewall (e.g., allow, drop, or reject).
*'''Significance:''' Essential for network administrators to analyze and understand the patterns of communication between devices, aiding in troubleshooting and optimizing network performance.
'''Threat Prevention Logs:'''
*'''Description:''' Logs specifically designed to capture information related to security threats. This encompasses alerts from intrusion prevention systems (IPS), antivirus events, anti-bot detections, and other threat-related data.
*'''Significance:''' Vital for identifying and responding to potential security breaches, helping security teams stay proactive in safeguarding the network.
'''Audit Logs:'''
*'''Description:''' Logs that record administrative actions and changes made to the firewall configuration. These logs are critical for tracking changes made by administrators for security and compliance purposes.
*'''Significance:''' Supports auditing and compliance efforts by providing a detailed history of administrative activities, aiding in investigations and ensuring adherence to security policies.
'''Event Logs:'''
*'''Description:''' General event logs that capture a wide range of events occurring on the firewall, helping administrators monitor and troubleshoot issues.
*'''Significance:''' Provides a holistic view of firewall activities, facilitating the identification and resolution of any anomalies or performance issues within the network infrastructure.
'''Session Logs:'''
*'''Description:''' Logs that provide information about established network sessions, including session start and end times, data transfer rates, and associated user or device information.
*'''Significance:''' Useful for monitoring network sessions in real-time, identifying abnormal activities, and optimizing network performance.
'''DDoS Mitigation Logs:'''
*'''Description:''' Logs that record events related to Distributed Denial of Service (DDoS) attacks, including mitigation actions taken by the firewall to protect the network.
*'''Significance:''' Critical for identifying and mitigating DDoS attacks promptly, safeguarding network resources and ensuring uninterrupted service availability.
'''Geo-___location Logs:'''
*'''Description:''' Logs that capture information about the geographic locations of network connections. This can be useful for monitoring and controlling access based on geographical regions.
*'''Significance:''' Aids in enhancing security by detecting and preventing suspicious activities originating from specific geographic locations, contributing to a more robust defense against potential threats.
'''URL Filtering Logs:'''
*'''Description:''' Records data related to web traffic and URL filtering. This includes details about blocked and allowed URLs, as well as categories of websites accessed by users.
*'''Significance:''' Enables organizations to manage internet access, enforce acceptable use policies, and enhance overall network security by monitoring and controlling web activity.
'''User Activity Logs:'''
*'''Description:''' Logs that capture user-specific information, such as authentication events, user login/logout details, and user-specific traffic patterns.
*'''Significance:''' Aids in tracking user behavior, ensuring accountability, and providing insights into potential security incidents involving specific users.
'''VPN Logs:'''
*'''Description:''' Information related to Virtual Private Network (VPN) connections, including events like connection and disconnection, tunnel information, and VPN-specific errors.
*'''Significance:''' Crucial for monitoring the integrity and performance of VPN connections, ensuring secure communication between remote users and the corporate network.
'''System Logs:'''
*'''Description:''' Logs that provide information about the overall health, status, and configuration changes of the firewall system. This may include logs related to high availability (HA), software updates, and other system-level events.
*'''Significance:''' Essential for maintaining the firewall infrastructure, diagnosing issues, and ensuring the system operates optimally.
'''Compliance Logs:'''
*'''Description:''' Logs specifically focused on recording events relevant to regulatory compliance requirements. This may include activities ensuring compliance with industry standards or legal mandates.
*'''Significance:''' Essential for organizations subject to specific regulations, helping to demonstrate adherence to compliance standards and facilitating audit processes.
== Configuration ==
Setting up a firewall is a complex and error-prone task. A network may face security issues due to configuration errors.<ref>{{Cite journal|last1=Voronkov|first1=Artem|last2=Iwaya|first2=Leonardo Horn|last3=Martucci|first3=Leonardo A.|last4=Lindskog|first4=Stefan|date=2018-01-12|title=Systematic Literature Review on Usability of Firewall Configuration|url=http://dx.doi.org/10.1145/3130876|journal=ACM Computing Surveys|volume=50|issue=6|pages=1–35|doi=10.1145/3130876|s2cid=6570517|issn=0360-0300|url-access=subscription}}</ref>
Firewall policypolicies configurationare istypically basedconfigured onaccording specificto networkthe type (e.g.of network in use, such as public or private), andenvironments. canAdministrators bedefine setrules upthat usingpermit firewallor rulesrestrict thattraffic eitherin blockorder orto allowreduce accessexposure to preventthreats potentiallike attacksunauthorized fromaccess, hackersmalware, or malwareother forms of cyberattack.<ref>{{Cite web|url=https://www.fortinet.com/resources/cyberglossary/firewall-configuration|title=What is Firewall Configuration and Why is it Important?|website=Fortinet}}</ref>
== See also ==
== External links ==
* [http://docstore.mik.ua/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm Evolution of the Firewall Industry] – discusses different architectures, how packets are processed and provides a timeline of the evolution.
* [http://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf A History and Survey of Network Firewalls] {{Webarchive|url=https://web.archive.org/web/20170830035901/http://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf |date=2017-08-30 }} – provides an overview of firewalls at various ISO levels, with references to original papers where early firewall work was reported.
{{Computer security}}
| 