Firewall (computing)

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.

History
The term firewall originally referred to a wall intended to confine a fire within a line of adjacent buildings. Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment. The term was applied in the 1980s to network technology that emerged when the Internet was fairly new in terms of its global use and connectivity. The predecessors to firewalls for network security were routers used in the 1980s. Because they already segregated networks, routers could apply filtering to packets crossing them.

Before it was used in real-life computing, the term appeared in the 1983 computer-hacking movie WarGames, and possibly inspired its later use.

One of the earliest commercially successful firewall and network address translation (NAT) products was the PIX (Private Internet eXchange) Firewall, invented in 1994 by Network Translation Inc., a startup founded and run by John Mayes. The PIX Firewall technology was coded by Brantley Coile as a consultant software developer. Recognizing the emerging IPv4 address depletion problem, they designed the PIX to enable organizations to securely connect private networks to the public internet using a limited number of registered IP addresses. The innovative PIX solution quickly gained industry acclaim, earning the prestigious "Hot Product of the Year" award from Data Communications Magazine in January 1995. Cisco Systems, seeking to expand into the rapidly growing network security market, subsequently acquired Network Translation Inc. in November 1995 to obtain the rights to the PIX technology. The PIX became one of Cisco's flagship firewall product lines before eventually being succeeded by the Adaptive Security Appliance (ASA) platform introduced in 2005.

Types of firewall
Firewalls are categorized as a network-based or a host-based system. Network-based firewalls are positioned between two or more networks, typically between the local area network (LAN) and wide area network (WAN), their basic function being to control the flow of data between connected networks. They are either a software appliance running on general-purpose hardware, a hardware appliance running on special-purpose hardware, or a virtual appliance running on a virtual host controlled by a hypervisor. Firewall appliances may also offer non-firewall functionality, such as DHCP or VPN services. Host-based firewalls are deployed directly on the host itself to control network traffic or other computing resources. This can be a daemon or service as a part of the operating system or an agent application for protection.

Packet filter
The first reported type of network firewall is called a packet filter, which inspects packets transferred between computers. The firewall maintains an access-control list which dictates what packets will be looked at and what action should be applied, if any, with the default action set to silent discard. Three basic actions regarding the packet consist of a silent discard, discard with Internet Control Message Protocol or TCP reset response to the sender, and forward to the next hop. Packets may be filtered by source and destination IP addresses, protocol, or source and destination ports. The bulk of Internet communication in 20th and early 21st century used either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) in conjunction with well-known ports, enabling firewalls of that era to distinguish between specific types of traffic such as web browsing, remote printing, email transmission, and file transfers.

The first paper published on firewall technology was in 1987 when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin continued their research in packet filtering and developed a working model for their own company based on their original first-generation architecture. In 1992, Steven McCanne and Van Jacobson released a paper on BSD Packet Filter (BPF) while at Lawrence Berkeley Laboratory.

Connection tracking


From 1989–1990, three colleagues from AT&T Bell Laboratories, Dave Presotto, Janardan Sharma, and Kshitij Nigam, developed the second generation of firewalls, calling them circuit-level gateways.

Second-generation firewalls perform the work of their first-generation predecessors but also maintain knowledge of specific conversations between endpoints by remembering which port number the two IP addresses are using at layer 4 (transport layer) of the OSI model for their conversation, allowing examination of the overall exchange between the nodes.

Application layer
Marcus Ranum, Wei Xu, and Peter Churchyard released an application firewall known as Firewall Toolkit (FWTK) in October 1993. This became the basis for Gauntlet firewall at Trusted Information Systems.

The key benefit of application layer filtering is that it can understand certain applications and protocols such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP). This allows it to identify unwanted applications or services using a non standard port, or detect if an allowed protocol is being abused. It can also provide unified security management including enforced encrypted DNS and virtual private networking.

As of 2012, the next-generation firewall provides a wider range of inspection at the application layer, extending deep packet inspection functionality to include, but is not limited to:
 * Web filtering
 * Intrusion prevention systems
 * User identity management
 * Web application firewall
 * Content inspection and heuristic analysis

Endpoint specific
Endpoint-based application firewalls function by determining whether a process should accept any given connection. Application firewalls filter connections by examining the process ID of data packets against a rule set for the local process involved in the data transmission. Application firewalls accomplish their function by hooking into socket calls to filter the connections between the application layer and the lower layers. Application firewalls that hook into socket calls are also referred to as socket filters.

Most common firewall log types
Traffic Logs:


 * Description: Traffic logs record comprehensive details about data traversing the network. This includes source and destination IP addresses, port numbers, protocols used, and the action taken by the firewall (e.g., allow, drop, or reject).
 * Significance: Essential for network administrators to analyze and understand the patterns of communication between devices, aiding in troubleshooting and optimizing network performance.

Threat Prevention Logs:

Audit Logs:
 * Description: Logs specifically designed to capture information related to security threats. This encompasses alerts from intrusion prevention systems (IPS), antivirus events, anti-bot detections, and other threat-related data.
 * Significance: Vital for identifying and responding to potential security breaches, helping security teams stay proactive in safeguarding the network.
 * Description: Logs that record administrative actions and changes made to the firewall configuration. These logs are critical for tracking changes made by administrators for security and compliance purposes.
 * Significance: Supports auditing and compliance efforts by providing a detailed history of administrative activities, aiding in investigations and ensuring adherence to security policies.

Event Logs:

Session Logs:
 * Description: General event logs that capture a wide range of events occurring on the firewall, helping administrators monitor and troubleshoot issues.
 * Significance: Provides a holistic view of firewall activities, facilitating the identification and resolution of any anomalies or performance issues within the network infrastructure.
 * Description: Logs that provide information about established network sessions, including session start and end times, data transfer rates, and associated user or device information.
 * Significance: Useful for monitoring network sessions in real-time, identifying abnormal activities, and optimizing network performance.

DDoS Mitigation Logs:


 * Description: Logs that record events related to Distributed Denial of Service (DDoS) attacks, including mitigation actions taken by the firewall to protect the network.
 * Significance: Critical for identifying and mitigating DDoS attacks promptly, safeguarding network resources and ensuring uninterrupted service availability.

Geo-location Logs:

URL Filtering Logs: User Activity Logs:
 * Description: Logs that capture information about the geographic locations of network connections. This can be useful for monitoring and controlling access based on geographical regions.
 * Significance: Aids in enhancing security by detecting and preventing suspicious activities originating from specific geographic locations, contributing to a more robust defense against potential threats.
 * Description: Records data related to web traffic and URL filtering. This includes details about blocked and allowed URLs, as well as categories of websites accessed by users.
 * Significance: Enables organizations to manage internet access, enforce acceptable use policies, and enhance overall network security by monitoring and controlling web activity.
 * Description: Logs that capture user-specific information, such as authentication events, user login/logout details, and user-specific traffic patterns.
 * Significance: Aids in tracking user behavior, ensuring accountability, and providing insights into potential security incidents involving specific users.

VPN Logs:


 * Description: Information related to Virtual Private Network (VPN) connections, including events like connection and disconnection, tunnel information, and VPN-specific errors.
 * Significance: Crucial for monitoring the integrity and performance of VPN connections, ensuring secure communication between remote users and the corporate network.

System Logs:

Compliance Logs:
 * Description: Logs that provide information about the overall health, status, and configuration changes of the firewall system. This may include logs related to high availability (HA), software updates, and other     system-level events.
 * Significance: Essential for maintaining the firewall infrastructure, diagnosing issues, and ensuring the system operates optimally.
 * Description: Logs specifically focused on recording events relevant to regulatory compliance requirements. This may include activities ensuring compliance with industry standards or legal mandates.
 * Significance: Essential for organizations subject to specific regulations, helping to demonstrate adherence to compliance standards and facilitating audit processes.

Configuration
Setting up a firewall is a complex and error-prone task. A network may face security issues due to configuration errors.

Firewall policy configuration is based on specific network type (e.g., public or private), and can be set up using firewall rules that either block or allow access to prevent potential attacks from hackers or malware.