Main Page | See live article | Alphabetical index


Table of contents
1 Construction
2 Computer Networking
3 External links


In the traditional meaning, a firewall is simply a windowless, non-flammable wall (or a wall of substantially heavier construction than other walls in the building) built to prevent fire from spreading beyond one section of a building. Such firewalls form the built-up equivalent of firebreaks in a landscape.

Computer Networking

By extension, the computing world uses the term firewall for a piece of hardware or software put on the network to prevent some communications forbidden by the network policy.

A major distinction separates:

The latter definition is the conventional meaning of "firewall": the remainder of this article addresses such traditional firewalls.

Firewalls (in the sense of computer networking devices) come in several categories and sub-categories. They have the basic task of preventing intrusion from a connected network -- but they try to accomplish this in varing ways. Distinguish two major categories of firewalls:

These two types of firewall may overlap; indeed single systems have implemented both together.

Network layer firewalls operate at a (relatively low) level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass the firewall unless they meet the rules defined by the firewall administrator or applied by default (as in some inflexible firewall systems). A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative-rules", or "deny rules".

Application layer firewalls work on the application level (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines. By inspecting all packets for improper content, firewalls can even prevent the spread of such things as viruses. However, in practice, this become complex, and would become so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.

A proxy device (running either on dedicated hardware or as software on a general purpose machine) may act as a firewall by responding to input packets (eg, connection requests) in the manner of an application, whilst blocking other packets.

Proxies make tampering with an internal system from the external network more difficult, and misuse of one of its internal systems would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system as far as others are concerned. While use of internal address spaces enhances security, hackers may still employ methods such as IP spoofing to attempt to pass packets to the target internal network.

Firewalls often have network address translation functionality, and the hosts protected behind a firewall commonly use so-called "private address space", as defined in RFC 1918. Administrators often set up such scenarios in a effort (of debatable effectiveness) to disguise the internal address or network.

Proper configuration of firewalls demands skill. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool. Faith in misconfigured firewalls is misplaced indeed.

Also see: stateful firewall, stateless firewall, end-to-end connectivity

External links