A firewall is either the program or the computer it runs on, usually an Internet gateway server, that protects the resources of one network from users from other networks. Typically, an enterprise with an intranet that allows its workers access to the wider Internet will want a firewall to prevent outsiders from accessing its own private data resources.





A firewall is a safeguard utilized by many Local Area Networks (LANs) or Wide Area Networks (WANs) to protect the network from unauthorized access from the outside. They are basically gates that verify the users before they leave or enter the network by way of a User ID, Password or IP address.

Pretend your computer is like your home, with windows, doors, locks and various rooms. In it are valuable things such as jewelry (your passwords, Soc Sec number, and banking info) and other private data. The firewall is like the front and back door to your house- it prevents others from peeping into your home, entering or leaving without your permission (in the form of viruses, trojan horses, worms, etc.). You're the only one with the key to the door.



Now pretend your home is in an extremely high crime area (which the internet is). Without a firewall and other security protection, it's like going on vacation to Italy for 6 months and leaving your front and back doors wide open- not just unlocked. Now, all you need o do is to add a sign in your front yard that says: "Please look inside- take what you want- leave what you want.. and by the way, the jewelry is on the 2nd floor under the dresser in a locked box with the combination- 12-6-9-5!"

Firewall is either hardware or software device that control Internet access to the computers from the outside and prevents the access to undesirable sites from the Inside. Also like a router or a proxy server, firewall can close the holes in the system, open ports, etc.

It is a program which acts like a virtual wall. It blocks suspicious things from sending data or retreiving data. It also prevents viruses from coming in (although not always effective). You can customize your firewall to allow certain programs to connect to the internet although this is sometimes dangerous.

A firewall is an essential tool, helping your computer by keeping virus, worm or trojan horse at bay. It also helps your computer by making it invinsible to the cyberspace ( internet ). In that way, hackers wont know where your computer is located.

it means it there to keep virus out and the content you want to block

A firewall is an information technology (IT) security device which is configured to permit, deny or proxy data connections set and configured by the organization's security policy. Firewalls can either be hardware and/or software based.



Function:



A firewall's basic task is to control traffic between computer networks with different zones of trust. Typical examples are the Internet which is a zone with no trust and an internal network which is (and should be) a zone with high trust. The ultimate goal is to provide controlled interfaces between zones of differing trust levels through the enforcement of a security policy and connectivity model. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or Demilitarized zone (DMZ).



A firewall's function is analogous to firewalls in building construction.



Proper configuration of firewalls demands skill from the firewall administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool.



Generation of Firewalls:



First generation - packet filters



The first paper published on firewall technology was in 1988, when Jeff Mogul from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical internet security feature. At AT&T Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture.



Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).



This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, which comprises most internet communication, the port number).



Because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.



Second generation - "stateful" filters



From 1980-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Howard Trickey, and Kshitij Nigam developed the second generation of firewalls, calling them circuit level firewalls.



This technology is generally referred to as a 'stateful firewall' as it maintains records of all connections passing through the firewall, and is able to determine whether a packet is the start of a new connection, or part of an existing connection. Though there's still a set of static rules in such a firewall, the state of a connection can in itself be one of the criteria which trigger specific rules.



This type of firewall can help prevent attacks which exploit existing connections, or certain Denial-of-service attacks, including the SYN flood which sends improper sequences of packets to consume resources on systems behind a firewall.



Third generation - application layer



Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories and Marcus Ranum described a third generation firewall known as application layer firewall, also known as proxy based firewalls. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC who named it the SEAL product. DEC’s first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.



The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS or web browsing), and can detect whether an unwanted protocol is being sneaked through on a non-standard port, or whether a protocol is being abused in a known harmful way.



This type of filtering can be carried out by proxy servers, but if the filtering is done by a standalone firewall appliance, or in a device for traffic shaping, the technology is likely to be referred to as deep packet inspection.



Subsequent developments



In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were developing their own fourth generation packet filter firewall system. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be easily implemented to and accessed on a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.



A second generation of proxy firewalls was based on Kernel Proxy technology. This design is constantly evolving but its basic features and codes are currently in widespread use in both commercial and domestic computer systems. Cisco, one of the largest internet security companies in the world released their PIX product to the public in 1997.



Some modern firewalls leverage their existing deep packet inspection engine by sharing this functionality with an Intrusion-prevention system (IPS).



Types of Firewall:



There are several classifications of firewalls depending on:



* Whether the communication is being done between a single node and the network, or between two or more networks.

* Whether the communication is intercepted at the network layer, or at the application layer.

* Whether the communication state is being tracked at the firewall or not.



With regard to the scope of filtered communications there exist:



* Personal firewalls, a software application which normally filters traffic entering or leaving a single computer. This filtering may be based on the traffic itself or on the identity of the process which is attempting to listen for or send data.

* Network firewalls, normally running on a dedicated network device or computer positioned on the boundary of two or more networks or DMZs (demilitarized zones). Such a firewall filters all traffic entering or leaving the connected networks.



The latter definition corresponds to the conventional, traditional meaning of "firewall" in networking.



In reference to the layers where the traffic can be intercepted, three main categories of firewalls exist:



* Network layer firewalls. An example would be iptables.

* Application layer firewalls. An example would be TCP Wrappers.

* Application firewalls. An example would be restricting ftp services through /etc/ftpaccess file



These network-layer and application-layer types of firewall may overlap, even though the personal firewall does not serve a network; indeed, single systems have implemented both together.



There's also the notion of application firewalls which are sometimes used during wide area network (WAN) networking on the world-wide web and govern the system software. An extended description would place them lower than application layer firewalls, indeed at the Operating System layer, and could alternately be called operating system firewalls.



Lastly, depending on whether the firewalls keeps track of the state of network connections or treats each packet in isolation, two additional categories of firewalls exist:



* Stateful firewalls

* Stateless firewalls