Firewall

Notes from: Wikipedia - Firewall

  1. A firewall controls incoming and outgoing network traffic based on a set of applied rules.
  2. It establishes a barrier between a trusted internal network and an untrusted outside network such as the Internet.
  3. A proxy server can act as a firewall: it answers requests on behalf of the internal hosts and can refuse connections from particular hosts or addresses.
  4. Network Address Translation (NAT) has become an important part of firewalls. It hides the (usually private) addresses of the hosts behind the firewall, which appear to the outside only as the firewall's own public address.
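A worked illustration of point 4, added here and not part of the Wikipedia notes: a minimal source-NAT (masquerading) table in Python. Outbound packets are rewritten to the firewall's public address and the mapping is remembered; an inbound packet is only forwarded (and translated back) if it matches a remembered mapping, which is why a NAT box hides internal hosts. The addresses (10.0.0.x inside, 203.0.113.1 as the public address, 192.0.2.x and 198.51.100.x outside), the starting port and the names NatFirewall/Packet are constructed for this example.

```python
from dataclasses import dataclass, replace
from itertools import count

# Constructed addresses (RFC 1918 private range inside, RFC 5737 documentation ranges outside).
PUBLIC_IP = "203.0.113.1"   # the firewall's single public address (assumed for the example)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Source NAT: rewrite outbound packets to the public IP, remember the mapping,
    and let only matching replies back in."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)        # next free public port (no reuse in this toy)
        self.out_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.in_map = {}    # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def outbound(self, pkt):
        """Translate a packet leaving the internal network; reuse the mapping for a known flow."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_map.get(key)
        if port is None:
            port = next(self._ports)
            self.out_map[key] = port
            self.in_map[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        """Return the packet rewritten to the internal host, or None when there is no
        mapping: unsolicited traffic is dropped and the internal host stays unreachable."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


if __name__ == "__main__":
    nat = NatFirewall()
    out = nat.outbound(Packet("10.0.0.5", 51000, "192.0.2.10", 443))
    print("outside sees", out)                                    # src 203.0.113.1:40000
    print("reply goes to", nat.inbound(Packet("192.0.2.10", 443, "203.0.113.1", 40000)))
    print("unsolicited:", nat.inbound(Packet("198.51.100.7", 12345, "203.0.113.1", 22)))
```

A real NAT also ages mappings out and handles ICMP and protocols that embed addresses in their payload (FTP being the classic case), which is one reason application-layer helpers ended up inside firewalls.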

First Generation: Packet Filters

  1. The first paper on firewall technology was published in 1988 by engineers from Digital Equipment Corporation (DEC). It described a packet filter firewall.
  2. Packet filters act by inspecting individual packets. If a packet matches a filtering rule, the filter either silently drops it or rejects it with an error message sent back to the source.
  3. The mechanism does not consider whether a packet belongs to an existing connection stream, so it keeps no state. It decides on each packet in isolation from the combination of source and destination address, protocol, port numbers, etc.
  4. It works on the first three layers of the OSI model, peeking into the transport layer only to read the source and destination port numbers.
  5. The term "packet filter" originated in the context of BSD operating systems.
  6. Examples are iptables for Linux and PF for BSD. (Both have long since gained connection tracking, so in practice they are used as stateful filters too.)

Second Generation: Stateful Filters

  1. From 1989 to 1990 researchers at AT&T Bell Labs developed the second generation of firewalls, calling them circuit-level gateways.
  2. Operates up to Layer 4 (the transport layer). This is achieved by retaining enough packets in a buffer until enough information is available to make a judgement about the connection's state.
  3. It thus records all connections passing through it and determines whether a packet is part of an existing connection or the start of a new one. This is known as stateful packet inspection.
  4. Because every tracked connection costs memory, it can be DoSed by flooding the firewall with thousands of fake connection-opening packets (e.g. spoofed TCP SYNs) that fill its connection state table, after which legitimate new connections are refused.
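Added example, not from the original notes, putting the first two generations side by side in Python. stateless_filter is the first-generation rule matcher; StatefulFilter consults the same policy only for new connections and accepts later packets because they belong to a tracked connection. It shows the hole a stateless policy must leave open to let replies through (trusting the source port), the stateful filter closing it, and the state-table exhaustion from point 4. The policy, the addresses and ports, the simplified TCP state machine (no sequence numbers or timeouts) and the names Packet, Rule, stateless_filter, StatefulFilter and syn_flood are all constructed for this illustration.

```python
from collections import namedtuple

# Constructed packet model: protocol, addresses, ports and a set of TCP flag names.
Packet = namedtuple("Packet", "proto src dst sport dport flags")
Rule = namedtuple("Rule", "action proto src dst sport dport")
ANY = None                       # wildcard in a rule field
ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"


def rule_matches(rule, pkt):
    pairs = ((rule.proto, pkt.proto), (rule.src, pkt.src), (rule.dst, pkt.dst),
             (rule.sport, pkt.sport), (rule.dport, pkt.dport))
    return all(want is ANY or want == have for want, have in pairs)


def stateless_filter(rules, pkt, default=DROP):
    """First-generation packet filter: first matching rule wins and nothing is
    remembered between packets. DROP is silent; REJECT would send an error back."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed policy: 10.0.0.8 is a published web server, 10.0.0.5 a workstation allowed to browse.
POLICY = [
    Rule(ACCEPT, "tcp", ANY, "10.0.0.8", ANY, 80),
    Rule(ACCEPT, "tcp", "10.0.0.5", ANY, ANY, 80),
]
# A stateless filter can only let web replies back to the workstation by trusting the
# source port, which the remote side (including an attacker) chooses freely.
STATELESS_POLICY = POLICY + [Rule(ACCEPT, "tcp", ANY, "10.0.0.5", 80, ANY)]


class StatefulFilter:
    """Second-generation filter: the policy is consulted only for NEW connections;
    later packets are accepted because they belong to a tracked connection."""

    def __init__(self, policy, max_states=1000):
        self.policy = policy
        self.max_states = max_states          # bounded memory for connection state
        self.states = {}                      # initiator 5-tuple -> state name

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    def filter(self, pkt):
        fwd = self._key(pkt)
        rev = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if rev in self.states:                # reply direction of a tracked connection
            if {"SYN", "ACK"} <= pkt.flags:
                self.states[rev] = "SYN_RECV"
            return ACCEPT
        if fwd in self.states:                # initiator direction of a tracked connection
            if "ACK" in pkt.flags and self.states[fwd] == "SYN_RECV":
                self.states[fwd] = "ESTABLISHED"
            if pkt.flags & {"FIN", "RST"}:    # simplified teardown: forget the connection
                del self.states[fwd]
            return ACCEPT
        # Unknown connection: only a bare SYN may open one, and only if the policy allows it.
        if pkt.proto == "tcp" and pkt.flags != {"SYN"}:
            return DROP
        if stateless_filter(self.policy, pkt) != ACCEPT:
            return DROP
        if len(self.states) >= self.max_states:
            return DROP                       # state table full: the DoS described in point 4
        self.states[fwd] = "SYN_SENT"
        return ACCEPT


def syn_flood(fw, n, victim="10.0.0.8"):
    """Constructed attack: n SYNs from spoofed sources to the published server.
    Returns how many the firewall accepted (and therefore had to track)."""
    accepted = 0
    for i in range(n):
        spoofed = Packet("tcp", f"198.51.100.{i % 250 + 1}", victim, 1024 + i, 80, {"SYN"})
        accepted += fw.filter(spoofed) == ACCEPT
    return accepted


if __name__ == "__main__":
    probe = Packet("tcp", "198.51.100.9", "10.0.0.5", 80, 22, {"SYN"})
    print("stateless lets a sport-80 probe reach SSH:", stateless_filter(STATELESS_POLICY, probe))
    fw = StatefulFilter(POLICY, max_states=100)
    print("stateful drops it:", fw.filter(probe))
    print("SYNs tracked during a 500-packet flood:", syn_flood(fw, 500))
    print("legitimate new connection afterwards:",
          fw.filter(Packet("tcp", "10.0.0.5", "192.0.2.10", 52000, 80, {"SYN"})))
```

Real stateful firewalls mitigate the flood with short timeouts for half-open (SYN_SENT/SYN_RECV) entries, SYN cookies, or per-source limits; the toy above deliberately has none so that the failure mode is visible.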

Third Generation: Application Layer

  1. The key benefit is that it understands certain application-layer protocols (FTP, HTTP, DNS).
  2. Useful for detecting when an unwanted protocol tries to bypass the firewall by using the standard port of a known application (e.g. tunnelling something other than HTTP over port 80).
  3. Can inspect packet payloads for virus signatures.
  4. Host-based application firewalls hook into the operating system's socket calls to filter connections between the application layer and the lower layers; firewalls that work this way are also called socket filters.
  5. Disadvantages are that it is comparatively slow (every payload has to be parsed) and that rules can get complicated. It also cannot possibly support every application-layer protocol.
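Added example (not from the notes) of points 2 and 3: a Python check that the first bytes of a connection actually carry the protocol expected on the destination port, followed by a signature scan of the payload. The port table, the classifier heuristics, the names classify_payload/inspect and the second signature are constructed for this illustration; the first signature is a fragment of the standard EICAR antivirus test string.

```python
import re

# A request line such as "GET /index.html HTTP/1.1\r\n" (methods from RFC 9110).
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n")

# Constructed: which protocol the policy expects on each well-known port.
EXPECTED_ON_PORT = {22: "ssh", 80: "http", 443: "tls"}

# Constructed stand-in for a signature database (byte patterns -> name).
SIGNATURES = {
    "eicar-test-file": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",   # real AV test string fragment
    "example-webshell": b"<?php eval($_POST[",                  # constructed for the example
}


def classify_payload(payload):
    """Guess the application protocol from the first bytes a client sends."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if payload.startswith(b"SSH-2.0-"):           # SSH identification string
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                              # TLS record: handshake (22), version 3.x
    return "unknown"


def inspect(dport, payload):
    """Application-layer verdict for the first data of a connection: (verdict, reason).
    Drops a protocol that does not belong on the port, then scans for signatures."""
    proto = classify_payload(payload)
    expected = EXPECTED_ON_PORT.get(dport)
    if expected is not None and proto != expected:
        return "DROP", f"port {dport} expects {expected}, saw {proto}"
    for name, sig in SIGNATURES.items():
        if sig in payload:
            return "DROP", f"signature {name}"
    return "ACCEPT", proto


if __name__ == "__main__":
    # Constructed sample payloads.
    print(inspect(80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"))
    print(inspect(80, b"SSH-2.0-OpenSSH_9.6\r\n"))              # SSH hiding on the web port
    print(inspect(80, b"POST /up HTTP/1.1\r\n\r\n<?php eval($_POST['c']); ?>"))
```

This is also where the cost from point 5 comes from: the filter has to read and parse payload bytes for every new connection, and a protocol it has no classifier for (here anything not HTTP, SSH or TLS) can only be treated as "unknown".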