1.1 Firewall in computer networks
Firewall: A set of related programs, located at a network gateway server, which protects the resources of a private network from users from other networks using security policies.
The Internet has made large amounts of information available to the average computer user at home, in business and in education. For many people, having access to this information is no longer just an advantage, it is essential. Yet connecting a private network to the Internet can expose critical or confidential data to malicious attack from anywhere in the world. Users who connect their computers to the Internet must be aware of these dangers, their implications and how to protect their data and their critical systems. Firewalls can protect both individual computers and corporate networks from hostile intrusion from the Internet, but must be understood to be used correctly.
Even with a firewall in place, policy anomalies remain a concern. Firewall policy management is a challenging task due to the complexity and interdependency of policy rules. This is further exacerbated by the continuous evolution of network and system environments. The process of configuring a firewall is tedious and error prone. Therefore, effective mechanisms and tools for policy management are crucial to the success of firewalls. Rapid changes to protocols and to the networks themselves demand stronger and more efficient firewall policies. Some new technologies in the firewall field are suggested.
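One concrete form of the rule interdependency mentioned above is a shadowed rule: a later rule that can never fire because an earlier rule with the opposite action already covers every packet it would match. The following is an added example, not code from this paper; it models a first-match packet filter with a constructed five-tuple rule format (action, protocol, source CIDR, destination CIDR, destination port range) and checks a constructed sample policy for shadowing.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # source CIDR
    dst: str       # destination CIDR
    dport: tuple   # (low, high) inclusive destination port range

    def matches(self, proto, src_ip, dst_ip, dport):
        """Does this rule match a single packet?"""
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.dport[0] <= dport <= self.dport[1])

    def covers(self, other):
        """True if every packet matched by `other` is also matched by self."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        src_ok = ip_network(other.src).subnet_of(ip_network(self.src))
        dst_ok = ip_network(other.dst).subnet_of(ip_network(self.dst))
        port_ok = self.dport[0] <= other.dport[0] and other.dport[1] <= self.dport[1]
        return proto_ok and src_ok and dst_ok and port_ok


def evaluate(rules, proto, src_ip, dst_ip, dport, default="deny"):
    """First-match semantics, as in a classic packet filter; default deny."""
    for r in rules:
        if r.matches(proto, src_ip, dst_ip, dport):
            return r.action
    return default


def shadowed_rules(rules):
    """Indices of rules that can never fire: an earlier rule with a
    different action already covers every packet they would match."""
    out = []
    for i, r in enumerate(rules):
        if any(e.action != r.action and e.covers(r) for e in rules[:i]):
            out.append(i)
    return out


# Constructed sample policy (assumed, not from the paper): rule 2 is shadowed by rule 0.
POLICY = [
    Rule("deny",  "tcp", "10.0.0.0/8",  "0.0.0.0/0",     (1, 65535)),
    Rule("allow", "udp", "10.0.0.0/8",  "192.0.2.53/32", (53, 53)),
    Rule("allow", "tcp", "10.1.2.0/24", "192.0.2.10/32", (443, 443)),
]

if __name__ == "__main__":
    print(evaluate(POLICY, "tcp", "10.1.2.7", "192.0.2.10", 443))  # deny
    print(shadowed_rules(POLICY))  # [2]
```

The intended HTTPS exception in rule 2 is silently dead because rule 0 denies all TCP from the same source range first; reordering rule 2 above rule 0 would fix it.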
Firewalls have existed since about 1987, and several surveys and histories have already been written. However, none of them provide both the depth and breadth of this survey, nor do they focus on the peer-reviewed literature describing firewall technology. In 1994, Alec Muffett wrote a paper which provided an excellent review of the firewall policies and architectures of the time. This paper was aimed at people considering implementing a firewall, describing the technologies which they might select, their tradeoffs, and how to maintain a firewall. One section of the Internet standards document RFC 1636 [Braden et al. 1994] is about the status of firewalls as of February, 1994. In this section, they discuss the problem of false security that a firewall often provides to an organization behind one. They also review the concepts of application- and transport-level proxies, as well as simple packet filtering. They discuss the problems of authentication and enforcing policy, and provide some solutions from the time. One of the most important parts of the firewall section is a discussion of how to design firewall-friendly protocols in the future.
The first generation of firewall architectures has been around almost as long as routers, first appearing around 1985 and coming out of Cisco's IOS software division. These firewalls are called packet filter firewalls. However, the first paper describing the screening process used by packet filter firewalls did not appear until 1988, when Jeff Mogul from Digital Equipment Corporation published his studies.
During the 1989-1990 timeframe, Dave Presotto and Howard Trickey of AT&T Bell Laboratories pioneered the second generation of firewall architectures with their research in circuit relays, which are also known as circuit level firewalls. They also implemented the first working model of the third generation of firewall architectures, known as application layer firewalls. However, they neither published any papers describing this architecture nor released a product based upon their work.
As is often the case in research and development, the third generation of firewall architectures was independently researched and developed by several people across the United States during the late 1980s and early 1990s. Publications by Gene Spafford of Purdue University, Bill Cheswick of AT&T Bell Laboratories, and Marcus...