
FIREWALL

INTRODUCTION
What Is a Firewall?
A firewall is a network security device that observes and filters incoming and outgoing network
traffic according to the security policies defined by an organization. Essentially, it acts as a
protective wall between a private internal network and the public Internet.
Fencing your property protects your house and keeps trespassers at bay; similarly, firewalls
are used to secure a computer network. Firewalls are network security systems that prevent
unauthorized access to a network. A firewall can be a hardware or software unit that filters the
incoming and outgoing traffic of a private network according to a set of rules, in order to spot
and prevent cyberattacks.
Firewalls are used in enterprise and personal settings and are a vital component of network
security. Most operating systems have a basic built-in firewall; a third-party firewall
application, however, generally provides better protection.
Put another way, a firewall is a network security device, either hardware- or software-based,
that monitors all incoming and outgoing traffic and, based on a defined set of security rules,
accepts, rejects, or drops that traffic. At its most basic level it is the wall that separates a
private internal network from the open Internet.

Page 1 of 20

Basic concepts of a firewall


To understand what a firewall is, one can imagine it in biological terms as the human organ
known as skin. Skin does not actually kill hostile foreign bodies; it simply obstructs them.
In a human, for example, the loss of more than 50% of the skin results in death, simply
because the immune system cannot repel invaders across such a large exposed surface area.
The same can be said of firewalls, which, unlike intrusion detection systems (IDS), cannot
actually detect hostile invaders but simply limit their access to your sensitive internal servers.
Properly designed and deployed, a firewall operates as a shield around your network, just as
skin does on a human.
A firewall functions by acting on traffic according to its policy. A policy is a set of rules,
and a rule is an action taken on traffic that fits certain criteria. A single rule is made up of
four basic elements:
Source
o This is where the IP traffic is coming from. It is specified as one of the following:
o A single IP address or multiple IP addresses
o One or more networks in the form of a network ID and subnet mask
o A combination of IP addresses and network addresses

Destination
o This is where the IP traffic is going to. It is specified as one of the following:
o A single IP address or multiple IP addresses
o One or more networks in the form of a network ID and subnet mask
o A combination of IP addresses and network addresses


Service
o This is the type of protocol that the traffic is using. It is specified as one of the following:
o One or more destination TCP ports
o One or more destination UDP ports
o A group or combination of destination TCP and UDP ports
o Although the source port can be limited to a certain range, it is generally left wide open;
it is the destination port that is primarily specified.

Action
o The administrator chooses from the following options if all three of the above criteria match:
o Reject the traffic
o Drop the traffic
o Permit the traffic
o Encrypt the traffic, on IPsec VPN-capable firewalls


Types of firewalls
Firewalls are categorized as network-based or host-based systems. Network-based firewalls
are positioned between two or more networks, typically between the local area network (LAN)
and the wide area network (WAN); their basic function is to control the flow of data between
the connected networks. They are either a software appliance running on general-purpose
hardware, a hardware appliance running on special-purpose hardware, or a virtual appliance
running on a virtual host controlled by a hypervisor. Firewall appliances may also offer
non-firewall functionality, such as DHCP or VPN services. Host-based firewalls are deployed
directly on the host itself to control network traffic or other computing resources. This can be
a daemon or service that is part of the operating system, or an agent application installed for
protection.

Packet filter
The first reported type of network firewall is called a packet filter, which inspects packets
transferred between computers. The firewall maintains an access-control list that dictates
which packets will be looked at and what action, if any, should be applied, with the default
action set to silent discard. The three basic actions on a packet are a silent discard, a discard
with an Internet Control Message Protocol (ICMP) or TCP reset response to the sender, and
forwarding to the next hop. Packets may be filtered by source and destination IP addresses,
protocol, or source and destination ports. The bulk of Internet communication in the 20th and
early 21st century used either the Transmission Control Protocol (TCP) or the User Datagram
Protocol (UDP) in conjunction with well-known ports, enabling firewalls of that era to
distinguish between specific types of traffic such as web browsing, remote printing, email
transmission, and file transfers.


The first paper published on firewall technology was in 1987 when engineers from Digital
Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. At
AT&T Bell Labs, Bill Cheswick and Steve Bellovin continued their research in packet
filtering and developed a working model for their own company based on their original first-
generation architecture. In 1992, Steven McCanne and Van Jacobson released a paper on
BSD Packet Filter (BPF) while at Lawrence Berkeley Laboratory.

Connection Tracking

From 1989–1990, three colleagues from AT&T Bell Laboratories, Dave Presotto, Janardan
Sharma, and Kshitij Nigam, developed the second generation of firewalls, calling them
circuit-level gateways.

Second-generation firewalls perform the work of their first-generation predecessors but also
maintain knowledge of specific conversations between endpoints by remembering which port
number the two IP addresses are using at layer 4 (transport layer) of the OSI model for their
conversation, allowing examination of the overall exchange between the nodes.

Application layer
Marcus Ranum, Wei Xu, and Peter Churchyard released an application firewall known as
Firewall Toolkit (FWTK) in October 1993. This became the basis for Gauntlet firewall at
Trusted Information Systems.

The key benefit of application layer filtering is that it can understand certain applications and
protocols such as the File Transfer Protocol (FTP), the Domain Name System (DNS), or the
Hypertext Transfer Protocol (HTTP). This allows it to identify unwanted applications or
services using a non-standard port, or to detect whether an allowed protocol is being abused.
It can also provide unified security management, including enforced encrypted DNS and
virtual private networking.
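As an added example (not code from the report), the following Python sketch shows the application-layer check just described: it classifies the first client bytes of a TCP stream by content and compares the result with the service the destination port is permitted to carry, so both a protocol abused on its own port and a service hiding on a non-standard port are flagged. The port-to-protocol table and all payloads are constructed for the example.

```python
"""Application-layer identification: classify a TCP payload by content and
compare it with the service the destination port is permitted to carry.
Added example, not from the report; payloads and the port table are constructed."""
import re
import struct
from typing import Tuple

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def identify(payload: bytes) -> str:
    """Best-effort classification of the first bytes sent by a client."""
    if REQUEST_LINE.match(payload):
        return "http"
    # TLS: record type 0x16 (handshake), record version 0x03 0x0x, and the
    # handshake message type at offset 5 is 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 \
            and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    # DNS over TCP: two-byte length prefix, then a header whose QR bit is 0
    # (a query) and whose QDCOUNT is at least 1.
    if len(payload) >= 14:
        (length,) = struct.unpack("!H", payload[:2])
        flags, qdcount = struct.unpack("!HH", payload[4:8])
        if length == len(payload) - 2 and not flags & 0x8000 and qdcount >= 1:
            return "dns"
    return "unknown"


# Constructed policy: which protocol each open destination port must carry.
EXPECTED = {80: "http", 443: "tls", 53: "dns", 22: "ssh"}


def check(dport: int, payload: bytes) -> Tuple[str, str]:
    """Permit only when the observed protocol is the one the port is open for.
    A mismatch covers both cases in the text: a protocol being abused on its
    own port and a service hiding on a non-standard port."""
    expected = EXPECTED.get(dport)
    if expected is None:
        return "drop", f"port {dport} is not open"
    seen = identify(payload)
    if seen == expected:
        return "permit", f"{seen} on {dport}"
    return "block", f"port {dport} expects {expected}, saw {seen}"


# Constructed sample payloads (first client bytes of each stream).
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
_DNS_MSG = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # header: QR=0, QDCOUNT=1
            + b"\x07example\x03com\x00\x00\x01\x00\x01")          # question: example.com A IN
DNS_TCP_QUERY = struct.pack("!H", len(_DNS_MSG)) + _DNS_MSG

if __name__ == "__main__":
    for dport, payload in [(80, HTTP_REQ), (443, TLS_HELLO), (53, DNS_TCP_QUERY),
                           (443, SSH_BANNER), (22, HTTP_REQ), (8080, HTTP_REQ)]:
        print(dport, *check(dport, payload))
```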


As of 2012, the next-generation firewall provides a wider range of inspection at the
application layer, extending deep packet inspection functionality to include, but not limited
to:

➢ Web filtering
➢ Intrusion prevention systems
➢ User identity management
➢ Web application firewall
➢ Content inspection and heuristic analysis

Endpoint specific
Endpoint-based application firewalls function by determining whether a process should
accept any given connection. Application firewalls filter connections by examining the
process ID of data packets against a rule set for the local process involved in the data
transmission. Application firewalls accomplish their function by hooking into socket calls to
filter the connections between the application layer and the lower layers. Application
firewalls that hook into socket calls are also referred to as socket filters.


History of Firewalls
Firewall technology first began to emerge in the late 1980s, when the Internet was still a fairly
new technology in terms of its global usage and connectivity. The original idea was formed in
response to a number of major Internet security breaches which occurred in the late 1980s. In
1988 an employee at the NASA Ames Research Center in California sent a memo by e-mail
warning of an "Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore,
Stanford, and NASA Ames."
This virus, known as the Morris Worm, was carried by e-mail and is now a common nuisance
for even the most innocuous domestic user.
The Morris Worm was the first large-scale attack on Internet security, one which the online
community neither expected nor was prepared for. The Internet community made it a top
priority to prevent any future attacks and began to collaborate on new ideas, systems and
software to make the Internet safe again.
The first paper published on firewall technology was in 1988, when Jeff Mogul from Digital
Equipment Corp. developed filter systems known as packet filter firewalls. This fairly basic
system was the first generation of what would become a highly evolved and technical Internet
security feature. From 1980-1990 two colleagues from AT&T Bell Laboratories, Dave
Presotto and Howard Trickey, developed the second generation of firewalls, known as
circuit-level firewalls.
Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T laboratories and
Marcus Ranum described a third generation firewall known as application layer firewall, also
known as proxy-based firewalls. Marcus Ranum's work on the technology spearheaded the
creation of the first commercial product.
The product was released by Digital Equipment Corporation (DEC), which named it the SEAL
product. DEC's first major sale was on June 13, 1991, to a chemical company based on the
East Coast of the USA.
At AT&T, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering
and developed a working model for their own company based upon their original
first-generation architecture. In 1992, Bob Braden and Annette DeSchon at the University of
Southern California were developing their own fourth-generation packet filter firewall
system.
The product, known as "Visas", was the first system to have a visual integration interface with
colours and icons, which could be easily implemented on and accessed from a computer
operating system such as Microsoft's Windows or Apple's Mac OS. In 1994 an Israeli
company called Check Point Software Technologies built this into readily available software
known as FireWall-1.


Application
A firewall is a crucial component of network security that monitors and controls incoming
and outgoing network traffic based on predetermined security rules. Its primary function is to
establish a barrier between a trusted internal network and untrusted external networks (such
as the internet). Here are the key applications and details of how firewalls are used:
1. *Packet Filtering*: Firewalls inspect packets of data as they pass through. They examine
the source and destination IP addresses, ports, and sometimes the packet's content. Based on
predefined rules, the firewall decides whether to allow or block the packet. This helps prevent
unauthorized access and attacks from reaching the internal network.
2. *Stateful Inspection*: Modern firewalls go beyond simple packet filtering. They maintain
records of established connections and evaluate incoming packets in the context of these
connections. This approach ensures that only legitimate traffic associated with established
connections is allowed through.
3. *Proxy Service*: Some firewalls act as proxies for certain types of traffic. Instead of
directly passing packets between networks, they intercept and forward traffic on behalf of the
requesting device. This allows for additional security checks and can hide internal network
details from external sources.
4. *Application Layer Filtering*: Application layer firewalls (also known as next-generation
firewalls) operate at the application layer of the OSI model. They can inspect data beyond IP
addresses and ports, examining the actual content of the traffic to detect and block specific
application-layer threats and unauthorized activities.
5. *Virtual Private Network (VPN) Management*: Firewalls often include VPN capabilities,
allowing them to manage and secure encrypted connections between remote devices and the
internal network. This ensures that data exchanged over the VPN remains confidential and
secure from eavesdropping or tampering.
6. *Intrusion Detection and Prevention*: Some advanced firewalls integrate intrusion
detection and prevention systems (IDPS). These systems monitor network traffic for signs of
known attack patterns or suspicious behavior and can automatically block or alert
administrators about potential threats.
7. *Content Filtering*: Firewalls can enforce policies regarding the type of content that users
can access over the network. This includes blocking access to specific websites, filtering web
content based on categories (e.g., adult content, social media), or enforcing bandwidth
limitations for certain types of traffic.
8. *Logging and Reporting*: Firewalls maintain logs of network traffic and security events.
These logs are essential for monitoring network activity, identifying security incidents, and
auditing compliance with security policies. Reporting features provide administrators with
insights into network usage patterns and potential security threats.
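The connection tracking that the Connection Tracking section above attributes to second-generation firewalls, and that item 2 here calls stateful inspection, can be sketched in code. This is an added Python example, not the report's own code; the inside prefix 10.0.0. and every address and port in the trace are constructed.

```python
"""Connection tracking (stateful inspection) for TCP, sketched on top of
the per-packet matching of a first-generation filter. Added example; all
addresses and the inside prefix are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INSIDE_PREFIX = "10.0.0."      # constructed: the protected internal network


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                 # TCP flags as letters: "S", "SA", "A", "FA", "R"


# Both directions of a conversation share one entry, keyed by the two
# endpoints and the two layer-4 ports the endpoints chose.
ConnKey = Tuple[str, int, str, int]


def is_inside(host: str) -> bool:
    return host.startswith(INSIDE_PREFIX)


class StatefulFilter:
    """Permits connections opened from the inside and the replies that belong
    to them; anything arriving from outside that is not part of a tracked
    conversation is dropped, including a bare ACK, which a stateless
    'established' rule keyed only on the ACK bit would let through."""

    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}

    @staticmethod
    def _key(seg: Segment) -> ConnKey:
        a = (seg.src, seg.sport, seg.dst, seg.dport)
        b = (seg.dst, seg.dport, seg.src, seg.sport)
        return min(a, b)               # direction-independent key

    def state_of(self, seg: Segment) -> Optional[str]:
        return self.table.get(self._key(seg))

    def handle(self, seg: Segment) -> str:
        key = self._key(seg)
        state = self.table.get(key)

        if state is None:
            # Only an inside host may open a new conversation, and only with a SYN.
            if is_inside(seg.src) and seg.flags == "S":
                self.table[key] = "SYN_SENT"
                return "permit"
            return "drop"

        if state == "SYN_SENT":
            if seg.flags == "S" and is_inside(seg.src):
                return "permit"        # SYN retransmission from the initiator
            if seg.flags == "SA" and is_inside(seg.dst):
                self.table[key] = "ESTABLISHED"
                return "permit"
            if seg.flags == "R":
                del self.table[key]    # connection refused by the peer
                return "permit"
            return "drop"              # out-of-sequence segment

        # ESTABLISHED or CLOSING: the segment belongs to a tracked conversation.
        if seg.flags == "R":
            del self.table[key]
        elif "F" in seg.flags:
            if state == "CLOSING":
                del self.table[key]    # second FIN: both sides have finished
            else:
                self.table[key] = "CLOSING"
        return "permit"


def run(segments) -> List[str]:
    """Feed a sequence of segments through one filter; returns the verdicts."""
    fw = StatefulFilter()
    return [fw.handle(s) for s in segments]


# Constructed trace: one legitimate outbound HTTPS session plus two
# unsolicited inbound segments to the same inside host.
TRACE = [
    Segment("10.0.0.5", 40000, "192.0.2.80", 443, "S"),    # inside opens
    Segment("192.0.2.80", 443, "10.0.0.5", 40000, "SA"),   # reply accepted
    Segment("10.0.0.5", 40000, "192.0.2.80", 443, "A"),
    Segment("192.0.2.66", 5555, "10.0.0.5", 22, "S"),      # unsolicited inbound SYN
    Segment("192.0.2.66", 5555, "10.0.0.5", 22, "A"),      # stray ACK, untracked
    Segment("192.0.2.80", 443, "10.0.0.5", 40000, "FA"),
    Segment("10.0.0.5", 40000, "192.0.2.80", 443, "FA"),   # entry removed
]

if __name__ == "__main__":
    for seg, verdict in zip(TRACE, run(TRACE)):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} [{seg.flags}] {verdict}")
```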
In summary, firewalls are versatile tools that play a critical role in protecting networks from
unauthorized access, cyberattacks, and data breaches. Their application spans from basic
packet filtering to sophisticated inspection of application-layer traffic, making them essential
for maintaining network security in today's interconnected world.


How Technology works and its Architecture


A firewall matches network traffic against the rule set defined in its table. Once a rule is
matched, the associated action is applied to the traffic. For example, one rule may state that
employees from the Human Resources department cannot access data on the code server,
while another rule states that the system administrator can access data from both the Human
Resources and technical departments. Rules are defined on the firewall according to the needs
and security policies of the organization. From the perspective of a server, network traffic is
either outgoing or incoming.

The firewall maintains a distinct set of rules for each case. Outgoing traffic, originating from
the server itself, is mostly allowed to pass. Still, setting rules on outgoing traffic is better in
order to achieve more security and prevent unwanted communication. Incoming traffic is
treated differently. Most traffic that reaches the firewall uses one of three major transport-layer
protocols: TCP, UDP or ICMP. All three carry a source address and a destination address. TCP
and UDP additionally have port numbers, whereas ICMP uses a type and code instead of a port
number to identify the purpose of the packet.

Default policy: It is very difficult to explicitly cover every possible rule on the firewall. For
this reason, the firewall must always have a default policy. The default policy consists only of
an action (accept, reject or drop). Suppose no rule about SSH connections to the server is
defined on the firewall; the firewall will then follow the default policy. If the default policy is
set to accept, any computer outside your office can establish an SSH connection to the server.
Therefore, setting the default policy to drop (or reject) is always good practice.



Limitations
Firewalls are critical components of network security, but they do have some limitations that
are important to understand:
1. *Inability to Protect Against Malicious Insiders*: Firewalls are primarily designed to
protect against external threats. They cannot prevent attacks from insiders who have
legitimate access to the network and may misuse their privileges.
2. *Encrypted Traffic Inspection Challenges*: Modern firewalls can inspect encrypted traffic,
but it's resource-intensive and may impact performance. Moreover, they can't inspect
encrypted traffic if they lack the decryption keys.
3. *Limited Application Awareness*: Traditional firewalls often operate at the network layer
(Layer 3 or 4 of the OSI model) and may not thoroughly inspect higher-layer protocols and
applications. This can allow certain application-layer attacks to bypass them.
4. *Vulnerabilities in Allowed Ports and Protocols*: Firewalls permit traffic based on
predefined rules for ports and protocols. Attackers can exploit vulnerabilities in allowed
services or misuse allowed ports (e.g., HTTP/HTTPS) for attacks.
5. *Lack of Protection Against Advanced Persistent Threats (APTs)*: Sophisticated attacks
like APTs can evade detection by traditional firewalls because they may involve slow and
subtle activities over a long period, making them difficult to detect based on predefined rules.
6. *Single Point of Failure*: If a firewall fails or becomes compromised, it can leave the
entire network vulnerable until the issue is resolved. Redundancy and failover configurations
help mitigate this risk but add complexity and cost.
7. *Limited Effectiveness Against Social Engineering*: Firewalls cannot prevent attacks that
rely on human manipulation, such as phishing attacks or pretexting, where attackers trick
users into divulging sensitive information or performing actions that compromise security.
8. *Performance Impact*: Firewalls inspect and filter traffic, which can introduce latency,
especially in high-traffic environments or when deep packet inspection (DPI) is enabled. This
impact may affect user experience and application performance.
9. *Complex Configuration*: Proper configuration of firewalls requires understanding of
network protocols, applications, and potential threats. Misconfiguration can inadvertently
allow unauthorized access or block legitimate traffic.
10. *Emerging Threats and Zero-Day Attacks*: Firewalls rely on known patterns and
signatures to detect threats. New and evolving threats, including zero-day exploits, may not
be detected until vendors update their threat databases and signatures.
Despite these limitations, firewalls remain essential components of network security. They
are often supplemented with other security measures such as intrusion detection/prevention
systems (IDS/IPS), endpoint protection, and user education to provide comprehensive
protection against a wide range of threats.


Advantages of using Firewall


➢ Protection from unauthorized access: Firewalls can be set up to restrict incoming
traffic from particular IP addresses or networks, preventing hackers or other malicious
actors from easily accessing a network or system.
➢ Prevention of malware and other threats: Firewalls can be set up to block traffic
linked to known malware or other security concerns, assisting in the defense against
these kinds of attacks.
➢ Control of network access: By limiting access to specified individuals or groups for
particular servers or applications, firewalls can be used to restrict access to particular
network resources or services.
➢ Monitoring of network activity: Firewalls can be set up to record and keep track of all
network activity.
➢ Regulation compliance: Many industries are bound by rules that demand the usage of
firewalls or other security measures.
➢ Network segmentation: By using firewalls to split up a bigger network into smaller
subnets, the attack surface is reduced and the security level is raised.


Disadvantages of using Firewall


➢ Complexity: Setting up and keeping up a firewall can be time-consuming and
difficult, especially for bigger networks or companies with a wide variety of users and
devices.
➢ Limited Visibility: Firewalls may not be able to identify or stop security risks that
operate at other levels, such as the application or endpoint level, because they can
only observe and manage traffic at the network level.
➢ False sense of security: Some businesses may place an excessive amount of reliance
on their firewall and disregard other crucial security measures like endpoint security
or intrusion detection systems.
➢ Limited adaptability: Because firewalls are frequently rule-based, they might not be
able to respond to fresh security threats.
➢ Performance impact: Network performance can be significantly impacted by
firewalls, particularly if they are set up to analyze or manage a lot of traffic.
➢ Limited scalability: Because firewalls are only able to secure one network, businesses
that have several networks must deploy many firewalls, which can be expensive.
➢ Limited VPN support: Some firewalls might not allow complex VPN features like
split tunneling, which could restrict the experience of a remote worker.
➢ Cost: Purchasing many devices or add-on features for a firewall system can be
expensive, especially for businesses.


Future
The future of firewalls is evolving rapidly due to the changing landscape of cybersecurity
threats and technological advancements. Here are some key trends shaping the future of
firewalls:
1. *Integration of AI and Machine Learning*: Firewalls are increasingly incorporating AI and
machine learning algorithms to enhance threat detection and response capabilities. These
technologies help in analyzing vast amounts of data to identify patterns indicative of cyber
threats, enabling quicker and more accurate responses.
2. *Cloud-Based Firewalls*: With the rise of cloud computing and the adoption of hybrid and
multi-cloud environments, traditional on-premises firewalls are being supplemented or
replaced by cloud-based firewall solutions. These offer scalability, flexibility, and centralized
management across distributed networks.
3. *Zero Trust Architecture (ZTA)*: Firewalls are moving towards Zero Trust principles,
where access to resources is granted based on strict verification of identity and continuous
monitoring of device health and behavior. This approach minimizes the attack surface and
improves overall security posture.
4. *Next-Generation Firewalls (NGFWs)*: NGFWs continue to evolve with added
capabilities such as advanced threat detection, application awareness, intrusion prevention,
and integration with threat intelligence feeds. They provide deeper visibility into network
traffic and more granular control over applications and user behavior.
5. *IoT and OT Security*: As the number of IoT (Internet of Things) and OT (Operational
Technology) devices grows, firewalls are adapting to secure these diverse and often
vulnerable endpoints. Specialized firewalls are being developed to address the unique
security challenges posed by IoT and OT environments.
6. *API Security*: With the increasing reliance on APIs (Application Programming
Interfaces) for connectivity and data exchange, firewalls are expanding to include API
security features. This includes validation, authentication, encryption, and monitoring of API
traffic to protect against vulnerabilities and attacks.
7. **Automated Response


Conclusion
As the Internet becomes more a part of business, firewalls are becoming an important
ingredient of an overall network security policy. We have seen that there are several
approaches to integrating a firewall into a network topology. We have also found that there are
many possible criteria on which decisions are made regarding whether to implement a
firewall and, if so, which one. Generally, performance, feature set (that is, does this product
provide security in the ways that are most needed) and how well the product fits into the
current network infrastructure are the most important issues. The firewall market is still
relatively young and there is an abundance of choices (approximately 40 vendors currently
offer products), so it is expected that as the market matures, the products that succeed will be
those that excel in these areas.

