Origins of Firewalls: Development of firewall architecture has been contemporaneous with the evolution of the Internet. Not surprisingly, initial funding for firewall research was the domain of the U.S. Department of Defense. The origins of the first commercial firewall architecture may be traced to the mid-to-late 1980s with Cisco Systems, who introduced (static) packet filters. In the late 1980s and early 1990s the next generation of firewalls, called circuit level firewalls, came out of research at AT&T Bell Labs. Then the third generation of firewalls came to attention in the early 1990s, out of work from Bell Labs and others, with application layer firewalls. A fourth generation, called dynamic packet filtering firewalls, sometimes called stateful inspection, was epitomized by Firewall-1, the first user-friendly firewall architecture, released by Check Point Technologies in 1994. This essentially replaced static packet filtering as a standard. Today there is the fifth generation of firewall, called Kernel Proxy Architecture, the first commercial incarnation being Cisco System's Centri Firewall, released in 1997. All of the aforementioned types will be discussed below.
Firewall Design Principles: If the security goal of a local network that has its own local security policy is to explicitly deny all transmissions that fail those criteria, then the following firewall design goals should be sought: (1) all data traffic into and out of the local network must physically be directed through the firewall; and (2) the firewall must be impenetrable.
The local security policy will dictate the level of monitoring, and what traffic will be permitted or denied access. Typically a local network will want a balance between protection of that local system from threats, and access to the Internet.
What A Firewall Can Do
First of all, in general terms, firewalls guard against unauthorized access from outside the protected local network, but allow access from within the local network to the outside. A more intricate firewall scheme will ensure that certain entities within the local network are prevented from accessing certain sensitive documents inside, as well as prevent users from within the local network from sending confidential, sensitive, or vulnerable data outside the firewall.
A firewall provides a single choke point where security, audit, tracking (of logins, Internet usage, etc.), and other management functions may be concentrated into a single system. Security alarms can also be set.
A firewall may be employed as a foundation upon which to implement
IPSec (see Section 8.3). Some opinions in the cryptographic community even
suggest that IPSec usage will replace firewalls altogether, but that remains to
be seen. What can be done is to use a firewall to establish VPNs via IPSec
employed in firewall-to-firewall tunnel mode (see Diagram 8.20).
Firewalls may also serve the function of Network Address Translator (NAT), by which they can alter data in packets to change the network address, which means one set of IP addresses is used for local network traffic and another is used for external traffic. The firewall would have a NAT box installed to make all the requisite IP address translations. In this fashion, the firewall hides all local network IP addresses. Moreover, behind the firewall in the local network,
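As an added illustration (not code from the book), here is a small Python model of the choke-point and NAT behaviour described above: local hosts appear behind one external address, only flows opened from inside are given a mapping, and inbound packets that match no mapping are dropped and logged at the choke point. The class name, addresses and port range are all constructed for this example.

```python
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Hypothetical choke point doing source NAT: local hosts share one external
    address, only flows opened from inside get a mapping, and inbound packets
    that match no mapping are dropped and logged."""

    def __init__(self, external_ip, local_prefix, first_port=40000):
        self.external_ip = external_ip
        self.local_prefix = local_prefix           # e.g. "192.168.1." (constructed)
        self._ports = itertools.count(first_port)  # external ports handed out
        self.out_map = {}   # (local ip, port, remote ip, port) -> external port
        self.in_map = {}    # external port -> (local ip, port, remote ip, port)
        self.log = []       # audit trail kept at the single choke point

    def translate_outbound(self, pkt):
        """Rewrite a packet leaving the local network; None means drop."""
        if not pkt.src_ip.startswith(self.local_prefix):
            self.log.append(("drop-out", pkt))     # non-local source address
            return None
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.out_map:               # first packet of the flow
            port = next(self._ports)
            self.out_map[flow] = port
            self.in_map[port] = flow
            self.log.append(("open", flow, port))
        return Packet(self.external_ip, self.out_map[flow], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Rewrite a packet arriving from outside; unsolicited traffic is dropped."""
        flow = self.in_map.get(pkt.dst_port) if pkt.dst_ip == self.external_ip else None
        # The reply must come from the remote endpoint the local host contacted.
        if flow is None or (pkt.src_ip, pkt.src_port) != (flow[2], flow[3]):
            self.log.append(("drop-in", pkt))
            return None
        return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])
```

The audit log is the place where the "security alarms" mentioned above would be raised, for instance on a burst of "drop-in" entries from one source.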