A firewall is a hardware or software device which is configured to permit, deny or proxy data through a computer network which has different levels of trust. An example is XPPro's firewall ( part of the security package ). Note the this is not a true firewall as it only protects in ONE direction. It filters incoming packets, but not outgoing. This is important as sooner or later you are going to get another virus. If it is typical of today's virii, it will send out many many emails to all of your friends in your address book ( so that they get to send emails out too...) then start sending to 1000's if not 100,000's of other folks you may or may not know. Having a two way firewall can protect you by filtering some of the outgoing packets by blocking or dropping them. Here in Libby we have ISP's that don't screw around and shut off your internet access until a professional looks at your computer and blesses it as OkieDokie. Of course, this is after $$$$ in repair and even more important, lost work because of downtime.

A highly configurable and very secure firewall usually runs on a router as the firewall application software can make decisions of what to do with certain packets, modify them before they get to the routing software; which sends either somewhere new ( pre-routing ), or the original destination ( packet forwarding ) or even drop them before they reach the internal network. I build firewalls using 'older' PC equipment. They are very secure and usually sit under a desk somewhere out of the way silently filtering traffic inbound to network. No monitor, keyboard or mouse attached which permits placing them in remote spots. If you don't have physical access to the machine, or a logname and password, you don't get in. Very secure! One of the best things a standalone box does is it prevents people from turning off the firewall! Windoz lets you do that, as does a MAC. If the firewall is running on a local machine and there are problems not related to packet routing, the first thing to get shut down is ... guess what? Yup. The firewall; and we are lucky if it gets turned back on! Is your network protected?

More Info:

1. Function
2. History
• Packet filters
• Stateful filters
• Application layer products
• Subsequent developments
3. Types
• Network layer and packet filters
• Application-layer
• Proxies
• Network address translation

A firewall's basic task is to inspect traffic coming and going between computer networks. Typical examples are the Internet which is a zone with no trust and an internal network which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or Demilitarized zone network. (DMZ). By using a properly configured firewall you are isolating one network from another. Ok, so if you are totally isolated, you wouldn't be able to surf or check your email. Guess what? Network firewalls are designed to allow some traffic to flow.

Without proper configuration, a firewall is worthless. Standard security practices dictate a "default-deny" firewall ruleset, in which the only network connections which are allowed are the ones that have been explicitly allowed. Unfortunately, such a configuration requires detailed understanding of the network applications and endpoints required for the organization's day-to-day operation. Many businesses lack such understanding, and therefore implement a "default-allow" ruleset, in which all traffic is allowed unless it has specifically blocked. In fact, micro$oft first shipped XP with the firewall turned on, but allowed anything into the comptuter. This configuration makes inadvertent network connections and system compromise highly likely. Newer versions of micro$oft stuff has changed, but you never know what they will do. Check your computers security!

Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The original idea was formed in response to a number of major internet security breaches, which occurred in the late 1980s. In 1988 an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues that read,

We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames.

The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one. [edit] First generation - packet filters

The first paper published on firewall technology was in 1988, when Dodong Sean James and Elohra from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical internet security feature. At AT&T Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture. Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source). This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, which comprises most internet communication, the port number). Because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.

Second generation - "stateful" filters

Third generation - application layer

Subsequent developments

In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were developing their own fourth generation packet filter firewall system. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be easily implemented to and accessed on a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.

A second generation of proxy firewalls was based on Kernel Proxy technology. This design is constantly evolving but its basic features and codes are currently in widespread use in both commercial and domestic computer systems. Cisco, one of the largest internet security companies in the world released their PIX product to the public in 1997.

Some modern firewalls leverage their existing deep packet inspection engine by sharing this functionality with an Intrusion-prevention system (IPS). Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes, a way of transfering policy enforcement.

Types

There are several classifications of firewalls depending on where the communnication is taking place, where the communication is intercepted and the state that is being traced.

Network layer and packet filters

Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established ruleset. The firewall administrator may define the rules; or default rules may apply. The term packet filter originated in the context of BSD operating systems.

Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed up packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or completion connection. If a packet does not match an existing connection, it will be evaluated according to the ruleset for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.

Stateless firewalls have packet-filtering capabilities, but cannot make more complex decisions on what stage communications between hosts have reached. Stateless firewalls therefore offer less security.
Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes. Commonly used packet filters on various versions of Unix are ipf (various), ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), iptables/ipchains (Linux).

Application-layer