Another research paper from the beginning of 2011...
In the early 1980s, networking technology was becoming more widespread, and the need for higher security for large corporate networks was becoming greater. Though the specific year is under dispute, the first firewall was created near the end of the decade. Thirty years later, the modern firewall has evolved into a sophisticated protection device for personal and corporate networks worldwide. Every day, these tailor-made software applications and devices fend off hundreds to thousands of attacks from outside users, acting as a "front gate" to filter out suspicious activity.
A firewall is a system that is designed to prevent unauthorized access to a private network, and is usually considered the first line of defense in a secure network. In most cases, these unauthorized access attempts originate from outside the private network. However, attacks from inside the network are also possible, in which case a firewall can help reduce the attack surface by segmenting the intranet, possibly slowing down the intruder. Firewalls work by examining every unit of data that enters or leaves the network and matching it against a rule set that determines whether the data meets the specific requirements to be allowed through the firewall to its destination.
Firewall solutions fall into one of two broad categories: hardware and software. A hardware firewall is a physical device that can be strategically placed in the network based on the filtering rules to be applied to the traffic across a specific network segment. These physical devices can be anything from a proprietary "firewall in a box," which resembles an inline repeater, to a dedicated PC with a stripped-down operating system running a firewall software solution. Hardware firewalls are generally placed at the beginning of the internal network, between the building's point of presence and the first LAN device on the network. This allows the device to filter all incoming and outgoing data for the entire network. Software firewalls perform the exact same tasks as hardware solutions, but run as a software application or service on end devices, such as workstations and servers. These software solutions are optimally designed to protect a single device, but can also be used in the same manner as a hardware device to filter all traffic for a network.
Firewalls can also be subcategorized based on how they operate. At this time, there are six major operational roles that a firewall can fulfill:
Note that firewall roles, specifically packet and protocol filters, can run in one of two modes: stateful, where the firewall can determine the state of the connection and packet order, and stateless, where each packet is inspected without any knowledge of the connection's status or other packets sent and received. These roles are often combined within a single firewall solution to increase the protective qualities of the product. By working together, each role can be used to help prevent different methods of attack.
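The difference between the two modes shows up when an inbound packet merely claims to belong to an existing connection. The following Python sketch is an added example, not code from the original paper: the `10.0.0.` internal prefix, the sample packets and the "inbound needs ACK" stateless rule are all assumptions, and sequence-number (packet order) tracking is left out to keep it short.

```python
from collections import namedtuple

# Constructed sample packet: addresses, ports and TCP flags only.
Packet = namedtuple("Packet", "src sport dst dport flags")
INTERNAL = "10.0.0."  # assumed internal prefix for this example

def is_internal(ip):
    return ip.startswith(INTERNAL)

def stateless_allow(pkt):
    """Judge each packet alone: outbound passes, inbound passes only if ACK
    is set, i.e. the packet claims to belong to an existing connection."""
    if is_internal(pkt.src):
        return True
    return "A" in pkt.flags

class StatefulFilter:
    """Remember connections opened from inside; inbound must match one."""
    def __init__(self):
        self.table = set()  # (internal ip, internal port, external ip, external port)

    def allow(self, pkt):
        if is_internal(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":
                self.table.add(key)          # new outbound connection
            elif "R" in pkt.flags or "F" in pkt.flags:
                self.table.discard(key)      # simplified teardown
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

TRAFFIC = [  # constructed traffic, documentation address ranges
    Packet("10.0.0.5", 40000, "198.51.100.7", 443, "S"),   # client opens connection
    Packet("198.51.100.7", 443, "10.0.0.5", 40000, "SA"),  # legitimate reply
    Packet("203.0.113.9", 443, "10.0.0.5", 40001, "A"),    # unsolicited, ACK set
    Packet("10.0.0.5", 40000, "198.51.100.7", 443, "R"),   # client resets
    Packet("198.51.100.7", 443, "10.0.0.5", 40000, "A"),   # late packet after close
]

if __name__ == "__main__":
    for p, (sl, sf) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] "
              f"stateless={sl} stateful={sf}")
```

The stateless filter passes the third and fifth packets because it has no record of which connections actually exist; the stateful filter drops both.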
Now that we understand how a firewall filters traffic, we can discuss what firewalls are designed to defend against. Every day, millions of networks across the world are penetrated by a variety of attacks. While there are hundreds of reasons, the motivating factor for these attacks is often profit, be it monetary or information gain. Sometimes, it can be as simple as a disgruntled employee "getting revenge" on their employers. Regardless of the reason, the purpose of a firewall is to reduce the attack surface, attempt to prevent intrusions, and monitor and log any attempts to break into the network.
There are dozens of methods a "hacker" (a person who exploits vulnerabilities in a system or application to gain entry) can use to penetrate a network. Some of the more common methods include the use of viruses, Trojan horses, worms, rootkits, and scanners to gain access to an internal network. Hackers can also exploit vulnerabilities in applications, network protocols, and even hardware to gain access. After an intruder has gained access to a network, they have the potential to wreak havoc by gaining administrative privileges, which can be used to steal and destroy information, vandalize websites, deny services to legitimate users, and even destroy critical hardware. In most cases, these intruders also open up more holes in the network perimeter so they can return at a later time.
Firewalls are designed to allow, deny, and monitor all incoming and outgoing connections that they are responsible for. A firewall will usually block all unused and disabled ports by default, reducing the attack surface substantially. For active ports, the firewall can be configured to either filter traffic based on a rule set, or ignore the port and allow all traffic. The same method is used for building application and system service connection rules. After all ports are configured, the firewall begins monitoring and filtering all connections.
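The three port treatments described above (blocked by default, filtered by a rule set, or left unfiltered) can be modelled in a few lines. This Python sketch is an added example, not taken from any firewall product: the policy table, the first-match rule order and the sample addresses are all assumptions made for illustration.

```python
import ipaddress

# Constructed policy: port -> (mode, rules). Ports not listed are unused and blocked.
#   "filter": evaluate the port's rule set, first match wins, otherwise deny
#   "open":   the firewall ignores the port and all traffic passes
POLICY = {
    22:   ("filter", [("allow", "10.0.0.0/8"), ("deny", "0.0.0.0/0")]),
    443:  ("filter", [("deny", "203.0.113.0/24"), ("allow", "0.0.0.0/0")]),
    8080: ("open", []),
}

def decide(src_ip, dport, policy=POLICY):
    """Return (verdict, reason) for one inbound connection attempt."""
    if dport not in policy:
        return "deny", "default: port not in use"
    mode, rules = policy[dport]
    if mode == "open":
        return "allow", "port unfiltered"
    addr = ipaddress.ip_address(src_ip)
    for action, cidr in rules:
        if addr in ipaddress.ip_network(cidr):
            return action, f"rule {action} {cidr}"
    return "deny", "no rule matched"

def monitor(attempts, policy=POLICY):
    """Filter a batch of (src_ip, dport) attempts and keep a connection log."""
    log = []
    for src, port in attempts:
        verdict, reason = decide(src, port, policy)
        log.append({"src": src, "dport": port,
                    "verdict": verdict, "reason": reason})
    return log

def unfiltered_ports(policy=POLICY):
    """Audit helper: ports where the rule set is bypassed entirely."""
    return sorted(p for p, (mode, _) in policy.items() if mode == "open")

ATTEMPTS = [  # constructed attempts, documentation address ranges
    ("10.1.2.3", 22), ("198.51.100.4", 22), ("203.0.113.50", 443),
    ("198.51.100.4", 443), ("198.51.100.4", 3389), ("203.0.113.50", 8080),
]

if __name__ == "__main__":
    for entry in monitor(ATTEMPTS):
        print(entry)
    print("unfiltered ports:", unfiltered_ports())
```

The last attempt shows the cost of an "allow all" port: a source that the rule set denies on port 443 still gets through on port 8080, which is why `unfiltered_ports` is worth reviewing in any configuration audit.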
When an attempt to break into a network or device is detected, most firewalls will immediately begin logging all activity that is originating from the suspicious IP (if they are not already logging network connections). Some of the more advanced firewalls are able to immediately notify the network administrator via email, phone, or text message when an intrusion attempt is detected. Some of the attacks that can trigger a firewall's intrusion alarm include:
Firewalls have played a vital role in network security for over three decades, acting as the gatekeeper for the connections they manage. By filtering traffic, securing ports, and monitoring and logging connections, a well-configured firewall can successfully prevent most attempts to penetrate a network. A firewall, in conjunction with other common network security measures, makes up the foundation of a well-formed security plan to help ensure network security. While there are always going to be unpreventable zero-day attacks and missed security bugs in software, firewalls will continue to stand at the front lines to defend networks for years to come.