A firewall is a network device that enforces security policy for network traffic. The term originates from fire wall, a fireproof wall used as a barrier to prevent the spread of fire. An Internet firewall creates a barrier between separate networks by imposing a point of control that traffic needs to pass before it can reach a different network [2]. A firewall may limit the exposure of hosts to malicious network traffic, e.g., remote adversaries attempting to exploit security holes in vulnerable applications, by preventing certain packets from entering networks protected by the firewall.
When inspecting a network packet, a firewall decides if it should drop or forward the packet. The decision is based on a firewall's security policy and its internal state. Before forwarding a packet, a firewall may modify the packet's content. Packet inspection may occur at several different layers:
The link layer provides physical addressing of devices on the same network. Firewalls operating on the...
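To make the decision process described above concrete, here is an added example (not from the original entry) of a minimal stateful packet filter: a policy table consulted top to bottom, plus internal state that records TCP connections opened from the protected network so that only replies to those connections are admitted from outside. Network prefixes, ports and rules are constructed sample values.

```python
from dataclasses import dataclass

# Constructed example: packets are plain records rather than parsed wire data.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP flags, only meaningful for proto == "tcp"
    ack: bool = False

PROTECTED = "10.0.0."   # assumed prefix of the protected network

# Security policy: (direction, proto, dport, action); first match wins,
# anything unmatched is dropped (default deny).
RULES = [
    ("in",  "tcp", 22,    "drop"),    # no SSH from the outside
    ("in",  "tcp", 80,    "accept"),  # publicly reachable web server
    ("out", "tcp", "any", "accept"),  # internal hosts may connect out
    ("out", "udp", 53,    "accept"),  # DNS lookups
]

class StatefulFirewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.conns = set()   # internal state: accepted outbound TCP 4-tuples

    def _direction(self, p):
        return "out" if p.src.startswith(PROTECTED) else "in"

    def _policy(self, p, direction):
        for d, proto, port, action in self.rules:
            if d == direction and proto == p.proto and port in ("any", p.dport):
                return action
        return "drop"

    def filter(self, p: Packet) -> str:
        d = self._direction(p)
        # State lookup first: a reply to a recorded outbound flow is admitted
        # even though no inbound rule names its (ephemeral) destination port.
        if d == "in" and (p.dst, p.dport, p.src, p.sport) in self.conns:
            return "accept"
        # A new outbound TCP connection (SYN without ACK) creates state
        # only if the policy accepts it.
        if d == "out" and p.proto == "tcp" and p.syn and not p.ack:
            action = self._policy(p, d)
            if action == "accept":
                self.conns.add((p.src, p.sport, p.dst, p.dport))
            return action
        return self._policy(p, d)
```

Without the state table, the SYN/ACK returning to port 40000 would have to be admitted by a broad inbound rule; with it, an unsolicited packet to port 40001 is still dropped.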
References
Bellovin, S.M. (1989). “Security problems in the TCP/IP protocol suite.” ACM Computer Communications Review 2:19, pp. 32–48, April 1989.
Cheswick, William R. and Steven M. Bellovin (1994). Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading, MA.
Ferguson, P. and D. Senie (2000). “Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing.” RFC 2827.
Handley, M., C. Kreibich, and V. Paxson (2001). “Network intrusion detection: Evasion, traffic normalization and end-to-end protocol semantics.” Proceedings of the 10th USENIX Security Symposium, August 2001.
Paxson, V. (1998). “Bro: A system for detecting network intruders in real-time.” Proceedings of the 7th USENIX Security Symposium, January 1998.
Ptacek, Thomas and Timothy Newsham (1998). “Insertion, evasion, and denial of service: Eluding network intrusion detection.” Secure Networks Whitepaper, August 1998.
Stevens, W.R. (1994). TCP/IP Illustrated, vol. 1. Addison-Wesley, Reading, MA.
van Rooij, Guido (2000). “Real stateful TCP packet filtering in IP filter.” Proceedings of the 2nd International SANE Conference, May 2000.
© 2005 International Federation for Information Processing
Provos, N. (2005). Firewall. In: van Tilborg, H.C.A. (ed.) Encyclopedia of Cryptography and Security. Springer, Boston, MA. https://doi.org/10.1007/0-387-23483-7_169
DOI: https://doi.org/10.1007/0-387-23483-7_169
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-23473-1
Online ISBN: 978-0-387-23483-0