Firewall Terminology


A standard firewall terminology helps remove the confusion surrounding firewall technology. RFC 2647 (Benchmarking Terminology for Firewall Performance, August 1999) is one document that attempts to establish such a terminology. The most important terms it defines are outlined next; refer to the RFC for the complete definitions and discussion. The following list has been reordered for clarity and reworded for conciseness.

  • Firewall A device or group of devices that enforces an access control policy among networks. Firewalls connect protected and unprotected networks, or support tri-homing, which allows a DMZ network.
  • Protected network A network segment or segments to which access is controlled. Protected networks are sometimes called "internal networks," but RFC 2647 states that the term is inappropriate because firewalls increasingly are deployed within an organization, where all segments are by definition internal.
  • Unprotected network A network segment or segments to which access is not controlled by the firewall.
  • Demilitarized zone (DMZ) A network segment or segments located between protected and unprotected networks. The DMZ need not be connected to the protected network at all. The DMZ may also host perimeter defense systems. For example, the DMZ can be made to look like it is part of the protected network, luring attackers into traps that log their activities and attempt to trace the source of the activity.
  • Dual-homed firewall A firewall with two interfaces, one attached to the protected network and one attached to the unprotected network.
  • Tri-homed firewall A firewall that connects three network segments with different network addresses. Typically, these are the protected, DMZ, and unprotected segments.
  • Proxy A request for a connection made on behalf of a host. A proxy stands between the protected and unprotected network. Think of a quarantined area where people on the inside use a telephone to talk to people on the outside. All external connections leading into the proxy terminate at the proxy. This effectively eliminates IP routing between the networks. The proxy repackages the messages into new packets that are allowed into the internal network. The proxy also terminates internal traffic that is headed out to the Internet and repackages it in a new packet with the source IP address of the proxy, not the internal host. Most important, the proxy inspects and filters traffic. A predefined "rule set" is used to determine which traffic should be forwarded and which should be rejected. There are two types of proxies: application proxies and circuit proxies, as described shortly.
  • Network address translation A method of mapping one or more private, reserved IP addresses to one or more public IP addresses. NAT was defined to conserve IPv4 address space, and it relies on specific blocks of IP addresses (set aside by RFC 1918) that are never routed on the public Internet. It allows organizations to use their own internal IP addressing scheme. A NAT device translates between internal and external addresses, and is usually combined with proxy services. NAT is implemented in firewalls to support the private addressing scheme defined in RFC 1918.
  • Application proxy A proxy service that is set up and torn down in response to a client request, rather than existing on a static basis (as is the case with circuit proxies). The application proxy performs all of the services of a proxy, but for specific applications. In contrast, a basic proxy performs generic packet filtering. The application proxy only processes packets belonging to the applications it supports; if the proxy has no module for an application, packets for that application are dropped. Packets are forwarded only after a connection has been established, and establishing the connection is subject to authentication and authorization.
  • Circuit proxy A proxy service that statically defines which traffic will be forwarded. The circuit proxy is a special function performed by application proxies, usually to support proxy connection between internal users and outside hosts. The packets are relayed without performing any extensive processing or filtering because the packets are from trusted internal users, and they are going outside. However, packets that return in response to these packets are fully examined by the application proxy services.
  • Policy A document defining acceptable access to protected, DMZ, and unprotected networks. Security policies set general guidelines for what is and is not acceptable network access.
  • Rule set The collection of access control rules that determines which packets are forwarded or dropped.
  • Allowed traffic Packets forwarded as a result of the rule set.
  • Illegal traffic Packets specified for rejection in the rule set.
  • Rejected traffic Packets dropped as a result of the rule set.
  • Authentication The process of verifying that a user requesting a network resource is who he, she, or it claims to be, and vice versa. The entity being authenticated might be the client machine or a user, so authentication may take the form of verifying IP addresses, TCP or UDP port numbers, and passwords. Addresses and port numbers are easily forged, so on their own they identify a host only weakly. Other, stronger forms of identification include token cards and biometrics.
  • Security association The set of security information related to a given network connection or set of connections. This definition covers the relationship between policy and connections. Associations may be set up during connection establishment, and they may be reiterated or revoked during a connection.
  • Packet filtering The process of controlling access by examining packets based on the content of packet headers. Header information, such as IP address or TCP port number, is examined to determine whether a packet should be forwarded or rejected, based on a rule set.
  • Stateful packet filtering The process of forwarding or rejecting traffic based on the contents of a state table maintained by a firewall. When stateful filtering is used, a packet that opens a new connection is checked against the rule set and, if permitted, an entry for the connection is added to the state table; subsequent packets, including the replies coming back from the unprotected network, are forwarded only if they belong to a connection that is being tracked in the table.
  • Logging The recording of user requests made to the firewall. All requests are typically logged, including allowed, illegal, and rejected traffic.
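The following Python sketch is an added example, not code from the page or from RFC 2647. It ties several of the terms above together in one place: a rule set evaluated first-match with default deny, a state table that admits return traffic and mid-stream packets of tracked connections, network address translation of outbound flows to the firewall's public address, and a log entry for every verdict. The protected prefix 10.0.0.0/24 (an RFC 1918 range), the public address 203.0.113.1, the DMZ mail relay 203.0.113.25, the outside hosts 198.51.100.x, and the rules themselves are constructed for the demo. In this toy, "illegal" marks packets that matched an explicit reject rule and "rejected" the rest of the dropped traffic; both are dropped.

```python
"""Toy stateful packet filter: rule set, state table, outbound NAT and logging.
Addresses, ports and rules are constructed for illustration (not from RFC 2647)."""
from dataclasses import dataclass
from typing import Optional

PROTECTED_PREFIX = "10.0.0."        # assumed RFC 1918 protected network (constructed)
FIREWALL_PUBLIC_IP = "203.0.113.1"  # assumed public side of the firewall (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the TCP SYN that opens a new connection


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "reject"
    direction: str           # "out" = protected -> unprotected, "in" = the reverse
    dport: Optional[int]     # None matches any destination port

    def matches(self, pkt, direction):
        return self.direction == direction and self.dport in (None, pkt.dport)


# Rule set: first match wins; anything unmatched is dropped (default deny).
RULE_SET = (
    Rule("reject", "out", 23),   # telnet from the inside is illegal traffic
    Rule("allow", "out", 80),
    Rule("allow", "out", 443),
    Rule("allow", "in", 25),     # mail to the DMZ relay at 203.0.113.25 (constructed)
)


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = {}          # flow (src, sport, dst, dport) -> rewritten flow
        self.log = []            # (verdict, packet) for every packet seen
        self._next_nat_port = 40000

    @staticmethod
    def _direction(pkt):
        return "out" if pkt.src.startswith(PROTECTED_PREFIX) else "in"

    def _open(self, pkt):
        """Create state for a new connection; outbound flows are NATed."""
        if self._direction(pkt) == "out":
            nat_src = (FIREWALL_PUBLIC_IP, self._next_nat_port)
            self._next_nat_port += 1
        else:
            nat_src = (pkt.src, pkt.sport)          # inbound to the DMZ: no translation
        fwd = (nat_src[0], nat_src[1], pkt.dst, pkt.dport)
        ret = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.state[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = fwd   # forward direction
        self.state[(pkt.dst, pkt.dport, nat_src[0], nat_src[1])] = ret  # return direction
        return fwd

    def _record(self, verdict, pkt, fwd):
        self.log.append((verdict, pkt))
        return verdict, fwd

    def process(self, pkt):
        """Return (verdict, forwarded packet or None). Verdicts: 'allowed',
        'illegal' (matched a reject rule) or 'rejected' (dropped by default deny
        or because a mid-stream packet had no state)."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow in self.state:                      # tracked connection: no rule lookup
            s, sp, d, dp = self.state[flow]
            return self._record("allowed", pkt, Packet(s, sp, d, dp))
        direction = self._direction(pkt)
        for rule in self.rules:
            if rule.matches(pkt, direction):
                if rule.action == "reject":
                    return self._record("illegal", pkt, None)
                if not pkt.syn:                     # non-SYN with no state is not ours
                    return self._record("rejected", pkt, None)
                s, sp, d, dp = self._open(pkt)
                return self._record("allowed", pkt, Packet(s, sp, d, dp, syn=True))
        return self._record("rejected", pkt, None)  # default deny


def run_demo():
    """Push a constructed packet sequence through the filter.
    Returns (verdicts, forwarded packets, log)."""
    fw = StatefulFirewall(RULE_SET)
    packets = [
        Packet("10.0.0.5", 51000, "198.51.100.7", 80, syn=True),    # outbound web: allowed, NATed
        Packet("198.51.100.7", 80, "203.0.113.1", 40000),           # reply: allowed via state table
        Packet("10.0.0.5", 51000, "198.51.100.7", 80),              # more outbound data: allowed
        Packet("198.51.100.7", 80, "203.0.113.1", 40001),           # unsolicited inbound: rejected
        Packet("10.0.0.5", 51001, "198.51.100.7", 23, syn=True),    # telnet out: illegal traffic
        Packet("198.51.100.9", 4444, "203.0.113.25", 25, syn=True), # mail to DMZ relay: allowed
        Packet("198.51.100.9", 4445, "203.0.113.25", 22, syn=True), # ssh to DMZ: no rule, rejected
    ]
    results = [fw.process(p) for p in packets]
    return [v for v, _ in results], [f for _, f in results], fw.log


if __name__ == "__main__":
    for verdict, pkt in run_demo()[2]:
        print(f"{verdict:8} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Two design choices carry the security point. The state table is consulted before the rule set, so a reply from the unprotected network is admitted only because a protected host opened the connection, never because a rule happens to permit inbound traffic on that port. And only a SYN can create state: a stray mid-stream packet that matches an allow rule but has no table entry is still dropped, which is the difference between a stateless filter that "allows port 80" and a stateful one that allows a particular connection on port 80.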



Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.