Firewalls provide security by controlling access between internal and external networks. They use packet filtering, circuit proxies, and application proxies to screen traffic and allow only authorized communication. Traditional firewalls are placed at entry points and screen packets based on headers, filtering unauthorized access and attacks. Newer firewalls add more sophisticated features for improved security.
An Overview of Firewall Technologies

Abstract
The increasing complexity of networks, and the need to make them more open due to the growing emphasis on and attractiveness of the Internet as a medium for business transactions, mean that networks are becoming more and more exposed to attacks, both from without and from within. The search is on for mechanisms and techniques for the protection of internal networks from such attacks. One of the protective mechanisms under serious consideration is the firewall. A firewall protects a network by guarding the points of entry to it. Firewalls are becoming more sophisticated by the day, and new features are constantly being added, so that, in spite of the criticisms made of them and developmental trends threatening them, they are still a powerful protective mechanism. This article provides an overview of firewall technologies.

Keywords: Firewall technologies, network security, access control, security policy, protective mechanisms.

1 Introduction
Today's networks change and develop on a regular basis to adapt to new business situations, such as reorganisations, acquisitions, outsourcing, mergers, joint ventures, and strategic partnerships, and the increasing degree to which internal networks are connected to the Internet. The increased complexity and openness of the network thus caused makes the question of security more complicated than hitherto, and necessitates the development of sophisticated security technologies at the interface between networks of different security domains, such as between Intranet and Internet or Extranet. The best way of ensuring interface security is the use of a firewall.

A Firewall is a computer, router or other communication device that filters access to the protected network [18]. Cheswick and Bellovin [6] define a firewall as a collection of components or a system that is placed between two networks and possesses the following properties:

• All traffic from inside to outside, and vice-versa, must pass through it.
• Only authorised traffic, as defined by the local security policy, is allowed to pass through it.
• The firewall itself is immune to penetration.

[Figure 1: Firewall Schematics. Labels: Outside; Internal & External Gateway Systems]

Such traditional network firewalls prevent unauthorised access and attacks by protecting the points of entry into the network. As Figure 1 shows, a firewall may consist of a variety of components including host (called bastion host), router filters (or screens), and services. A gateway is a machine or set of machines that provides relay services complementing the filters. Another term illustrated in the figure is "demilitarised zone or DMZ" [6]. This is an area or sub-network between the inside and outside networks that is partially protected. One or more gateway machines may be located in the DMZ. Exemplifying a traditional security concept, defence-in-depth, the outside filter protects the gateway from attack, while the inside gateway guards against the consequences of a compromised gateway [6, 10]. Depending on the situation of the network concerned, there may be multiple firewalls, multiple internal networks, VPNs, Extranets and perimeter networks. There may also be a variety of connection types, such as TCP and UDP, audio or video streaming, and downloading of applets. Different types of firewall configuration with extensive practical guides can be found in [6, 4]. There are also many firewall products on the market from different vendors. See [9] for an updated list of products and vendors.

This article surveys the basic concept of firewall technology by introducing the various kinds of approach, their applications, limitations and threats against them.

2 Firewalls: Basic Approaches and Limitations

Firewall technology can be used to protect networks, by installing it strategically at a single security screen station where the private network or the Intranet connects to the public Internet, making it easier to ensure security, audit and monitor traffic, and trace break-in attempts. It can also be used to isolate sub-networks, in order to provide additional layers of security (defence-in-depth) within the organisation.

There are three basic approaches or services that a firewall uses to protect a network: packet filtering, circuit proxy, and application proxy [6, 11]. Some authors [13, 10] broadly classify these into two kinds of approach: transport level and application level (by including circuit proxy in this category).

2.1 Packet filtering

Firewalls having this function perform only very basic operations, such as examining the packet header, verifying the IP address, the port or both, and granting and denying access without making any changes. Due to this simplicity of operation, they have the advantage of both speed and efficiency. The filtered packets may be incoming, outgoing or both, depending on the type of router. An additional advantage is that they do their job quite independently of the user's knowledge or assistance, i.e., they have good transparency. Packets can be filtered on the basis of some or all of the following criteria: source IP address, destination IP address, TCP/UDP source port, and TCP/UDP destination port. A firewall of this type can block connections to and from specific hosts, networks and ports. They are cheap since they use software already resident in the router, and provide a good level of security since they are placed strategically at the choke point.

2.2 Circuit Proxy

The second approach is the use of what is called a circuit proxy. The main difference between the circuit proxy and the packet filtering firewall is that the former is the addressee to which all communicators must address their packets. Assuming access has been granted, the circuit proxy replaces the original address (its own) with the address of the intended destination. It has the disadvantage of laying claim to the processing resources required to make changes to the header, and the advantage of concealing the IP address of the target system.

2.3 Application Proxy
The third approach involves the use of what is known as an application proxy. An application proxy is more complicated in operation than a packet filtering firewall or a circuit proxy. The application proxy understands the application protocol and data, and intercepts any information intended for that application. On the basis of the amount of information available to make decisions, the application proxy can authenticate users and judge whether any of the data could pose a threat. The price to be paid for this more comprehensive function is that users or clients often have to be reconfigured to them, sometimes a complicated process, with a consequent loss of transparency. Application proxies are referred to as proxy services, and the host machines running them as application gateways.

2.4 Packet Inspection Approach

This approach, in contrast to the technologies so far described, involves inspecting the contents of packets as well as their headers. An inspection firewall carries out its inspection by using an inspection module, which understands, and can therefore inspect, data destined for all layers (from network layer to application layer). It carries out its inspection by integrating all information gathered from all layers into a single inspection point, and then examining it. A stateful inspection firewall is one which also registers the state of any connection it is handling, and acts on this information. An example of a stateful inspection firewall is the stateful packet-filtering mode in Check Point's "Firewall-1" [5] or Network Associates' Gauntlet.

Inspection firewalls can provide address translation and hiding, virus scanning, Web site filtering, screening for key words (typically in e-mail), and context-sensitive security for complex applications.

2.5 Firewall Limitations

As pointed out in [10], "Information security professionals often find themselves working against misconception and popular opinions formed from incomplete data. Some of these opinions spring more from hope than fact, such as the idea that internal network security can be solved simply by deploying a firewall". While it is true that firewalls play an important and central role in the maintenance of network security and any organisation that ignores them does so at its peril, they are neither the panacea of every security aspect of a network, nor the sole sufficient bulwark against intrusion. Knowing what firewalls can't do is as important as knowing what they can. The following are limitations one should be aware of.

• A firewall is by its nature perimeter defence, and not geared to combating the enemy within, and consequently no useful counter measure against a user who abuses authorised access to the domain.
• A firewall is no real defence against malicious code problems like viruses and Trojan horses, although some are capable of scanning the code for telltale signs.
• Configuring packet-filtering rules tends to be a complicated process in the course of which errors can easily occur, leading to holes in the defence. In addition, testing the configured rules tends to be a lengthy and difficult process due to the shortcomings of current testing tools. Normal packet-filtering routers cannot enforce some security policies simply because the necessary information is not available to them.

3 Additional Important Features

Firewalls are becoming more complex and sophisticated by the day, and thus more efficient at identifying intrusions and logging them, and automatically notifying the right people. They provide multiple layers of protection and some cache data
to improve performance, and support Virtual Private Networks (VPNs), Web-based administration, authentication, etc. There is also a tendency to add non-security-related functions to the firewall such as built-in Web servers, FTP servers, and e-mail systems, and even proxy servers for streaming audio and video.

We agree with those who feel that some additions to firewalls make sense and are useful when they enhance security, while others don't make sense and may even be dangerous, especially over time, when they represent a decrease in security and an increase in vulnerability. For example, to add services that increase the administration load adds another potential avenue of attack.

3.1 Content Caching

While caching is not traditionally a function of firewalls, it is becoming an increasingly frequent and important feature. An increase in performance is achieved by caching the contents of an accessed location with the result that subsequent requests for access will lead to already cached contents being used, without it being necessary to access the location again (except when it is necessary to refresh).

3.2 Logging and Alerts

It is important for a firewall to log events, determine their legitimacy or otherwise, and notify the network administrator. It should be noted that it is essential to protect the integrity of the log, since unauthorised access to, and editing of, the log will, of course, neutralise its raison d'être. Whether the function of protecting the log is fulfilled by the firewall itself or not, is a matter of implementation.

3.3 Management

Management ranges from command line to sophisticated GUI-based and secured remote access. Security management and administration, particularly as it applies to different firewalls using different technologies and provided by different vendors, is a critical problem. As more and more security services are introduced and applied to different firewall components, properly configuring and maintaining the services consistently becomes increasingly difficult. An error by an administrator in maintaining a consistent configuration of security services can easily lead to security vulnerability. A firewall should thus provide a security management interface that enables it to be locally or remotely managed in a coherent and comprehensible fashion.

3.4 Virtual Private Networks (VPNs)

A VPN is an encrypted tunnel over the Internet or another untrusted network providing confidentiality and integrity of transmissions, and logically all hosts in a VPN are in one Intranet [18]. Some firewalls include VPN capabilities (reasonable extension) to secure networks, so that they can safely communicate in private over the public network. They achieve this by strong authentication and encryption of all traffic between them.

3.5 Adaptive Firewalls

The new trend is towards adaptive firewalls that tie filters, circuit gateways and proxies together in series [2]. This gives the firewall administrator greater control over the level of security used for different services or at different points in the use of those services. He may, for example, configure the firewall to give priority to speed of transfer at the expense of security when this is appropriate. The firewall will then on such occasions reduce security to a lower level, thus allowing for greater speed of transfer, and return it to its original level on completion of the transfer.

Phoenix [17] states that Adaptive Firewall Technology provides fluid, self-adapting control of network access, a key to establishing an effective network security policy by examining every packet (and adapting rules "on-the-fly" based on information in the packet) passing through
the network interface.

3.6 Quality of Service (QoS)

Some firewalls include QoS features that allow administrators to control what proportion of a given network connection is to be dedicated to a given service. There are those who feel that QoS should be handled by Internet routers, while others insist that this is a matter of access control, and thus should be included in the firewall. Quoting [2]: "Moreover, some vendors, notably Check Point, have built their QoS engine using the same technology that is in their firewall. The philosophy here seems to be, access control is access control."

3.7 Policy and Firewalls

There are two levels of network policy that directly influence the design, installation and use of a firewall system: higher-level policy and lower-level policy [10]. The former is the network service access policy, which lays down which services are to be accessible to whom, and how they are to be used. The latter is the firewall design policy, which describes how the firewall will implement the network service access policy, and precisely how it will take access decisions in accordance with it. Firewalls typically implement one of two design policies. The firewall may permit any service not expressly denied, or it may deny any service not expressly permitted.

Service access policy may, for example, decree that there shall be no access to a site from the Internet, but allow access from the site to the Internet. Alternatively, it may decree that access from the Internet shall be restricted to certain selected services in the site. The latter is the more widespread of the two.

Today's business environments are, however, dynamic. Organisations are continually changing to adapt to new circumstances brought about by reorganisations, mergers, acquisitions etc. Therefore there are regularly new policies to be enforced, and, to remain effective, today's firewalls must be able to adapt to them.

4 Trends Threatening Firewalls – and Counter Trends

4.1 Trends Threatening Firewalls

Common network denial of service attacks include mail bombs, ping floods, and attacks using known software bugs, all of which are reported to be on the increase. This fact alone means that traditional firewalls performing packet analysis using rules and patterns are no longer adequate protection against network-based attacks, in addition to which, according to recent risk surveys [20, 19, 16, 7], more than half of all breaches today are perpetrated by some legitimate user already behind the firewall.

The traditional assumption that all inside the firewall are friendly and all outside it potentially hostile, is now becoming somewhat outdated. Internet connectivity has expanded, Extranets can allow outsiders access to areas protected by firewalls, and some machines require greater access to the outside than others, which often involves a change in the internal IP address. Another threat is the use of end-to-end encryption since the firewall is unable to peer through the encryption.

In the literature [3], some people have gone so far as to suggest that a more adaptive approach would be to drop firewalls altogether on the basis that they are obsolete, or that the use of cryptography obviates the need for them. Bellovin [3] disagrees with this view, and so do we.

4.2 Counter Trends and Arguments

Bellovin [3] argues that firewalls are still powerful protective mechanisms for the following reasons:

• Most security problems are due to buggy
code - in 1998, 9 of 13 CERT advisories concerned buffer overflows and two of the rest were cryptographic bugs - and cannot be prevented by encryption or authentication. A firewall shields most such applications from hostile connections.
• Firewalls are also useful at protecting legacy systems. While applications that require strong authentication should provide their own, there are too many older protocols and implementations that do not. Saying that strong cryptography should be used is true but irrelevant. In the context of such applications, it is simply unavailable.
• More subtly, firewalls are a mechanism for policy control. That is, they permit a site's administrator to set a policy on external access. Just as file permissions enforce an internal security policy, a firewall can enforce an external security policy.

As already stated, we concur with the above, and cite the following additional arguments.

Cryptography notwithstanding, the use of firewalls is deeply entrenched in a number of organizations and is part and parcel of their security set up, and will continue to be so for some years yet. While it is true that cryptography is the heir apparent to the firewall, the number of as yet unresolved issues prevents the assembling of a comprehensive solution for securing distributed computing resources around Public Key Infrastructure (PKI) and encryption. In addition, the process of standardisation within the area of PKI is not proceeding particularly rapidly. Thus, even those organizations favouring technologies other than firewalls will just have to bite the bullet and live with them for the moment.

Another factor is the ongoing development of new features and services at present being continually added to firewalls. These reduce a number of the limitations listed above and increase the firewall's flexibility while allowing it to retain its original function unimpaired. Examples, to mention but a few, that illustrate this point are:

• The proposal of a distributed firewall [3], using IPSEC (IP Security), a policy language, and system management tools, that preserves central control of access policy while reducing or eliminating any dependency on topology.
• Phoenix's Adaptive Firewall Technology [17], as noted above, provides self-adapting control of network access, thus establishing an effective network security policy by examining every packet and adapting rules "on-the-fly" based on information in the packet passing through the network interface.
• FORE Systems' Firewall Switching Agent [8], in combination with Check Point's Firewall-1 [5], provides 20 Gbps of firewall switching bandwidth while delivering wire-speed routing, switching, and class-of-service delivery.
• OMG's [15] CORBA Firewall Security [13], which brings firewalls to distributed object technology and provides a standard approach by which a firewall identifies and controls the flow of IIOP (Internet Inter-ORB Protocol), which has become the de facto standard interoperability protocol for Internet, providing "out-of-the-box" interoperation with ORBs (Object Request Brokers), thereby increasing the security of CORBA-based applications [1].

These trends in the development of firewalls make them important mechanisms to ease the transition to flexible and truly distributed security solutions, such as CORBA Security Services [14], thus sparing traditionally-minded network/firewall administrators much discomfort. After all, the laboratory test results described in "Super firewalls" [12] show that today's high-end firewalls are tougher, faster, and easier to use.

5 Conclusions

Notwithstanding the limitations of firewalls and the fact that they are neither the panacea of every security aspect of a network, nor the sole sufficient bulwark against network intrusion, and despite
development trends that threaten them, they are still a powerful protective mechanism, and will continue to play an important and central role in the maintenance of network security for some years yet, and any organisation that ignores them does so at its peril.

They continue to change and develop, and new features are regularly added as the need arises. If developments follow the present trend, they will continue to combine configurable access control and authentication mechanisms with their traditional functions, thus providing more powerful and flexible protection for networks to make them secure.
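
Added example, not part of the original paper: a first-match packet filter in Python over the header criteria listed in Section 2.1, evaluated under both design policies from Section 3.7, with a check for the rule-ordering errors that Section 2.5 warns about. The rule set, the addresses (documentation ranges) and the names Rule, decide, shadowed and verdicts are assumptions made for illustration.

```python
# Added example (not from the paper): first-match packet filter over the
# Section 2.1 header criteria, run under both Section 3.7 design policies.
# All rules and addresses are constructed (documentation ranges).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str = ANY              # source network (CIDR)
    dst: str = ANY              # destination network (CIDR)
    sport: tuple = ANY_PORT     # inclusive source port range
    dport: tuple = ANY_PORT     # inclusive destination port range

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.sport[0] <= pkt["sport"] <= self.sport[1]
                and self.dport[0] <= pkt["dport"] <= self.dport[1])

    def covers(self, other):
        """True when every packet `other` matches is also matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.sport[0] <= other.sport[0]
                and other.sport[1] <= self.sport[1]
                and self.dport[0] <= other.dport[0]
                and other.dport[1] <= self.dport[1])


def decide(rules, pkt, default):
    """First matching rule wins; `default` is the firewall design policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def shadowed(rules):
    """(earlier, later) index pairs where an earlier rule with the opposite
    action covers the later one, so the later rule never takes effect."""
    pairs = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if earlier.action != later.action and earlier.covers(later):
                pairs.append((i, j))
                break
    return pairs


RULES = [
    Rule("permit", dst="192.0.2.10/32", dport=(80, 80)),   # web on bastion host
    Rule("deny", src="198.51.100.0/24"),                   # blocked network
    Rule("permit", src="198.51.100.7/32",                  # intended exception,
         dst="192.0.2.25/32", dport=(25, 25)),             # but placed too late
]

PACKETS = {
    "web": {"src": "203.0.113.5", "sport": 40000,
            "dst": "192.0.2.10", "dport": 80},
    "telnet": {"src": "203.0.113.5", "sport": 40001,
               "dst": "192.0.2.20", "dport": 23},
    "mail": {"src": "198.51.100.7", "sport": 40002,
             "dst": "192.0.2.25", "dport": 25},
}


def verdicts(default):
    """Decision for each sample packet under the given design policy."""
    return {name: decide(RULES, pkt, default) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("permit unless denied: ", verdicts("permit"))
    print("deny unless permitted:", verdicts("deny"))
    print("shadowed rule pairs:  ", shadowed(RULES))
```

Under "permit any service not expressly denied" the unmatched telnet packet passes, while under "deny any service not expressly permitted" it is dropped. The mail exception is denied under either policy because the broader deny rule ahead of it shadows it.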

References
1. http://www.crossnodes.com/icsa/perimeter.html
2. http://www.checkpoint.com/products/whitepapers/wp30.pdf
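
Added example, not part of the original paper: header-only filtering next to the stateful inspection of Section 2.4, run over a constructed TCP trace to show the information a plain packet filter lacks (Section 2.5). The policy, the addresses (documentation ranges), the names used and the simplified connection teardown are assumptions made for illustration.

```python
# Added example (not from the paper): a header-only filter next to a filter
# that registers connection state, as Section 2.4 describes. Addresses are
# constructed documentation ranges; TCP teardown is simplified.
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")  # assumed protected network


def is_inside(addr):
    return ip_address(addr) in INSIDE


def stateless_allows(pkt):
    """Header-only policy: anything outbound passes; inbound passes when it
    looks like a web reply (ACK set, source port 80)."""
    if is_inside(pkt["src"]):
        return True
    return "ACK" in pkt["flags"] and pkt["sport"] == 80


class StatefulFilter:
    """Accepts inbound segments only for connections opened from inside."""

    def __init__(self):
        self.table = {}  # (in_ip, in_port, out_ip, out_port) -> state

    def allows(self, pkt):
        flags = pkt["flags"]
        if is_inside(pkt["src"]):
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if flags == {"SYN"}:
                self.table[key] = "SYN_SENT"      # register the new connection
                return True
            if key not in self.table:
                return False                      # no connection to continue
        else:
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            state = self.table.get(key)
            if state is None:
                return False                      # unsolicited inbound segment
            if state == "SYN_SENT":
                if flags != {"SYN", "ACK"} and "RST" not in flags:
                    return False                  # only a handshake reply fits
                self.table[key] = "ESTABLISHED"
            elif "SYN" in flags:
                return False                      # SYN inside a live connection
        if flags & {"FIN", "RST"}:
            self.table.pop(key, None)             # simplified: close at once
        return True


def seg(src, sport, dst, dport, *flags):
    """Build one constructed TCP segment record."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags)}


# Constructed trace: one web session opened from inside, plus two inbound
# segments that carry reply-like headers but belong to no open connection.
TRACE = [
    seg("192.0.2.20", 40000, "203.0.113.5", 80, "SYN"),
    seg("203.0.113.5", 80, "192.0.2.20", 40000, "SYN", "ACK"),
    seg("192.0.2.20", 40000, "203.0.113.5", 80, "ACK"),
    seg("203.0.113.5", 80, "192.0.2.20", 40000, "ACK", "PSH"),
    seg("198.51.100.9", 80, "192.0.2.30", 40001, "ACK"),   # no connection
    seg("192.0.2.20", 40000, "203.0.113.5", 80, "FIN", "ACK"),
    seg("203.0.113.5", 80, "192.0.2.20", 40000, "ACK"),    # after the close
]


def compare(trace):
    """(stateless decision, stateful decision) for each segment in order."""
    fw = StatefulFilter()
    return [(stateless_allows(p), fw.allows(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (plain, stateful) in zip(TRACE, compare(TRACE)):
        print(pkt["src"], sorted(pkt["flags"]),
              "stateless:", plain, "stateful:", stateful)
```

The two filters agree on the legitimate session and differ only on the fifth and seventh segments, which the header-only rule accepts because nothing in the header distinguishes them from real replies.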
