A firewall guards and isolates an inside (private) network--an intranet--from an outside (hence untrusted) network: the Internet, for instance. A firewall may also guard some parts of an internal network against other parts.
Domains A and A*, though parts of one organization's network, are physically separate and communicate through an outside (untrusted) network. Firewalls can control only the communication traffic that goes to, from, or through that outside network, as indicated by arrows a, b, and c. They cannot control traffic d and d', which never leaves the protected networks' boundaries, or traffic e, which merely passes through the outside network without touching either domain. Note that arrow c indicates virtual private networking (VPN) traffic: a guarded connection that crosses the untrusted network between the two domains.
We define firewall technology as a set of mechanisms that collectively enforce a network domain security policy on communication traffic entering or leaving a guarded network policy domain.
In general, the various firewall security mechanisms address themselves to specific layers in the open systems interconnection (OSI) network model. Several mechanisms can be combined into a comprehensive firewall system, but the mechanisms should be chosen and coordinated so that they do not work against each other.
All packet-filter firewalls deny access to traffic that does not meet a set of rules [indicated by a red line with x] and pass traffic that does [green lines with arrowheads].
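To make the rule-matching step concrete, here is a small first-match packet filter, added as an illustration (it is not code from the article or from any particular firewall product). The addresses, the guarded network 10.1.0.0/16 and its mail host 10.1.0.25, are assumptions invented for the example. Rules are checked in order; the first rule whose fields all match decides the packet, and a packet that matches no rule is denied, which is the "deny traffic that does not meet the rules" behaviour the paragraph describes.

```python
"""Added example (not the article's code): an ordered, default-deny packet filter."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    direction: str = "in"      # "in" = entering the guarded domain, "out" = leaving it


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"             # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"             # CIDR the destination address must fall in
    proto: str = "any"
    dports: Optional[tuple] = None     # inclusive (low, high) destination port range

    def matches(self, pkt: Packet) -> bool:
        if self.direction not in ("any", pkt.direction):
            return False
        if self.proto not in ("any", pkt.proto):
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports is not None:
            low, high = self.dports
            if pkt.dport is None or not (low <= pkt.dport <= high):
                return False
        return True


# Hypothetical addressing: 10.1.0.0/16 is the guarded network, 10.1.0.25 its mail host.
INSIDE = "10.1.0.0/16"
RULES = [
    # Packets arriving from outside must not claim an inside source address (anti-spoofing).
    Rule("deny", direction="in", src=INSIDE),
    # Inbound SMTP is allowed to the mail host only.
    Rule("pass", direction="in", dst="10.1.0.25/32", proto="tcp", dports=(25, 25)),
    # Inside hosts may open outbound TCP connections.
    Rule("pass", direction="out", src=INSIDE, proto="tcp"),
]


def filter_packet(rules, pkt):
    """Return (action, index of the matching rule); ("deny", None) if nothing matched."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


if __name__ == "__main__":
    # Constructed sample packets.
    samples = [
        Packet("203.0.113.7", "10.1.0.25", "tcp", 25, "in"),    # SMTP to the mail host
        Packet("203.0.113.7", "10.1.0.40", "tcp", 23, "in"),    # telnet to an inside host
        Packet("10.1.0.9", "203.0.113.7", "tcp", 443, "out"),   # outbound HTTPS
        Packet("10.1.0.9", "10.1.0.25", "tcp", 25, "in"),       # spoofed inside source
    ]
    for p in samples:
        print(p, "->", filter_packet(RULES, p))
```

Rule order matters: the anti-spoofing rule is placed first so that a packet from outside forging an inside source address is dropped before the SMTP rule can admit it.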
In a screened-host firewall, a router at network level controls access to and from a single host - called a bastion host - through which all traffic to and from the protected network must travel. Direct access to the protected network is denied and the bastion host does not forward packets. The bastion host is a highly defended, secured strongpoint that - one hopes - can resist attack.
In a screened-subnet firewall, a pair of routers control access to a small network of bastion hosts. The screened subnet is also called a "demilitarized zone" (DMZ).
A network address translator hides internal addresses from the outside world. Network address translation (NAT) routers keep a table pairing outside (public) addresses with inside (hidden) addresses. For an incoming message they replace the outside destination address with the corresponding hidden inside address, and for an outgoing message they replace the inside source address with its outside counterpart. An inside host that has no entry in the table is unreachable from outside, but a host that does have one is exposed on every port, so NAT conceals addresses rather than enforcing an access policy.
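The translation table described above, as an added example (not the article's own code and not any particular router's implementation). The outside addresses 198.51.100.x and inside addresses 10.1.0.x are invented for the illustration. It shows the two rewrites, source on the way out and destination on the way in, and the drop of an inbound packet whose destination has no table entry.

```python
"""Added example (not the article's code): a static one-to-one NAT table."""


class StaticNAT:
    """Table of (outside address, inside address) pairs, each address used once."""

    def __init__(self, mappings):
        pairs = list(mappings)
        self.out_to_in = {outside: inside for outside, inside in pairs}
        self.in_to_out = {inside: outside for outside, inside in pairs}
        if len(self.out_to_in) != len(pairs) or len(self.in_to_out) != len(pairs):
            raise ValueError("NAT table must map each address exactly once")

    def outbound(self, pkt):
        """Packet leaving the guarded network: hide the inside source address.

        Returns the rewritten packet, or None if the source has no mapping (dropped).
        """
        outside = self.in_to_out.get(pkt["src"])
        if outside is None:
            return None
        return {**pkt, "src": outside}

    def inbound(self, pkt):
        """Packet arriving from outside: restore the hidden inside destination.

        Returns the rewritten packet, or None if nothing maps to that outside address.
        """
        inside = self.out_to_in.get(pkt["dst"])
        if inside is None:
            return None
        return {**pkt, "dst": inside}


# Hypothetical table: two inside hosts are reachable under public addresses.
NAT = StaticNAT([
    ("198.51.100.10", "10.1.0.25"),   # mail host
    ("198.51.100.11", "10.1.0.80"),   # web host
])


def round_trip(nat, inside_src, outside_dst, dport):
    """Send a request out and bring its reply back; returns (sent, reply_as_delivered)."""
    sent = nat.outbound({"src": inside_src, "dst": outside_dst, "dport": dport})
    if sent is None:
        return None, None
    # The outside server answers to the public address it saw (constructed reply).
    reply = {"src": outside_dst, "dst": sent["src"], "sport": dport}
    return sent, nat.inbound(reply)


if __name__ == "__main__":
    print(round_trip(NAT, "10.1.0.25", "203.0.113.7", 25))
    print(NAT.inbound({"src": "203.0.113.7", "dst": "198.51.100.12", "dport": 80}))  # None: no entry
```

Port-based NAT, where many inside hosts share one outside address, differs only in that the table is keyed by (address, port) and filled in dynamically from outbound connections; the inbound lookup and the drop of unmatched packets work the same way.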
Many firewalls now include built-in support for Socks (the name is a contraction of "sockets"), a generic proxy protocol that lets client applications reach servers across the firewall whatever application protocol they use. Socks is a circuit-level gateway: the client asks the Socks server to open a connection to a given destination; if the request satisfies the server's rules, the server opens that connection on the client's behalf and relays data in both directions between the client in the protected network and the server in the untrusted one. In effect it forms a circuit between client and server, but it also acts as a proxy, since it sets up only those circuits its rules accept and never exposes the client's address to the outside.
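The exchange sketched above, as an added example that is not part of the article. It assumes Socks version 5 as specified in RFC 1928 (the article does not say which version), and the allowed destinations are a hypothetical rule set. Both sides are shown: the client encodes a request to open a circuit, and the gateway parses it, applies its rules and answers with a reply code (0x00 succeeded, 0x02 connection not allowed by ruleset, 0x07 command not supported, 0x08 address type not supported). The relaying of bytes after a successful reply is not shown.

```python
"""Added example (not the article's code): the policy step of a SOCKS5 gateway (RFC 1928)."""
import socket
import struct

VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_FAILURE, REP_RULESET = 0x00, 0x01, 0x02
REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x07, 0x08


class SocksError(Exception):
    def __init__(self, rep, msg):
        super().__init__(msg)
        self.rep = rep   # reply code the gateway should send back


def select_method(greeting):
    """Gateway side: answer the client's method-selection message (we offer only 'no auth')."""
    if len(greeting) < 2 or greeting[0] != VER:
        raise SocksError(REP_FAILURE, "malformed greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise SocksError(REP_FAILURE, "truncated method list")
    chosen = 0x00 if 0x00 in methods else 0xFF    # 0xFF = no acceptable method
    return bytes([VER, chosen])


def build_request(host, port, cmd=CMD_CONNECT):
    """Client side: encode a request for an IPv4 literal or a domain name."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, cmd, 0x00]) + addr + struct.pack("!H", port)


def parse_request(req):
    """Gateway side: return (cmd, destination host, destination port)."""
    if len(req) < 4 or req[0] != VER or req[2] != 0x00:
        raise SocksError(REP_FAILURE, "malformed request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        if len(req) < 10:
            raise SocksError(REP_FAILURE, "short request")
        host, rest = socket.inet_ntop(socket.AF_INET, req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4] if len(req) > 4 else 0
        if len(req) < 7 + n:
            raise SocksError(REP_FAILURE, "short request")
        host, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    elif atyp == ATYP_IPV6:
        if len(req) < 22:
            raise SocksError(REP_FAILURE, "short request")
        host, rest = socket.inet_ntop(socket.AF_INET6, req[4:20]), req[20:]
    else:
        raise SocksError(REP_ATYP_UNSUPPORTED, "unsupported address type")
    (port,) = struct.unpack("!H", rest[:2])
    return cmd, host, port


def reply(rep, bound_ip="0.0.0.0", bound_port=0):
    """Gateway side: encode the reply (BND.ADDR/BND.PORT are the relay's own endpoint)."""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bound_ip) + struct.pack("!H", bound_port)


# Hypothetical rule set: (host, port) circuits that inside clients may open.
ALLOWED = {("mail.example.net", 25), ("www.example.net", 443), ("203.0.113.7", 443)}


def decide(req, allowed=ALLOWED):
    """Apply the rules to a request and return the reply bytes to send to the client."""
    try:
        cmd, host, port = parse_request(req)
    except SocksError as e:
        return reply(e.rep)
    if cmd != CMD_CONNECT:
        return reply(REP_CMD_UNSUPPORTED)   # BIND and UDP ASSOCIATE are refused here
    if (host, port) not in allowed:
        return reply(REP_RULESET)
    return reply(REP_OK)


if __name__ == "__main__":
    print(select_method(bytes([VER, 1, 0x00])).hex())
    print(decide(build_request("mail.example.net", 25)).hex())   # rep 0x00
    print(decide(build_request("mail.example.net", 23)).hex())   # rep 0x02
```

Because the gateway only sees a destination and a port, it cannot tell a legitimate SMTP session to port 25 from anything else tunnelled over that port; that is exactly the gap an application-level proxy closes.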
An application-level firewall uses application-specific proxies that understand the protocol in question. A proxy can interact with both the source and the destination of a message, examine its content to determine whether it meets the security policy, and then allow or deny it on the basis of that evaluation; it can also rewrite what it forwards. A separate proxy is needed for each application protocol. A so-called "dual-homed" application-level firewall is a host with two network interfaces, one on each network, and with packet forwarding between them disabled, so that traffic can cross only by way of a proxy. A bastion host, in either a screened-host or screened-subnet firewall, is therefore a natural place to run such a firewall.
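One way to implement the inspection step of such a proxy for HTTP, added here as an example (it is not the article's code and not any real proxy's implementation). The allowed hosts and methods form a hypothetical policy. Unlike the packet filter or the Socks gateway, the proxy parses the request itself: it checks the method and the destination named in the URL, refuses CONNECT because a tunnel would carry bytes it cannot inspect, checks that a POST body matches its declared length, strips hop-by-hop headers, and rewrites the proxy-form request into the origin-form request it would send to the real server.

```python
"""Added example (not the article's code): request inspection in an HTTP application proxy."""
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.net", "docs.example.net"}      # hypothetical policy
HOP_BY_HOP = {"connection", "proxy-connection", "proxy-authorization", "keep-alive",
              "te", "trailer", "transfer-encoding", "upgrade"}


class ProxyReject(Exception):
    pass


def inspect_request(raw):
    """Parse a proxy-form request; return (destination host, bytes to forward) or raise."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProxyReject("incomplete header block")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise ProxyReject("non-ASCII header block")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise ProxyReject("malformed request line")
    method, target, version = parts
    if method == "CONNECT":
        raise ProxyReject("CONNECT tunnels bypass inspection")
    if method not in ALLOWED_METHODS:
        raise ProxyReject(f"method {method} not allowed")
    try:
        url = urlsplit(target)
        host, port = url.hostname, url.port
    except ValueError:
        raise ProxyReject("malformed URL")
    if url.scheme != "http" or not host:
        raise ProxyReject("proxy requests must use an absolute http:// URL")
    if host not in ALLOWED_HOSTS:
        raise ProxyReject(f"destination {host} not allowed")

    headers, content_length = [], None
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name.strip() != name or " " in name:
            raise ProxyReject("malformed header line")
        lname = name.lower()
        if lname == "content-length":
            if not value.strip().isdigit():
                raise ProxyReject("bad Content-Length")
            content_length = int(value.strip())
        if lname == "host" or lname in HOP_BY_HOP:
            continue                      # rewritten or dropped by the proxy
        headers.append(f"{name}: {value.strip()}")

    if method == "POST":
        if content_length is None or content_length != len(body):
            raise ProxyReject("body length does not match Content-Length")
    elif body:
        raise ProxyReject(f"body not allowed on {method}")

    path = (url.path or "/") + (f"?{url.query}" if url.query else "")
    hostport = host if port in (None, 80) else f"{host}:{port}"
    out = [f"{method} {path} {version}", f"Host: {hostport}", *headers, "Connection: close"]
    return host, "\r\n".join(out).encode("ascii") + b"\r\n\r\n" + body


def decide(raw):
    """Return ("forward", host, bytes) or ("reject", reason)."""
    try:
        host, forwarded = inspect_request(raw)
    except ProxyReject as e:
        return ("reject", str(e))
    return ("forward", host, forwarded)


if __name__ == "__main__":
    # Constructed sample requests.
    print(decide(b"GET http://www.example.net/index.html?x=1 HTTP/1.1\r\n"
                 b"Host: www.example.net\r\nProxy-Connection: keep-alive\r\nUser-Agent: t\r\n\r\n"))
    print(decide(b"CONNECT www.example.net:443 HTTP/1.1\r\nHost: www.example.net\r\n\r\n"))
```

The rewrite is what distinguishes this from a circuit-level relay: the request the real server receives is one the proxy composed from fields it understood, not the client's bytes passed through.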