A firewall guards and isolates an inside (private) network, an intranet, from an outside (hence untrusted) network: the Internet, for instance. A firewall may also guard some parts of an internal network against other parts.
Domains A and A*, though parts of one organization's network, are physically separate and communicate through an outside (untrusted) network. Firewalls can only control communication traffic to, from, or through that outside network, as indicated by arrows a, b, and c. They cannot control communication traffic d and d', which never leaves the protected networks' boundaries, or communication traffic e, which simply extends through the outside network. Note that arrow c indicates virtual private networking (VPN) traffic.
We define firewall technology as a set of mechanisms that collectively enforce a network domain security policy on communication traffic entering or leaving a guarded network policy domain.
In general, the various firewall security mechanisms address themselves to specific layers in the open systems interconnection (OSI) network model. Several mechanisms can be combined into a comprehensive firewall system, but the mechanisms should be chosen and coordinated so that they do not work against each other.
All packet-filter firewalls deny access to traffic that does not meet a set of rules [indicated by a red line with x] and pass traffic that does [green lines with arrowheads].
In a screened-host firewall, a router at the network level controls access to and from a single host - called a bastion host - through which all traffic to and from the protected network must travel. Direct access to the protected network is denied, and the bastion host does not forward packets. The bastion host is a highly defended, secured strongpoint that - one hopes - can resist attack.
In a screened-subnet firewall, a pair of routers controls access to a small network of bastion hosts. The screened subnet is also called a "demilitarized zone" (DMZ).
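The packet-filter behaviour described above (deny traffic that matches no rule, pass traffic that does) and the screened-host policy (outside hosts may reach only the bastion, inside hosts reach the outside only through the bastion) can be modelled together. The following is an added example, not code from the original article: a first-match packet filter with a default-deny backstop, loaded with a constructed rule set for the screening router. All addresses (10.0.0.0/8 as the protected network, 10.0.0.10 as the bastion, 203.0.113.0/24 as the outside) and the `Packet` and `Rule` types are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields a network-level packet filter can see."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR the source address must fall in
    dst: str                     # CIDR the destination address must fall in
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; traffic matching no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed screened-host policy for the screening router (assumed addresses).
ANY = "0.0.0.0/0"
INSIDE = "10.0.0.0/8"
BASTION = "10.0.0.10/32"

SCREENING_ROUTER_RULES = [
    Rule("allow", ANY, BASTION, "tcp", 25),   # outside may deliver mail to the bastion
    Rule("allow", ANY, BASTION, "tcp", 80),   # outside may fetch web pages from the bastion
    Rule("allow", BASTION, ANY),              # bastion may originate traffic to the outside
    Rule("deny", ANY, INSIDE),                # no direct access to any other inside host
]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "10.0.0.10", "tcp", 25),   # outside -> bastion mail: allow
        Packet("203.0.113.7", "10.0.0.10", "tcp", 22),   # outside -> bastion ssh: deny
        Packet("203.0.113.7", "10.0.0.5", "tcp", 80),    # outside -> inside host: deny
        Packet("10.0.0.5", "203.0.113.7", "tcp", 443),   # inside host bypassing bastion: deny
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(SCREENING_ROUTER_RULES, pkt))
```

Rule order matters: a filter evaluates top down and stops at the first match, so the specific bastion rules sit above the blanket deny. The final rule is redundant with the default-deny backstop, but stating it explicitly makes the "direct access is denied" requirement visible in the rule set itself.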
A network address translator hides internal addresses from the outside world. Network address translation (NAT) routers contain a table of outside and inside addresses. They translate the outside address of an incoming message into the hidden inside address, and do the reverse for an outgoing message.
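As an added example (not the article's own code) of the translation table just described: a static NAT router holding outside-to-inside address pairs that rewrites the destination of an incoming message to the hidden inside address and the source of an outgoing message to the corresponding outside address. Messages with no table entry are not forwarded, which is what keeps the inside addresses from ever appearing on the outside network. The `Message` type and the addresses (198.51.100.0/24 as the public range, 10.0.0.0/8 as the private one) are assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional


@dataclass(frozen=True)
class Message:
    src: str      # source address as seen on the wire
    dst: str      # destination address as seen on the wire
    payload: str


class NatRouter:
    """Static, one-to-one NAT: a table pairing each outside address with one inside address."""

    def __init__(self, outside_to_inside: Dict[str, str]):
        self.outside_to_inside = dict(outside_to_inside)
        # Reverse map for outgoing traffic; assumes each inside address has one outside address.
        self.inside_to_outside = {inside: outside for outside, inside in outside_to_inside.items()}

    def translate_incoming(self, msg: Message) -> Optional[Message]:
        """Outside -> inside: rewrite the public destination to the hidden inside address."""
        inside = self.outside_to_inside.get(msg.dst)
        if inside is None:
            return None  # no mapping for this outside address: do not forward
        return replace(msg, dst=inside)

    def translate_outgoing(self, msg: Message) -> Optional[Message]:
        """Inside -> outside: rewrite the private source to its public outside address."""
        outside = self.inside_to_outside.get(msg.src)
        if outside is None:
            return None  # inside host has no public address: do not forward
        return replace(msg, src=outside)


if __name__ == "__main__":
    # Constructed table: two public addresses fronting two inside hosts.
    nat = NatRouter({"198.51.100.1": "10.0.0.5", "198.51.100.2": "10.0.0.10"})
    print(nat.translate_outgoing(Message("10.0.0.5", "203.0.113.7", "request")))
    print(nat.translate_incoming(Message("203.0.113.7", "198.51.100.2", "reply")))
    print(nat.translate_incoming(Message("203.0.113.7", "10.0.0.5", "addressed to a private address")))
```

The third call returns `None`: a message from the outside that names an inside address directly has no table entry, so the translator drops it rather than leaking the private addressing into the protected network. Real NAT devices commonly share one outside address among many inside hosts by also translating ports, which this one-to-one table does not model.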
Many firewalls now include built-in support for Socks (the name derives from Unix Sockets), software that allows applications to access a variety of communication protocols. Thus Socks can handle many different types of traffic, routing packets between compatible clients and servers in the untrusted network and the protected one. In effect, it forms a circuit between a client and server; but it acts as a proxy, too, forwarding only those packets deemed acceptable.
An application-level firewall uses application-specific proxies that can interact with the source and destination of a message to determine whether it meets security standards, and then allows or denies access on the basis of its evaluation. Separate proxies are needed for each application. Further, a so-called "dual-homed" application-level firewall can be built by installing two interfaces, one on each network. So a popular location for such a firewall is a bastion host, in either a screened-host or screened-subnet firewall.
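To show what an application-specific proxy can decide that a packet filter cannot, here is an added example, not code from the article: a policy check for an HTTP proxy that parses the request line and Host header of a request and allows or denies it on the basis of the method and the named host, information that exists only at the application layer. The policy values (permitted methods, permitted hosts) and the sample requests are constructed for illustration; a real proxy would apply such a check before forwarding the request to the destination.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class HttpRequest:
    method: str
    host: str
    path: str


def parse_request(raw: str) -> Optional[HttpRequest]:
    """Parse the request line and Host header of an HTTP/1.x request; None if malformed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    method, target, _version = parts
    if not target.startswith("/"):
        return None  # only origin-form targets are accepted here
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]  # drop an explicit port
    if not host:
        return None  # HTTP/1.1 requires Host; without it the proxy cannot evaluate policy
    return HttpRequest(method.upper(), host, target)


class HttpProxyPolicy:
    """Application-level policy: which methods and which destination hosts are acceptable."""

    def __init__(self, allowed_methods: Iterable[str], allowed_hosts: Iterable[str]):
        self.allowed_methods = {m.upper() for m in allowed_methods}
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    def decide(self, raw: str) -> str:
        req = parse_request(raw)
        if req is None:
            return "deny"  # malformed or incomplete request: the proxy does not guess
        if req.method not in self.allowed_methods:
            return "deny"
        if req.host not in self.allowed_hosts:
            return "deny"
        return "allow"


# Constructed policy and sample requests (assumed values).
POLICY = HttpProxyPolicy(allowed_methods=["GET", "HEAD"], allowed_hosts=["www.example.com"])

REQ_OK = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_BAD_METHOD = "DELETE /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_BAD_HOST = "GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"
REQ_NO_HOST = "GET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for raw in (REQ_OK, REQ_BAD_METHOD, REQ_BAD_HOST, REQ_NO_HOST):
        print(repr(raw.split("\r\n")[0]), "->", POLICY.decide(raw))
```

All four sample requests would look identical to a packet filter (same addresses, same destination port), which is the point of the paragraph: only a proxy that understands the protocol can distinguish them, and that is why a separate proxy is needed for each application protocol.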
The phases of the firewall's life cycle, shown in blue rectangles, use the methods in the brown hexagonals to the right to produce the results noted in the beige ovals. The life cycle progresses diagonally, beginning with the all important definition of security policy and arriving at implementation, review, and testing after high-level design, selection of components, and detailed design. Even after the firewall is in use, periodic review and testing during the system's lifetime may result in an earlier phase being revisited (indicated by the upward-pointing blue arrows), as when a new, improved firewall component becomes available or when defects in an earlier phase are discovered.