2. Defining Terms
 

So how do we define a firewall? Broadly speaking, it is a system or group of systems that enforces an access control policy between two networks [FAQ]. More specifically, a firewall is a collection of components or a system that is placed between two networks and possesses the following properties:

1. all traffic from inside to outside, and vice-versa, must pass through it;

2. only authorized traffic, as defined by the local security policy, is allowed to pass through it; and

3. the system itself is immune to penetration [Ches94].

As we said earlier, a firewall is a mechanism used to protect a trusted network from an untrusted network; the two networks in question are typically an organization's internal network (trusted) and the Internet (untrusted). But there is nothing in the definition of a firewall that ties the concept to the Internet (remember that we defined the Internet as the global network of networks that communicates using TCP/IP and an internet as any connected set of networks).

Internal Firewalls
Consider a manufacturing company that has different networks for sales, marketing, payroll, accounting, production, and product development. Over time, these have been connected because some users have made a case for having access to more than one network. But it is probably unnecessary and undesirable for all users to have access to all of these networks. Although application-level security may be used to protect sensitive data in a wide area network that offers any-to-any connectivity, segregation of networks by means of firewalls greatly reduces many of the risks involved; in particular, firewalls can notably reduce the threat of hacking between networks by insiders (44% of respondents to a recent Infosecurity News/Yankee Group survey reported security compromises by insiders). Insider hacking encompasses unauthorized or inappropriate access to data and processing resources by employees, including otherwise authorized users reaching resources their role does not require. It should be noted that the importance of insider abuse consistently outranks that of external hacking in information security surveys.

Although the phenomenal growth of Internet connections has understandably focused attention on Internet firewalls, modern business practices continue to underline the importance of internal firewalls. Consider mergers, acquisitions, reorganizations, outsourcing, joint ventures, and strategic partnerships. In all but the most technologically challenged industries these increasingly common occurrences have significant internetworking implications. Suddenly, someone outside the organization needs access to internal information. Multiple networks designed by different people, according to different rules, are suddenly asked to trust each other. In these circumstances, firewalls have an important role to play as a mechanism to enforce an access-control policy between networks and to protect trusted networks from those that are untrusted.

Gateways
Medieval towns were often surrounded by huge walls for protection. Access to and from the town was possible only through a limited number of large gates or gateways. By analogy, "gateway" is now an important networking term, often used as a synonym for, or in conjunction with, "firewall": a point of control through which network traffic must pass. Internet firewalls are often referred to as secure Internet gateways [Wack].

More specifically, a gateway is a computer that provides relay services between two networks. As you can see from Figure 2, a firewall may consist of several different components, including filters or screens that block transmission of certain classes of traffic, and one or more gateway machines that provide relay services complementing the filters. Another term illustrated in Figure 2 is "demilitarized zone" or "DMZ" [Ches94]: a sub-network between the inside and outside networks that is only partially protected. One or more gateway machines may be located in the DMZ. This arrangement exemplifies a traditional security concept, defense-in-depth: the outside filter protects the gateway from attack, while the inside filter guards against the consequences of a compromised gateway [Ches94].

Figure 2: Firewall schematics
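The three properties of the definition, the internal segmentation of the manufacturing example, and the two-filter DMZ arrangement of Figure 2 can all be exercised with a small policy model. The Python below is an added example and not code from the original article or from [Ches94]; the zone addresses (10.0.0.0/8 inside, a 10.20.0.0/16 payroll subnet, 192.0.2.0/24 DMZ), the host roles (mail relay, public web server, internal mail hub) and the rules are assumptions chosen for illustration. The model is stateless and looks only at the packet that opens a connection, so reply traffic is not considered.

```python
"""Policy model of a screened-subnet firewall (added example; the
addresses, host roles and rules below are assumptions, not taken from
the article). Zones lie on a line outside - dmz - inside - payroll, with
one packet filter between each pair of neighbours, as in Figure 2."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """The packet that opens a connection (the model is stateless)."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str               # CIDR the source address must fall inside
    dst: str               # CIDR the destination address must fall inside
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and self.dport in (None, f.dport))


class Filter:
    """First-match packet filter. A flow that matches no rule is denied,
    so only traffic the policy explicitly authorizes passes (property 2)."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = rules

    def decide(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        return "deny"


# Most specific zone first: the payroll subnet is carved out of "inside".
ZONES = [("payroll", "10.20.0.0/16"), ("inside", "10.0.0.0/8"),
         ("dmz", "192.0.2.0/24")]          # anything else is "outside"
ORDER = {"outside": 0, "dmz": 1, "inside": 2, "payroll": 3}

MAIL_RELAY, WEB, MAIL_HUB = "192.0.2.10", "192.0.2.20", "10.1.0.5"  # assumed

# FILTERS[i] sits between the zones at ORDER positions i and i + 1.
FILTERS = [
    Filter("outside-filter", [          # Internet <-> DMZ
        Rule("0.0.0.0/0", MAIL_RELAY, "tcp", 25, "allow"),   # inbound mail
        Rule("0.0.0.0/0", WEB, "tcp", 80, "allow"),          # public web
        Rule(MAIL_RELAY, "0.0.0.0/0", "tcp", 25, "allow"),   # outbound mail
    ]),
    Filter("inside-filter", [           # DMZ <-> internal network
        Rule(MAIL_RELAY, MAIL_HUB, "tcp", 25, "allow"),      # relay -> hub
        Rule("10.0.0.0/8", MAIL_RELAY, "tcp", 25, "allow"),  # users -> relay
    ]),
    Filter("payroll-filter", [          # internal firewall for payroll
        Rule("10.30.0.0/16", "10.20.0.0/16", "tcp", 443, "allow"),  # accounting
    ]),
]


def zone(ip: str) -> str:
    for name, net in ZONES:
        if ip_address(ip) in ip_network(net):
            return name
    return "outside"


def firewall_decision(f: Flow, compromised: FrozenSet[str] = frozenset()
                      ) -> Tuple[str, Optional[str]]:
    """Return ("allow", None) if every filter between the source and
    destination zones allows the flow (property 1: no path bypasses them),
    else ("deny", <first filter that refused it>). A filter named in
    `compromised` is treated as passing everything, which is the
    compromised-gateway case the inside filter is there to contain.
    Traffic that stays within one zone crosses no filter at all."""
    a, b = ORDER[zone(f.src)], ORDER[zone(f.dst)]
    path = FILTERS[min(a, b):max(a, b)]
    if a > b:                      # walk the filters in the packet's direction
        path = path[::-1]
    for flt in path:
        if flt.name not in compromised and flt.decide(f) != "allow":
            return "deny", flt.name
    return "allow", None


if __name__ == "__main__":
    # Constructed sample flows: an Internet client, the DMZ hosts, an
    # accounting workstation (10.30.0.4) and an engineering one (10.40.0.4).
    samples = [
        Flow("203.0.113.7", WEB, "tcp", 80),
        Flow("203.0.113.7", MAIL_HUB, "tcp", 25),
        Flow(MAIL_RELAY, MAIL_HUB, "tcp", 25),
        Flow(MAIL_RELAY, "10.1.0.9", "tcp", 22),       # relay turned hostile
        Flow("10.30.0.4", "10.20.0.8", "tcp", 443),
        Flow("10.40.0.4", "10.20.0.8", "tcp", 443),    # insider probing payroll
    ]
    for s in samples:
        print(f"{s.src:>13} -> {s.dst:>11}:{s.dport:<4} {firewall_decision(s)}")
    lost = frozenset({"outside-filter"})
    print("outside filter bypassed:",
          firewall_decision(Flow("203.0.113.7", "10.1.0.9", "tcp", 22), lost))
```

Each filter fails closed, so an unlisted service is refused (property 2), and a flow must satisfy every filter between its zones (property 1). Marking the outside filter as compromised shows both halves of the defense-in-depth argument: DMZ hosts become reachable on any port, which is why the DMZ is only partially protected, but the inside filter still refuses the relay, or anything behind a bypassed outside filter, a connection to an internal host on a port the policy never authorized. Property 3, the firewall's own resistance to penetration, is a property of the filtering hosts and their software rather than of the rule table, and is outside what a policy model can show.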