Firewall


In the traditional meaning, a firewall is simply a window-less non-flammable wall (or a wall of substantially heavier construction than other walls in the building) built to prevent fire from spreading beyond one section of the building. By extension, the computing world uses this term for a piece of hardware or software put on the network to prevent some communications forbidden by policy.

Firewalls come in several categories and sub-categories. The basic goal is to prevent intrusion from a connected network; the difference lies in how they try to accomplish this. The two major categories of firewalls are network layer firewalls and application layer firewalls.

Network layer firewalls operate at the (relatively low) level of the TCP/IP protocol stack as an IP-packet filter, not allowing packets to pass the firewall unless they meet the rules defined by the firewall administrator, or applied by default as in some inflexible firewall systems.

Application layer firewalls work on the application level (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets travelling to or from an application. Other packets are blocked (usually dropped without acknowledgment to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines, and by inspecting all otherwise allowed packets for improper content (a difficult task, to be sure) they can even prevent such things as viruses and other unwelcome content. In practice, however, this is not easily achieved, and would be so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that it is not generally attempted as a comprehensive firewall design. These two types of firewall are not mutually exclusive, and indeed both have been implemented in a single system.

A proxy device (running on either dedicated hardware or as software on a general purpose machine) may act as a firewall by responding to input packets (e.g., connection requests) in the manner of an application whilst blocking other packets. A proxy can also disguise the internal address, network, and user structure of a computer network by translating IP addresses and thus preventing direct access to internal systems; this is sometimes called IP masquerading and is possible because the IETF has defined some Internet addresses as not publicly routable (i.e., they are private only and may be reused on different private networks). In this way, tampering with an internal system is much more difficult from outside such a protected private network, and misuse of one of its internal systems would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy were intact and properly configured). Conversely, a hacker might hijack a publicly reachable system and use it as a proxy for himself, so that his traffic masquerades as that system as far as others are concerned.

Proper configuration of firewalls is not simple. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool. Faith in misconfigured firewalls is misplaced indeed.
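As an added illustration (not part of the original page) of the network layer packet filter described above and of how a small configuration mistake can make one worthless: a tiny first-match, default-deny filter over constructed rules and packets, plus a check that flags rules an earlier, broader rule makes unreachable. Rule fields, network and port values are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # "tcp"/"udp"; None matches any protocol
    src: Optional[str] = None    # source network in CIDR form; None = any
    dst: Optional[str] = None    # destination network in CIDR form; None = any
    dport: Optional[int] = None  # destination port; None = any

def _in_net(addr: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    """A packet matches when every field the rule constrains agrees with it."""
    return (rule.proto in (None, proto) and rule.dport in (None, dport)
            and _in_net(src, rule.src) and _in_net(dst, rule.dst))

def filter_packet(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule decides; a packet no rule admits is dropped (default deny)."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"

def _covers(broad: Optional[str], narrow: Optional[str]) -> bool:
    """True if network `broad` contains every address `narrow` could match."""
    if broad is None:
        return True
    return narrow is not None and ipaddress.ip_network(narrow).subnet_of(ipaddress.ip_network(broad))

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    matches every packet they would match (the classic ordering mistake)."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto in (None, later.proto) and earlier.dport in (None, later.dport)
                    and _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)):
                out.append(i)
                break
    return out

# Constructed policy: only the web server's port 80 is reachable from outside.
POLICY = [Rule("allow", proto="tcp", dst="192.0.2.10/32", dport=80)]
# Constructed misconfiguration: an over-broad allow placed first makes the
# later deny for telnet (port 23) unreachable, so telnet gets through anyway.
MISCONFIGURED = [Rule("allow", proto="tcp", dst="192.0.2.0/24"),
                 Rule("deny", proto="tcp", dst="192.0.2.0/24", dport=23)]
```

Running `shadowed_rules(MISCONFIGURED)` reports the deny rule as unreachable, which is exactly the kind of mistake the paragraph above warns about.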

Last edited December 16, 2001 3:02 am by 216.150.138.xxx (diff)