i. Internet connectivity is no longer optional for organizations. The information and services available are essential to the organization.

ii. Moreover, individual users within the organization want and need internet access, and if this is not provided via their LAN, they will use dial-up capability from their PC to an Internet Service Provider (ISP).

iii. However while Internet access provides benefit to the organization. It enables the outside world to reach and interact with local network asset.

iv. This creates a treat to the organization while it is possible to equip each workstation and server on the premises network with strong security features such as instructions, protection. This is not a practical approach.

v. The alternative, increasingly accepted is the firewall. The firewall is inserted between the premises network and the internet to establish a controlled link and to extract on outer security wall or perimeter.

vi. The aim of this perimeter is to protect the premises network from internet based attacks and to provide a single choke point. Where security and audit can be imposed. The firewall may be a single computer system or set of two or more systems that cooperate to perform the firewall function.

vii. The following are the design goals for a firewall:

• All traffic from inside to outside and vice versa must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible.
• Only authorised traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies.
• The firewall itself is immune to penetration. This implies that use of a trusted system with a secure operating system.

viii. Types of firewall:

1. Packet-filtering router
2. Application level gateway
3. Circuit level gateway

$$\text{(c) Circuit-level gateway Figure 6.2 Types of Firewall}$$

ix. Firewall Techniques:

• Service Control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address and TCP port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a web or mail service.
• Direction Control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
• User Control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). It may also be applied to incoming traffic from external users; the latter requires some form of secure authentication technology, such as is provided IPsec.
• Behaviour Control: Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local web server.

x. Scope of a firewall:

• A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network and provides protection from various kinds of IP spoofing and routing attacks. The use of a single choke point simplifies security management because security capabilities are consolidated on a single system or set of systems.
• A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system.
• A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses and a network management function that audits or lags internet usage.
• A firewall can serve as the platform for IPsec.

xi. Limitations of firewall:

• The firewall can’t protect against attacks that bypass the firewall. Internet systems may have dial out capability to connect an ISP. An internet LAN may support a modern pool that provides dial-in capability for travelling employees and telecommuters.
• The firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly co-operates with an external attacker.
• The firewall can’t protect against the transfer of virus-infected programs or files. Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical and perhaps impossible for the firewall to scan all incoming files, e-mail and messages for viruses.