Firewall (Access Control)

Written by Ravi Maggon
Wednesday, 17 March 2010 17:11
What is a Firewall?

• A set of related programs that protects the resources of a private network from users on other networks.
• A mechanism for filtering network packets based on information contained within the IP header.
• Options available:
  – Commercial firewall devices (Watchguard, Cisco PIX)
  – Routers (ACLs)
  – Linux
  – Software packages (ZoneAlarm, Black Ice)
  – Sneaker-net firewalls

• Routers: easy to say “allow everything but…”
• Firewalls: easy to say “allow nothing but…”
• This helps because we turn off access to everything, then evaluate which services are mission-critical and have well-understood risks.
• Note: the only difference between a router and a firewall is the design philosophy:
  – do we prioritize security, or connectivity?
• Configurability, logging

Firewall setup

• The firewall ensures that the internal network and the Internet can both talk to the DMZ, but usually not to each other.
• The DMZ relays services at the application level, e.g. mail forwarding, web proxying.
• The DMZ machines and firewall are centrally administered by people focused on security full-time (installing patches, etc.):
  – it’s easier to secure 20 machines than 20,000
• Now the internal network is “safe” (but not from internal attacks, modems, etc.).
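The default-deny philosophy and the DMZ layout above, as an added example that is not part of the original notes: a toy stateless packet filter in Python that classifies constructed packets into zones and compares the firewall's “allow nothing but…” list with a router-style “allow everything but…” list. The address ranges, ports and the list of permitted services are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the two locally administered zones (assumption).
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

def zone_of(addr: str) -> str:
    """Classify an address by zone; anything outside both ranges is the Internet."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "internet")

@dataclass(frozen=True)
class Packet:
    src: str      # IP header fields the filter looks at
    dst: str
    proto: str
    dport: int

# Firewall philosophy, "allow nothing but...": an explicit allow list of
# (src zone, dst zone, proto, port); everything else hits the deny default.
FIREWALL_ALLOW = {
    ("internet", "dmz", "tcp", 25),    # inbound mail to the DMZ relay
    ("internet", "dmz", "tcp", 80),    # public web server in the DMZ
    ("internal", "dmz", "tcp", 25),    # internal hosts submit mail to the relay
    ("internal", "dmz", "tcp", 3128),  # internal clients use the DMZ web proxy (assumed port)
    ("dmz", "internet", "tcp", 25),    # relay forwards mail outward
    ("dmz", "internet", "tcp", 80),    # proxy fetches pages for internal clients
    ("dmz", "internal", "tcp", 25),    # relay hands inbound mail to an internal mail host (assumed)
}

# Router ACL philosophy, "allow everything but...": a deny list, default accept.
ROUTER_DENY = {
    ("internet", "internal", "tcp", 23),  # telnet was blocked; nothing else was thought of
}

def firewall_decide(pkt: Packet) -> str:
    key = (zone_of(pkt.src), zone_of(pkt.dst), pkt.proto, pkt.dport)
    return "accept" if key in FIREWALL_ALLOW else "deny"

def router_decide(pkt: Packet) -> str:
    key = (zone_of(pkt.src), zone_of(pkt.dst), pkt.proto, pkt.dport)
    return "deny" if key in ROUTER_DENY else "accept"

if __name__ == "__main__":
    # Constructed traffic: an expected flow, and one the deny list never anticipated.
    for p in (Packet("203.0.113.7", "192.0.2.10", "tcp", 25), Packet("203.0.113.7", "10.1.2.3", "tcp", 445)):
        print(p.dst, p.dport, "firewall:", firewall_decide(p), "router:", router_decide(p))
```

The second packet shows the point of the notes: under default-deny it never reaches the internal host, while the router-style deny list lets it through simply because nobody listed that service.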
Last Updated on Thursday, 18 March 2010 20:33