CITS3002 Computer Networks  

Packet filtering at network boundaries

Like most texts, we shall use the term firewall[1] to describe any network device, appliance, or specially configured computer which protects the boundary of an internal network.

Specifically, we shall describe firewalls as software devices through which all network packets must pass, both incoming and outgoing.

Providing a single ingress and egress point to an internal network clearly provides a single place at which a consistent policy can be applied to all network traffic.

The practices of:

  • end-runs, in which a computer reaches the Internet without passing its traffic through the firewall (for example, via a modem or wireless connection), and
  • traffic tunneling, in which users or applications embed otherwise-unwanted network traffic within permitted protocols (for example, uploading a complete file via a web-based CGI program on a host that does not permit HTTP's POST command),

often circumvent the purpose or effectiveness of having a firewall.
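To make the "single point of policy" idea concrete, the following is an added example (not code from the lecture notes): a minimal stateless packet filter that evaluates a first-match rule table over every packet crossing the boundary, in both directions, and denies anything no rule permits. The internal network 10.0.0.0/8, the web host 10.0.1.5, and all packets and rules below are constructed sample values; `filter_packet` returns the decision together with the index of the rule that made it, so denied packets can be logged with the reason, which is the kind of record that lets an administrator notice traffic an end-run or tunnel is trying to slip past the policy.

```python
"""Minimal stateless packet filter with a first-match rule table.

Added illustration, not part of the lecture notes. All addresses, ports and
rules are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (to the Internet)
    proto: str              # "tcp", "udp" or "icmp"
    src: str                # source IPv4 address
    dst: str                # destination IPv4 address
    dport: Optional[int] = None   # destination port, None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    direction: Optional[str] = None   # None matches either direction
    proto: Optional[str] = None       # None matches any protocol
    src: Optional[str] = None         # CIDR block; None matches any source
    dst: Optional[str] = None         # CIDR block; None matches any destination
    dports: Tuple[int, ...] = ()      # empty tuple matches any port

    def matches(self, pkt: Packet) -> bool:
        """True when every field that the rule constrains agrees with the packet."""
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


INTERNAL = "10.0.0.0/8"   # constructed internal address range
WEB_HOST = "10.0.1.5/32"  # constructed internal web server

# Ordered policy: the first matching rule decides. Anything unmatched is denied.
POLICY: List[Rule] = [
    # 0: a packet arriving from outside must not claim an internal source (anti-spoofing)
    Rule("deny", direction="in", src=INTERNAL),
    # 1: the public web server may be reached from outside on HTTP/HTTPS only
    Rule("allow", direction="in", proto="tcp", dst=WEB_HOST, dports=(80, 443)),
    # 2: internal hosts may browse the web
    Rule("allow", direction="out", proto="tcp", src=INTERNAL, dports=(80, 443)),
    # 3: internal hosts may send DNS queries
    Rule("allow", direction="out", proto="udp", src=INTERNAL, dports=(53,)),
]


def filter_packet(pkt: Packet, policy: List[Rule] = POLICY) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); (deny, None) when no rule matched."""
    for idx, rule in enumerate(policy):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None


def audit(packets: List[Packet], policy: List[Rule] = POLICY) -> List[str]:
    """One log line per packet, naming the rule (or the default) that decided it."""
    lines = []
    for pkt in packets:
        action, idx = filter_packet(pkt, policy)
        reason = f"rule {idx}" if idx is not None else "default deny"
        port = f":{pkt.dport}" if pkt.dport is not None else ""
        lines.append(f"{action.upper():5} {pkt.direction:3} {pkt.proto} "
                     f"{pkt.src} -> {pkt.dst}{port} ({reason})")
    return lines


if __name__ == "__main__":
    sample = [   # constructed traffic, both directions
        Packet("in", "tcp", "10.0.3.3", "10.0.1.5", 80),          # spoofed internal source
        Packet("in", "tcp", "198.51.100.4", "10.0.1.5", 443),     # legitimate web visitor
        Packet("in", "tcp", "198.51.100.4", "10.0.1.5", 22),      # SSH from outside
        Packet("out", "tcp", "10.0.2.7", "203.0.113.10", 80),     # internal host browsing
        Packet("out", "tcp", "10.0.2.7", "203.0.113.10", 25),     # direct outbound SMTP
    ]
    print("\n".join(audit(sample)))
```

The audit output makes the policy's two halves visible: the explicit rules say what is permitted, and the default deny catches everything else, which is only meaningful if every packet actually crosses this one point. A host with its own modem link (an end-run) never produces a log line here at all, and a file smuggled inside permitted HTTP (tunneling) is logged as an ordinary allowed web connection, which is exactly why the slide calls both practices a threat to the firewall's effectiveness.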


[1] The origin of the term firewall is variously described in texts, including the iron plates separating train-drivers from the firebox, car drivers from the engine, and even the walls of castles, from which arrows were fired through narrow slits.



CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p16, 15th May 2024.