Firewalling: One problem in computer security is keeping outsiders from contacting network services that they have no reason to interact with. Many of these services are ancillary --- they aren't core services (like a webserver or an ftp server), and are often overlooked by the local site's administrator. For this reason, when a security breach exists in one of them, it sometimes goes unnoticed --- the admins might not even realize that they are running the service. An exceptional solution to this sort of problem is a firewall. A firewall is software that filters network traffic, and allows a site to block services that shouldn't be seen by the outside world. The basic diagram is as follows:

    Network <---> Firewall <---> Services

Firewall software is often seen in conjunction with routing software (many routers have firewall modules, and many hosts that are used as firewalls are also equipped to be routers).

There are two basic types of firewall: a branch firewall and a leaf firewall. A branch firewall is used where the network is physically broken by a single firewall host:

    Outside Network <---> Firewall <---> Network of hosts (w/ services)

With this scheme, the only way for network traffic to get from the outside to the inside is if the firewall passes it across. Similarly, the only way for network traffic to get from the inside to the outside is if the firewall passes it across. Many businesses use this type of firewall not only to protect their branch offices, but also to monitor the network use of their employees' workstations. Most branch firewalls are routers.

A leaf firewall is software that runs on a leaf of the network: a host running one of the services that should be protected. With this scheme, the outside network comes right up to each of the site's workstations.

Both schemes have their strengths and weaknesses: branch firewalls provide yet another point of failure, but can be easier to administer. Leaf firewalls compromise less when they fail, but can be more of a hassle to administer.

Firewalls are configured with rule sets that categorize traffic and describe whether the traffic should be "accepted", "rejected", or "denied". Traffic that is accepted is allowed to go through. Denied traffic is dropped without notifying the sender. Rejected traffic is dropped, but the sender is notified. The difference between rejecting and denying traffic is political --- if the traffic is likely only to be coming from a hacker (not by accident, but with malicious intent), there is no reason to provide the outside with any evidence of why their traffic didn't get through: you would just deny it.

The rules that are used to decide whether packets should be "accepted", "rejected", or "denied" are based at least upon the IP address of the requesting host, the IP address of the requested host, and the port that the requesting host is trying to contact (the service). In addition, the firewall looks at flags set in the headers of traffic (this allows it to distinguish responses to communication from attempts to initiate communication).

The biggest weakness of a firewall is false confidence: sites that believe themselves to be impermeable to outside attacks might not bother to fix security problems. It is still possible to make network attacks through a firewall (attacks known as SYN attacks work by sending traffic that pretends to be a response to a host within the firewall), and many admins are unaware of their site's actual vulnerabilities.
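As an added illustration (not part of the original notes), the following Python sketch is a toy stateless packet filter that applies rules of the kind described above: it matches on the requesting and requested addresses, the contacted port, and the SYN/ACK flags, and returns the accept/reject/deny verdict. All addresses, ports and rules are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str     # IP address of the requesting host
    dst: str     # IP address of the requested host
    dport: int   # port being contacted (the service)
    syn: bool    # TCP SYN flag set?
    ack: bool    # TCP ACK flag set?
    def state(self) -> str:
        # SYN without ACK is an attempt to initiate communication; anything
        # carrying ACK looks like a response within an existing exchange.
        return "new" if self.syn and not self.ack else "established"

@dataclass
class Rule:
    action: str                  # "accept", "reject" or "deny"
    src: str = "0.0.0.0/0"       # network the requesting host must be in
    dst: str = "0.0.0.0/0"       # network the requested host must be in
    dport: Optional[int] = None  # None matches any port
    state: Optional[str] = None  # "new", "established" or None (any)

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.state is None or pkt.state() == self.state))

def filter_packet(rules: List[Rule], pkt: Packet,
                  default: str = "deny") -> Tuple[str, bool]:
    """First matching rule wins; returns (verdict, sender_is_notified):
    accept passes, reject drops and tells the sender, deny drops silently."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.action == "reject"
    return default, default == "reject"

# Constructed rule set (sample addresses) for a site on 192.0.2.0/24 whose only
# public service is the webserver on port 80.
SITE = "192.0.2.0/24"
RULES = [
    Rule("accept", dst=SITE, dport=80, state="new"),            # anyone may open HTTP
    Rule("accept", src=SITE),                                   # inside hosts may go anywhere
    Rule("reject", src="198.51.100.0/24", dst=SITE, state="new"),  # partner net: say why
    Rule("deny", dst=SITE, state="new"),                        # other outsiders: silent drop
    Rule("accept", dst=SITE, state="established"),              # replies to inside-opened connections
]
```

The last rule also exposes the limitation the notes point out: a stateless filter that trusts the ACK flag will pass any packet that merely looks like a response, which is why later firewalls track connection state instead of flags alone.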