Behavior of and Requirements for Internet Firewalls (RFC2979)

IP.com Disclosure Number: IPCOM000005172D
Original Publication Date: 2000-Oct-01
Included in the Prior Art Database: 2001-Aug-16
Document File: 8 page(s) / 14K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

N. Freed: AUTHOR

Abstract

This memo defines behavioral characteristics of and interoperability requirements for Internet firewalls. While most of these things may seem obvious, current firewall behavior is often either unspecified or underspecified and this lack of specificity often causes problems in practice. This requirement is intended to be a necessary first step in making the behavior of firewalls more consistent across implementations and in line with accepted IP protocol practices.

This text was extracted from an ASCII text document.
This is the abbreviated version, containing approximately 23% of the total text.

Network Working Group                                           N. Freed
Request for Comments: 2979                                           Sun
Category: Informational                                     October 2000

Behavior of and Requirements for Internet Firewalls

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

This memo defines behavioral characteristics of and interoperability requirements for Internet firewalls. While most of these things may seem obvious, current firewall behavior is often either unspecified or underspecified and this lack of specificity often causes problems in practice. This requirement is intended to be a necessary first step in making the behavior of firewalls more consistent across implementations and in line with accepted IP protocol practices.

1. Introduction

The Internet is being used for an increasing number of mission-critical applications. Because of this, many sites find isolated secure intranets insufficient for their needs, even when those intranets are based on and use Internet protocols. Instead, they find it necessary to provide direct communications paths between the sometimes hostile Internet and systems or networks which deal with valuable data, provide vital services, or both.

The security concerns that inevitably arise from such setups are often dealt with by inserting one or more "firewalls" on the path between the Internet and the internal network. A "firewall" is an agent which screens network traffic in some way, blocking traffic it believes to be inappropriate, dangerous, or both.

Note that firewall functions are disjoint from network address translation (NAT) functions: neither implies the other, although sometimes both are provided by the same device. This document only discusses firewall functions.

1.1. Requirements notation

This document occasionally uses terms that appear in capital letters. When the terms "MUST", "SHOULD", "MUST NOT", "SHOULD NOT", and "MAY" appear capitalized, they are being used to indicate particular requirements of this specification. A discussion of the meanings of these terms appears in RFC 2119 [2].

2. Characteristics

Firewalls either act as a protocol end point and relay (e.g., an SMTP client/server or a Web proxy agent), as a packet filter, or as some combination of both.

When a firewall acts as a protocol end point it may

(1) implement a "safe" subset of the protocol,

(2) perform extensive protocol validity checks,

(3) use an implementation methodology designed to minimize the likelihood of bugs,

(4) run in an insulated, "safe" environment, or

(5) use some combination of these techniques in tandem.
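The following is an added illustration of points (1) and (2), not code from RFC 2979 or from any particular firewall product: a small SMTP front end that accepts only a fixed subset of commands, validates every argument before it would be passed on, and rebuilds the command stream for the protected server instead of copying the client's bytes. The address syntax it accepts, the 100-recipient limit and the reply texts are this example's own choices; the 512- and 1000-octet line limits are the RFC 5321 values.

```python
"""Added example, not code from RFC 2979: an SMTP front end that implements a
small, validated subset of the protocol, the way a protocol-end-point firewall
might (points (1) and (2) above).  Commands outside the allow list are refused,
every argument is checked, and the stream handed on to the protected server is
rebuilt from validated pieces rather than copied from the client."""

import re

# Deliberately narrower than RFC 5321 address syntax (an assumption of this
# example): a printable ASCII local part and a domain of dot-separated labels.
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})+"
_PATH_RE = re.compile(rf"^<{_LOCAL}@{_DOMAIN}>$")
_DOMAIN_RE = re.compile(rf"^{_DOMAIN}$")

MAX_CMD_LINE = 512     # RFC 5321 limit for a command line, CRLF included
MAX_TEXT_LINE = 1000   # RFC 5321 limit for a message text line, CRLF included
MAX_RCPT = 100         # recipients per message (assumed local policy)


class SafeSmtpFrontend:
    """Feed each client line to handle(); it returns the reply to send back
    ('' while message text is being collected) and records in .relayed the
    sanitized command stream the protected server would receive."""

    def __init__(self):
        self.state = "connect"     # connect -> helo -> mail -> rcpt -> data -> helo
        self.rcpt_count = 0
        self.text = []
        self.body_ok = True
        self.relayed = []

    def handle(self, raw_line: str) -> str:
        if self.state == "data":
            return self._text(raw_line)
        if len(raw_line) > MAX_CMD_LINE:
            return "500 Line too long"
        line = raw_line.rstrip("\r\n")
        if not line.isascii() or any(ord(c) < 32 for c in line):
            return "500 Syntax error: control or non-ASCII character"
        verb, _, arg = line.partition(" ")
        handlers = {"HELO": self._helo, "EHLO": self._helo, "MAIL": self._mail,
                    "RCPT": self._rcpt, "DATA": self._data, "RSET": self._rset,
                    "NOOP": lambda a: "250 OK", "QUIT": lambda a: "221 Bye"}
        handler = handlers.get(verb.upper())   # VRFY, EXPN, HELP, ... are refused
        return handler(arg.strip()) if handler else "502 Command not implemented"

    def _helo(self, arg):
        if not _DOMAIN_RE.match(arg):
            return "501 Syntax error in HELO/EHLO argument"
        self.state, self.rcpt_count = "helo", 0
        self.relayed.append(f"HELO {arg}")     # plain HELO only: no ESMTP extensions exposed
        return "250 OK"

    def _mail(self, arg):
        if self.state != "helo":
            return "503 Bad sequence of commands"
        m = re.match(r"^FROM:\s*(<[^<>\s]*>)$", arg, re.IGNORECASE)  # no SIZE=/BODY= parameters
        if not m or (m.group(1) != "<>" and not _PATH_RE.match(m.group(1))):
            return "501 Syntax error in MAIL FROM argument"
        self.state, self.rcpt_count = "mail", 0
        self.relayed.append(f"MAIL FROM:{m.group(1)}")
        return "250 OK"

    def _rcpt(self, arg):
        if self.state not in ("mail", "rcpt"):
            return "503 Bad sequence of commands"
        m = re.match(r"^TO:\s*(<[^<>\s]*>)$", arg, re.IGNORECASE)
        if not m or not _PATH_RE.match(m.group(1)):
            return "501 Syntax error in RCPT TO argument"
        if self.rcpt_count >= MAX_RCPT:
            return "452 Too many recipients"
        self.state, self.rcpt_count = "rcpt", self.rcpt_count + 1
        self.relayed.append(f"RCPT TO:{m.group(1)}")
        return "250 OK"

    def _data(self, arg):
        if arg:
            return "501 Syntax error: DATA takes no argument"
        if self.state != "rcpt":
            return "503 Bad sequence of commands"
        self.state, self.text, self.body_ok = "data", [], True
        return "354 End data with <CR><LF>.<CR><LF>"

    def _text(self, raw_line):
        line = raw_line.rstrip("\r\n")
        if line != ".":
            if len(raw_line) > MAX_TEXT_LINE:
                self.body_ok = False
            self.text.append(line)     # dot-stuffing is left exactly as the client sent it
            return ""
        self.state = "helo"
        if not self.body_ok:
            return "552 Message text line too long; message discarded"
        self.relayed += ["DATA", *self.text, "."]
        return "250 OK: message accepted for relay"

    def _rset(self, arg):
        if self.state != "connect":
            self.state = "helo"
        self.rcpt_count = 0
        self.relayed.append("RSET")
        return "250 OK"
```

The point of the design is that the protected server never sees a byte the front end did not itself generate from a validated value: an over-long line, a control character, an unknown verb, an ESMTP parameter or an out-of-order command is answered here and goes no further. Whether a real deployment also strips or rewrites message headers is a separate policy decision this example does not make.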

Firewalls acting as packet filters aren't visible as protocol end points. The firewall examines each packet and then

(1) passes the packet through to the other side unchanged,

(2) drops the packet entirely, or

(3) handles the packet ...
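As an added example (not code from RFC 2979), here is a stateless packet filter of the kind this paragraph describes, placed on the Internet-facing side of a protected network. Each packet receives exactly one of the three outcomes: it is passed through unchanged, dropped silently, or handled by the filter itself. The page's third item is cut off; this example's reading of it, that the filter answers the sender with a TCP RST or an ICMP error, is an assumption. The addresses (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges), the rule set and the sample traffic are all constructed for the example.

```python
"""Added example, not code from RFC 2979: a stateless, first-match packet
filter.  filter_packet() returns 'pass', 'drop' or 'reject'; for 'reject'
it also returns the packet the filter itself sends back (an assumption of
this example about what 'handles the packet itself' looks like)."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

FILTER_ADDR = "192.0.2.1"    # the filter's own address (constructed, TEST-NET-1)
INTERNAL = "192.0.2.0/24"    # the protected network (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False        # TCP flags, meaningful only when proto == "tcp"
    ack: bool = False
    rst: bool = False
    icmp_type: str = ""      # set on ICMP packets the filter itself emits


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass", "drop" or "reject"
    proto: Optional[str] = None      # None matches any protocol
    src: Optional[str] = None        # CIDR; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None
    new_only: bool = False           # only TCP connection attempts (SYN, no ACK)
    established_only: bool = False   # only TCP segments with ACK set

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.new_only and not (p.proto == "tcp" and p.syn and not p.ack):
            return False
        if self.established_only and not (p.proto == "tcp" and p.ack):
            return False
        return True


# Inbound policy; first match wins and the last rule is the default deny.
RULES: List[Rule] = [
    Rule("drop", src=INTERNAL),                                        # internal source seen from outside: spoofed
    Rule("pass", proto="tcp", dst=INTERNAL, dport=25, new_only=True),  # new connections to the mail relay
    Rule("pass", proto="udp", dst=INTERNAL, dport=53),                 # DNS to the internal resolver
    Rule("pass", proto="tcp", dst=INTERNAL, established_only=True),    # replies to inside-initiated connections
    Rule("reject", proto="tcp", dst=INTERNAL, new_only=True),          # other connection attempts: answer with RST
    Rule("reject", proto="udp", dst=INTERNAL),                         # other UDP: answer with an ICMP error
    Rule("drop"),                                                      # everything else, silently
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, Optional[Packet]]:
    """Return (verdict, reply); reply is None unless the verdict is 'reject'."""
    for rule in rules:
        if not rule.matches(p):
            continue
        if rule.action != "reject":
            return rule.action, None
        if p.proto == "tcp":
            # RST/ACK in the reverse direction, as a host would send for a closed port.
            reply = Packet(src=p.dst, dst=p.src, proto="tcp", sport=p.dport,
                           dport=p.sport, ack=True, rst=True)
        else:
            # ICMP destination unreachable (administratively prohibited) from the filter.
            reply = Packet(src=FILTER_ADDR, dst=p.src, proto="icmp",
                           icmp_type="admin-prohibited")
        return "reject", reply
    return "drop", None      # unreachable with the default-deny rule above; kept as a safety net


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Packet("198.51.100.7", "192.0.2.25", "tcp", 40000, 25, syn=True),
        Packet("198.51.100.7", "192.0.2.25", "tcp", 40001, 22, syn=True),
        Packet("192.0.2.5", "192.0.2.25", "tcp", 40002, 25, syn=True),
        Packet("198.51.100.7", "192.0.2.10", "udp", 5353, 161),
    ]
    for pkt in samples:
        verdict, reply = filter_packet(pkt)
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {verdict}", reply or "")
```

Two caveats a practitioner would want. The "established" rule is the classic weakness of a stateless filter: any segment with ACK set is passed, so an ACK probe from outside reaches the host even though no connection exists, which is exactly what connection-tracking (stateful) filters were introduced to fix. And "reject" versus "drop" is a policy trade-off: rejecting lets legitimate clients fail fast instead of waiting out a timeout, while dropping gives a scanner less information about which addresses and ports exist.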