A network firewall is a network access control system that protects both users and the network itself from unauthorized access and malicious attacks. A traditional firewall is implemented at a network gateway to filter traffic passing through the gateway according to a security policy. A traditional firewall splits a network into an internal portion, which is behind the firewall, and an external portion, which is outside of the firewall. Internal traffic is defined as communications between users attached to the internal portion of the network. Internal traffic does not pass through the firewall, and is not affected by the security policy. Therefore, a traditional firewall cannot protect systems that are behind the firewall from each other. A traditional firewall is sometimes referred to as a perimeter firewall.
Users today may access a plethora of different networks. For example, a user may carry a terminal and connect it to a residential network, an office network, an airport network, a cyber café network, or the like. Other users whose terminals are connected to, for example, the same cyber café network may not be trustworthy. The assumption on which a traditional firewall is based, namely that users behind the firewall can trust each other, is no longer valid.
In a traditional firewall, a security policy is defined and enforced by a network administrator at some central point, such as a network gateway. Users may not be free to choose which traffic is enabled or disabled for their terminals, even though different users may have different network access preferences and requirements. A centralized network security policy defined by a network administrator may not meet the requirements of each individual user.
For example, an enterprise firewall may be deployed at an enterprise gateway. When users move their terminals from the enterprise network to other networks, they may be left without any protection. Furthermore, the enterprise firewall policy may block their access to the internal network from outside the firewall unless remedial measures, such as a Virtual Private Network (VPN) implementation, are in place.
Distributed firewalls for terminals, or for network interface cards, have been proposed. A distributed firewall implementation essentially places a firewall around each terminal. Distributed firewalls may protect users on a common network from each other. However, there are other issues that distributed firewalls may not address. First, unauthorized packets are not dropped until the packets reach a terminal, so network bandwidth, which is especially valuable in a wireless network, is wasted. Second, a network using a distributed firewall may be forced to depend upon each terminal to control the firewall. Third, a network using a distributed firewall may have to trust a terminal to charge itself a network usage fee.
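The two enforcement models described above (policy at the gateway versus policy at each terminal) can be contrasted in a small simulation. The following is an added example, not part of the patent text: the topology, the addresses, the one-line security policy ("terminals may only be reached on TCP/443") and the link-cost accounting are all constructed for illustration. It shows the two gaps the text names: a perimeter firewall never sees internal-to-internal traffic, so a policy violation between two terminals is delivered uninspected, while a distributed firewall does drop that packet but only after it has consumed every link on its path.

```python
# Added example (not from the patent text): a toy model of where a firewall
# policy is enforced, contrasting a perimeter firewall with a distributed one.
# The topology, addresses and policy below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination TCP port


# Constructed topology: two terminals on an internal LAN behind a gateway; any
# other address is outside. A path within the LAN costs one link; a path that
# crosses the gateway costs two (outside <-> gateway, gateway <-> terminal).
INTERNAL = {"10.0.0.11", "10.0.0.12"}


def is_internal(host: str) -> bool:
    return host in INTERNAL


def crosses_gateway(pkt: Packet) -> bool:
    """True when exactly one endpoint is inside the perimeter."""
    return is_internal(pkt.src) != is_internal(pkt.dst)


def policy_allows(pkt: Packet) -> bool:
    """Constructed security policy: terminals may only be reached on TCP/443."""
    return pkt.dport == 443


def perimeter_firewall(pkt: Packet) -> tuple[bool, int, str]:
    """Policy enforced only at the gateway.

    Returns (delivered, links_consumed, note). Traffic that never passes the
    gateway is never inspected, whatever the policy says.
    """
    if not crosses_gateway(pkt):
        return True, 1, "internal traffic: not inspected by the gateway"
    if policy_allows(pkt):
        return True, 2, "allowed at gateway"
    return False, 1, "dropped at gateway before the last hop"


def distributed_firewall(pkt: Packet) -> tuple[bool, int, str]:
    """Policy enforced by the destination terminal itself.

    Every packet is inspected, but only after it has travelled the whole path,
    so a dropped packet has already consumed every link on the way.
    """
    links = 2 if crosses_gateway(pkt) else 1
    if policy_allows(pkt):
        return True, links, "allowed at terminal"
    return False, links, "dropped at terminal; path bandwidth already spent"


def compare(pkt: Packet) -> dict:
    """Run one packet through both models and report the difference."""
    return {
        "packet": f"{pkt.src} -> {pkt.dst}:{pkt.dport}",
        "policy_violation": not policy_allows(pkt),
        "perimeter": perimeter_firewall(pkt),
        "distributed": distributed_firewall(pkt),
    }


# Constructed sample traffic: an outside probe of SSH, a permitted HTTPS
# request, and one internal terminal probing another on SSH.
SAMPLE = [
    Packet("203.0.113.5", "10.0.0.11", 22),
    Packet("203.0.113.5", "10.0.0.11", 443),
    Packet("10.0.0.12", "10.0.0.11", 22),
]

if __name__ == "__main__":
    for sample in SAMPLE:
        result = compare(sample)
        print(result["packet"], "(violation)" if result["policy_violation"] else "")
        print("  perimeter  :", result["perimeter"])
        print("  distributed:", result["distributed"])
```

Running the script prints one block per sample packet. The third packet is the instructive one: it violates the policy, yet the perimeter model delivers it without inspection, while the distributed model drops it. The first packet shows the bandwidth cost the text describes: both models drop it, but the perimeter does so after one link and the terminal only after two.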