Please Note: Much of this data is out of date.

Introduction

This site provides a comprehensive list of resources associated with Internet firewalls. The list is divided into sections to make finding information easier. Much of the information presented here is also available at the COAST Archive.

The term firewall has seen limited use since the late 1980s to describe a device that blocks unwanted network traffic while allowing other traffic to pass. The first published description of a "modern" firewall, including use of that name, was in 'Practical Unix Security', written in 1990 and published in 1991. The first description of a firewall, although not by that name, was also in 1990, in a paper by Bill Cheswick. A few of the industry pioneers tried to track down the etymology of the word in this context. They found several references from the mid-1980s that used the word to describe a damage-limiting device. The earliest use they found that seems to correspond to a security device was by Steve Bellovin, in e-mail to Phil Karn in 1987. The context suggests that Phil already knew what Steve meant, and Steve himself doesn't think he invented the term.

The first section of this resource deals with books and chapters in books that discuss firewalls. The second section is a collection of papers and articles related to firewalls. A complete list is next to impossible, especially given the number of articles appearing daily in the trade press. Also, since firewalls are a hot topic in the commercial arena as companies struggle to connect securely to the Internet, a great deal of research and information is available. The papers listed range from the original papers by the field's pioneers to current research on parallelism and high-speed bandwidth.

The third section is a list of current firewall products. This list presents the most popular offerings available today. Two other comprehensive lists, maintained elsewhere, are also linked. A small section on firewall testing is next. This area will expand in the future as more people try to formally prove that their firewall does what it is configured to do.

The next section presents firewall tools. First, there is a list of freely available firewalls. After that, tools to monitor the network and system are listed. Many of these tools are available at the COAST Archive.

More information about firewalls and network security can be found in the next section on mailing lists and newsgroups. A list of conferences at which firewalls are discussed is presented. Next, the Frequently Asked Questions list for the topic is made available. Finally, the developer and maintainer of this resource are credited.

Obviously, the field of Internet firewalls is fast-paced and rapidly changing. If you see something we've missed, please let us know using this comment form.


Books

Chapters in Books


Papers

  • Alves-Foss, An Overview of SNIF: A Tool for Surveying Network Information Flow, Proceedings Symposium on Network and Distributed System Security, 1995
  • Bellovin and Cheswick, Network Firewalls, IEEE Communications, Sep, 1994
  • Bellovin, Packets Found on An Internet, Computer Communication Review, Jul, 1993
  • Boshoff and Olivier, Increasing Firewall Reliability by Recording Routes, IFIP TC-6 and TC-11 Joint Working Conference on Communications and Multimedia Security, University of Essen, Germany, September 23-24, 1996
  • Bradner and McQuaid, Benchmarking Methodology for Network Interconnect Devices, Request For Comment # 1944
  • Chapman, Network (In)Security Through IP Packet Filtering, 1992 USENIX Security Symposium
  • Cheriton, Greenwald, Singhal, and Stone, Designing an Academic Firewall: Policy, Practice, and Experiences with SURF, Internet Society Symposium on Network and Distributed System Security, San Diego, CA, February 22-23, 1996
  • Cheswick, An Evening with Berferd, 1992
  • Cheswick, The Design of a Secure Internet Gateway, 1990 USENIX Summer Conference
  • D'Alotto, Internet Firewalls Policy Development and Technology Choices, 19th National Information Systems Security Conference, Baltimore, MD, Oct. 21-25, 1996
  • DeSchon and Cohen, The ISI "Tunnel", ISI/SR--93--358, Oct 1993
  • Drake and Morse, Applying the Eight Stage Risk Assessment Methodology to Firewalls, 19th National Information Systems Security Conference, Baltimore, MD, Oct. 21-25, 1996
  • Hale and Mannarino, MISSI Compliance for Commercial-Off-The-Shelf Firewalls, 19th National Information Systems Security Conference, Baltimore, MD, Oct. 21-25, 1996
  • Hughes, IP Security, Creating Secure Intranets over the Internet, INET'96, Spring 1996
  • Hughes, A High Speed Firewall Architecture for ATM OC-3c, Interop Engineering Conference, Spring 1996
  • Kahn, Safe Use of X Window System Protocol Across a Firewall, 1995 USENIX Security Symposium
  • Metzler, It's After Midnight, Do You Know Who Your Modem Is Talking To?, DECUS, 1994
  • Molitor, An Architecture for Advanced Packet Filtering, 1995 USENIX Security Symposium
  • Ranum, Evaluating Firewall Products, Internet Security Review, Oct. 1995
  • Ranum, On the net, you can run, but you can't hide..., Internet Security Review, Oct. 1995
  • Ranum and Avolio, A network perimeter with secure external access, 1994 Internet Society Symposium on Network and Distributed System Security
  • Ranum, Internet Firewalls - An Overview, 1993
  • Ranum, A Network Firewall, 1992
  • Reese and Wolman, X Through the Firewall and Other Application Relays, 1993 USENIX Summer Conference
  • Robinson, Internet Firewalls: An Introduction, Jan, 1995
  • Woycke, A Community of Firewalls: An Implementation Example, 11th Annual Computer Security Applications Conference

Articles

Reports and Guides

Research

  • Authenticated Firewall Traversal by the IETF
  • S/WAN Initiative at RSA
  • Adaptive Firewalls by Mark Crosbie

Products


Firewall Testing


Firewall Tools

Below is a list of programs that can be used in conjunction with a firewall or to build one. A firewall can be any of the many different methods of protecting a network from untrusted networks.

  • Freestone --- A freeware version of their Brimstone firewall by SOS Corp.
    Availability: anonymous ftp at COAST
  • ipfilterd --- An IP filtering daemon.
    Availability: anonymous ftp at coombs.anu.edu.au or at COAST
  • Socks --- Socks is a package that allows various Internet services such as gopher, ftp and telnet to be used through a firewall.
    Availability: anonymous ftp at ftp.nec.com or at COAST
    Additional Info: SOCKS Version 5 Information and NEC's SOCKS 5 page
  • Tcpr --- Tcpr is a set of perl scripts that forwards ftp and telnet commands across a firewall.
    Availability: anonymous ftp at ftp.alantec.com or at COAST
  • TIS Firewall Toolkit --- Firewall Toolkit is a software package to build and maintain a system which is used to protect a network from unwanted network activities.
    Availability: anonymous ftp at ftp.tis.com
    Additional Info: Network Security and Firewalls
  • udprelay --- The udprelay package by Tom Fitzgerald. A daemon process that runs on a firewall host and forwards UDP packets into and out of the firewalled network, as directed by a configuration file.
    Availability: anonymous ftp at COAST
  • xforward --- The xforward package by Win Treese. Used for relaying X Window System connections across network firewalls.
    Availability: anonymous ftp at Digital Equipment (link removed)
  • Xp-BETA --- It is an application gateway for X11 protocol that uses Socks and/or CERN WWW Proxy.
    Availability: anonymous ftp at ftp.mri.co.jp (link removed)

Network Tools

Below is a list of programs that gather information from the network or improve the security of the network.

  • Argus --- Argus is a powerful tool for monitoring IP networks. It provides tools for sophisticated analysis of network activity that can be used to verify the enforcement of network security policies, network performance analysis and more.
    Availability: anonymous ftp at ftp.sei.cmu.edu or COAST

  • Arpwatch --- An ethernet monitor program that keeps tracks of ethernet/IP address pairings.
    Availability: anonymous ftp at ftp.ee.lbl.gov or at COAST

  • Courtney --- Courtney tries to identify use of SATAN against a subnet. The program tcpdump is also needed in order to run Courtney; see below for information about tcpdump.
    Availability: anonymous ftp at ciac.llnl.gov
    Additional Info: CIAC Notes 08

  • Dig --- Dig is a network utility that queries Domain Name Servers, similar to nslookup but more flexible.
    Availability: anonymous ftp at venera.isi.edu or at COAST

  • Drawbridge --- Powerful bridging filter package.
    Availability: anonymous ftp at net.tamu.edu (link removed)

  • Fping --- An efficient way to test whether a large number of hosts are up.
    Availability: anonymous ftp at slapshot.stanford.edu

  • IPACL --- Filters incoming and outgoing TCP and UDP traffic in an SVR4/386 kernel.
    Availability: anonymous ftp at ftp.win.tue.nl or at COAST

  • ISS --- Checks hosts within a specified range of IP addresses for various security vulnerabilities in sendmail, anonymous FTP setup, NFS and many more. Produced by ISS.
    Availability: anonymous ftp at aql.gatech.edu or at COAST
    Additional Info: CERT Advisory 93:14.Internet.Security.Scanner (link removed)

  • Klaxon --- It is a daemon that is used to identify the use of port scanners like ISS and SATAN.
    Availability: anonymous ftp at ftp.eng.auburn.edu or at COAST

  • Netlog --- Network logging and monitoring of all TCP and UDP connections on a subnet. Netlog also includes tools for analyzing the output.
    Availability: anonymous ftp at net.tamu.edu or at COAST

  • nfsbug --- Exercises a known NFS bug (no further description given).
    Availability: anonymous ftp at COAST

  • NFSWatch --- NFSWatch monitors NFS requests and measures response time for each RPC.
    Availability: anonymous ftp at COAST

  • Pidentd --- An implementation of the identd service (RFC 1413), which tries to identify the remote user name of a TCP/IP connection. The answer comes from the remote host and can only be trusted as far as that host is.
    Availability: anonymous ftp at ftp.lysator.liu.se
    or ftp.csc.ncsu.edu
    Additional Info: RFC 1413

  • Rscan --- Rscan is an extensible network scanner that checks for common network problems and SGI-specific vulnerabilities.
    Availability: anonymous ftp at ftp.vis.colostate.edu (link removed)
    Additional Info: Rscan: Heterogeneous Network Interrogation (link removed)

  • SATAN --- SATAN is a program that gathers network information such as the types of machines and the services available on those machines, as well as potential security flaws.
    Availability: anonymous ftp at ftp.win.tue.nl or at COAST.
    Additional Info: Cert Advisory CA-95:06.satan (link removed)

  • Scan-Detector --- Scan-detector determines when an automated scan of UDP/TCP ports is being done on a host running this program. Logs to either syslog or stderr.
    Availability: anonymous ftp at COAST
    Additional Info: COAST Projects' Tools

  • screend --- Program by Jeff Mogul at DEC.
    Availability: anonymous ftp at COAST

  • Netscape Secure Sockets Layer --- Netscape SSLRef is a reference implementation of the Secure Sockets Layer protocol intended to aid and accelerate developers' efforts to provide advanced security within TCP/IP applications that use SSL. SSLRef consists of a library, distributed in ANSI C source-code form, that can be compiled on a wide variety of platforms and operating systems and linked into an application program. It's free for noncommercial use and available now.
    Availability: apply to download at Netscape

  • Simple Key-Management For Internet Protocols (SKIP) --- SKIP adds privacy and authentication at the network level.
    Availability: USA and Canada--via web form
    Availability: International--anonymous ftp at ftp.elvis.ru
    Additional Info: SKIP Information

  • S-Key --- Software-based one time password scheme.
    Availability: anonymous ftp at COAST

  • Strobe --- Strobe displays all active listening TCP ports on remote hosts. It uses an algorithm that makes efficient use of network bandwidth.
    Availability: anonymous ftp at suburbia.apana.org or minnie.cs.adfa.oz.au or at COAST

  • TCP Wrapper --- Allows a Unix System Administrator to control access to various network services through the use of access control lists. It also provides logging information of wrapped network services which may be used to prevent or monitor network attacks.
    Availability: anonymous ftp at ftp.win.tue.nl or at COAST
    Additional Info: TCP Wrapper (link removed)

  • Tcpdump --- It captures and dumps protocol packets to monitor or debug a network.
    Availability: anonymous ftp at ftp.ee.lbl.gov or at COAST

  • Traceroute -- Traceroute traces the route IP packets take from the current system to a destination system.
    Availability: anonymous ftp at ftp.psc.edu or at COAST

  • Xinetd --- It's a replacement for inetd which has extensive logging and access control capabilities for both TCP and UDP services.
    Availability: anonymous ftp at qiclab.scn.rain.com or at COAST
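
Detecting a port scan of the kind Scan-Detector, Klaxon and Courtney look for comes down to counting how many distinct services one source touches in a short time. The following is an added example written for this page, not code from any of those tools: it runs a sliding-window detector over a constructed list of connection attempts. The sample data, the threshold of five services and the sixty-second window are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample of connection attempts seen by a host: (epoch seconds,
# source address, protocol, destination port). Made up for this example, not
# the output of Scan-Detector, Klaxon or any other tool.
SAMPLE_EVENTS = [
    (1000, "10.0.0.5", "tcp", 21),
    (1001, "10.0.0.5", "tcp", 22),
    (1001, "10.0.0.5", "tcp", 23),
    (1002, "10.0.0.5", "tcp", 25),
    (1002, "10.0.0.5", "tcp", 79),
    (1003, "10.0.0.5", "tcp", 80),
    (1003, "10.0.0.5", "udp", 111),
    (1000, "10.0.0.9", "tcp", 25),   # a mail client reconnecting to one port
    (1020, "10.0.0.9", "tcp", 25),
    (1040, "10.0.0.9", "tcp", 25),
    (2000, "10.0.0.7", "tcp", 22),   # three ports spread over ten minutes
    (2300, "10.0.0.7", "tcp", 23),
    (2600, "10.0.0.7", "tcp", 80),
]


def detect_scans(events, threshold=5, window=60):
    """Return one alert per source that touches at least `threshold` distinct
    (protocol, port) services within any `window`-second span.

    Each alert is (source, first_ts, last_ts, sorted list of ports). A source
    is reported once per window so a scanner that keeps going does not flood
    the log; a host hammering a single port is not a scan and is ignored.
    """
    recent = defaultdict(deque)   # source -> deque of (ts, (proto, port))
    quiet_until = {}              # source -> time before which we stay silent
    alerts = []
    for ts, src, proto, port in sorted(events):
        q = recent[src]
        q.append((ts, (proto, port)))
        while q and q[0][0] < ts - window:   # drop events outside the window
            q.popleft()
        services = {svc for _, svc in q}
        if len(services) >= threshold and quiet_until.get(src, -1) <= ts:
            ports = sorted(p for _, p in services)
            alerts.append((src, q[0][0], ts, ports))
            quiet_until[src] = ts + window
    return alerts


def format_alert(alert):
    """Render an alert as a single syslog-style line."""
    src, first, last, ports = alert
    return "portscan from %s: %d ports in %ds (%s)" % (
        src, len(ports), last - first, ",".join(str(p) for p in ports))


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_EVENTS):
        print(format_alert(a))
```

Run as is, the sample flags only 10.0.0.5. The slow scanner 10.0.0.7 slips through a sixty-second window and is only caught when the window is widened; that trade-off between window length and memory per source is the tuning knob in every detector of this type, and a scanner that spreads probes across many source addresses defeats per-source counting altogether.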

System Monitoring Tools

Below is a list of programs that help check the security of a system.

  • COPS --- COPS (Computer Oracle and Password System) is a security program that tries to identify security risks on a Unix system. It checks for empty passwords in /etc/passwd, world-writable files, misconfigured anonymous ftp and many others.
    Availability: anonymous ftp at ftp.cert.org or at COAST

  • Lsof --- lsof displays all open files on a UNIX system.
    Availability: anonymous ftp at vic.cc.purdue.edu or at COAST

  • Merlin --- Merlin is an interface to five popular security packages (COPS 1.04, TAMU Tiger 2.2.3, Crack 4.1, Tripwire 1.2, and SPI 3.2.2) to make it easier to analyze and manage the data.
    Availability: anonymous ftp at ciac.llnl.gov (link removed)
    Additional Info: Merlin Information (link removed)

  • Swatch --- Swatch is a package used to monitor and filter log files and execute a specified action depending on the pattern found in the log.
    Availability: anonymous ftp at ee.stanford.edu or at COAST

  • Tripwire --- Monitor for changes in system binaries and configuration files. It is a static file integrity checker utilizing many hash algorithms including MD5.
    Availability: anonymous ftp at COAST
    Additional Info: Tripwire

  • TTY-Watcher --- TTY-Watcher monitors, logs and interacts with all of the tty devices on a system.
    Availability: anonymous ftp at COAST
    Additional Info: TTY-Watcher

  • Tiger --- Checks for known security vulnerabilities of Unix workstations. It is similar to Cops with many extensions.
    Availability: anonymous ftp at net.tamu.edu or at COAST
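
A Tripwire-style integrity checker takes a baseline of file digests and attributes and later reports what differs. The following is an added example, not Tripwire's own code: it builds its sample tree in a temporary directory, records size, permission bits and digests, tampers with the tree the way an intruder might, and diffs. The choice of MD5 plus SHA-256 and the sample file contents are assumptions made for the example.

```python
import hashlib
import os
import stat
import tempfile


def hash_file(path, algos):
    """Hash a file once, feeding every algorithm from the same read."""
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def build_baseline(root, algos=("md5", "sha256")):
    """Walk `root` and record size, permission bits and digests of every
    regular file, keyed by path relative to root. Symlinks and device nodes
    are skipped (lstat, not stat, so a symlink is never followed)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode),
                             **hash_file(path, algos)}
    return baseline


def compare(baseline, current):
    """Report files added, removed, or whose size, mode or any digest changed."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed sample tree (not a real system): take a baseline, tamper
    with it, and return (baseline, current, report)."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        write("bin/login", b"ELF-login-v1\n")
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        before = build_baseline(root)

        write("bin/login", b"ELF-login-v2\n")      # trojaned: same size, new content
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n"
                            b"toor:x:0:0::/:/bin/sh\n")  # extra uid-0 account
        write("bin/rootkit", b"#!/bin/sh\n")           # new file
        os.remove(os.path.join(root, "etc/hosts"))      # deleted file
        after = build_baseline(root)
        return before, after, compare(before, after)


if __name__ == "__main__":
    _, _, report = demo()
    for kind, paths in report.items():
        for p in paths:
            print("%-8s %s" % (kind, p))
```

The trojaned login binary keeps its size, so a checker that compared only sizes and timestamps would miss it; the digests catch it. Two points a practitioner wants stated: the baseline and the checker itself must live on read-only media or off the host, since an intruder with root can otherwise regenerate them, and MD5 is no longer collision-resistant, which is one reason to record more than one digest per file.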

Others


Mailing Lists

  • Academic Firewalls --- This is a list based out of Texas A&M. It tries to deal with firewalling issues as they relate to the special circumstances that universities face. It has very little traffic and is generally cross posted to the Firewalls group so it is not vital to subscribe. Send e-mail to majordomo@net.tamu.edu with "subscribe academic-firewalls" in the first line of the body.

  • Bugtraq --- My favorite list name... Bugtraq members discuss the various bugs and glitches in various OSes and the security implications that go along with them. To join, send e-mail to listserv@netspace.org with "subscribe bugtraq" in the first line of the body.

  • 8lgm Mailing List --- This list is for *detailed* discussion of security holes: what they are, how to exploit, and what to do to fix them. The mailing list is only used for mailing advisories, there is no 'junk mail'. Send e-mail to 8lgm-list-request@8lgm.org with "subscribe" in the first line of the body.

  • Intrusion Detection Systems Mailing List --- The list is a forum for discussions on topics related to development of intrusion detection systems. Send email to majordomo@uow.edu.au with "subscribe ids" in the first line of the body.

  • CERT --- This clearing house for security information hails from the fine folks at Carnegie-Mellon and is in the forefront of issuing warnings and advisories to the Internet community on every thing from break-ins to new cracker tools and methods. Of all lists you can get hooked up with, THIS ONE IS THE MOST IMPORTANT! Send e-mail to info@cert.org or read the comp.security.announce newsgroup.

  • CIAC-BULLETIN --- Funded and maintained by the Department of Energy, this list sends out updates and emergency notices concerning network security, especially if the government is impacted. They support several other mailings but those are limited to government agencies. Send email to ciac-listproc@llnl.gov with "subscribe CIAC-BULLETIN last-name first-name phone-number" in the first line of the body. Also check out their Web site at ciac.llnl.gov.

  • Firewalls --- This is an e-mail mailing list that talks about firewalls and related issues. If you have questions or ideas this is a good forum to bring them up in. Send e-mail to majordomo@greatcircle.com with "subscribe firewalls" or "subscribe firewalls-digest" in the first line of the body. If you would rather look through the firewalls-digest files with your Web browser then click here.

  • Firewalls-UK -- This is a list devoted to firewall issues in the UK. Send e-mail to majordomo@gbnet.net with "subscribe firewalls-uk" in the first line of the body.

  • Socks --- Not that lovable White House cat, but a mailing list that deals with the SOCKS proxy. If you have questions about socks-ifying applications to run with your firewall this is a great source for getting that help. Most of the assistance is carried on off the list so post your plea and someone is bound to respond. Send e-mail to majordomo@syl.dl.nec.com with "subscribe socks" in the first line of the body.

  • WWW-Security --- This list focuses on the security issues surrounding the development of HTTP. It is not a help list for HTTP; if you wrote nicely to someone on the list and begged for help it might work, but otherwise the purpose is to help come up with a more secure HTTP. Send e-mail to majordomo@rutgers.edu with "subscribe www-security" in the first line of the body.

  • Best-of-Security --- There is no discussion on this list, just announcements and information that show up in most of the other groups. Send e-mail to best-of-security-request@suburbia.net with "subscribe best-of-security" in the first line of the body.

  • Legal Aspects of Computer Crime --- This list has been created in an attempt to mitigate the lack of tangible resources available to people involved with computer crime. It is hoped that by bringing together knowledgeable people in the relevant fields with para-legal personnel and informed lay persons, information and resources relevant to the difficult task of analyzing, presenting in court, or otherwise dealing with computer crime law and computer crimes may be shared and intelligent discussion stimulated. Send e-mail to lacc-request@suburbia.net with "subscribe lacc" in the first line of the body.

  • WWW Proxy Mailing List --- Send e-mail to www-proxy-request@info.cern.ch with "subscribe www-proxy YourName" in the first line of the body.

  • BIND Mailing List --- List for the BIND name server software. Send e-mail to bind-request@uunet.uu.net with "subscribe bind" in the first line of the body.

  • TIS Firewall-users Mailing List --- List for the TIS Firewall Toolkit users. Send e-mail to fwall-users-request@tis.com with "subscribe fwall-users" in the first line of the body.

  • SKey-users Mailing List --- List for porting, usage, and maintenance discussions of the S/Key single use password system. Send e-mail to skey-users-request@thumper.bellcore.com with "subscribe skey-users" in the first line of the body.

  • Netscape Secure Sockets Layer Mailing List --- If you have technical questions about SSL or SSLRef, please send email. Send e-mail to ssl-talk-request@netscape.com with "subscribe ssl-talk" in the first line of the body.

  • Sneakers Mailing List --- the Internet Wide Area "Tiger Teamers" mailing list. Send E-Mail to Sneakers-Request@CS.Yale.EDU with the word "Subscribe" in the body (not the Subject) of the message.

Newsgroups


Conferences


Frequently Asked Questions (FAQ)


Credits for this resource

  • Compiled by Steve Lodin
  • Maintained by The COAST Project
  • Thanks to CIAC, LLSI, and NIH