Hi everyone, Ed Amoroso here. I want to tell you a little story that will motivate our topic for this video, which is firewalls. Back in the late '80s, there was a worm that bounced around. I think I've discussed a little bit of this in other videos you may have seen. It's called the Morris Worm. The thing was bouncing all over the Internet. It was trying, in some sense, to test, but the designer, a young man at the time, had miscoded it, and the thing started taking down companies and infrastructure; it just cascaded in all kinds of ways. But one thing that was sort of interesting is that where I was working at the time, Bell Laboratories, the worm didn't get in; it was like there was something that had stopped it. At that time, I was doing cyber security. We didn't call it that; it was computer security. I wanted to know how come it didn't get in. What is it that we were doing? I met these two wonderful people: Steve Bellovin, who is now a professor at Columbia, and Bill Cheswick, whom a lot of people refer to as, in some sense, the father of the firewall. These guys had written some software that basically would sit at the gateway to Bell Labs, inspecting the inbound packets that were coming in and making decisions about them. It was the embryonic beginnings of firewalls at the enterprise. It's an interesting concept.

Years later, I was writing my textbook. I wrote my first textbook in cyber security in 1993. There's actually a funny story here. I sent it to the publisher, a popular publisher at the time called Prentice Hall. I sent them a proposal. I said, "I've been teaching. I've got a textbook," a big, fat thing, 400 and something pages, without even a publisher. I liked it, and I sent it as a proposal. Here's what they said.
So, in 1992, they said, "Well, there are already two books on cyber security, one that had been written in 1986 and another that had been written in 1989. Dorothy Denning and Morrie Gasser had written something, and Chuck Pfleeger was also working on a book, so there were like three books." It was like, "Do we really need three books in cyber security?" I remember saying, "I think this might be a growing area." I kind of talked them into it. So, my first book came out. It's called Fundamentals of Cyber Security Technology. Don't go buy it; it's out of print. But the reason I tell the story is because around the time I was writing the book, Cheswick and Bellovin, the two people I've just mentioned, were writing a book on firewalls, and we kind of compared notes. I loved their book. My book, graduate students bought it; I don't think anybody else bought it. Well, some did. It was in print. It was in print until recently. But at any rate, their book was on firewalls, and it was one of the most popular, successful books ever. But get this: they were kind enough, or just by accident, they liked what I was doing and they referenced it in their book. So they had maybe 20 references, and I was one of them. I did more sales because they referenced my book. But whatever, their book was on firewalls.

Here's what they did. They came up basically with a definition that I think has stood the test of time. Here's what they say. Basically, five things define a firewall. The first thing is that it's going to separate two or more networks. So, you're going to use firewalls between networks as a separation point, and usually administered by one of them; we'll get to that in a second. Second is that it enforces policy. So, somebody decides somewhere what the darn thing is going to do, what it lets through, what it doesn't let through. So that's the second. The third is that some network administrator is going to take care of this.
It's going to be administered, but generally by one or the other of the networks, though not always; sometimes an ISP might sit in the middle and do some arbitration between networks, but for the most part it's administered by one or the other. Fourth is that you can't tamper with this thing. So it has to be bulletproof. The most difficult requirement, the thing that has just been almost impossible to deal with, is the problem of making sure that it can't be bypassed. That has just turned out to be the most difficult requirement in firewall design, firewall implementation, firewall deployment: this idea that you're going to put it in place and you can't go around it.

Now, think about how silly that is, probably where you are right now, if you're at school, say, watching these videos, or you're in the office watching these videos. Let's say at work somebody decides at a gateway that you can't look at Facebook, for whatever reason, because they don't want you to be distracted by being on Facebook. Well, what are you going to do? Reach in your pocket, grab your smartphone, and go on Facebook. You go right around the local area network gateway that's imposing policy to keep you from being distracted, but you distract yourself with your phone. Do you follow? I think it's easy to get around these things, and it's turned out to be just spectacularly difficult to impose uniform policies across large groups of people using firewalls. But I get ahead of myself; I still have to spend time with you explaining how these things work. In some subsequent videos, we'll start establishing rules, building access policies. I'll show you exactly how it works. We'll do it more or less for routers, but it all works the same way for any device that takes rules and makes decisions about what's allowed and what's not. So, we'll see you on the next video.
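As an added example (not part of the lecture or the Cheswick and Bellovin book), a small Python model of the definition above: one gateway separates an inside network from everything else, enforces an ordered, default-deny policy, and, for the bypass requirement, only ever sees traffic that actually traverses it. All addresses, the "social media" destination range and the path labels are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: an inside LAN behind one gateway firewall (assumed ranges).
INSIDE = ip_network("10.0.0.0/24")
ANY = ip_network("0.0.0.0/0")
# Stand-in for the blocked site from the lecture's Facebook example (documentation range).
BLOCKED_SITE = ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    path: str  # "gateway" if it traverses the firewall, e.g. "cellular" if it does not


# Property 2, "enforces policy": an ordered rule list, first match wins, default deny.
# Each rule: (action, source network, destination network, destination port or None=any).
RULES = [
    ("deny", INSIDE, BLOCKED_SITE, None),  # the distracting site, any port
    ("allow", INSIDE, ANY, 443),           # outbound HTTPS
    ("allow", INSIDE, ANY, 80),            # outbound HTTP
]


def decide(pkt: Packet) -> str:
    """Apply the policy to one packet that the gateway sees."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for action, src_net, dst_net, port in RULES:
        if src in src_net and dst in dst_net and (port is None or port == pkt.dport):
            return action
    return "deny"  # property 1/2: nothing crosses the separation point unless allowed


def outcome(pkt: Packet) -> str:
    """Property 5, 'cannot be bypassed': the policy applies only to traffic that reaches
    the chokepoint. A phone on a cellular path never presents its packets to the gateway,
    so the policy is never consulted; the model reports that as 'unfiltered'."""
    if pkt.path != "gateway":
        return "unfiltered"
    return decide(pkt)


def audit(pkts) -> dict:
    """Count outcomes over a batch; a non-zero 'unfiltered' count is the gap to look for."""
    counts: dict = {}
    for pkt in pkts:
        counts[outcome(pkt)] = counts.get(outcome(pkt), 0) + 1
    return counts
```

Running `audit` over a mixed batch shows that the gateway policy is complete for the paths it controls and says nothing at all about the path it does not.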