Summary

This chapter covered some of the firewall options available when you're protecting a LAN. Security policies are defined relative to the site's level of security needs, the importance of the data being protected, and the cost of lost data or privacy. Starting with the bastion firewall developed in Chapter 4 as the basis, LAN and firewall setup options were discussed in increasingly complex configurations.

The major emphasis in this chapter was to use the firewall example from Chapter 4 as the basis to develop a formal, elaborate, textbook type of firewall. The bastion became a forwarding gateway firewall with two network interfaces: one connected to the Internet and one connected to a perimeter network, or DMZ. Public Internet services were offered from machines in the DMZ network. A second firewall, a choke firewall, was also connected to the DMZ network, separating the internal, private LAN from the quasi-public server machines in the perimeter network. Private machines were protected behind the choke firewall on the internal LAN. The choke firewall protected any other machine in the perimeter network.

Some services, such as IRC or RealAudio, do not lend themselves to packet filtering because of their application communication protocols, such as requiring incoming connections from the server or multiple client/server exchanges over both TCP and UDP. These types of services require additional help from application-level proxies.