The Firewall System


To paraphrase Shrek, the network perimeter is like an onion; it has lots of layers. Historically, a firewall has always been considered a device. It exists on the network perimeter (in many cases, it is the network perimeter) and is wholly responsible for controlling traffic entering and exiting a protected network. This philosophy is antiquated and no longer relevant.

Instead, a firewall should no longer be considered a device, but a system of devices that work in concert to control the flow of traffic into and out of a protected network. In doing so, the firewall system implements a layered design that eliminates the reliance on any one device to do all the filtering. This has the effect of eliminating many of the single points of failure that exist in traditional "firewall device"-based implementations.

The firewall system layers depend on whether a single- or dual-firewall architecture has been implemented.

Single-Firewall System

With a single-firewall architecture, the firewall system consists of the following layers:

  • External router

  • Network segment between the external router and firewall

  • DMZ segment

Figure 9-4 depicts this architecture.

Figure 9-4. Single Firewall System


At the outermost layer of the firewall system, the external router should be the first point of control for traffic entering (ingress filtering) and exiting (egress filtering) your network. The only traffic that should be allowed to traverse the router is traffic destined for the firewall or for resources being protected by the firewall. This serves two purposes. First, it makes it easier to monitor the traffic on the segment between the router and the firewall, because only traffic that should be delivered to the firewall should exist on that segment. Second, it protects the firewall from any nonpermitted traffic; if the firewall happens to be vulnerable to an exploit carried in that nonpermitted traffic, the router stops it before it ever reaches the firewall. Keep in mind that in addition to protecting the firewall and protected resources, the router itself should be hardened and protected to ensure that external threats are not able to target the router directly.

The network segment between the external router and the firewall is the first point for implementing intrusion detection and prevention systems (IDS/IPS). Because only explicitly permitted traffic should be allowed to traverse the router, the IDS/IPS can be configured to send an alarm any time it detects nonpermitted traffic. Such an alarm indicates that the filtering at the external router has somehow failed.

The firewall itself is the next layer, and it should be configured with ingress and egress filters that permit only the traffic required by protected resources on either the DMZ or the internal network segments. As previously mentioned, allowing traffic from external sources to reach the internal network should be prevented at all costs.

Resources in the DMZ segment should be protected by a combination of host-based firewalls and host- and network-based IDS/IPS. Such a setup enables you to permit or deny, at the server itself, exactly which traffic should be allowed. This effectively provides three separate and distinct filtering layers (the external router, the firewall, and the host itself) for maximum protection of the resources in the DMZ. In addition to host-based firewalls, Layer 2 security controls such as private VLANs and IDS/IPS can protect the servers in the DMZ from being accessed by other servers in the DMZ, helping to ensure that if one server is compromised, it cannot be used to reach another server in an open and unfiltered manner.

Finally, the internal network is protected by filtering at the external router and the firewall and includes IDS/IPS between the firewall and the internal network, allowing you to identify and monitor all traffic that comes from the firewall.
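As an added example (not from the book), the following Python model walks an ingress packet through the single-firewall layers just described and shows the IDS on the router-firewall segment alarming when the router's filtering fails; the addresses, rule sets and packet values are constructed for illustration.

```python
"""Model of the single-firewall 'firewall system': external router,
IDS on the router-firewall segment, the firewall, and host-based
firewalls on the DMZ servers. All addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def permitted(pkt, rules):
    """A rule is (proto, destination network, set of ports); any match permits."""
    return any(pkt.proto == proto and ip_address(pkt.dst) in ip_network(net)
               and pkt.dport in ports for proto, net, ports in rules)


# Constructed example: the DMZ is 203.0.113.0/24, the internal network 10.0.0.0/8.
# External router: only traffic bound for firewall-protected DMZ resources may cross.
ROUTER_INGRESS = [("tcp", "203.0.113.0/24", {80, 443}), ("udp", "203.0.113.0/24", {53})]
# Firewall: per-server rules; nothing from outside is permitted to internal hosts.
FIREWALL_INGRESS = [("tcp", "203.0.113.10/32", {80, 443}), ("udp", "203.0.113.20/32", {53})]
# Host-based firewalls: each DMZ server accepts exactly the service it runs.
HOST_RULES = {"203.0.113.10": [("tcp", "203.0.113.10/32", {443})],
              "203.0.113.20": [("udp", "203.0.113.20/32", {53})]}


def traverse(pkt, router_filter_works=True):
    """Walk an ingress packet through each layer.

    Returns (layer that dropped it, or 'delivered', IDS alarm flag).
    router_filter_works=False simulates the router passing traffic it should
    have filtered, which the IDS on the next segment exists to catch."""
    if router_filter_works and not permitted(pkt, ROUTER_INGRESS):
        return "external-router", False
    # IDS on the router-firewall segment: any packet the router should have
    # stopped means the outermost filter has failed, so raise an alarm.
    alarm = not permitted(pkt, ROUTER_INGRESS)
    if not permitted(pkt, FIREWALL_INGRESS):
        return "firewall", alarm
    host_rules = HOST_RULES.get(pkt.dst)
    if host_rules is None or not permitted(pkt, host_rules):
        return "host-firewall", alarm
    return "delivered", alarm
```

Note that a packet to the web server on port 80 passes the router and the firewall but is still dropped by the host-based firewall, which is the third filtering layer the text describes.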

Dual-Firewall System

With a dual-firewall architecture, the firewall system consists of the following layers:

  • External router

  • Network segment between external router and exterior firewall

  • Exterior firewall

  • DMZ segment

  • Interior firewall

Figure 9-5 depicts a dual-firewall system.

Figure 9-5. Dual-Firewall System


The only real physical difference with the dual-firewall system over the single-firewall system is the implementation of two firewalls. This setup provides for separate and distinct choke points in your network to control the flow of traffic, with the appropriate ingress and egress filtering on the exterior and interior firewalls.


Firewall Fundamentals
ISBN: 1587052210
Year: 2006
Pages: 147