3.6    Firewall configurations

A firewall configuration is an arrangement of packet filters and application gateways. In theory, there are many possibilities for combining these components. In practice, however, there are only three firewall configurations that are deployed: dual-homed firewall, screened host firewall, and screened subnet firewall. These configurations are overviewed and briefly discussed next.

3.6.1    Dual-homed firewall

In TCP/IP parlance, the term multihomed host refers to a host with multiple network interfaces. Usually, each network interface is connected to a separate network segment, and the multihomed host can typically forward or route IP packets between these network segments. If, however, IP forwarding and IP routing are disabled on the host, it provides isolation between the network segments and may be used in a firewall configuration accordingly. To disable IP routing is usually a relatively simple and straightforward task. It basically means to turn off any program that might be advertising the host as a router. To disable IP forwarding is considerably more difficult and may require modifying the operating system kernel. Fortunately, a number of operating system vendors provide a simple possibility to modify the kernel and to turn off IP forwarding accordingly.

A dual-homed host is a special case of a multihomed host, namely, one that has exactly two network interfaces. Again, IP routing and IP forwarding can be disabled to provide isolation between the two network segments the dual-homed host physically interconnects.

As illustrated in Figure 3.1, a simple dual-homed firewall configuration may consist of a dual-homed host that serves as a bastion host. IP routing and IP forwarding are disabled so that IP packets can no longer be routed or forwarded between the two network interfaces. Consequently, data can only be transferred from one network interface to the other if there is an application-level gateway (or proxy) process to do it. Note that Figure 3.1 is simplified in the sense that the routers are not shown (they are assumed to be part of the intranet and Internet environments). In contrast, Figure 3.2 shows a more detailed configuration of a dual-homed firewall. In this configuration, the bastion host's external network interface is connected to an outer network segment and the bastion host's internal network interface is connected to an inner network segment: [17]


Figure 3.1: A simple dual-homed firewall configuration.

Figure 3.2: A more realistic configuration of a dual-homed firewall.

  • The outer network segment is connected with a screening router to the Internet. [18] The aim of the screening router is to ensure that any outbound IP packet carries the IP address of the bastion host as its source IP address, and that any inbound IP packet carries the IP address of the bastion host as its destination IP address. The packet-filtering rules must be configured accordingly.

  • Similarly, the inner network segment hosts a screening router that is interconnected to the intranet. The aim of this screening router is to make sure that any outbound IP packet carries the IP address of the bastion host as its destination IP address, and that any inbound IP packet carries the IP address of the bastion host as its source IP address. Again, the packet-filtering rules must be configured accordingly.
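The two screening-router policies of Figure 3.2, written out as a small stateless packet filter. This is an added example, not code from the book; the addresses, the `Packet` type and the helper names are constructed for illustration.

```python
from ipaddress import ip_address
from typing import NamedTuple

# Constructed addresses (not from the book): the bastion host of Figure 3.2 has one
# interface on the outer segment and one on the inner segment.
BASTION_OUTER = ip_address("203.0.113.10")  # interface facing the outer segment
BASTION_INNER = ip_address("10.0.0.10")     # interface facing the inner segment


class Packet(NamedTuple):
    src: str
    dst: str
    # "outbound" = travelling toward the Internet, "inbound" = toward the intranet
    direction: str


def outer_router_permits(pkt: Packet) -> bool:
    """Screening router between the outer segment and the Internet.
    Outbound packets must carry the bastion host as source, inbound packets
    must carry it as destination; everything else is dropped (default deny)."""
    if pkt.direction == "outbound":
        return ip_address(pkt.src) == BASTION_OUTER
    if pkt.direction == "inbound":
        return ip_address(pkt.dst) == BASTION_OUTER
    return False


def inner_router_permits(pkt: Packet) -> bool:
    """Screening router between the inner segment and the intranet.
    Outbound packets (leaving the intranet) must be addressed to the bastion
    host, inbound packets (entering the intranet) must originate from it."""
    if pkt.direction == "outbound":
        return ip_address(pkt.dst) == BASTION_INNER
    if pkt.direction == "inbound":
        return ip_address(pkt.src) == BASTION_INNER
    return False


def audit(router, packets):
    """Apply one router's policy to a packet list; returns (packet, verdict) pairs."""
    return [(p, "permit" if router(p) else "drop") for p in packets]


# Constructed test traffic for the outer router.
OUTER_SAMPLES = [
    Packet("203.0.113.10", "198.51.100.5", "outbound"),  # bastion proxy -> Internet: permit
    Packet("10.0.0.42", "198.51.100.5", "outbound"),     # intranet host going direct: drop
    Packet("198.51.100.5", "203.0.113.10", "inbound"),   # Internet -> bastion proxy: permit
    Packet("198.51.100.5", "10.0.0.42", "inbound"),      # Internet -> intranet host: drop
]

if __name__ == "__main__":
    for pkt, verdict in audit(outer_router_permits, OUTER_SAMPLES):
        print(f"{pkt.direction:8} {pkt.src:>14} -> {pkt.dst:<14} {verdict}")
```

Because both routers accept only packets that name the bastion host, a packet that tries to travel intranet-to-Internet (or back) without passing a proxy on the bastion host is dropped at whichever router it reaches first.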

In the firewall configuration illustrated in Figure 3.2, the outer network segment can be used to host server systems that are intended to be publicly accessible, such as public Web servers, DNS servers with public information, and access servers for other networks (e.g., modem pools for the PSTN or ISDN). This is common practice to make server systems and corresponding services publicly available and accessible from the Internet.

It is fairly obvious that the bastion host (and the application gateways running on it) can be replicated an arbitrary number of times in a dual-homed firewall configuration (e.g., to improve performance). The resulting configuration is sometimes also called a parallel dual-homed firewall. It may consist of several bastion hosts that are all connected to the same inner and outer network segments.

The dual-homed firewall is a simple and highly secure firewall configuration. The security originates from the fact that all data must pass an application gateway to get from one network interface of the bastion host to the other. There is no possibility of bypassing the bastion host or its application gateways. There are, however, also several disadvantages that are important in practice, and that should be considered with care accordingly:

  • Performance is a problem because the bastion host may become a bottleneck (note that all data must pass the bastion host).

  • The bastion host represents a single point of failure. If it crashes, Internet connectivity is also lost.

  • There are some practical problems related to TCP/IP application protocols with no proxy support (e.g., proprietary protocols). In this case, the dual-homed firewall configuration turns out to be rather inflexible, and this inflexibility could turn out to be disadvantageous.

In summary, the dual-homed firewall configuration is secure but rather inflexible. Contrary to this, the screened host and screened subnet firewall configurations discussed next are more flexible but less secure. Consequently, where throughput and flexibility are important or required, these configurations may be the preferable choices.

3.6.2    Screened host firewall

As illustrated in Figure 3.3, a screened host firewall configuration basically consists of a screening router that interconnects the intranet to the Internet, and a bastion host that is logically situated on the intranet. Contrary to the bastion host of a dual-homed firewall, the bastion host of a screened host firewall is single-homed, meaning that it has only one network interface that interconnects it with an internal network segment (i.e., a network segment that is part of the intranet).


Figure 3.3: A simple configuration of a screened host firewall.

In a screened host firewall configuration, the screening router has to make sure that IP packets destined for intranet systems are first sent to an appropriate application gateway on the bastion host. If a specific TCP/IP application protocol is assumed to be secure, the screening router can also be configured to bypass the bastion host and to send the corresponding IP packets directly to the destination system. For very obvious reasons, this possibly increases flexibility but also decreases security.

Similar to the dual-homed firewall configuration, the bastion host and its application gateways can also be replicated an arbitrary number of times in the screened host firewall configuration. In fact, this is likely to be the preferred configuration, as different application gateways are typically running on different hosts (all of them representing bastion hosts for the applications they serve as a gateway).

In summary, the screened host firewall configuration is very simple and straightforward. As compared with the dual-homed firewall configuration, it is more flexible but also potentially less secure. This is because the bastion host can be bypassed (i.e., by configuring the screening router that interconnects the intranet and the Internet accordingly). Due to the dual-homed nature of the bastion host, this is not possible in the dual-homed firewall configuration.

3.6.3    Screened subnet firewall

As illustrated in Figure 3.4, a screened subnet firewall configuration basically consists of a subnet that is screened by a single-homed bastion host. The outer screening router has to make sure that all (or at least most) data pass an application gateway running on a bastion host. Consequently, the bastion host screens the subnet located between the outer and the inner screening router, and this screened subnet is sometimes also referred to as a demilitarized zone (DMZ). [19] Similar to the other configurations discussed thus far, the bastion host can be replicated an arbitrary number of times in a screened subnet firewall configuration. Each bastion host may provide a specific service. In fact, the resulting separation of servers and services is an interesting feature from a security point of view. A screened subnet firewall configuration with multiple bastion hosts is illustrated in Figure 3.5.


Figure 3.4: A screened subnet firewall configuration.

Figure 3.5: A screened subnet firewall configuration with multiple bastion hosts.

Note that the two screening routers provide redundancy in that an attacker would have to subvert both routers in order to access intranet systems. Also note that the bastion host and the additional servers on the DMZ could be set up to be the only systems seen from the Internet; no other system name would be known or used in a DNS database that is made accessible to the outside world.

A screened subnet firewall configuration can be made more flexible by permitting certain services to pass around the bastion host and the corresponding application gateways. As an alternative to passing services directly between the intranet and Internet, one may also place the systems that need these services directly on the screened subnet. In fact, this would be the preferred configuration but is not always possible (e.g., if the placement of the systems on the screened subnet represents an unacceptable tradeoff between security and functionality). Again, we refer to the importance of policy.

In summary, the screened subnet firewall configuration is flexible and provides a reasonable level of security. As such, it has been the firewall configuration of choice for many network security professionals in the past.

[17] In some literature, the outer network segment is labeled red and the inner network segment is labeled blue to refer to their different sensitivity and security status.

[18] Consequently, this router serves as an access router.

[19] The DMZ is named after the strip of no-man's-land between North and South Korea.


Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
Year: 2003
Pages: 142
Authors: Rolf Oppliger