Security guide: Firewall best practice

Firewall terminology

Before we look at specific firewall designs, let's run through some basic firewall terminology you should become familiar with:

  • Gateway: A gateway is usually a computer that acts as a connector from a private network to another network, usually the Internet or a WAN link. A firewall gateway can transmit information from the internal network to the Internet, in addition to defining what should and should not be able to pass between the internal network and the Internet.

  • Network Address Translation (NAT): NAT hides the internal addresses from the external network (Internet) or outside world. If your firewall is using NAT, all internal addresses are translated to public IP addresses when leaving the internal network, thus concealing their original identity.

  • Proxy servers: A proxy server replaces the network's IP address and effectively hides the actual IP address from the rest of the Internet. Examples of proxy servers include Web proxies, circuit level gateways, and application level gateways.

  • Packet filtering firewall: This is a simple firewall solution that is usually implemented on routers that filter packets. The headers of network packets are inspected when going through the firewall. Depending on your rules, the packet is either accepted or denied. Because most routers can filter packets, this is an easy way to quickly configure firewall rules to accept or deny packets. However, it's difficult for a packet filtering firewall to differentiate between a benign packet and a malicious packet.

  • Screening router: This is a packet filtering router that contains two network interface cards. The router connects two networks and performs packet filtering to control traffic between the networks. Security administrators configure rules to define how packet filtering is done. This type of router is also known as an outside router or border router.

  • Application level gateway: This type of gateway allows the network administrator to configure a more complex policy than a packet filtering router. It uses a specialised program for each type of application or service that needs to pass through the firewall.

  • Bastion host: A bastion host is a secured computer that allows an untrusted network (such as the Internet) access to a trusted network (your internal network). It is typically placed between the two networks and is often referred to as an application level gateway.

  • Demilitarised zone (DMZ): A DMZ sits between your internal network and the outside world, and it's the best place to put your public servers. Examples of systems to place on a DMZ include Web servers and FTP servers.

Screening router

A screening router is one of the simplest firewall strategies to implement. This is a popular design because most companies already have the hardware in place to implement it. A screening router is an excellent first line of defense in the creation of your firewall strategy. It's just a router that has filters associated with it to screen outbound and inbound traffic based on IP address and UDP and TCP ports. Figure A shows an example of a screening router.

Figure A: Screening router firewall

If you decide to implement this strategy, you should have a good understanding of TCP/IP and how to create filters correctly on your router(s). Failure to implement this strategy properly can result in dangerous traffic passing through your filters and onto your private LAN. If this is your only device, and a hacker is able to pass through it, he or she will have free rein. It's also important to note that this type of configuration doesn't hide your internal network IP addresses and typically has poor monitoring and logging capabilities.

If you have little or no money to spend and need a firewall configuration quickly, this method will cost you the least amount of money and will let you use existing routers. It's an excellent start to your firewall strategy and is a good device to use on networks that use other security tools as well.

Screened host firewalls

A screened host firewall configuration uses a single-homed bastion host in addition to a screening router. This design uses packet filtering and the bastion host as security mechanisms and incorporates both network- and application-level security. The router performs the packet filtering, and the bastion host performs the application-level security. This is a solid design, and an attacker must penetrate both the router and the bastion host to compromise your internal network.

Also, by using this configuration as an application gateway (proxy server), you can hide your internal network configuration by using NAT. Figure B shows an example of this firewall design.

Figure B: Screening router with bastion host

In this design, all incoming and outgoing traffic passes through the bastion host. When traffic reaches the screening router, the router forwards it to the bastion host before it can pass to the internal network.
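As an added example that is not part of the original article, the following Python models the first-match filter a screening router applies in the screened host design described above: packets are accepted or denied on interface, protocol, addresses and port alone, and anything not explicitly allowed is dropped. The addresses, interface names and the ports permitted to the bastion host are assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses (assumptions): bastion host on the screened segment, internal LAN range.
BASTION = "192.0.2.10"
INTERNAL_LAN = "10.0.0.0/8"

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "deny"
    iface: Optional[str] = None   # None in any field means "match anything"
    proto: Optional[str] = None
    src: Optional[str] = None     # CIDR network
    dst: Optional[str] = None     # CIDR network (a bare address is a /32)
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport

# First-match rules for the screened host design: the Internet may reach only the
# bastion host, the LAN may send only to the bastion host, and packets arriving
# from outside with an internal source address are dropped first (anti-spoofing).
RULES = [
    Rule("deny", iface="ext", src=INTERNAL_LAN),
    Rule("accept", iface="ext", proto="tcp", dst=BASTION, dport=80),
    Rule("accept", iface="ext", proto="tcp", dst=BASTION, dport=443),
    Rule("accept", iface="int", src=INTERNAL_LAN, dst=BASTION),
]

def screen(p: Packet, rules=RULES) -> str:
    # Return the action of the first matching rule; no match means default deny.
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"
```

Note that the filter sees only headers: a connection to port 443 on the bastion host is accepted whether or not its payload is hostile, which is exactly why the bastion host's application-level controls sit behind it.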

You can go one step further by creating a dual-homed bastion host firewall. This configuration has two network interfaces and is secure because it creates a complete physical break in your network. Figure C shows an example of this firewall design.

Figure C: Screening router with dual-homed bastion host


Talkback: 1 comment

    Josephine Thorpe -- 12/03/02

    Hello,

    I am starting to hear a lot about NetScreen, and via the web, NetScreen features alongside Cisco PIX.
    Can you run something to update readers about NetScreen, perhaps run an unbiased feature on NetScreen versus other firewalls with VPN, etc.?

    Many thanks,
    Josephine
