Firewall Strategies
A firewall is a system that enforces access control policies. The enforcement is done between an internal, or "trusted", network and an external, or "untrusted", network. The firewall can be as advanced as your standards require. Firewalls are commonly used to shield internal networks from unauthorized access via the Internet or another external network.

Logical Construction
The single basic function of a firewall is to block unauthorized traffic between a trusted system and an untrusted system. This process is normally referred to as filtering. Filtering can be viewed as either permitting or denying traffic access to a network.

Firewalls know what traffic to block because they are configured with the proper information. This information is known as an Access Control Policy. The proper approach to an access control policy will depend on the goals of the network security policy and the network administrator.

Exploring Firewall Types
In the origins of firewalls, there were two types. These two types have now grown and overlapped each other to the point where the distinction is hard. We will explore the differences between these two types and discuss firewall building topologies.

Network Level Firewalls
Network level firewalls operate at the IP packet level. Most of these have a network interface to the trusted network and an interface to the untrusted network. They filter by examining and comparing packets to their access control policies, or ACLs.

Network level firewalls filter traffic based on any combination of source and destination IP, TCP port assignment and packet type. Network level firewalls are normally specialized IP routers. They are fast and efficient and are transparent to network operations. Today's network level firewalls have become more and more complex. They can hold internal information about the packets passing through them, including the contents of some of the data. We will be discussing the following types of network level firewalls:
* Bastion Host
* Screened Host
* Screened Subnet
Bastion Host Firewall
Bastion hosts are probably one of the most common types of firewalls. The term bastion refers to the old castle structures used in Europe, mainly for drawbridges.

The bastion host is a computer with at least one interface to the trusted network and one to the untrusted network. When access is granted to a host from the untrusted network by the bastion host, all traffic from that host is allowed to pass unbothered. In a physical layout, bastion hosts normally stand directly between the inside and outside networks, with no other intervention. They are normally used as part of a larger, more sophisticated firewall.

The disadvantages to a bastion host are:
- After an intruder has gained access, he has direct access to the entire network.
- Protection is not advanced enough for most network applications.

Screened Host Firewall
A more sophisticated network level firewall is the screened host firewall. This firewall uses a router with at least one connection to the trusted network and one connection to a bastion host. The router serves as a preliminary screen for the bastion host. The screening router sends all IP traffic to the bastion host after it filters the packets. The router is set up with filter rules. These rules dictate which IP addresses are allowed to connect, and which ones are denied access. All other packet scrutiny is done by the bastion host. The router decreases the amount of traffic sent to the bastion host and simplifies the bastion's filtering algorithms.

The physical layout of a screened host is a router with one connection to the outside network, and the other connection to a bastion host. The bastion host has one connection to the router and one connection to the inside network.

Disadvantages to the screened host are:
- The single screened host can become a traffic bottleneck.
- If the host system goes down, the entire gateway is down.

Screened Subnet Firewalls
A screened subnet uses one or more additional routers and one or more additional bastion hosts. In a screened subnet, access to and from the inside network is secured by using a group of screened bastion host computers. Each of the bastion hosts acts as a drawbridge to the network.

The physical layout of a screened subnet is somewhat more difficult, but the result is a more secure, robust environment. Normally, there is a router with one connection to the outside network and the other connection to a bastion host. The bastion host has one connection to the outermost router and one connection to another bastion host, with an addressable network in the middle. The innermost bastion host has one connection to the outermost bastion and another connection to an inside router. The inside router has one connection to the inner bastion host and the other connection to the inside network. The result of this configuration is that the security components are normally never bogged down with traffic and all internal IP addresses are hidden from the outside, preventing someone from "mapping" your internal network.

Disadvantages to using this type of firewall are:
- They can be two or three times more expensive than other types of firewalls.
- Implementation must be done by some type of security professional, as these types of firewalls are not for the uninitiated.

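As an added example (not part of the original paper), the following Python models the packet filtering described above: an access control list matched on source and destination IP, TCP port and packet type, applied as the filter rules of a screened subnet's outer screening router and inside router. The address plan and all addresses are constructed for the illustration; rules are evaluated first match wins, with an implicit deny when nothing matches.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the illustration (not from the paper).
ANY = "0.0.0.0/0"
INSIDE_NET = "10.0.0.0/8"            # trusted network behind the inside router
OUTER_BASTION = "203.0.113.10/32"    # bastion facing the untrusted network
INNER_BASTION = "192.0.2.10/32"      # bastion facing the inside router

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # packet type: "tcp", "udp" or "icmp"
    dport: int = 0   # destination port; 0 where the protocol has none

@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    src: str         # CIDR network the source address must fall in
    dst: str         # CIDR network the destination address must fall in
    proto: str = "any"
    dport: int = 0   # 0 matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (0, pkt.dport))

def filter_packet(acl, pkt: Packet) -> str:
    """First matching rule decides; a packet matching no rule is denied."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Outer (screening) router: drop packets claiming an internal source address,
# then admit only the services the outer bastion is meant to handle.
OUTER_ROUTER_ACL = [
    Rule("deny", INSIDE_NET, ANY),
    Rule("permit", ANY, OUTER_BASTION, "tcp", 25),
    Rule("permit", ANY, OUTER_BASTION, "tcp", 80),
]

# Inside router: only the inner bastion may send traffic into the trusted network,
# so nothing from the outside can reach an inside address directly.
INSIDE_ROUTER_ACL = [
    Rule("permit", INNER_BASTION, INSIDE_NET),
]
```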
Application Level Firewalls
Application level firewalls are hosts running proxy server software located between the protected network and the outside network. Keep in mind that even though Microsoft's product is called Proxy Server 2.0, it is actually a stand-alone bastion host type of system. Microsoft Proxy Server can also, single-handedly, disguise your internal network to prevent mapping. Microsoft Proxy Server 1.0 did not have many of the advanced features presented in version 2.0. The 1.0 version can definitely be called a true proxy server, while the 2.0 version is more of a firewall.

Viewed from the client side, a proxy server is an application that services network resource requests by pretending to be the target source. Viewed from the network resource side, the proxy server is accessing network resources by pretending to be the client. Application level firewalls also do not allow traffic to pass directly between the two networks. They are also able to use elaborate logging and auditing features. They tend to provide more detailed audit reports, but generally, as stand-alone security units, do not perform that well. Remember that an application level firewall is software running on a machine, and if that machine can be attacked effectively and crashed, in effect, you're crashing the firewall.

You may wish to use an application level firewall in conjunction with network level firewalls, as they provide the best all-around security.