Firewall Architecture

The most securely configured firewall in existence will not provide much protection if the network around it was not designed properly. For example, if the firewall is installed in an environment that allows an alternate network path that bypasses it, the firewall provides only a false sense of security. This is a firewall architecture error that renders the firewall useless. Thus, where the firewall is placed is every bit as important as how it is configured. The first step in installing anything is always planning. What follows in this article is a discussion of the most common firewall architectures, in increasing order of security.

Firewall Architecture: Screened Subnet

A screened subnet is the simplest and most common firewall architecture implementation. Most small businesses and homes use this type of firewall. This design places the firewall on the edge of your network, dividing everything (from the firewall’s point of view) into internal and external, with nothing in between.

The screened subnet firewall (or edge firewall) is as straightforward as you can get. Internet users who need access to an internal server must traverse the firewall to do so. Internal users needing access to those same servers can reach them directly. Internet traffic destined for anything the administrator does not want to expose is blocked at the firewall to prevent attacks on internal systems. All internal users must also traverse the firewall to access the Internet. This is the same type of firewall you would have at home with a small network behind, say, a Linksys or Netgear router. This configuration has several advantages. The primary advantage is simplicity: with only two interfaces, the Access Control Lists (ACLs), the filters that define the criteria for permitting or denying traffic, are much simpler.

Although this configuration is cost effective and simple to implement, it is not without its drawbacks. In this arrangement, the hacker has several chances to penetrate your network. If they can find a security hole in the firewall, or if the firewall is improperly configured, the hacker might be able to gain access to the internal network. Even if the firewall is implemented flawlessly, the hacker has a second opportunity to gain access. If the hacker can compromise any exposed web-based service and take control of the server, they then have an internal system from which to launch additional attacks. Finally, if the servers are critical to the business, allowing internal users to reach them without going through the firewall means you lose some of the audit capability the firewall might otherwise offer. By far the biggest security weakness of this configuration is that if you expose any web-based services, the servers hosting those services will be attacked frequently, and a compromise of one of those servers may expose your entire network. Thus, we are led to consider other forms of firewall architecture: the one-legged DMZ and the true DMZ.

Firewall Architecture: One-Legged DMZ

The one-legged demilitarized zone (DMZ) still has the advantage of cost, because you are building a DMZ using only a single firewall. Commonly, the firewall interfaces are called Internal or Inside, External or Outside, and DMZ.

With this type of firewall architecture you get to keep the low-cost benefit, but add some isolation to your Internet-based servers. Internal users must traverse the firewall to access the servers or the Internet. External users must traverse the firewall to access the Web-based services. The real strength of this type of configuration is that if the servers that are hosting the web-based services are compromised, the hacker still needs to contend with the firewall to continue attacking the internal network. As an added feature, because all users (internal and external) must traverse the firewall to access the web-based servers, you may gain a higher degree of auditing from the firewall logs. If you wanted to provide even further isolation, assuming you have the available interfaces on the firewall, you could implement a separate DMZ for each web-based server you needed.

The only real disadvantages to this configuration are complexity and, to a small degree, cost. As you add interfaces to the firewall, the configuration becomes more complex. Not only does this complexity add to the time and labor for configuration and maintenance, it also increases the chance that an error will be made in the configuration. As you add interfaces, there will often be additional costs associated with them. In most cases this cost is minor and far less than an additional firewall, but some high-speed interfaces can become very costly. Lastly, with this configuration, if the firewall itself is defeated, the entire network is open to attack.

Firewall Architecture: True DMZ

The true DMZ is generally considered the most secure of firewall architectures. With this design, there is an external and an internal firewall, and any Internet-accessible devices are sandwiched between the two.

Internet traffic is only permitted to a server in the DMZ, and only on the port that server is listening on. For example, if you had a web server and an FTP server in the DMZ, traffic with a destination port of 80 would only be permitted to the web server. For internal users accessing the same servers, the same rules would apply. Internal users would have to have permission through both firewalls to access the Internet. Obviously, this type of design costs more, typically double, but that cost buys you increased security. In a true DMZ, if the web server is compromised the hacker is still trapped between two firewalls. For those who want to go the extra mile, the inside and outside firewalls can be of different types. In this way, a hacker who finds a security hole in one firewall is unlikely to be able to apply the same techniques to the other firewall.
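The three architectures above differ in which firewalls a given flow has to cross, and that is something you can check before buying hardware. The following is an added example, not code from the original article: a small zone-based reachability model with a first-match ACL evaluator. It builds the screened subnet, the one-legged DMZ and the true DMZ from the same constructed rule set (web on 80 and FTP on 21 exposed, internal users allowed out) and reports, for each design, whether an Internet host can reach the servers, whether it can reach an internal desktop, and whether a compromised DMZ server can pivot into the internal network. It also models the "firewall defeated" case from the one-legged DMZ section by swapping in a permit-everything firewall, to show why the true DMZ's second firewall still holds. All zone names, host names, ports and rules are constructed assumptions; the evaluator is a simplified stateless model, not any vendor's ACL syntax.

```python
"""Zone-based reachability model for the screened subnet, one-legged DMZ and
true DMZ architectures. Added example; every rule, zone and host is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: Optional[str]   # None matches any source zone
    dst_zone: Optional[str]   # None matches any destination zone
    dst_host: Optional[str]   # None matches any host in dst_zone
    dport: Optional[int]      # None matches any destination port
    action: str               # "permit" or "deny"


class Firewall:
    """First-match ACL with an implicit deny at the end, as on most firewalls."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name, self.rules = name, rules

    def allows(self, src_zone: str, dst_zone: str, dst_host: str, dport: int) -> bool:
        for r in self.rules:
            if (r.src_zone in (None, src_zone) and r.dst_zone in (None, dst_zone)
                    and r.dst_host in (None, dst_host) and r.dport in (None, dport)):
                return r.action == "permit"
        return False  # nothing matched: implicit deny

    def defeated(self) -> "Firewall":
        """Model a compromised or grossly misconfigured firewall that passes everything."""
        return Firewall(self.name + "(defeated)", [Rule(None, None, None, None, "permit")])


class Architecture:
    """Hosts mapped to zones, plus the ordered list of firewalls between two zones."""

    def __init__(self, name: str, hosts: Dict[str, str],
                 paths: Dict[Tuple[str, str], List[Firewall]]):
        self.name, self.hosts, self.paths = name, hosts, paths

    def reachable(self, src_host: str, dst_host: str, dport: int) -> bool:
        sz, dz = self.hosts[src_host], self.hosts[dst_host]
        if sz == dz:
            return True  # same segment: no firewall in the path (and nothing logged)
        path = self.paths.get((sz, dz))
        if path is None:
            return False  # no route defined between these zones
        return all(fw.allows(sz, dz, dst_host, dport) for fw in path)


# Constructed rule fragments shared by all three designs.
PUBLIC = [Rule("outside", "dmz", "web", 80, "permit"),
          Rule("outside", "dmz", "ftp", 21, "permit")]
INSIDE_TO_SERVERS = [Rule("inside", "dmz", "web", 80, "permit"),
                     Rule("inside", "dmz", "ftp", 21, "permit")]
INSIDE_OUT = [Rule("inside", "outside", None, None, "permit")]


def screened_subnet() -> Architecture:
    # Servers share the internal segment; one two-interface edge firewall.
    edge = Firewall("edge", [Rule("outside", "inside", "web", 80, "permit"),
                             Rule("outside", "inside", "ftp", 21, "permit")] + INSIDE_OUT)
    hosts = {"internet_host": "outside", "web": "inside", "ftp": "inside", "desktop": "inside"}
    return Architecture("screened subnet", hosts,
                        {("outside", "inside"): [edge], ("inside", "outside"): [edge]})


def one_legged_dmz(fw_defeated: bool = False) -> Architecture:
    # One three-interface firewall; every inter-zone flow crosses it.
    fw = Firewall("fw", PUBLIC + INSIDE_TO_SERVERS + INSIDE_OUT)
    fw = fw.defeated() if fw_defeated else fw
    hosts = {"internet_host": "outside", "web": "dmz", "ftp": "dmz", "desktop": "inside"}
    zones = ("outside", "dmz", "inside")
    paths = {(a, b): [fw] for a in zones for b in zones if a != b}
    return Architecture("one-legged DMZ" + (" (fw defeated)" if fw_defeated else ""), hosts, paths)


def true_dmz(outer_defeated: bool = False) -> Architecture:
    # Outer firewall faces the Internet, inner firewall guards the internal segment.
    outer = Firewall("outer", PUBLIC + INSIDE_OUT)
    inner = Firewall("inner", INSIDE_TO_SERVERS + INSIDE_OUT)
    outer = outer.defeated() if outer_defeated else outer
    hosts = {"internet_host": "outside", "web": "dmz", "ftp": "dmz", "desktop": "inside"}
    paths = {("outside", "dmz"): [outer], ("dmz", "outside"): [outer],
             ("inside", "dmz"): [inner], ("dmz", "inside"): [inner],
             ("inside", "outside"): [inner, outer], ("outside", "inside"): [outer, inner]}
    return Architecture("true DMZ" + (" (outer defeated)" if outer_defeated else ""), hosts, paths)


def exposure(arch: Architecture) -> Dict[str, bool]:
    """Flows a defender cares about: legitimate access, a mis-aimed port, a direct
    attack on an internal host, and the pivot from a compromised public server."""
    return {
        "internet->web:80": arch.reachable("internet_host", "web", 80),
        "internet->ftp:80": arch.reachable("internet_host", "ftp", 80),
        "internet->desktop:445": arch.reachable("internet_host", "desktop", 445),
        "web->desktop:445": arch.reachable("web", "desktop", 445),
    }


if __name__ == "__main__":
    for arch in (screened_subnet(), one_legged_dmz(), true_dmz(),
                 one_legged_dmz(fw_defeated=True), true_dmz(outer_defeated=True)):
        print(f"{arch.name:28} {exposure(arch)}")
```

Running it shows the point each section makes: in the screened subnet the compromised web server reaches the desktop with no firewall in the way at all; in the one-legged DMZ that pivot is blocked, but a defeated firewall opens everything; in the true DMZ a defeated outer firewall still leaves the pivot and the direct attack blocked by the inner one. Port 80 to the FTP server is denied in every design, matching the per-server, per-port rule described above.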

Firewall Architecture: Conclusion

Now that we have covered the basics of firewall architecture, you should be in a better position to make a decision about proposing and implementing a firewall solution for your network. In the next article, we will cover firewall implementation.

External Links:

DMZ at Wikipedia

SolutionBase: Strengthen Network Defenses by Using a DMZ at

Four Tips for Securing a Network DMZ at

Designing and Using DMZ Networks to Protect Internet Servers at

© 2013 David Zientara. All rights reserved.