Single-Firewall Architectures

There are two predominant firewall architectures, the single-firewall and dual-firewall architectures. The single-firewall architecture is simpler because it relies on the use of a single firewall device with which to filter and control the flow of traffic.

If you elect to go with a single firewall for your firewall implementation, you can choose from a few different designs:

• Internet firewall with a single DMZ
• Internet firewall with multiple DMZs
• Internet-screening firewall (no DMZ)

Internet Firewall with a Single DMZ

The Internet firewall with a single DMZ is the most common firewall architecture, because it lends itself to being an all-around general-purpose architecture. With this architecture, the firewall has three interfaces: an internal interface that is connected to the protected network, an external interface that is connected to the Internet, and a DMZ interface that is connected to a screened subnet upon which reside the servers and systems that external users need to access. Because the resources on the DMZ segment have to go through the same interface to access both internal and external resources, this architecture is frequently referred to as a DMZ-on-a-stick architecture.

In this architecture, traffic flow is controlled in three directions. Traffic from Internet-based systems is permitted only to resources on the DMZ segment. Internet-based systems can never directly access resources on the internal network. Traffic from DMZ-based systems is permitted both to the Internet as well as to internal resources. In this fashion, the DMZ resources can frequently serve as a proxy in the event that data that resides on the internal network is required by the external system. Finally, traffic from the internal network is permitted to the DMZ as well as to the external network.

In all situations, the only traffic that should be allowed is traffic that is explicitly permitted by a corresponding access control list (ACL). Figure 9-1 illustrates a single DMZ implementation with the corresponding traffic flow restrictions.

Figure 9-1. Single Firewall with Single DMZ

Internet Firewall with Multiple DMZs

The Internet firewall with multiple DMZs is similar to the single DMZ architecture, the only real difference being that there will be multiple single-homed DMZ segments coming off the firewall. There is no practical limit to the number of DMZ segments, the only real restriction being the number of interfaces the firewall can physically or logically support.

This architecture is typically implemented when the need to separate resources on different and distinct DMZ segments exists. With a single DMZ, all resources that will be accessed from external sources exist on the same DMZ segment, which means that if any one of those systems is compromised, there is nothing to stop the attacker from using that system to compromise more critical servers on that DMZ segment. To mitigate this, you can place systems with differing security requirements in their own DMZ segment, thus reducing the possibility that a compromise of an unrelated system will impact your more critical resources. For example, you may place web servers in one DMZ segment and Simple Mail Transfer Protocol (SMTP) servers in a different DMZ segment, so that if the web servers (which are traditionally more susceptible to attacks) are compromised, the SMTP servers are still safely protected on another DMZ segment where the firewall does not allow traffic between DMZ segments to pass.

As with the single DMZ architecture, you want to control the flow of traffic in the same manner, preventing all traffic from external sources from accessing internal resources directly and, unless otherwise required, preventing all traffic from traversing from one DMZ segment to another.

Figure 9-2 illustrates a single-firewall architecture with multiple DMZs.

Figure 9-2. Single Firewall with Multiple DMZs

Internet-Screening Firewall (No DMZ)

A single firewall without a DMZ is really only suited to function as an Internet-screening firewall. This is because without a DMZ segment, any traffic coming from the external network breaks the cardinal rule of firewall design: that no traffic from an untrusted source can directly access internal resources.

An Internet-screening firewall exists to do two things. First, it prevents external hosts from initiating connections to any protected resource. Second, it can be implemented in such a manner as to filter and restrict traffic from internal hosts to external resources, typically through the use of content-filtering software such as Websense or SurfControl. Internet-screening firewalls are also frequently implemented for remote office scenarios, because it is relatively rare that a remote office contains resources that need to be accessed from external sources.
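The traffic-flow rules for all three designs (single DMZ, multiple DMZs, and Internet-screening with no DMZ), encoded as a zone-level default-deny policy you can query. This is an added example, not from the book or any vendor; zone names such as "web-dmz" and "smtp-dmz" and the sample flows are constructed, and the model works at zone granularity rather than per-service ACL entries.

```python
from dataclasses import dataclass, field

# Policy: the set of (source_zone, destination_zone) pairs an ACL explicitly
# permits. Any pair not listed is dropped, matching the text's default-deny stance.
@dataclass
class SingleFirewall:
    dmz_zones: frozenset          # names of the screened subnets hanging off the firewall
    permitted: set = field(default_factory=set)

    def build_policy(self, inter_dmz: bool = False) -> "SingleFirewall":
        """Encode the three-direction traffic rules from the text. inter_dmz=True
        is the 'unless otherwise required' case where DMZ-to-DMZ traffic is allowed."""
        for dmz in self.dmz_zones:
            self.permitted.add(("internet", dmz))   # external users reach DMZ servers
            self.permitted.add((dmz, "internet"))   # DMZ hosts reach the Internet
            self.permitted.add((dmz, "internal"))   # DMZ hosts proxy for internal data
            self.permitted.add(("internal", dmz))   # internal users reach DMZ servers
            if inter_dmz:
                self.permitted.update((dmz, other) for other in self.dmz_zones - {dmz})
        self.permitted.add(("internal", "internet"))  # internal users go outbound
        return self

    def allows(self, src: str, dst: str) -> bool:
        return (src, dst) in self.permitted

    def violates_cardinal_rule(self) -> bool:
        """The rule the text calls cardinal: untrusted sources never reach internal hosts."""
        return any(dst == "internal" for src, dst in self.permitted if src == "internet")

def single_dmz() -> SingleFirewall:          # Figure 9-1: DMZ-on-a-stick
    return SingleFirewall(frozenset({"dmz"})).build_policy()

def multi_dmz() -> SingleFirewall:           # Figure 9-2: web and SMTP on separate DMZs
    return SingleFirewall(frozenset({"web-dmz", "smtp-dmz"})).build_policy()

def internet_screening() -> SingleFirewall:  # no DMZ: only internal->Internet is permitted
    return SingleFirewall(frozenset()).build_policy()

# Constructed sample flows (zone names only; no real addresses).
SAMPLE_FLOWS = [("internet", "web-dmz"), ("internet", "internal"),
                ("web-dmz", "smtp-dmz"), ("web-dmz", "internal"), ("internal", "internet")]

def evaluate(fw: SingleFirewall, flows=SAMPLE_FLOWS) -> dict:
    """Map each flow to 'permit' or 'deny' under the given firewall's policy."""
    return {f: ("permit" if fw.allows(*f) else "deny") for f in flows}

if __name__ == "__main__":
    for name, fw in (("single DMZ", single_dmz()), ("multiple DMZs", multi_dmz()),
                     ("screening", internet_screening())):
        print(name, evaluate(fw), "cardinal rule violated:", fw.violates_cardinal_rule())
```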
