The Firewall System

To paraphrase Shrek, the network perimeter is like an onion; it has lots of layers.

Historically, a firewall has always been considered a device. It exists on the network perimeter (in many cases, it is the network perimeter) and is wholly responsible for controlling traffic entering and exiting a protected network. This philosophy is antiquated and no longer relevant.

Instead, a firewall should no longer be considered a device, but a system of devices that work in concert to control the flow of traffic into and out of a protected network. In doing so, the firewall system implements a layered design that eliminates reliance on any one device to do all the filtering. This has the effect of eliminating many of the single points of failure that exist in traditional firewall device-based implementations.

The firewall system layers depend on whether a single- or dual-firewall architecture has been implemented.

Single-Firewall System

With a single-firewall architecture, the firewall system consists of the following layers:

• External router
• Network segment between the external router and firewall
• Firewall
• DMZ segment

Figure 9-4 depicts this architecture.

Figure 9-4. Single-Firewall System

At the outermost layer of the firewall system, the external router should be the first point of control of traffic entering (ingress filtering) and exiting (egress filtering) your network. The only traffic that should be allowed to traverse the router is traffic destined for the firewall or for resources being protected by the firewall. This serves two purposes. First, it makes it easier to monitor the traffic on the segment between the router and the firewall, because only traffic that should be delivered to the firewall should exist on that segment. Second, it protects the firewall from any nonpermitted traffic: if the firewall is for some reason vulnerable to an exploit carried in that nonpermitted traffic, the router stops it before it arrives. Keep in mind that in addition to protecting the firewall and the protected resources, the router itself should be hardened and protected to ensure that external threats are not able to target the router directly.

The network segment between the external router and the firewall is the first point for implementing intrusion detection and prevention systems (IDS/IPS). Because only explicitly permitted traffic should be allowed to traverse the router, the IDS/IPS can be configured to send an alarm any time it detects nonpermitted traffic. Such an alarm indicates that the filtering at the external router has somehow failed or been bypassed.

The firewall itself is the next layer, and it should be configured with ingress and egress filters to permit only traffic required by protected resources on either the DMZ or internal network segments. As previously mentioned, allowing traffic from external sources directly to internal resources should be prevented at all costs.

Resources in the DMZ segment should be protected by a combination of host-based firewalls and host- and network-based IDS/IPS. Such a setup enables you to permit or deny, at the server itself, exactly which traffic should be allowed. This setup effectively provides three separate and distinct filtering layers (the external router, the firewall, and the host itself) for maximum protection of the resources in the DMZ. In addition to host-based firewalls, Layer 2 security controls such as private VLANs (PVLANs) and IDS/IPS can protect the servers in the DMZ from being accessed by other servers in the DMZ, helping to ensure that if one server is compromised, it cannot be used to access another server in an open and unfiltered manner.

Finally, the internal network is protected by filtering at the external router and the firewall, and includes IDS/IPS between the firewall and the internal network, allowing you to identify and monitor all traffic that comes from the firewall.

Dual-Firewall System

With a dual-firewall architecture, the firewall system consists of the following layers:

• External router
• Network segment between the external router and exterior firewall
• Exterior firewall
• DMZ segment
• Interior firewall

Figure 9-5 depicts a dual-firewall system.

Figure 9-5. Dual-Firewall System

The only real physical difference between the dual-firewall system and the single-firewall system is the implementation of two firewalls. This setup provides separate and distinct choke points in your network to control the flow of traffic, with the appropriate ingress and egress filtering on the exterior and interior firewalls. Because the DMZ sits between the two, a compromised DMZ host still faces the interior firewall's policy before it can reach anything on the internal network.
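The layered filtering described in both the single- and dual-firewall sections above, as an added example that is not part of the original text: a small Python model in which each filtering point (the external router's ingress and egress ACLs, the firewall, a DMZ host firewall, a private VLAN, and the exterior/interior firewall pair) is an ordered first-match rule list with an implicit deny, exactly as a router ACL behaves. The address plan, hosts, ports and rules are constructed for the example (RFC 5737 documentation ranges), and the `first_deny` walk and the `segment_alarms` IDS check are assumptions of this example, not anything from the book.

```python
"""Layered firewall-system policy model (added example; addresses and rules are
constructed for illustration using RFC 5737 documentation ranges)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str = "0.0.0.0/0"    # source prefix, any by default
    dst: str = "0.0.0.0/0"    # destination prefix, any by default
    dports: tuple = ()        # destination ports; empty means any
    proto: str = "any"

    def matches(self, p):
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (not self.dports or p.dport in self.dports)
                and self.proto in ("any", p.proto))


class Layer:
    """One filtering point (router ACL, firewall policy, host firewall, PVLAN):
    an ordered, first-match rule list with an implicit deny at the end."""

    def __init__(self, name, rules):
        self.name, self.rules = name, rules

    def permits(self, p):
        for r in self.rules:
            if r.matches(p):
                return r.action == "permit"
        return False  # implicit deny, as on a router ACL


# Address plan (constructed): internal 10/8, DMZ in TEST-NET-1
INTERNET, INTERNAL, DMZ = "0.0.0.0/0", "10.0.0.0/8", "192.0.2.0/24"
WEB, MAIL, DB = "192.0.2.10/32", "192.0.2.25/32", "10.0.1.20/32"
DMZ_SERVICES = (80, 443, 25)

# Outermost layer: the external router. The ingress ACL admits only traffic for
# the protected DMZ resources and drops packets that spoof our own address space.
ROUTER_IN = Layer("external-router", [
    Rule("deny", src=INTERNAL),
    Rule("deny", src=DMZ),
    Rule("permit", dst=DMZ, dports=DMZ_SERVICES, proto="tcp"),
])
# Egress ACL: only our own address space may leave the network.
ROUTER_OUT = Layer("external-router-egress", [
    Rule("permit", src=INTERNAL),
    Rule("permit", src=DMZ),
])

# Single-firewall system: one firewall fronts both the DMZ and the internal
# network. Internet -> internal has no permit rule, so it hits the implicit deny.
FIREWALL = Layer("firewall", [
    Rule("permit", dst=DMZ, dports=DMZ_SERVICES, proto="tcp"),
    Rule("permit", src=INTERNAL, dst=INTERNET, dports=(80, 443), proto="tcp"),
    Rule("permit", src=INTERNAL, dst=INTERNET, dports=(53,), proto="udp"),
])

# Third layer for DMZ resources: each host decides exactly what it accepts, and
# a private VLAN keeps DMZ hosts from reaching each other at Layer 2.
WEB_HOST = Layer("web-host-firewall", [Rule("permit", dst=WEB, dports=(80, 443), proto="tcp")])
MAIL_HOST = Layer("mail-host-firewall", [Rule("permit", dst=MAIL, dports=(25,), proto="tcp")])
PVLAN = Layer("dmz-private-vlan", [Rule("deny", src=DMZ, dst=DMZ), Rule("permit")])

# Dual-firewall system: exterior and interior firewalls are distinct choke points.
EXTERIOR_FW = Layer("exterior-firewall", [
    Rule("permit", dst=DMZ, dports=DMZ_SERVICES, proto="tcp"),
    Rule("permit", src=INTERNAL, dst=INTERNET, dports=(80, 443), proto="tcp"),
])
INTERIOR_FW = Layer("interior-firewall", [
    Rule("permit", src=WEB, dst=DB, dports=(5432,), proto="tcp"),  # only the web tier reaches the DB
    Rule("permit", src=INTERNAL, dports=(80, 443), proto="tcp"),
])

# The ordered set of layers a packet crosses for each direction of interest.
INBOUND_WEB = [ROUTER_IN, FIREWALL, WEB_HOST]
INBOUND_MAIL = [ROUTER_IN, FIREWALL, MAIL_HOST]
DMZ_LATERAL = [PVLAN, MAIL_HOST]
OUTBOUND = [FIREWALL, ROUTER_OUT]
DMZ_TO_INTERNAL_DUAL = [INTERIOR_FW]
INTERNET_TO_INTERNAL_DUAL = [ROUTER_IN, EXTERIOR_FW, INTERIOR_FW]


def first_deny(layers, pkt):
    """Walk the layers in order; return the name of the first layer that drops
    the packet, or None if every layer permits it (the packet is delivered)."""
    for layer in layers:
        if not layer.permits(pkt):
            return layer.name
    return None


def segment_alarms(router, observed):
    """IDS on the router<->firewall segment: any packet seen there that the
    router ACL should have dropped is evidence the router's filtering failed."""
    return [p for p in observed if not router.permits(p)]


if __name__ == "__main__":
    client = "203.0.113.5"
    print(first_deny(INBOUND_WEB, Packet(client, "192.0.2.10", 443)))    # None
    print(first_deny(INBOUND_MAIL, Packet(client, "192.0.2.25", 443)))   # mail-host-firewall
    print(first_deny(INBOUND_WEB[1:], Packet(client, "10.0.0.5", 445)))  # firewall
    print(segment_alarms(ROUTER_IN, [Packet(client, "10.0.0.5", 445)]))
```

Walking a packet with `first_deny` shows the point of the layered design: an Internet client reaching the internal file-sharing port is dropped by the router, and if the router's ACL is skipped (`INBOUND_WEB[1:]`) the firewall drops it anyway; HTTPS to the mail host clears the router and the firewall, both of which filter at DMZ granularity, and is refused only by the host firewall, which is the one place that knows exactly what that server should accept; a web server trying to reach the mail server over SSH is stopped by the PVLAN before any host policy is consulted. `segment_alarms` is meaningful only because the router policy is tight: with a permissive ACL the list would never be empty and the alarm would say nothing about router failure.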
