Internet Security
FIREWALL ARCHITECTURES

 
On occasion,  companies choose to implement a firewall based solely on a single machine, be it a router or host. More often than not, however, the stronger firewalls are composed of multiple parts. In this section, we'll take a look at what we consider the five most common types of firewall architectures : the screening router, the dual homed gateway, the screened gateway, the screened subnet, and the "belt-and-suspenders" firewall.

Screening Router

The simplest way to implement a firewall is by placing packet filters on the router  itself. This architecture is completely transparent to all parties involved, but leaves us with a single point of failure. Moreover, since routers are primarily designed to route traffic, the default failure mode on routers is  usually to pass traffic to another interface. (Although most routers include an implied" .. and deny everything else" statement at the end of an access list, we are referring more to the possibility of a failure in the security mechanism.) If  something were to happen to the router access control mechanism (such as the vulnerability found in one router vendor's software in early 1995), then the possibility would exist for unauthorized traffic to find its way into the network or for proprietary information to "leak" out of the network.

Moreover, screening routers tend to violate the choke point principle of firewalls. Although all traffic does pass through the router at one point or another, the router merely passes the traffic on to its ultimate destination. Each and every potential destination within the network, rather than just a single choke point, must therefore be secured. Although screening routers can be an important part of a firewall architecture, we don't consider them adequate firewall mechanisms on  their own.

Dual-Homed Gateways

Another common architecture places a single machine with two networks as a dual-homed gateway. Such gateway can be used as a generic dual-homed gateway, as described earlier, in which all users must log in to the machine before proceeding on to the other network, or as a host for proxy servers, in which user accounts are not required.

From a "fail-safe" perspective, dual-homed gateways offer a step up from the simple screening router. Because most host-based systems such as these have packet forwarding disabled by default, passing traffic without configuring the host to do so is nearly impossible. As a result, the failure mode of dual-homed gateways is usually more robust than that of screening routers. Nevertheless, as we discussed earlier in this chapter, dual-homed gateways have certain feasibility and usability problems that don't always make them easy to use.

Screened Host Gateway

Now let's take a look at how hosts  and routers can be used together in a firewall architecture. One of the most common combinations in use today is the screened host gateway, illustrated in figure 1.
In the screened host gateway scenario, the router is still the first line of defense. All packet filtering and access control is performed at the router. The router permits only that traffic that the policy explicitly identifies,  and further restricts incoming connections to the host gateway. This gateway performs a number of functions :

  • It acts as the name server for the entire corporate network.
  • It serves as a "public" information server, offering Web and anonymous FTP access to the world.
  • It serves as a gateway from which external parties can communicate with internal machines.

It is fairly straightforward to implement public servers such as FTP, Web, and DNS, but this machine must have modified servers to handle other individual protocols such as incoming telnet and non anonymous FTP.

These servers can be modified in one of two ways : they can be replaced with proxy servers, such as those described earlier, and they can be made capable of communicating with a separate authentication server. This architecture has two major drawbacks :
  • The gateway host must run a number of services, in order to be able to offer them to external users. if proxy servers are not used, user accounts must also be established on the gateway. Both of these  items tend to create attractive targets to a potential intruder, who will now have additional passwords to try and guess, and additional services to try and break.
  • The gateway still provides a single point of failure - if anything were to happen to an individual service on the machine, such as a DNS server crash or a flaw in the Web server, then the entire Internet connection could be shut down or compromised.

Nevertheless, screened host gateways remain a popular implementation, since they allow companies to easily enforce various security policies in different directions without much inconvenience to internal users. Moreover, they are relatively easy to implement, using a standard router and a single host machine. Screened gateways provide a substantial improvement over both screening routers and dual homed gateways.

Screened Subnet

The screened subnet approach takes the idea of a screened host gateway one step further. The screening router is still present as the first point of entry into the corporate network, and screens incoming traffic between the Internet and the public hosts. Rather than a single gateway, as in the screened host gateway approach,  however, the functions of that gateway are spread among multiple hosts. As shown in figure 2, one of the hosts could be a Web server, another could serve as the anonymous FTP server, and yet a third as the proxy server host, from which all connections to and from the internal corporate are made.

Functionally, the screened subnet is similar to the screened host gateway : the router protects the gateway from the Internet, and the gateway protects the internal network from the Internet and other public hosts. One distinct advantage that the subnet has over the screened gateway is that it is much easier to implement a screened subnet using "stripped down" hosts, that is, each host on the subnet can be configured to run only those services it is required to server, thus providing an intruder with fewer  potential targets  on each machine. Furthermore, the machines on the subnet can be made equally accessible to clients on the internal network as well as Internet-based clients.

The internal machines need not treat the machines on the subnet any differently than they would any other "external" machines on the Internet. In fact, if this approach is taken, a screened subnet can significantly increase the potential security of a network, as any compromise of an external machine (except, perhaps, for the gateway machine with the proxy servers running) is unlikely to provide access into the internal network.

Belt and Suspenders Approach

A final architecture takes the idea of the screened subnet and extend still another step further, as shown in figure 3. The principles are the same as the subnet architecture : an external screening router protects "public" machines from the Internet. Instead of a gateway running proxy server software as well as protecting the internal network, however, those functions are split : the proxy server host now resides on the DMZ subnet, while an internal screening router serves to protect the internal network from the public machines. This architecture is often called the "belt-and-suspenders" architecture.

The belt-and-suspenders architecture is only subtly different from the screened subnet, but the difference is important from a security point of view. Whereas the subnet relies on the proxy servers to perform all access control to and from the internal network, the belt-and-suspenders approach relies on the proxy server as the first line of authentication defense, but the internal  router serves to back up the server, as well as to protect the internal network from the machines on the public network

Architecture Advantages Disadvantages
Screening Router
  • Completely transparent
  • Relatively easy and cheap
  • Difficulty handling certain traffic
  • Difficult to configure
  • Limited or no logging
  • Lack of user authentication
  • Difficult to hide internal network structure
  • Dual-Homed Gateway
  • "Fail-safe" mode
  • Internal structure hidden from outside
  • Inconvenient to users
  • Requires modification of user behavior
  • Multiple proxies necessary
  • Proxies not always available
  • Screened Host Gateway
  • Security distributed between two points
  • Transparent outbound access
  • Restricted inbound access
  • Internal structure not hidden
  • Single point of failure (router)
  • No protection from compromised gateway
  • Screened Subnet
  • Transparent to end users
  • Flexible
  • Internal network structure hidden
  • Provides services to outside without compromising  inside
  • All security functions provided by gateway, a single point of security failure
  • Belt-and-Suspenders
  • Extremely secure
  • Internal network structure hidden
  • Redundancy built into design
  • Not very user-friendly
  • Difficult to configure
  • References : 
    Terry Bernstein, Anish B. Bhimani, Eugene Schultz, Carol A. Siegel, Internet Security for Business, Wiley Computer Publishing, John Wiley & Sons Inc, 1996 


    [Home] - [Isi Buku Tamu] - [Lihat Buku Tamu] - [Email]
    Copyright 1999-2007, InVirCom. All rights reserved.