When developing a perimeter protection strategy for an organisation, one of the most common questions is "Where should I place firewalls for maximum effectiveness?" In this tip, we'll take a look at the three basic options and analyse the scenarios best suited for each case.
Before we get started, please note that this tip deals with firewall placement only. Anyone building a perimeter protection strategy should plan to implement a defence-in-depth approach that utilises multiple security devices including firewalls, border routers with packet filtering and intrusion-detection systems.
Option 1: Bastion host
The first and most basic option is the use of a bastion host. In this scenario (shown in figure 1 below), the firewall is placed between the Internet and the protected network. It filters all traffic entering or leaving the network.
Figure 1: Bastion host
The bastion host topology is well suited for relatively simple networks (e.g. those that don't offer any public Internet services.) The key factor to keep in mind is that it offers only a single boundary. Once someone manages to penetrate that boundary, they've gained unrestricted (at least from a perimeter protection perspective) access to the protected network. This may be acceptable if you're merely using the firewall to protect a corporate network that is used mainly for surfing the Internet, but is probably not sufficient if you host a Web site or e-mail server.
Option 2: Screened subnet
The second option, the use of a screened subnet, offers additional advantages over the bastion host approach. This architecture uses a single firewall with three network cards (commonly referred to as a triple homed firewall). An example of this topology is shown in figure 2 below.
Figure 2: Screened subnet
The screened subnet provides a solution that allows organisations to offer services securely to Internet users. Any servers that host public services are placed in the Demilitarised Zone (DMZ), which is separated from both the Internet and the trusted network by the firewall. Therefore, if a malicious user does manage to compromise the firewall, he or she does not have access to the Intranet (providing that the firewall is properly configured).
Option 3: Dual firewalls
The most secure (and most expensive) option is to implement a screened subnet using two firewalls. In this case, the DMZ is placed between the two firewalls, as shown in figure 3 below.
Figure 3: Dual firewalls
The use of two firewalls still allows the organisation to offer services to Internet users through the use of a DMZ, but provides an added layer of protection. It's very common for security architects to implement this scheme using firewall technology from two different vendors. This provides an added level of security in the event a malicious individual discovers a software-specific exploitable vulnerability.
Higher-end firewalls allow for some variations on these themes as well. While basic firewall models often have a three-interface limit, higher-end firewalls allow a large number of physical and virtual interfaces. For example, the Sidewinder G2 firewall from Secure Computing allows up to 20 physical interfaces. Additional virtual interfaces may be added through the use of VLAN tagging on the physical interfaces. What does this mean to you? With a greater number of interfaces, you can implement many different security zones on your network. For example, you might have the following interface configuration:
- Zone 1: Internet
- Zone 2: Restricted workstations
- Zone 3: General workstations
- Zone 4: Public DMZ
- Zone 5: Internal DMZ
- Zone 6: Core servers
This type of architecture allows you to take any of the three topologies described above and add a tremendous degree of flexibility.
That's a brief primer on firewall architectures. Now that you're familiar with the basic concepts, you should be able to help select an appropriate architecture for use in various situations.