Firewall design

By D. Brent Chapman, Unix Insider |  Security

Whereas a dual-homed host architecture provides services from a host
that's attached to multiple networks (but has routing turned off), a
screened host architecture provides services from a
host that's attached to only the internal network, using a separate
router. In this architecture, the primary security is provided by packet
filtering. (For example, packet filtering is what prevents people from
going around proxy servers to make direct connections.)

The bastion host sits on the internal network. The packet filtering
on the screening router is set up in such a way that the bastion host
is the only system on the internal network that hosts on the Internet
can open connections to (for example, to deliver incoming email). Even
then, only certain types of connections are allowed. Any external
system trying to access internal systems or services will have to
connect to this host. The bastion host thus needs to maintain a high
level of host security.

The packet filtering also permits the bastion host to open allowable
connections (what is "allowable" will be determined by your site's
particular security policy) to the outside world. The section about
bastion hosts in the discussion of the screened subnet architecture,
later in this chapter, contains more information about the functions of
bastion hosts, and Chapter 5 of our book describes in detail how to
build one.

The packet filtering configuration in the screening router may do one
of the following:

  • Allow other internal hosts to open connections to hosts on the
    Internet for certain services (allowing those services via packet
    filtering, as discussed in Chapter 6 of our book),
  • Disallow all connections from internal hosts (forcing those hosts
    to use proxy services via the bastion host, as discussed in Chapter 7
    of our book).

You can mix and match these approaches for different services; some
may be allowed directly via packet filtering, while others may be
allowed only indirectly via proxy. It all depends on the particular
policy your site is trying to enforce.
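To make the screening router's policy concrete, here is an added example (not from the article or the book) that models its filter table as a first-match rule list and evaluates sample packets. It assumes constructed addresses (192.0.2.0/24 as the internal network, 192.0.2.10 as the bastion host) and a mixed policy in which inbound mail may reach only the bastion host, the bastion host may open mail and web connections outward, internal hosts get direct web access, and everything else is denied so it must go through the bastion host's proxies. Replies are recognised the way early packet filters did it, by the TCP ACK bit being set.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses (documentation ranges); not from the article.
INTERNAL_NET = ip_network("192.0.2.0/24")
BASTION = ip_address("192.0.2.10")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    ack: bool = False   # TCP ACK bit: clear only on the packet that opens a connection


def _side(addr):
    """Classify an address as 'bastion', 'internal' or 'external'."""
    a = ip_address(addr)
    if a == BASTION:
        return "bastion"
    return "internal" if a in INTERNAL_NET else "external"


# Screening-router rule table; first match wins; None matches anything.
# Fields: (name, action, src_side, dst_side, proto, dport, ack)
RULES = [
    # Incoming mail is the only connection the Internet may open to the bastion host.
    ("smtp-in",       "permit", "external", "bastion",  "tcp", 25,   False),
    # The bastion host may open "allowable" outbound connections (mail and web here).
    ("bastion-out",   "permit", "bastion",  "external", "tcp", 25,   None),
    ("bastion-out",   "permit", "bastion",  "external", "tcp", 80,   None),
    # Replies to connections the bastion host opened: ACK must be set.
    ("bastion-reply", "permit", "external", "bastion",  "tcp", None, True),
    # Internal hosts may reach web servers directly via packet filtering ...
    ("http-out",      "permit", "internal", "external", "tcp", 80,   None),
    ("http-reply",    "permit", "external", "internal", "tcp", None, True),
    # ... but every other internal-to-Internet service must use a bastion proxy.
    ("default",       "deny",   None,       None,       None,  None, None),
]


def filter_packet(pkt):
    """Return (action, rule_name) for the first rule that matches the packet."""
    src_side, dst_side = _side(pkt.src), _side(pkt.dst)
    fields = (src_side, dst_side, pkt.proto, pkt.dport, pkt.ack)
    for name, action, *pattern in RULES:
        if all(want is None or want == got for want, got in zip(pattern, fields)):
            return action, name
    return "deny", "implicit"   # unreachable while the table ends in a default rule
```

Note that the ACK-bit reply rules admit any inbound TCP packet with ACK set, which is why a stateful filter that tracks connections is the preferred way to express "replies only" today.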

Because this architecture allows packets to move from the Internet to
the internal networks, it may seem more risky than a dual-homed host
architecture, which is designed so that no external packet can
reach the internal network. In practice, however, the dual-homed host
architecture is also prone to failures that let packets actually cross
from the external network to the internal network. (Because this
type of failure is completely unexpected, there are unlikely to be
protections against attacks of this kind.) Furthermore, it's easier to
defend a router, which provides a very limited set of services, than it
is to defend a host. For most purposes, the screened host architecture
provides both better security and better usability than the dual-homed
host architecture.
