Firewall design

By D. Brent Chapman, Unix Insider |  Security

Some sites go so far as to create a layered series of perimeter nets
between the outside world and their interior network. Less trusted and
more vulnerable services are placed on the outer perimeter nets,
farthest from the interior network. The idea is that an attacker who
breaks into a machine on an outer perimeter net will have a harder
time successfully attacking internal machines because of the
additional layers of security between the outer perimeter and the
internal network. This is only true if there is actually some meaning
to the different layers, however; if the filtering systems between
each layer allow the same things between all layers, the
additional layers don't provide any additional security.
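The caveat in the paragraph above is easy to check mechanically. The following Python is an added example, not code from the article or from the book it is drawn from: it models each filtering system between layers as the set of services it permits inbound, computes what an outside source could still reach after crossing each successive layer, and flags any layer that lets through exactly what already reached it. The layer names, ports and the three-layer design are hypothetical.

```python
from typing import FrozenSet, List, Sequence, Tuple

# A service is identified by transport protocol and destination port.
Service = Tuple[str, int]


class LayerFilter:
    """The filtering system between two adjacent layers, modelled as the
    set of services it permits to pass inbound toward the interior."""

    def __init__(self, name: str, allowed_inbound: Sequence[Service]) -> None:
        self.name = name
        self.allowed_inbound: FrozenSet[Service] = frozenset(allowed_inbound)


def reachable_through(filters: Sequence[LayerFilter]) -> List[FrozenSet[Service]]:
    """For each layer i, the services an outside source could still reach
    after crossing filters 0..i: the running intersection of the allow sets.
    Filters are listed from the outermost (Internet-facing) inward."""
    surviving: FrozenSet[Service] = frozenset()
    result: List[FrozenSet[Service]] = []
    for index, layer in enumerate(filters):
        surviving = layer.allowed_inbound if index == 0 else surviving & layer.allowed_inbound
        result.append(surviving)
    return result


def redundant_layers(filters: Sequence[LayerFilter]) -> List[str]:
    """Names of filters that let through exactly what already reached them.
    Such a layer adds nothing: whatever can reach a service on its outer
    side can reach the same service on its inner side."""
    reach = reachable_through(filters)
    return [filters[i].name for i in range(1, len(filters)) if reach[i] == reach[i - 1]]


def interior_exposure(filters: Sequence[LayerFilter]) -> FrozenSet[Service]:
    """Services an outside source could reach on the interior network."""
    return reachable_through(filters)[-1] if filters else frozenset()


# Constructed three-layer design (hypothetical names and ports).
EXAMPLE_DESIGN = [
    LayerFilter("exterior-router", [("tcp", 22), ("tcp", 25), ("tcp", 80), ("udp", 53)]),
    # Identical rules to the layer outside it: looks like a layer, adds no security.
    LayerFilter("middle-router", [("tcp", 22), ("tcp", 25), ("tcp", 80), ("udp", 53)]),
    # Only mail and DNS may reach the interior network.
    LayerFilter("interior-router", [("tcp", 25), ("udp", 53)]),
]

if __name__ == "__main__":
    for name in redundant_layers(EXAMPLE_DESIGN):
        print(f"layer {name!r} permits the same traffic as the layer outside it")
    print("reachable on the interior:", sorted(interior_exposure(EXAMPLE_DESIGN)))
```

Running it on the constructed design reports the middle router as redundant and shows that only mail and DNS survive to the interior; a real audit would build the allow sets from the actual router configurations rather than from literals.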

The next few sections
describe the components in a firewall configuration
that uses the screened subnet architecture.

Perimeter network

The perimeter network is another layer of security, an additional
network between the external network and your protected internal
network. If an attacker successfully breaks into the outer reaches of
your firewall, the perimeter net offers an additional layer of
protection between that attacker and your internal systems.

Here's an example of why a perimeter network can be helpful. In many
network setups, it's possible for any machine on a given network to
see the traffic for every machine on that network. This is true for
most Ethernet-based networks (and Ethernet is by far the most common
local area networking technology in use today); it is also true for
several other popular technologies, such as token ring and
FDDI. Snoopers may succeed in picking up passwords
by watching for those used during Telnet, FTP,
and rlogin sessions. Even if passwords aren't
compromised, snoopers can still peek at the contents of
sensitive files people may be accessing, interesting email they
may be reading, and so on; the snooper can essentially "watch over
the shoulder" of anyone using the network.

With a perimeter network, if someone breaks into a bastion host on the
perimeter net, he'll be able to snoop only on traffic on that net. All
the traffic on the perimeter net should be either to or from the
bastion host, or to or from the Internet. Because no strictly internal
traffic (that is, traffic between two internal hosts, which is
presumably sensitive or proprietary) passes over the perimeter net,
internal traffic will be safe from prying eyes if the bastion host is

Obviously, traffic to and from the bastion host, or the external world,
will still be visible. Part of the work in designing a firewall is
ensuring that this traffic is not itself confidential enough that
reading it will compromise your site as a whole. (This is discussed in
Chapter 5 of our book.)
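The rule that perimeter-net traffic should only be to or from the bastion host or to or from the Internet can be audited from flow records captured on that net. The Python below is an added example, not the article's or the book's own code: it classifies each flow by its endpoints and reports any flow whose endpoints are both interior hosts, which is exactly the traffic that should never cross the perimeter net. The address ranges, bastion address and flow records are constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hypothetical addressing, not from the article: the interior network
# and the bastion host's address on the perimeter net.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BASTION_HOST = ipaddress.ip_address("192.0.2.10")

# Constructed flow records, in a simple "src -> dst proto/port" form, as a
# monitor attached to the perimeter net might log them.
SAMPLE_FLOWS = """\
2025-03-01T09:00:01 203.0.113.7 -> 192.0.2.10 tcp/25
2025-03-01T09:00:02 192.0.2.10 -> 10.1.0.5 tcp/25
2025-03-01T09:00:03 10.1.0.5 -> 203.0.113.9 tcp/443
2025-03-01T09:00:04 10.1.0.5 -> 10.1.0.6 tcp/445
2025-03-01T09:00:05 10.2.3.4 -> 10.1.0.20 tcp/23
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\w+)/(\d+)$")


def is_internal(addr: IPAddress) -> bool:
    """True if the address belongs to the protected interior network."""
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(src: str, dst: str) -> str:
    """Traffic on the perimeter net should be to/from the bastion host or
    to/from the Internet. A flow with both endpoints on the interior
    network is strictly internal traffic that should never appear there."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if BASTION_HOST in (s, d):
        return "bastion"
    if is_internal(s) and is_internal(d):
        return "internal-only"
    return "internet"


def audit_perimeter_flows(log_text: str) -> List[Tuple[str, str]]:
    """Parse flow records and return (record, classification) for every
    record whose presence on the perimeter net is a problem."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        match = FLOW_RE.match(line.strip())
        if not match:
            continue  # skip lines that are not in the expected format
        _timestamp, src, dst, _proto, _port = match.groups()
        verdict = classify_flow(src, dst)
        if verdict == "internal-only":
            findings.append((line, verdict))
    return findings


if __name__ == "__main__":
    for record, verdict in audit_perimeter_flows(SAMPLE_FLOWS):
        print(f"{verdict}: {record}")
```

On the constructed records the two interior-to-interior flows are reported and the bastion and Internet flows pass; a finding of this kind usually points at a routing or interior-router filtering mistake that is letting internal traffic onto the perimeter net, where a compromised bastion host could read it.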

Bastion host
