Firewall
A firewall is a device that separates
or joins the inside network to the dirty DMZ and any optional protected DMZs.
The firewall can be a router running the firewall feature set, a specialty server
with two or more NICs in different networks, or a specialty device like the
Cisco PIX that does nothing but provide firewall services. While suitable
applications exist for each type of firewall, it is generally best to use a
dedicated device performing only security features, and to leave routing and
serving to other devices.
In a network like the example in Figure 5-1, the firewall would
typically be configured to prevent access from the outside to the inside,
possibly limiting access to those sessions originating from the inside network.
The firewall configuration might allow inside users access to DMZ resources,
while providing some defense for the inside from attackers who compromise a
bastion host.
Unsolicited access from the outside directed to the inside would
typically be blocked. Certain well-thought-out exceptions and configurations
could be created, so e-mail server(s) residing on the inside network, instead of
the DMZ, could still exchange e-mails. Securing this type of connection is
covered in the firewall chapters.
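The policy just described, written as an added illustration in Cisco IOS firewall feature set syntax (this is not configuration from the book; the interface names, addresses, and the inside mail server address 10.1.1.25 are assumptions chosen for the example):

```cisco
! Added example, not from the book. Three-interface router running the
! IOS firewall feature set. Addresses and interface names are assumed.
!
! Inside network   10.1.1.0/24    on FastEthernet0/0
! Protected DMZ    172.16.1.0/24  on FastEthernet0/1
! Outside (dirty side)            on FastEthernet1/0
!
! Inspection tracks sessions that ORIGINATE on the inside, so only the
! matching return traffic is let back through the inbound access lists.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
!
! Unsolicited outside -> inside traffic is blocked. The one deliberate
! exception is SMTP to the mail server that lives on the inside network.
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.1.1.25 eq smtp
 deny   ip any any log
!
! DMZ -> inside is denied so a compromised bastion host gets no foothold
! inside; inside users still reach DMZ resources because their sessions
! are inspected and the replies are admitted dynamically.
ip access-list extended DMZ-IN
 deny   ip any 10.1.1.0 0.0.0.255 log
 permit ip any any
!
interface FastEthernet0/0
 description INSIDE
 ip address 10.1.1.1 255.255.255.0
 ip inspect INSIDE-OUT in
!
interface FastEthernet0/1
 description PROTECTED-DMZ
 ip address 172.16.1.1 255.255.255.0
 ip access-group DMZ-IN in
!
interface FastEthernet1/0
 description OUTSIDE
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
```

The `log` keyword on the deny entries gives the administrator a record of blocked attempts, which is the first place to look when a bastion host is suspected of being compromised.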
The typical firewall device has two or more LAN interfaces: one
each for the inside and outside networks. Optionally, an additional LAN
interface can exist for each protected DMZ network. Today, the LAN interfaces
are typically Fast Ethernet or Gigabit Ethernet, but there’s no reason they
couldn’t be Ethernet, Token Ring, or FDDI.
Some small firewalls used in implementations like branch locations
or telecommuter residences might have only two interfaces, separating the
inside network from the outside world. In those small implementations, the
inside interface could connect to a user machine via a crossover cable, or to a
small hub or switch. The external interface would often connect to the DSL,
cable modem, or ISDN device. The Cisco 806 router, shown in Figure 5-2,
with an Ethernet interface, four-port hub, Cisco IOS, and supporting the
firewall feature set, is an example.
While a firewall is normally used to separate the inside
network from the outside world, it is also possible to use a firewall to separate
internal departments where additional security is required. For example, a
school might choose to place a firewall between the student network and the
faculty network. In this case, the firewall might have only two interfaces, with
the inside interface connected to the protected network
and the outside interface connected to the network
perceived as the potential threat.