Chapter 6. Firewall Architectures

This chapter describes a variety of ways to put firewall components together, and discusses their advantages and disadvantages. We’ll tell you what some appropriate uses are for each architecture.

Single-Box Architectures

The simplest firewall architectures have a single object that acts as the firewall. In general, the security advantage of single-box architectures is that they provide a single place that you can concentrate on and verify is correctly configured, while the disadvantage is that your security is entirely dependent on that single place. There is no defense in depth, but on the other hand, you know exactly what your weakest link is and how weak it is, which is much harder to know with multiple layers.

In practice, the advantages of single-box architectures are not in their security but in other practical concerns. Compared to a multiple-layer system that’s integrated with your network, a single-box architecture is cheaper, easier to understand and explain to management, and easier to get from an external vendor. This makes it the solution of choice for small sites. It also makes it a tempting solution for people who are looking for magic security solutions that can be put in once and forgotten about. While there are very good single-box firewalls, there are no magic firewalls, and single-box solutions require the same difficult decisions, careful configuration, and ongoing maintenance that all other firewalls do.

Screening Router

It is ...

Get Building Internet Firewalls, 2nd Edition now with O’Reilly online learning.