Naturally, you need to do more than create and populate a DMZ to build a strong perimeter network. What ultimately distinguishes the DMZ from your internal network is your firewall.
Your firewall (or firewalls) provides the first and last word as to which traffic may enter and leave each of your networks. Although it’s a mistake to mentally elevate firewalls to a panacea, which can lead to complacency and thus to bad security, it’s imperative that your firewalls are carefully configured, diligently maintained, and closely watched.
As I mentioned earlier, in-depth coverage of firewall architecture and specific configuration procedures is beyond the scope of this chapter. What we will discuss are some essential firewall concepts and some general principles of good firewall construction.
In increasing order of strength, the three primary types of firewall are the simple packet-filter, the so-called “stateful” packet-filter, and the application-layer proxy. Most packaged firewall products use some combination of these three technologies.
Simple packet-filters evaluate packets based solely on IP headers (Figure 2-5). Accordingly, this is a relatively fast way to regulate traffic, but it is also easy to subvert. Source-IP spoofing attacks generally aren’t blocked by packet-filters, and since allowed packets are literally passed through the firewall, packets with “legitimate” IP headers but dangerous data payloads (as in buffer-overflow ...
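To make concrete what "evaluates packets based solely on IP headers" means, here is an added example (not from this chapter) of a toy stateless packet-filter in Python: each rule matches only on header fields plus the arrival interface, and the payload is carved out but never consulted. The addresses, interface names and rule set are constructed for illustration, and the interface-aware anti-spoofing rule goes slightly beyond the text by showing the one spoofing case a header-only filter can still catch.

```python
import ipaddress
import struct

# Constructed rule table, first match wins. A rule sees only the IPv4 header
# fields and the interface the packet arrived on; the payload is never examined.
# proto: 6 = TCP, 17 = UDP, None = any protocol.
RULES = [
    # (action, in_iface, src_net, dst_net, proto)
    ("deny",  "eth0", "10.0.0.0/8", "0.0.0.0/0",   None),  # internal src arriving from outside
    ("allow", "eth0", "0.0.0.0/0",  "10.0.1.5/32", 6),     # TCP from anywhere to a DMZ host
    ("allow", "eth1", "10.0.0.0/8", "0.0.0.0/0",   None),  # internal hosts going outbound
    ("deny",  None,   "0.0.0.0/0",  "0.0.0.0/0",   None),  # default deny
]


def parse_ipv4_header(packet: bytes) -> dict:
    """Extract the fields a simple packet-filter looks at from a raw IPv4 packet."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ver_ihl, proto, src, dst = fields[0], fields[6], fields[8], fields[9]
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    return {
        "proto": proto,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "payload": packet[ihl:],  # carried along but deliberately ignored below
    }


def filter_packet(packet: bytes, in_iface: str) -> str:
    """Return 'allow' or 'deny' using header fields and arrival interface only."""
    hdr = parse_ipv4_header(packet)
    for action, iface, src_net, dst_net, proto in RULES:
        if iface is not None and iface != in_iface:
            continue
        if hdr["src"] not in ipaddress.ip_network(src_net):
            continue
        if hdr["dst"] not in ipaddress.ip_network(dst_net):
            continue
        if proto is not None and proto != hdr["proto"]:
            continue
        return action
    return "deny"


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options, zero checksum) for the examples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload
```

Feeding the same header with a harmless payload and with an arbitrary blob gives identical verdicts, which is the gap an application-layer proxy is meant to close.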