© Copyright IBM Corp. 2001
Chapter 1. The design of firewall environments
This chapter is intended to provide a quick introduction to the design of
firewall security environments.
1.1 Basic firewall design
The most basic firewall system is one that separates two IP networks, for
example, the Internet and the company LAN, as shown in Figure 1. All traffic
between the two security zones must pass through the firewall system for it to
be effective. The configuration of the firewall specifies which connections are
permitted and which are not.
Figure 1. Simplest classic firewall
Different technologies can be used for controlling the traffic flow between the
networks. Packet filtering inspects individual IP packets (addresses, ports,
flags), while proxies work at the level of connections and application byte
streams. Modern firewall products often combine these techniques in a hybrid
design that supports both in some way.
It is important to keep in mind that a firewall can only check the traffic that
passes between the networks attached to it. It cannot prohibit unwanted
connections within one security zone, because that traffic never crosses the
firewall. This fact can lead to major security risks.
[Figure 1 labels: External Network, Firewall, Internal Network]
Check Point VPN-1/FireWall-1 on AIX: A Cookbook for Stand-Alone and High Availability Solutions
For example, if the company's public Web server is placed within the internal
network, the firewall needs to be configured to allow HTTP connections to this
system, so that everyone can get to the Web pages.
If the Web server contains security holes (due to software bugs, configuration
errors, insecure dynamic content, or any one of many other possible causes),
an attacker can gain full access to the Web server system. The firewall cannot
prevent the attacker from leveraging this access to reach other systems
within the same security zone (in other words, the internal network).
Experience shows that it is not realistic to expect complex server software
(such as Web servers) to be free of security holes. Major companies and
government institutions (such as NATO and whitehouse.gov) have repeatedly
been victims of these kinds of attacks. New security holes are found every day
and shared privately among attackers before they appear on public Internet
sites, so an exposed server can be broken into through a hole its
administrators have never heard of. For more information on this phenomenon, see:
http://www.atstake.com/security_news/transition/
Placing important servers outside the firewall in the external network is not
recommended either, since they then cannot be protected by the firewall
against attacks.
More security can be gained by introducing a perimeter network and placing
the publicly accessible servers in it. This is known as a Demilitarized Zone
(DMZ). The classic DMZ setup has two firewalls with a DMZ server network
between them, as shown in Figure 2 on page 5.
Figure 2. Classic DMZ firewall environment
The advantage of this setup is that the publicly accessible servers are now
protected from the external network and also separated from the internal
network.
The obvious disadvantage of this setup is that you need two firewalls, which
increases the complexity and the administrative overhead, especially if
different technologies are used for the two firewalls.
More importantly, in the worst case scenario, when Public Server 1 is broken
into, more security is lost than necessary. For example:
1. The intruder who broke into Public Server 1 can now freely attack Public
Server 2, because there is no firewall between them.
2. The intruder on Public Server 1 can easily monitor all network traffic
(including company e-mail and other possibly sensitive information when
collected systematically) that leaves Firewall A and Firewall B on the DMZ
Network side. This technique is known as network sniffing. Analyzing who
is talking to whom is called traffic analysis (even encrypted mail typically
[Figure 2 labels: External Network, Firewall B, DMZ Network with Public Server 1 and Public Server 2 (one Web server, one mail server), Firewall A, Internal Network]
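The two topologies above can be compared with a small policy model. The following is an added example and not code from this Redbook or from Check Point: it models firewalls as first-match rule lists with an implicit final drop, places hosts in zones, and checks whether a connection crosses any firewall at all. Host names, zone names, the rule sets, the names "outer-fw" and "inner-fw" (which firewall in Figure 2 is A and which is B is not assumed), and the services are all constructed for illustration. It shows the point of the Figure 1 discussion (a compromised Web server on the internal LAN reaches the file server unfiltered) and point 1 of the DMZ discussion (in Figure 2 the intruder on the Web server is kept out of the internal network, but still reaches the other public server, because both sit in one zone).

```python
# Added example (not from the Redbook): toy model of zone-based firewall policy
# comparing a flat topology (Figure 1, public Web server on the internal LAN)
# with the classic two-firewall DMZ (Figure 2). All names and rules are constructed.
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: str   # "http", "smtp", "smb", ... or "any"
    action: str    # "accept" or "drop"


@dataclass
class Firewall:
    name: str
    zones: Tuple[str, str]   # the two networks this firewall separates
    rules: List[Rule]

    def decide(self, src_zone: str, dst_zone: str, service: str) -> str:
        """First-match rule evaluation with an implicit final 'drop'."""
        for r in self.rules:
            if (r.src_zone, r.dst_zone) == (src_zone, dst_zone) and r.service in (service, "any"):
                return r.action
        return "drop"


@dataclass
class Network:
    hosts: Dict[str, str]        # host -> zone it lives in
    firewalls: List[Firewall]

    def route(self, src_zone: str, dst_zone: str):
        """BFS over zones; returns the firewalls crossed as (fw, from, to) hops, or None."""
        prev = {src_zone: None}
        queue = deque([src_zone])
        while queue:
            zone = queue.popleft()
            if zone == dst_zone:
                break
            for fw in self.firewalls:
                if zone in fw.zones:
                    other = fw.zones[1] if fw.zones[0] == zone else fw.zones[0]
                    if other not in prev:
                        prev[other] = (zone, fw)
                        queue.append(other)
        if dst_zone not in prev:
            return None
        hops, zone = [], dst_zone
        while prev[zone] is not None:
            from_zone, fw = prev[zone]
            hops.append((fw, from_zone, zone))
            zone = from_zone
        return hops[::-1]

    def can_connect(self, src_host: str, dst_host: str, service: str) -> Tuple[str, str]:
        src_zone, dst_zone = self.hosts[src_host], self.hosts[dst_host]
        if src_zone == dst_zone:
            # The chapter's point: nothing inspects traffic that stays inside one zone.
            return ("accept", f"same zone '{src_zone}', no firewall in the path")
        hops = self.route(src_zone, dst_zone)
        if hops is None:
            return ("drop", "no path between zones")
        for fw, from_zone, to_zone in hops:
            if fw.decide(from_zone, to_zone, service) == "drop":
                return ("drop", f"dropped by {fw.name} ({from_zone} -> {to_zone})")
        return ("accept", "permitted by " + ", ".join(fw.name for fw, _, _ in hops))


def flat_topology() -> Network:
    """Figure 1 style: one firewall, public Web server placed on the internal LAN."""
    fw = Firewall("firewall", ("external", "internal"), [
        Rule("external", "internal", "http", "accept"),   # everyone may reach the Web server
        Rule("internal", "external", "any", "accept"),    # LAN may go out
    ])
    hosts = {"internet-client": "external", "www": "internal",
             "mail": "internal", "fileserver": "internal", "lan-pc": "internal"}
    return Network(hosts, [fw])


def dmz_topology() -> Network:
    """Figure 2 style: outer and inner firewall with a DMZ between them (assumed rules)."""
    outer = Firewall("outer-fw", ("external", "dmz"), [
        Rule("external", "dmz", "http", "accept"),
        Rule("external", "dmz", "smtp", "accept"),
        Rule("dmz", "external", "smtp", "accept"),        # mail server delivers outbound mail
    ])
    inner = Firewall("inner-fw", ("dmz", "internal"), [
        Rule("internal", "dmz", "http", "accept"),
        Rule("internal", "dmz", "smtp", "accept"),
        # no dmz -> internal rule: a compromised public server stays in the DMZ
    ])
    hosts = {"internet-client": "external", "www": "dmz", "mail": "dmz",
             "fileserver": "internal", "lan-pc": "internal"}
    return Network(hosts, [outer, inner])


QUERIES = [   # (source, destination, service), including what an intruder on www would try
    ("internet-client", "www", "http"),
    ("internet-client", "fileserver", "smb"),
    ("www", "fileserver", "smb"),   # lateral move from the compromised Web server
    ("www", "mail", "smtp"),        # attack on the other public server
    ("lan-pc", "www", "http"),
]


def compare() -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Run QUERIES against both topologies; returns {name: [(src, dst, svc, verdict)]}."""
    return {name: [(s, d, svc, net.can_connect(s, d, svc)[0]) for s, d, svc in QUERIES]
            for name, net in (("flat", flat_topology()), ("dmz", dmz_topology()))}


if __name__ == "__main__":
    for name, rows in compare().items():
        print(name)
        for src, dst, svc, verdict in rows:
            print(f"  {src:>15} -> {dst:<10} {svc:<5} {verdict}")
```

In the flat topology the query www -> fileserver is accepted with the reason "same zone", which is exactly the risk the chapter describes; in the DMZ topology the same query is dropped by the inner firewall, while www -> mail is still accepted because both public servers share the DMZ zone. The model deliberately ignores what a real packet filter or proxy would check inside a packet; it only answers the design question of which firewall, if any, a connection has to pass.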
