other security precautions must be in place. One advantage of imple-
menting the firewall as a DNS server is that it can be configured to
hide the internal host information of a site. In other words, with the
firewall acting as a DNS server, internal hosts get an unrestricted
view of both internal and external DNS data. External hosts, on the
other hand, do not have access to information about internal host
machines. To the outside world, all connections to any host in the
internal network will appear to have originated from the firewall.
With the host information hidden from the outside, an attacker will
not know the host names and addresses of internal hosts that offer
service to the Internet.
Tip:
2.6 Intranet
Although firewalls are usually placed between a network and the out-
side, untrusted network, large companies or organizations often use
firewalls to create different subnets of the network, often called an
intranet. Intranet firewalls are intended to isolate a particular subnet
from the overall corporate network. The reason for the isolation of a
network segment might be that certain employees can only access
subnets guarded by these firewalls on a need-to-know basis. An
example could be a firewall for the payroll or accounting department
of an organization. The decision to use an intranet firewall is gener-
ally based on the need to make certain information available to some,
but not all, internal users, or to provide a high degree of accountability
for the access and use of confidential or sensitive information.
Tip:
For any systems hosting organization critical applications or providing access to sensitive or
confidential information, internal firewalls or filtering routers should be used to provide
strong access control and support for auditing and logging.These controls should be used
to segment the internal organization network to support the access policies developed by
the designated owners of information.
A security policy for DNS hiding might state the following: If the firewall is to run as a DNS
server, then the firewall must be configured to hide information about the network, so that
internal host data are not advertised to the outside world.
32 2.6 Intranet

Get Firewalls now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.