direction. Reading this book six times, buying a copy for each of your friends, and reading any and all available resources on the subject will be a good start. However, just like oil painting, reading a book on the subject will not produce an expert. Getting elbows deep into a dual-homed host configuration while knee deep in users baying at the gates may not be an option, either. Late nights, after hours, are best for developing this art. Firewall configuration, from scratch, takes many hours of concentration, and frequent interruptions can be unnerving and detrimental to the process.
In the end, a packaged solution may be ideal. The phone and e-mail technical support team is usually excellent, and software updates for a thriving company will be frequent. Beware of purchasing from up-and-comers, because oftentimes they get bought out, and although they seemed like a bargain at the time, you will lament a great deal when the new proprietor opts to discontinue the product line in favor of another.
12.3 Single-box architecture
Much of what has been discussed in these past few chapters relates to single-box architecture. This refers to the concept of a single unit, such as a dual-homed host or a souped-up router, used to provide gateway security. The advantages of such consolidated systems include the following:
Easier to understand
Easier for management to understand
Simple to purchase
Well supported
Quick to implement
Easy to maintain
Alternatively, some would suggest (and as the name implies) that a single-box firewall presents a security risk because in the event of a breach, a potential for system-wide enthrallment exists. However, if defense in depth is the goal, then a comprehensive single-box architecture can be just as capable of a multiple, layered defense as a system of multiple components. In some cases, such architectures may incorporate series, parallel, or series and parallel defense strategies, wherein multiple firewalls and DMZs exist on the perimeter with specialized functions. This can lighten the load of network traffic on a single machine, easing a bottleneck, or it can merely be that the one-box solution provides better security in some particular area than another. Multiple firewall devices and appliances may end up grouped at the perimeter and providing a range of security services.
Single-box architectures and blended defenses are common; many are the IT security centers where a stack of mismatched boxes and appliances serve in a variety of security roles. Again, Figure 12.1 shows multiple single-box points. There is a box for FTP service, secure virtual private networking (VPN) from the DMZ to another DMZ, gateway e-mail firewall, proxy service, and stateful packet inspection. Network tasks have been broken out and isolated to provide additional security. Connectivity to the remote host actually requires a workstation attached to the VPN firewall device; it’s not even accessible from anywhere in the internal network. Sometimes security is less about the physical approach and more about best
Such a system as the one in Figure 12.1 can be very complicated. It follows, then, that physical security precautions become more important, because tampering may not be immediately evident. Systems such as these, often on busy and mutating networks with diverse missions, also may be subject to frequent physical alteration. A component may fail, and rerouting may be necessary. New appliances may be introduced and removed, and patch cables may be added and removed or added and forgotten. For this reason, network diagrams should be detailed and kept current. Such modularity may be appealing to some, but the complexity and the distributed nature increase maintenance, and management costs can be prohibitive to others. However, the nicest thing about this structure is the ease with which systems can be brought online and offline without affecting other enterprise systems.
Often, a single-box implementation will be just that—a single box. In these cases, there may be no screened subnet or perimeter network at all. NAT is disabled, and both sides of the router are set with the same external IP address. This turns the router into little
