Hardware Firewall Architectures

Firewalls can be configured in many different hardware architectures providing various levels of security with different installation and operation costs. Organizations should match their risks to the type of firewall architecture selected. The following briefly describes firewall architectures.

Multiple-homed host. This is a firewall that has more than one network interface card, NIC. Each NIC is logically and physically connected to separate network segments. A dual-homed host, one with two NICs is the most common example of a multi-homed host. One NIC is connected to the external or untrusted network, like the Internet, and the other NIC is connected to the internal or trusted network. In this configuration, the key point is not to allow computer traffic to be passed from the untrusted network directly to the trusted network. The firewall acts as an intermediary

Screened hosts. Screened firewall architecture uses a host called a bastion host. It usually has two network interface cards, but may have several NICs, making it a multiple-homed device. All outside hosts connect to this device rather than allowing direct connection between inside and outside hosts. To achieve this character, a filtering router is configured in such a fashion as to remove all unnecessary services, thereby earning its name as a hardened host. If superfluous services and features are removed or disabled, they cannot be exploited to gain unauthorized access. In the bastion host, a filtering router is installed and configured so that all connection traffic from between the internal and external networks must pass through the bastion host. No direct internal-network-to-external-network connections are allowed.


Bastion hosts can be deployed to partition sub-networks from other interior networks; for example, an interior network handling company e-mail is partitioned by a bastion host from another interior network where employee records are kept. This architecture is known as a screened sub-network, and adds an extra layer of security by creating a separate but connected internal network or sub-network

Firewall Administration
Firewalls consisting of hardware, software, or appliances have to be the ongoing job of a responsible and senior employee. After all, this employee literally has the "keys to the kingdom." It is a wise business practice to have two firewall administrators, assuring continuity and institutional knowledge in the event of an absence

Firewall Administrators
For each duty-day, it is recommended that two experienced employees are available to address firewall issues. In this manner, the firewall administrator function is constantly covered. It is compulsory that these employees have a thorough understanding of network architectures, TCP/IP protocols, and security policies

Remote Firewall Administration

Firewalls are usually the first line and sometimes the last line of defense against attackers. By design, firewalls are supposed to be difficult to attack directly, causing attackers to attack the accounts on the firewall itself. Additionally, there should be no user accounts on the firewall host other than those of the administrators. User names and passwords must be strongly protected. One of the most common protections is strong physical security surrounding the firewall host and permitting firewall administration from one attached terminal. Only the primary and secondary firewall administrators should have physical access to the firewall host. Depending on the sensitivity of the data stored on the protected network, it is strongly recommended that firewall administrators are not allowed to remotely access firewalls. Depending on the business' operations, it may be prudent to have a firewall administrator on duty constantly. What degree of profit losses will be incurred if users are unable to access information assets because of firewall problems? Although having a firewall administrator on duty full-time, in the long run it provides increased integrity and availability for firewalls and the systems they protect

0 comments:

Popular Posts