Hardware Firewall Architectures

Firewalls can be configured in many different hardware architectures providing various levels of security with different installation and operation costs. Organizations should match their risks to the type of firewall architecture selected. The following briefly describes firewall architectures.

Multiple-homed host. This is a firewall that has more than one network interface card (NIC). Each NIC is logically and physically connected to a separate network segment. A dual-homed host, one with two NICs, is the most common example of a multiple-homed host. One NIC is connected to the external or untrusted network, such as the Internet, and the other NIC is connected to the internal or trusted network. In this configuration, the key point is not to allow traffic to pass from the untrusted network directly to the trusted network; the firewall acts as an intermediary.

Screened hosts. Screened-host firewall architecture uses a host called a bastion host. It usually has two network interface cards but may have several NICs, making it a multiple-homed device. All outside hosts connect to this device rather than connecting directly to inside hosts. The bastion host is configured so that all unnecessary services are removed, thereby earning its name as a hardened host: if superfluous services and features are removed or disabled, they cannot be exploited to gain unauthorized access. A filtering router is installed and configured so that all connection traffic between the internal and external networks must pass through the bastion host. No direct internal-network-to-external-network connections are allowed.


Bastion hosts can be deployed to partition sub-networks from other interior networks; for example, an interior network handling company e-mail is partitioned by a bastion host from another interior network where employee records are kept. This architecture is known as a screened sub-network, and it adds an extra layer of security by creating a separate but connected internal network or sub-network.

Firewall Administration
Administering firewalls, whether hardware, software, or appliances, has to be the ongoing job of a responsible and senior employee. After all, this employee literally has the "keys to the kingdom." It is a wise business practice to have two firewall administrators, assuring continuity and institutional knowledge in the event of an absence.

Firewall Administrators
For each duty day, it is recommended that two experienced employees be available to address firewall issues. In this manner, the firewall administrator function is constantly covered. It is compulsory that these employees have a thorough understanding of network architectures, TCP/IP protocols, and security policies.

Remote Firewall Administration

Firewalls are usually the first line and sometimes the last line of defense against attackers. By design, firewalls are supposed to be difficult to attack directly, so attackers instead target the accounts on the firewall itself. Accordingly, there should be no user accounts on the firewall host other than those of the administrators, and user names and passwords must be strongly protected. One of the most common protections is strong physical security surrounding the firewall host, with firewall administration permitted only from one attached terminal. Only the primary and secondary firewall administrators should have physical access to the firewall host. Depending on the sensitivity of the data stored on the protected network, it is strongly recommended that firewall administrators not be allowed to access firewalls remotely. Depending on the business's operations, it may be prudent to have a firewall administrator on duty constantly: what degree of profit loss will be incurred if users are unable to access information assets because of firewall problems? Having a firewall administrator on duty full-time provides, in the long run, increased integrity and availability for firewalls and the systems they protect.

Internet Firewall Policy

Because the Internet is not trustworthy, an organization's system connected to the Internet is vulnerable to abuse and attack. Enabling a firewall between the organization's local area network and the Internet can go a long way to control access between trusted parties and less-trusted ones. A firewall is not a single component; rather it is a strategy for protecting an organization's Internet-reachable assets. Firewalls serve as gatekeepers between the untrustworthy Internet and the more-trusted organization networks.



The primary function of a firewall is to centralize system access controls. If remote users, authorized or not, can access the internal networks without traversing the firewalls, their effectiveness is diminished. If a traveling employee has the ability to connect to his office workstation, circumventing the organization's firewall architecture, then an attacker can do the same. Firewalls have the ability to allow network services to be passed or blocked; consequently, system administrators must consult with firewall administrators relative to which services are necessary for business operations. All unnecessary services must be disabled, denied, or blocked.

Firewalls provide several layers and types of protection:

- Firewalls can block unwanted traffic, essentially partitioning the inside network from the outside network.

- Firewalls can direct incoming traffic to more trustworthy internal systems.

- Firewalls can conceal vulnerable systems that cannot be secured from the Internet.

- Firewalls can provide audit trails, logging traffic between the organization's private networks and the Internet.

- Firewalls can conceal information such as system addresses, network devices, and user identification from the Internet.


Authentication

Firewalls located at the perimeter of the organization's network, interfacing between the Internet and the internal networks, do not provide user authentication. Host-based firewalls usually provide these types of user authentication:

User names and passwords. User names and unique passwords are compared against authorized user lists and verified by correct passwords. This is one of the least secure methods.

One-time passwords. One-time passwords using software or hardware tokens produce a new password for each user session. Old passwords cannot be reused if they were stolen, intercepted, or borrowed. This method is one where the user must know something and must possess something before gaining access.

Digital certificates. Digital certificates use a certificate generated using public key encryption from a trusted third party. This access method is one where the user must know something and have something.
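The one-time password method described above relies on the server rejecting any password that has already been accepted. The following is an added example, not code from the original post: an HOTP (RFC 4226) token generator and a verifier that tracks the last accepted counter per user so that a stolen or intercepted password cannot be replayed. The secret is the RFC 4226 test-vector secret so the codes can be checked against the RFC's published values; the user name and look-ahead window are constructed for the example.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (constructed for the example; a real token
# would receive a random secret at enrollment, shared only with the firewall).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (((mac[offset] & 0x7F) << 24)
            | (mac[offset + 1] << 16)
            | (mac[offset + 2] << 8)
            | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


class OtpVerifier:
    """Firewall-side verifier. The highest counter accepted for each user is
    remembered, so re-presenting an old code (replay) fails even though the
    code itself was once valid. `window` bounds how far the token's counter
    may have run ahead of the server (e.g. codes generated but never used)."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter: dict[str, int] = {}  # user -> last accepted counter

    def verify(self, user: str, candidate: str) -> bool:
        start = self.last_counter.get(user, -1) + 1
        for counter in range(start, start + self.window):
            # constant-time compare avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, counter), candidate):
                self.last_counter[user] = counter
                return True
        return False


def demonstrate_replay() -> tuple:
    """Returns (first_attempt, replay_attempt, next_code_attempt) for a
    constructed user 'alice' presenting codes for counters 0, 0 again, and 1."""
    verifier = OtpVerifier(SECRET)
    first = verifier.verify("alice", hotp(SECRET, 0))
    replay = verifier.verify("alice", hotp(SECRET, 0))
    nxt = verifier.verify("alice", hotp(SECRET, 1))
    return first, replay, nxt


if __name__ == "__main__":
    print(demonstrate_replay())  # (True, False, True)
```

The "must know something and must possess something" property comes from combining this check with a fixed PIN or password: the code proves possession of the token, and the PIN proves knowledge. The look-ahead window is the usual operational trade-off; a small window limits how many unused codes an attacker who captured a later one could exploit, while a larger one tolerates more counter drift.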


Firewall Types
Packet-filtering firewalls are gateways, typically located at network routers, that screen packets according to policy rules granting or denying access based on several factors:

Information packet source address. The firewall can deny system access from specific source addresses; for example, it is possible to deny entry to any packet arriving from outside with a source address belonging to a competing company.

Information packet destination address. The firewall can deny access to any internal workstation or host based on its IP address; for example, all traffic attempting to connect to the client-list file server can be blocked.

Service port. The firewall can block or allow access to specific services; for example, connection attempts to workstation TCP port 139 are denied.
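The three criteria above are what a packet filter actually evaluates, so as an added example (not code from the original post) here is a minimal first-match rule engine over the header fields a packet filter sees: source address, destination address, protocol and destination port. The policy encodes the three cases in the text (a competitor's address block, the client-list file server, TCP port 139) plus two allowed services, with an implicit default deny and a log line per decision. All addresses are RFC 5737 documentation ranges and the rule set is constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: Optional[str] = None      # CIDR; None matches any source
    dst: Optional[str] = None      # CIDR; None matches any destination
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed policy mirroring the three screening criteria in the text.
POLICY = [
    Rule("deny", src="203.0.113.0/24", comment="competing company's address block"),
    Rule("deny", dst="192.0.2.10/32", comment="client-list file server"),
    Rule("deny", proto="tcp", dport=139, comment="NetBIOS session service"),
    Rule("allow", proto="tcp", dport=80, comment="HTTP"),
    Rule("allow", proto="tcp", dport=443, comment="HTTPS"),
    # Anything that reaches the end of the list is dropped by the default deny.
]

LOG: list[str] = []   # audit trail; one entry per decision


def filter_packet(p: Packet, policy: list = POLICY, log: list = LOG) -> str:
    """First matching rule wins; no match means default deny."""
    for index, rule in enumerate(policy):
        if rule.matches(p):
            log.append(f"rule={index} action={rule.action} "
                       f"{p.proto} {p.src}->{p.dst}:{p.dport} ({rule.comment})")
            return rule.action
    log.append(f"rule=default action=deny {p.proto} {p.src}->{p.dst}:{p.dport}")
    return "deny"


if __name__ == "__main__":
    # Constructed sample traffic, one packet per criterion plus two controls.
    samples = [
        Packet("203.0.113.7", "192.0.2.20", "tcp", 80),      # competitor source
        Packet("198.51.100.5", "192.0.2.10", "tcp", 80),     # file server destination
        Packet("198.51.100.5", "192.0.2.20", "tcp", 139),    # TCP port 139
        Packet("198.51.100.5", "192.0.2.20", "tcp", 443),    # permitted HTTPS
        Packet("198.51.100.5", "192.0.2.20", "udp", 53),     # no rule: default deny
    ]
    for pkt in samples:
        filter_packet(pkt)
    print("\n".join(LOG))
```

Note that every decision is made purely on header fields. That is exactly why the drawbacks listed for packet filters exist: a packet whose source address has been forged to fall outside the denied block is indistinguishable from a legitimate one, and once a packet is allowed the filter plays no further part in what the internal host does with it.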


Packet-filtering firewalls offer minimum security but very low cost. They can be an appropriate choice for a low-risk network environment. However, there are some drawbacks:

- They do not protect against IP or DNS address spoofing.

- Attackers will have direct access to any host on the internal network once access has been granted by the firewall.

- Strong user authentication is not supported by many packet-screening firewalls.

- They do not generally provide complete or useful logging features.


Application Firewalls
Application firewalls use server programs, called proxies, running on the firewall. These proxies arbitrate transactions between interior and exterior networks. They accept requests, examine them, and forward legitimate requests to internal hosts that provide the appropriate service. Application firewalls generally support functions such as user authentication and logging. Application firewalls require that a proxy be configured for each applicable service, such as FTP, HTTP, etc.

Application-level firewalls generally offer network address translation (NAT). This feature may be configured so that outbound traffic appears as if it had originated from the firewall itself. In this fashion, the IP addresses of all hosts behind the firewall are protected from discovery: once packets depart the firewall outbound, they all carry the same IP address.
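To make the NAT behaviour concrete, the following added example (not code from the original post, and not any particular firewall product's implementation) models source NAT as a translation table: every outbound connection from an internal host is rewritten to the firewall's single external address with a freshly allocated port, and replies are mapped back through the same table. Unsolicited inbound packets find no table entry and are dropped, which is the "protected from discovery" property the text describes. The external address, internal hosts and port range are constructed for the example.

```python
from itertools import count
from typing import Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, port)


class SourceNat:
    """Masquerades every internal (ip, port) behind one external address,
    allocating a distinct external port per internal endpoint so that
    replies can be demultiplexed back to the right host."""

    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self._ports = count(first_port)            # simple allocator for the example
        self.out_table: dict[Endpoint, int] = {}   # (int_ip, int_port) -> ext_port
        self.in_table: dict[int, Endpoint] = {}    # ext_port -> (int_ip, int_port)

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Rewrite an internal->external packet. Returns the translated
        4-tuple (src_ip, src_port, dst_ip, dst_port) as seen on the Internet."""
        key = (src_ip, src_port)
        if key not in self.out_table:
            ext_port = next(self._ports)
            self.out_table[key] = ext_port
            self.in_table[ext_port] = key
        return (self.external_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[tuple]:
        """Reverse-translate a reply. Returns None (drop) when the packet is not
        addressed to the firewall or no internal endpoint ever opened the mapping."""
        if dst_ip != self.external_ip or dst_port not in self.in_table:
            return None
        int_ip, int_port = self.in_table[dst_port]
        return (src_ip, src_port, int_ip, int_port)


def demonstrate() -> dict:
    """Two constructed internal hosts (RFC 1918 space) talk to one constructed
    external web server (RFC 5737 space) through a firewall at 198.51.100.1."""
    nat = SourceNat("198.51.100.1")
    a = nat.outbound("10.0.0.5", 51000, "192.0.2.80", 443)
    b = nat.outbound("10.0.0.6", 51000, "192.0.2.80", 443)   # same source port, different host
    reply_a = nat.inbound("192.0.2.80", 443, "198.51.100.1", a[1])
    stray = nat.inbound("192.0.2.80", 443, "198.51.100.1", 12345)  # no mapping: dropped
    return {"a": a, "b": b, "reply_a": reply_a, "stray": stray}


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(name, value)
```

Both internal hosts appear on the outside as 198.51.100.1, distinguished only by the allocated port, and nothing outside can address 10.0.0.5 directly because the table is populated only by outbound traffic. A real implementation also ages entries out and keys the table on the full 5-tuple; the example keeps only what is needed to show the address-hiding property.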

- Application firewalls supporting proxies for different services prevent direct access to internal network services, protecting the business against insecure or poorly configured internal servers.

- Application firewalls generally offer strong user authentication.

- Application firewalls generally provide detailed logging of user activities.
