Network Firewalls   «Prev  Next»

Lesson 7Common firewall designs
Objective Assess common firewall designs.

Common Firewall Designs

Most firewall systems today are combinations of
  1. Packet filter: A type of firewall devices that process network traffic on a packet-by-packet basis. Packet filter devices allow or block packets, and are typically implemented through standard routers.
  2. Circuit-level gateway: Circuit-level gateways are similar to packet filters. The main advantage of circuit-level gateways is their ability to provide network address translation.
  3. Application-level gateway: Application gateways function at all four layers of the TCP/IP suite. They are typically implemented through software installed on a specialized server. Application gateways are sometimes known as proxy servers.
A simple rule of thumb is, the more sensitive the data, the more extensive the firewall strategy should be.

Common Firewall Designs

Each of the four common firewall designs creates a matrix of filters and points that can process and secure information. Four firewall designs are:
  1. The screening router
  2. The screened host firewall using a single-homed bastion host
  3. The screened host firewall using a dual-homed bastion host
  4. A screened subnet
  • Screened subnet firewall:
    The most secure of the four general implementations is the screened subnet firewall (demilitarized zone) shown in the MouseOver below.

The external packet filtering router uses standard filtering to restrict external access
  1. The external packet filtering router uses standard filtering to restrict external access to the bastion host, and rejects any traffic that does not come from the bastion host. It prevents attacks such as IP spoofing and source routing.
  2. The bastion host constitutes a second security device that is significantly more difficult to subvert than a router.
  3. Incoming traffic is filtered through the external packet filtering router and then through the bastion host prior to arriving at the Web or FTP servers.
  4. The internal packet filtering router is also configured so that traffic flows only to or from the bastion host. It serves as a third line of defense, preventing IP spoofing and source routing. In addition, internal users cannot access the Internet without going through the bastion host.
  5. The internal network is effectively invisible to the Internet, because all packets going out and coming in go directly to the DMZ, not to your network.
  6. All publicly accessible devices, including modem pools and other resources are placed inside this zone. All packets going into and out of the internal network must pass through the DMZ. To access your network, a hacker must subvert three separate devices without being detected


Demilitarized zone consisting of Internet, Web Server, Internal Network

Demilitarized zone
Demilitarized zone

Bastion hostThe bastion host constitutes a second security device that is significantly more difficult to subvert than a router.
Server (Web and FTP)Incoming traffic is filtered through the external packet filtering router and then through the bastion host prior to arriving at the Web or FTPservers.
Packet filtering router (internal)The internal packet filtering router is also configured so that traffic flows only to or from the bastion host. It serves as a third line ofdefense, preventing IP spoofing and source routing. In addition, internal users cannot access the Internet without going through the bastionhost.
Internal networkThe internal network is effectively invisible to the Internet, because all packets going out and coming in go directly to the DMZ, not to yournetwork.
DMZ (Demilitarized zone) All publicly accessible devices, including modem pools and other resources are placed inside this zone. All packets going into and out of theinternal network must pass through the DMZ. To access your network, a hacker must subvert three separate devices without being detected.
  • Packet filtering router (external): The external packet filtering router uses standard filtering to restrict external access to the bastion host, and rejects any traffic that does

Demilitarized Zone

The screened subnet firewall[1] uses a bastion host to support both circuit- and application-level gateways and creates a Demilitarized zone (DMZ): Networks that are between a company's internal network and the external network. A DMZ is used as an additional buffer to further separate the public network from your internal private network.demilitarized zone (DMZ) that functions as an isolated network between the Internet and the internal network. The use of external and internal screening routers prevents any traffic from directly traversing the sub-network, or DMZ.

[1] screened subnet firewall: A screened subnet firewall is a network security architecture that uses two routers to create three separate zones: an external zone, an internal zone, and a demilitarized zone (DMZ) in between. This DMZ acts as a buffer, housing public-facing servers and services while protecting the internal network from direct exposure to external threats.

SEMrush Software 7 SEMrush Banner 7