ITSC 2401 – Firewalls and Network Security
Instructor: Prof. Michael P. Harris

Chapter 3 Firewall Configuration Strategies
LECTURE NOTES

Establishing Rules and Restrictions for Your Firewall

The firewall rules and the definitions you set up tell the firewall what types of traffic to allow into and out of your network. Every firewall has a rules file (also called the rule base); it is the most important configuration file on the firewall, and it deserves the same care as any other critical configuration: keep it under version control, review every change, and back it up.

The Role of the Rules File

The specific packet-filtering rules that you set up for a firewall implement the security approach specified in your security policy. A restrictive approach is reflected in a set of rules that blocks all access by default and then permits only specific types of traffic to pass through. A connectivity-based approach has fewer rules, because its primary orientation is to let all traffic through and then block specific types of traffic.

Restrictive Firewalls

If the primary goal of your planned firewall is to block unauthorized access, the emphasis needs to be on restricting rather than enabling connectivity. The table below describes some primarily restrictive approaches:

Approach: Deny-All
  What it does: Blocks all packets except those specifically allowed.
  Advantage: More secure; requires fewer rules.
  Disadvantage: May result in user complaints.

Approach: In Order (sometimes called "first fit")
  What it does: Processes firewall rules in top-to-bottom order; the first rule that matches a packet decides what happens to it.
  Advantage: Good security.
  Disadvantage: Incorrect order can cause chaos: a broad rule placed above a more specific one silently overrides it.

Approach: Best Fit
  What it does: The firewall determines the order in which the rules are processed, usually starting with the most specific rules and going to the most general.
  Advantage: Easy to manage; reduces risk of operator error.
  Disadvantage: Lack of control.

Connectivity-Based Firewalls

The following table lists the advantages and disadvantages of approaches that emphasize connectivity rather than restriction:

Approach: Allow-All
  What it does: Allows all packets to pass through except those specifically identified to be blocked.
  Advantage: Easy to implement.
  Disadvantage: Provides minimal security; requires complex rules, because every kind of unwanted traffic must be enumerated and blocked explicitly.

Approach: Port 80 / Except Video
  What it does: Allows Web surfing without restriction, except for video files.
  Advantage: Lets users surf the Web.
  Disadvantage: Opens the network to Web-based vulnerabilities.

Firewall Configuration Strategies: The 10,000-Ft Overview

A firewall needs to adapt to the changing needs of the organization whose network it protects. You should therefore provide for the firewall's growth by recommending a periodic review and by upgrading software and hardware as needed.

Productivity

Two important features of the firewall are the processing and memory resources available to the bastion host. A bastion host, though it may not be the only hardware component in a firewall architecture, is of central importance to the operation of the firewall software that it hosts. If the host machine runs too slowly or does not have enough memory to handle the large number of packet-filtering decisions, proxy service requests, and other traffic, the productivity of the entire organization can be adversely affected: the bastion host resides on the perimeter of the network and, unless other bastion hosts and firewalls have been set up to provide load balancing, it is the only gateway through which inbound and outbound traffic can pass.

Dealing with IP Address Issues

The more complex a network becomes, the more IP-addressing complications arise. Plan out the installation, including IP addressing, before you start purchasing or installing firewalls.
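Returning to the rules file: the following is an added example (not from Holden's text or these notes) of a small packet-filter evaluator. It shows a deny-all versus allow-all default policy, why the operator's ordering matters under in-order ("first fit") processing, and how best-fit processing (most specific rule first) removes that dependence. The addresses and rules are constructed for illustration; the web server at 192.0.2.10 and the abusive network 203.0.113.0/24 are assumptions, not anything from the page.

```python
"""Rules-file evaluation: default policy and rule ordering (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and self.dport != pkt["dport"]:
            return False
        return _in_net(pkt["src"], self.src) and _in_net(pkt["dst"], self.dst)

    def specificity(self) -> int:
        # Longer prefixes and an explicit protocol/port make a rule more specific.
        score = sum(ipaddress.ip_network(c).prefixlen for c in (self.src, self.dst) if c != "any")
        score += (self.proto != "any") + (self.dport is not None)
        return score


def _in_net(addr: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def packet(src, dst, proto, dport):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def first_fit(rules, pkt, default="deny"):
    """In-order processing: the first matching rule decides.  `default` is the
    policy for packets no rule matches ("deny" = deny-all, "allow" = allow-all)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def best_fit(rules, pkt, default="deny"):
    """Best-fit processing: the firewall orders the rules itself, most specific
    first, so the operator's ordering no longer matters."""
    ordered = sorted(rules, key=Rule.specificity, reverse=True)
    return first_fit(ordered, pkt, default)


# Constructed scenario: a public web server and one abusive client network that
# must be kept away from it.  The operator listed the broad allow rule first.
RULES_MISORDERED = [
    Rule("allow", "any", "192.0.2.10/32", "tcp", 80),             # anyone may reach the web server
    Rule("deny", "203.0.113.0/24", "192.0.2.10/32", "tcp", 80),   # ...except this abusive network
]
RULES_CORRECT = list(reversed(RULES_MISORDERED))

ABUSER = packet("203.0.113.7", "192.0.2.10", "tcp", 80)
VISITOR = packet("198.51.100.5", "192.0.2.10", "tcp", 80)
SSH_PROBE = packet("198.51.100.5", "192.0.2.10", "tcp", 22)   # no rule mentions port 22


if __name__ == "__main__":
    print("first fit, misordered :", first_fit(RULES_MISORDERED, ABUSER))   # allow (the chaos case)
    print("first fit, corrected  :", first_fit(RULES_CORRECT, ABUSER))      # deny
    print("best fit, misordered  :", best_fit(RULES_MISORDERED, ABUSER))    # deny
    print("deny-all default, ssh :", first_fit(RULES_CORRECT, SSH_PROBE))                    # deny
    print("allow-all default, ssh:", first_fit(RULES_CORRECT, SSH_PROBE, default="allow"))  # allow
```

The misordered list is the "chaos" case from the table: under first-fit the broad allow rule shadows the specific deny and the abusive client gets through; swapping the two rules, or letting best-fit sort by specificity, fixes it. The SSH probe shows the other axis: with no rule mentioning port 22, only the default policy decides, which is why deny-all needs fewer rules to be safe.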
IP forwarding lets a host with more than one interface pass packets received on one interface out through another; that is, it lets the host act as a router. Many operating systems can perform IP forwarding, and some enable it by default, so check the setting rather than assume it. A proxy server that relays data between two networks performs the same job at the application layer; if a proxy server is doing that job, IP forwarding should be disabled on the proxy host (and on any other device between the networks that is not meant to route), so that a packet cannot bypass the proxy by being forwarded at the IP layer without ever being inspected. On a Linux bastion host, for example, the check is that sysctl net.ipv4.ip_forward reports 0.

Source text: Greg Holden, Guide to Firewalls and Network Security, Thomson/Course Technology, 2004, ISBN 0-619-13039-3.

Different Firewall Configuration Strategies You Can Use

The following table describes a variety of firewall configurations:

Screening router: A packet-filtering router sits between the client computers and the Internet.
Dual-homed host: A computer with two network interfaces, one to the Internet and one to the internal network, hosts the firewall software.
Screened host: A host dedicated to security functions hosts the firewall software.
Two routers with one firewall: Routers are positioned on the external and internal interfaces of the firewall and perform packet filtering.
DMZ screened subnet: A network of publicly accessible servers (the DMZ) is connected to the firewall but is outside the internal network being protected.
Multi-firewall DMZ: A DMZ is enclosed by two firewalls for added security.
Reverse firewall: A firewall that monitors outbound rather than inbound traffic.
Specialty firewalls: Firewalls designed to protect specific types of communications, such as e-mail.

Screening Router

1. One of the simplest types of protection is a router that sits between the client computer(s) and the Internet and is set up to do packet filtering. Such a screening router filters traffic to individual computers within the internal network.
You should choose this very simple, minimally secure setup only in a situation such as a subnet inside a network that is already protected by a firewall.

2. A router has two interfaces: the external interface connects to the outside network, and the internal interface connects to the internal network being protected. Each interface has its own IP address. Filtering rules should reference the interface a packet arrived on as well as its addresses, so that a packet arriving from the outside with an internal source address can be recognized as spoofed and dropped.

Dual-Homed Host

Dual-homed host is a fancy-sounding term for a computer that has two network interfaces (and correspondingly, two network interface cards). Typically, one interface is assigned to the Internet and the other to a local area network. By default, the host's ability to forward IP packets from one network to the other is disabled, so nothing crosses until rules are written to permit it; the administrator then establishes rules that let traffic flow through the firewall as needed. You might choose this setup to secure a single standalone workstation or a small home network.

Screened Host

A screened host is sometimes also called a dual-homed gateway or bastion host. A bastion host is a screened host that has been hardened: all available security patches and service packs have been applied, all but the necessary services and TCP and UDP ports have been disabled, and all of its security-related events are extensively logged.

Two Routers, One Firewall

A common configuration is to put a router on either side of the screened host that serves as the firewall. The router positioned on the outside performs initial, static packet filtering. The router positioned just inside the network routes traffic to the appropriate computers in the LAN being protected.
You might choose this setup where you truly need defense in depth, such as a government office network or a financial institution.

DMZ Screened Subnet

1. A DMZ is a network that sits outside the internal network but is connected to the firewall. The firewall in a DMZ screened subnet setup is sometimes described as three-pronged (or tri-homed): it connects to three separate networks and therefore needs a separate network interface card for each. The three networks are:
   a. The external network (the Internet or a branch office)
   b. The DMZ screened subnet
   c. The LAN being protected

2. Three-pronged setups that use only a single firewall have advantages and disadvantages, summarized as follows:
   Advantages:
   Simplification: only one set of rules to configure.
   Lower cost: only one firewall needs to be licensed.
   Disadvantages:
   Complexity: the one rule set must control traffic in both directions between all three networks.
   Vulnerability: the firewall is a single point of protection; if it is breached, the entire local network and the DMZ are open to the attacker.
   Performance: all traffic between the three networks crosses one device, so the firewall can become a bottleneck.

Multiple-Firewall DMZs

Firewall security is a tradeoff between enabling access from the protected network to the Internet and providing the maximum possible security to the private network. For many large corporations, having two or more firewalls is a necessity rather than a luxury. Their security policies mandate more than one firewall between the LAN and the Internet, and the added security offsets any slowdown in performance that the two firewalls bring.
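As an added example for the three-pronged layout described under DMZ Screened Subnet above (not code from the text), the policy of a single tri-homed firewall can be written as a zone-pair table: each packet is classified into a source zone and a destination zone by its addresses, and the table says which services may cross each pair. Anything not listed is dropped, which is what makes the single rule set complete in every direction between the three networks. The subnets (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the LAN) and the allowed services are assumptions chosen for the example.

```python
"""Three-pronged (tri-homed) firewall policy as a zone-pair table (added example)."""
import ipaddress

ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # assumed DMZ subnet
    "lan": ipaddress.ip_network("10.0.0.0/8"),     # assumed protected LAN
}


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"   # anything else arrives on the Internet interface


# (source zone, destination zone) -> allowed (proto, dport) pairs, or "any".
# A pair that is absent is denied.  In particular DMZ -> LAN is absent, so a
# breached DMZ server cannot reach the protected network, and external -> LAN
# is absent, so nothing from the Internet reaches the LAN directly.
POLICY = {
    ("external", "dmz"): {("tcp", 80), ("tcp", 443), ("tcp", 25)},   # published services only
    ("lan", "dmz"):      {("tcp", 80), ("tcp", 443), ("tcp", 22)},   # use and administer DMZ hosts
    ("lan", "external"): "any",                                       # outbound access for users
    ("dmz", "external"): {("tcp", 25), ("udp", 53)},                  # mail relay and DNS only
}


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return "accept" or "drop" for the first packet of a new connection."""
    pair = (zone_of(src), zone_of(dst))
    if pair[0] == pair[1]:
        return "drop"   # same-zone traffic never crosses the firewall; nothing to forward
    allowed = POLICY.get(pair)
    if allowed is None:
        return "drop"
    if allowed == "any" or (proto, dport) in allowed:
        return "accept"
    return "drop"


if __name__ == "__main__":
    samples = [
        ("198.51.100.9", "192.0.2.80", "tcp", 443),   # Internet -> DMZ web: accept
        ("198.51.100.9", "192.0.2.80", "tcp", 22),    # Internet -> DMZ ssh: drop
        ("192.0.2.80", "10.1.1.5", "tcp", 445),       # DMZ -> LAN: drop
        ("198.51.100.9", "10.1.1.5", "tcp", 80),      # Internet -> LAN: drop
        ("10.1.1.5", "198.51.100.9", "tcp", 8080),    # LAN -> Internet: accept
    ]
    for s in samples:
        print(s, "->", decide(*s))
```

The table decides only the first packet of a connection; a real stateful firewall then admits the return packets of an accepted connection automatically, which this example leaves out on purpose. Note also that the policy has exactly one open-ended entry, LAN to Internet, which is the connectivity-oriented part of the design; everything into the DMZ and everything out of it is enumerated.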
End users may have to wait a few seconds longer before connecting to a Web site or downloading a file, but the added security makes it worthwhile.

Two Firewalls, One DMZ

You can set up a three-pronged network with a DMZ using two (or even more) firewalls, for different reasons: One firewall can control traffic between the DMZ and the Internet while the other controls traffic between the protected LAN and the DMZ, so an attacker who compromises a DMZ server still faces a second rule set before reaching the LAN. Alternatively, the second firewall can serve as a failover firewall: a backup configured to take over if the first one fails, providing uninterrupted service for the organization.

Two Firewalls, Two DMZs

A company that commits to multiple firewalls makes its security setup more complex, but it gains flexibility as well. It can set up separate DMZs for different parts of the organization, which helps balance the traffic load between them and keeps a compromise in one DMZ from exposing the other.

Approaches that Add Functionality to Your Firewall

NAT

A router or firewall that performs network address translation (NAT) rewrites the private addresses of computers on the protected network to a public address on the way out and translates the replies back on the way in, so the internal addresses are never seen by hosts on the outside. NAT hides the addressing; it complements, rather than replaces, explicit filtering rules.

Encryption

A firewall or router that supports Secure Sockets Layer (SSL, since superseded by TLS) or another encryption protocol can protect traffic between itself and a peer device. The two devices authenticate each other with public-key cryptography and agree on a shared session key: each keeps its private key secret and sends only its public key (usually in a certificate) to the other side. Outgoing requests are then encrypted with the session key; the recipient decrypts them and presents the message to the end user in understandable form.
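As an added example for the NAT paragraph above (not code from the text), here is a minimal source-NAT table with port translation. Outbound packets from the private LAN leave with the router's single public address and a fresh public port; the mapping is remembered so the reply can be translated back. Inbound packets that match no mapping, or that come from a different peer than the one the mapping was created for, are returned as None (dropped): that is the shielding effect, and also why NAT on its own is not a filtering policy. The public address 203.0.113.1 and the inside/outside hosts are constructed for the example.

```python
"""Source NAT with port translation on a perimeter router (added example)."""
import itertools
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"   # assumed public address of the NAT router


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.outbound = {}   # (private_ip, private_port, peer_ip, peer_port) -> public_port
        self.inbound = {}    # public_port -> (private_ip, private_port, peer_ip, peer_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public address and a mapped port."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub_port = self.outbound.get(key)
        if pub_port is None:                 # new flow: allocate a public port
            pub_port = next(self._ports)
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def translate_inbound(self, pkt: Packet):
        """Internet -> LAN: only a reply to an existing mapping is translated;
        anything else returns None, meaning drop."""
        if pkt.dst != self.public_ip:
            return None
        key = self.inbound.get(pkt.dport)
        if key is None:
            return None                      # unsolicited: no inside host to deliver to
        private_ip, private_port, peer_ip, peer_port = key
        if (pkt.src, pkt.sport) != (peer_ip, peer_port):
            return None                      # mapping belongs to a different peer
        return Packet(pkt.src, pkt.sport, private_ip, private_port)


if __name__ == "__main__":
    nat = Nat()
    out = nat.translate_outbound(Packet("10.0.0.5", 51000, "198.51.100.80", 443))
    print("outbound   :", out)                                                              # src 203.0.113.1:40000
    print("reply      :", nat.translate_inbound(Packet("198.51.100.80", 443, PUBLIC_IP, 40000)))  # to 10.0.0.5:51000
    print("unsolicited:", nat.translate_inbound(Packet("198.51.100.99", 443, PUBLIC_IP, 40000)))  # None
```

The peer check in translate_inbound is the stricter behaviour (often called endpoint-dependent filtering); some NAT devices accept any packet addressed to a mapped port, which exposes the inside host to whoever guesses the port. Mappings here never expire, which a real device must handle with timeouts.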
Application Proxies

An application proxy is software that acts on behalf of a host: it receives requests, rebuilds them completely from scratch, and forwards them to the intended destination as though the request originated with the proxy itself. Because the request is rebuilt rather than relayed, malformed or protocol-violating content from the original client is not passed on. A proxy can be set up with either a dual-homed host or a screened host. In a dual-homed host setup, the host running the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected.

VPNs

Many companies use the Internet to carry a VPN that connects internal hosts with specific clients in other organizations. The advantage of a VPN over a conventional Internet connection is that VPN traffic is encrypted and authenticated, and the tunnel is limited to endpoints that hold the right credentials (usually also restricted to specific IP addresses).

Intrusion Detection Systems

An external router with an intrusion detection system (IDS) can notify you of intrusion attempts from the Internet. An internal router with an IDS can notify you when a host on the internal network attempts to reach the Internet on a suspicious port or with an unusual service, which may be a sign of a Trojan horse inside the network. An IDS can also be configured to look for a large number of TCP connection requests (SYN packets) to many different ports on one target machine, the signature of a TCP port scan. The IDS raises the alert so that an administrator can block the source or cut the attack short before much damage occurs.

Reverse Firewalls

Some forward-thinking companies have installed a reverse firewall, a device that monitors information going out of a network rather than trying to block what is coming in.
When computers inside the network have been compromised and used in a Denial of Service attack against an outside target, traffic floods out of the network from the infected computer(s), overloading the network and its Internet link. A reverse firewall, such as the hardware device sold by the Los Angeles-based company Cs3, inspects outgoing packets and tracks where within the network they originate. If a high number of "unexpected" packets is detected leaving the network, the firewall notifies the network administrator.

Class Discussion Topics

1. Discuss the role played by a rules file in the firewall's operation.
2. Discuss various firewall configuration strategies.
3. Discuss approaches that add specific functionality to a firewall.

Additional Case Projects

1. Ask students to try to identify some specialty firewalls that are widely used.
2. Ask students to draw the layouts for different firewall configurations.

Further Readings or Resources

1. For a description of VPN technologies, see: http://www.vpnc.org/vpntechnologies.pdf
2. For product comparisons, see: http://www.remainsecure.com/whitepapers/firewalls/fwswcomp.htm
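Closing worked example for the Intrusion Detection Systems and Reverse Firewalls sections above (added here; not code from the text or from any IDS product). Both checks run over one constructed connection log: detect_port_scans implements the "many SYNs to many ports on one target" rule from the IDS section, and detect_outbound_floods implements the reverse-firewall view, an internal host whose outbound SYN rate is far above anything a user would generate. The log format (timestamp, direction, source, destination, TCP flags) is invented for the example, as are all hosts and the thresholds.

```python
"""Port-scan detection (IDS) and outbound-flood detection (reverse firewall), added example."""
from collections import defaultdict

# Constructed log lines: "<ts> <in|out> <src_ip>:<sport> -> <dst_ip>:<dport> <tcp flags>"
SAMPLE_LOG = [
    "1000 in  198.51.100.7:40001 -> 192.0.2.10:21 S",    # one source probing many ports...
    "1001 in  198.51.100.7:40002 -> 192.0.2.10:22 S",
    "1001 in  198.51.100.7:40003 -> 192.0.2.10:23 S",
    "1002 in  198.51.100.7:40004 -> 192.0.2.10:25 S",
    "1003 in  198.51.100.7:40005 -> 192.0.2.10:80 S",
    "1003 in  198.51.100.7:40006 -> 192.0.2.10:443 S",   # ...within a few seconds
    "1005 in  203.0.113.4:51000 -> 192.0.2.10:443 S",    # an ordinary visitor
    "1006 in  203.0.113.4:51000 -> 192.0.2.10:443 A",
    "1010 out 10.0.0.5:52000 -> 198.51.100.20:443 S",    # an ordinary LAN client
    "1011 out 10.0.0.5:52000 -> 198.51.100.20:443 A",
]
# A compromised LAN host flooding one victim with SYNs in a single second (constructed).
SAMPLE_LOG += [f"2000 out 10.0.0.9:{50000 + i} -> 198.51.100.200:80 S" for i in range(120)]


def parse(line: str) -> dict:
    ts, direction, src, _, dst, flags = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": int(ts), "dir": direction, "src": src_ip, "sport": int(sport),
            "dst": dst_ip, "dport": int(dport), "flags": flags}


def detect_port_scans(lines, window=10, min_ports=5):
    """(source, target) pairs where the source sent SYN-only packets to at least
    min_ports distinct ports on the target within any `window` seconds."""
    syns = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
    for rec in map(parse, lines):
        if rec["dir"] == "in" and rec["flags"] == "S":
            syns[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))
    scanners = set()
    for pair, events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scanners.add(pair)
                break
    return scanners


def detect_outbound_floods(lines, max_syn_per_sec=50):
    """Internal hosts whose outbound SYN count in any single second exceeds
    max_syn_per_sec: the 'unexpected packets leaving the network' signal."""
    per_sec = defaultdict(int)   # (src, ts) -> SYN count
    for rec in map(parse, lines):
        if rec["dir"] == "out" and rec["flags"] == "S":
            per_sec[(rec["src"], rec["ts"])] += 1
    return {src for (src, _), n in per_sec.items() if n > max_syn_per_sec}


if __name__ == "__main__":
    print("port scans     :", detect_port_scans(SAMPLE_LOG))        # {('198.51.100.7', '192.0.2.10')}
    print("outbound floods:", detect_outbound_floods(SAMPLE_LOG))   # {'10.0.0.9'}
```

Both thresholds are the tuning knobs a practitioner has to set: too low and a busy web client or a legitimate vulnerability scanner trips them, too high and a slow scan (one port a minute) or a modest flood passes unnoticed. The port-scan check keys on SYN-only packets so that the many ACK packets of a normal session do not count as probes.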