Student Name : AVNEESH DATTA
Title of Project : Firewall Design for Internet Security
Goal of the Project
To discuss firewall definitions and firewall design, outlining the basic
components and major architectures used in constructing firewalls: dual-homed hosts,
screened hosts, screened subnets, and variations on these basic architectures. Also a
brief discussion of internal firewalls and what the future holds.
Brief discussion of how my goal will be achieved
Firewalls are a very effective way to protect a system from most Internet security
threats and are a critical component of today's computer networks. Firewalls in
networks keep damage on one part of the network from spreading to the rest of the
network. Without firewalls, network security problems can rage out of control,
dragging more and more systems down.
In this project I plan to discuss how to build firewalls on the Internet, providing step-by-step explanations of how to design and install firewalls and how to configure
Internet services to work with a firewall. I will describe a variety of firewall
technologies (packet filtering, proxying, network address translation, virtual private
networks) and architectures (e.g., screening routers, dual-homed hosts, screened
hosts, screened subnets, perimeter networks, internal firewalls). I will also describe
the issues involved in passing a variety of new Internet services and protocols through a
firewall.
Designing the firewall system
Designing a firewall requires that you understand and identify the boundaries between
security domains in your network. The most common boundary where firewalls are
applied today is between an organization’s internal networks and the Internet. When
establishing an Internet firewall, the first thing one must decide is its basic
architecture. In this context, architecture refers to the inventory of components
(hardware and software), and the connectivity and distribution of functions among
them. There are two classes of firewall architectures, which we refer to as the single
layer and the multiple layer architectures.
In a single layer architecture, one network host is allocated all firewall functions and
is connected to each network for which it is to control access.
In a multiple layer architecture, the firewall functions are distributed among a small
number of hosts, typically connected in series, with DMZ networks between them.
Having chosen the basic architecture (i.e., the number of hosts, the method in which
they are connected, the tasks that each will perform), the next step is to select the
firewall functions to be implemented in these hosts. The two most basic categories of
firewall function are packet filtering and application proxies. These functions can be
used separately or jointly and can be implemented on the same or on different firewall
hosts.
How to do it?
- Document the environment
The generation and use of diagrams are extremely important while designing
your architecture.
- Select firewall functions
Firewall functions available in today's products include packet filtering,
application proxies, and stateful inspection filtering. Each of these functions implies
a certain range of possible choices for deployment platforms. A firewall deployment
platform is the combination of the particular hardware and operating system on which
the desired firewall functions execute. The following sections list each of these
functions and the platform choices available.
- Packet filtering
Since routers are commonly deployed where networks with differing
security requirements and policies meet, it makes sense to employ packet filtering
on routers to allow only authorized network traffic, to the extent possible.
- Application proxies
An application proxy is an application program that runs on a firewall
system between two networks.
- Stateful inspection or dynamic packet filtering
We use the terms stateful inspection or dynamic packet filtering to refer to
a more capable set of filtering functions on routers.
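To make the difference between plain packet filtering and stateful inspection concrete, here is an added example (not from the proposal or its references): a stateless router-style filter beside a stateful one, run on constructed in-memory packets. The addresses, ports and the internal web server 10.0.0.80 are assumptions made for the illustration.

```python
# Added example (not from the proposal): a stateless packet filter beside a
# stateful one. 10.0.0.0/24 is the internal net; 203.0.113.x / 198.51.100.x are Internet hosts.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = Internet -> internal, "out" = internal -> Internet
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})

WEB_SERVER = "10.0.0.80"   # the one internal host reachable from outside (assumed)

def stateless_filter(pkt: Packet) -> str:
    """Router ACL with no memory: outbound allowed; inbound allowed to the web
    server or when the packet merely looks like a reply (ACK set, SYN clear)."""
    if pkt.direction == "out":
        return "ACCEPT"
    if pkt.dst == WEB_SERVER and pkt.dport == 80:
        return "ACCEPT"
    if "ACK" in pkt.flags and "SYN" not in pkt.flags:
        return "ACCEPT"   # cannot verify that an internal client started this
    return "DROP"

@dataclass
class StatefulFilter:
    """Dynamic packet filtering: an inbound packet is accepted only if it mirrors
    a connection the filter saw an internal host open with an outbound SYN."""
    table: set = field(default_factory=set)   # (src, sport, dst, dport) tuples

    def check(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if "SYN" in pkt.flags:   # new connection: remember its 4-tuple
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if pkt.dst == WEB_SERVER and pkt.dport == 80:
            return "ACCEPT"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "ACCEPT"   # genuine reply to a recorded outbound connection
        return "DROP"

def demo():
    # returns (stateless verdict on a stray ACK, stateful verdict on a real reply,
    #          stateful verdict on the same stray ACK)
    fw = StatefulFilter()
    fw.check(Packet("out", "10.0.0.5", 1025, "203.0.113.9", 443, frozenset({"SYN"})))
    reply = Packet("in", "203.0.113.9", 443, "10.0.0.5", 1025, frozenset({"SYN", "ACK"}))
    stray = Packet("in", "198.51.100.7", 443, "10.0.0.8", 1026, frozenset({"ACK"}))
    return stateless_filter(stray), fw.check(reply), fw.check(stray)
```

The stateless filter has to accept every inbound packet with ACK set to let legitimate replies through, whereas the stateful filter accepts only replies matching a connection it recorded, and drops the stray packet.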
- Select the firewall topology
While the firewall functions described above can be deployed in a wide
variety of ways, there are a small number of commonly deployed architectures. They
are presented in order of increasing effectiveness.
1. Basic border firewall
2. Untrustworthy host
3. DMZ network
4. Dual firewall
- Perform architectural trade-off analysis
Firewalls are typically thought of in their restrictive or protective sense. That
is, they protect your network from the Internet or they restrict access to your network
from the Internet. In today’s Internet-enabled organizations, firewalls are more
frequently thought of as safely empowering the organization to interact with the
Internet. As such, firewalls are very much part of an organization’s mission-critical
infrastructure and they need to be designed accordingly.
As a result, you must make the same architectural trade-offs in designing your firewall
that are commonly made in other mission-critical systems. Architectural
characteristics that must be considered include performance, availability, reliability,
security, cost, manageability, configurability and function.
References (not the complete list):
- www.itworld.com
- www.cert.org/security-improvement
- http://www.interhack.net/pubs/fwfaq/
- Firewalls: a complete guide / Marcus Gonçalves.
- Building Internet firewalls / D. Brent Chapman and Elizabeth D. Zwicky
GOOD. I HAVE UNDERLINED WHAT I CONSIDER TO BE WHERE YOUR
FOCUS SHOULD BE. A DETAILED TECHNICAL PRESENTATION IS
EXPECTED.