On occasion, companies choose to implement a firewall based solely on a single machine, be it a router or host. More often than not, however, the stronger firewalls are composed of multiple parts. In this section, we'll take a look at what we consider the five most common types of firewall architectures: the screening router, the dual-homed gateway, the screened gateway, the screened subnet, and the "belt-and-suspenders" firewall.
The simplest way to implement a firewall is by placing packet filters on the router itself. This architecture is completely transparent to all parties involved, but leaves us with a single point of failure. Moreover, since routers are primarily designed to route traffic, the default failure mode on routers is usually to pass traffic to another interface. (Although most routers include an implied "... and deny everything else" statement at the end of an access list, we are referring more to the possibility of a failure in the security mechanism.) If something were to happen to the router access control mechanism (such as the vulnerability found in one router vendor's software in early 1995), then the possibility would exist for unauthorized traffic to find its way into the network or for proprietary information to "leak" out of the network.
Moreover, screening routers tend to violate the choke point principle of firewalls. Although all traffic does pass through the router at one point or another, the router merely passes the traffic on to its ultimate destination. Each and every potential destination within the network, rather than just a single choke point, must therefore be secured. Although screening routers can be an important part of a firewall architecture, we don't consider them adequate firewall mechanisms on their own.
Another common architecture places a single machine with two networks as a dual-homed gateway. Such a gateway can be used as a generic dual-homed gateway, as described earlier, in which all users must log in to the machine before proceeding on to the other network, or as a host for proxy servers, in which user accounts are not required.
From a "fail-safe" perspective, dual-homed gateways offer a step up from the simple screening router. Because most host-based systems such as these have packet forwarding disabled by default, passing traffic without configuring the host to do so is nearly impossible. As a result, the failure mode of dual-homed gateways is usually more robust than that of screening routers. Nevertheless, as we discussed earlier in this chapter, dual-homed gateways have certain feasibility and usability problems that don't always make them easy to use.
Screened Host Gateway
Now let's take a look at how hosts and routers can be used together in a firewall architecture. One of the most common combinations in use today is the screened host gateway, illustrated in figure 1.
It is fairly straightforward to implement public servers such as FTP, Web, and DNS, but this machine must have modified servers to handle other individual protocols such as incoming telnet and non-anonymous FTP.
These servers can be modified in one of two ways: they can be replaced with proxy servers, such as those described earlier, and they can be made capable of communicating with a separate authentication server. This architecture has two major
Nevertheless, screened host gateways remain a popular implementation, since they allow companies to easily enforce various security policies in different directions without much inconvenience to internal users. Moreover, they are relatively easy to implement, using a standard router and a single host machine. Screened gateways provide a substantial improvement over both screening routers and dual-homed gateways.
The screened subnet approach takes the idea of a screened host gateway one step further. The screening router is still present as the first point of entry into the corporate network, and screens incoming traffic between the Internet and the public hosts. Rather than a single gateway, as in the screened host gateway approach, however, the functions of that gateway are spread among multiple hosts. As shown in figure 2, one of the hosts could be a Web server, another could serve as the anonymous FTP server, and yet a third as the proxy server host, from which all connections to and from the internal corporate network are made.
Functionally, the screened subnet is similar to the screened host gateway: the router protects the gateway from the Internet, and the gateway protects the internal network from the Internet and other public hosts. One distinct advantage that the subnet has over the screened gateway is that it is much easier to implement a screened subnet using "stripped down" hosts, that is, each host on the subnet can be configured to run only those services it is required to serve, thus providing an intruder with fewer potential targets on each machine. Furthermore, the machines on the subnet can be made equally accessible to clients on the internal network as well as Internet-based clients.
The internal machines need not treat the machines on the subnet any differently than they would any other "external" machines on the Internet. In fact, if this approach is taken, a screened subnet can significantly increase the potential security of a network, as any compromise of an external machine (except, perhaps, for the gateway machine with the proxy servers running) is unlikely to provide access into the internal network.
Belt and Suspenders Approach
A final architecture takes the idea of the screened subnet and extends it still another step further, as shown in figure 3. The principles are the same as the subnet architecture: an external screening router protects "public" machines from the Internet. Instead of a gateway running proxy server software as well as protecting the internal network, however, those functions are split: the proxy server host now resides on the DMZ subnet, while an internal screening router serves to protect the internal network from the public machines. This architecture is often called the "belt-and-suspenders" architecture.
The belt-and-suspenders architecture is only subtly different from the screened subnet, but the difference is important from a security point of view. Whereas the subnet relies on the proxy servers to perform all access control to and from the internal network, the belt-and-suspenders approach relies on the proxy server as the first line of authentication defense, but the internal router serves to back up the server, as well as to protect the internal network from the machines on the public network.
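
The following is an added example, not part of the original text: it models the external and internal screening routers as first-match access lists ending in the implied "deny everything else", and checks which flows each router stops, including the case where the external filter has failed open. The addresses, ports and rule sets are constructed assumptions chosen for illustration.

```python
import ipaddress
from collections import namedtuple

# port=None matches any destination port.
Rule = namedtuple("Rule", "action src dst port")

def evaluate(acl, src, dst, port):
    """First matching rule wins; falling off the end is the implied deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if (s in ipaddress.ip_network(rule.src)
                and d in ipaddress.ip_network(rule.dst)
                and rule.port in (None, port)):
            return rule.action
    return "deny"

def path_verdict(routers, src, dst, port):
    """Return 'permit', or name the first router on the path that drops the flow."""
    for name, acl in routers:
        if evaluate(acl, src, dst, port) == "deny":
            return f"denied by {name}"
    return "permit"

# Constructed topology (documentation/private address ranges, not from the page).
ANY, INTERNAL = "0.0.0.0/0", "10.0.0.0/8"
WEB, FTP, PROXY = "192.0.2.10", "192.0.2.20", "192.0.2.30"   # DMZ hosts
CLIENT, INSIDE = "198.51.100.7", "10.1.2.3"

EXTERNAL = ("external router", [
    Rule("permit", ANY, WEB + "/32", 80),
    Rule("permit", ANY, FTP + "/32", 21),
    Rule("permit", ANY, PROXY + "/32", 23),   # incoming telnet goes to the proxy
])
INTERNAL_RTR = ("internal router", [
    Rule("permit", PROXY + "/32", INTERNAL, 23),  # only the proxy host may enter
])

def demo():
    return {
        "internet->web": path_verdict([EXTERNAL], CLIENT, WEB, 80),
        "internet->inside": path_verdict([EXTERNAL, INTERNAL_RTR], CLIENT, INSIDE, 23),
        "web->inside": path_verdict([INTERNAL_RTR], WEB, INSIDE, 23),
        "proxy->inside": path_verdict([INTERNAL_RTR], PROXY, INSIDE, 23),
        # External filter failed open: the flow reaches the internal router unfiltered.
        "internet->inside (external failed open)": path_verdict([INTERNAL_RTR], CLIENT, INSIDE, 23),
    }

if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {verdict}")
```

The last two denials are the ones the internal router contributes: a public host other than the proxy, or traffic that slipped past a failed external filter, still has no matching permit rule on the way in.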
Copyright © 1999-2007, InVirCom. All rights reserved.