Technical Library
11 Oct 2000
Firewalls

What is a firewall?

A firewall is used to prevent unauthorized access between networks by examining IP packets. The firewall will pass or reject packets based on any of the following criteria: source or destination IP address, source or destination port. A policy must be established to determine what is allowed and disallowed across the firewall. Firewall policies will take one of two forms:
Screening Router

A screening router examines all IP packets (incoming and outgoing) and implements packet filtering, which decides whether or not to pass each packet. This gives the screening router the ability to block traffic between networks and/or specific hosts. What is and is not allowed through the screening router is based on the security policy.
Dual-Homed Gateway

A bastion host is a system which is recognized as a strong point of the network's security. Bastion hosts are focused on providing security, possibly through software, regular auditing, and logging. A dual-homed gateway is a firewall consisting of a single system, which is a bastion host, with at least two network interfaces. The dual-homed gateway does not directly forward packets, but acts as a block between the local network and outside networks. Dual-homed gateways run programs called proxies (or application gateways) to forward application packets between networks (the Internet and the LAN). To pass packets into or out of the Local Area Network, they must be examined and directed by the dual-homed gateway.
Screened Host Gateway

A screened host gateway consists of at least one router and a bastion host with a single network interface. The router is used to block all traffic to the LAN except to the bastion host. Usually the router is configured to allow any outgoing traffic from internal sites to pass, so internal users do not need to use a proxy. The screened host gateway is used to limit the amount of traffic to the bastion host, by rejecting certain packets (as specified by the security policy) at the router.
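The packet-filtering criteria described under "What is a firewall?" and the router policy of the screened host gateway, worked through as an added example that is not part of the original article. The addresses, port numbers and the allowed-service list are constructed for illustration; the anti-spoofing checks are an added refinement a practitioner would expect in such a policy.

```python
# Added example (not from the original article): a minimal packet filter
# that models the screening router in front of a screened host gateway.
# Network, bastion address and service ports below are constructed values.
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.0.2.0/24")      # constructed private network
BASTION = ipaddress.ip_address("192.0.2.10")    # constructed bastion host
ALLOWED_BASTION_PORTS = {25, 80}                # services the bastion proxies


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str  # "in" = arriving from outside, "out" = leaving the LAN


def screening_router(pkt: Packet) -> bool:
    """Return True if the router passes the packet, False if it rejects it.

    Policy, following the article's screened host gateway:
      - outgoing traffic from internal hosts passes (no proxy needed);
      - incoming traffic passes only if it is destined for the bastion host,
        and only to the ports the bastion actually serves;
      - everything else is rejected (default deny).
    Anti-spoofing checks on the source address are an added refinement.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.direction == "out":
        # A packet leaving the LAN must carry a LAN source address.
        return src in LAN
    if pkt.direction == "in":
        # A packet from outside must not claim a LAN source address.
        if src in LAN:
            return False
        return dst == BASTION and pkt.dport in ALLOWED_BASTION_PORTS
    return False  # unknown direction: reject


def apply_policy(packets: list[Packet]) -> list[tuple[Packet, bool]]:
    """Run every packet through the router and record each decision."""
    return [(p, screening_router(p)) for p in packets]
```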
Screened Subnet

A screened subnet consists of two screening routers and a bastion host. An isolated subnet is created and placed between the private network and outside networks (the Internet). Both the Internet and the private network can access hosts on the screened subnet. Traffic across the screened subnet is blocked, but may be forwarded by proxies on a bastion host in the screened subnet. Therefore, the private network and outside networks can communicate only through the screened subnet.
Additional Resources
Thinking About Firewalls, by Marcus Ranum