SMB Secure


Firewall Architecture

Firewall Architecture refers to the way firewalls interact with the existing network infrastructure to ensure the expected level of protection. Depending on where the firewall is placed and how it is combined with other components, the architecture will serve different objectives.

Single Firewall Architecture

In this design, security relies on a single device placed at the boundary between the trusted and untrusted networks. Straightforward to implement, this approach is widely used and remains the cheapest solution. Easy to manage, it provides centralized and efficient security; however, this advantage is also its biggest weakness, since the device is a single point of failure. Single Firewall Architecture can be divided into three sub-categories:

Simple Screening Architecture

This architecture is the most basic one: the firewall simply divides the network into two zones, a trusted zone (the private network) and the outside world (the Internet). This configuration best suits relatively small networks that provide no services to the external network, which implies that no internal resources need to be accessible from the outside.

Simple Screening Firewall Architecture

Depending on the technology employed, three types of firewall can be used in this architecture, each of them serving a different purpose.

Screening Router / Network Layer Firewall

An appliance-based solution, a screening router is a simple device that integrates packet-filtering features to block unwanted traffic entering and leaving the network. As its name indicates, routing is the primary function of this device; its filtering features are secondary and therefore basic (network layer only). It is more a router with firewall capabilities than the opposite. See Packet Filtering Firewall.
Why and How to use it?
A screening router provides the best performance and redundancy; as a further advantage, this option is the cheapest and easiest to implement. While screening routers are inescapably part of any firewall architecture, a screening router as the sole architecture can only be used in the following configuration (Zwicky, Cooper and Chapman 2000):
-No services are being provided to external users (no internal resources are available from the Internet)
-Every host in the private network is highly secured (personal firewall on each host)
-The protocols used are straightforward, as no inspection is provided at the application layer

Dual Homed Host, also called Bastion Host / Application Layer Firewall

A software-based solution, a bastion host is a dedicated computer with two network interfaces on which the routing function has been disabled. Functioning as an intermediary between the two networks, this firewall implements proxy features to allow targeted services to pass through in both directions. See Proxy Firewall.
Why and How to use it?
Dual Homed Host Architecture allows for in-depth inspection, with the ability to configure protocols so that only the wanted functionality is enabled while worrying options are disabled. This architecture, while attractive, presents some disadvantages as it relies on an operating system that is prone to various weaknesses. As a result, this architecture may be used in the following scenario (Zwicky et al. 2000):
-No services are being provided to external users (no internal resources are available from the Internet)
-The outgoing traffic (to the Internet) is small, as the filtering process is resource consuming
-The traffic to the Internet is not business critical, as high availability is not ensured
-The internal network does not hold extremely valuable information

Multi-purpose Box / Multi-Layer Firewall

An appliance-based solution, this box is a mixture of the two preceding solutions, providing both packet filtering and proxy features. Its particular interest is to bring together the performance of the router and the deep inspection of the bastion host. See Deep Inspection Firewall.
Why and How to use it?
Multi-purpose Box Architecture seems to provide a good alternative to the above architectures and should be used in the following scenario:
-No services are being provided to external users (no internal resources are available from the Internet)
-The network is relatively small

Multi-Screening Architecture

A single-point architecture, this topology differs from the previous one by its DMZ (Demilitarized Zone). Indeed, this architecture offers a minimum of three network interfaces and prevents any direct communication from the Internet to the intranet. This solution creates a pseudo-trusted domain where services can be provided to the Internet.

Simple Screening Firewall Architecture

This architecture is better suited to hardware-based firewalls, as the technology used (ASIC) offers greater performance and reliability than software-based firewalls.
Why and How to use it?
This architecture may be adopted in the following scenario:
-Some services are provided to external users
-Every host in the private network is highly secured (personal firewall on each host)
-The internal network does not hold extremely valuable information

Dual Firewall Architecture

In this design, security relies on two firewalls to provide an additional layer of protection. More secure than the Single Firewall Architecture, this model is however more expensive and somewhat more difficult to maintain, as security is now distributed across two locations. As shown in the following figure, it is composed of:
-an external firewall that controls internal and external traffic
-a DMZ which contains resources accessible to both internal and external users
-an internal firewall that controls internal traffic while preventing external traffic from entering the private network

Simple Screening Firewall Architecture

Concerning the technology in use for this model, there are typically two variants:
-The hardware approach, which consists in using either screening routers or multi-purpose boxes for both the internal and external firewalls.
-The mixed approach, which consists in using a bastion host for the external firewall and a screening router or multi-purpose box for the internal firewall. Note that the reverse arrangement is prohibited (Zwicky et al. 2000).
Why and How to use it?
Due to its cost and complexity, this architecture is implemented mainly in large organisations where security is critical, such as banking, government finance and larger medical organisations (Wes et al. 2006). The typical scenario for adopting this model is as follows:
-Services are provided to external users
-The internal Network contains critical information
-The private Network is large
-A security team is involved to maintain the security architecture

DeMilitarized Zone (DMZ)

Some of the architectures presented above contain a DMZ, a neutral domain which provides services to both the trusted internal network and the untrusted external Internet. This zone only holds resources that require external access and typically contains servers such as web servers, DNS servers and SMTP servers (McKeag 2004). More than just a public access zone, a DMZ creates a security perimeter in which direct communication between the trusted and untrusted zones is prohibited. Since the outside world is only permitted access to the DMZ, the DMZ becomes the main target of attackers. As a result, this part of the network needs to be highly secured in addition to the baseline security provided by the firewall architecture itself.
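To make the zone rules of the Multi-Screening, Dual Firewall and DMZ sections concrete, here is an added example (not code from the SMB Secure page) that models each architecture as a first-match rule list and checks the invariant these sections describe: the Internet reaches only the DMZ, and a DMZ host, even once compromised, cannot open a connection into the private network. The zone names, address ranges and ports are assumptions chosen for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption, not from the page): the private
# network and the DMZ are RFC 1918 ranges; anything else is "internet".
ZONES = {"internal": ip_network("10.0.0.0/24"),
         "dmz": ip_network("192.168.100.0/24")}

def zone_of(addr):
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "internet")

# A rule matches on source zone, destination zone and port; "any" and None
# are wildcards. Rules are evaluated first-match, like a packet filter.
Rule = namedtuple("Rule", "src dst port action")

def evaluate(rules, src_zone, dst_zone, port):
    """First-match evaluation with an implicit final drop (default deny)."""
    for r in rules:
        if (r.src in ("any", src_zone) and r.dst in ("any", dst_zone)
                and r.port in (None, port)):
            return r.action
    return "drop"

# Multi-Screening Architecture: one firewall, three interfaces. Only the DMZ
# is reachable from the Internet; the private network is never a destination.
SINGLE_FW = [
    Rule("internet", "dmz", 80, "accept"),    # public web server
    Rule("internet", "dmz", 25, "accept"),    # SMTP server
    Rule("internal", "any", None, "accept"),  # outbound from the intranet
    Rule("dmz", "internet", None, "accept"),  # DMZ servers reaching out
]

# Dual Firewall Architecture: the external firewall sees only Internet<->DMZ,
# the internal firewall only DMZ<->Internal; neither accepts inbound to "internal".
EXTERNAL_FW = [Rule("internet", "dmz", 80, "accept"),
               Rule("internet", "dmz", 25, "accept"),
               Rule("any", "internet", None, "accept")]
INTERNAL_FW = [Rule("internal", "any", None, "accept")]

def single_firewall(src, dst, port):
    return evaluate(SINGLE_FW, zone_of(src), zone_of(dst), port)

def dual_firewall(src, dst, port):
    """A flow crosses every firewall on its path and must be accepted by each."""
    s, d = zone_of(src), zone_of(dst)
    on_path = [fw for fw, zone in ((EXTERNAL_FW, "internet"),
                                   (INTERNAL_FW, "internal")) if zone in (s, d)]
    return "accept" if all(evaluate(fw, s, d, port) == "accept"
                           for fw in on_path) else "drop"
```

Running the same constructed flows through both models shows the difference the second firewall makes: in the dual design an Internet-to-intranet flow has to be rejected by two independently administered rule sets rather than one.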
