Chapter 9. Where Firewalls Fit in a Network


Different Types of Office Requirements

Although every firewall implementation is truly unique, there are a couple of fundamental designs from which virtually all firewall designs are created. The first question to ask when implementing a firewall is whether the firewall is going to be located at a central location or a remote location. When you have answered that question, you need to examine the resources that need to be protected. With that in mind, the next step is to determine how many demilitarized zones (DMZs), if any, need to be implemented.

Although most of these design questions are based on protecting internal resources, they should be equally applied to the question of how the firewall will screen Internet access for your internal resources, essentially protecting the Internet from your systems, while at the same time enabling you to restrict and filter the kinds of Internet-based traffic that will be allowed from your internal resources.



Central Office

Although referred to as a central office implementation, the key to this implementation is not necessarily that it exists at the central office. Rather, the central office implementation refers to an implementation that has a number of common elements:

- A concentration of resources must be protected by the firewall.

- A significant number of internal users need access to external resources through the firewall (for example, if the firewall handles the majority of the company's Internet access).

- Technical personnel can actively monitor and manage the firewall because they are physically located at the same location.

As a result, the central office implementation is applicable in any environment that matches these elements. For example, many large companies have multiple locations that would all warrant the central office design, because there may be two or more "hub" locations with a high concentration of users, resources, and administrators.

The central office implementation tends to be more complex than the remote office implementation and tends to utilize higher-end hardware and software to achieve the objective of protecting resources. For example, the central office may utilize multiple firewalls in a dual-firewall implementation to protect resources and may have multiple firewalls implemented in a task-specific fashion. You might have a separate Internet-screening firewall, web application firewall, and e-mail-filtering firewall.

Central office implementations are also frequently underpinned by more advanced firewalls such as Cisco Secure PIX Firewalls, NetScreen, Check Point, or Microsoft ISA Server as opposed to smaller Network Address Translation (NAT) routers or small office/home office (SOHO) firewall products.

As a general rule, the central office implementation tends to provide for the most hardened and secure firewall implementation.



Remote Office

The remote office implementation tends to revolve around a simpler, point-solution design. As opposed to the central office, remote offices typically have few technical resources at the location with the expertise required to effectively manage and maintain a firewall. Remote offices also rarely have internal resources that must be accessed by remote sources, which means that often the firewall implementation is little more than an Internet-screening firewall, keeping all Internet sources from accessing internal resources and restricting Internet access by internal resources.

Although the central office implementation lends itself to protecting literally thousands of users and resources, the remote office implementation is really only effective at protecting a relatively small number of users and resources, generally fewer than 100 users and resources. Consequently, the remote office implementation lends itself to the use of SOHO firewall solutions ranging from lower-end firewalls such as the Cisco PIX 506E, NetScreen 5, or NetScreen 25 all the way down to the basic NAT filtering routers such as some of the Linksys or D-Link product lines.







Single-Firewall Architectures

There are two predominant firewall architectures, the single-firewall and dual-firewall architectures. The single-firewall architecture is simpler because it relies on the use of a single firewall device with which to filter and control the flow of traffic. If you elect to go with a single firewall for your firewall implementation, you can choose from a few different designs:

- Internet firewall with a single DMZ

- Internet firewall with multiple DMZs

- Internet-screening firewall (no DMZ)



Internet Firewall with a Single DMZ

The Internet firewall with a single DMZ is the most common firewall architecture, because it lends itself to being an all-around general-purpose architecture. With this architecture, the firewall has three interfaces: an internal interface that is connected to the protected network, an external interface that is connected to the Internet, and a DMZ interface that is connected to a screened subnet upon which reside the servers and systems that external users need to access. Because the resources on the DMZ segment have to go through the same interface to access both internal and external resources, this architecture is frequently referred to as a "DMZ-on-a-stick" architecture.

In this architecture, traffic flow is controlled in three directions. Traffic from Internet-based systems is permitted only to resources on the DMZ segment. Internet-based systems can never directly access resources on the internal network. Traffic from DMZ-based systems is permitted both to the Internet as well as to internal resources. In this fashion, the DMZ resources can frequently serve as a proxy in the event that data that resides on the internal network is required by the external system. Finally, traffic from the internal network is permitted to the DMZ as well as to the external network. In all situations, the only traffic that should be allowed is traffic that is explicitly permitted by a corresponding access control list (ACL). Figure 9-1 illustrates a single DMZ implementation with the corresponding traffic flow restrictions.



Figure 9-1. Single Firewall with Single DMZ






Internet Firewall with Multiple DMZs

The Internet firewall with multiple DMZs is similar to the single DMZ architecture, the only real difference being that there will be multiple single-homed DMZ segments coming off the firewall. There is no practical limit to the number of DMZ segments, the only real restriction being the number of interfaces the firewall can physically or logically support.

This architecture is typically implemented when the need to separate resources on different and distinct DMZ segments exists. With a single DMZ, all resources that will be accessed from external sources exist on the same DMZ segment, which means that if any one of those systems is compromised, there is nothing to stop the attacker from using that system to compromise more critical servers on that DMZ segment. To mitigate this, you can place systems with differing security requirements in their own DMZ segment, thus reducing the possibility that a compromise of an unrelated system will impact your more critical resources. For example, you may place web servers in one DMZ segment and Simple Mail Transfer Protocol (SMTP) servers in a different DMZ segment, so that if the web servers (which are traditionally more susceptible to attacks) are compromised, the SMTP servers are still safely protected on another DMZ segment where the firewall does not allow traffic between DMZ segments to pass.

Like with the single DMZ architecture, you want to control the flow of traffic in the same manner, preventing all traffic from external sources from accessing internal resources directly and, unless otherwise required, preventing all traffic from traversing from one DMZ segment to another. Figure 9-2 illustrates a single firewall with multiple DMZs architecture.



Figure 9-2. Single Firewall with Multiple DMZs



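The traffic-flow rules for the single-DMZ design (external may reach only the DMZ, the DMZ may reach both sides, internal may reach both sides, everything else is denied) and the extra rule for the multiple-DMZ design (no traffic between DMZ segments) can be expressed as a default-deny zone policy. The following is an added example, not code from the book, that models a three-interface firewall with two DMZ segments as a list of explicit permit entries and evaluates new connection attempts against it; an audit function flags any entry that would break the cardinal rule or DMZ isolation. The zone names, address ranges, and ports are constructed for the example and do not come from the chapter.

```python
"""Zone-based policy model for the single-firewall designs in this chapter.

Added example (not from the book). A flow is allowed only when an explicit
permit entry matches, which mirrors the rule that the only traffic allowed
is traffic explicitly permitted by a corresponding ACL. The topology and
addresses below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Tuple

# Constructed topology: one internal segment, two DMZ segments; anything
# not listed here is reached through the external interface.
ZONES: Dict[str, List[IPv4Network]] = {
    "internal": [ip_network("10.0.0.0/8")],
    "dmz-web": [ip_network("192.0.2.0/26")],
    "dmz-smtp": [ip_network("192.0.2.64/26")],
}


def zone_of(addr: str) -> str:
    """Map an address to the zone of the firewall interface it sits behind."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "external"


@dataclass(frozen=True)
class Permit:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int  # 0 means any destination port


# Explicit permits only. Nothing from "external" reaches "internal", and nothing
# crosses between the two DMZ segments, because no entry says so.
POLICY: List[Permit] = [
    Permit("external", "dmz-web", "tcp", 443),
    Permit("external", "dmz-smtp", "tcp", 25),
    Permit("dmz-web", "internal", "tcp", 5432),   # web tier proxies to an internal database
    Permit("dmz-smtp", "external", "tcp", 25),    # outbound mail relay
    Permit("internal", "dmz-web", "tcp", 443),
    Permit("internal", "dmz-smtp", "tcp", 25),
    Permit("internal", "external", "tcp", 0),
    Permit("internal", "external", "udp", 53),
]


def evaluate(src: str, dst: str, proto: str, dst_port: int,
             policy: List[Permit] = POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason) for a new connection attempt. Default is deny."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        # Same interface on both ends: the firewall never sees this traffic.
        return True, f"intra-zone {sz}, not filtered by the firewall"
    for p in policy:
        if (p.src_zone, p.dst_zone, p.proto) == (sz, dz, proto) and p.dst_port in (0, dst_port):
            return True, f"permit {sz}->{dz} {proto}/{dst_port}"
    return False, f"implicit deny {sz}->{dz} {proto}/{dst_port}"


def audit(policy: List[Permit] = POLICY) -> List[str]:
    """Flag entries that violate the cardinal rule (external->internal) or DMZ isolation."""
    findings = []
    for p in policy:
        if p.src_zone == "external" and p.dst_zone == "internal":
            findings.append(f"external->internal permit: {p}")
        if p.src_zone.startswith("dmz-") and p.dst_zone.startswith("dmz-"):
            findings.append(f"inter-DMZ permit: {p}")
    return findings


if __name__ == "__main__":
    for flow in [("198.51.100.7", "192.0.2.10", "tcp", 443),   # Internet -> web DMZ
                 ("198.51.100.7", "10.1.2.3", "tcp", 443),     # Internet -> internal
                 ("192.0.2.10", "192.0.2.70", "tcp", 25)]:     # web DMZ -> SMTP DMZ
        print(flow, evaluate(*flow))
    print("audit findings:", audit())
```

Running the block prints one permit and two implicit denies: the Internet-to-internal attempt and the DMZ-to-DMZ attempt both fail because no entry exists for them, which is the behaviour the two architectures above require. Adding a deliberate `Permit("external", "internal", ...)` entry makes `audit()` report it, which is the kind of check worth running on a rule base before it is pushed to the firewall.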



Internet-Screening Firewall (No DMZ)

A single firewall without a DMZ is really only suited to function as an Internet-screening firewall. This is because without a DMZ segment, any traffic coming from the external network breaks the cardinal rule of firewall design: that no traffic from an untrusted source can directly access internal resources.

An Internet-screening firewall exists to do two things. First, it prevents external hosts from initiating connections to any protected resource. Second, it can be implemented in such a manner as to filter and restrict traffic from internal hosts to external resources, typically through the use of content-filtering software such as Websense or SurfControl.

Internet-screening firewalls are also frequently implemented for remote office scenarios, because it is relatively rare that a remote office contains resources that need to be accessed from external sources.



Dual-Firewall Architecture

The dual-firewall architecture is more complex than the single-firewall architecture, but it is also a more secure overall design and provides for a much more granular level of control over traffic traversing the firewalls. This is because the architecture uses two firewalls, ideally of different vendors and models, to act as exterior and interior firewalls providing a DMZ segment between the two firewalls, as shown in Figure 9-3. Like previous designs, traffic is permitted into the DMZ segment as well as from the internal network to the external network, but no traffic from the external network is permitted directly to the internal network.



Figure 9-3. Dual-Firewall Architecture






The granular control in a dual-firewall architecture comes from the fact that each firewall controls a subset of all the traffic entering and exiting a network. Because untrusted (that is, external) traffic should never be allowed to directly access a trusted (that is, internal) network, the exterior firewall can be configured specifically to grant access to and from the DMZ segment and external systems. Similarly, the interior firewall can be configured to grant access to and from the DMZ segment and internal resources. This allows for the creation of two distinct and independent points of control of all traffic into and out of all corporate network segments, whether they are DMZ segments or internal network segments.

When a dual-firewall architecture is implemented with different firewall models (for example, a Cisco PIX Firewall and a Microsoft ISA Server firewall), you also gain additional security because an attacker would need to compromise two separate firewalls (which will likely not be susceptible to the same attack methods) to gain access to protected resources. In addition, an attacker also needs to be knowledgeable in the workings of two different types of firewalls to tamper with the configurations.

The downsides of a dual-firewall architecture relate to implementation complexity and cost. With regard to complexity, a dual-firewall architecture frequently requires some form of routing be implemented in the DMZ segment to allow resources in the DMZ segment to send external-destined traffic to the exterior firewall and internal-destined traffic to the interior firewall. Although many companies just use static routing statements on the servers themselves, the larger the number of servers in the DMZ, the more difficult it becomes to manage and maintain so many routing statements. Whereas routers can be used, allowing the administrator just to update the router with new routes, the use of routing protocols should be avoided, because an attacker can potentially use the information provided by the routing protocol to gain insight regarding the internal network topology and structure.
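The routing problem described above is concrete enough to work through: each DMZ host must carry one static route per internal prefix pointing at the interior firewall plus a default route pointing at the exterior firewall. The following added example (not from the book) builds that per-host table, resolves a destination to its next hop with a longest-prefix match the way a host's routing stack would, emits the equivalent Linux `ip route` statements, and compares how many statements an administrator maintains with per-host static routes versus a single router in the DMZ. The firewall DMZ addresses and the internal prefixes are constructed for the example, and the choice of Linux route syntax is an assumption, not something the chapter specifies.

```python
"""Static routing for DMZ hosts in a dual-firewall design (added example, not from the book).

Each DMZ host must send internal-destined traffic to the interior firewall and
everything else to the exterior firewall. Addresses below are constructed for
the example; the route commands assume Linux DMZ hosts (an assumption).
"""
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Tuple

EXTERIOR_FW_DMZ_IP = "192.0.2.1"   # constructed: exterior firewall's DMZ-side address
INTERIOR_FW_DMZ_IP = "192.0.2.2"   # constructed: interior firewall's DMZ-side address
INTERNAL_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]   # constructed internal address space

Route = Tuple[IPv4Network, str]   # (destination prefix, next-hop gateway)


def route_table(internal_prefixes: List[str] = INTERNAL_PREFIXES,
                interior: str = INTERIOR_FW_DMZ_IP,
                exterior: str = EXTERIOR_FW_DMZ_IP) -> List[Route]:
    """Per-host table: one entry per internal prefix via the interior firewall,
    plus a default route via the exterior firewall."""
    table: List[Route] = [(ip_network(p), interior) for p in internal_prefixes]
    table.append((ip_network("0.0.0.0/0"), exterior))
    return table


def next_hop(dst: str, table: List[Route]) -> str:
    """Longest-prefix match over the table; the default route guarantees a hit."""
    ip = ip_address(dst)
    matches = [entry for entry in table if ip in entry[0]]
    best = max(matches, key=lambda entry: entry[0].prefixlen)
    return best[1]


def linux_route_commands(table: List[Route]) -> List[str]:
    """Render the table as iproute2 statements for one DMZ host (assumed Linux)."""
    cmds = []
    for net, gw in table:
        if net.prefixlen == 0:
            cmds.append(f"ip route replace default via {gw}")
        else:
            cmds.append(f"ip route add {net} via {gw}")
    return cmds


def statements_per_host_routing(num_hosts: int, table: List[Route]) -> int:
    """Statements to maintain when every DMZ host carries the full table itself."""
    return num_hosts * len(table)


def statements_with_dmz_router(num_hosts: int, table: List[Route]) -> int:
    """Statements to maintain when hosts point a single default route at a DMZ
    router that holds the table; adding an internal prefix then touches one box."""
    return num_hosts + len(table)


if __name__ == "__main__":
    table = route_table()
    for cmd in linux_route_commands(table):
        print(cmd)
    for dst in ("10.5.5.5", "172.20.1.1", "198.51.100.9"):
        print(dst, "->", next_hop(dst, table))
    print("40 hosts, per-host routes:", statements_per_host_routing(40, table))
    print("40 hosts, DMZ router:     ", statements_with_dmz_router(40, table))
```

With two internal prefixes and 40 DMZ servers, per-host static routing means 120 statements spread across 40 machines, while a DMZ router reduces that to 43 and confines every future change to the router, which is the trade-off the paragraph above draws. Either way the table is static: no routing protocol runs on the DMZ segment, so nothing on that segment advertises the internal prefixes to hosts that have no need to learn them.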

Aside from the obvious costs related to implementing and maintaining multiple firewalls, it is also more expensive to implement and manage a dual-firewall architecture because you need people who understand multiple firewall technologies. Because of the cost and complexity of the dual-firewall architecture, it is typically implemented in environments with critical security requirements such as banking, government, finance, and larger medical organizations.






