Firewall Configuration Steps (FCS)

Screened Host Firewall System (Single-Homed Bastion)

In this configuration, the firewall functionality is carried out by a packet-filtering router and a bastion host. The router is configured so that for all data traffic from the Internet, only IP packets directed to the bastion host are allowed. For traffic from the internal network, only IP packets from the bastion host are permitted to exit. This configuration supports flexibility in direct Internet access. For example, if a web server is in this network, it can be configured to allow direct access from the Internet. The bastion host performs authentication and proxy functions. This configuration provides better security compared to using a packet-filtering router or an application-level gateway separately.


Figure 6.9. Single-Homed Bastion

Screened Host Firewall System (Dual-Homed Bastion)

In this configuration, there is a physical separation in the network. The advantage of having two physical routes is enhanced security compared to the first configuration. Servers requiring direct access can be placed in a segment directly connected to the Internet. This can be achieved by using two NICs (Network Interface Cards) on the bastion host.


Figure 6.10. Dual-Homed Bastion

Screened Subnet Firewall

This is the configuration with the highest level of security. Why? Because it uses two packet-filtering routers: one between the Internet and the bastion host, and another between the bastion host and the local network. This setup creates an isolated subnet.

Advantages:

  • Provides three layers of defense against intruders.
  • The external router only serves the connection between the Internet and the bastion host, making the local network invisible.
  • The local network cannot route directly to the Internet, which effectively makes the Internet invisible to it (though connections can still be made).


Figure 6.11. Screened Subnet Firewall

Bastion Host

Administrators regard the bastion host as the strongest point in a network security system: it is the front line and the most hardened component in defending against attacks, which makes it the most critical part of network security. Typically the bastion host is a component of the firewall or the outermost layer of the public-facing system. It usually runs on a robust operating system capable of handling all the necessary tasks (e.g., Unix, Linux, NT).

Steps to Build a Firewall

1. Identify the Network Architecture
Understanding the network's architecture, especially its topology and network protocols, simplifies the firewall design process.

2. Define Policies
Establishing clear policies is crucial. The effectiveness of a firewall depends heavily on the policies implemented, such as:

  • Defining what needs to be protected, i.e., which aspects require specific policies.
  • Identifying individuals or groups to whom the policies apply.
  • Determining the services required by each individual or group using the network.
  • Configuring the firewall, based on those services, for optimal security.
  • Enforcing all established policies.

3. Prepare the Necessary Software and Hardware
This includes operating systems and specialized firewall support software like ipchains or iptables on Linux. Ensure the hardware is configured to support the firewall system.

4. Test the Configuration
Testing the completed firewall setup is essential to assess its effectiveness. Tools such as Nmap can be used to audit and test the system.
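As an added example (not code from the original article or its author), here is the packet-filtering router rule set for the Screened Host (single-homed bastion) configuration described above, written as iptables commands because step 3 names iptables as the Linux firewall software. The interface names (eth0 facing the Internet, eth1 facing the internal network), the bastion and web-server addresses, and the HTTP/HTTPS exception for the web server are assumptions for illustration; the 192.0.2.0/24 range is a documentation range, not a real deployment.

```shell
#!/bin/sh
# Added example, not from the original article: iptables rules for the
# packet-filtering router in a Screened Host (single-homed bastion) firewall.
# All interface names and addresses below are assumptions for illustration.
EXT_IF="${EXT_IF:-eth0}"          # assumed: router interface facing the Internet
INT_IF="${INT_IF:-eth1}"          # assumed: router interface facing the internal network
BASTION="${BASTION:-192.0.2.10}"  # assumed: bastion host address
WEBSRV="${WEBSRV:-192.0.2.20}"    # assumed: web server granted direct Internet access

# Print the rule set instead of applying it, so it can be reviewed first.
# iptables evaluates rules top-down and stops at the first match, so the
# specific ACCEPT rules come first, the LOG rule catches what they missed,
# and the DROP policy discards everything that matched nothing.
screened_host_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
# Replies to connections already accepted below are let through.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internet -> internal: only packets addressed to the bastion host...
iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $BASTION -j ACCEPT
# ...plus the explicit exception for the public web server (HTTP/HTTPS only).
iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $WEBSRV -p tcp -m multiport --dports 80,443 -j ACCEPT
# Internal -> Internet: only packets that originate from the bastion host.
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $BASTION -j ACCEPT
# Anything else is logged (rate-limited) and then dropped by the policy.
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
EOF
}

# Count the explicit ACCEPT rules; a reviewer can compare this number against
# the written policy (step 2) before the rules are loaded.
accept_rule_count() {
    screened_host_rules | grep -c -- '-j ACCEPT'
}

# Apply the rules on the router itself (requires root):
#   sh screened_host.sh apply
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    screened_host_rules | sh -e
}

# Default action is to print the rules for review; "apply" loads them.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    screened_host_rules
fi
```

Run the script with no arguments to review the generated rules, and with `apply` on the router once the policy has been checked. The conntrack rule is what lets the web server answer Internet clients even though no rule permits outbound packets from its address; only the bastion host may open connections toward the Internet, which is exactly the asymmetry the Screened Host configuration relies on.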
