
Choosing the right firewall topology: Bastion host, screened subnet or dual firewalls

When developing a perimeter protection strategy for an organization, one of the most common questions is "Where should I place firewalls for maximum effectiveness?" In this tip, we'll take a look at the three basic options and analyze the scenarios best suited for each case.

Before we get started, please note that this tip deals with firewall placement only. Anyone building a perimeter protection strategy should plan to implement a defense-in-depth approach that utilizes multiple security devices including firewalls, border routers with packet filtering and intrusion-detection systems.

Option 1: Bastion host

The first and most basic option is the use of a bastion host. In this scenario (shown in figure 1 below), the firewall is placed between the Internet and the protected network. It filters all traffic entering or leaving the network.

Figure 1: Bastion host

The bastion host topology is well suited for relatively simple networks (e.g. those that don't offer any public Internet services). The key factor to keep in mind is that it offers only a single boundary. Once someone manages to penetrate that boundary, they've gained unrestricted (at least from a perimeter protection perspective) access to the protected network. This may be acceptable if you're merely using the firewall to protect a corporate network that is used mainly for surfing the Internet, but is probably not sufficient if you host a Web site or e-mail server.

Option 2: Screened subnet

The second option, the use of a screened subnet, offers additional advantages over the bastion host approach. This architecture uses a single firewall with three network cards (commonly referred to as a triple homed firewall). An example of this topology is shown in figure 2 below.

Figure 2: Screened subnet

The screened subnet provides a solution that allows organizations to offer services securely to Internet users. Any servers that host public services are placed in the Demilitarized Zone (DMZ), which is separated from both the Internet and the trusted network by the firewall. Therefore, if a malicious user does manage to compromise the firewall, he or she does not have access to the Intranet (provided that the firewall is properly configured).
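The phrase "properly configured" is where screened subnets succeed or fail, so here is an added example (not part of the original tip) of what that configuration looks like on a triple-homed Linux firewall using nftables. Interface names, the DMZ and trusted address ranges and the server addresses are assumptions chosen for illustration; the point is the per-interface-pair policy, with the default set to drop and nothing initiated from the DMZ toward the trusted network.

```nftables
#!/usr/sbin/nft -f
# Screened-subnet policy for a triple-homed firewall (example, not from the article).
# Assumed interfaces: eth0 = Internet, eth1 = DMZ, eth2 = trusted internal network.
flush ruleset

define WAN = eth0
define DMZ = eth1
define LAN = eth2
define DMZ_NET = 192.0.2.0/24      # assumed DMZ range (RFC 5737 documentation prefix)
define LAN_NET = 10.0.0.0/8        # assumed trusted range
define WEB = 192.0.2.10            # assumed public web server in the DMZ
define MAIL = 192.0.2.25           # assumed public mail server in the DMZ

table inet screened_subnet {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Manage the firewall itself only from the trusted side
        iifname $LAN ip saddr $LAN_NET tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Anti-spoofing: internal address ranges must never arrive from the Internet
        iifname $WAN ip saddr { $DMZ_NET, $LAN_NET } drop
        ct state invalid drop
        ct state established,related accept

        # Internet -> DMZ: only the published services, to the specific hosts
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ ip daddr $MAIL tcp dport 25 accept

        # Trusted -> DMZ: use the services and administer the servers
        iifname $LAN oifname $DMZ ip saddr $LAN_NET tcp dport { 22, 25, 80, 443 } accept

        # Trusted -> Internet: outbound web and DNS
        iifname $LAN oifname $WAN ip saddr $LAN_NET tcp dport { 80, 443 } accept
        iifname $LAN oifname $WAN ip saddr $LAN_NET udp dport 53 accept

        # DMZ -> Internet: only what the public servers need (DNS, outbound mail)
        iifname $DMZ oifname $WAN ip saddr $DMZ_NET udp dport 53 accept
        iifname $DMZ oifname $WAN ip saddr $MAIL tcp dport 25 accept

        # DMZ -> Trusted: nothing is ever initiated from the DMZ; log so a
        # compromised DMZ host probing inward shows up, then fall to policy drop
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan-denied: " drop
    }
}
```

Because the DMZ-to-LAN direction has no accept rule and the default policy is drop, a compromised public server is contained to the DMZ, which is exactly the property the screened subnet is meant to deliver.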

Option 3: Dual firewalls

The most secure (and most expensive) option is to implement a screened subnet using two firewalls. In this case, the DMZ is placed between the two firewalls, as shown in figure 3 below.

Figure 3: Dual firewalls

The use of two firewalls still allows the organization to offer services to Internet users through the use of a DMZ, but provides an added layer of protection. It's very common for security architects to implement this scheme using firewall technology from two different vendors. This provides an added level of security in the event a malicious individual discovers a software-specific exploitable vulnerability.

Higher-end firewalls allow for some variations on these themes as well. While basic firewall models often have a three-interface limit, higher-end firewalls allow a large number of physical and virtual interfaces. For example, the Sidewinder G2 firewall from Secure Computing allows up to 20 physical interfaces. Additional virtual interfaces may be added through the use of VLAN tagging on the physical interfaces. What does this mean to you? With a greater number of interfaces, you can implement many different security zones on your network. For example, you might have the following interface configuration:

  • Zone 1: Internet
  • Zone 2: Restricted workstations
  • Zone 3: General workstations
  • Zone 4: Public DMZ
  • Zone 5: Internal DMZ
  • Zone 6: Core servers

This type of architecture allows you to take any of the three topologies described above and add a tremendous degree of flexibility.

That's a brief primer on firewall architectures. Now that you're familiar with the basic concepts, you should be able to help select an appropriate architecture for use in various situations.



ABOUT THE AUTHOR:

Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.


This was first published in October 2005
