Firewall Wizards mailing list archives
Re: firewall architectures
From: Bill_Royds () pch gc ca
Date: Sat, 20 May 2000 14:15:06 -0400
The design in that book is fairly old because it was created before many modern firewall systems were available. It assumes a 2 NIC firewall with Internet servers in a DMZ between the firewall and the Internet router. More often one creates a hierarchy of servers based on trade-offs of security versus accessibility. A more common architecture nowadays is to have a separate server segment hanging off the firewall that holds web available servers. The firewall restricts access from the Internet to these servers to appropriate web traffic, but also restricts access by these servers to the internal network.

ASCII diagram:

           Internet
              |
      [screening router]
              |
          [firewall]----------------[Internet servers]
              |
      [screening router]
              |
         Internal WAN

There may be bastion hosts on the segment between the external screening router and the firewall to handle things that you want to minimize latency for (DNS, multi-media, front page web services). But anything that holds risk or has difficulty being locked down is in the server segment. It is a tradeoff between responsiveness and security.

The external screening router could also be a stateful packet filtering firewall like FW-1, while the box labelled firewall could be an application proxy like Axent Raptor or Gauntlet. The latter are slower but examine transactions in more detail.

Kelly Scroggins <kelly () cliffhanger com> on 05/18/2000 10:20:33
Please respond to Kelly Scroggins <kelly () cliffhanger com>
To: firewall-wizards () nfr net
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: [fw-wiz] firewall architectures

In the book 'Building Internet Firewalls', several architectural designs are discussed. I believe the 'screened subnet' architecture is the best. In a discussion with a friend, the argument that the screened subnet is old, outdated, and should no longer be considered an option, was presented. He argued that it introduced too much latency. It is true that the more devices a packet has to go through, the more latency will be involved. But is it enough to be noticed? I disagree with this idea. I'm wondering what others' opinions are on this. What architecture do you prefer? I've included a picture of what I'm calling a screened subnet below.

kelly

                  internet
                     |
                    \ /
                     |
            +------------------+     *******************************
            |  choke router 1  |     *                     **********
            +------------------+     *                              *
                     |               *                              *
      ---------------------------------------------                 *
        |         |         |              |       *                *
     +----+    +----+    +----+            |       *                *
     |    |    |    |    |    |            |    Firewall            *
     |    |    |    |    |    |            |     (DMZ)              *
     +----+    +----+    +----+            |       *                *
     email     dns      http/              |       *                *
                        proxy              |       *                *
            +------------------+           *                        *
            |  choke router 2  |     *******************************
            +------------------+              **********
                     |
          |        |        |        |        |

There could be more than one choke router on the inside network. But there shouldn't be more than one access point to the internet.

Kelly
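The policy Bill describes above (Internet may reach the server segment only for web traffic, and the servers may not open connections into the internal network) can be written down as a default-deny zone policy and rendered as a firewall ruleset. The following is an added example, not code from either poster; the interface names, address ranges and port lists are assumptions chosen for illustration, and the nftables rendering assumes a Linux box in the "firewall" position of the diagram.

```python
# Added example (not from the thread): a model of the three-zone
# screened-subnet policy described above. Interface names, address
# ranges and the port lists are assumptions chosen for this example.
import ipaddress
from dataclasses import dataclass

# Zone -> (firewall interface, address range). All values assumed.
ZONES = {
    "internet": ("eth0", ipaddress.ip_network("0.0.0.0/0")),
    "servers":  ("eth1", ipaddress.ip_network("192.0.2.0/24")),  # web server segment
    "internal": ("eth2", ipaddress.ip_network("10.0.0.0/8")),    # internal WAN
}


@dataclass(frozen=True)
class Rule:
    src: str        # source zone
    dst: str        # destination zone
    proto: str      # "tcp" or "udp"
    dports: tuple   # destination ports permitted for new connections


# Default-deny policy: only these zone pairs may open connections.
# There is deliberately no rule with src="servers": a host on the
# server segment cannot initiate anything towards the internal network
# (or the Internet); only replies to accepted connections flow back.
POLICY = (
    Rule("internet", "servers", "tcp", (80, 443)),      # web traffic only
    Rule("internal", "servers", "tcp", (80, 443, 22)),  # internal users + admin (assumed)
    Rule("internal", "internet", "tcp", (80, 443)),     # outbound browsing (assumed)
    Rule("internal", "internet", "udp", (53,)),         # resolver queries (assumed)
)


def zone_of(ip: str) -> str:
    """Classify an address by longest-prefix match over ZONES."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, (_, net) in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best][1].prefixlen):
            best = name
    return best


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Would the firewall accept a NEW connection for this 4-tuple?

    Replies to already-accepted connections are handled by connection
    tracking (see to_nftables) and are not modelled here."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(r.src == src and r.dst == dst and r.proto == proto and dport in r.dports
               for r in POLICY)


def to_nftables() -> str:
    """Render POLICY as an nftables forward chain with a drop default."""
    lines = [
        "table inet screened_subnet {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in POLICY:
        iif, oif = ZONES[r.src][0], ZONES[r.dst][0]
        ports = ", ".join(str(p) for p in r.dports)
        lines.append(f'    iifname "{iif}" oifname "{oif}" {r.proto} dport {{ {ports} }} ct state new accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nftables())
    # Constructed sample flows: Internet client to a web server, the same
    # client to SSH on that server, and the web server reaching inward.
    for flow in [("203.0.113.5", "192.0.2.10", "tcp", 443),
                 ("203.0.113.5", "192.0.2.10", "tcp", 22),
                 ("192.0.2.10", "10.1.2.3", "tcp", 445)]:
        print(flow, "ALLOW" if is_allowed(*flow) else "DROP")
```

The point of the model is the absence of any rule whose source is the server segment: if a web server is compromised, the forward chain's drop default stops it from reaching the internal WAN, which is the property that justifies putting risky services on that segment rather than inside.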
Current thread:
- firewall architectures Kelly Scroggins (May 19)
- <Possible follow-ups>
- firewall architectures Kelly Scroggins (May 19)
- Re: firewall architectures Bill_Royds (May 21)