Firewall Wizards mailing list archives

Re: firewall architectures


From: Bill_Royds () pch gc ca
Date: Sat, 20 May 2000 14:15:06 -0400

The design in that book is fairly old because it was created before many modern
firewall systems were available. It assumes a two-NIC firewall with Internet
servers in a DMZ between the firewall and the Internet router. More often one
creates a hierarchy of servers based on trade-offs of security versus
accessibility.

A more common architecture nowadays is to have a separate server segment
hanging off the firewall that holds web-available servers. The firewall
restricts access from the Internet to these servers to appropriate web traffic,
but also restricts access by these servers to the internal network.
ASCII diagram:

                      Internet
                          |
               [screening router]
                          |
                   [firewall]----------------[Internet servers]
                          |
               [screening router]
                          |
                   Internal WAN

There may be bastion hosts on the segment between the external screening router
and the firewall to handle things that you want to minimize latency for (DNS,
multi-media, front page web services). But anything that holds risk or has
difficulty being locked down is in the server segment. It is a tradeoff between
responsiveness and security. The external screening router could also be a
stateful packet filtering firewall like FW-1, while the box labelled firewall
could be an application proxy like Axent Raptor or Gauntlet. The latter are
slower but examine transactions in more detail.
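To make the policy behind that layout concrete, here is an added example (not code from the original post): a small first-match policy checker for the three segments described above. The address plan, rule order and sample connection attempts are all constructed for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed address plan for the three segments (an assumption, not from the post).
ZONES = {
    "internet": ip_network("0.0.0.0/0"),    # everything not claimed below
    "servers":  ip_network("192.0.2.0/24"), # web-available server segment off the firewall
    "internal": ip_network("10.0.0.0/8"),   # internal WAN behind the inner screening router
}

def zone_of(ip):
    """Map an address to its zone; the most specific matching prefix wins."""
    addr = ip_address(ip)
    return max((z for z, net in ZONES.items() if addr in net),
               key=lambda z: ZONES[z].prefixlen)

Rule = namedtuple("Rule", "src dst proto dports action")

# First match decides; a flow matching no rule is dropped (default deny).
RULES = [
    Rule("internet", "servers",  "tcp", {80, 443}, "allow"),  # only web traffic reaches the servers
    Rule("servers",  "internal", "any", set(),     "deny"),   # servers may not initiate inward
    Rule("internal", "servers",  "any", set(),     "allow"),  # internal staff manage/publish
    Rule("internal", "internet", "any", set(),     "allow"),  # ordinary outbound access
]

def decide(src_ip, dst_ip, proto, dport):
    """Return 'allow' or 'deny' for a new connection attempt."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if ((r.src, r.dst) == (src, dst) and r.proto in ("any", proto)
                and (not r.dports or dport in r.dports)):
            return r.action
    return "deny"

# Constructed sample connection attempts; comments give the verdict the policy yields.
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", "tcp", 443),  # Internet client to web server: allow
    ("203.0.113.5", "192.0.2.10", "tcp", 22),   # Internet host to server management port: deny
    ("192.0.2.10",  "10.1.2.3",   "tcp", 445),  # server segment toward the internal network: deny
    ("203.0.113.5", "10.1.2.3",   "tcp", 80),   # Internet straight to an internal host: deny
    ("10.1.2.3",    "192.0.2.10", "tcp", 22),   # internal admin to a server: allow
]

def evaluate(flows=SAMPLE_FLOWS):
    return {f: decide(*f) for f in flows}   # {flow: verdict}

if __name__ == "__main__":
    for (s, d, proto, port), verdict in evaluate().items():
        print(f"{s:>13} -> {d:<11} {proto}/{port:<4} {verdict}")
```

The second rule is what stops a host on the server segment from being used as a stepping stone inward, which is the point of keeping the risky services off the internal network.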


Kelly Scroggins <kelly () cliffhanger com> on 05/18/2000 10:20:33

Please respond to Kelly Scroggins <kelly () cliffhanger com>

 To:      firewall-wizards () nfr net
 cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
 Subject: [fw-wiz] firewall architectures

In the book 'Building Internet Firewalls',
several architectural designs are discussed.
I believe the 'screened subnet' architecture
is the best.

In a discussion with a friend, the argument
that the screened subnet is old, outdated, and
should no longer be considered an option,
was presented.

He argued that it introduced too much
latency.  It is true that the more devices a
packet has to go through, the more latency
will be involved.  But is it enough to be
noticed?

I disagree with this idea.  I'm wondering
what others' opinions are on this.  What
architecture do you prefer?

I've included a picture of what I'm
calling a screened subnet below.

kelly


                               internet
                                   |
                                   |
                         +------------------+
*************************|  choke router 1  |*************************
*                        +------------------+                        *
*                                  |                                 *
*     ---------------------------------------------                  *
*       |        |        |        |                                 *
*    +------+ +------+ +------+    |                                 *
*    |      | |      | |      |    |       Firewall                  *
*    |      | |      | |      |    |        (DMZ)                    *
*    +------+ +------+ +------+    |                                 *
*     email     dns     http/      |                                 *
*                       proxy      |                                 *
*                        +------------------+                        *
*************************|  choke router 2  |*************************
                         +------------------+
                                   |
                                   |
                                   |


There could be more than one choke router on the inside network.  But
there shouldn't be more than one access point to the internet.


Kelly