Three Part Firewall System

The classic firewall system, called the three-part firewall system, has the following three specialized layers, as shown in Figure 4-10:

• An isolation LAN that is a buffer between the corporate internetwork and the outside world. (The isolation LAN is called the demilitarized zone (DMZ) in some literature.)

• A router that acts as an inside packet filter between the corporate internetwork and the isolation LAN.

• Another router that acts as an outside packet filter between the isolation LAN and the outside internetwork.

Figure 4-10 Structure and Components of a Three-Part Firewall System (figure labels: Hidden Corporate Systems, Isolation LAN)

Services available to the outside world are located on bastion hosts in the isolation LAN. Example services in these hosts include:

• Anonymous FTP server

• Specialized security software such as Terminal Access Controller Access Control System (TACACS)

The isolation LAN has a unique network number that is different from the corporate network number. Only the isolation LAN network is visible to the outside world. On the outside filter, you should advertise only the route to the isolation LAN.

If internal users need to get access to Internet services, allow TCP outbound traffic from the internal corporate internetwork. Allow TCP packets back into the internal network only if they are in response to a previously sent request. All other TCP traffic should be blocked because new inbound TCP sessions could be from hackers trying to establish sessions with internal hosts.

NOTE To determine whether TCP traffic is a response to a previously sent request or a request for a new session, the router examines some bits in the code field of the TCP header. If the acknowledgment (ACK) bit or the reset-the-connection (RST) bit is set in a TCP segment header, the segment is treated as a response to a previously sent request. The established keyword in Cisco IOS access lists (filters) is used to indicate packets with the ACK or RST bit set.

The following list summarizes some rules for the three-part firewall system:

• The inside packet filter router should allow inbound TCP packets from established sessions.

• The outside packet filter router should allow inbound TCP packets from established TCP sessions.

• The outside packet filter router should also allow packets to specific TCP or UDP ports going to specific bastion hosts (including TCP SYN packets that are used to establish a session).
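The rules in this list and the established check in the NOTE above are easiest to understand as a small packet filter you can run against sample packets. The following Python model is an added example; it is not from the book or from Cisco IOS. It assumes constructed addresses (isolation LAN 192.0.2.0/24, hidden corporate network 10.0.0.0/8, an outside host 203.0.113.5) and two constructed bastion services (anonymous FTP on TCP 21, TACACS on UDP 49); the function and class names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for this example (not from the page).
ISOLATION_LAN = ip_network("192.0.2.0/24")   # DMZ / isolation LAN
CORPORATE_NET = ip_network("10.0.0.0/8")     # hidden corporate systems

# TCP code-field bits (RFC 793 order: FIN, SYN, RST, PSH, ACK, URG).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Services the outside filter exposes on bastion hosts (constructed sample).
BASTION_SERVICES = {
    ("192.0.2.10", "tcp", 21),   # anonymous FTP bastion
    ("192.0.2.20", "udp", 49),   # TACACS bastion
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    flags: int = 0    # TCP code bits; ignored for UDP


def is_established(pkt: Packet) -> bool:
    """Cisco IOS 'established' semantics: a TCP segment with ACK or RST set.

    Note that this is a per-packet flag check, not a session table: any
    segment carrying ACK or RST matches, whether or not a real session exists.
    """
    return pkt.proto == "tcp" and bool(pkt.flags & (TCP_ACK | TCP_RST))


def outside_filter_inbound(pkt: Packet) -> str:
    """Outside router, traffic arriving from the Internet."""
    dst = ip_address(pkt.dst)
    # Rule: allow inbound TCP packets from established sessions.
    if is_established(pkt) and (dst in CORPORATE_NET or dst in ISOLATION_LAN):
        return "permit"
    # Rule: allow specific TCP/UDP ports on specific bastion hosts,
    # including the SYN that opens a new session to them.
    if (pkt.dst, pkt.proto, pkt.dport) in BASTION_SERVICES:
        return "permit"
    return "deny"


def inside_filter_inbound(pkt: Packet) -> str:
    """Inside router, traffic arriving from the isolation LAN side."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if dst not in CORPORATE_NET:
        return "deny"
    # Never let the firewall routers or bastion hosts themselves open
    # traffic into the internal network (the Figure 4-11 concern).
    if src in ISOLATION_LAN:
        return "deny"
    # Rule: allow inbound TCP packets from established sessions only.
    return "permit" if is_established(pkt) else "deny"


def through_both_filters(pkt: Packet) -> str:
    """Verdict for an Internet packet that must cross both routers."""
    if outside_filter_inbound(pkt) == "deny":
        return "deny"
    return inside_filter_inbound(pkt)


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "10.1.1.1", "tcp", 80, TCP_SYN),          # new inbound session
        Packet("203.0.113.5", "10.1.1.1", "tcp", 40000, TCP_ACK),       # reply to internal client
        Packet("203.0.113.5", "192.0.2.10", "tcp", 21, TCP_SYN),        # FTP to bastion
        Packet("203.0.113.5", "192.0.2.20", "udp", 49),                 # TACACS to bastion
        Packet("192.0.2.10", "10.1.1.1", "tcp", 40000, TCP_ACK),        # bastion -> internal
    ]
    for p in samples:
        print(p, "->", through_both_filters(p))
```

The last sample shows why the `established` keyword is only a coarse check: a segment with the ACK bit set is permitted by the outside filter regardless of whether any host inside ever sent a request, so the inside filter and the bastion-host restrictions are doing real work, and a stateful firewall device (discussed later in this section) is a stronger control. Internal users who need to reach a bastion service directly would need an explicit exception to the isolation-LAN source block in `inside_filter_inbound`; the page's rule is stated without one, so the model keeps it strict.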

Always block traffic that originates from the firewall routers and bastion hosts and is destined for the internal network. The firewall routers and hosts themselves are likely to be a jumping-off point for hackers, as shown in Figure 4-11.

Figure 4-11 Firewall Routers and Hosts May Make Your Network Vulnerable to Hacker Attacks

Keep bastion hosts and firewall routers simple. They should run as few programs as possible. The programs should be simple because simple programs have fewer bugs than complex programs. Bugs introduce possible security holes.

Do not enable any unnecessary services or connections on the outside filter router. A list of suggestions for implementing the outside filter router follows:

• Turn off Telnet access (no virtual terminals defined).

• Use static routing only.

• Use password encryption.

• Turn off proxy ARP service.

• Turn off finger service.

• Turn off IP route caching.

• Do not make the router a MacIP server (MacIP provides connectivity for IP over AppleTalk by tunneling IP datagrams inside AppleTalk).

To provide stalwart security, hardware firewall devices can be used in addition to or instead of packet-filtering routers. For example, in the three-part firewall system illustrated earlier in Figure 4-10, a hardware firewall device could be installed on the isolation LAN. A hardware firewall device offers the following benefits:

• Less complex and more robust than packet filters
