Firewall Filtering Using ACLs

Figure 10-13 illustrates the use of a network firewall to control (or filter) access; this is a common network authorization implementation. An enterprise network is usually divided into separate security domains (also called perimeters or zones)—such as the untrusted Internet zone, the trusted Enterprise Campus zone, public and semipublic server zones, and so forth—to allow a network firewall to control all traffic that passes between the perimeters. Because all traffic must pass through the network firewall, it enforces the network's access and authorization policy effectively by specifying which connections are permitted or denied between security zones.

Figure 10-13 A Firewall Can Filter Network Sessions (the figure shows the firewall with legs to the Internet, the Enterprise Campus, the public web server zone, and the E-Commerce Zone)

NOTE Security domains that are connected to a leg of a firewall and that contain one or more servers are also called demilitarized zones (DMZs). The purpose of a DMZ network is to contain an attacker who has compromised a host, so that the firewall again filters all access from the compromised host. This allows the enforcement of an extremely strict connection policy that, by default, denies all connections initiated by public servers and prevents connectivity to hosts outside the DMZ network. If multiple hosts are located in the same DMZ, LAN switch-based access control mechanisms such as private VLANs can also effectively restrict communications among those hosts.

For example, the policy for the Internet interface of the firewall in Figure 10-13 is as follows:

■ From the Internet, HTTP traffic is permitted to the public web servers, and the public web servers can reply.

■ HTTP secured by SSL (HTTPS) traffic from the Internet is permitted to the e-commerce server, and response HTTPS traffic from the e-commerce server is allowed.

■ HTTP, FTP, and Telnet traffic initiated from the internal network to the Internet, and responses to this traffic, are allowed.
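The three policy statements above map directly onto an ordered list of ACL entries with an implicit deny at the end. The following Python model is an added example, not code from the book: it evaluates the Internet-interface policy of Figure 10-13 as a first-match ACL, distinguishes new connections from reply segments the way the IOS `established` keyword does, and renders each entry in IOS-style syntax. The address plan (10.0.0.0/8 for the campus, 203.0.113.0/28 for the public web servers, 203.0.113.16/28 for e-commerce) is a constructed assumption; the book gives no addresses.

```python
"""Added example: first-match ACL model of the Figure 10-13 Internet-interface policy.
Not from the book. Addresses below are constructed (documentation ranges)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed address plan for the zones in Figure 10-13 (assumption).
INTERNAL = ip_network("10.0.0.0/8")          # Enterprise Campus zone
PUBLIC_WEB = ip_network("203.0.113.0/28")    # public web server zone
ECOMMERCE = ip_network("203.0.113.16/28")    # e-commerce zone
ANY = ip_network("0.0.0.0/0")                # the Internet, or anything


@dataclass(frozen=True)
class Flow:
    """One packet as the firewall sees it on its Internet interface."""
    proto: str                  # "tcp", "udp", ...
    src: str
    dst: str
    sport: int
    dport: int
    established: bool = False   # TCP ACK/RST set: belongs to an existing session


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (any protocol)
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int] = None         # None = any source port
    dport: Optional[int] = None         # None = any destination port
    established: bool = False           # match only reply segments (IOS 'established')

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if ip_address(f.src) not in self.src or ip_address(f.dst) not in self.dst:
            return False
        if self.sport is not None and self.sport != f.sport:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        if self.established and not f.established:
            return False
        return True

    def to_ios(self) -> str:
        """Render as an IOS-style extended ACL entry (network + wildcard mask)."""
        def net(n: IPv4Network) -> str:
            return "any" if n.prefixlen == 0 else f"{n.network_address} {n.hostmask}"
        parts = [self.action, self.proto, net(self.src)]
        if self.sport is not None:
            parts.append(f"eq {self.sport}")
        parts.append(net(self.dst))
        if self.dport is not None:
            parts.append(f"eq {self.dport}")
        if self.established:
            parts.append("established")
        return " ".join(parts)


# Packets arriving from the Internet. The implicit deny closes every list.
INBOUND: List[Rule] = [
    Rule("permit", "tcp", ANY, PUBLIC_WEB, dport=80),               # HTTP to public web
    Rule("permit", "tcp", ANY, ECOMMERCE, dport=443),               # HTTPS to e-commerce
    # Replies to sessions the internal network opened (HTTP, FTP control, Telnet).
    # FTP data connections are not covered; they need extra entries or inspection.
    Rule("permit", "tcp", ANY, INTERNAL, sport=80, established=True),
    Rule("permit", "tcp", ANY, INTERNAL, sport=21, established=True),
    Rule("permit", "tcp", ANY, INTERNAL, sport=23, established=True),
]

# Packets leaving toward the Internet.
OUTBOUND: List[Rule] = [
    Rule("permit", "tcp", PUBLIC_WEB, ANY, sport=80, established=True),   # web replies
    Rule("permit", "tcp", ECOMMERCE, ANY, sport=443, established=True),   # HTTPS replies
    Rule("permit", "tcp", INTERNAL, ANY, dport=80),                       # internal-initiated
    Rule("permit", "tcp", INTERNAL, ANY, dport=21),
    Rule("permit", "tcp", INTERNAL, ANY, dport=23),
]


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First-match evaluation; a flow that matches no entry is implicitly denied."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


def render(acl: List[Rule]) -> List[str]:
    """IOS-style listing, with the implicit deny written out for readability."""
    return [r.to_ios() for r in acl] + ["deny ip any any"]


if __name__ == "__main__":
    for line in render(INBOUND):
        print(line)
    # A compromised public web server trying to open a new outbound session is denied,
    # because only established replies on port 80 are permitted from that zone.
    print(evaluate(OUTBOUND, Flow("tcp", "203.0.113.5", "198.51.100.7", 44000, 80)))
```

The two-list split mirrors the way an ACL is applied per direction on the Internet interface. The last line of the `__main__` block shows the DMZ property from the note above: a public web server that tries to initiate its own connection to the Internet matches no permit entry and falls through to the implicit deny, while its replies to client requests (source port 80, ACK set) are still allowed.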
