A firewall is a network security system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or as a combination of the two. Network firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Information systems in corporations, government agencies, and other organizations have undergone a steady evolution. The following are notable developments:
• Centralized data processing system, with a central mainframe supporting a number of directly connected terminals
• Local area networks (LANs) interconnecting PCs and terminals to each other and the mainframe
• Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps a mainframe or two
• Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN)
• Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN
Summary of Firewall Locations and Topologies
We can now summarize the discussion from Sections 22.4 and 22.5 to define a spectrum of firewall locations and topologies. The following alternatives can be identified:
• Host-resident firewall: This category includes personal firewall software and firewall software on servers. Such firewalls can be used alone or as part of an in-depth firewall deployment.
• Screening router: A single router between internal and external networks performing stateless or stateful packet filtering. This arrangement is typical for small office/home office (SOHO) applications.
• Single bastion inline: A single firewall device between an internal and external router (e.g., Figure 22.1a). The firewall may implement stateful filters and/or application proxies. This is the typical firewall appliance configuration for small to medium-sized organizations.
• Single bastion T: Similar to single bastion inline, but the bastion has a third network interface leading to a DMZ where externally visible servers are placed. This is a common appliance configuration for medium to large organizations.
• Double bastion inline: Figure 22.3 illustrates this configuration, where the DMZ is sandwiched between bastion firewalls. This configuration is common for large businesses and government organizations.
• Double bastion T: The DMZ is on a separate network interface on the bastion firewall. This configuration is also common for large businesses and government organizations, and in some cases it is mandated: for example, it is required for Australian government use (Australian Government Information Technology Security Manual – ACSI33).
• Distributed firewall configuration: Illustrated in Figure 22.5. This configuration is used by some large businesses and government organizations.
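The following is an added example, not code from the original text, that models the single bastion T layout above (external, DMZ and internal interfaces) and contrasts the stateless packet filtering of a screening router with the stateful filtering of a bastion firewall. Zone names, the address ranges, the policy table and the sample packets are all constructed for illustration; the addresses come from the documentation ranges 10.0.0.0/8, 192.0.2.0/24 and 203.0.113.0/24.

```python
"""Toy model of a single-bastion-T firewall: a DMZ on a third interface,
with a stateless filter and a stateful filter applied to the same traffic.
All addresses, zones and rules below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: the interface a packet arrives on is derived
# from its source address; anything outside these ranges is "external".
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "S"  # TCP flags as a string: "S" = new connection attempt


# Policy for the DMZ-on-a-third-interface layout: only the externally
# visible servers in the DMZ accept connections from outside, the DMZ may
# never open connections into the internal network, and internal hosts may
# reach anywhere. None means "any destination port".
ALLOW_NEW = {
    ("external", "dmz"): {80, 443},
    ("internal", "dmz"): {22, 80, 443},
    ("internal", "external"): None,
    ("dmz", "external"): {53, 80, 443},
}
# ("dmz", "internal") and ("external", "internal") are absent, so new
# connections in those directions are denied by default.


def policy_allows_new(pkt: Packet) -> bool:
    ports = ALLOW_NEW.get((zone_of(pkt.src), zone_of(pkt.dst)), set())
    return ports is None or pkt.dport in ports


class StatelessFilter:
    """Screening-router style rules: every packet is judged on its own
    header. To let replies come back it must admit any packet that is not
    a bare SYN, which is exactly the gap a stateful filter closes."""

    def decide(self, pkt: Packet) -> str:
        if pkt.flags == "S":
            return "allow" if policy_allows_new(pkt) else "deny"
        return "allow"  # mid-connection packet: no state to check


class StatefulFilter:
    """Bastion firewall keeping a connection table keyed on the 4-tuple."""

    def __init__(self):
        self.table = set()

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":
            if policy_allows_new(pkt):
                self.table.add(fwd)
                return "allow"
            return "deny"
        # A non-SYN packet must belong to a connection this firewall saw
        # being opened, in either direction; otherwise it is dropped.
        return "allow" if fwd in self.table or rev in self.table else "deny"


def run(filter_obj, packets):
    return [filter_obj.decide(p) for p in packets]


# Constructed traffic sample, one packet per line.
SAMPLE = [
    Packet("203.0.113.7", 51000, "192.0.2.10", 443),        # Internet -> DMZ web
    Packet("192.0.2.10", 443, "203.0.113.7", 51000, "SA"),  # web server's reply
    Packet("203.0.113.7", 51000, "192.0.2.10", 22),         # Internet -> DMZ ssh
    Packet("192.0.2.10", 40000, "10.0.5.5", 445),           # DMZ host -> internal
    Packet("203.0.113.7", 80, "10.0.5.5", 40001, "A"),      # forged "reply" inbound
]

if __name__ == "__main__":
    for name, f in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        print(name, run(f, SAMPLE))
```

Both filters enforce the same zone policy for new connections, so the DMZ SSH probe and the DMZ-to-internal attempt are denied by each. They differ on the last packet: a forged packet with source port 80 and only the ACK flag set looks like return traffic, and the stateless filter has no way to tell it from a genuine reply, whereas the stateful bastion drops it because no matching entry exists in its connection table.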