Network security

Firewall types and architecture

February 3, 2021 by Nitesh Malviya

Firewall

A typical corporate network makes use of a number of networking devices to prevent various attacks and maintain the security of the network. A firewall is one of the most important lines of defense for achieving this goal. In this article, we will look in depth at firewalls, their types and their architecture.

Firewall Working

A firewall is a network security device placed at the perimeter of the corporate network. Its main function is to screen all the packets entering, leaving and flowing within the network, in order to prevent unauthorized access between two or more computers. The firewall inspects every packet and, depending on the rules configured on it, accepts, rejects or drops it. The rules are defined according to the security policy of the organization.

Rules

  • Accept: allow the traffic through.
  • Reject: block the traffic and reply to the sender with an "unreachable" error.
  • Drop: block the traffic silently, without sending any reply.

Firewall Architecture Significance

Because a firewall sits at the perimeter of the corporate network, all packets entering and leaving the network pass through it first, and the appropriate action is taken based on the rules configured by the organization.

The firewall is placed at the network level, close to the router, so that it can filter all network packets according to the configured rules. Architecting the firewall and placing it in the right location within the corporate network is therefore of utmost importance, since it controls all incoming and outgoing traffic.

Factors For Architecting Firewall

Many factors come into consideration when architecting a firewall. The major ones are:

  1. The organization's ability to implement and develop the architecture
  2. The budget allotted by the organization
  3. The objectives of the network

Firewall Architecture Implementation

There are four common architectural implementations of firewalls in wide use: packet filtering routers, screened host firewalls, dual-homed host firewalls and screened subnet firewalls. Let's look at each of them in detail.

  • Packet filtering routers – Most organizations have a router as their interface to the Internet. This router sits at the perimeter between the organization's internal networks and the Internet service provider. It can be configured to accept or reject packets according to the organization's rules. This is one of the simplest and most effective ways to lower the organization's exposure to risk from the Internet.

Drawbacks

The length and complexity of the rule sets used to filter packets can grow over time and degrade network performance. A packet filtering router also lacks auditing and strong authentication mechanisms.

  • Screened Host Firewalls – This architecture combines a packet filtering router with a separate firewall such as an application proxy server. The router screens packets before they enter the internal network, which reduces the traffic and load on the internal proxy. The application proxy inspects application-layer protocols such as HTTP or HTTPS and performs the proxy services. This separate host is called a bastion host; because it is directly exposed, it is a rich target for external attacks and must be thoroughly hardened.

The bastion host stores copies of internal documents, making it an attractive target for attackers. For this reason the bastion host is also commonly referred to as the sacrificial host.

Advantage

This configuration requires an attacker to compromise two separate systems, the router and the bastion host, before reaching internal data. Together, the bastion host and the router protect the data, making this a more effective and secure implementation.

  • Dual-Homed Host Firewalls – This architecture is a more complex implementation of the screened host firewall. Here the bastion host is fitted with two NICs (Network Interface Cards): one is connected to the external network and the other to the internal network. Since traffic can only pass between the two networks through the host itself, this provides an additional layer of protection.

This architecture often makes use of Network Address Translation (NAT). NAT is a method of mapping external IP addresses to internal IP addresses, so that internal addresses are never directly exposed to the outside, which forms a barrier to intrusion by external attackers.
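To make the mapping concrete, here is an added example (not code from the article or from any product it mentions) that models the translation table a dual-homed host keeps when it performs source NAT for the internal network. Internal hosts share the firewall's single external address; replies are mapped back through the table; and an unsolicited packet from the outside, for which no table entry exists, has nowhere to go and is discarded. All addresses, ports and packets are constructed for the example.

```python
"""Minimal source-NAT model: how a dual-homed firewall maps internal (private)
addresses onto its one external address, and why an unsolicited inbound packet
cannot reach an internal host. Addresses and packets are constructed (TEST-NET
ranges), not taken from any real deployment."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EXTERNAL_IP = "203.0.113.10"   # assumed public address on the external NIC
INTERNAL_IP = "192.168.1.25"   # assumed workstation on the internal NIC


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatTable:
    """Bidirectional mapping (internal ip, port) <-> external port."""

    def __init__(self, first_port: int = 40000):
        self._next_port = first_port
        self.inbound: Dict[int, Tuple[str, int]] = {}     # ext port -> (int ip, int port)
        self.outbound: Dict[Tuple[str, int], int] = {}    # (int ip, int port) -> ext port

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal->external packet so it carries the firewall's address."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:            # first packet of a flow: allocate a port
            port = self._next_port
            self._next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(EXTERNAL_IP, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the internal host. Returns None when no mapping
        exists, i.e. the packet was not solicited from inside and is dropped."""
        entry = self.inbound.get(pkt.dst_port)
        if entry is None or pkt.dst_ip != EXTERNAL_IP:
            return None
        internal_ip, internal_port = entry
        return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port, pkt.proto)


def demo() -> dict:
    """Three constructed packets: an outbound request, its reply, and a probe."""
    nat = NatTable()
    # internal workstation opens an HTTPS connection to a web server on the Internet
    out = nat.translate_outbound(Packet(INTERNAL_IP, 51234, "198.51.100.7", 443))
    # the server answers to the firewall's external address and allocated port
    reply = nat.translate_inbound(Packet("198.51.100.7", 443, EXTERNAL_IP, out.src_port))
    # an unsolicited probe against the firewall has no table entry -> dropped
    probe = nat.translate_inbound(Packet("198.51.100.99", 4444, EXTERNAL_IP, 445))
    return {"out": out, "reply": reply, "probe": probe}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:6} -> {pkt}")
```

The point of the model is the asymmetry of the table: entries are only ever created by traffic leaving the internal network, so the outside world can address internal hosts only through flows those hosts started.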

  • Screened Subnet Firewalls (with DMZ) – Of all the architectures available, the screened subnet firewall is the one most widely used and implemented in corporate networks. As the name suggests, it makes use of a DMZ and combines the dual-homed gateway with the screened host firewall.

In a screened subnet firewall setup, the network architecture has three components, arranged as follows:

1) 1st component – This component acts as the public interface and connects to the Internet.

2) 2nd component – This component is the middle zone, called the demilitarized zone (DMZ). It acts as a buffer between the 1st and 3rd components.

3) 3rd component – The systems in this component connect to the intranet or other local infrastructure.
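The following is an added example, not code from the article or from any firewall product, that ties the three components above to the rule verdicts described earlier in the article. It implements a small first-match packet filter with the three verdicts (ACCEPT forwards, REJECT blocks and answers with an unreachable error, DROP blocks silently) and applies it to a constructed screened-subnet ruleset: the Internet may reach only the DMZ web service, the internal LAN may reach the DMZ and the Internet, the DMZ may never initiate connections into the LAN, and everything unmatched is dropped by a default-deny policy. Network ranges, ports and packets are all constructed for the example.

```python
"""First-match packet filter applied to a screened-subnet (DMZ) layout.
Networks, ports and packets are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing for the three components of the screened subnet
ANYWHERE = ip_network("0.0.0.0/0")      # 1st component faces the Internet
DMZ = ip_network("172.16.0.0/24")       # 2nd component: bastion / public servers
INTERNAL = ip_network("10.0.0.0/16")    # 3rd component: the intranet


class Verdict(Enum):
    ACCEPT = "accept"   # forward the packet
    REJECT = "reject"   # block and answer with an unreachable error
    DROP = "drop"       # block silently


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[int]   # None means any port
    verdict: Verdict
    comment: str = ""

    def matches(self, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dst_port is None or self.dst_port == port))


# First match wins, so the specific zone-to-zone rules precede the catch-alls.
DMZ_RULESET: List[Rule] = [
    Rule(INTERNAL, DMZ, 443, Verdict.ACCEPT, "staff reach the DMZ web server"),
    Rule(INTERNAL, ANYWHERE, None, Verdict.ACCEPT, "outbound access from the LAN"),
    Rule(DMZ, INTERNAL, None, Verdict.REJECT, "DMZ hosts never initiate into the LAN"),
    Rule(ANYWHERE, DMZ, 443, Verdict.ACCEPT, "public HTTPS service in the DMZ"),
    Rule(ANYWHERE, INTERNAL, None, Verdict.DROP, "Internet never reaches the LAN"),
]
DEFAULT_VERDICT = Verdict.DROP   # default deny: anything unmatched is dropped


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int
             ) -> Tuple[Verdict, Optional[str], str]:
    """Return (verdict, reply sent back to the source, reason)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src, dst, dst_port):
            verdict, why = rule.verdict, rule.comment
            break
    else:
        verdict, why = DEFAULT_VERDICT, "default policy"
    # REJECT tells the sender the destination is unreachable; DROP stays silent.
    reply = "icmp-unreachable" if verdict is Verdict.REJECT else None
    return verdict, reply, why


def demo() -> dict:
    """One constructed packet per zone crossing worth checking."""
    cases = {
        "lan_to_dmz_https": ("10.0.1.5", "172.16.0.10", 443),
        "lan_to_internet": ("10.0.1.5", "198.51.100.7", 80),
        "dmz_to_lan_db": ("172.16.0.10", "10.0.2.20", 3306),
        "internet_to_dmz_https": ("198.51.100.99", "172.16.0.10", 443),
        "internet_to_dmz_ssh": ("198.51.100.99", "172.16.0.10", 22),
        "internet_to_lan_smb": ("198.51.100.99", "10.0.2.20", 445),
    }
    return {name: evaluate(DMZ_RULESET, *pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reply, why) in demo().items():
        print(f"{name:24} {verdict.value:7} reply={reply} ({why})")
```

Two design choices carry the security meaning. Rule order matters because the first match wins, so the DMZ-to-LAN rule must sit above the broad "anywhere" rules or a DMZ host would be treated as just another Internet source. And the choice between REJECT and DROP is deliberate: the explicit error on the DMZ-to-LAN path makes a misconfigured or compromised bastion easy to notice in logs, while the silent drop on the Internet-to-LAN path gives an outside sender no confirmation that the internal address exists.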

Advantage

The additional "layer" and the other properties of the screened subnet firewall make it a viable choice for many high-traffic or high-speed sites. The screened subnet firewall also helps with throughput and flexibility.

Conclusion

In this article, we have seen the various architectures and implementations of firewalls in a typical network. The right architecture must be selected according to the organization's needs and requirements, and used to secure the network from external attacks and intrusion.

 


Nitesh Malviya is a Security Consultant. He has prior experience in Web Appsec, Mobile Appsec and VAPT. At present he works on IoT, Radio and Cloud Security and is open to exploring various domains of cybersecurity. He can be reached on his personal blog – https://nitmalviya03.wordpress.com/ and LinkedIn – https://www.linkedin.com/in/nitmalviya03/.