Firewall types and architecture
A firewall is a network security device placed at the perimeter of the corporate network, thus all the packets entering and leaving the network go through the firewall first and appropriate actions are taken based on the network rules configured by the organization.
The firewall is placed at the network level closely with a router for filtering all the network packets as per the rule configured. Thus, architecting a firewall and placing it in the right location in the corporate network architecture is of utmost importance since it controls incoming and outgoing traffic.
Factors for architecting a firewall
There are many factors that come into consideration for architecting a firewall. The major ones are:
- Organization‘s ability to implement and develop the architecture
- The budget allotted by the organization
- Objectives of the network
Learn Network Security Fundamentals
Firewall architecture implementation
There are four common architectural implementations of firewalls widely in use. They are packet filtering routers, screened host firewalls, dual-homed firewalls and screened subnet firewalls. Let’s understand each one of them in detail.
Packet filtering routers
Most of organizations have a router as the interface to the Internet. This router is placed at the perimeter between the organization‘s internal networks and the internet service provider. These routers can be configured to accept or reject the packets as per the rule of the organization. This is one of the simple and effective ways to lower down the organization‘s risk from the internet.
Drawbacks
The length and the complexity of the rule sets implemented to filter the packets can grow and degrade network performance. Also, it suffers from a lack of auditing and strong authentication mechanisms.
Screened host firewalls
This firewall combines a packet-filtering router with a discrete firewall such as an application proxy server. In this approach, the router screens the packet before entering the internal network and minimizes the traffic and network load on the internal proxy. The application proxy inspects application layer protocol such as HTTP or HTTPS and performs the proxy services. This separate host is called a bastion host and can be a rich target for external attacks, thus it should be thoroughly secured.
The bastion host stores copies of the internal documents, making it a promising target to the attackers. A bastion host is also commonly referred to as the Sacrificial Host.
Advantage
This configuration requires the attacker to hack and compromise two separate systems, before accessing the internal data. In this way, the bastion host and router protects the data and is more effective and secure implementation.
Dual-homed host firewalls
This architecture is a more complex implementation of screened host firewalls. In this architectural approach, the bastion host accommodates two NICs (Network Interface Cards) in the bastion host configuration. One of the NIC is connected to the external network, and the other one is connected to the internal network thus providing an additional layer of protection.
This architecture often makes use of Network Address Translation (NATs). NAT is a method of mapping external IP addresses to internal IP addresses, thus forming a barrier to intrusion from external attackers.
Screened subnet firewalls (with DMZ)
Of all the architecture available, Screened Subnet Firewall is widely used and implemented in corporate networks. Screened Subnet Firewalls as the name suggests make use of DMZ and are a combination of dual-homed gateways and screened host firewalls.
In a screened subnet firewall setup, the network architecture has three components and the setup is as follows:
- 1st component: This component acts as a public interface and connects to the Internet.
- 2nd component: This component is a middle zone called a demilitarized zone. It acts as a buffer between 1st and 3rd components.
- 3rd component: The system in this component connects to an intranet or other local architecture.
Advantage
The use of an additional "layer" and other aspects of the screened subnet firewall makes it a viable choice for many high-traffic or high-speed traffic sites. Screened subnet firewall also helps with throughput and flexibility.
Conclusion
In this article, we have seen the various architecture and implementation of firewalls in a typical network. As per the needs and the requirement, the right architecture must be selected and used to secure the network from external attacks and intrusion.
Learn Network Security Fundamentals
Sources
- https://www.techopedia.com/definition/16146/screened-subnet-firewall
- http://www.blacksheepnetworks.com/security/info/fw/steph/theory.html
- http://www.idc-online.com/technical_references/pdfs/data_communications/Firewall_Architectures.pdf
- https://ecomputernotes.com/computernetworkingnotes/security/types-of-firewall-architectures
Network Security Fundamentals
Learn the fundamentals of networking and how to secure your networks with seven hands-on courses. What you'll learn:- Models and protocols
- Networking best practices
- Wireless and mobile security
- Network security tools
- And more
In this Series
- Firewall types and architecture
- What is zero trust architecture (ZTA)? Pillars of zero trust and trends for 2024
- A deep dive into network security protocols: Safeguarding digital infrastructure 2024
- Asset mapping and detection: How to implement the nuts and bolts
- The Pentagon goes all-in on Zero Trust
- How to configure a network firewall: Walkthrough
- 4 network utilities every security pro should know: Video walkthrough
- How to use Nmap and other network scanners
- Security engineers: The top 13 cybersecurity tools you should know
- Converting a PCAP into Zeek logs and investigating the data
- Using Zeek for network analysis and detections
- Suricata: What is it and how can we use it
- Intrusion detection software best practices
- What is intrusion detection?
- How to use Wireshark for protocol analysis: Video walkthrough
- 9 best practices for network security
- Securing voice communications
- Introduction to SIEM (security information and event management)
- VPNs and remote access technologies
- Cellular Networks and Mobile Security
- Secure network protocols
- Network security (101)
- IDS/IPS overview
- Exploiting built-in network protocols for DDoS attacks
- Wireless attacks and mitigation
- Wireless network overview
- Open source IDS: Snort or Suricata? [updated 2021]
- PCAP analysis basics with Wireshark [updated 2021]
- What is a firewall: An overview
- NSA report: Indicators of compromise on personal networks
- Securing the home office: Printer security risks (and mitigations)
- Email security
- Data integrity and backups
- Cost of non-compliance: 8 largest data breach fines and penalties
- How to find weak passwords in your organization’s Active Directory
- Monitoring business communication tools like Slack for data infiltration risks
- Firewalls and IDS/IPS
- IPv4 and IPv6 overview
- The OSI model and TCP/IP model
- Endpoint hardening (best practices)
- Wireless Networks and Security
- Networking fundamentals (for network security professionals)
- How your home network can be hacked and how to prevent it
- Network design: Firewall, IDS/IPS
- Work-from-home network traffic spikes: Are your employees vulnerable?
- RTS threshold configuration for improved wireless network performance [updated 2020]
- Web server protection: Web server security monitoring
- Web server security: Active defense
- Web server security: Infrastructure components
- Web server protection: Web application firewalls for web server protection
- Web server security: Command line-fu for web server protection
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
