Firewall Wk. 2
Chapter 3 discusses Firewall Configuration Strategies. Generally, the chapter expounds on how to build perimeter security for a given network that uses firewalls along with several software and hardware components. Secondly, the chapter explores the rules and restrictions that impact the configuration of the security perimeter. Lastly, Chapter 3 discusses the security configurations that undertake firewall functions or that employ firewalls to build protected areas (Whitman, 2011).
A major takeaway from the chapter is that every firewall has a rules file, which in itself is the most significant configuration file of the firewall. The rules and definitions are configured by the user to instruct the firewall on the kinds of traffic to be permitted into and out of the user's network (Whitman, 2011). A restrictive security approach blocks all access by default and then allows only particular types of traffic to go through. On the other hand, a connectivity-based approach carries fewer rules and permits all types of traffic to pass through, and later blocks particular types of traffic.
Restrictive firewall approaches

Deny-All
  Function: Blocks every packet except those particularly permitted
  Merit: More secure and needs fewer rules
  Demerit: Often results in user complaints

In Order ("first fit")
  Function: Runs firewall rules in descending order
  Merit: Good security
  Demerit: Chaos could arise in case of incorrect order

Best Fit
  Function: Firewall determines the processing order of rules, often from the most specific rules to the most general
  Merit: Easy to manage and has reduced operator error risk
  Demerit: Lack of control

Connectivity-based firewall approaches

Allow-All
  Function: Permits all packets to go through except those specified to be blocked
  Merit: Easy to implement
  Demerit: Offers minimal security and needs complex rules

Port 80/Except Video
  Function: Permits Web surfing without restrictions, except for video files
  Merit: Allows users to surf the Web
  Demerit: Exposes the network to Web threats
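As an added illustration (not code from the textbook or this assignment), the following Python model shows how the approaches in the two tables above differ in practice: a deny-all versus an allow-all default policy, in-order ("first fit") matching, and best-fit ordering by rule specificity. The rule sets, protocol names and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed rule model: a None field means "any" (a wildcard).
@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None   # e.g. "tcp", "udp"; None = any protocol
    src: Optional[str] = None     # source CIDR; None = any source
    dport: Optional[int] = None   # destination port; None = any port

    def matches(self, proto: str, src_ip: str, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.src is not None and \
                ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def specificity(self) -> int:
        # Number of fields the rule constrains; best-fit ordering sorts on this.
        return sum(f is not None for f in (self.proto, self.src, self.dport))

def first_fit(rules: List[Rule], default: str, proto: str, src_ip: str, dport: int) -> str:
    """In-order processing: the first matching rule decides; otherwise the default policy."""
    for rule in rules:
        if rule.matches(proto, src_ip, dport):
            return rule.action
    return default

def best_fit(rules: List[Rule], default: str, proto: str, src_ip: str, dport: int) -> str:
    """Best-fit processing: the firewall orders rules most-specific first,
    so the order in which the operator wrote them no longer matters."""
    ordered = sorted(rules, key=Rule.specificity, reverse=True)
    return first_fit(ordered, default, proto, src_ip, dport)

# Restrictive (deny-all) rule set: only Web traffic and SSH from an admin subnet pass.
RESTRICTIVE = [
    Rule("allow", "tcp", None, 80),
    Rule("allow", "tcp", None, 443),
    Rule("allow", "tcp", "10.0.0.0/24", 22),
]

# Connectivity-based (allow-all) rule set written in the wrong order: under
# first-fit processing the broad allow rule shadows the telnet block entirely.
MISORDERED = [
    Rule("allow"),
    Rule("deny", "tcp", None, 23),
]
```

Running `first_fit(MISORDERED, "allow", "tcp", "203.0.113.5", 23)` returns "allow" (the "chaos" from incorrect ordering in the table), while `best_fit` on the same rules returns "deny" because the port-23 rule is more specific.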
Two critical resources for a firewall are the processing and memory resources found on the bastion host. A bastion host is of great significance to the functioning of the firewall software it hosts. The stronger and more elaborate the firewall, the slower the data transmission process becomes.
IP-addressing difficulties increase as a network becomes more complex. Therefore, it is of paramount importance to first plan out the installation process, including the IP addressing, prior to starting the purchase or installation of firewalls. It is worth noting that if a proxy is dysfunctional, the appropriate intervention is to disable it on the router and related devices that are found between the networks (Whitman, 2011). A router has both external and internal interfaces, with each interface having its own IP address. A screening router gives a simple, minimally secure setup and should only be chosen in instances such as a subnet found in a network already protected by a firewall.
Dual-Homed Host
A dual-homed host refers to a computer that has two network interfaces and two network interface cards. The user puts in place rules that allow traffic to flow through the firewall as required (Whitman, 2011). Such a setup is best for securing a single standalone workstation or a small home network for the user.
Screened Host
A screened host is also referred to as a bastion host or dual-homed gateway. Such a host has been hardened by the installation of all available service packs and security patches. In addition, all of its ports, with the exception of those needed for the necessary UDP and TCP services, have been disabled, and all of its security-related events are extensively logged (Whitman, 2011). Typically, a router is set on either side of the screened host, serving as a firewall. This setup is most appropriate where the user needs Defense in Depth, for instance a financial institution or a government office network.
DMZ Screened Subnet
A DMZ screened subnet is a network located outside of the internal network but connected to the firewall (Whitman, 2011). Ideally, the firewall connects to the three distinct networks of the DMZ design, meaning that it needs a separate network interface card for each of the networks.
Multiple-Firewall DMZs
It is necessary for large corporations to have more than one firewall. This is because of the need to have security policies that allow for the use of several firewalls to safeguard the LAN from the Internet, while offsetting any drag in performance that results from the several firewalls (Whitman, 2011). While connecting to the Web or downloading may be a few seconds slower, it is worthwhile because of the added security. In the same light, it is possible to set up two firewalls connected to a single DMZ, or two firewalls linked to two DMZs for further enhanced security. The latter results in increased flexibility because it helps balance the traffic load between different parts of the organization utilizing this sort of security setup.
There are a number of approaches that a user can employ to boost the functionality of the firewall. These include encryption, application proxies, VPN connections, intrusion detection systems (IDS), and reverse firewalls (Whitman, 2011).
References:
Whitman, E. M., Mattord, J. H., & Green, A. (2011). Guide to Firewalls & VPNs. Connecticut: Cengage Learning.