Physical network topology remains one of the most overlooked aspects of firewall security. In fact, building the best possible network topology is not only a critical component of firewall security, but the strategy can also extend the power and reach of the firewall to help secure additional parts of the network, as I explained in my recent article on designing a secure firewall policy.
The ideal topology
Let's start with an ideal network topology example. Figure A illustrates a Cisco PIX 525 firewall with two Gigabit Ethernet ports and six 100-Mb Fast Ethernet ports. This is a great way to achieve physical separation of the different subnets an enterprise network needs, provided that each port is plugged into a physically different Ethernet switch.
Figure A: Cisco PIX 525 firewall
However, this strategy is rarely followed in the real world. It is often impractical to deploy a separate physical switch for each subnet, half a dozen or more in the data center. More often than not, enterprises use virtual LANs, segmenting a single physical switch into multiple bridge groups; it is then extremely easy to provision additional ports for any existing subnet or a future one.
Because of this, and the fact that all the enterprise firewall vendors have added 802.1q trunking support (Cisco was a latecomer in February 2003), one can easily use a single Gigabit port to connect the Layer 3 core switch, DMZ, extranet, guest subnet, and any other VLAN subnets that an enterprise needs. Therefore, one can do without the second Gigabit Ethernet card and 4-port Fast Ethernet card in the PIX 525 shown in Figure A.
This has, however, created a need for Layer 2 switch security against attacks such as VLAN hopping, which is rarely discussed (even among experts); we'll leave that for another article, but the minimum check is that the trunk to the firewall carries only the VLANs you explicitly allow and uses an unused native VLAN, so untagged or double-tagged frames cannot land in another zone. Even with the trunked Gigabit port, you should keep using the two built-in Fast Ethernet ports for the public Internet connection and for stateful failover synchronization. The bottom line is that two firewalls in the PIX 525 class provide enough flexibility and throughput for most enterprise networks.
A better topology
Figure B illustrates the use of the two firewalls in a stateful failover configuration. Network connections are drawn only to the logical firewall to avoid messy connectors in the drawing but, in reality, there would be a physical connection to each firewall for each subnet. Those connections could be physically separate cables, or a single trunked cable over a single Gigabit connection into your 802.1q VLAN-capable switch.
Figure B: A stateful failover configuration
The two built-in Fast Ethernet ports in a PIX 525 are used for the public Internet connection and the stateful failover synchronization. The remaining internal subnets share the Gigabit port. This configuration is much faster than one with a separate Fast Ethernet port per zone, which often gets congested by network-intensive tasks such as tape backup between zones. Keep in mind, though, that traffic between two zones on the trunk enters and leaves the firewall over the same Gigabit link, so the usable inter-zone throughput is shared in both directions rather than being a full gigabit per zone.
The internal side of the firewall can connect the following subnets:
- Core Layer 3 switch
- DMZ
- Extranet and WAN
- Guest zone
The core Layer 3 connection typically goes to your core switch, which routes between VLANs. That core switch may carry hundreds of user VLANs with tens of thousands of users, and server farm VLANs with hundreds of servers that get no direct Internet exposure. Understand, however, that in this example there is no firewall between the server farm VLANs and the user VLANs: user-to-server traffic is routed by the core Layer 3 switch and never passes through the firewall. Some companies go to the extreme of putting all of their servers directly behind the firewall so that they are separated from the users, but managing that many internal servers, each with several port requirements, behind a firewall can be very difficult, so this is not often recommended.
In this scenario, the DMZ (for servers that must be reachable from the public Internet) sits directly behind the firewall, and all traffic to and from it is filtered. The Extranet and WAN zone holds the internal interfaces of the routers that connect to remote WAN sites and partner sites (extranets). This lets you filter traffic from WAN and extranet sites without buying or configuring firewall feature sets on the routers themselves. You can even go to the extreme of placing the external interfaces of those routers in a non-NAT zone on the firewall. This helps prevent attackers from compromising a router from the outside and lets the high-availability enterprise firewall protect any number of routers.
The guest zone is new, but it is actually a security feature. Instead of letting guests connect to your internal LAN when they need the VPN or the Internet, have them connect to a guest network that reaches the Internet but not your internal LAN. This zone is also extremely useful for wireless. With Wi-Fi infrastructure that supports VLANs and 802.1q trunking, a single wireless infrastructure can carry multiple VLANs: an internal VLAN with its own SSID and 802.1x/EAP security, and a guest VLAN that uses a simple WEP password for Internet-only access. Keep in mind that WEP provides no real confidentiality (its key can be recovered from captured traffic), so the guest VLAN must be treated as untrusted and isolated by firewall policy, not by the wireless key.
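To make the trunked design concrete, here is an added configuration example, not from the original article and not Cisco's own, covering the switch-side trunk port mentioned in the VLAN hopping note and the firewall zones from the list above: inside (core transit), DMZ, extranet/WAN and guest on one 802.1q trunk, the two Fast Ethernet ports for the Internet and stateful failover, and an Internet-only policy on the guest zone. The firewall part uses PIX 7.x/ASA-style syntax and the switch part uses Cisco IOS; VLAN numbers, interface names, the hostname and every address (10.100.0.0/24, the 192.168.x.0/24 zones, 203.0.113.0/29 and the failover /30) are constructed for illustration. PIX 6.x expresses the same thing differently (for example "interface gb-ethernet0 vlan10 logical" followed by "nameif vlan10 dmz security50").

```cisco
! --- Core switch: trunk port to the firewall (IOS syntax, assumed) ---
vlan 100
 name CORE-TRANSIT
vlan 10
 name DMZ
vlan 20
 name EXTRANET-WAN
vlan 30
 name GUEST
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet1/1
 description 802.1q trunk to pix-primary GigabitEthernet0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
 switchport nonegotiate
!
! --- Firewall: pix-primary (PIX 7.x / ASA-style syntax, assumed) ---
hostname pix-primary
!
! Physical Gigabit port carries only tagged subinterfaces; no zone lives untagged on it
interface GigabitEthernet0
 no nameif
 no shutdown
!
interface GigabitEthernet0.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.100.0.1 255.255.255.0 standby 10.100.0.2
!
interface GigabitEthernet0.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface GigabitEthernet0.20
 vlan 20
 nameif extranet
 security-level 40
 ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
!
interface GigabitEthernet0.30
 vlan 30
 nameif guest
 security-level 10
 ip address 192.168.30.1 255.255.255.0 standby 192.168.30.2
!
! Built-in Fast Ethernet ports: public Internet and the stateful failover link
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Ethernet1
 no nameif
 no shutdown
!
failover
failover lan unit primary
failover link stateful Ethernet1
failover interface ip stateful 192.168.255.1 255.255.255.252 standby 192.168.255.2
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 10.0.0.0 255.0.0.0 10.100.0.254
!
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
nat (dmz) 1 192.168.10.0 255.255.255.0
nat (guest) 1 192.168.30.0 255.255.255.0
!
! Guest zone: Internet only. Deny every private range before the catch-all permit.
access-list guest_in extended deny ip any 10.0.0.0 255.0.0.0
access-list guest_in extended deny ip any 172.16.0.0 255.240.0.0
access-list guest_in extended deny ip any 192.168.0.0 255.255.0.0
access-list guest_in extended permit ip any any
access-group guest_in in interface guest
```

On the switch side, the allowed-VLAN list and the unused native VLAN are what keep a guest port from injecting frames into another zone over the trunk. On the firewall, the security levels would already deny guest-to-inside traffic, but once an inbound ACL is applied to an interface it replaces that default, so the three deny lines are what actually keep guests off the inside, DMZ and extranet networks after the final permit. Static NAT entries for the published DMZ servers and the outside ACL that exposes them are omitted here.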
These examples are just some of the applications of this advanced firewall architecture. As you can see, this type of setup offers a great deal of flexibility for securing your enterprise.
Now that you see the power of what a modern firewall can offer, I must remind you that a firewall is only the first step in a network security plan. Just because you have the ultimate network and firewall design does not excuse you from all other security duties. Remember that a firewall only mitigates security holes and doesn’t eliminate them by itself.
You still need to do things such as implement an intrusion detection/prevention system that actively blocks attacks, harden servers continually, and develop a systematic routine for patching all devices and systems.