Configure IT: Design the best security topology for your firewall

Choose a network topology without sacrificing security

With network security becoming such a hot topic, you may have come under the microscope about your firewall and network security configuration. You may have even been assigned to implement or reassess a firewall design. In either case, you need to be familiar with the most common firewall configurations and how they can increase security. In this article, I will introduce you to some common firewall configurations and some best practices for designing a secure network topology. I have also put together a free download that includes Visio diagrams of all the topology examples used in this article.

Setting up a firewall security strategy
At its most basic level, a firewall is some sort of hardware or software that filters traffic between your company’s network and the Internet. With the large number of hackers roaming the Internet today and the ease of downloading hacking tools, every network should have a security policy that includes a firewall design.

If your manager is pressuring you to make sure that you have a strong firewall in place and to generally beef up network security, what is your next move? Your strategy should be twofold:
  • Examine your network and take account of existing security mechanisms (routers with access lists, intrusion detection, etc.) as part of a firewall and security plan.
  • Make sure that you have a dedicated firewall solution by purchasing new equipment and/or software or upgrading your current systems.

Keep in mind that a good firewall topology involves more than simply filtering network traffic. It should include:
  • A solid security policy.
  • Traffic checkpoints.
  • Activity logging.
  • Limiting exposure to your internal network.

Download notes

The download associated with this article contains four Microsoft Visio diagrams and one PDF file containing the diagrams in image form for easier printing.

Before purchasing or upgrading your dedicated firewall, you should have a solid security policy in place. A firewall will enforce your security policy, and by having it documented, there will be fewer questions when configuring your firewall to reflect that policy. Any changes made to the firewall should be amended in the security policy.

One of the best features of a well-designed firewall is the ability to funnel traffic through checkpoints. When you configure your firewall to force traffic (outbound and inbound) through specific points in your firewall, you can easily monitor your logs for normal and suspicious activity.

How do you monitor your firewall once you have a security policy and checkpoints configured? By using alarms and enabling logging on your firewall, you can easily monitor all authorized and unauthorized access to your network. You can even purchase third-party utilities to help filter out the messages you don't need.

It's also a good practice to hide your internal network address scheme from the outside world. It is never wise to let the outside world know the layout of your network.

Firewall terminology
Before we look at specific firewall designs, let's run through some basic firewall terminology you should become familiar with:
  • Gateway—A gateway is usually a computer that acts as a connector from a private network to another network, usually the Internet or a WAN link. A firewall gateway can transmit information from the internal network to that Internet in addition to defining what should and should not be able to pass between the internal network and the Internet.
  • Network Address Translation (NAT)—NAT hides the internal addresses from the external network (Internet) or outside world. If your firewall is using NAT, all internal addresses are translated to public IP addresses when leaving the internal network, thus concealing their original identity.
  • Proxy servers—A proxy server replaces the network's IP address and effectively hides the actual IP address from the rest of the Internet. Examples of proxy servers include Web proxies, circuit level gateways, and application level gateways.
  • Packet filtering firewall—This is a simple firewall solution that is usually implemented on routers that filter packets. The headers of network packets are inspected when going through the firewall. Depending on your rules, the packet is either accepted or denied. Because most routers can filter packets, this is an easy way to quickly configure firewall rules to accept or deny packets. However, it's difficult for a packet filtering firewall to differentiate between a benign packet and a malicious packet.
  • Screening routers—This is a packet filtering router that contains two network interface cards. The router connects two networks and performs packet filtering to control traffic between the networks. Security administrators configure rules to define how packet filtering is done. This type of router is also known as an outside router or border router.
  • Application level gateway—This type of gateway allows the network administrator to configure a more complex policy than a packet filtering router. It uses a specialized program for each type of application or service that needs to pass through the firewall.
  • Bastion host—A bastion host is a secured computer that allows an untrusted network (such as the Internet) access to a trusted network (your internal network). It is typically placed between the two networks and is often referred to as an application level gateway.
  • Demilitarized zone (DMZ)—A DMZ sits between your internal network and the outside world, and it's the best place to put your public servers. Examples of systems to place on a DMZ include Web servers and FTP servers.

Now that we have gone over some of the basics, it is time to discuss common firewall designs.

Screening router
A screening router is one of the simplest firewall strategies to implement. This is a popular design because most companies already have the hardware in place to implement it. A screening router is an excellent first line of defense in the creation of your firewall strategy. It's just a router that has filters associated with it to screen outbound and inbound traffic based on IP address and UDP and TCP ports. Figure A shows an example of a screening router.

Figure A
Screening router firewall

If you decide to implement this strategy, you should have a good understanding of TCP/IP and how to create filters correctly on your router(s). Failure to implement this strategy properly can result in dangerous traffic passing through your filters and onto your private LAN. If this is your only device, and a hacker is able to pass through it, he or she will have free rein. It's also important to note that this type of configuration doesn't hide your internal network IP addresses and typically has poor monitoring and logging capabilities.

If you have little or no money to spend and need a firewall configuration quickly, this method will cost you the least amount of money and will let you use existing routers. It's an excellent start to your firewall strategy and is a good device to use on networks that use other security tools as well.

Screened host firewalls
A screened host firewall configuration uses a single homed bastion host in addition to a screening router. This design uses packet filtering and the bastion host as security mechanisms and incorporates both network- and application-level security. The router performs the packet filtering, and the bastion host performs the application-side security. This is a solid design, and a hacker must penetrate the router and the bastion host to compromise your internal network.

Also, by using this configuration as an application gateway (proxy server), you can hide your internal network configuration by using NAT translation. Figure B shows an example of this firewall design.

Figure B
Screening router with bastion host

The above design configures all incoming and outgoing information to be passed through the bastion host. When information hits the screening router, the screening router filters all data through the bastion host prior to the information passing to the internal network.

You can go one step further by creating a dual-homed bastion host firewall. This configuration has two network interfaces and is secure because it creates a complete physical break in your network. Figure C shows an example of this firewall design.

Figure C
Screening router with dual-homed bastion host

Demilitarized zone (DMZ) topology
A DMZ is the most common and secure firewall topology. It is often referred to as a screened subnet. A DMZ creates a secure space between your Internet and your network, as shown in Figure D.

Figure D
A DMZ topology

A DMZ will typically contain the following:
  • Web server
  • Mail server
  • Application gateway
  • E-commerce systems (It should contain only your front-end systems. Your back-end systems should be on your internal network.)

A DMZ is considered very secure because it supports network- and application-level security in addition to providing a secure place to host your public servers. A bastion host (proxy), modem pools, and all public servers are placed in the DMZ.

Furthermore, the outside firewall protects against external attacks and manages all Internet access to the DMZ. The inside firewall manages DMZ access to the internal network and provides a second line of defense if the external firewall is compromised. In addition, LAN traffic to the Internet is managed by the inside firewall and the bastion host on the DMZ. With this type of configuration, a hacker must compromise three separate areas (external firewall, internal firewall, and the bastion host) to fully obtain access to your LAN.

Many companies take it one step further by also adding an intrusion detection system (IDS) to their DMZ. By adding an IDS, you can quickly monitor problems before they escalate into major problems.

Additional Resources

"Internet Connectivity Options"

"Internet Edge Security Implementation"

"Frame Relay Design Guide"

In this article, we've examined the basic firewall designs that are prevalent in the business world today. Of course, there is no perfect firewall design. Every network is unique in its business model and should have a firewall tailored for the company’s specific needs.

When designing a firewall, you must consider numerous factors, including cost, training, security, technical expertise, and timeframe to implement. Once you've taken all these factors into account and have established a good security policy, you can begin implementing your firewall topology. The diagrams I've presented here—which are available for download—can serve as templates when you design your own topology.