Firewalls

The distinctions between screened host, screened subnet and DMZ perimeter security architectures

Screen Host:

The screened host firewall s a more flexible firewall than the dual-homed gateway firewall, however the flexibility is achieved with some cost to security. The screened host firewall is often appropriate for sites that need more flexibility than that provided by the dual-homed gateway firewall.

The screened host firewall combines a packet-filtering router with an application gateway located on the protected subnet side of the router.gif The application gateway needs only one network interface. The application gateway's proxy services would pass TELNET, FTP, and other services for which proxies exist, to site systems. The router filters or screens inherently dangerous protocols from reaching the application gateway and site systems. It rejects (or accepts) application traffic according to the following rules:

1. Application traffic from Internet sites to the application gateway gets routed,

2. All other traffic from Internet sites gets rejected, and

3. The router rejects any application traffic originating from the inside unless it came from the application gateway.

The application gateway needs only one network interface and does not require a separate subnet between the application gateway and the router. This permits the firewall to be made more flexible but perhaps less secure by permitting the router to pass certain trusted services ``around'' the application gateway and directly to site systems. The trusted services might be those for which proxy services don't exist, and might be trusted in the sense that the risk of using the services has been considered and found acceptable. For example, less-risky services such as NTP could be permitted to pass through the router to site systems. If the site systems require DNS access to Internet systems, DNS could be permitted to site systems. In this configuration, the firewall could implement a mixture of the two design policies, the proportions of which depend on how many and what types of services are routed directly to site systems.

The additional flexibility of the screened host firewall is cause for two concerns. First, there are now two systems, the router and the application gateway, that need to be configured carefully. As noted before, packet filtering router rules can be complex to configure, difficult to test, and prone to mistakes that lead to holes through the router. However, since the router needs to limit application traffic only to the application gateway, the ruleset may not be as complex as for a typical site using a packet filtering firewall (which may restrict application traffic to multiple systems).

The second disadvantage is that the flexibility opens up the possibility that the policy can be violated (as with the packet filtering firewall).

Screened Subnet Firewall

The screened subnet firewall is a variation of the dual-homed gateway and screened host firewalls. It can be used to locate each component of the firewall on a separate system, thereby achieving greater throughput and flexibility, although at some cost to simplicity. But, each component system of the firewall needs to implement only a specific task, making the systems less complex to configure.

Two routers are used to create an inner, screened subnet. This subnet (sometimes referred to in other literature as the ``DMZ'') houses the application gateway, however it could also house information servers, modem pools, and other systems that require carefully-controlled access. The router shown as the connection point to the Internet would route traffic according to the following rules:

* application traffic from the application gateway to Internet systems gets routed,

* e-mail traffic from the e-mail server to Internet sites gets routed,

* application traffic from Internet sites to the application gateway gets routed,

* e-mail traffic from Internet sites to the e-mail server gets routed,

* ftp, gopher, etc., traffic from Internet sites to the information server gets routed, and

* all other traffic gets rejected.

The outer router restricts Internet access to specific systems on the screened subnet, and blocks all other traffic to the Internet originating from systems that should not be originating connections (such as the modem pool, the information server, and site systems). The router would be used as well to block packets such as NFS, NIS, or any other vulnerable protocols that do not need to pass to or from hosts on the screened subnet.

The inner router passes traffic to and from systems on the screened subnet according to the following rules:

* application traffic from the application gateway to site systems gets routed,

* e-mail traffic from the e-mail server to site systems gets routed,

* application traffic to the application gateway from site systems

...