25 Aug Understanding the main firewall topologies
Firewall is one of the assets of a security architecture, strategically positioned between two or more networks, to provide regulation and traffic control. Although this definition is simplistic, it guarantees the understanding base necessary to understand it within the perspective of a network topology.
Firewall topologies are nothing more than physical and logical representations of the positioning of computational assets, and within the purpose of this article, we will bring the main applications of corporate firewalls.
It should be noted that the scope of this article is limited to the firewall element. For the definition of a topology or security architecture in depth, consider other key elements such as IDS/IPS, proxies, etc.
Bastion host topology
The most common option of use for firewalls, especially in small environments, is called a bastion host. Through this topology, the firewall is placed between the internet and the internal network segment.
Although extremely simple, it is possible to visualize that for the traffic to enter or leave the protected network, it is obligatory to pass through the firewall. This topology offers only a real layer of security, so it is necessary to evaluate carefully the scenarios where the use of this topology is recommended.
Once the firewall is compromised, there is no impediment for the attacker to access the protected network. Regardless of the amount of logical layers present in the firewall, if the firewall is compromised, the local network may be potentially attacked.
So keep in mind to use this architecture for small needs for Internet access, where there are no internal servers that are publicly accessed over the internet, or that offer some kind of valuable internal service to the company, such as databases, files, and others.
A very common firewall topology that preserves flexibility and, at the same time security levels suitable for most environments, is called screened subnet. Through this topology, companies can offer services to the internet without compromising their protected networks.
The basis for the operation of a screened subnet is that the firewall has at least three communication interfaces, so that it can isolate the Internet, protected networks, and finally, create a so-called DMZ.
Public network services, such as web servers, e-mail servers, and others, are strategically positioned in the DMZ. If an attacker compromises the access of some of these servers, it will still not have direct access to the protected networks because the firewall is interposed in this architecture.
In cases when there are multiple protected networks that must be directly interconnected by the firewall, one can work with VLANs associated with a smaller number of physical interfaces. From the security point of view there is no impact; however, it is important to validate whether there will be sufficient throughput to meet the traffic demands.
Multi-homed or dual firewall topology
In addition to the Screened subnet topology, multi-homed architectures are composed of several connections that allow segmenting of various networks. In addition, in many cases these architectures work with two distinct devices, further enhancing the security of the environment, since the compromise of one of them does not mean access to the protected networks.
The number of physical and logic connections (ports or interfaces) through VLANs offered by this topology allows you to define, in a very segregated way, how to create the appropriate security policy to protect computers, servers, and other important assets in an organization.
It is important to highlight that the final topology of the security architecture can (and should) mix the concepts covered, allowing to create a real shield for its infrastructure. In-depth defense, especially when applied to isolated devices, offers interesting levels of resilience in an attack environment.
There is no topology that can be considered better, understanding is best for the protection reality of your company. Architectures that are more complex require higher total cost of ownership (TCO) for both technology / product acquisition and specialized labor for continuity of the environment.
What about? Already able to identify which architecture or topology is used in your company? Increase this article with comments on this topic.