Single-Firewall Architectures




Single-Firewall Architectures

There are two predominant firewall architectures, the single-firewall and dual-firewall architectures. The single-firewall architecture is simpler because it relies on the use of a single firewall device with which to filter and control the flow of traffic.

If you elect to go with a single firewall for your firewall implementation, you can choose from a few different designs:

  • Internet firewall with a single DMZ

  • Internet firewall with multiple DMZs

  • Internet-screening firewall (no DMZ)

Internet Firewall with a Single DMZ

The Internet firewall with a single DMZ is the most common firewall architecture, because it lends itself to being an all-around general-purpose architecture. With this architecture, the firewall has three interfaces: an internal interface that is connected to the protected network, an external interface that is connected to the Internet, and a DMZ interface that is connected to a screened subnet upon which reside the servers and systems that external users need to access. Because the resources on the DMZ segment have to go through the same interface to access both internal or external resources, this architecture is frequently referred to as a "DMZ-on-a-stick" architecture.

In this architecture, traffic flow is controlled in three directions. Traffic from Internet-based systems is permitted only to resources on the DMZ segment. Internet-based systems can never directly access resources on the internal network. Traffic from DMZ-based systems is permitted both to the Internet as well as to internal resources. In this fashion, the DMZ resources can frequently serve as a proxy in the event that data that resides on the internal network is required by the external system. Finally, traffic from the internal network is permitted to the DMZ as well as to the external network. In all situations, the only traffic that should be allowed is traffic that is explicitly permitted by a corresponding access control list (ACL). Figure illustrates a single DMZ implementation with the corresponding traffic flow restrictions.

Single Firewall with Single DMZ


Internet Firewall with Multiple DMZs

The Internet firewall with multiple DMZs is similar to the single DMZ architecture, the only real difference being that there will be multiple single-homed DMZ segments coming off the firewall. There is no practical limit to the number of DMZ segments, the only real restriction being the number of interfaces the firewall can physically or logically support.

This architecture is typically implemented when the need to separate resources on different and distinct DMZ segments exists. With a single DMZ, all resources that will be accessed from external sources exist on the same DMZ segment, which means that if any one of those systems is compromised, there is nothing to stop the attacker from using that system to compromise more critical servers on that DMZ segment. To mitigate this, you can place systems with differing security requirements in their own DMZ segment, thus reducing the possibility that a compromise of an unrelated system will impact your more critical resources. For example, you may place web servers in one DMZ segment and Simple Mail Transfer Protocol (SMTP) servers in a different DMZ segment, so that if the web servers (which are traditionally more susceptible to attacks) are compromised, the SMTP servers are still safely protected on another DMZ segment where the firewall does not allow traffic between DMZ segments to pass.

Like with the single DMZ architecture, you want to control the flow of traffic in the same manner, preventing all traffic from external sources from accessing internal resources directly and, unless otherwise required, preventing all traffic from traversing from one DMZ segment to another. Figure illustrates a single firewall with multiple DMZs architecture.

Single Firewall with Multiple DMZs


Internet-Screening Firewall (No DMZ)

A single firewall without a DMZ is really only suited to function as an Internet-screening firewall. This is because without a DMZ segment, any traffic coming from the external network breaks the cardinal rule of firewall design: that no traffic from an untrusted source can directly access internal resources.

An Internet-screening firewall exists to do two things. First, it prevents external hosts from initiating connections to any protected resource. Second, it can be implemented in such a manner as to filter and restrict traffic from internal hosts to external resources, typically through the use of content-filtering software such as Websense or SurfControl.

Internet-screening firewalls are also frequently implemented for remote office scenarios, because it is relatively rare that a remote office contains resources that need to be accessed from external sources.