Introduction to Firewalls

Firewalls control inbound and outbound access to a private network. Firewalls see networks as trusted or untrusted. A trusted network is typically all the network segments contained on the internal, private network. Packets are allowed to flow relatively freely between segments on the trusted network. An untrusted network includes all hosts that are not part of the internal, private network. These can be Internet hosts, untrusted segments on the private network, or DMZ segments that are under your direct control. DMZ is a military abbreviation for “demilitarized zone” and refers to a specific buffer area between the inside and outside boundaries around an installation; we discuss DMZ segments later in this chapter.

WARNING

Secure Hosts on Trusted Networks

A trusted network does not mean that all the hosts on the network can be trusted. Trusted networks are within your administrative control, but if you have not adequately secured the hosts on the trusted network, those hosts could be as dangerous as untrusted network hosts—that is, they can provide direct points of attack into your systems and networks.


When evaluating a firewall solution for the corporate network, you should take two major issues into consideration:

  • The type of firewall

  • The firewall architecture

The type of firewall determines the features and capabilities provided by the firewall. The firewall architecture determines where you place the firewalls and firewalled hosts on your network. Your network security policies determine what type of firewall is appropriate, and also determine what kind of firewall architecture you will implement. Important considerations include the kinds of resources to be made available for external consumption, what kinds of services in-house users are permitted to access on the Internet, and so forth.

In the following sections, we discuss the various types of firewalls and firewall architectures.
