One of the crucial devices in any IP network is the firewall, which is used to provide a means of access control between different segments of the network and particularly between private networks and the Internet. The Internet is often referred to as an untrusted network in terms of security, while the local network is trusted. We create security domains with different levels of trust, with a firewall providing the entry points to each security domain.
When a company needs to provide a service, such as a web service, to users on the Internet, a DMZ (demilitarized zone) is often created to isolate the web server from other corporate IT resources. The company’s main network is called the Inside Network, the Internet is called the Outside Network, and between them sits the DMZ. The firewall controls access to the DMZ from both the internal and external networks with one set of packet filters, and applies a further set of packet filters to traffic entering the internal network from the Internet. A simple DMZ is commonly referred to as a “shielded subnet”.
For added security, some DMZs employ a proxy server or ALG (Application Layer Gateway) to provide a more secure means of controlling the flow of data between the internal and external networks. The proxy server or ALG establishes separate application sessions between a client on the internal network and servers on the external network, acting as a server to the clients and as a client to the Internet servers. This ensures that when a session is initiated from within, the ALG can inspect the request first and only then establish a second session with the Internet server.
The DMZ itself is used to host any service that a business or organization wants to access over the internet. The additional proxy server or ALG provides secure external access for internal network users. Any attacks on the DMZ hosts can be contained without endangering the users’ client devices.
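The session-splitting behaviour of the proxy/ALG described above, as an added Python example that is not code from the original page: a small loopback HTTP relay that terminates the client's session, parses and checks the request against a constructed allowlist, and only when the check passes opens its own second session to a stand-in for the Internet server. The host names, ports, policy and sample requests are assumptions made for the example.

```python
import socket
import threading

# Constructed policy for this example: only GET requests to one named host are relayed.
ALLOWED_HOSTS = {"www.example.com"}
ALLOWED_METHODS = {"GET"}


def inspect_request(raw: bytes):
    """Parse an HTTP/1.x request head and apply policy.

    Returns (method, host, target) when the request is acceptable, else None.
    Anything that does not parse cleanly is rejected rather than passed through.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host", b"").decode("ascii", "replace")
    if (method not in ALLOWED_METHODS or host not in ALLOWED_HOSTS
            or not version.startswith("HTTP/1.") or not target.startswith("/")):
        return None
    return method, host, target


def alg_handle(client: socket.socket, upstream_addr) -> None:
    """Serve one client session; on a pass, open a second, separate session upstream."""
    with client:
        verdict = inspect_request(client.recv(4096))
        if verdict is None:
            client.sendall(b"HTTP/1.0 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
            return
        method, host, target = verdict
        # The ALG rebuilds the request from parsed fields; the client's raw bytes never reach the server.
        outbound = f"{method} {target} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
        with socket.create_connection(upstream_addr) as server:
            server.sendall(outbound)
            while chunk := server.recv(4096):
                client.sendall(chunk)


def serve(listener: socket.socket, handler) -> None:
    """Accept connections until the listener is closed."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        handler(conn)


def fake_internet_server(conn: socket.socket) -> None:
    """Stand-in for the external web server (constructed for the demo)."""
    with conn:
        conn.recv(4096)
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")


def demo() -> list:
    """Loopback run: client -> ALG -> server, two separate TCP sessions per relayed request."""
    server_l = socket.socket()
    server_l.bind(("127.0.0.1", 0))
    server_l.listen()
    alg_l = socket.socket()
    alg_l.bind(("127.0.0.1", 0))
    alg_l.listen()
    upstream = server_l.getsockname()
    threading.Thread(target=serve, args=(server_l, fake_internet_server), daemon=True).start()
    threading.Thread(target=serve, args=(alg_l, lambda c: alg_handle(c, upstream)), daemon=True).start()
    status_lines = []
    for request in (
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",      # passes policy
        b"CONNECT 203.0.113.9:443 HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n",  # refused at the ALG
    ):
        with socket.create_connection(alg_l.getsockname()) as c:
            c.sendall(request)
            status_lines.append(c.recv(4096).split(b"\r\n")[0].decode())
    server_l.close()
    alg_l.close()
    return status_lines


if __name__ == "__main__":
    print(demo())   # the first request is relayed, the second is refused
```

Because the ALG rebuilds the outbound request from the fields it parsed, nothing the client sent is forwarded verbatim; a request that fails to parse or violates policy is answered by the ALG itself and the Internet-facing session is never opened.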
The firewall device provides packet filtering points to contain Internet attacks within the DMZ. Additional security measures such as private VLANs can also be used to ensure that an attack on one DMZ server does not leave other DMZ servers vulnerable by isolating each service on its own VLAN or subnet.
If cost is not an issue or a higher level of security is required, multiple firewalls can be used: one facing the Internet in front of the DMZ and one facing the internal network behind the DMZ, with the DMZ being the security zone between the two firewalls.
There are three general types of firewalls, based on three technologies:
Packet filters, which limit traffic entering a network using ACLs (Access Control Lists) that permit or deny packets based on Layer 3 IP addresses and/or Layer 4 TCP and UDP port numbers.
Stateful packet filters, often referred to as application-aware packet filters. These packet filters maintain a state table that records the status of each incoming and outgoing session. The filter examines every packet flow, and packets whose properties match an entry in the state table are forwarded. The state table is updated dynamically as the state of any session changes.
Application layer gateways, which operate at the application layer of the network model. They examine packets primarily at the transport layer but also use information from other layers, including the application layer. This type of firewall acts as an intermediary between the Internet and internal networks; a proxy server is another term sometimes used for an ALG.
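The difference between a stateless ACL and a stateful packet filter, applied to the inside/DMZ/outside zoning described earlier, as an added Python example that is not code from the original page. The zone address ranges, ACL rules and sample packets are constructed for illustration; the stateful filter adds a state table on top of the same ACL so that return traffic of a permitted session is forwarded even though the ACL alone would deny it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone layout (addresses are assumptions for this example, not from the page).
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its security domain; anything unlisted is the untrusted outside."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # a TCP SYN (no ACK) opens a new session


# Stateless ACL: evaluated top-down, first match wins, implicit deny at the end.
# Fields: action, source zone, destination zone, protocol, destination port.
ACL = [
    ("permit", "outside", "dmz", "tcp", 443),      # public web service in the DMZ
    ("permit", "inside", "dmz", "tcp", 443),
    ("permit", "inside", "outside", "tcp", "any"),
    ("permit", "inside", "outside", "udp", 53),
    ("deny", "dmz", "inside", "any", "any"),       # a compromised DMZ host stays contained
    ("deny", "outside", "inside", "any", "any"),
]


def acl_decision(pkt: Packet) -> str:
    """Layer 3/4 check only: no memory of earlier packets."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for action, s, d, proto, dport in ACL:
        if (s == src_zone and d == dst_zone
                and proto in ("any", pkt.proto) and dport in ("any", pkt.dport)):
            return action
    return "deny"


class StatefulFirewall:
    """Adds a state table so return traffic of permitted sessions is forwarded."""

    def __init__(self):
        self.state = set()  # 5-tuples of sessions that passed the ACL

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        if self._key(pkt) in self.state or self._reverse_key(pkt) in self.state:
            return "permit"          # part of an established session
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"            # TCP segment with no matching session
        decision = acl_decision(pkt)
        if decision == "permit":
            self.state.add(self._key(pkt))   # dynamic update of the state table
        return decision


if __name__ == "__main__":
    fw = StatefulFirewall()
    for pkt in (
        Packet("203.0.113.5", "192.168.100.10", "tcp", 51000, 443, syn=True),  # Internet -> DMZ web
        Packet("10.1.1.20", "203.0.113.5", "tcp", 40000, 443, syn=True),       # inside -> Internet
        Packet("203.0.113.5", "10.1.1.20", "tcp", 443, 40000),                 # reply to the above
        Packet("203.0.113.5", "10.1.1.20", "tcp", 443, 40001),                 # unsolicited segment
        Packet("192.168.100.10", "10.1.1.20", "tcp", 5000, 22, syn=True),      # DMZ -> inside
    ):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"ACL={acl_decision(pkt):6}  stateful={fw.filter(pkt)}")
```

Run as a script, the reply from the Internet to an inside client is denied by the ACL alone but permitted by the stateful filter because it matches a session the inside host opened, while an unsolicited segment to the same host and a DMZ-to-inside connection attempt are both denied. A production state table also expires entries and tracks TCP flags, which this example leaves out.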