Architecture with Multiple Layers of Firewalls

In this article we continue the previous post, Network Layouts with Firewalls.

Security requirements vary between organizations, and the network administrator can place a firewall in a network wherever they want. While firewalls should be at the edge of a logical network boundary, creating an inside and an outside on either side of the firewall, a network administrator may wish to have additional boundaries within the network and deploy additional firewalls to establish them.

The use of multiple layers of firewalls is quite common to provide defense-in-depth. For example,  a host-based firewall creates a boundary just before the host it is installed upon and adds another set of firewall policies to the architecture of the network. Using multiple layers of network firewalls is another common technique.

Incorporating multiple layers of firewalls is also required to enforce the principle of least privilege, for example when internal users have varying levels of trust. An organization might want to protect its accounting databases from being accessed by users who are not part of the accounting department.

This could be accomplished with two firewalls. The first firewall is placed at the edge of the network (to prevent general access to the network from the Internet) and the second firewall at the edge of the internal network that defines the boundary of the accounting department. The inner firewall blocks access to the database server by anyone outside the accounting network while allowing limited access to other resources on the accounting network.

Another typical use for firewalls inside a network with a firewall at its edge involves visitors who need access to the Internet. Many organizations deploy specific wireless access points within their networks for visitor use. A firewall between each access point and the rest of the internal network can prevent visitors from accessing the local network with the same privileges as an employee.

We also recommend considering auditing, monitoring, logging, and watching all forms of security. Auditing prevents casual attacks and detects intentional attacks.

Placing a firewall within a network that already has one at the edge requires good planning and policy coordination to prevent inadvertent security lapses. When designing policies for an inner firewall, the administrator could make assumptions that result in poor policy choices—for example, if the inner firewall’s administrator assumes that the outer firewall is already preventing certain types of traffic from reaching the inner firewall, and the outer firewall’s administrator later modifies existing policy, hosts behind the inner firewall will be exposed to additional threats.

The usual approach is to replicate outer firewall policies that are also relevant for inner firewalls on each inner firewall. This can be difficult if the inner firewalls are not able to coordinate their policies automatically, which is particularly likely when firewalls are from different manufacturers.

Another common problem with using multiple layers of network firewalls is the increased difficulty it presents in tracing firewall problems. If one firewall stands between a user and a server, and the user cannot connect to the server, it is easy to check that firewall’s logs to see if the connection is being permitted.

But if multiple firewalls are involved, the problem becomes more difficult because an administrator must locate all firewalls in the chain and check their logs to find where the problem originates. The presence of multiple layers of application layer gateways (ALG) is particularly daunting, because each ALG can change a message, which makes debugging even more difficult.
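The two-firewall layout above, the policy-replication advice, and the problem of finding which firewall in a chain denied a connection can all be exercised with a small model. The following Python is an added illustration, not code from the original post: the edge and accounting firewalls, the addresses (a 10.0.0.0/16 corporate LAN, a 10.0.50.0/24 accounting segment, a database server at 10.0.50.10 and a partner host on the Internet) and the rule sets are all constructed for the example. It evaluates a packet hop by hop through the firewalls it would cross and reports the first one that denies it; the three scenarios in `__main__` show the inner firewall that relied on the edge firewall being exposed when the edge policy is later relaxed, and the inner firewall that carried its own copy of the relevant edge rule still holding.

```python
"""Hop-by-hop evaluation of a packet through an edge firewall and an inner
(accounting) firewall.  Added example; topology, addresses and rules are
constructed for illustration, not taken from any real deployment."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"
CORP_LAN = "10.0.0.0/16"        # constructed: whole internal network
ACCOUNTING = "10.0.50.0/24"     # constructed: accounting department segment
DB_SERVER = "10.0.50.10/32"     # constructed: accounting database server
WEB_SERVER = "10.0.0.80/32"     # constructed: public web server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR; ANY matches every source
    dst: str               # CIDR
    dport: Optional[int]   # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    """First-match rule set with an implicit default deny."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


# Edge firewall as first deployed: only the public web server is reachable.
OUTER_ORIGINAL = [Rule("allow", ANY, WEB_SERVER, 443)]

# Edge firewall after its administrator later opens the accounting file
# share to a partner (constructed change, made without telling the inner admin).
OUTER_RELAXED = OUTER_ORIGINAL + [Rule("allow", ANY, ACCOUNTING, 445)]

# Inner rules written on the assumption that "the edge already stops the
# Internet", so the file-share rule accepts any source.
INNER_NAIVE = [
    Rule("allow", ACCOUNTING, DB_SERVER, 5432),
    Rule("deny", ANY, DB_SERVER, None),
    Rule("allow", ANY, ACCOUNTING, 445),
]

# Inner rules that replicate the relevant edge policy: only internal sources
# may reach the accounting segment, whatever the edge firewall does.
INNER_HARDENED = [
    Rule("allow", ACCOUNTING, DB_SERVER, 5432),
    Rule("deny", ANY, DB_SERVER, None),
    Rule("allow", CORP_LAN, ACCOUNTING, 445),
]


def chain_for(pkt: Packet, outer: Firewall, inner: Firewall) -> List[Firewall]:
    """Firewalls a packet crosses in the constructed topology, in order."""
    chain = []
    if ip_address(pkt.src) not in ip_network(CORP_LAN):
        chain.append(outer)        # arrives from the Internet via the edge
    src_in_acct = ip_address(pkt.src) in ip_network(ACCOUNTING)
    if ip_address(pkt.dst) in ip_network(ACCOUNTING) and not src_in_acct:
        chain.append(inner)        # enters the accounting segment
    return chain


def trace(pkt: Packet, outer_rules: List[Rule],
          inner_rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Evaluate hop by hop; return ("deny", <firewall name>) or ("allow", None)."""
    outer = Firewall("edge", outer_rules)
    inner = Firewall("accounting", inner_rules)
    for fw in chain_for(pkt, outer, inner):
        if fw.decide(pkt) == "deny":
            return "deny", fw.name
    return "allow", None


if __name__ == "__main__":
    partner = Packet("203.0.113.5", "10.0.50.20", 445)   # constructed Internet host
    for label, outer, inner in [
        ("original edge, naive inner", OUTER_ORIGINAL, INNER_NAIVE),
        ("relaxed edge, naive inner", OUTER_RELAXED, INNER_NAIVE),
        ("relaxed edge, hardened inner", OUTER_RELAXED, INNER_HARDENED),
    ]:
        print(f"{label}: {trace(partner, outer, inner)}")
```

The `trace` function returns the name of the denying firewall rather than a bare verdict, which is the piece of information the article says is hard to recover once several firewalls sit in the path; in a real network the equivalent is checking each firewall's logs in order along the chain.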



12 Responses to “Architecture with Multiple Layers of Firewalls”

  1. Carmine says:

    What is NetWare ?

  2. admin says:

    It is a server-based networking environment/operating system that offers network
    protocols, services, and applications. It is developed by Novell.

  3. Carl says:

    What is NetBIOS ?

  4. admin says:

    Network Basic Input Output System (NetBIOS) is the native protocol of Windows PCs.
    NetBIOS provides a 15-character naming convention for resources on the network. It’s a broadcast-oriented network protocol in that all traffic is available to all devices in a LAN.
    The protocol can be transported over NetBEUI, TCP/IP, or IPX/SPX.

  5. Carl says:

    What is IDS ?

  6. admin says:

    Intrusion detection systems (IDSs) are a relatively new technology created with the purpose of monitoring events in a system or network to determine if an intrusion is occurring.

  7. Aleen says:

    What is NIPSs ?

  8. admin says:

    Network Intrusion Prevention Systems (NIPSs) are security systems which focus on prevention (they focus on signature matches and then take a course of action).

  9. Krim says:

    What is Social Engineering ?

  10. admin says:

    Social engineering is the process by which intruders gain access to your facilities, your network, and even to your employees by exploiting the generally trusting nature of people.

    Kevin Mitnick, the famous hacker, wrote a book called The Art of Deception:
    Controlling the Human Element of Security, in which 14 chapters are devoted to social engineering scenarios that have been played out.

  11. Lima says:

    What are the basic prevention mechanisms available for every system ?

  12. admin says:

    1. Firewall
    2. Antivirus
    3. Antispyware
    4. Anti-adware
    5. E-mail filtering

  13. Ken says:

    interesting post

  14. P. Silva says:

    a very good article about Architecture with Multiple Layers of Firewalls

Copyright © 2008 Home Automation - JAEC - All the rights reserved