Firewall planning | General Recommendations
The following recommendations for firewall planning and implementation will help administrators plan for firewall placement and implement their firewall policies:
- Placement and Deployment
- Place a packet-filtering firewall at the edge of each discrete network in the organization.[..]
Firewalls | Deploy and Manage
Deploy
Once testing is complete and all issues have been resolved, the next phase of the firewall planning and implementation model is deployment, which should be done in accordance with organization policies.
Before deploying the firewall, administrators should notify users or owners of potentially affected systems of the planned deployment, and instruct them whom to notify if they encounter any problems. Any changes required to other equipment, such as changing default routes, should [..]
Firewall Planning
The planning phase for choosing and implementing a firewall can begin only after an organization has determined that a firewall is needed to enforce the organization’s security policy. This typically occurs following a risk assessment of the overall system.
A risk assessment includes:
- the identification of threats and vulnerabilities in the information system;
- the potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability would have on the [..]
Firewalls | Policies Based on Applications
Most early firewall work involved simply blocking unwanted or suspicious traffic at the network boundary. Inbound application proxies take a different approach—they let traffic destined for a particular server into the network, but capture that traffic in a server that processes it like a port-based firewall.
The application proxy approach provides an additional layer of security for incoming traffic by validating some of the traffic before it reaches the desired [..]
TCP and UDP, ICMP and IPsec Protocols
TCP and UDP
TCP and UDP are used by applications. An application server typically listens at a fixed TCP or UDP port, while application clients typically use any of a wide range of ports—and as with other aspects of firewall rulesets, deny by default policies should be used for incoming TCP and UDP traffic.
Less stringent policies are generally used for outgoing TCP and UDP traffic because most organizations permit their users [..]
Firewall policies | IP Addresses and Characteristics
Firewall policies should only permit appropriate source and destination IP addresses to be used. Specific recommendations for IP addresses include:
- Traffic with invalid source or destination addresses should always be blocked, regardless of the firewall location. Examples of relatively common invalid IPv4 addresses are 127.0.0.1 (also known as the localhost address) and 0.0.0.0 (interpreted by some operating systems as a localhost or a broadcast address). These have no legitimate use on [..]
Architecture with Multiple Layers of Firewalls
There is no limitation on where a firewall can be placed in a network. While firewalls should be at the edge of a logical network boundary, creating an “inside” and “outside” on either side of the firewall, a network administrator may wish to have additional boundaries within the network and deploy additional firewalls to establish such boundaries.
The use of multiple layers of firewalls is quite common to provide defense-in-depth. For [..]
Network Layouts with Firewalls
The figure below shows a typical network layout with a hardware firewall device acting as a router. The unprotected side of the firewall connects to the single path labeled “WAN,” and the protected side connects to three paths labeled “LAN1,” “LAN2,” and “LAN3.” The firewall acts as a router for traffic between the Wide Area Network (WAN) path and [..]
Firewalls – Dedicated Proxy Servers
Dedicated proxy servers differ from application-proxy and circuit-level gateways in that while they retain proxy control of traffic, they do not have firewalling capabilities.
Although dedicated proxy servers are not firewalls, they are described in this section because of their close relationship to application-proxy gateway firewalls and circuit-level gateway firewalls. Many proxies are application-specific, and some actually perform analysis and [..]
Firewalls – Application Proxy Gateways
An application-proxy gateway is a feature of advanced firewalls that combines lower layer access control with upper layer functionality. These firewalls contain a proxy agent that acts as an intermediary between two hosts that wish to communicate with each other, and never allows a direct connection between the two hosts.
Each successful connection attempt actually results in the creation of two separate connections—one between the client and the proxy server, and [..]