How to Build a Firewall
Building and installing a firewall is easier than you think! Simon Bisson explains how, in this practical guide from PC Network Advisor.
Building a firewall has, in the space of a few years, gone from a luxury to a necessity.
With attacks on business computer systems becoming more visible (and potentially more expensive), and with holes in operating systems more public, some form of Internet security policy is essential.
This can include everything from limiting the number of machines and systems with an Internet connection, to controlling what files can enter or leave a company network. A security policy alone won’t prevent attacks and intrusions, so some form of defence is required, often implemented in the form of a firewall.
Definition
When you build a firewall you are setting up a set of tools designed to prevent unauthorised access to a network, and can mix hardware and software solutions to provide a layered defence.
A typical firewall architecture is based around two concepts: the “choke router” and the “bastion host”. If you are not comfortable with these concepts, read the PC Network Advisor article Understanding Firewalls.
Most routers allow you to define access control lists, which can control exactly which IP packets are routed and to where. Whilst choking an Internet connection this way is an all-or-nothing security mechanism, you can use router access control lists to explicitly deny access to your network for specific packet types, or to make sure that certain packets are only delivered to specific machines so that, for example, mail is only delivered to your mail server or Web access is only to your public Web server or Web proxies.
Bastion Host
Keeping the network itself secure is the job of the bastion host. Taking its name from the fortified gateways of a feudal Norman castle, this is what is often thought of as the firewall but is really only part of a layered firewall architecture.
The bastion host is a machine with only one purpose: to pass packets between your network and the Internet. Usually, it’s a dedicated machine with two separate network interfaces. The bastion host will act as an active router, linking your private network to the Internet, monitoring the state of each connection and blocking packets that don’t meet the rules you have defined.
If you use it for anything other than an Internet gateway, you may be adding weaknesses to your security architecture. For example, if you use the machine for reading email, it’s possible for someone to send an email with an embedded ActiveX control so that, when you read the message, the control turns off the firewall.
You must make sure that the bastion’s operating system is configured to prevent any packets being routed directly between its network interfaces. Most commercial packages will handle this for you, but if you are unsure, you can configure most dialects of Unix to stop any internal routing.
The DMZ
Between the choke router and the bastion host lies the “Demilitarised Zone”. The DMZ is a partially protected area, where you can install public services. Machines in the DMZ should not be fully trusted, and should only be used for single purposes - such as a Web server or an ftp server. Any extra services should be disabled, and user accounts kept to a minimum. If it is possible to only allow logins from trusted hosts or the system console, all other access routes should be removed.
Some firewall packages make the DMZ more secure by using a third network interface to host public services and using the firewall software to protect them rather than a choke router.
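The three pieces described above - the choke router’s access control list, the stateful bastion host, and the DMZ sitting between them - fit together as follows. This is an added example written for this page, not code from the article or from any firewall product; the addresses are the RFC 5737 documentation ranges and every host, port and rule in it is constructed for illustration. It traces packets arriving from the Internet through the stateless router ACL (mail only to the mail server, Web only to the Web server, implicit deny for everything else) and then, for anything aimed at the private network, through the bastion’s connection table.

```python
"""Model of a layered firewall: a stateless choke router ACL in front of the
DMZ, and a stateful bastion host guarding the private network.

Added example code; the networks, hosts and rules below are constructed
(RFC 5737 documentation ranges), not taken from the article."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("192.0.2.0/24")     # private LAN behind the bastion (constructed)
DMZ = ip_network("198.51.100.0/24")       # public services (constructed)
MAIL_SERVER = ip_network("198.51.100.25/32")
WEB_SERVER = ip_network("198.51.100.80/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # True for the first segment of a TCP connection


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    proto: str = "any"
    src: Optional[IPv4Network] = None  # None means any source
    dst: Optional[IPv4Network] = None  # None means any destination
    dport: Optional[int] = None        # None means any destination port
    established: bool = False          # match only non-SYN TCP (replies to existing flows)

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ip_address(p.dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and (p.proto != "tcp" or p.syn):
            return False
        return True


# Choke router ACL for packets arriving from the Internet: first match wins.
CHOKE_ACL = [
    Rule("deny", proto="tcp", dport=23),                        # no telnet anywhere
    Rule("permit", proto="tcp", dst=MAIL_SERVER, dport=25),     # mail only to the mail server
    Rule("permit", proto="tcp", dst=WEB_SERVER, dport=80),      # Web only to the Web server
    Rule("permit", proto="tcp", dst=INTERNAL, established=True),  # replies to flows opened inside
]


def choke_router(p: Packet) -> bool:
    """Stateless filtering: anything no rule permits is dropped (implicit deny)."""
    for rule in CHOKE_ACL:
        if rule.matches(p):
            return rule.action == "permit"
    return False


class Bastion:
    """Two-interface gateway that only lets outside packets in when they answer
    a connection the private network opened."""

    def __init__(self) -> None:
        self.connections: set = set()   # (src, sport, dst, dport, proto) opened from inside

    def forward(self, p: Packet) -> bool:
        if ip_address(p.src) in INTERNAL:
            self.connections.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return True
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        return reverse in self.connections


def path_from_internet(bastion: Bastion, p: Packet) -> str:
    """Trace an Internet-originated packet through the layers it must cross."""
    if not choke_router(p):
        return "dropped by choke router"
    if ip_address(p.dst) in DMZ:
        return "delivered to DMZ host"
    if not bastion.forward(p):
        return "dropped by bastion host"
    return "delivered to internal host"


def run_scenario() -> dict:
    """Constructed traffic mix showing what each layer stops."""
    bastion = Bastion()
    outside, inside = "203.0.113.7", "192.0.2.10"   # constructed Internet host / workstation
    mail, web = "198.51.100.25", "198.51.100.80"
    r = {}
    r["mail to mail server"] = path_from_internet(bastion, Packet(outside, mail, "tcp", 51000, 25, syn=True))
    r["web to mail server"] = path_from_internet(bastion, Packet(outside, mail, "tcp", 51001, 80, syn=True))
    r["telnet to web server"] = path_from_internet(bastion, Packet(outside, web, "tcp", 51002, 23, syn=True))
    r["new connection to internal host"] = path_from_internet(bastion, Packet(outside, inside, "tcp", 51003, 80, syn=True))
    # A workstation opens an HTTPS session; the bastion records the flow.
    r["outbound https"] = "forwarded" if bastion.forward(Packet(inside, outside, "tcp", 40000, 443, syn=True)) else "dropped by bastion host"
    r["reply to that session"] = path_from_internet(bastion, Packet(outside, inside, "tcp", 443, 40000))
    # Same source, wrong port: the stateless router cannot tell, the bastion can.
    r["unsolicited non-SYN to internal host"] = path_from_internet(bastion, Packet(outside, inside, "tcp", 443, 40001))
    return r


if __name__ == "__main__":
    for label, outcome in run_scenario().items():
        print(f"{label:40s} -> {outcome}")
```

The last two cases are the point of the layering: a stateless ACL has to let non-SYN segments reach the private network or no outbound connection would ever get a reply, so an unsolicited non-SYN packet passes the choke router. It is the bastion’s connection table that drops it, which is why the article insists the bastion does nothing but gateway duty.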
When you build a firewall with any firewall software package you will encounter these concepts, though the names may differ slightly.