Firewall Architecture

It is a good idea to use a screened subnet architecture as described in "Building Internet Firewalls" (D. Brent Chapman, Elizabeth D. Zwicky, O'Reilly & Associates, Inc.).

The figure below illustrates a screened subnet architecture with an internal net and a perimeter net:

The most important services will be served from three servers on the perimeter network:

- one INternet-server for services like ftp, www and news.
- one LocalNet-server for services like dns and mail, which are needed in the internal network.
- one GateWay for login from the internet.

A host named trusted will be connected to the internal net by a separate device (ippp1). The internal network can use all "secure services" directly in the outgoing direction. The perimeter network contains all hosts which use "unsecure services" like ftp. A gateway (GW) for login is also located on the perimeter network.

The firewall acts as exterior and interior router at the same time. The outgoing device is ippp0, the device to the perimeter network is eth1, and the internal network is connected through device eth0. An external trusted host is connected to the firewall through a separate device ippp1.
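The screening decisions this architecture implies can be written down as an ordered rule table keyed on the interface a new connection arrives on and the interface it would leave on. The following model is an added example and not part of the original page: the interface names (ippp0, eth0, eth1, ippp1) and the three perimeter servers come from the text, while the addresses, the port numbers, the choice of ssh for "login" and the set of "secure services" are constructed assumptions. Only connection requests are modelled; reply traffic and state tracking are left out.

```python
"""Screening policy for the screened subnet described above (added example).

Interfaces from the page: ippp0 (internet), eth0 (internal net),
eth1 (perimeter net), ippp1 (external trusted host).  Addresses, service
names and port numbers below are constructed assumptions, not page data.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed perimeter hosts (assumed addresses).
IN_SERVER = "192.0.2.10"   # INternet-server: ftp, www, news
LN_SERVER = "192.0.2.20"   # LocalNet-server: dns, mail for the internal net
GATEWAY = "192.0.2.30"     # GateWay: login from the internet

# Assumed port numbers for the services the page names.
FTP, SSH, SMTP, DNS, WWW, NEWS = 21, 22, 25, 53, 80, 119
# Which outgoing services count as "secure" is left open by the page;
# this set is an assumption for the example.
SECURE_SERVICES = frozenset({SSH, WWW})
ANY = "*"


@dataclass(frozen=True)
class Rule:
    in_if: str                        # interface the connection arrives on, or ANY
    out_if: str                       # interface it would leave on, or ANY
    dst: str                          # destination host, or ANY
    dports: Optional[FrozenSet[int]]  # allowed destination ports; None = any port
    action: str                       # "ACCEPT" or "DROP"
    comment: str

    def matches(self, in_if: str, out_if: str, dst: str, dport: int) -> bool:
        return (self.in_if in (ANY, in_if)
                and self.out_if in (ANY, out_if)
                and self.dst in (ANY, dst)
                and (self.dports is None or dport in self.dports))


# First match wins; the last rule is the default-deny catch-all, so the
# internet -> internal direction is never accepted by any rule.
POLICY = [
    Rule("eth0", "ippp0", ANY, SECURE_SERVICES, "ACCEPT",
         "internal -> internet, secure services only"),
    Rule("eth0", "eth1", LN_SERVER, frozenset({DNS, SMTP}), "ACCEPT",
         "internal -> LocalNet-server (dns, mail)"),
    Rule("eth1", "ippp0", ANY, None, "ACCEPT",
         "perimeter hosts use unsecure services like ftp outbound (assumed: any port)"),
    Rule("ippp0", "eth1", IN_SERVER, frozenset({FTP, WWW, NEWS}), "ACCEPT",
         "internet -> INternet-server"),
    Rule("ippp0", "eth1", GATEWAY, frozenset({SSH}), "ACCEPT",
         "internet -> GateWay login (ssh assumed)"),
    Rule("ippp1", "eth0", ANY, None, "ACCEPT",
         "trusted host -> internal net (assumed: unrestricted)"),
    Rule(ANY, ANY, ANY, None, "DROP",
         "default deny: everything else, including internet -> internal"),
]


def screen(in_if: str, out_if: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, comment) of the first rule matching a new connection."""
    for rule in POLICY:
        if rule.matches(in_if, out_if, dst, dport):
            return rule.action, rule.comment
    raise AssertionError("POLICY must end with a catch-all rule")


def self_check() -> bool:
    """Decisions the architecture is meant to produce (constructed cases)."""
    cases = [
        (("eth0", "ippp0", "203.0.113.9", WWW), "ACCEPT"),
        (("eth0", "ippp0", "203.0.113.9", FTP), "DROP"),   # ftp is unsecure: not direct
        (("ippp0", "eth0", "10.0.0.5", WWW), "DROP"),      # nothing from internet inward
        (("ippp0", "eth1", IN_SERVER, FTP), "ACCEPT"),
        (("ippp0", "eth1", IN_SERVER, SSH), "DROP"),       # login only through the GW
        (("ippp0", "eth1", GATEWAY, SSH), "ACCEPT"),
        (("eth0", "eth1", LN_SERVER, DNS), "ACCEPT"),
        (("ippp1", "eth0", "10.0.0.5", SSH), "ACCEPT"),
    ]
    return all(screen(*conn)[0] == expected for conn, expected in cases)


if __name__ == "__main__":
    for conn in [("eth0", "ippp0", "203.0.113.9", FTP),
                 ("ippp0", "eth0", "10.0.0.5", WWW),
                 ("ippp0", "eth1", GATEWAY, SSH)]:
        action, why = screen(*conn)
        print(f"{conn[0]:>5} -> {conn[1]:<5} {conn[2]}:{conn[3]:<4} {action:6} ({why})")
```

If a site has no ippp1 device, the trusted-host rule simply never matches and can be dropped from the table, which is the "ignore the trusted connections" case of the text; the same applies to the eth0 or eth1 rules when the corresponding network does not exist.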

The above architecture supports most configurations:

- If you don't have an internal and/or perimeter network, ignore the internal interface(s) and the connected network(s).
- If you don't have additional external interfaces (ippp1), ignore the trusted connections.

In either of these two situations you only have to set up the services which are available on the firewall itself; otherwise you additionally have to define the Screening rules for the services on the internal and/or perimeter networks.


(c) 1998 Jens Friedrich