What Is the Inner Architecture of a Firewall and What Are Its Limitations?

Firewall Architecture

As the variety of firewall types suggests, firewalls can be implemented in many different ways to meet very different needs. This leads to another important aspect of the subject: the architecture of a firewall.

Architecture of Firewall


When we talk about architecture, we mean how the firewall is designed and deployed. There are basically three types of architecture, described below.


Dual-Homed Host Architecture

In this architecture, a computer called a dual-homed host sits between the internal network and the external network, usually the internet. The name comes from the fact that this host has at least two network interfaces, one for each "side".


Note that there is no other communication path: all traffic passes through this firewall, and there is no direct access from the internal network to the external network (or vice versa). The main advantage of this approach is very tight control over traffic. The most significant disadvantage is that any problem with the dual-homed host, an intrusion for example, can compromise the security of the network or even halt traffic altogether. For this reason, it may not be suitable for networks where internet access is essential.


This type of architecture is widely used for proxy firewalls.


Screened Host

In the Screened Host architecture, instead of a single machine acting as the intermediary between the internal network and the external network, there are two: one that acts as a router (the screening router) and another called the bastion host.


The bastion host sits between the router and the internal network and does not allow direct communication between the two sides. This is therefore an extra layer of security: communication flows internal network - bastion host - screening router - external network, and vice versa.


The router normally works as a packet filter, with its filters configured to direct traffic to the bastion host. The bastion host, in turn, can decide whether particular connections should be allowed or not, even if they have already passed the router's filters.


As the critical point of the structure, the bastion host needs to be well protected; otherwise it will jeopardize the security of the internal network or even make it inaccessible.


Screened Subnet

The Screened Subnet architecture also has the figure of the bastion host, but here it sits within an isolated area with an interesting name: the DMZ, which stands for Demilitarized Zone.


The DMZ, in turn, sits between the internal network and the external network. Between the internal network and the DMZ there is a router that normally works as a packet filter, and between the DMZ and the external network there is another router of the same type.


This architecture is quite secure: even if an attacker gets past the first router, they still have to deal with the demilitarized zone and the second router behind it. The DMZ can also be configured in different ways, for example by implementing proxies or by adding more bastion hosts to handle specific kinds of requests.


Its security level and configuration flexibility make the Screened Subnet a more complex and, consequently, more expensive architecture.
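To make the two-router layout concrete, here is an added example (not code from the original article) that models the screened subnet as two default-deny screening routers and walks each packet through every router between its source and destination zone. The address plan, the bastion's service ports and the rule sets are assumptions chosen for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (an assumption for this example, not from the article).
INTERNAL = ip_network("10.0.0.0/24")
DMZ = ip_network("192.0.2.0/24")         # the demilitarized zone
BASTION = ip_address("192.0.2.10")       # the bastion host inside the DMZ
ORDER = ["external", "dmz", "internal"]  # zones along the path, outside to inside


def zone(addr):
    a = ip_address(addr)
    return "internal" if a in INTERNAL else "dmz" if a in DMZ else "external"


def exterior_router(src, dst, dport):
    """Screening router between the external network and the DMZ (default deny)."""
    if zone(src) == "external" and ip_address(dst) == BASTION and dport in (25, 80, 443):
        return "ACCEPT"  # only the bastion's published services are reachable from outside
    if zone(src) == "dmz" and zone(dst) == "external":
        return "ACCEPT"  # the bastion relays outbound traffic for inside hosts
    return "DROP"        # nothing from outside is routed towards the internal network


def interior_router(src, dst, dport):
    """Screening router between the DMZ and the internal network (default deny)."""
    if zone(src) == "internal" and ip_address(dst) == BASTION and dport in (25, 3128):
        return "ACCEPT"  # inside clients reach only the bastion (mail relay, web proxy)
    if ip_address(src) == BASTION and zone(dst) == "internal" and dport == 25:
        return "ACCEPT"  # the bastion may deliver mail inward, nothing else
    return "DROP"        # a compromised bastion still cannot roam the internal network


ROUTERS = {("external", "dmz"): ("exterior", exterior_router),
           ("dmz", "internal"): ("interior", interior_router)}


def filter_packet(src, dst, dport):
    """Walk a packet through every screening router between its source and
    destination zones; returns ("ACCEPT", None) or ("DROP", <router that dropped it>)."""
    i, j = ORDER.index(zone(src)), ORDER.index(zone(dst))
    step = 1 if j >= i else -1
    for k in range(i, j, step):
        hop = tuple(sorted((ORDER[k], ORDER[k + step]), key=ORDER.index))
        name, router = ROUTERS[hop]
        if router(src, dst, dport) != "ACCEPT":
            return "DROP", name
    return "ACCEPT", None
```

A packet from outside aimed straight at an internal host is dropped by the exterior router before it ever reaches the DMZ, and a connection opened by the bastion itself towards an internal host on anything but the mail port is dropped by the interior router, which is exactly the second layer the text describes.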



Personal Firewalls

The section on architectures shows the options for deploying firewalls on networks. But, as you probably know, there are simpler firewalls designed to protect a single computer, be it a desktop, a laptop or a tablet. These are personal (or home) firewalls, which everyone should use.


Fortunately, current operating systems for home or office use usually include a built-in firewall by default, as is the case with Linux distributions, Windows 8 and Mac OS X. In addition, antivirus developers commonly offer other protection options alongside their software, including a firewall.


For those looking for a more efficient solution that allows various kinds of adjustments, there are numerous options, many of them free. Windows users, for example, can turn to ZoneAlarm or Comodo, among others.


Whatever your operating system, it is worth researching an option that meets your needs.



Hardware Firewall

It has already been mentioned in this text that a firewall can be a software or a hardware solution. That is not incorrect, but it needs a qualification: the hardware is nothing more than a device with firewall software installed.


Routers or similar equipment that perform this function are readily available, for example. In that case, the goal is usually to protect a network with considerable traffic or very important data.


The advantage of a hardware firewall is that the equipment, being developed specifically for this purpose, is designed to handle large volumes of data and is not subject to the vulnerabilities that can be found on a conventional server (caused by a flaw in other software installed on it, for example).



Firewall Limitations

Reading this text, you may already have noticed that firewalls have their limitations, which vary according to the type of solution and the architecture used. Firewalls are very important security features, but they are not perfect in every respect.


To summarize, the following limitations can be mentioned:

  • A firewall can provide the desired security but compromise the performance of the network (or even of a single computer). This can lead to additional expense for expanding the infrastructure enough to overcome the problem;
  • The policy has to be reviewed periodically so that it does not hinder the operation of new services;
  • New services or protocols may not be handled adequately by proxies that are already in place;
  • A firewall may not be able to prevent malicious activity that both originates in and is aimed at the internal network;
  • A firewall may not be able to identify malicious activity that results from the user's carelessness, for example when the user opens a fake bank website by clicking a link in an e-mail message;
  • Firewalls need to be "watched": malware or experienced attackers may try to discover or exploit security holes in such solutions;
  • A firewall cannot intercept a connection that does not pass through it. If, for example, a user connects their computer to the internet over a 3G connection (perhaps precisely to circumvent network restrictions), the firewall cannot intervene.


Conclusion

As you can see, firewalls are important security solutions; it is not surprising that they emerged in the 1980s and are still widely used today. But, as the section on limitations shows, a firewall cannot fully protect a network or a computer on its own, which is why it must be used in conjunction with other measures, such as antivirus software, intrusion detection systems, VPNs (Virtual Private Networks) and so on.


The right way to think about it is that the firewall is part of security, not security itself, just as in a building, where walls, gates, surveillance cameras and alarms provide security together and are far less effective when only one of them is used.
