Firewall Architecture
It is a good idea to use a screened subnet architecture as described
in "Building Internet Firewalls" (D. Brent Chapman,
Elizabeth D. Zwicky, O'Reilly & Associates, Inc.).
The figure below illustrates a screened subnet architecture with an
internal net and a perimeter net:
The most important services will be served from three servers on
the perimeter network:
- one INternet-server for services like ftp, www, news.
- one LocalNet-server for services like dns, mail which
  are needed in the internal network.
- one GateWay for login from the internet.
A host named trusted will be connected to the internal net
by a separate device (ippp1).
The internal network can use all "secure services" directly
in outgoing direction.
The perimeter network contains all hosts which are using "unsecure
services" like ftp. Also a gateway (GW) for login is located on
the perimeter network.
The firewall acts as both the exterior and the interior router. The
outgoing device is ippp0, the device to the perimeter network is eth1 and
the internal network is connected through device eth0. An external trusted
host is connected to the firewall through a separate device ippp1.
The above architecture supports most configurations:
- If you don't have an internal and/or perimeter network,
  ignore the internal interface(s) and the connected network(s).
- If you don't have a further external interface (ippp1), ignore the trusted
  connections.
In either of these two situations you only have to set up the services which
are available on the firewall itself; otherwise you additionally have to
define the screening rules for the services on the internal
and/or perimeter networks.
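The zone separation above can be written down as a first-match screening policy keyed on the four devices. The following is an added example, not part of the original document or its scripts; the interface names and server roles come from the text, while the concrete service names and the set of "secure services" are assumptions to be replaced by the real policy.

```python
# Added example: screening policy for the screened subnet described above.
# Devices and zones are taken from the text; service sets are assumptions.

ZONE_BY_IFACE = {
    "ippp0": "external",   # outgoing device towards the Internet
    "eth1": "perimeter",   # INternet-server, LocalNet-server and GW live here
    "eth0": "internal",    # internal net
    "ippp1": "trusted",    # external trusted host on its own device
}

# Assumed service sets; adjust them to the real policy.
SECURE_SERVICES = {"ssh", "https"}           # internal net may use these directly
PUBLIC_SERVICES = {"ftp", "www", "news"}     # offered by the INternet-server
LOCAL_SERVICES = {"dns", "mail"}             # offered by the LocalNet-server

# (src_zone, dst_zone, allowed services or "*"). Zone pairs without an
# entry, e.g. external -> internal or perimeter -> internal, are denied,
# so a compromised perimeter host cannot reach the internal net.
RULES = [
    ("internal",  "external",  SECURE_SERVICES),
    ("internal",  "perimeter", PUBLIC_SERVICES | LOCAL_SERVICES),
    ("perimeter", "external",  PUBLIC_SERVICES | LOCAL_SERVICES),
    ("external",  "perimeter", PUBLIC_SERVICES | LOCAL_SERVICES | {"login"}),
    ("trusted",   "internal",  "*"),
    ("trusted",   "perimeter", "*"),
]


def screen(in_iface, out_iface, service):
    """Return 'accept' or 'deny' for traffic entering the firewall on
    in_iface, leaving on out_iface and addressed to the named service."""
    src = ZONE_BY_IFACE.get(in_iface)
    dst = ZONE_BY_IFACE.get(out_iface)
    if src is None or dst is None or src == dst:
        return "deny"                  # unknown device or same-zone hairpin
    for rule_src, rule_dst, services in RULES:
        if (rule_src, rule_dst) == (src, dst):
            if services == "*" or service in services:
                return "accept"
            return "deny"              # zone pair known, service not permitted
    return "deny"                      # default: no rule, no traffic


if __name__ == "__main__":
    for flow in (("eth0", "ippp0", "https"), ("ippp0", "eth0", "ssh"),
                 ("ippp0", "eth1", "login"), ("eth1", "eth0", "dns")):
        print(flow, "->", screen(*flow))
```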
(c) 1998 Jens Hellmerichs-Friedrich