Just like everything else in the world of networking, firewalls must be incorporated into the right setup to be of any use. Where a firewall is placed is crucial and depends on what the network is used for. For instance, most web servers opt for the “dual firewall” setup, which allows users to communicate with the server in a way that keeps the web server safe.
Of course, a dual firewall can be extremely expensive, which is why there are three basic firewall topologies to choose from.
What to Choose, and Why:
The Bastion Host
The most basic firewall topology is the bastion host. This type of firewall setup is best suited for very small networks. In its design, only one boundary exists between the private network and the outside world. This boundary can be either a hardware firewall, or even a dedicated computer installed with a trusted firewall application. By allowing only this one computer access to the outside world, the network will be relatively safe from attack, as there is only one point of entry.
However, the bastion host does have a major drawback. Since there is only one boundary, hackers will be glad to find that once the defenses are penetrated, they are free to do as they wish to the entire network. Obviously, this firewall topology is best suited for smaller networks that hold little or nothing of importance.
The Screened Subnet
The screened subnet is a greatly improved form of the bastion host. Interestingly, the screened subnet still uses only one firewall - just like the bastion host topology. In this setup, the screened subnet makes use of a demilitarized zone, or DMZ. This can be considered a “neutral” zone between the private network and the outside world. The subnet portion of the name refers to the DMZ. This allows a network to connect to the internet through one network address - not multiple. It also limits the points of access from the outside world to just one - which is great for keeping security strict.
The DMZ typically acts as a buffer zone in which documents like corporate websites are stored. The outside world can view these documents, but cannot access the crucial files that exist in the private network. Even if the DMZ is penetrated, only non-crucial files are corrupted - which keeps losses fairly low in the event of an attack. As an added security benefit, users on the private network must go through the same DMZ to access the outside world.
The Dual Firewalls
Dual firewalls are fairly self-explanatory. This setup incorporates two firewalls and also uses the screened subnet layout: the two firewalls are placed on either side of the demilitarized zone, or DMZ. This adds an extra layer of security for the private network’s users, who may unwittingly create security risks. Since this is one of the most secure firewall topologies, it is used in most large network applications. Web companies, corporations, and governments have all come to appreciate the dual firewall setup.
The dual firewall topology works well with VLANs - or virtual local area networks. This design allows a firewall to apply different “zones” of security to different computers. It also allows things such as bandwidth allocations to be enforced. Most of these types of applications are found on college campuses, which limit students’ access to bandwidth to ensure a healthy network.
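To make the difference between the three topologies concrete, here is an added Python model that is not part of the original article and is not any vendor’s configuration. It encodes each topology as zones, the firewalls a flow between two zones must cross, and first-match rule lists with an implicit final deny, then asks which zones and ports a host in a compromised zone can still reach. The zone names, rules, port list and the assumption that all inter-zone traffic crosses the listed firewalls are constructed for the example.

```python
"""Zone-based model of the bastion host, screened subnet and dual firewall
topologies.  Constructed example: zone names, rules, ports and paths are
assumptions made for illustration, not a vendor configuration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard destination port


@dataclass(frozen=True)
class Rule:
    src: str             # source zone
    dst: str             # destination zone
    port: Optional[int]  # destination port, or ANY
    action: str          # "allow" or "deny"


class Firewall:
    """Ordered rule list: first match wins, implicit deny at the end."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = list(rules)

    def decide(self, src: str, dst: str, port: int) -> str:
        for r in self.rules:
            if r.src == src and r.dst == dst and r.port in (ANY, port):
                return r.action
        return "deny"


class Topology:
    """paths maps (src_zone, dst_zone) to the firewalls that flow crosses, in
    order.  Hosts inside one zone reach each other with no firewall between them."""

    def __init__(self, name: str, firewalls: Dict[str, Firewall],
                 paths: Dict[Tuple[str, str], List[str]]):
        self.name, self.firewalls, self.paths = name, firewalls, paths

    def allowed(self, src: str, dst: str, port: int) -> bool:
        if src == dst:
            return True
        if (src, dst) not in self.paths:
            return False  # the two zones are not connected at all
        return all(self.firewalls[fw].decide(src, dst, port) == "allow"
                   for fw in self.paths[(src, dst)])

    def blast_radius(self, compromised: str, ports=(22, 80, 443, 445)) -> List[str]:
        """Zone:port pairs an attacker who owns a host in `compromised` can reach."""
        reach = [f"{compromised}:*"]  # same zone, unfiltered
        for zone in sorted({z for pair in self.paths for z in pair}):
            if zone != compromised:
                reach += [f"{zone}:{p}" for p in ports if self.allowed(compromised, zone, p)]
        return reach


def bastion_host() -> Topology:
    # One boundary only, so the public web server has to sit on the private network.
    fw = Firewall("bastion", [
        Rule("internet", "internal", 80, "allow"),   # public web service
        Rule("internal", "internet", ANY, "allow"),  # users browsing out
    ])
    return Topology("bastion host", {"bastion": fw}, {
        ("internet", "internal"): ["bastion"],
        ("internal", "internet"): ["bastion"],
    })


def screened_subnet() -> Topology:
    # One three-legged firewall; the web server moves into the DMZ.
    fw = Firewall("edge", [
        Rule("internet", "dmz", 80, "allow"),        # public web service
        Rule("dmz", "internet", 443, "allow"),       # DMZ hosts may fetch updates
        Rule("internal", "dmz", ANY, "allow"),       # staff manage DMZ hosts
        Rule("internal", "internet", ANY, "allow"),  # users browsing out
        # no dmz -> internal rule, so a compromised DMZ host is stopped here
    ])
    zones = ("internet", "dmz", "internal")
    paths = {(a, b): ["edge"] for a in zones for b in zones if a != b}
    return Topology("screened subnet", {"edge": fw}, paths)


def dual_firewall(outer_allows_all: bool = False) -> Topology:
    # Outer firewall guards internet <-> DMZ, inner firewall guards DMZ <-> internal.
    outer_rules = [
        Rule("internet", "dmz", 80, "allow"),
        Rule("dmz", "internet", 443, "allow"),
        Rule("internal", "internet", ANY, "allow"),
    ]
    if outer_allows_all:  # simulate a misconfigured or breached outer firewall
        outer_rules = [Rule("internet", "dmz", ANY, "allow"),
                       Rule("internet", "internal", ANY, "allow")] + outer_rules
    inner = Firewall("inner", [
        Rule("internal", "dmz", ANY, "allow"),
        Rule("internal", "internet", ANY, "allow"),
        # nothing inbound to internal: implicit deny for dmz and internet sources
    ])
    return Topology("dual firewall", {"outer": Firewall("outer", outer_rules), "inner": inner}, {
        ("internet", "dmz"): ["outer"], ("dmz", "internet"): ["outer"],
        ("dmz", "internal"): ["inner"], ("internal", "dmz"): ["inner"],
        ("internet", "internal"): ["outer", "inner"],
        ("internal", "internet"): ["inner", "outer"],
    })


if __name__ == "__main__":
    for topo, web_zone in ((bastion_host(), "internal"),
                           (screened_subnet(), "dmz"),
                           (dual_firewall(), "dmz")):
        print(f"{topo.name}: web server compromised in '{web_zone}' reaches",
              topo.blast_radius(web_zone))
    print("outer firewall misconfigured, internet -> internal:445 allowed?",
          dual_firewall(outer_allows_all=True).allowed("internet", "internal", 445))
```

Running it shows the article’s three points: in the bastion host the compromised web server is already on the private network, so its blast radius includes every internal host unfiltered; in the screened subnet the same compromise is confined to the DMZ (plus the outbound update port); and in the dual firewall layout, even when the outer firewall is opened up entirely, the inner firewall still has no rule admitting traffic into the private network, so internet-to-internal flows stay blocked.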
Each topology has its own use and application. Home users will be glad to know that a basic software firewall will do - these topologies are reserved for larger networks and companies. The bastion host will likely be a great choice for the smaller network. The screened subnet is also great for smaller networks, but provides better security. And finally, the dual firewall topology will provide the best security if properly configured.
Since more security generally means more cost, figuring out what kind of budget your company has is the first step in creating a secure network. Thousands of dollars can go into just buying the hardware for a demilitarized zone from a vendor such as Cisco, so be sure to weigh all the needs and resources before ultimately deciding on a setup for your network.