Firewall Interfaces: Inside, Outside, and DMZ
In its most basic form, a firewall has just two network interfaces: inside and outside. These labels refer to the level of trust placed in the attached network: the outside interface is connected to the untrusted network (often the Internet) and the inside interface is connected to the trusted network. In an internal deployment, the interface referred to as outside may be connected to the company backbone, which is probably not as untrusted as the Internet but is still trusted somewhat less than the inside. Recall the previous example of a firewall deployed to protect a payroll department.
As a company's Internet business needs become more complex, the limitations of having only two interfaces become apparent. For example, where would you put a Web server for your customers? If you place it on the outside of the firewall, as in Figure 1.7, the Web server is fully exposed to attacks, with only a screening router for basic protection. In this instance you must rely entirely on the security of the host system itself.
The other possibility in the two-interface firewall scenario is to put the Web server inside the firewall, on an internal segment (see Figure 1.8). The firewall would be configured to allow Web traffic on port 80, and perhaps 443 for Secure Sockets Layer (SSL), through to the IP address of the Web server. This prevents any direct probing of your internal network by an attacker, but what if he or she is able to compromise your Web server through port 80 and gain remote superuser access? Then he or she is free to launch attacks from the Web server to anywhere else in your internal network, with no restrictions, because traffic between hosts on the same internal segment never passes through the firewall and so can never be filtered by it.
www.syngress.com
24 Chapter 1 • Introduction to Security and Firewalls
The answer to these problems is to have support for multiple interfaces on your firewall, as most commercial systems now do. This solution allows for the establishment of intermediate zones of trust that are neither inside nor outside. These are referred to as DMZs (from the military term demilitarized zone). A DMZ network is protected by the firewall to the same extent as the internal network, but it is separated so that access from the DMZ to the internal network is filtered as well. A server in the DMZ that is compromised therefore has only the connections to the inside that the firewall policy explicitly permits. Figure 1.9 shows this layout.
Figure 1.7 A Web Server Located Outside the Firewall (diagram labels: Internet, border router, Web server, firewall, internal LAN)

Figure 1.8 A Web Server Located Inside the Firewall (diagram labels: Internet, border router, firewall, Web server, internal LAN)
Another design sometimes deployed uses two firewalls: an outer one and an inner one, with the DMZ lying between them (see Figure 1.10). Sometimes firewalls from two different vendors are used in this design, on the assumption that a security hole in one would be blocked by the other. However, evidence shows that almost all firewall breaches result from misconfiguration, not from errors in the firewall code itself. Thus, such a design mainly increases cost and management overhead (two rule sets to keep consistent instead of one) without providing much additional security, if any.
Figure 1.9 A DMZ Network (diagram labels: Internet, border router, firewall, DMZ with Web server, internal LAN)

Figure 1.10 A Two-Firewall Architecture (diagram labels: Internet, border router, outer firewall, DMZ with Web server, inner firewall, internal LAN)
Some sites have even implemented multiple DMZs, each with a different business purpose and a corresponding level of trust. For example, one DMZ segment could contain only servers for public access, whereas another could host servers just for business partners or customers. This approach enables a more granular level of control and simplifies administration, since each segment's rules need only describe the one class of traffic it exists to carry.
In a more complex e-commerce environment, the Web server might need to access customer data from a backend database server on the internal LAN. In this case, the firewall would be configured to allow Hypertext Transfer Protocol (HTTP) access from the outside to the Web server, and then only the specific connections needed from the Web server to the appropriate IP address and port of the inside database server. Every other connection from the DMZ to the inside should remain blocked, so that a compromised Web server can reach nothing on the internal LAN beyond that single database listener.
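The following is an added example, not code from the original chapter, that models the two designs discussed above as a zone-based rule set: the two-interface layout of Figure 1.8 with the Web server on the internal segment, and the three-interface DMZ layout of Figure 1.9 with the Web-to-database rule just described. All addresses, host roles and the database port are hypothetical. Rules are evaluated first-match-wins with an implicit deny, and traffic that stays on one segment is reported as unfiltered because it never crosses the firewall. The `pivot_from_web` function shows what an attacker who has taken over the Web server could still reach on the internal LAN in each design.

```python
"""Zone-based firewall policy model: inside, outside and DMZ.

Added example, not code from the original chapter. Addresses, hosts and
the database port are hypothetical. Rules are matched first-match-wins
and anything not permitted is denied (the firewall's implicit default).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_net: str                           # CIDR, or "any"
    proto: str                             # "tcp", "udp" or "any"
    dst_ports: frozenset = frozenset()     # empty set means any port
    action: str = "permit"                 # "permit" or "deny"

    def matches(self, src_zone, dst_zone, dst_ip, proto, dst_port) -> bool:
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return False
        if self.dst_net != "any" and ip_address(dst_ip) not in ip_network(self.dst_net):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return not self.dst_ports or dst_port in self.dst_ports


def evaluate(policy, src_zone, dst_zone, dst_ip, proto, dst_port) -> str:
    """Return 'unfiltered', 'permit' or 'deny' for one connection attempt.

    Traffic between hosts on the same segment never reaches the firewall,
    so it cannot be filtered: that is the weakness of the Figure 1.8 layout.
    """
    if src_zone == dst_zone:
        return "unfiltered"
    for rule in policy:
        if rule.matches(src_zone, dst_zone, dst_ip, proto, dst_port):
            return rule.action
    return "deny"  # implicit default when no rule matches


def reachable(policy, src_zone, probes):
    """Keep the (dst_zone, dst_ip, proto, port) probes a host in src_zone
    could connect to. Models an attacker scanning from a host they own."""
    return [p for p in probes if evaluate(policy, src_zone, *p) != "deny"]


# Hypothetical addressing (documentation and private ranges)
WEB_INSIDE = "10.0.0.10"      # Figure 1.8: Web server on the internal LAN
WEB_DMZ = "198.51.100.10"     # Figure 1.9: Web server in the DMZ
DB_SERVER = "10.0.0.20"       # backend database on the internal LAN
FILE_SERVER = "10.0.0.30"     # an unrelated internal host
DB_PORT = 5432                # hypothetical database listener port

# Figure 1.8: two interfaces, Web server inside, ports 80/443 punched through
TWO_IF_POLICY = [
    Rule("outside", "inside", WEB_INSIDE + "/32", "tcp", frozenset({80, 443})),
    Rule("inside", "outside", "any", "any"),
]

# Figure 1.9: three interfaces; DMZ-to-inside is filtered down to the one
# database connection the Web server actually needs
DMZ_POLICY = [
    Rule("outside", "dmz", WEB_DMZ + "/32", "tcp", frozenset({80, 443})),
    Rule("dmz", "inside", DB_SERVER + "/32", "tcp", frozenset({DB_PORT})),
    Rule("inside", "dmz", "any", "any"),
    Rule("inside", "outside", "any", "any"),
    # outside->inside and everything else falls through to the implicit deny
]

# Connections a compromised Web server might try against the internal LAN
INTERNAL_PROBES = [
    ("inside", DB_SERVER, "tcp", DB_PORT),
    ("inside", DB_SERVER, "tcp", 22),
    ("inside", FILE_SERVER, "tcp", 445),
]


def pivot_from_web(design: str):
    """Internal targets still reachable from a compromised Web server."""
    if design == "two-interface":
        # The Web server sits on the inside segment itself, so none of
        # these connections ever cross the firewall.
        return reachable(TWO_IF_POLICY, "inside", INTERNAL_PROBES)
    return reachable(DMZ_POLICY, "dmz", INTERNAL_PROBES)


if __name__ == "__main__":
    for design in ("two-interface", "dmz"):
        print(design, "->", pivot_from_web(design))
```

Running the script shows the difference the DMZ makes: in the two-interface design every probe comes back unfiltered, while in the DMZ design only the single permitted database connection survives. The same model extends to the multiple-DMZ case by adding a zone name and the handful of rules that segment exists to carry.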