Areas of a Network
Areas of the network are defined by where the traffic is initiated from and where it is flowing to. For example, as traffic on the corporate side of a firewall flows toward the Internet, it is known as traffic flowing from the trusted inside (corporate) to the untrusted outside area of the network.
Firewalls help us divide the networks into the trusted, DMZ, and untrusted areas. The most basic firewall configuration contains only two interfacesthe inside (trusted) and the outside (untrusted)and there is no official DMZ (see Figure 3.1). If two basic firewalls are stacked together, a DMZ area can be created between them, as shown in Figure 3.2. However, most high-end models of firewalls contain at least three interfaces and are correspondingly called three-pronged firewalls, as shown in Figure 3.3. The inside interface connects to the trusted area; the outside connects to the untrusted area; and the DMZ connects to the semi-trusted area. In all these types of setups, most environments contain a perimeter router used to provide Internet service provider (ISP) connection.
Figure 3.1 Standard firewall without a DMZ.
Figure 3.2 Stacked firewall with a DMZ.
Figure 3.3 Three-pronged firewall.
The inside interface connects the trusted section of the network to untrusted areas such as the DMZ and Internet. It's worth keeping in mind that trusted areas might not always be made up of users needing protection only from the Internet; they might also require protection from other internal corporate users. For example, an engineering team might need to protect its secret widget network from the probing eyes of other users within the company; the computers hosting the top-secret widget data would then be attached to the inside interface of a PIX firewall.
The outside interface connects the firewall to the most untrusted areas, such as the Internet. A firewall's primary function is to protect the DMZ and inside areas from undesired traffic originating from the outside interface. Traffic from the inside and DMZ can travel through the outside interface to the untrusted area, but traffic from the untrusted area is blocked from entering. Consider Jack, for example, a user on the inside interface who is allowed to connect to the Internet and check for the latest GPS software release dates. On the other hand, Jimmy the evil hacker cannot connect to Jack's computer because Jimmy's traffic is originating on the outside interface.
If necessary, a firewall can allow traffic initiated from the outside to connect to computers within the DMZ or inside area. However, you must manually configure the firewall to allow this traffic, and in doing so you effectively allow a security hole. So, be careful. The more traffic you allow from the outside to inside or DMZ areas, the higher probability a hacker will find an open IP address or port and send an attack toward it. So, typically a few holes are created to allow only what is required through. For example, port 80 might be opened to allow traffic to pass through the firewall to a Web server in a DMZ area and all other traffic would be blocked.
Demilitarized Zone Details
The demilitarized zone is an isolated portion of the network that contains computers called bastion hosts. Bastion hosts are systems that have been hardened by applying lock-down procedures, turning off unnecessary services, and installing security patches. These hosts are placed in the DMZ when access from the outside areas need to reach services on these computers. Web, email, and FTP programs are a few of these types of services with which you might be familiar. As an example, if Company B has a Web server that it needs to allow Internet users to access, Company B places the Web server in the DMZ, hardens the system, and configures the firewall so that outside users can have access to this single system. Because bastion hosts can be accessed from the Internet or other untrusted areas, always remember that Jimmy the evil hacker can potentially be attacking this system. So, always have backups of your bastion hosts!
Computers in the DMZ can be non-bastion hosts also, meaning they have not been hardened with software patches and have had unused services and programs removed or disabled. However, they are high-risk systems just looking for trouble from hackers.
Perimeter routers, also called border routers, provide the final connection to the Internet or untrusted networks. Typically, these devices do not provide many security features; their function is simply to provide an interface to an ISP or a wide area network (WAN) connection. A perimeter router can, for instance, connect an Ethernet local area network (LAN) to a digital subscriber line (DSL) modemor, better yet, a high-speed, enterprise-grade satellite link. They can provide a basic isolation from the ISP and also provide basic packet filtering to traffic before it reaches the firewall, adding to your security suite.