Setting up a DMZ (DeMilitarized Zone)
A DMZ is an area outside the firewall, in a portion of the network that remains on
the public network. A DMZ has been compared to the front yard of a house. The front
yard is visible to the public and anyone can access it, but the yard still
belongs to whoever owns the house. The owner will lock anything of value inside
the house but will usually prepare the yard to receive visitors.
To set up a DMZ, install a computer that does not contain
critical data between the firewall and the Internet connection. This computer
will become a “gateway” computer. Most software-based firewalls will allow
you to designate a directory on the gateway computer so that the network will
know it’s the DMZ.
How Many Firewalls?
A firewall should be installed at every connection to the
Internet. For instance, if you have more than one T1 line coming into the
building, you’ll need a firewall on each line.
The Rules
You can establish rules on each firewall so that it will allow
or deny traffic. Some examples of rules a firewall will accept include:
- Whether to accept e-mail traffic.
- Whether to allow telnet service.
- Whether to allow file transfers.
The Methods
Firewalls use one or more of these three methods to control
traffic flowing in and out of the network:
- Packet filtering – Packet headers are analyzed and compared
against the set of filters you implemented when you configured the firewall.
Packets the firewall allows in are routed to the destination node. Those not
allowed in will be discarded.
- Proxy server – Data packets from the Internet are intercepted by
a firewall set up to act as a proxy server, and examined before they are
sent to the destination node. Those packets that are not permitted will be
discarded. Note: the proxy server will also examine requests for
Internet access coming from an internal node and attempting to leave the
network. If a request is to a site that is not permitted, it will be discarded and
the requesting node will be sent a message. See a fuller explanation of
proxy servers in the next objective.
- Stateful inspection – This is a fairly new firewall service. This
method does not examine the contents of each packet. Instead, it compares
certain key parts of the packet to a database of trusted information. A
packet traveling from behind the firewall and trying to access the public
network outside the firewall will be monitored for specific defining
characteristics. Incoming packets are compared to these same
characteristics. If the comparison turns up a reasonable match, the packet
will be allowed through. Otherwise it will be discarded.
Filters
Traffic can be filtered through a firewall a number of ways.
Those ways include:
- IP address – Blocking traffic according to the destination’s or
sender’s IP address.
- Domain names – Blocking traffic according to the destination’s or
sender’s domain name.
- Protocols – Blocking traffic based on the protocol used to send
that traffic. Protocols that can be blocked include TCP, HTTP, FTP, UDP,
ICMP, SMTP and Telnet. You also have the option of configuring your firewall
to route otherwise blocked protocols only to one or more designated computers
that will accept traffic via them.
- Port – Blocking traffic based on the port a node is using to gain
access to the Internet or other services. For instance, if you don’t want
a node to run web services (HTTP), you will configure the firewall to block
traffic from that node on Port 80. For a list of common TCP and UDP ports,
see objective 2.6.
- Specific words and phrases – Blocking traffic based on a specific
word or phrase that may turn up in a packet.
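As an added example (not code from the original page), the following Python models the two header-based methods above: packet filtering against an ordered rule set, and stateful inspection that admits an inbound packet only when it replies to a tracked outbound flow. It applies the IP-address, protocol and port filters just listed, including the page's case of blocking one node's Port 80 traffic. The rule set, addresses and Packet class are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample rule set (hypothetical policy, not from the original page).
# Rules are checked top to bottom, first match wins, and anything unmatched is denied.
RULES = [
    # (action, direction, source network, destination network, protocol, destination port)
    ("deny",  "out", "192.168.1.50/32", "0.0.0.0/0",       "tcp", 80),  # this node may not send web traffic
    ("allow", "out", "192.168.1.0/24",  "0.0.0.0/0",       "tcp", 80),
    ("allow", "out", "192.168.1.0/24",  "0.0.0.0/0",       "tcp", 443),
    ("allow", "in",  "0.0.0.0/0",       "203.0.113.10/32", "tcp", 25),  # e-mail to the DMZ mail host
    ("deny",  "in",  "0.0.0.0/0",       "0.0.0.0/0",       "tcp", 23),  # no telnet from the Internet
]

@dataclass
class Packet:
    direction: str  # "in" (arriving from the Internet) or "out" (leaving the internal network)
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def packet_filter(pkt, rules=RULES):
    """Packet filtering: compare the packet header against each filter in order."""
    for action, direction, src_net, dst_net, proto, dport in rules:
        if (pkt.direction == direction and pkt.proto == proto and pkt.dport == dport
                and ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net)):
            return action
    return "deny"  # nothing matched: discard the packet

class StatefulFirewall:
    """Stateful inspection on top of the packet filter: the defining characteristics
    of each permitted outbound flow are recorded, and an inbound packet that matches
    a recorded flow (same addresses, protocol and ports, reversed) is allowed through."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.flows = set()  # (proto, inside address, inside port, outside address, outside port)

    def handle(self, pkt):
        if pkt.direction == "out":
            verdict = packet_filter(pkt, self.rules)
            if verdict == "allow":
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"  # reply to a tracked flow needs no explicit inbound rule
        return packet_filter(pkt, self.rules)  # otherwise fall back to the static filters
```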
3.9 Identify the purpose, benefits, and characteristics of using a proxy.
One way to strengthen the security offered by your firewall is
to combine it with a proxy server, which is a server that sits between a client
application and a "real" server. For instance, a web proxy server will
intercept all requests for web access and will search its access control list
for the web page requested. If it has the page in its cache, it will send the page back to
the client. If it does not, and if the page is not on its list of restricted
sites, then it will fetch the page from the Internet for the client.
Proxy servers have two main purposes:
- Improve performance by caching frequently requested resources, making them
more readily available than they would be if the client had to get them from
a remote source.
- Filter requests, as a way of making sure the client or client user is
permitted access to the resource being requested.
Benefits of proxy servers include:
- More efficient access to the Internet.
- Improved network performance, by functioning as a caching server.
- Improved security beyond that offered by a firewall alone.
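The web proxy decision described above, as an added example that is not part of the original page: the restricted-site list is consulted before the cache, so a site added to the list after its pages were cached is still refused, and cached copies expire after a configurable time. The restricted domain, page contents, fetch callable and clock are constructed stand-ins for the real Internet.

```python
import time
from urllib.parse import urlsplit

class WebProxy:
    """Web proxy decision logic: restricted-site list first, then the cache,
    and only then a fetch from the 'real' server on the client's behalf."""

    def __init__(self, fetch, restricted, ttl=300, clock=time.monotonic):
        self.fetch = fetch          # callable(url) -> page body, standing in for the Internet
        self.restricted = {d.lower() for d in restricted}
        self.ttl = ttl              # seconds a cached copy stays fresh
        self.clock = clock
        self.cache = {}             # url -> (expires_at, body)
        self.origin_fetches = 0     # how often the proxy actually went to the Internet

    def is_restricted(self, url):
        # Domain-name filter: the host and every parent domain are checked,
        # so restricting "games.example" also covers "arcade.games.example".
        host = (urlsplit(url).hostname or "").lower()
        labels = host.split(".")
        return any(".".join(labels[i:]) in self.restricted for i in range(len(labels)))

    def request(self, url):
        if self.is_restricted(url):
            return ("denied", None)            # never served, not even from cache
        now = self.clock()
        cached = self.cache.get(url)
        if cached and cached[0] > now:
            return ("cache", cached[1])        # served locally, no Internet access
        body = self.fetch(url)                 # fetch for the client and remember it
        self.origin_fetches += 1
        self.cache[url] = (now + self.ttl, body)
        return ("origin", body)

def demo():
    # Constructed pages standing in for remote web servers (no real network access).
    pages = {"http://news.example/": "headlines", "http://arcade.games.example/play": "game"}
    clock = [1000.0]  # controllable clock so cache expiry can be shown
    proxy = WebProxy(fetch=pages.__getitem__, restricted=["games.example"],
                     ttl=60, clock=lambda: clock[0])
    sources = [proxy.request("http://news.example/")[0],     # first request: goes to origin
               proxy.request("http://news.example/")[0],     # repeat: served from cache
               proxy.request("http://arcade.games.example/play")[0]]  # restricted subdomain
    clock[0] += 61                                           # cached copy expires
    sources.append(proxy.request("http://news.example/")[0])  # refetched from origin
    return sources, proxy.origin_fetches
```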
Types of Proxy Server:
- IP Proxy – Hides the IP addresses of all nodes on a network, sending instead
its own IP address. This is better known as Network Address Translation (NAT).
- Web (HTTP) Proxy – Handles Internet access requests on behalf of any node on
the network. The most popular of all web proxy servers is the Proxy Cache Server.
- FTP Proxy – Handles uploading and downloading of files from a server on
behalf of a workstation in an operation similar to a web proxy.
- SMTP Proxy – Handles Internet e-mail. Many SMTP proxy servers have added
network virus protection and will scan each e-mail for viruses.