Introduction to Firewall Architecture
The firewall is a very broad concept. New designs, firmware, software upgrades and features appear day by day. Several architectures are available for a firewall, such as the screened host firewall architecture, the packet filtering routers firewall architecture, the dual-homed firewall architecture and the screened subnet firewall architecture. The suitable firewall architecture is chosen according to the industrial requirement and the network design.
The basic purpose of a firewall is to protect the internal or organisational environment from any external security attack. Three major aspects define the configuration of the firewall: the objective of the network from the organization's point of view, the ability to develop it, and how it is to be implemented. When the firewall is considered at the hardware level, the budget must also be taken into account.
Firewall Architecture in Detail
There are different types of firewall architecture available. Below are the types of architecture:
1. Screened host firewall architecture
The screened host firewall architecture improves on the packet filtering routers firewall architecture. It uses the packet filtering router technique together with a dedicated, separate firewall known as the application proxy server. In the packet filtering routers firewall architecture, filtering the network traffic becomes a very big overhead once the access control list grows, which causes many issues. To overcome this, a dedicated firewall is added. This technique lets the router hand traffic on to the firewall. In this architecture the router pre-screens the network traffic (the packets) to minimize the network overhead, which also helps to distribute the load.
The separate application proxy server works at layer 7 (over the TCP protocol). It filters packets at the application level and is capable of filtering protocols such as HTTP, HTTPS, FTP and SFTP. The separate application proxy server is also known as the bastion host. Because it is exposed, it has a high chance of external attack and is the less secure component. The bastion host, or separate application proxy server, holds cached copies of the web documents. In this architecture, however, an external attacker needs to compromise two different systems before gaining access to the internal data.
- Work Flow: As shown in the above architecture, a separate host, the bastion host, is available. It acts like a proxy server to balance the load on the firewall. The firewall holds the full set of rules and access control. The bastion server helps to filter the network traffic: if a packet is valid, it is allowed via proxy access to the internal filter router and moves further into the internal network.
2. Packet filtering routers firewall architecture
Many organizations want internet connectivity. Once internet connectivity is enabled, an organization without a firewall is exposed to the external world. To avoid external security attacks, a firewall must be installed and configured. The packet filtering routers architecture is built around the router: the router interface connects the organization to the internet provider, so the router acts as an intermediary between the organization and the internet provider. At the same level, the network packet filtering process is enabled.
Any unwanted packets that arrive are filtered out at that same level, so the packets are dropped or rejected and never reach the organization-level network. It is a very simple way to implement a firewall, and it helps to lower the risk from external security threats. But it also has a few concerns. With packet filtering routers there is less auditing of the network traffic, and there is no strong authentication mechanism. Day by day the access control list grows, so filtering the incoming network packets becomes a very big overhead, which decreases network performance; in a few cases there will be lag.
- Work Flow: This is the basic technique to implement a firewall. The ISP provides the internet connection to the organization, and it is attached to the external filter router. First, the list of ACLs and the configuration are added on the firewall. Then, using that configuration, the network traffic is filtered and passed to the internal filter router. Finally, the internal filter router separates out the network traffic into the internal organization-level network.
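The two stages described in the screened host and packet filtering router sections above can be modelled together: a stateless router evaluates an ordered ACL with first-match semantics and an implicit deny, and only the packets it permits reach the bastion host, which inspects the HTTP request line at the application level. The counter of rules examined makes the ACL-growth overhead the text mentions visible. This is an added example and not code from the original article; the addresses, the bastion host address 10.0.0.2, the ACL and the sample traffic are all constructed for illustration.

```python
"""Screened-host pipeline: a packet filtering router pre-screens traffic with
an ordered ACL, then the application proxy (bastion host) inspects what the
router let through at layer 7. Added example with constructed addresses and
traffic; it is not code from the original article."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: str = ""   # application data, here an HTTP request line


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR the rule applies to
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class PacketFilterRouter:
    """Stateless, first-match ACL with an implicit deny at the end."""

    def __init__(self, acl):
        self.acl = list(acl)
        # Every rule compared is work the router does per packet: the longer
        # the ACL, the more comparisons a non-matching packet costs.
        self.rules_examined = 0

    def screen(self, pkt: Packet) -> bool:
        for rule in self.acl:
            self.rules_examined += 1
            if rule.matches(pkt):
                return rule.action == "permit"
        return False  # implicit deny


class ApplicationProxy:
    """Bastion host: forwards only HTTP requests whose method and destination
    host are permitted, which the router cannot judge from packet headers."""
    ALLOWED_METHODS = {"GET", "HEAD"}

    def __init__(self, allowed_hosts):
        self.allowed_hosts = set(allowed_hosts)

    def inspect(self, pkt: Packet) -> bool:
        parts = pkt.payload.split()
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            return False  # not a well-formed request line; refuse it
        method, target = parts[0], parts[1]
        return method in self.ALLOWED_METHODS and urlsplit(target).hostname in self.allowed_hosts


def screened_host(router: PacketFilterRouter, proxy: ApplicationProxy, pkt: Packet) -> str:
    """Run one packet through both stages and report where it ended up."""
    if not router.screen(pkt):
        return "dropped-by-router"
    if not proxy.inspect(pkt):
        return "rejected-by-proxy"
    return "forwarded-to-internal"


# Constructed ACL: a blocked source range, HTTP from a partner range, HTTPS from anywhere.
SAMPLE_ACL = [
    Rule("deny", "203.0.113.0/24", "any", None),
    Rule("permit", "198.51.100.0/24", "tcp", 80),
    Rule("permit", "0.0.0.0/0", "tcp", 443),
]

# Constructed traffic aimed at the bastion host (10.0.0.2 is an assumed address).
SAMPLE_TRAFFIC = [
    Packet("203.0.113.5", "10.0.0.2", "tcp", 80, "GET http://intranet.example/ HTTP/1.1"),
    Packet("198.51.100.7", "10.0.0.2", "tcp", 80, "GET http://intranet.example/ HTTP/1.1"),
    Packet("198.51.100.7", "10.0.0.2", "tcp", 80, "POST http://intranet.example/upload HTTP/1.1"),
    Packet("192.0.2.9", "10.0.0.2", "udp", 53, ""),
]


def demo():
    """Return the verdict per packet and the total rule comparisons the router made."""
    router = PacketFilterRouter(SAMPLE_ACL)
    proxy = ApplicationProxy(["intranet.example"])
    verdicts = [screened_host(router, proxy, pkt) for pkt in SAMPLE_TRAFFIC]
    return verdicts, router.rules_examined


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, demo()[0]):
        print(f"{pkt.src:>14} {pkt.proto}/{pkt.dport:<4} -> {verdict}")
```

Note the split of responsibility: the router drops the first and last packets after one and three rule comparisons respectively, while the POST request passes the router (it matches the partner HTTP rule) and is rejected only by the proxy, which is the kind of decision a stateless packet filter cannot make.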
3. Dual-homed firewall architecture
Now the architectural complexity increases further, because high performance and less network lag are needed. The previous firewall architectures use a single network interface card. In this type of firewall architecture, the bastion host contains two different network interface cards: one connects to the external network and the other connects to the internal network. All the network traffic physically travels through the firewall, which sits between the internal and external network interface cards.
- Work Flow: In this architecture there is no separate proxy server. Two different NICs are available: the external ISP connection is attached to one NIC and the internal network to the second. Once traffic arrives, the firewall filters it and passes it to the internal network. If the traffic is not valid, the firewall drops the packet and does not forward it.
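The dual-homed work flow above can be illustrated with a small model in which every packet carries the NIC it arrived on and can only leave on the other NIC, so nothing bypasses the host. Policy is decided per ingress interface: internal hosts may open connections outbound, outsiders may only open connections to published services, replies are matched against a connection table, and an internal source address seen on the external NIC is treated as spoofed. This is an added example and not code from the original article; the NIC names eth_ext and eth_int, the internal range 10.0.0.0/8, the published service and the sample traffic are all constructed, and the connection tracking is a deliberate simplification of what a real stateful firewall does.

```python
"""Dual-homed bastion host: two NICs, every packet must pass through the host,
and the forwarding decision depends on which NIC it arrived on. Added example
with constructed interface names, addresses and traffic; it is not code from
the original article."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

EXTERNAL, INTERNAL = "eth_ext", "eth_int"   # assumed NIC names
INTERNAL_NET = ip_network("10.0.0.0/8")      # assumed internal address range


@dataclass(frozen=True)
class Packet:
    ingress: str      # NIC the packet arrived on
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = True  # True for a new TCP connection attempt (simplified)


class DualHomedFirewall:
    def __init__(self, published_services):
        # (internal host, port) pairs that outsiders may open connections to
        self.published = set(published_services)
        # flows admitted so far, keyed as seen from the initiating side
        self.conntrack = set()
        self.drops = []   # (src, dst, dport, reason) kept for audit

    @staticmethod
    def _flow(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _drop(self, pkt, reason) -> None:
        self.drops.append((pkt.src, pkt.dst, pkt.dport, reason))
        return None

    def forward(self, pkt: Packet) -> Optional[str]:
        """Return the NIC the packet leaves on, or None if it is dropped."""
        if pkt.ingress not in (EXTERNAL, INTERNAL):
            return self._drop(pkt, "unknown ingress interface")
        # Traffic can only leave on the other NIC: there is no path around the host.
        egress = INTERNAL if pkt.ingress == EXTERNAL else EXTERNAL
        # Anti-spoofing: an internal source address cannot legitimately arrive on the outside NIC.
        if pkt.ingress == EXTERNAL and ip_address(pkt.src) in INTERNAL_NET:
            return self._drop(pkt, "internal source address on external NIC")
        # Reply belonging to an admitted flow: pass it in either direction.
        if self._reverse(pkt) in self.conntrack:
            return egress
        if pkt.ingress == INTERNAL:
            # Outbound: internal hosts may open connections; remember the flow for replies.
            self.conntrack.add(self._flow(pkt))
            return egress
        # Inbound: only fresh connections to published services are admitted.
        if pkt.syn and (pkt.dst, pkt.dport) in self.published:
            self.conntrack.add(self._flow(pkt))
            return egress
        return self._drop(pkt, "no policy permits this inbound packet")


# Constructed traffic: 10.0.0.80:443 is the only published internal service.
SAMPLE_TRAFFIC = [
    Packet(INTERNAL, "10.0.0.5", "198.51.100.20", "tcp", 40000, 443),             # outbound HTTPS
    Packet(EXTERNAL, "198.51.100.20", "10.0.0.5", "tcp", 443, 40000, syn=False),  # its reply
    Packet(EXTERNAL, "203.0.113.9", "10.0.0.80", "tcp", 51000, 443),              # new connection to published service
    Packet(EXTERNAL, "203.0.113.9", "10.0.0.5", "tcp", 51001, 22),                # SSH to an unpublished host
    Packet(EXTERNAL, "10.0.0.7", "10.0.0.80", "tcp", 51002, 443),                 # spoofed internal source
    Packet(EXTERNAL, "203.0.113.9", "10.0.0.80", "tcp", 51003, 443, syn=False),   # mid-stream packet with no state
]


def demo():
    """Return the egress NIC (or None) per packet and the audit log of drops."""
    fw = DualHomedFirewall(published_services={("10.0.0.80", 443)})
    results = [fw.forward(pkt) for pkt in SAMPLE_TRAFFIC]
    return results, fw.drops


if __name__ == "__main__":
    for pkt, out in zip(SAMPLE_TRAFFIC, demo()[0]):
        print(f"{pkt.ingress} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  => {out or 'DROP'}")
```

The drop log is the auditing hook that the packet filtering router section above says is weak in the simpler design: because every packet crosses the host, each rejected packet can be recorded with the interface it came from and the reason.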
Conclusion – Firewall Architecture
We have seen the complete concept of the “firewall architecture” with a proper explanation. A number of firewall architectures are available; the choice depends on our own requirements and budget. The firewall also tracks the traffic at the application level.