Enhancing Security Through Network Topology


Background.  This web page presents some network topologies that improve security.  Secure topologies are built around firewalls.  A firewall performs two very basic functions: blocking some traffic and permitting some traffic.  Depending on its configuration, a firewall can emphasize one or the other to varying extents (default-deny with a short list of permitted services is the safer of the two).

Probably the simplest firewall configuration is represented in the following diagram.



It is important to notice that in this sort of design every packet between the inside and the outside passes through the one firewall, so it is a single point of failure and can easily become a bottleneck if it has insufficient throughput capacity or reliability.

Some people configure this sort of system at home, with just a server, a couple of printers and a couple of computers behind the firewall.  Even there it is important to make sure that people on the outside cannot gain undesired access to your resources.

A more sophisticated, yet quite common configuration is represented in the following diagram.



The three main portions of this firewall system, as outlined in Teare, are
  1. An isolation LAN that is a buffer between the corporate internetwork and the outside world.
  2. An inside router that acts as an inside packet filter between the corporate network and the isolation LAN.
  3. An outside router that acts as an outside packet filter between the isolation LAN and the outside internetwork.

Some examples of services that may be provided to the outside world from bastion hosts located in the isolation LAN follow.

  • Anonymous FTP server
  • Web server
  • Domain Name Service
  • Telnet (a cleartext protocol; access to it should itself be restricted to specific sources)
  • Specialized security software such as TACACS (Terminal Access Controller Access Control System)

The isolation LAN has its own network number, distinct from the corporate network number.  Only the isolation LAN is visible to the outside world: the outside router advertises the route to the isolation LAN only, and the corporate network advertises its routes no further than the isolation LAN.

The following are some rules for the three-part firewall system.

  • The inside packet filter should only allow inbound TCP packets belonging to established sessions that originated from inside the corporate network.
  • The outside packet filter should allow inbound TCP packets belonging to established TCP sessions (that is, replies to connections opened from the isolation LAN).
  • The outside packet filter should also allow packets sent to specific TCP or UDP ports on specific bastion hosts, and nothing else inbound.
  • One should make sure to block traffic originating from the firewall routers and bastion hosts to the internal network.
    • An attacker who gains access to a firewall router or bastion host would otherwise use it as the jumping-off point to get into the corporate network.
  • Keep bastion hosts and firewall routers simple.  They should run as few programs as possible, since every extra service is another way in.
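To make the rules above concrete, here is a small model of the two packet filters written for this page; it is an added example and not code from Teare or from any router vendor.  The addresses, the list of exposed bastion services and the router interface addresses are constructed for the example.  It also shows the caveat a practitioner will want: the classic router-ACL "established" match only looks at TCP flags (ACK or RST set), so a forged ACK from the outside slips past it, which is why the inside filter below tracks sessions in a state table instead.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (assumed, not from the page).
ISOLATION_LAN = ipaddress.ip_network("192.0.2.0/24")   # bastion hosts live here
CORPORATE = ipaddress.ip_network("10.0.0.0/8")         # internal corporate network
ROUTERS = {"192.0.2.1", "192.0.2.2"}                   # outside/inside router interfaces (assumed)

# Services deliberately exposed on specific bastion hosts: (host, proto, port).
EXPOSED = {
    ("192.0.2.10", "tcp", 80),    # web server
    ("192.0.2.20", "tcp", 21),    # anonymous FTP control channel
    ("192.0.2.30", "udp", 53),    # DNS
    ("192.0.2.30", "tcp", 53),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()    # TCP flags present, e.g. frozenset({"SYN"})


def in_net(addr, net):
    return ipaddress.ip_address(addr) in net


def established_by_flags(pkt):
    """Classic stateless 'established' match: any TCP segment with ACK or RST
    set.  It inspects flags only, so a forged ACK also matches."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


def outside_filter(pkt):
    """Outside router: packets arriving from the Internet toward the isolation LAN."""
    if in_net(pkt.dst, CORPORATE):        # the corporate network is never reachable directly
        return False
    if not in_net(pkt.dst, ISOLATION_LAN):
        return False
    if established_by_flags(pkt):         # replies to sessions the bastions opened outward
        return True
    # Otherwise only specific ports on specific bastion hosts.
    return (pkt.dst, pkt.proto, pkt.dport) in EXPOSED


class InsideFilter:
    """Inside router: packets arriving from the isolation LAN toward the corporate
    network.  Permits only replies to sessions a corporate host opened, tracked in
    a state table, so spoofing TCP flags does not help an attacker."""

    def __init__(self):
        self.sessions = set()   # (corp_host, corp_port, peer_host, peer_port, proto)

    def outbound(self, pkt):
        """Record a session initiated from inside the corporate network."""
        if in_net(pkt.src, CORPORATE):
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return True

    def inbound(self, pkt):
        if not in_net(pkt.dst, CORPORATE):
            return False
        if pkt.src in ROUTERS:            # firewall routers never initiate traffic inward
            return False
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return key in self.sessions       # bastion-initiated traffic has no entry and is dropped


def demo():
    """Run constructed packets through both filters; returns {case: permitted?}."""
    fw = InsideFilter()
    syn, ack, synack = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"SYN", "ACK"})
    r = {}
    # Internet client opening the bastion web server: permitted by the port rule.
    r["web_to_bastion"] = outside_filter(Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 80, syn))
    # Same client aiming straight at a corporate host: dropped at the outside filter.
    r["web_to_corp"] = outside_filter(Packet("203.0.113.5", "10.1.1.5", "tcp", 40000, 80, syn))
    # Probe to an unexposed bastion port with ACK forged: the flags-only check lets it through.
    r["ack_probe_outside"] = outside_filter(Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 22, ack))
    # Corporate host fetches a page from the bastion web server; the reply is permitted.
    fw.outbound(Packet("10.1.1.5", "192.0.2.10", "tcp", 50000, 80, syn))
    r["reply_to_corp"] = fw.inbound(Packet("192.0.2.10", "10.1.1.5", "tcp", 80, 50000, synack))
    # Compromised bastion tries to pivot inward with a forged ACK: no session, denied.
    r["bastion_pivot"] = fw.inbound(Packet("192.0.2.10", "10.1.1.5", "tcp", 4444, 22, ack))
    # Compromised outside router tries the same: denied outright.
    r["router_pivot"] = fw.inbound(Packet("192.0.2.1", "10.1.1.5", "tcp", 4444, 22, ack))
    return r


if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{case:20s} {'permit' if permitted else 'deny'}")
```

The `ack_probe_outside` case is the point of the exercise: the outside filter's flags-only "established" rule accepts a forged ACK to an unexposed port, which is why the bastion hosts behind it must be hardened and why the inside filter should not rely on the same trick.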

Some vendors make routers or dedicated appliances with enhanced security properties, such as the Cisco PIX Firewall, which does stateful inspection rather than relying on flag-based "established" filtering.