Figure 1-15 summarizes classic network topologies in which stateful firewalls have been largely deployed:
Internet access: This simple arrangement protects internal users who need access to the Internet. The firewall policy specifies what traffic is enabled outbound and simply prohibits inbound connection initiation. Inbound packets are allowed only when they correspond to an existing entry in the firewall state table.
Internet presence: This scenario includes a Demilitarized Zone (DMZ), in which the publicly accessible servers are located. The firewall policy basically defines which services on each DMZ host (server) should be visible from the outside. The firewall watches DMZ-bound connection setup and keeps track of the return traffic. Typically, the DMZ servers are not allowed to initiate outbound connections. For instance, this measure helps block content upload to the outside in the event of a server compromise.
E-commerce: This topology enhances the Internet presence arrangement by adding extra separation tiers between the various servers involved in a typical e-commerce environment. It is convenient to combine different classes of firewall (commonly stateful firewalls and application proxies) to increase security in such a critical part of the network.
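The following is an added example, not code from the book or from any firewall vendor, that models the state-table behaviour described for the first two topologies (Internet access and Internet presence). It assumes a constructed addressing plan with three zones (inside, DMZ, outside), a policy keyed by zone pair that applies only to new connections, and a state table of 5-tuples that lets return traffic through. The e-commerce topology's extra tiers and application proxies are not modelled.

```python
"""Minimal stateful packet filter for the Internet-access and DMZ topologies.

Added illustration; the zones, addresses and policy below are constructed
assumptions, not taken from the book.
"""
from ipaddress import ip_address, ip_network

# Constructed zones. The catch-all "outside" network must stay last because
# zone_of() returns the first match.
ZONES = {
    "inside":  ip_network("10.0.0.0/8"),
    "dmz":     ip_network("192.0.2.0/24"),
    "outside": ip_network("0.0.0.0/0"),
}

# Policy for *new* connections, keyed by (source zone, destination zone).
# Value is a set of permitted destination TCP/UDP ports or "any".
# A missing key means the connection may not be initiated in that direction.
POLICY = {
    ("inside",  "outside"): "any",       # Internet access: users may go out
    ("outside", "dmz"):     {80, 443},   # Internet presence: published services only
    # no ("outside", "inside"): inbound initiation toward the LAN is prohibited
    # no ("dmz", "outside"):    DMZ servers may not initiate outbound connections
}


def zone_of(ip):
    """Map an address to its zone name (first matching network wins)."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    raise ValueError(f"no zone for {ip}")  # unreachable with a catch-all zone


class StatefulFirewall:
    def __init__(self, policy=POLICY):
        self.policy = policy
        # Established flows as (proto, src, sport, dst, dport) in the
        # direction of the original connection setup. Entry ageing/expiry
        # is omitted for brevity.
        self.state = set()

    def handle(self, proto, src, sport, dst, dport):
        """Return "ALLOW" or "DROP" for one packet and update the state table."""
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        # Continuation or return traffic of a known flow: always allowed,
        # regardless of direction. This is the "existing entry" check.
        if fwd in self.state or rev in self.state:
            return "ALLOW"
        # New connection: consult the zone-pair policy.
        allowed = self.policy.get((zone_of(src), zone_of(dst)))
        if allowed == "any" or (allowed is not None and dport in allowed):
            self.state.add(fwd)
            return "ALLOW"
        return "DROP"


def run_demo():
    """Feed a constructed packet sequence through the filter; returns decisions."""
    fw = StatefulFirewall()
    events = [
        ("tcp", "10.1.1.5", 51000, "198.51.100.7", 443),    # inside -> outside: new, allowed
        ("tcp", "198.51.100.7", 443, "10.1.1.5", 51000),    # reply: matches state entry
        ("tcp", "198.51.100.9", 40000, "10.1.1.5", 445),    # unsolicited inbound to LAN
        ("tcp", "203.0.113.4", 52000, "192.0.2.10", 443),   # public -> DMZ web: published
        ("tcp", "203.0.113.4", 52001, "192.0.2.10", 22),    # public -> DMZ ssh: not published
        ("tcp", "192.0.2.10", 33000, "203.0.113.4", 80),    # DMZ initiating outbound: blocked
    ]
    return [fw.handle(*e) for e in events]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The sixth packet is the case the text calls out: even though the DMZ host is talking to a port the public is allowed to reach elsewhere, there is no state entry for a flow it initiated and no policy line permitting DMZ-to-outside setup, so it is dropped. A production filter would additionally age out entries, validate TCP flags on setup, and treat UDP and ICMP pseudo-connections separately.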