Firewall
BAT54-Rail/F..
Release
7.54
06/08
8.3
The BAT Firewall
279
8.3.6 Strategies for Firewall settings
Firewalls are the interface between networks, and they restrict to a smaller
or larger extent an unhindered data exchange. Thus Firewalls have opposite
objectives than networks, although they are a part of them: networks should
connect workstations, Firewalls should prevent the connection.
This contradiction shows the dilemma of the responsible administrators who
have developed subsequently different strategies to solve this problem.
U Allow All
The Allow All strategy favours unhindered communication of the employees
compared over security. Any communication is allowed at first, the LAN is still
open for attackers. The LAN becomes gradually more secured by configura-
tion of the administrator, by settings of more and more new rules, which re-
strict or prevent parts of communication.
U Deny All
The Deny All strategy proceeds at first according to the method “Block all!”.
The Firewall blocks completely the communication between the protected
network and the rest of the world. In a second step, the administrator opens
address ranges or ports, which are necessary e.g. for daily communication
with the Internet.
This approach ensures superior security for the LAN security compared to
the Allow All strategy, but may lead especially in its initial stages to difficulties
for the users. After activation of the Deny All strategy, some things just may
behave differently than before, some stations may not reached any more etc.
U Firewall with DMZ
The demilitarized zone (DMZ) is a special range of the local network, which
is shielded by a Firewall both against the Internet and against the normal
LAN. All stations or servers that should be accessible from the unsecured
network (Internet) should be placed into this network. These include for ex-
ample own FTP and web servers.
The Firewall protects at first the DMZ against attacks from the Internet. Addi-
tionally, the Firewall protects also the LAN against the DMZ. To do so, the
Firewall is configured in this way that only the following accesses are possi-
ble:
D Stations from the Internet can access to the servers in the DMZ, but no
access from the Internet to the LAN is possible.
To Next Page
Loading...
Need help?
General
