Using Firewalls in a Front-End and Back-End Topology
Topic Last Modified: 2005-05-24
If your network is visible to the Internet, it is highly recommended that you use either a software or hardware firewall solution. Firewalls control traffic to the network by using such methods as port filtering, IP filtering, and, in advanced firewall solutions, application filtering.
There are several options for incorporating a firewall into a front-end and back-end topology; Scenarios for Deploying a Front-End and Back-End Topology describes these options. Generally, it is recommended that you use an advanced firewall server in your topology (for more information about using an advanced firewall, see Advanced Firewall in a Perimeter Network).
At a minimum, any firewall you use to help protect servers from the Internet must use port filtering. Port filtering restricts the type of network traffic that comes through the firewall by allowing only traffic sent to specific ports. For example, you may configure the firewall facing the Internet to accept only HTTPS traffic by opening TCP port 443.
The following two sections describe two important concepts related to TCP/IP connections: source port versus destination port, and direction of the TCP/IP connection.
When computer A opens a TCP/IP connection to computer B, two ports are used: the source port (on computer A), and the destination port (on computer B). The network stack on the computer that initiates the connection generally selects source ports at random. Destination ports are the ports on which the specified service is listening (for example, port 443 for HTTPS). In this guide, any reference to a port used by a specific service refers to the destination port.
When you open firewall ports, most firewalls require you to specify the direction of the connection. For example, to allow a front-end server to contact back-end servers, you must open port 80 for HTTP traffic. However, back-end servers never initiate new TCP/IP connections to the front-end server; they only respond to requests that were initiated by the front-end. Therefore, on your firewall, you need only allow HTTP port 80 connections from the front-end to the back-end. In this guide, such connections are referred to as "inbound" (in other words, the connections are inbound to the corporate network).
Many firewall solutions also support IP filtering. IP filtering strengthens the protection the firewall provides by allowing you to restrict traffic through the firewall to specific servers. For example, in a perimeter network, you may want to configure DSAccess to use specific domain controllers and global catalog servers, and then use IP filtering to ensure that the front-end servers connect to only those domain controllers and global catalog servers.
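The three concepts above (port filtering on the destination port, the direction in which a connection is opened, and IP filtering to approved servers) can be checked against a small model of a stateful packet filter. This is an added example, not code from the original guide or from any Microsoft product; the addresses, the front-end/back-end subnets and the single approved domain controller are constructed, and LDAP on TCP 389 stands in for the directory traffic DSAccess generates.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses (not from the page): one front-end server,
# a back-end subnet, and the single domain controller DSAccess is pointed at.
INTERNET = "0.0.0.0/0"
FRONT_END = "10.0.1.10/32"
BACK_END_NET = "10.0.2.0/24"
ALLOWED_DC = "10.0.3.5/32"

@dataclass(frozen=True)
class Rule:
    """Permit NEW connections from src to dst on one destination port.
    The source port is never matched: the initiator picks it at random."""
    src: str
    dst: str
    dport: int

# Port filtering (443 from the Internet), direction (only front-end -> back-end
# may open port 80) and IP filtering (LDAP only to the approved DC, port 389).
RULES = [
    Rule(INTERNET, FRONT_END, 443),
    Rule(FRONT_END, BACK_END_NET, 80),
    Rule(FRONT_END, ALLOWED_DC, 389),
]

def new_connection_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """Match a TCP SYN against RULES; anything not listed is denied."""
    return any(
        ip_address(src_ip) in ip_network(r.src)
        and ip_address(dst_ip) in ip_network(r.dst)
        and dport == r.dport
        for r in RULES
    )

class StatefulFilter:
    """Tracks accepted connections so replies pass without opening the reverse direction."""
    def __init__(self) -> None:
        self.established: set[tuple[str, int, str, int]] = set()

    def packet(self, src: str, sport: int, dst: str, dport: int, syn: bool = False) -> bool:
        if syn:  # a new connection: only the initiating direction is checked
            if not new_connection_allowed(src, dst, dport):
                return False
            self.established.add((src, sport, dst, dport))
            return True
        # Not a SYN: allowed only as traffic on a connection already accepted,
        # in either direction; a stray "reply" with no matching state is dropped.
        return ((src, sport, dst, dport) in self.established
                or (dst, dport, src, sport) in self.established)
```

With these rules a back-end server's reply on port 80 is accepted only because the front-end opened that connection first; a back-end server trying to open port 80 toward the front-end, or the front-end contacting a domain controller other than the approved one, is dropped.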
Advanced firewalls such as ISA Server can provide advanced inspection at the application protocol level. This inspection allows the firewall to perform functions such as filtering RPC interfaces and validating HTTP request syntax. Application filtering is the main reason why using an advanced firewall in your topology provides the most security.