Using a Perimeter Network

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A perimeter network protects your intranet or enterprise LAN from intrusion by controlling access from the Internet or another large network. The perimeter network (also known as a demilitarized zone or DMZ) is bounded by firewalls: one between the Internet and the perimeter, and another between the perimeter and the internal network. Hosts that must be reachable from outside, such as Web, mail or DNS servers, are placed in the perimeter so that a compromise of one of them does not by itself give an attacker a foothold on the internal network. A firewall is not a single component, but rather a system or combination of systems that enforces a boundary between two or more networks.

Figure 1.11 shows a perimeter network bounded by firewalls placed between a private network and the Internet in order to secure the private network.

Figure 1.11   Perimeter Network Securing an Internal Network

Organizations vary in how they use firewalls to provide security. Basic IP packet filtering offers weak security, is cumbersome to manage, and is easily defeated. Application gateways are more secure than packet filters and easier to manage because each one handles only a few specific applications, such as a particular e-mail system. Circuit gateways are most effective when who is using a network application matters more than the data that the application carries. The proxy server, the recommended solution, is a comprehensive security tool that includes an application gateway, safe access for anonymous users, and other services.

IP packet filtering   Packet filtering, the earliest form of firewall technology, can be configured to accept or deny specific types of packets. The filter examines packet headers for source and destination IP addresses, protocol, TCP and UDP port numbers, and other header fields, and applies its rules to each packet in isolation. Packet filtering is a limited technology that works best in clear-cut trust environments where, for example, everything outside the perimeter network is untrusted and everything inside is trusted. It also cannot look beyond the headers: when the IP payload is encrypted end to end, as with IPsec ESP, the TCP or UDP header and its port numbers are encrypted too and cannot be examined, so port-based rules cannot be applied. Transport-layer encryption such as SSL/TLS leaves the port numbers visible but hides the application data from the filter.

In recent years, various vendors have improved on the packet filtering method by adding connection tracking and other intelligent decision-making features to the packet-filtering core, creating a new form of packet filtering called stateful inspection (or stateful protocol inspection). A stateful filter records the connections that leave the network and admits an inbound packet only when it belongs to a connection it has already seen, so it does not have to leave whole ranges of ports open for return traffic the way a stateless filter does.
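To make the difference between the two paragraphs above concrete, here is an added example (not code from the original page) that models a stateless packet filter beside a stateful one and runs both over a few constructed packets. It shows the hole a stateless filter must leave open for return traffic and how connection tracking closes it. The internal address range, the hosts, the ports and the "permitted services" list are assumptions chosen for the demonstration.

```python
"""Added example: a stateless packet filter beside a stateful one.

Constructed packets, not captured traffic. The internal prefix, hosts and
ports are assumptions for the demo.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."    # assumed internal address range (constructed)
SERVICE_PORTS = {53, 80, 443}  # server ports internal clients may reach


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter can see."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Classic packet filter: every packet is judged on its own headers."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return pkt.dport in SERVICE_PORTS  # outbound to permitted services
    if not is_internal(pkt.src) and is_internal(pkt.dst):
        # Inbound: with no memory of what went out, the only available test
        # is "looks like a reply": source port is a service port and the
        # destination is an ephemeral port. An attacker controls both fields.
        return pkt.sport in SERVICE_PORTS and pkt.dport >= 1024
    return False


class StatefulFilter:
    """Stateful inspection: remember outbound flows, admit only their replies."""

    def __init__(self) -> None:
        self.flows = set()  # (src, sport, dst, dport, proto) of outbound flows

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if pkt.dport not in SERVICE_PORTS:
                return False
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            # Inbound is allowed only if it reverses a flow we saw leave.
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            return reverse in self.flows
        return False


def run_scenario() -> dict:
    """Three constructed packets: a real request, its reply, and a forgery."""
    client, web, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    request = Packet(client, web, "tcp", 51000, 80)
    reply = Packet(web, client, "tcp", 80, 51000)
    # Forged "reply": source port 80 makes it look like web traffic, but it
    # is aimed at RDP (3389) on a host that never opened a connection.
    forged = Packet(attacker, client, "tcp", 80, 3389)
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in (request, reply, forged)],
        "stateful": [stateful.allow(p) for p in (request, reply, forged)],
    }


if __name__ == "__main__":
    for name, v in run_scenario().items():
        print(f"{name:9s} request={v[0]} reply={v[1]} forged={v[2]}")
```

The stateless filter admits the forged packet because nothing in its headers distinguishes it from a genuine reply; the stateful filter rejects it because no matching outbound flow exists. Real filters also track TCP flags and time out idle entries, which this model omits.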

Application gateways   Used when the actual content of an application's traffic is of greatest concern, application gateways understand one protocol at a time, so they do not adapt easily to new applications or changes in technology. However, unlike IP packet filtering, application gateways can be used in conjunction with encryption: because the gateway terminates the client's connection and opens its own connection to the server, it sees the application data in the clear and can inspect it before forwarding.

Circuit gateways   Circuit gateways relay connections between specific processes or systems on each side of a firewall, acting as tunnels at the transport layer without inspecting the application data they carry. They are best employed where the person using an application is potentially a greater risk than the information that the application carries, because the gateway can authenticate the user before it sets up the circuit. A circuit gateway differs from a packet filter in that it can connect to an out-of-band scheme, such as a user authentication service, that supplies additional information for the access decision. SOCKS is a common example of a circuit-level gateway.

Proxy servers   Proxy servers are comprehensive security tools that combine firewall and application gateway functionality to manage Internet traffic to and from a private intranet. They also provide document caching and access control. Because clients connect to the proxy rather than directly to the Internet, the proxy can improve performance by caching and directly supplying frequently requested data, such as a popular Web page, and it can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.
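The application gateway and proxy server paragraphs both describe a device that reads the application protocol itself rather than just the packet headers. The following added example (not code from the original page or from any Microsoft product) shows what that buys for HTTP: a gateway decision function that parses each request, enforces policy on host, method and path, and serves repeat requests from a cache. The allow-list, the "proprietary files" path rules, the hostnames and the origin fetcher are assumptions constructed for the demonstration; no network traffic is sent.

```python
"""Added example: an HTTP application-gateway / proxy decision function.

The policy, hosts, paths and origin stand-in are assumptions for the demo.
"""
import re
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"www.example.com"}  # assumed allow-list of reachable hosts
# Assumed "proprietary files" policy: no directory traversal, nothing under /internal/.
DENIED_PATH_PATTERNS = [
    re.compile(r"(^|/)\.\.(/|$)"),
    re.compile(r"^/internal(/|$)", re.I),
]


def parse_request(raw: bytes):
    """Parse an HTTP/1.x request head; raise ValueError if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")  # ValueError unless 3 fields
    if version not in ("HTTP/1.0", "HTTP/1.1") or not target.startswith("/"):
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


class HttpGateway:
    def __init__(self, origin):
        self.origin = origin  # callable(host, target) -> bytes; stand-in for the server
        self.cache = {}       # (host, target) -> body, for GET only

    def handle(self, raw: bytes):
        """Return (decision, detail, served_from_cache)."""
        try:
            method, target, headers = parse_request(raw)
        except (ValueError, UnicodeDecodeError):
            return ("deny", "malformed request", False)
        host = headers.get("host", "").split(":")[0].lower()
        if host not in ALLOWED_HOSTS:
            return ("deny", f"host not permitted: {host or '<missing>'}", False)
        if method not in ALLOWED_METHODS:
            return ("deny", f"method not permitted: {method}", False)
        # Decode percent-encoding before matching, so %2e%2e cannot slip past.
        path = unquote(target)
        if any(p.search(path) for p in DENIED_PATH_PATTERNS):
            return ("deny", f"path not permitted: {target}", False)
        key = (host, target)
        if method == "GET" and key in self.cache:
            return ("allow", self.cache[key], True)
        body = self.origin(host, target)
        if method == "GET":
            self.cache[key] = body
        return ("allow", body, False)


def run_scenario():
    """Constructed requests; returns [(decision, from_cache)] and origin fetch count."""
    fetched = []

    def origin(host, target):  # stand-in for the real Web server
        fetched.append(target)
        return f"<html>{host}{target}</html>".encode()

    gw = HttpGateway(origin)
    requests = [
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",  # repeat: cache hit
        b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"GET /internal/payroll.xls HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nHost: evil.example.net\r\n\r\n",
        b"\x16\x03\x01 not-http",  # binary junk on the HTTP port
    ]
    results = [(d, c) for d, _, c in (gw.handle(r) for r in requests)]
    return results, len(fetched)


if __name__ == "__main__":
    results, fetches = run_scenario()
    for i, (decision, cached) in enumerate(results, 1):
        print(f"request {i}: {decision}{' (cache)' if cached else ''}")
    print(f"origin fetches: {fetches}")
```

None of the denied requests could have been distinguished by a packet filter, since all of them arrive on the same port from an ordinary client address. The cost is the one the text notes for application gateways: this code knows HTTP and nothing else, and a new protocol needs a new gateway.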

Take advantage of the firewall security features that can help you. Position the perimeter network in your network topology at a point where all traffic from outside the corporate network must pass through the external firewall, so that no path into the internal network bypasses it. You can fine-tune the firewall's access control to meet your needs, and you should configure firewalls to log and report all attempts at unauthorized access so that they can be reviewed.