DOCUMENT INFORMATION
Basic information
Format:
Number of pages: 21
Size: 389.45 KB
Content
Understanding Firewalls

Overview

Nations without controlled borders cannot ensure the security and safety of their citizens, nor can they prevent piracy and theft. Networks without controlled access cannot ensure the security or privacy of stored data, nor can they keep network resources from being exploited by hackers.

The communication efficiency provided by the Internet has caused a rush to attach private networks directly to it. Direct Internet connections make it easy for hackers to exploit private network resources. Prior to the Internet, the only widely available way for a hacker to connect from home to a private network was by direct dialing with modems and the public telephony network. Remote access security was a relatively small issue. When you connect your private network to the Internet, you are actually connecting your network directly to every other network that's attached to the Internet directly. There's no inherent central point of security control—in fact, there's no inherent security at all.

Firewalls are used to create security checkpoints at the boundaries of private networks. At these checkpoints, firewalls inspect all packets passing between the private network and the Internet and determine whether to pass or drop the packets depending on how they match the policy rules programmed into the firewall. If your firewall is properly configured, is capable of inspecting every protocol you allow to pass, and contains no serious exploitable bugs, your network will be as free from risk as possible.

There are literally hundreds of firewall products available, and there are different theories from different security experts on how firewalls should be used to secure your network. This chapter will explore the operation of a generic firewall in detail, outline the important features you need in a firewall, and discuss how firewalls should be deployed in networks of any size.
Firewall Elements

Firewalls keep your Internet connection as secure as possible by inspecting and then approving or rejecting each connection attempt made between your internal network and external networks like the Internet. Strong firewalls protect your network at all software layers—from the Data Link layer up through the Application layer.

Firewalls sit on the borders of your network, connected directly to the circuits that provide access to other networks. For that reason, firewalls are frequently referred to as border security. The concept of border security is important—without it, every host on your network would have to perform the functions of a firewall itself, needlessly consuming computer resources and increasing the amount of time required to connect, authenticate, and encrypt data in local-area, high-speed networks. Firewalls allow you to centralize all external security services in machines that are optimized for and dedicated to the task. Inspecting traffic at the border gateways also has the benefit of preventing hacking traffic from consuming the bandwidth on your internal network.

By their nature, firewalls create bottlenecks between the internal and external networks, because all traffic transiting between the internal network and the external must pass through a single point of control. This is a small price to pay for security. Since external leased-line connections are relatively slow compared to the speed of modern computers, the latency caused by firewalls can be completely transparent. For most users, relatively inexpensive firewall devices are more than sufficient to keep up with a standard T1 connection to the Internet. For businesses and ISPs whose Internet traffic is far higher, a new breed of extremely high-speed (and high-cost) firewalls has been developed, which can keep up with even the most demanding private networks.
Some countries actually censor the Internet using high-speed firewalls.

Firewalls function primarily by using three fundamental methods:

• Packet Filtering  Rejects TCP/IP packets from unauthorized hosts and rejects connection attempts to unauthorized services.
• Network Address Translation (NAT)  Translates the IP addresses of internal hosts to hide them from outside monitoring. You may hear of NAT referred to as IP masquerading.
• Proxy Services  Makes high-level application connections on behalf of internal hosts in order to completely break the network layer connection between internal and external hosts.

You can use devices or servers that perform only one of the above functions; for instance, you could have a router that performs packet filtering, and then a proxy server in a separate machine. This way, the packet filter must either pass traffic through to the proxy server, or the proxy server must sit outside your network without the protection of packet filtering. Both are more dangerous than using a single firewall product that performs all the security functions in one place.

Most firewalls also perform two other important security services:

• Encrypted Authentication  Allows users on the public network to prove their identity to the firewall, in order to gain access to the private network from external locations.
• Virtual Private Networking  Establishes a secure connection between two private networks over a public medium like the Internet. This allows physically separated networks to use the Internet rather than leased-line connections to communicate. VPNs are also called encrypted tunnels.

Some firewalls also provide additional subscription-based services that are not strictly related to security, but which many users will find useful:

• Virus Scanning  Searches inbound data streams for the signatures of viruses. Keeping up with current virus signatures requires a subscription to the virus update service provided by the firewall vendor.
• Content Filtering  Allows you to block internal users from accessing certain types of content by category, such as pornography, hate group propaganda, pornography, hacking information, and pornography. Keeping up with the current list of blocked sites for a specific category also requires a subscription.

Nearly all firewalls use these basic methods to provide a security service. There are literally hundreds of firewall products on the market now, all vying for your security dollar. Most are very strong products that vary only in superficial details. The remainder of this section covers the five primary functions that most firewalls support.

Packet Filters

The first Internet firewalls were simply packet filters, and packet filtering remains one of the key functions of today's firewalls. Filters compare network protocol packets (such as IP) and transport protocol packets (such as TCP) to a database of rules and forward only those packets that conform to the criteria specified in the database of rules. Filters can either be implemented in routers or in the TCP/IP stacks of servers (see Figure 1.1).

Figure 1.1: Filtered Internet connections block undesired traffic.

Filters implemented inside routers prevent suspicious traffic from reaching the destination network, whereas TCP/IP filter modules in servers merely prevent that specific machine from responding to suspicious traffic. The traffic still reaches the network and could target any machine on it. Filtered routers protect all the machines on the destination network from suspicious traffic. For that reason, filtering in the TCP/IP stacks of servers (such as that provided by Windows NT) should only be used in addition to router filtering, not instead of it.

Filters typically follow these rules:

• Drop inbound connection attempts but allow outbound connection attempts to pass.
• Eliminate TCP packets bound for those ports that shouldn't be available to the Internet (such as the NetBIOS session port) but allow packets that should be available (such as SMTP) to pass. Most filters can specify exactly which server a specific sort of traffic should go to—for instance, SMTP traffic on port 25 should only go to the IP address of a mail server.
• Restrict inbound access to certain IP ranges.

Warning: Simple packet filters, or routers with a packet filtering function, that require opening ports above 1023 for return channels are not effective security devices. These packet filters do not prevent internal users or Trojan horses from setting up a service on a client station in the port range above 1023 and simply listening for connection attempts from the outside. Firewalls (stateful inspection filters and security proxies) only open return channels for servers that have been invited back in by a connection attempt from inside the security perimeter; choose them over simple packet filters that can't maintain the state of a connection.

Sophisticated filters examine the states of all connections that flow through them, looking for the telltale signs of hacking, such as source routing, ICMP redirection, and IP spoofing. Connections that exhibit these characteristics are dropped.

Internal clients are generally allowed to create connections to outside hosts, and external hosts are usually prevented from initiating connection attempts. When an internal host decides to initiate a TCP connection, it sends a TCP message to the IP address and port number of the public server (for example, port 80 at the address of http://www.microsoft.com/ to connect to Microsoft's website). The source address and source port fields of that connection initiation message tell the remote server what the client's IP address is and on which port it is listening for a response (for example, port 2050). The external server sends data back by transmitting it to the port given by the internal client.
Since your firewall inspects all the traffic exchanged between both hosts, it knows that the connection was initiated by an internal host attached to its internal interface, what that host's IP address is, and on what port that host expects to receive return traffic. The firewall then remembers to allow the host addressed in the connection message to return traffic to the internal host's IP address only at the port specified. When the hosts involved in the connection close down the TCP connection, the firewall removes the entry in its state table (its connection memory) that allows the remote host to return traffic to the internal host. If the internal host stops responding before closing the TCP connection (because, for example, it has crashed), or if the protocol in question does not support sessions (for example, UDP), the firewall will remove the entry in its state table after a programmed timeout of a few minutes.

Operating System Filtering

You might not be aware that most versions of UNIX and Windows include packet filtering in the TCP/IP protocol interface. You can use this filtering in addition to a strong firewall to control access to individual servers; you can also use this filtering to provide an additional measure of internal security inside your organization without the cost of a firewall. Just as filtering alone is not sufficient to protect your network entirely, your operating system's internal filtering is not sufficient to create a completely secure environment.

Security Limitations of Packet Filtering

Filtering does not completely solve the Internet security problem. First, the IP addresses of computers inside the filter are present in outbound traffic, which makes it somewhat easy to determine the type and number of Internet hosts inside a filter and to target attacks against those addresses. Filtering does not hide the identity of hosts inside the filter.
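The state-table behaviour described above, as an added example that is not part of the original chapter: a small Python simulation of a stateful filter. An inside host's outbound SYN (or first UDP datagram) creates an entry, only return traffic matching that exact address and port pair is admitted, and the entry disappears when both sides have closed or after an idle timeout. The inside network 10.0.0.0/24, all addresses, ports and timeout values are assumptions constructed for the example; a real tracker would also check sequence numbers and handle the final ACK of the close, which this model skips.

```python
"""Stateful packet filter simulation (added example, not code from the chapter).

Models the connection memory described above: an inside host's outbound TCP
SYN (or first UDP datagram) creates a state-table entry; only return traffic
matching that exact address/port pair is let back in; the entry is removed
once both sides have sent FIN (or on RST), or after an idle timeout, which is
the only way a UDP "session" ever ends. Addresses, ports and timeouts are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_PREFIX = "10.0.0."   # assumption: the protected network is 10.0.0.0/24
TCP_IDLE_TIMEOUT = 300.0    # seconds; covers a host that crashed mid-session
UDP_TIMEOUT = 120.0         # seconds; the "programmed timeout of a few minutes"


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as text, e.g. "SYN", "SYN ACK", "FIN ACK", "RST"
    ts: float = 0.0     # arrival time in seconds


@dataclass
class Entry:
    last_seen: float
    fin_in: bool = False    # FIN seen from the outside host
    fin_out: bool = False   # FIN seen from the inside host


# Keys are always written inside-out: (proto, inside ip, inside port, outside ip, outside port)
Key = Tuple[str, str, int, str, int]


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[Key, Entry] = {}

    def _expire(self, now: float) -> None:
        """Forget sessions idle longer than their protocol's timeout."""
        for key, entry in list(self.table.items()):
            timeout = UDP_TIMEOUT if key[0] == "udp" else TCP_IDLE_TIMEOUT
            if now - entry.last_seen > timeout:
                del self.table[key]

    def process(self, pkt: Packet) -> str:
        """Return "pass" or "drop" for one packet and update the state table."""
        self._expire(pkt.ts)
        from_inside = pkt.src.startswith(INSIDE_PREFIX)
        if from_inside:
            key: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.table:
                # Only an inside host may open a session: a TCP SYN or a first UDP datagram.
                opens = pkt.proto == "udp" or "SYN" in pkt.flags
                if not opens:
                    return "drop"   # mid-stream TCP with no session to belong to
                self.table[key] = Entry(last_seen=pkt.ts)
        else:
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in self.table:
                return "drop"       # unsolicited: nobody inside invited this host/port back in

        entry = self.table[key]
        entry.last_seen = pkt.ts
        if pkt.proto == "tcp":
            if "RST" in pkt.flags:
                del self.table[key]
            elif "FIN" in pkt.flags:
                if from_inside:
                    entry.fin_out = True
                else:
                    entry.fin_in = True
                if entry.fin_in and entry.fin_out:
                    del self.table[key]     # both sides closed: forget the connection
        return "pass"


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed traffic trace; returns (description, verdict) pairs in order."""
    fw = StatefulFilter()
    client, web, dns, intruder = "10.0.0.5", "198.51.100.7", "198.51.100.53", "203.0.113.9"
    trace = [
        ("unsolicited SYN to NetBIOS from outside", Packet("tcp", intruder, 4444, client, 139, "SYN", 0.0)),
        ("client opens HTTP session", Packet("tcp", client, 2050, web, 80, "SYN", 1.0)),
        ("server SYN ACK on the invited port", Packet("tcp", web, 80, client, 2050, "SYN ACK", 1.1)),
        ("server data to a port the client never used", Packet("tcp", web, 80, client, 2051, "ACK", 1.2)),
        ("other outside host reusing the session port", Packet("tcp", intruder, 80, client, 2050, "ACK", 1.3)),
        ("client closes", Packet("tcp", client, 2050, web, 80, "FIN ACK", 2.0)),
        ("server closes", Packet("tcp", web, 80, client, 2050, "FIN ACK", 2.1)),
        ("server packet after the session was forgotten", Packet("tcp", web, 80, client, 2050, "ACK", 2.2)),
        ("client DNS query", Packet("udp", client, 5353, dns, 53, "", 100.0)),
        ("DNS reply within the timeout", Packet("udp", dns, 53, client, 5353, "", 101.0)),
        ("late UDP datagram after the timeout", Packet("udp", dns, 53, client, 5353, "", 300.0)),
    ]
    return [(desc, fw.process(pkt)) for desc, pkt in trace]


if __name__ == "__main__":
    for desc, verdict in run_scenario():
        print(f"{verdict:4}  {desc}")
```

Running the script prints the verdict for each packet of the constructed trace. The two drops at the end of the TCP sequence and the UDP sequence are the points the text makes: once the entry is gone, the formerly invited host is an outsider again, whether it was forgotten because of a close or because of a timeout.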
Additionally, filters cannot check all the fragments of an IP message against rules based on higher-level protocols like TCP headers, because the transport header exists only in the first fragment. Subsequent fragments have no transport header information and can only be compared to IP-level rules, which are usually relaxed to allow some traffic through the filter. This allows bugs in the destination IP stacks of computers on the network to be exploited, and could allow communications with a Trojan horse installed inside the network. More modern true firewalls support rebuilding fragmented packets and then applying firewall rules to them.

Finally, filters are not complex enough to check the legitimacy of the protocols inside the network layer packets. For example, filters don't inspect the HTTP messages contained in TCP packets to determine if they contain exploits that target the web browser or web server on your end of the connection. Most modern hacking attempts are based upon exploiting these higher-level services, because firewalls have nearly eliminated successful Network layer hacking beyond the nuisance of denial-of-service attacks.

Variants of Windows

There are three major strains of Windows:

• 16-bit versions of Windows that run on top of MS-DOS, including Windows 3.0, 3.1, and 3.11.
• 32-bit versions of Windows that run on MS-DOS, including Windows 95, 98, and ME.
• 32-bit versions of Windows that run on the NT kernel, including NT 3.1, NT 3.5, NT 3.51, NT 4, 2000, and XP.

Throughout this book, when we use the term "Windows" we're talking about those versions based on the NT kernel architecture unless we state otherwise.

Do not rely upon your operating system's built-in filtering alone to protect your network. You should use your operating system's filtering functions inside your network to establish filters to pass only those protocols you explicitly intend to serve.
This prevents software from working in ways you don't expect and keeps Trojan horses from functioning even if they manage to get installed. Basic OS filtering allows you to define acceptance criteria for each network adapter in your computer for incoming connections based on the following:

• IP protocol number
• TCP port number
• UDP port number

The filtering usually does not apply to outbound connections (those originating on your server), and is defined separately for each adapter in your system.

Note: Windows 2000 supports outbound filtering; Windows NT 4 does not.

A typical server sets up services to listen on the following ports. These ports must be open through your filter in order for these services to work correctly.

Simple TCP/IP services usually listen on the following ports:

Port   TCP/IP Service
7      Echo
9      Discard
13     Daytime
17     Quote of the Day
19     Character Generator

Internet servers usually listen on the following ports:

Port   Server
21     File Transfer Protocol (FTP)
22     Secure Shell (SSH)
23     Telnet
70     Gopher
80     World Wide Web (HTTP)
119    Net News (NNTP)
443    Secure HTTP (HTTPS)

File servers usually listen on the following ports:

Port   Service
53     Domain Name Service (DNS service, if installed)
135    RPC Locator Service (Windows NT only)
137    NetBIOS Name Service (WINS servers only)
139    NetBIOS Session Service (Windows network and SMB/CIFS servers only)
515    LPR, used by the TCP/IP print service, if installed
530    Remote Procedure Call (RPC connections are used by the Windows NT WinLogon service as well as many other high-level network applications)
3389   Windows Terminal Services (accepts connections on this port using the RDP protocol)

Mail servers are usually configured to listen on the following ports:

Port   Mail Server
25     Simple Mail Transfer Protocol (mail server-to-server exchanges)
110    Post Office Protocol version 3 (server-to-client mail exchanges)
143    Internet Message Access Protocol (client access to the mail server)

If you install other service software, you must make sure your server's filter is set up to pass the ports required by the service—otherwise the service will not work. Find out from the software manufacturer which ports are required for that service. This does not apply to border firewalls, which should only be configured to pass a service if you intend to provide that service to the public.

General Rules for Packet Filtering

There are two basic approaches you can take to security: pessimistic, where you disable all access except that which you know is necessary, and optimistic, where you allow all traffic except that which you know is harmful. For security purposes, you should always take a pessimistic approach, because the optimistic approach presumes that you know every possible threat in advance, which is not possible. Consider the following general guidelines when you use packet filtering:

• Disallow all protocols and addresses by default, and then explicitly allow services and hosts you wish to support.
• Disallow all connection attempts to hosts inside your network. By allowing any inbound connections, you allow hackers to establish connections to Trojan horses or exploit bugs in service software.
• Filter out and do not respond to ICMP redirect and echo (ping) messages.
• Drop all packets that are IP source-routed. Source routing is an IP option that is rarely used for legitimate purposes.
• Drop all external routing protocol (RIP, OSPF) updates bound for internal routers. No one outside your network should be transmitting RIP updates.
• Consider disallowing fragments with a nonzero fragment offset (everything after the first fragment), since this functionality is largely obsolete and often exploited.
• Place public service hosts like web servers and SMTP servers outside your packet filters rather than opening holes through your packet filters.
• Do not rely upon packet filtering alone to protect your network.

Network Address Translation

Network Address Translation (NAT) solves the problem of hiding internal hosts. NAT is actually a network layer proxy: a single host makes requests on behalf of all internal hosts, thus hiding their identity from the public network. Windows 2000 and XP, Linux, and many modern UNIX operating systems provide this function as part of the operating system distribution. Windows NT does not.

NAT hides internal IP addresses by converting all internal host addresses to the address of the firewall. The firewall then retransmits the data payload of the internal host from its own address, using the TCP port number to keep track of which connections on the public side map to which hosts on the private side. To the Internet, all the traffic on your network appears to be coming from one extremely busy computer. NAT effectively hides all TCP/IP-level information about your internal hosts from prying eyes on the Internet.

Address translation also allows you to use any IP address range you want on your internal network, even if those addresses are already in use elsewhere on the Internet. This means you don't have to request a large block of IP addresses from ARIN or reassign network numbers from those you simply plugged in before you connected your network to the Internet.
Warning: Although you can use any block of IP addresses behind a firewall with NAT, be aware that you may encounter strange problems accessing Internet hosts that have the same public IP address as a computer inside your network. For that reason, use the private address blocks reserved by RFC 1918 inside your firewall to avoid these problems: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.

Finally, NAT allows you to multiplex a single public IP address across an entire network. Many small companies rely upon the services of an upstream Internet service provider that may be reluctant to provide large blocks of addresses because their own range is relatively restricted. You may want to share a single dial-up or cable modem address without telling your ISP. These options are all possible using network address translation.

On the down side, NAT is implemented only at the TCP/IP level. This means that information hidden in the data payload of TCP/IP traffic could be transmitted to a higher-level service and used to exploit weaknesses in higher-level traffic or to communicate with a Trojan horse. You'll still have to use a higher-level service like a proxy to prevent higher-level service security breaches.

Additionally, many protocols also include the host's IP address in the data payload, so when the address is rewritten while passing through the NAT, the address in the payload becomes invalid. This occurs with active-mode FTP, H.323, IPSec (whose AH integrity check covers the very header fields NAT rewrites), and nearly every other protocol that relies upon establishing a secondary communication stream between the client and the server.

NAT is also a problem for network administrators who may want to connect to clients behind the NAT for administrative purposes. Because the NAT has only one IP address, there's no way to specify which internal client you want to reach. This keeps hackers from connecting to internal clients, but it also keeps legitimate users at bay as well.
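Address translation as described in this section, as an added example that is not part of the original chapter (Python, with constructed addresses and payload). One public address fronts every inside host; the translator rewrites the source of each outbound packet to its own address and a port it chose, remembers the mapping, reverses it for the reply, and drops inbound packets for which no inside host created a mapping. A static mapping stands in for the kind of rule that exposes one inside server. The firewall's public address 203.0.113.2, the inside network 192.168.1.0/24, the starting port 40000 and the FTP exchange are all assumptions; the FTP case shows the payload limitation just described, since a PORT command still carries the client's private address after plain NAT has rewritten the headers.

```python
"""Network address and port translation simulation (added example, not code from the chapter).

One public address fronts every inside host. The translator rewrites the
source of each outbound packet to its own address and a port it picked,
remembers the mapping, reverses it for the reply, and drops inbound packets
for which no mapping exists. A static mapping stands in for a port-forwarding
rule. The FTP case shows the payload limitation described above: plain NAT
rewrites headers only, so a PORT command still carries the private address.
All addresses and payloads are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.2"      # assumption: the firewall's single public address
INSIDE_PREFIX = "192.168.1."   # assumption: RFC 1918 space used on the inside
FIRST_NAT_PORT = 40000         # assumption: dynamic mappings start here

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class Nat:
    def __init__(self) -> None:
        self.out: Dict[Endpoint, int] = {}   # (inside ip, inside port) -> public port
        self.back: Dict[int, Endpoint] = {}  # public port -> (inside ip, inside port)
        self.next_port = FIRST_NAT_PORT

    def forward(self, public_port: int, inside: Endpoint) -> None:
        """Static mapping so one inside server can be reached from outside."""
        self.back[public_port] = inside
        self.out[inside] = public_port

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the headers; return None when the packet must be dropped."""
        if pkt.src.startswith(INSIDE_PREFIX):
            inside = (pkt.src, pkt.sport)
            port = self.out.get(inside)
            if port is None:
                # Two inside hosts may use the same source port; the public port keeps them apart.
                port = self.next_port
                self.next_port += 1
                self.out[inside] = port
                self.back[port] = inside
            # Only IP and transport headers change; the payload is passed through untouched.
            return replace(pkt, src=PUBLIC_IP, sport=port)
        if pkt.dst == PUBLIC_IP and pkt.dport in self.back:
            ip, port = self.back[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        return None   # unsolicited inbound: no mapping, so no inside host to deliver to


def ftp_port_target(payload: str) -> Optional[Endpoint]:
    """Parse an FTP 'PORT h1,h2,h3,h4,p1,p2' command into the (ip, port) it names."""
    if not payload.startswith("PORT "):
        return None
    fields = payload[5:].strip().split(",")
    if len(fields) != 6 or not all(f.isdigit() for f in fields):
        return None
    nums = [int(f) for f in fields]
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def demo() -> dict:
    """Constructed exchange; returns the observations the text makes."""
    nat = Nat()
    nat.forward(25, ("192.168.1.20", 25))      # expose the inside mail server on public :25
    web = nat.translate(Packet("192.168.1.10", 2050, "198.51.100.7", 80))
    reply = nat.translate(Packet("198.51.100.7", 80, web.src, web.sport))
    second = nat.translate(Packet("192.168.1.11", 2050, "198.51.100.7", 80))
    intruder = nat.translate(Packet("203.0.113.9", 4444, PUBLIC_IP, 139))
    mail = nat.translate(Packet("198.51.100.7", 5000, PUBLIC_IP, 25))
    ftp = nat.translate(Packet("192.168.1.10", 2100, "198.51.100.21", 21,
                               "PORT 192,168,1,10,8,2\r\n"))
    return {
        "outbound_src": (web.src, web.sport),
        "reply_dst": (reply.dst, reply.dport),
        "second_host_src": (second.src, second.sport),
        "unsolicited": intruder,
        "forwarded_smtp": (mail.dst, mail.dport),
        "ftp_header_src": ftp.src,
        "ftp_payload_target": ftp_port_target(ftp.payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

The outbound header now says 203.0.113.2, but the FTP payload still names 192.168.1.10, an address the server cannot reach; a firewall that wants active-mode FTP to work through NAT needs an application-aware module (a proxy or "FTP helper") that rewrites the PORT command and opens the matching inbound mapping.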
Fortunately, most modern NAT implementations allow you to create port-forwarding rules that allow internal hosts to be reached.

Proxies

NAT solves many of the problems associated with direct Internet connections, but it still doesn't completely restrict the flow of packets through your firewall. It's possible for someone with a network monitor to watch traffic coming out of your firewall and determine that the firewall is translating addresses for other machines. It is then possible for a hacker to hijack TCP connections or to spoof connections back through the firewall.

Application-level proxies prevent this. They allow you to completely disconnect the flow of network-level protocols through your firewall and restrict traffic only to higher-level protocols like HTTP, FTP, and SMTP. Application-level proxies are a combination of a server and a client for the specific protocol in question. For example, a web proxy is a combination of a web server and a web client. The protocol server side of the proxy accepts connections from clients on the internal network, and the protocol client side of the proxy connects to the public server. When the client side of the proxy receives data from the public server, the server side of the proxy application sends it to the ultimate inside client. Figure 1.2 shows exactly how this works.

Figure 1.2: Proxy servers receive requests on the private network and regenerate them on the public network.

Proxies straddle two networks that are not connected by routers. When a client on the protected network makes a connection to a server on the public side, the proxy receives the connection request and then makes the connection on behalf of the protected client. The proxy then forwards the response from the public server onto the internal network.
Proxies essentially perform a benign man-in-the-middle attack, and they provide a good example of how any intermediate system between you and another end system could potentially perform a more malicious sort of processing without your permission.

Application proxies (like Microsoft Proxy Server) are unlike Network Address Translators and filters in that the Internet client application is (usually) set up to talk to the proxy. For instance, you tell Internet Explorer the address of your web proxy, and Internet Explorer sends all web requests to that server rather than resolving the IP address and establishing a connection directly.

Application proxies don't have to run on firewalls; any server, either inside or outside your network, can perform the role of a proxy. Without a firewall, you still don't have any real security, so you need both. At least some sort of packet filter must be in place to protect the proxy server from network-layer denial-of-service attacks (like the infamous "ping of death"). And, if the proxy doesn't run on the firewall, you'll have to open a channel through your firewall one way or another. Ideally, your firewall should perform the proxy function. This keeps packets from the public side from being forwarded through your firewall.

Some firewall proxies are more sophisticated than others. Some have the functionality of an IP filter and masquerade, so they can simply intercept outbound connection attempts (on port 80 in the case of HTTP) to remote hosts rather than having the client software configured to address the proxy service specifically. The firewall proxy then connects to the remote server and requests data on behalf of the intercepted client. The retrieved data is returned to the requesting client using the firewall's NAT functionality in order to look just like the actual remote server. Proxies that operate in this manner are said to be transparent.
Security proxies are even capable of performing application-level filtering for specific content. For instance, some firewall HTTP proxies look for tags in HTML pages that refer to Java or ActiveX embedded applets and then strip out that content from them. This prevents the applet from executing on your client computers and eliminates the risk that a user will accidentally download a Trojan horse that way. This sort of filtering is extremely important because filtering, proxying, and masquerading can't prevent your network from being compromised if your users are lured into downloading a Trojan horse embedded in an ActiveX applet.

You may have noticed that as we climb through the networking layers, the security services have gotten more specific. For instance, filtering is specific to IP and then to TCP and UDP. Networks that carry protocols other than IP, like Banyan VINES, must use special high-cost or unusually robust firewalls. Proxies are extremely specific because they can only work for a specific application. For instance, you must have a proxy software module for HTTP, another proxy module for FTP, and another module for Telnet. As these protocols evolve (HTTP is particularly fast moving), the proxy module for that protocol will have to be updated.

Many protocols are either proprietary or rare enough that no security proxies exist. Proxies don't exist for proprietary application protocols like Lotus Notes, so those protocols must either be sent through a Network layer filter or be proxied by a generic TCP proxy that regenerates the packet but simply transfers the payload. SOCKS is a specific form of generic proxy; generic proxies are sometimes called circuit-level gateways. Although generic proxying cannot prevent attacks from the content of a protocol, it is still more secure than filtered routing because the Network layer packets are completely regenerated and thus scrubbed of malformations that might not be detected by the firewall.
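The content-stripping web proxy described above, as an added example that is not part of the original chapter and not the code of any named product (Python). It shows the two halves of an HTTP proxy the section discusses: rewriting the absolute-URI request line a configured browser sends into the request the proxy makes to the origin server, and removing applet, object and embed elements (the carriers of Java applets and ActiveX controls) from the returned HTML before relaying it to the inside client. The sample page, its all-zero classid and the host names are constructed for the example.

```python
"""Content-stripping stage of an HTTP security proxy (added example, not code
from the chapter or from any product).

The proxy has already fetched a page on behalf of an inside client. Before
relaying it inward it removes <applet>, <object> and <embed> elements, the
carriers of Java applets and ActiveX controls, and leaves the rest of the
markup untouched. A helper shows the request-line rewrite a configured web
proxy performs. The sample page is constructed for illustration.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

BLOCKED = {"applet", "object", "embed"}   # elements that carry executable content
VOID = {"embed"}                           # has no closing tag, so nothing to wait for


class ActiveContentStripper(HTMLParser):
    """Rebuilds the HTML it is fed, omitting blocked elements and everything inside them."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)   # keep &amp; etc. exactly as written
        self.out: List[str] = []
        self.depth = 0        # > 0 while inside a blocked element
        self.removed = 0      # number of blocked elements seen

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED:
            self.removed += 1
            if tag not in VOID:
                self.depth += 1
            return
        if self.depth == 0:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if tag in BLOCKED:
            self.removed += 1
            return
        if self.depth == 0:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in BLOCKED and tag not in VOID:
            self.depth = max(0, self.depth - 1)
            return
        if self.depth == 0:
            self.out.append(f"</{tag}>")

    def _emit(self, text: str) -> None:
        if self.depth == 0:
            self.out.append(text)

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")

    def handle_decl(self, decl):
        self._emit(f"<!{decl}>")


def strip_active_content(html: str) -> Tuple[str, int]:
    """Return the filtered page and how many blocked elements were removed."""
    parser = ActiveContentStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


def proxy_request_line(client_request_line: str) -> Tuple[str, str]:
    """Browsers talking to a configured proxy send an absolute URI; the proxy
    connects to that host itself and sends an origin-form request line."""
    method, url, version = client_request_line.split()
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.netloc, f"{method} {path} {version}"


# Constructed response body as an origin server might return it.
SAMPLE_PAGE = (
    '<html><head><title>Quarterly &amp; Annual Report</title></head><body>\n'
    '<h1>Report</h1>\n'
    '<applet code="Chart.class" width="300"><param name="q" value="1">Java required</applet>\n'
    '<p>Figures are in the <b>attached</b> table.</p>\n'
    '<object classid="clsid:00000000-0000-0000-0000-000000000000">'
    '<param name="movie" value="x.swf"></object>\n'
    '<embed src="x.swf">\n'
    '<!-- footer -->\n'
    '</body></html>'
)

if __name__ == "__main__":
    host, line = proxy_request_line("GET http://www.example.com/report.html HTTP/1.1")
    print(f"connect to {host}, send: {line}")
    cleaned, removed = strip_active_content(SAMPLE_PAGE)
    print(f"removed {removed} element(s):\n{cleaned}")
```

Tag-based stripping only catches what the parser recognises; markup obfuscated past the parser, or content pulled in later by script, will pass, so treat a filter of this kind as a guard against accidental downloads and keep the packet filter and proxy in front of it.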
In many cases, you "roll your own" proxy by using a combination of the protocol's server and the protocol's client on the same machine. For example, say you've got a network that is disconnected from the Internet, but a Windows server has two network interfaces, one on the Internet and one on the private network. If you use the Terminal Services functionality of Windows 2000 to attach to the server on its public side, you can then run a Terminal Services client on that machine to reach a machine on the interior of the network. In practice, this actually works a lot better than you might presume, although it's not a particularly good security practice.

Whenever possible, use proxy servers for all application protocols. Consider disallowing services for which you do not have proxy servers. Use high-level proxies capable of stripping executable content, like ActiveX and Java, from web pages.

Virtual Private Networks

Virtual Private Networks (VPNs), also called encrypted tunnels, allow you to securely connect two physically separated networks over the Internet without exposing your data to viewing by unauthorized intermediate parties. VPNs by themselves could be subject to redirection attempts, spoofed connection initiation, and all manner of hacking indignity while the tunnel is being established. But when implemented as an integral part of a firewall, the firewall authentication and security services can be used to prevent exploitation while the tunnel is being established. Once established, VPNs are impervious to exploitation so long as the encryption and the keys at each end remain secure. And, since firewalls sit at the Internet borders, they exist at the perfect terminal points for each end of the tunnel. Essentially, your private networks can pass traffic as if they were two subnets in the same domain.
VPNs also allow users to address remote internal hosts directly by their hidden IP addresses; Network Address Translators and packet filters would prevent this if the connection attempt came directly from the Internet.

Tip: The Point-to-Point Tunneling Protocol for Windows NT provides an encrypted tunnel using the security services of the Remote Access Server. Windows 2000 provides support for the more modern Layer 2 Tunneling Protocol (L2TP) and IP Security (IPSec) in transport mode. Most distributions of Linux include support for encrypted tunnels, such as the Point-to-Point Protocol (PPP) over Secure Socket Layer (SSL).

Use leased lines rather than VPNs whenever it is cost effective. Use VPNs for all communications over the Internet between organizational units when leased lines are not available or are cost prohibitive. If you are using VPNs as your primary connection method between organizational units, you'll have far better performance if you use the same ISP at every site, because the VPN traffic won't have to be routed through the congested commercial Internet exchanges. Never communicate private information between organizational units over the Internet without using some form of encryption. Unencrypted packet headers contain valuable nuggets of information about the structure of your internal network.

Note: Technically, leased lines are not guaranteed to be secure either, but they are free of Internet hackers. If you need to secure your data from the possibility of government wiretaps or serious corporate espionage, you should use a VPN over leased lines as well.

Encrypted Authentication

Encrypted authentication allows external users on the Internet to prove to a firewall that they are authorized users and thereby authorized to open a connection through the firewall to the internal network. The encrypted authentication might use any number of secure authentication protocols.
Once the connection is established, it may or may not be encrypted, depending upon the firewall product in use and whether additional software has been installed on the client to support tunneling. Using encrypted authentication is convenient because it occurs at the transport level between a client software package and the firewall. Once the connection is open, all normal application software and operating system logon software will run without hindrance—so you don't have to use special software packages that support your specific firewall.

Unfortunately, encrypted authentication reduces the security of your firewall. By its nature, it causes the following problems:

• The firewall must respond on some port because it listens for connection attempts. This can show hackers that the firewall exists.
• The connection could be redirected using ICMP after establishment, especially if it's not encrypted.

[...]

... requires its own firewall or network interface.

Enterprise Firewalls

Enterprise firewalls are those products that share a single, centralized firewall policy among multiple firewalls. Enterprise firewalls allow you to retain central control of security policy without having to worry about whether or not the policy is correctly implemented on each of the firewalls in your organization. The firewall policy is ... is replicated among all firewalls in the enterprise.

• Security Features  Many firewalls offer important security features such as virtual private networking and encrypted authentication to allow remote office networking with a high degree of security. In many firewalls, VPN is an extra-cost feature that must be enabled by purchasing an additional license.
• Service Features  Some firewalls include services ...
... firewalls for Windows NT-based networks. In fact, there's no functional reason why the operating system used by a firewall should be the same as that used by the network, since (except in very special circumstances) you'll never run any other software on the firewall computer. In fact, these days, most firewalls come as preconfigured computers running a completely proprietary operating system. All firewalls ...

... criterion for firewalls should be security. The next most important feature is ease of use for you; you must be able to correctly configure a firewall for it to work correctly. Flashy features, performance, and services galore are tertiary considerations after the key issues of security and ease of use.

Problems Firewalls Can't Solve

No network attached to the Internet can be made completely secure. Firewalls ...

... (in order of security risk from highest to lowest):

1. Filtered packet services
2. Single firewall with internal public servers
3. Single firewall with external public servers
4. Dual firewalls or DMZ firewalls
5. Enterprise firewalls
6. Disconnection

The following sections discuss each method in detail, along with relative risks and issues.

Filtered Packet Services

Most Internet service providers provide ...

... your network—a very dangerous situation. For this reason, most organizations put public servers outside their firewalls and simply do not allow any external connections in through the firewall.

Dual Firewalls and Demilitarized Zones

You can reduce the risk of having exposed public servers with two firewalls and two levels of firewall protection. Basically, you put the first firewall at your Internet connection ...
... and hides the identity of internal clients. Figure 1.6 shows a network with two firewalls providing two levels of security.

Figure 1.6: Two firewalls acting in concert to completely protect a network.

Most modern firewall products allow the use of demilitarized zones (DMZ), which provide the functionality of having two firewalls by having different security policies for each attached interface in the ...

... configure the firewall correctly. Most Windows-based firewalls are easier to set up than Unix-based firewalls, but many Unix-based firewalls are catching up by using Java or web-based graphical interfaces that run remotely on the administrator's PC. Some firewall vendors claim that their products are superior to firewalls based on Windows or standard versions of Unix because the products are based on a "hardened" ...

Warning: ... of your firewalls can compromise your entire network, especially if you use secure tunneling or private leased lines to connect offices. Hackers can be relied upon to use the path of least resistance.

Comparing Firewall Functionality

There is a common misconception among network administrators that a firewall has to be based on the same operating system as the network file servers—Unix firewalls ...

... used for remote authentication.

• Interface  Some firewalls are very difficult to configure because you must administer them via Telnet or an attached console and learn some cryptic command-line interface. Others use very intuitive graphical interfaces that make configuration easy and obvious (well, obvious to us geeks, anyway).
• Enterprise Functionality  Some firewalls are fortresses unto themselves, while ...