 |  |
6.4. Architectures with Multiple Screened Subnets
Some networks will need more than one screened subnet. This happens when there are multiple things that need to happen on a screened subnet that have different security implications.6.4.1. Split-Screened Subnet
In a split-screened subnet, there is still a single interior router and an exterior router, but multiple networks are between the two routers. In general, the screened networks are connected to each other by one or more dual-homed hosts, not by yet another router.Some sites use this architecture purely to provide defense in depth, protecting a proxy host with the routers. The routers provide protection from forgery, and protection from failures where the dual-homed host starts to route traffic. The dual-homed host provides finer controls on the connections than packet filtering. This is a belt-and-suspenders firewall, providing excellent multilayered protection, although it requires careful configuration on the dual-homed host to be sure you're taking full advantage of the possibilities. (There's no point in running simple, straight-through proxies.) Figure 6-5 shows this configuration.
Figure 6-5. Split-screened subnet with dual-homed host
Others use this architecture to provide administrative access to machines that also provide service to the Internet. This allows administrators to use protocols that are too dangerous to allow to the Internet on a sensitive machine (for instance, the NT-native protocols used for remote User Manager and Performance Monitor use) without relying solely on the exterior router as protection. It also may be useful for performance reasons on machines making intense use of the network; it prevents administrative traffic from using bandwidth that could be used to serve user requests. Figure 6-6 shows this sort of architecture.In fact, machines that can drive multiple high-speed network interfaces at full speed may benefit from having three network interfaces; one to speak to the external users, one to speak to the internal administrators, and one with no connections to other networks that is used for backups and/or communications among bastion hosts. Figure 6-8 shows this sort of architecture.
Figure 6-6. Split-screened subnet with no through traffic
6.4.1.1. Appropriate uses
Split-screened subnets are appropriate for networks that need high security, particularly if they are providing services to the Internet.
6.4.2. Independent Screened Subnets
In some cases you will want to have multiple, independent screened subnets, with separate exterior routers. Figure 6-7 shows this configuration.
Figure 6-7. Architecture using multiple perimeter nets (multiple firewalls)
You might put in multiple perimeter nets to provide redundancy. It doesn't make much sense to pay for two connections to the Internet, and then run them both through the same router or routers. Putting in two exterior routers, two perimeter nets, and two interior routers ensures that no single point of failure is between you and the Internet.[15][15]Providing, of course, that your two Internet providers are actually running on different pieces of cable, in different conduits. Never underestimate the destructive power of a backhoe or a jackhammer.You might also put in multiple perimeter nets for privacy, so that you can run moderately confidential data across one, and an Internet connection across the other. In that case, you might even attach both perimeter nets to the same interior router.
You might also want to use multiple perimeter nets to separate inbound services (services that you provide to the Internet, like publicly accessible web servers) from outbound services (services that allow your users to get to the Internet, like a caching web proxy). It is much easier to provide truly strong security to these functions if you separate them, and if you use a split perimeter net for the inbound services.
Having multiple perimeter nets is less risky than having multiple interior routers sharing the same internal net, but it's still a maintenance headache. You will probably have multiple interior routers, presenting multiple possible points of compromise. Those routers must be watched very carefully to keep them enforcing appropriate security policies; if they both connect to the Internet, they need to enforce the same policy. Figure 6-8 shows the sort of firewall an Internet service provider might use, with many perimeter nets and multiple connections to the Internet.
Figure 6-8. An intricate firewall setup
6.4.2.1. Appropriate uses
Independent screened subnets are appropriate in networks with a particularly strong need for redundancy, or with high security requirements and several independent uses of the Internet.
