556 Chapter 15: Network Security Technologies
Figure 15-2
Bastion Host
What Is a Firewall?
By definition, a firewall is a system or group of systems that enforces a security policy or control
policy between two different networks. Because this definition is very generic, any network
access control mechanism can be a firewall. A firewall can be implemented as access control lists on routers,
as application proxies, or as a dedicated piece of hardware such as the PIX 520.
Why Use Firewalls?
Firewalls were developed because a customer cannot make global networks follow their own
security policy. A customer can't make the Internet behave in a certain way. In the early days
of the Internet, an installation might have had 1000 UNIX systems connected to the Internet
without a firewall. When a security hole was discovered in the UNIX system, all 1000 devices had
to be upgraded, as illustrated in Figure 15-3.
Firewalls have made this job a bit easier. Now, only a few devices must be upgraded, because the 1000
devices are protected behind the firewall. It is much easier to monitor one box than 1000.
Also, today's networks have many more devices running other operating systems, such as
Windows, Novell, and so on, each with its own security weaknesses. Firewalls are not a complete
solution because they add an element of delay and must be monitored extensively. Using
firewalls together with hardening the systems themselves is the best solution for now.
[Figure 15-2 (Bastion Host) labels: Internet; PIX firewall; inside network, sometimes referred to as "the clean side"; DMZ, sometimes referred to as "the dirty side" or "the isolation LAN"; bastion host in the DMZ: "I have Web pages for the world to look at!"]
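As an added illustration (not from the book), the following Python models the policy a firewall enforces between the three zones of Figure 15-2: the Internet, the DMZ holding the bastion host, and the inside network. The address ranges, rule list and first-match/implicit-deny semantics are assumptions modeled on router-style access control lists, not the PIX's actual configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan for the zones in Figure 15-2 (assumed, not from the book).
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),      # "the clean side"
    "dmz": ipaddress.ip_network("192.0.2.0/24"),       # "the dirty side", bastion host lives here
    "internet": ipaddress.ip_network("0.0.0.0/0"),     # everything else
}

def zone_of(ip: str) -> str:
    """Map an address to its zone, checking the specific zones before the catch-all."""
    addr = ipaddress.ip_address(ip)
    for name in ("inside", "dmz"):
        if addr in ZONES[name]:
            return name
    return "internet"

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "permit" or "deny"

# Policy evaluated top to bottom, first match wins; anything unmatched is dropped.
POLICY = [
    Rule("internet", "dmz", 80, "permit"),     # the world may read the bastion host's web pages
    Rule("internet", "inside", None, "deny"),  # nothing from the dirty side reaches the clean side
    Rule("dmz", "inside", None, "deny"),       # a compromised bastion host still cannot reach inside
    Rule("inside", "dmz", None, "permit"),     # inside staff may manage the bastion host
    Rule("inside", "internet", None, "permit"),
]

def evaluate(src_ip: str, dst_ip: str, dst_port: int, policy=POLICY) -> str:
    """Return the action the firewall applies to a packet between two addresses."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.src_zone == src and rule.dst_zone == dst and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"  # implicit deny: the policy must name a flow for it to be allowed
```

The implicit deny at the end is what makes the firewall the single box to watch: a new service on the bastion host is unreachable until a rule is added, so an attacker-facing change is always a visible policy change.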
87200333.book Page 556 Wednesday, August 22, 2001 1:41 PM