{
	"id": "45bb7797-0b09-44a6-bbf9-41d628ad5c85",
	"created_at": "2026-04-06T03:37:49.867651Z",
	"updated_at": "2026-04-10T03:21:27.805083Z",
	"deleted_at": null,
	"sha1_hash": "0cd605eb2f12e5fa7b3ccdc1264d837051fe827b",
	"title": "Perimeter Firewall Design",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 168721,
	"plain_text": "Perimeter Firewall Design\r\nBy Archiveddocs\r\nArchived: 2026-04-06 03:15:45 UTC\r\nUpdated : February 6, 2004\r\nIn This Module\r\nObjectives\r\nApplies To\r\nHow To Use This Module\r\nDesign Guidelines\r\nSystem Attacks and Defense\r\nDevice Definition\r\nFirewall Features\r\nFirewall Classes\r\nClass 1 - Personal Firewall\r\nClass 2 - Router Firewall\r\nClass 3 - Low-end Hardware Firewall\r\nClass 4 - High-end Hardware Firewall\r\nClass 5 - High-end Server Firewall\r\nPerimeter Firewall Usage\r\nPerimeter Firewall Rules\r\nHardware Requirements\r\nFirewall Availability\r\nSecurity\r\nScalability\r\nPerformance\r\nConsolidation\r\nStandards and Guidelines\r\nSummary\r\nReferences\r\nThis module helps you to select a suitable firewall product for your organization's perimeter network. It presents\r\nthe different classes of available firewalls and highlights their significant features. It also gives you guidance in\r\ndetermining your own requirements and helps you to select the most appropriate product.\r\nUse this module to:\r\nIdentify the features necessary in your perimeter firewall.\r\nClassify firewall products.\r\nhttps://technet.microsoft.com/en-us/library/cc700828.aspx\r\nPage 1 of 35\n\nSelect the best firewall product for your perimeter firewall.\r\nThis module applies to the following technologies:\r\nEthernet/IP-based firewall products\r\nBefore reading this module, you should have an understanding of the TCP/IP protocol, your own network\r\narchitecture, and in particular the devices in your perimeter network. It would also be useful to find out what\r\ninbound traffic from the Internet can be considered valid and what is invalid.\r\nThe design guidelines presented in this module will help you select the features you need from your firewall,\r\ntaking into account major considerations such as growth and cost. 
The module will also provide you with\r\ninformation on some of the most damaging intrusions so that you can determine which are most likely to occur in\r\nyour environment and how intrusions can be prevented, not just by installing a firewall but, for example, by\r\ntightening up server configurations or discussing controls with your Internet Service Provider (ISP). This module\r\nalso defines different classes of firewalls, and using the design guidelines you should be able to select the most\r\nappropriate class of firewall to meet your requirements. From the knowledge provided in this module and the\r\ntechnical terminology, you should be able to discuss with firewall manufacturers the products they can provide\r\nand evaluate their suitability for your requirements.\r\nNetwork intrusions from both internal and external users occur with increasing frequency, and protection from\r\nthese intrusions must be established. Although a firewall offers protection for your network, it also costs money\r\nand creates an impediment to traffic flow, so you should look for one that is as cost-effective and efficient as\r\npossible.\r\nIn an enterprise network architecture, there will generally be three zones:\r\nBorder network\r\nThis network faces directly onto the Internet via a router, which should provide an initial layer of\r\nprotection, in the form of basic network traffic filtering. The router feeds data through to the perimeter\r\nnetwork via a perimeter firewall.\r\nPerimeter network\r\nThis network, often called the DMZ (demilitarized zone network) or edge network, links incoming users to\r\nthe Web servers or other services. The Web servers then link to the internal networks via an internal\r\nfirewall.\r\nInternal Networks\r\nThe internal networks link the internal servers, such as SQL Server, and the internal users.\r\nThese networks are depicted in Figure 1.\r\nFigure 1. 
Enterprise Network Architecture\r\nA firewall checks incoming IP packets and blocks those it believes are intrusive. Some blocking can be done by\r\nrecognizing by default that certain packets are illegal, others by configuring the firewall to block them. The\r\nTCP/IP protocol was designed many years ago, without any concept of hacking or intrusion, and it has many\r\nweaknesses. For example, the ICMP protocol was designed as a signaling mechanism within TCP/IP, but this\r\nprotocol is open to abuse and can lead to such problems as denial-of-service (DoS) attacks. A perimeter firewall\r\ncan have a more restricted capability than an internal firewall, because incoming traffic is more limited since its\r\nlegal destination is the Web server or other special services.\r\nMany types of firewalls are available, differentiated partly by price, but also by features and performance.\r\nGenerally, the more expensive the firewall, the more power and features it has. Later in this module, the firewalls\r\nare grouped into classes to differentiate them, but before selecting a firewall, you need to determine what your\r\nrequirements are, taking the following considerations into account:\r\nBudget\r\nExisting facilities\r\nAvailability\r\nScalability\r\nFeatures required\r\nWhat is the available budget? Every firewall in the environment should provide the highest possible level of\r\nservice while remaining cost-effective, but be aware of the resultant damage to your business if the firewall is too\r\nrestricted by cost. Consider the downtime costs in your organization if the service is suspended by a denial of\r\nservice attack.\r\nAre there existing facilities that can be used to save costs? There may already be firewalls in the environment that\r\ncan be reused and routers that can have a firewall feature set installed. 
Your ISP can often implement firewall\r\nrestrictions on your link, such as rate limiting, that is, limiting the rate at which certain packets are sent to you in\r\norder to reduce distributed denial of service (DDoS) attacks, in which your network is bombarded simultaneously by\r\nmany other computers. Ask your ISP if they perform filtering according to RFCs 1918 and 2827.\r\nDoes the firewall need to be available at all times? If you are offering a public Web server facility where users may\r\nwant to connect 24 hours a day, you need almost 100% uptime. With any firewall there is always a chance of\r\nfailure, so you need to mitigate that risk. The availability of a firewall can be improved by two methods:\r\nRedundant components\r\nDuplicating those components more likely to fail, such as the power supply, improves the resilience of the\r\nfirewall, as the first component can fail with no effect on operations. Low-cost firewalls usually do not\r\nhave any redundant options, and adding resilience to your firewall adds to the cost without increasing the\r\nprocessing power.\r\nDuplicate devices\r\nDuplicating the firewall device provides a totally resilient system, but again at a considerable cost, as it\r\nalso requires totally duplicate network cabling and duplicate connectivity in the routers or switches to\r\nwhich the firewall connects. However, depending upon the type of firewall, it may also double the\r\nthroughput to compensate. In theory, all firewalls from the smallest to the largest could be duplicated, but\r\nin practice you also need a software switchover mechanism, which may not be present in the smaller\r\nfirewalls.\r\nWhat is the throughput requirement of the firewall? Throughput can be considered both in terms of bits per second\r\nand packets transferred per second. 
If it is a new venture, you may not know the throughput rates, and if the\r\nventure is successful, the throughput from the Internet could escalate rapidly. In order to handle the change, you\r\nneed to select a firewall solution that can scale up as the throughput increases, either by adding more components\r\nto your firewall, or by installing another firewall in parallel.\r\nWhich firewall features are required? Based on risk assessments conducted against the services provided in your\r\norganization, you can determine which firewall features are required to protect the assets that provide the services.\r\nIf VPNs (Virtual Private Networks) are required, then this will affect the design.\r\nThis section provides a summary of some of the better known system attacks, along with reasons for using a\r\nfirewall service as the first line of defense.\r\nThe Internet is a haven for those who want to adversely affect organizations or steal trade secrets to gain\r\ncompetitive advantage. If you install a perimeter firewall and look at the log of intrusions, you will be surprised by\r\nthe volume. Most of these intrusions are just probes to see if your machine responds and to find out what services\r\nyou are running. This may seem innocuous, but if the attacker discovers your machine he may then attack your\r\nservice, knowing what weaknesses it has.\r\nIn addition to providing protection from Internet-based attacks, sensitive information must be protected. Most\r\norganizations have sensitive information that should be protected from certain users on the internal network,\r\nincluding employees but also vendors, contractors, and customers. While a perimeter firewall is primarily there to\r\nprotect against external intrusions, knowledgeable internal users may try to enter via the Internet.\r\nIntrusion threats can take many forms, and describing them all here would serve only a limited purpose, because\r\nnew ones are created on a daily basis. 
Some intrusions, such as pinging a server address, may seem harmless, but\r\nafter discovering the presence of a server, the hacker might attempt a more serious attack. In other words, all\r\nintrusions should be considered potentially harmful. Some of the major intrusions are:\r\nPacket Sniffers\r\nA sniffer is a software application or hardware device that attaches to the LAN and captures information\r\nfrom Ethernet frames. The original intention of these systems was to troubleshoot and analyze Ethernet\r\ntraffic or to delve deeper into the frames to examine individual IP packets. Sniffers operate in promiscuous\r\nmode; that is, they listen to every packet on the physical wire. Many applications, such as Telnet, send user\r\nname and password information in clear text that can be read by sniffer products, and therefore a hacker\r\nwith a sniffer could gain access to many applications.\r\nSniffing cannot be prevented by a firewall as a sniffer does not generate network traffic. There are various\r\nmeasures to counter sniffing, primarily by ensuring that strong encrypted passwords are used, but this is\r\nbeyond the scope of this module.\r\nIP Spoofing\r\nIP spoofing occurs when the source address of an IP packet is changed to hide the identity of the sender.\r\nBecause the routing operation within the Internet uses only the destination address to send a packet on its\r\nway and ignores the source address, a hacker can send a destructive packet to your system disguising the\r\nsource without you knowing where it came from. Spoofing is not necessarily destructive, but it signals that\r\nan intrusion is at hand. The address may be outside your network (to hide the identity of the intruder) or it\r\nmay be one of your trusted internal addresses with privileged access. 
Spoofing is typically used for denial\r\nof service attacks, which are described later in this module.\r\nIt is possible to prevent IP spoofing by implementing either or both of the following mechanisms:\r\nAccess control\r\nDeny access to incoming packets from the Internet with a source address that is on your internal\r\nnetwork.\r\nRFC 2827 filtering\r\nIt is important to ensure that no IP spoofing takes place on your outgoing traffic. Spoofed packets\r\nmust originate on somebody's network; you want to be certain that your network is not being used\r\nas a source for spoofing. Therefore, you should prevent all outgoing traffic from your network that\r\ndoes not have a source address within your own allocation. Your ISP might also be able to drop\r\nspoofed traffic from your network by checking if the source address is one that belongs to your\r\nnetwork. This technique is known as RFC 2827 filtering; contact your ISP for more information\r\nabout how to implement it. Filtering outbound traffic has no benefit for you, but another network\r\nperforming similar filtering could prevent a spoofed attack on your network. Most modern firewalls\r\nhave the ability to prevent inbound IP spoofing.\r\nDenial-of-Service Attacks\r\nDenial of service (DoS) attacks are among the hardest to prevent. They differ from other types of attack in\r\nthat they do not cause permanent damage to your network; instead, they try to stop the network functioning\r\nby bombarding a particular computer (either a server or a network device), or by degrading the throughput\r\nof network links to the point where performance is so abysmal it causes ill-will among customers and loss\r\nof business to the organization. A distributed DoS (DDoS) attack is an attack initiated from many other\r\ncomputers concentrating the bombardment on your system. 
The attacking computers have not necessarily\r\ninitiated the attack themselves, but due to their own security vulnerabilities, they have allowed themselves\r\nto be infiltrated by a hacker who has directed them to send high volumes of data to your network,\r\ncongesting either the link to your ISP or one of your devices.\r\nApplication Layer Attacks\r\nApplication layer attacks are often the most publicized attacks, and usually exploit well-known weaknesses\r\nin applications, such as Web servers and database servers. The problem, particularly for Web servers, is that\r\nthey are designed to be accessed by public users, who are unknown and cannot be trusted. Most attacks are\r\nagainst known deficiencies in the product, so the best defense is to install the latest updates from the\r\nmanufacturers. The infamous Structured Query Language (SQL) Slammer worm affected 35,000 systems\r\nwithin a very short time of its release in January 2003. The worm exploited a known problem in Microsoft\r\nSQL Server™ 2000 for which Microsoft had already issued a fix four months earlier in August 2002, thus\r\ntaking advantage of the fact that many administrators had neither applied the recommended update nor had\r\nadequate firewalls in place (which could have dropped packets destined for the port that the worm used).\r\nNote that a firewall is just a backstop in these situations; manufacturers recommend that upgrades should\r\nbe applied to all products, particularly to prevent application layer attacks.\r\nNetwork Reconnaissance\r\nNetwork reconnaissance is the scanning of networks to discover valid IP addresses, domain name system\r\n(DNS) names, and IP ports prior to launching an attack. Although network reconnaissance is harmless by\r\nitself, discovering which addresses are in use can help someone launch a hostile attack. 
In fact, if you look\r\nat the logs for a firewall, you will find that most intrusions are of this nature; typical probes include\r\nscanning for listening Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports, as well as\r\nfor other well-known listening ports, such as those used by Microsoft SQL Server, NetBIOS, HTTP, and\r\nSMTP. All such probes seek a reply, which tells the hacker that the server exists and runs one of these\r\nservices. Many of these probes can be prevented by the border router or by a firewall. Many services are\r\npresent by default; turn off any that are not required, but be aware that turning off some of them may restrict\r\nyour network diagnostics capabilities.\r\nViruses/Trojan Horses\r\nViruses generally cannot be detected by firewalls, as they are often embedded in email attachments.\r\nTraditional viruses tended to just damage the device that they had contaminated, but modern viruses often\r\ntry to replicate and damage either other local machines or spread out onto the Internet by sending multiple\r\nemails with the virus attached. Many of these viruses install a Trojan Horse program on the contaminated\r\ndevice. A Trojan Horse program may not do any direct damage, but rather sends information from the\r\ndevice on which it is installed over the Internet to the hacker, who can then launch a targeted attack on that\r\ndevice, knowing what software it is running and where it is vulnerable. While the primary defense against\r\nviruses is always to maintain up-to-date anti-virus software on the device, the perimeter firewall may be\r\nuseful in limiting the effectiveness of the Trojan Horse program.\r\nA firewall is a mechanism for controlling the flow of IP traffic between two networks. 
Firewall devices typically\r\noperate at Layer 3 (L3) of the OSI model, although some models can operate at higher levels as well.\r\nFirewalls generally provide the following benefits:\r\nDefending internal servers from network attacks\r\nEnforcing network usage and access policies\r\nMonitoring traffic and generating alerts when suspicious patterns are detected\r\nIt is important to note that firewalls mitigate only certain types of security risks. A firewall does not usually\r\nprevent the damage that can be inflicted against a server with a software vulnerability. Firewalls should be\r\nimplemented as part of an organization's comprehensive security architecture.\r\nDepending on the features that a firewall supports, traffic is either allowed or blocked using a variety of\r\ntechniques. These techniques offer varying degrees of protection, based on the capabilities of the firewall. The\r\nfollowing firewall features are listed in increasing order of complexity:\r\nNetwork adapter input filters\r\nStatic packet filters\r\nNetwork address translation (NAT)\r\nStateful inspection\r\nCircuit-level inspection\r\nProxy\r\nApplication layer filtering\r\nIn general, firewalls that provide complex features will also support the simpler features. However, you should\r\nread vendor information carefully when choosing a firewall, because there can be subtle differences between its\r\nimplied and actual capabilities. When selecting a firewall, you must inquire about the features and test it to ensure\r\nthat the product can indeed perform according to specifications.\r\nNetwork adapter input filtering examines source or destination addresses and other information in the incoming\r\npacket, and either blocks the packet or allows it through. It applies only to incoming traffic and cannot control\r\noutgoing traffic. 
It matches IP addresses, port numbers for UDP and TCP, as well as the protocol of the traffic\r\n(TCP, UDP, or generic routing encapsulation (GRE)).\r\nFor a perimeter firewall protecting a Web server, legal incoming traffic should only be able to access the Web\r\nserver IP address and usually a limited range of port numbers, such as 80 for HTTP or 443 for HTTPS. Although\r\nthe perimeter firewall should have this control, it should also be implemented in the border router.\r\nNetwork adapter input filtering allows a quick and efficient denial of standard incoming packets that meet the rule\r\ncriteria configured in the firewall. However, this form of filtering can easily be evaded, as it only matches the\r\nheaders of the IP traffic, working on the basic assumption that the traffic being filtered follows IP standards and is\r\nnot crafted to evade the filtering.\r\nStatic packet filters are similar to network adapter input filters in the sense that they simply match IP headers to\r\ndetermine whether or not to allow the traffic to pass through the interface. However, static packet filters allow\r\ncontrol over outbound as well as inbound communications to an interface. Furthermore, static packet filters\r\ntypically allow an additional function over the network adapter filtering, which is to check if the Acknowledgment\r\n(ACK) bit is set on the IP header. The ACK bit gives information on whether the packet is a new request or a\r\nreturn request from an original request. It does not verify that the packet was originally sent by the interface\r\nreceiving it; it merely checks whether the traffic coming into the interface appears to be return traffic, based on the\r\nconventions of the IP headers.\r\nThis technique only applies to the TCP protocol and not the UDP protocol. 
Like network adapter input filtering,\r\nstatic packet filtering is very fast, but its capabilities are limited, and it can be evaded by specifically crafted\r\ntraffic.\r\nAs with network adapter input filtering, static packet filtering should also be implemented on the border router in\r\naddition to the perimeter firewall.\r\nIn the worldwide IP address range, certain address ranges are designated as private addresses. These are intended\r\nto be used in your organization and have no meaning in the Internet. Traffic destined for any of these IP addresses\r\ncannot be routed through the Internet, so assigning a private address to your internal devices gives them some\r\nprotection against intrusion. However, these internal devices often need to access the Internet themselves and so\r\nNetwork Address Translation (NAT) converts the private address into an Internet address.\r\nAlthough NAT is not strictly a firewall technology, concealing the real IP address of a server prevents attackers\r\nfrom gaining valuable fingerprinting information about the server.\r\nIn stateful inspection, all outgoing traffic is logged in a state table. When the connection traffic returns to the\r\ninterface, the state table is checked to ensure that the traffic originated from this interface. Stateful inspection is a\r\nbit slower than static packet filtering; however, it ensures that the traffic is allowed to pass only if it matches the\r\noutgoing traffic requests. The state table contains items such as destination IP address, source IP address, port\r\nbeing called, and originating host.\r\nCertain firewalls may store more information in the state table than others (such as IP fragments sent and\r\nreceived). The firewall can verify that the traffic is processed when all or just some of the fragmented information\r\nreturns. 
Different vendors' firewalls implement the stateful inspection feature differently, so you should read the\r\nfirewall documentation carefully.\r\nThe stateful inspection feature typically assists in mitigating the risk posed by network reconnaissance and IP\r\nspoofing.\r\nWith circuit-level filtering, it is possible to inspect sessions, as opposed to connections or packets. Sessions are\r\nestablished only in response to a user request and may include multiple connections. Circuit-level filtering\r\nprovides built-in support for protocols with secondary connections, such as FTP and streaming media. It typically\r\nassists in mitigating the risks posed by network reconnaissance, DoS, and IP spoofing attacks.\r\nProxy firewalls request information on behalf of a client. In contrast to the firewall technologies discussed above,\r\nthe communication does not occur directly between the client and the server hosting the service. Instead, the proxy\r\nfirewall gathers information on behalf of the client and returns the data it receives from the service back to the\r\nclient. Because the proxy server gathers this information for one client, it also caches the content to disk or\r\nmemory. If another client makes an identical data request, the request can be satisfied from the cache, resulting in\r\nreduced network traffic and server processing time.\r\nFor non-encrypted sessions, such as FTP read-only and HTTP sessions, a proxy firewall actually creates\r\nindividual sessions with both the client and the server, so there is never a direct connection between the two. For\r\nencrypted sessions, on the other hand, the proxy server verifies that the header information conforms to the\r\nstandards of Secure Sockets Layer (SSL) communication before allowing the traffic to pass. 
However, the proxy\r\ncannot inspect the data passing by, because it is encrypted end-to-end by the client and the server.\r\nThe advantages of a proxy server over the firewall technologies discussed above include:\r\nNo direct connections between client and server\r\nThe client and server do not usually make direct connections to each other; even if they do (such as with\r\nSSL), protocol header and traffic inspection is performed.\r\nThe server can cache the content of frequently requested sites\r\nCaching saves bandwidth and prevents unnecessary requests from exiting the environment.\r\nValidation of protocols that pass through it\r\nIn addition to validating the port number through which the communication travels, proxy servers also\r\nvalidate the protocols that pass through them. The most typical protocols that are inspected are FTP\r\ndownload only, HTTP, SSL, and some text messaging services (such as text only, no video, audio, or file\r\ntransfers).\r\nCan be configured to forward requests based on a user's ID\r\nProxy servers can often be configured to forward requests based on user ID (that is, restrictions can be set\r\nonly for certain users), rather than just source IP, port, or protocol.\r\nThe main drawback to a proxy server is that it requires much more processing power to perform protocol\r\ninspection. However, processing power is increasing all the time, so this is becoming less of an issue. Still, proxy\r\nservers do not have the throughput of a stateful or packet filtering firewall. 
Arguably, the added benefits of\r\nprotocol inspection are necessary in a world where high-speed networks abound for home users and where\r\nInternet connectivity is becoming increasingly available to non-trusted nodes that are connected by ISPs with little\r\nor no legal obligation to provide trusted Internet services.\r\nThe proxy feature typically assists in mitigating the risk posed by network reconnaissance, DoS, IP spoofing\r\nattacks, virus/Trojan horse, and some application layer attacks.\r\nThe most sophisticated level of firewall traffic inspection is application-level filtering. Good application filters\r\nallow you to analyze a data stream for a particular application and provide application-specific processing,\r\nincluding inspecting, screening or blocking, redirecting, and modifying data as it passes through the firewall.\r\nThis mechanism is used to protect against things like unsafe SMTP commands or attacks against internal Domain\r\nName System (DNS) servers. Third-party tools for content screening, such as virus detection, lexical analysis, and\r\nsite categorization, can usually be added to your firewall.\r\nAn application layer firewall has the ability to inspect many different protocols, based on the traffic that passes\r\nthrough it. Unlike a proxy firewall, which usually inspects the Internet traffic (such as HTTP, FTP download, and\r\nSSL), the application layer firewall has much greater control over the way that traffic travels through the firewall.\r\nFor example, an application layer firewall is capable of allowing only the UDP traffic that originates inside the\r\nfirewall boundary to pass through. 
If an Internet host were to port scan a stateful firewall to see if it allowed DNS\r\ntraffic into the environment, the port scan would probably show that the well-known port associated with DNS\r\nwas open, but once an attack is mounted, the stateful firewall would reject the requests, because they did not\r\noriginate internally. An application layer firewall might open ports dynamically, based on whether or not the\r\ntraffic originates internally.\r\nThe application layer firewall feature assists in mitigating the risks posed by IP spoofing, DoS, some application\r\nlayer attacks, network reconnaissance, and virus/Trojan horse attacks. Drawbacks of an application layer firewall\r\nare similar to those of the proxy, in the sense that it requires much more processing power and is typically much slower at\r\npassing traffic than stateful or static filtering firewalls. The most important consideration when using an\r\napplication layer firewall is determining what the firewall is capable of doing at the application layer.\r\nThe application layer feature ensures that the traffic being passed over a port is appropriate. Unlike a packet filter\r\nor stateful inspection firewall that simply looks at the port and at the source and destination IP addresses, firewalls\r\nthat support the application layer filtering feature have the ability to inspect both the data and the commands being\r\npassed back and forth.\r\nMost firewalls that support the application layer feature only have application layer filtering for clear text traffic,\r\nsuch as a proxy-aware messaging service, HTTP, and FTP. It is important to keep in mind that a firewall which\r\nsupports this feature can govern traffic going in and out of the environment. Another advantage of this feature is\r\nthe ability to inspect DNS traffic as it goes through the firewall to look for DNS-specific commands. 
This\r\nadditional layer of protection ensures that users or attackers cannot conceal information in allowed types of traffic.\r\nIf your organization has an online store, which collects credit card numbers and other personal information about\r\ncustomers, it is prudent to take the highest level of precautions in protecting this information. In these cases, it is\r\nessential that this type of high security data is encrypted between the user's PC and your Web servers, using the\r\nSecure Sockets Layer (SSL) protocol.\r\nIt is important to distinguish those cases where the application layer feature is used in conjunction with SSL. SSL\r\nis encrypted, and the firewall cannot understand the protocol commands because they are located within the\r\nencrypted packet. Each firewall that supports the application layer feature handles this differently, so it is\r\nimportant to read the fine print of the documentation for whichever firewall you choose.\r\nThe problem is that no device is supposed to be able to inspect data once an SSL session is established and the\r\nencryption is negotiated. For example, a client using a firewall that supports the proxy-type application layer\r\nfeature requests the firewall to initiate a connection to a secure Web server on its behalf. The firewall and the\r\nserver do the initial setup of the TCP connection, and the firewall hands over the connection to the client to set up\r\nthe encryption with the server. 
After the connection is handed over to the client, the firewall no longer has the\r\nability to inspect the data.\r\nWhen the application layer feature is used to expose Internet services publicly, the following options are available:\r\nTerminating the SSL traffic at the firewall\r\nThis allows the firewall to inspect incoming SSL connections for legitimate Web traffic and to discard\r\ntraffic as the firewall decrypts the data for the Internet service.\r\nRegenerating SSL traffic from the firewall to the exposed Web service\r\nThis is particularly helpful if basic credentials (such as clear text user name and password) are used within\r\nthe SSL tunnel. Individuals who can sniff traffic between the internal interface of the firewall and the\r\npublished Web service cannot get at the traffic because it is re-encrypted.\r\nAllowing the SSL traffic to pass through the firewall to the back-end server\r\nThis is essentially the reverse approach of the SSL connection between the internal client and the external\r\nserver.\r\nThese options provide numerous ways of controlling how far an encrypted session can be allowed to tunnel into\r\nan environment. In general, the closer you can keep encrypted traffic to the edge of your environment the better,\r\nbecause nothing in between can really see what is inside that tunnel.\r\nThis section presents a number of firewall classes, each of which provides certain features. Specific firewall\r\nclasses can be used to respond to specific requirements in the IT architecture design.\r\nGrouping firewalls into classes allows for the abstraction of the hardware from the requirements of the service, so\r\nthat service requirements can be matched against class features. 
As long as a firewall fits into a specific class, you can assume it supports all the services of that class.\r\nThe various classes are as follows:\r\nPersonal firewalls\r\nRouter firewalls\r\nLow-end hardware firewalls\r\nHigh-end hardware firewalls\r\nServer firewalls\r\nIt is important to understand that some of these classes overlap; this is by design. The overlap allows one type of firewall solution to span multiple classes. Many classes can also be served by more than one hardware model from the same vendor, so that an organization can select a model that best suits its needs both now and in the future.\r\nApart from price and feature set, firewalls can be classified on the basis of performance (or throughput). However, many manufacturers do not provide any throughput figures for their firewall. Where they are provided (usually for hardware firewall devices), no standard measurement process is followed, which makes comparisons between manufacturers difficult. For example, one measure is the number of bits per second (bps), but as the firewall is actually passing IP packets, this measure is meaningless if the packet size used in measuring the rate is not included.\r\nThe following sections define each firewall class in detail.\r\nClass 1 - Personal Firewall\r\nA personal firewall is defined as a software service that provides a simple firewall capability for a personal computer. As the number of permanent Internet connections (as opposed to dial-up connections) has grown, the use of personal firewalls has increased.\r\nAlthough designed to protect a single computer, a personal firewall can also protect a small network, if the computer on which it is installed is sharing its connection to the Internet with other computers on the internal network. 
However, the performance of personal firewall software is limited and it degrades the performance of the personal computer on which it is installed. The protection mechanisms are usually less effective than a dedicated firewall solution, because they are usually restricted to blocking IP addresses and ports, although generally speaking a lower level of protection is needed on a personal computer.\r\nPersonal firewalls may be supplied with an operating system or at a very low cost. They are suitable for their intended purpose, but because of their restricted performance and functionality, they should not be considered for use in an enterprise, even in small satellite offices. They are, however, particularly suitable for mobile users on laptop computers.\r\nPersonal firewalls vary tremendously in their capabilities and price. However, lack of a specific feature, especially on a laptop, might not be of great importance. The following table shows the features commonly available in personal firewalls.\r\nTable 1. 
Class 1 - Personal Firewalls\r\nBasic features supported: Most personal firewalls support static packet filters, NAT, and stateful inspection, while some support circuit-level inspection and/or application layer filtering.\r\nConfiguration: Automatic (manual option also available)\r\nBlock or allow IP addresses: Yes\r\nBlock or allow protocol or port numbers: Yes\r\nBlock or allow incoming ICMP messages: Yes\r\nControl outgoing access: Yes\r\nApplication protection: Possibly\r\nAudible or visible alerts: Possibly\r\nLog file of attacks: Possibly\r\nReal-time alerts: Possibly\r\nVPN support: Typically no\r\nRemote management: Typically no\r\nManufacturer support: Varies widely (depends on the product)\r\nHigh-availability option: No\r\nNumber of concurrent sessions: 1 to 10\r\nModular upgradeability (hardware or software): None to limited\r\nPrice range: Low (free in some cases)\r\nPersonal firewalls offer the following advantages and disadvantages.\r\nThe advantages of personal firewalls include:\r\nInexpensive\r\nWhen only a limited number of licenses are required, personal firewalls are an inexpensive option. A personal firewall is integrated into versions of the Microsoft Windows XP operating system. 
Additional products that work with other versions of Windows or other operating systems are available for free or at limited cost.\r\nEasy to configure\r\nPersonal firewall products tend to have basic configurations that work out-of-the-box with straightforward configuration options.\r\nThe disadvantages of personal firewalls include:\r\nDifficult to manage centrally\r\nPersonal firewalls need to be configured on every client, which adds to the management overhead.\r\nOnly basic control\r\nConfiguration tends to be a combination of static packet filtering and permission-based blocking of applications only.\r\nPerformance limitations\r\nPersonal firewalls are designed to protect a single personal computer. Using them on a computer that serves as a router for a small network will lead to degraded performance.\r\nClass 2 - Router Firewall\r\nRouters usually support one or more of the firewall features discussed previously; they can be subdivided into low-end devices designed for Internet connections and high-end traditional routers. The low-end routers provide basic firewall features for blocking and allowing specific IP addresses and port numbers, and use NAT to hide interior IP addresses. They often provide the firewall feature as standard, optimized to block intrusions from the Internet, and while they need no configuration, they can be refined with further configuration.\r\nHigh-end routers can be configured to tighten up access by barring the more obvious intrusions, such as pings, and by implementing other IP address and port restrictions through the use of ACLs. Additional firewall features, such as stateful packet filtering, may be available in some routers. In high-end routers, the firewall capability is similar to that of a hardware firewall device at a lower cost, but also with a lower throughput.\r\nTable 2. 
Class 2 - Router Firewall\r\nBasic features supported: Most router firewalls support static packet filters. Lower-end routers typically support NAT. Higher-end routers may support stateful inspection and/or application layer filtering.\r\nConfiguration: Typically automatic on lower-end routers (with manual options). Often manual on higher-end routers.\r\nBlock or allow IP addresses: Yes\r\nBlock or allow protocol/port numbers: Yes\r\nBlock or allow incoming ICMP messages: Yes\r\nControl outgoing access: Yes\r\nApplication protection: Possibly\r\nAudible or visible alerts: Typically\r\nLog file of attacks: In many cases\r\nReal-time alerts: In many cases\r\nVPN support: Common in lower-end routers, not as common in higher-end routers. Separate dedicated devices or servers for this task are available.\r\nRemote management: Yes\r\nManufacturer support: Typically limited in lower-end routers and good in higher-end routers.\r\nHigh-availability option available: Low end: No - High end: Yes\r\nNumber of concurrent sessions: 10 - 1,000\r\nModular upgradeability (hardware or software): Low end: No - High end: Limited\r\nPrice range: Low to High\r\nRouter firewalls offer the following advantages and disadvantages.\r\nThe advantages of router firewalls include:\r\nLow cost solution\r\nActivation of an existing router firewall feature may not add any cost to the price of the router, and it requires no additional hardware.\r\nConfiguration can be consolidated\r\nRouter firewall configuration can be accomplished when the router is configured for normal operations, thereby minimizing the management effort. 
This solution is particularly suitable for satellite branch offices, since network hardware and manageability are simplified.\r\nInvestment protection\r\nRouter firewall configuration and management is familiar to the operations staff, so no retraining is required. Network cabling is simplified, because no additional hardware is installed, which also simplifies network management.\r\nThe disadvantages of router firewalls include:\r\nLimited functionality\r\nIn general, low-end routers only offer basic firewall features. High-end routers typically offer higher-level firewall features, but may need considerable configuration, much of which is done through the addition of controls that are easily forgotten, making it somewhat difficult to configure correctly.\r\nOnly basic control\r\nConfiguration tends to be a combination of static packet filtering and permission-based blocking of applications only.\r\nPerformance impact\r\nUsing a router as a firewall detracts from the performance of the router and slows the routing function, which is its primary task.\r\nLog file performance\r\nUse of a log file to catch unusual activities can seriously reduce the performance of the router, especially when it is already under attack.\r\nClass 3 - Low-end Hardware Firewall\r\nAt the low end of the hardware firewall market are Plug-and-Play units, which require little or no configuration. These devices often incorporate switch and/or VPN functionality as well. Low-end hardware firewalls are targeted at small businesses and for internal use in larger organizations. They generally offer static filtering capabilities and basic remote management functionality. Devices from larger manufacturers may run the same software as their higher-end counterparts, providing an upgrade path should one be required.\r\nTable 3. 
Class 3 - Low-end Hardware Firewall\r\nBasic features supported: Most low-end hardware firewalls support static packet filters and NAT. May support stateful inspection and/or application layer filtering.\r\nConfiguration: Automatic (manual option also available)\r\nBlock or allow IP addresses: Yes\r\nBlock or allow protocol/port numbers: Yes\r\nBlock or allow incoming ICMP messages: Yes\r\nControl outgoing access: Yes\r\nApplication protection: Typically not\r\nAudible or visible alerts: Typically not\r\nLog file of attacks: Typically not\r\nReal-time alerts: Typically not\r\nVPN support: Sometimes\r\nRemote management: Yes\r\nManufacturer support: Limited\r\nHigh-availability option available: Typically not\r\nNumber of concurrent sessions: \u003e 10 - 7500\r\nModular upgradeability (hardware or software): Limited\r\nPrice range: Low\r\nLow-end hardware firewalls offer the following advantages and disadvantages.\r\nThe advantages of low-end hardware firewalls include:\r\nLow cost\r\nLow-end firewalls can be purchased inexpensively.\r\nSimple configuration\r\nAlmost no configuration is required.\r\nThe disadvantages of low-end hardware firewalls include:\r\nLimited functionality\r\nIn general, low-end hardware firewalls only offer basic firewall functionality. 
They cannot be run in parallel for redundancy.\r\nPoor throughput\r\nLow-end hardware firewalls are not designed to handle high-throughput connections, which may cause bottlenecks.\r\nLimited manufacturer support\r\nAs these are low cost items, manufacturer support is usually limited to e-mail and/or a Web site.\r\nLimited upgradeability\r\nUsually there can be no hardware upgrades, though periodic firmware upgrades are often available.\r\nClass 4 - High-end Hardware Firewall\r\nAt the high end of the hardware firewall market, there are high-performance, highly resilient products, which are suitable for the enterprise or service provider. These usually offer the best protection, without reducing the performance of the network.\r\nResilience can be achieved by adding a second firewall running as a hot standby unit, which maintains the current table of connections through automatic stateful synchronization.\r\nFirewalls should be used in every network connected to the Internet, because intrusion happens constantly; DoS attacks, theft, and data corruption are being attempted all the time. High-end hardware firewall units should be considered for deployment in central or headquarters locations.\r\nTable 4. 
Class 4 - High-end Hardware Firewall\r\nBasic features supported: Most high-end hardware firewalls support static packet filters and NAT. They may support stateful inspection and/or application layer filtering.\r\nConfiguration: Typically manual\r\nBlock or allow IP addresses: Yes\r\nBlock or allow protocol/port numbers: Yes\r\nBlock or allow incoming ICMP messages: Yes\r\nControl outgoing access: Yes\r\nApplication protection: Potentially\r\nAudible or visible alerts: Yes\r\nLog file of attacks: Yes\r\nReal-time alerts: Yes\r\nVPN support: Potentially\r\nRemote management: Yes\r\nManufacturer support: Good\r\nHigh-availability option available: Yes\r\nNumber of concurrent sessions: \u003e 7500 - 500,000\r\nModular upgradeability (hardware or software): Yes\r\nPrice range: High\r\nHigh-end hardware firewalls offer the following advantages and disadvantages.\r\nThe advantages of high-end hardware firewalls include:\r\nHigh performance\r\nHardware firewall products are designed for a single purpose and provide high levels of intrusion-blocking together with the least degradation of performance.\r\nHigh availability\r\nHigh-end hardware firewalls can be connected together for optimal availability and load balancing.\r\nModular systems\r\nBoth hardware and software can be upgraded for new requirements. 
Hardware upgrades may include additional Ethernet ports, while software upgrades may include detection of new methods of intrusion.\r\nRemote management\r\nHigh-end hardware firewalls offer better remote management functionality than their low-end counterparts.\r\nResilience\r\nHigh-end hardware firewalls may have availability and resilience features, such as hot or active standby with a second unit.\r\nApplication layer filtering\r\nUnlike their low-end counterparts, high-end hardware firewalls provide filtering for well-known applications at the L4, L5, L6, and L7 layers of the OSI model.\r\nThe disadvantages of high-end hardware firewalls include:\r\nHigh cost\r\nHigh-end hardware firewalls tend to be expensive. Although they can be purchased for as little as $100, the cost is much higher for an enterprise firewall, since the price is often based on the number of concurrent sessions, throughput, and availability requirements.\r\nComplex configuration and management\r\nBecause high-end hardware firewalls have much greater capability than low-end firewalls, they are also more complex to configure and manage.\r\nClass 5 - High-end Server Firewall\r\nA variety of products are available that add firewall capability to a high-end server, providing robust, fast protection on standard hardware and software systems. The benefits of this approach are the use of familiar hardware or software, which provides a reduced number of inventory items, simplified training and management, reliability, and expandability. Many of the high-end hardware firewall products are implemented on an industry-standard hardware platform running an industry-standard operating system (but hidden from view) and therefore have little difference, either technically or in performance, from a server firewall. 
However, because the operating system is still visible, the server firewall feature can be upgraded and made more resilient by techniques such as clustering.\r\nBecause the server firewall is a server running a commonly-used operating system, additional software, features, and functionality can be added to the firewall from a variety of vendors (not just one vendor, which is the case with a hardware firewall). Familiarity with the operating system can also lead to more effective firewall protection, because some of the other classes need considerable expertise for full and correct configuration.\r\nThis class is suitable where there is a high investment in a particular hardware or software platform, because using the same platform for the firewall makes the management task simpler.\r\nThe caching capability of this class can also be very effective.\r\nTable 5. Class 5 - High-end Server Firewall\r\nFeatures supported: Most high-end server firewalls support static packet filters and NAT. They may also support stateful inspection and/or application layer filtering.\r\nConfiguration: Typically manual\r\nBlock or allow IP addresses: Yes\r\nBlock or allow protocol/port numbers: Yes\r\nBlock or allow incoming ICMP messages: Yes\r\nControl outgoing access: Yes\r\nApplication protection: Potentially\r\nAudible or visible alerts: Yes\r\nLog file of attacks: Yes\r\nReal-time alerts: Yes\r\nVPN support: Potentially\r\nRemote management: Yes\r\nManufacturer support: Good\r\nHigh-availability option available: Yes\r\nNumber of concurrent sessions: \u003e50,000 (across multiple network segments)\r\nModular upgradeability (hardware or software): Yes\r\nOther: Commonly used operating system\r\nPrice range: High\r\nServer firewalls offer the following general advantages and disadvantages.\r\nThe advantages of server firewalls include:\r\nHigh performance\r\nWhen run on a suitably sized server, these firewalls can offer high levels of performance.\r\nIntegration and consolidation of services\r\nServer firewalls can make use of various features of the operating system on which they run. For example, firewall software that runs on the Microsoft Windows Server™ 2003 operating system can take advantage of the Network Load Balancing functionality built into the operating system. 
Additionally, the firewall could serve as a VPN server, again utilizing functionality in the Windows Server 2003 operating system.\r\nAvailability, resilience, and scalability\r\nBecause this firewall runs on standard personal computer hardware, it has all the availability, resilience, and scalability features of the personal computer platform on which it runs.\r\nThe disadvantages of server firewalls include:\r\nRequires high-end hardware\r\nFor high performance, most server firewall products require high-end hardware in terms of central processing unit (CPU), memory, and network interfaces.\r\nSusceptible to vulnerabilities\r\nBecause server firewall products run on well-known operating systems, they are susceptible to the vulnerabilities present in the operating system and other software running on the server. Although this is also the case for hardware firewalls, their operating systems are not usually as familiar to attackers as most server operating systems.\r\nPerimeter Firewall Usage\r\nA perimeter firewall exists to serve the requirements of users outside the boundaries of the organization. User types may include:\r\nTrusted\r\nEmployees of the organization, such as branch office workers, remote users, or users that work from home.\r\nSemi-trusted\r\nBusiness partners of the organization, for whom a higher level of trust exists than with untrusted users. However, it is often still a somewhat lower level of trust than that with the organization's employees.\r\nUntrusted\r\nFor example, users of the organization's public Web site.\r\nIt is important to consider the fact that the perimeter firewall is particularly exposed to external attack, because it must be broken for an intruder to get further into your network. It therefore becomes an obvious target.\r\nFirewalls used in a border capacity are an organization's gateway to the outside world. 
In many large organizations, the firewall class implemented here is typically a high-end hardware or server firewall, although some organizations use router firewalls. When selecting the firewall class to use as a perimeter firewall there are a number of issues that should be considered. The following table highlights these issues.\r\nTable 6. Perimeter Firewall Class Choice Issues\r\nIssue: Required firewall features, as specified by the security administrator\r\nTypical characteristics: This is a balance between the degree of security required versus the cost of the feature and the potential degradation of performance that increased security may cause. While many organizations want the maximum security for a perimeter firewall, some are not willing to take the performance hit. For example, very high-volume Web sites not involved with e-commerce may allow lower levels of security, based on higher levels of throughput obtained by using static packet filters instead of application layer filtering.\r\nIssue: Whether the device will be a dedicated physical device, provide other functionality, or be a logical firewall on a physical device\r\nTypical characteristics: As the gateway between the Internet and the enterprise's network, the perimeter firewall is often implemented as a dedicated device, in order to minimize the attack surface and the accessibility of internal networks that would result if the device were breached.\r\nIssue: Manageability requirements for the device, as specified by the organization's management architecture\r\nTypical characteristics: Some form of logging is typically used, while an event monitoring mechanism is also often required. Remote administration may not be allowed here, in order to prevent a malicious user from remotely administering the device; in that case only local administration is allowed.\r\nIssue: Throughput requirements, which will likely be determined by the network and service administrators within the organization\r\nTypical characteristics: These will vary for each environment, but the power of the hardware in the device or server and the firewall features being used will determine the overall network throughput available.\r\nIssue: Availability requirements\r\nTypical characteristics: As the gateway to the Internet in large enterprises, high levels of availability are often required, especially when a revenue-generating Web site is protected by a perimeter firewall.\r\nPerimeter Firewall Rules\r\nIn the following discussion, the term bastion host means a server located in your perimeter network that provides services to both internal and external users. Examples of bastion hosts include Web servers and VPN servers.\r\nTypically, your perimeter firewall will need the following rules implemented, either by default or by configuration:\r\nDeny all traffic unless explicitly allowed.\r\nBlock incoming packets that claim to have an internal or perimeter network source IP address.\r\nBlock outgoing packets that claim to have an external source IP address (traffic should only originate from bastion hosts).\r\nAllow UDP-based DNS queries and answers from the DNS resolver to DNS servers on the Internet.\r\nAllow UDP-based DNS queries and answers from Internet DNS servers to the DNS advertiser.\r\nAllow external UDP-based clients to query the DNS advertiser and receive an answer.\r\nAllow TCP-based DNS queries and answers from Internet DNS servers to the DNS advertiser.\r\nAllow outgoing mail from the outbound SMTP bastion host to the Internet.\r\nAllow incoming mail from the Internet to the inbound SMTP bastion host.\r\nAllow proxy-originated traffic from 
the proxy servers to reach the Internet.\r\nAllow proxy responses from the Internet to be directed to the proxy servers on the perimeter.\r\nHardware Requirements\r\nThe hardware requirements for a perimeter firewall are different for software-based and hardware-based firewalls, as summarized below:\r\nHardware-based firewalls\r\nThese devices usually run specialized code on a custom-built hardware platform. They are typically scaled (and priced) based on the number of connections they can handle and the complexity of the software that is to be run.\r\nSoftware-based firewalls\r\nThese are also sized based on the number of concurrent connections and the complexity of the firewall software. Calculators exist that can compute the processor speed, memory size, and disk space needed for a server, based on the number of connections supported. You should take into account other software that may also be running on the firewall server, such as load balancing and VPN software. Also, consider the methods for scaling the firewall both upward and outward. These methods include increasing the power of the system by adding additional processors, memory, and network cards, and also using multiple systems and load balancing to spread the firewall task across them (see the \"Scalability\" section later in this module). Some products take advantage of symmetrical multiprocessing (SMP) to boost performance. The Network Load Balancing service of Windows Server 2003 can offer fault tolerance, high availability, efficiency, and performance improvements for some software firewall products.\r\nFirewall Availability\r\nTo increase the availability of the perimeter firewall, it can be implemented as a single firewall device with redundant components or as a redundant pair of firewalls incorporating some type of failover and/or load balancing mechanism. 
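The rule list under Perimeter Firewall Rules, worked through as an added example that is not code from the original module: a small Python model of a perimeter filter that applies the two anti-spoofing checks first, then stateful matching of return traffic, then the explicit allow rules, with default deny last. The addressing (10.0.0.0/8 internal, 203.0.113.0/24 perimeter) and the bastion host addresses are constructed assumptions.

```python
"""Added example: a small stateful model of the perimeter rule set above."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (not from the original module).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]       # internal network
PERIMETER_NET = ip_network("203.0.113.0/24")     # perimeter network

# Bastion hosts inside the perimeter network (hypothetical addresses).
DNS_RESOLVER = ip_address("203.0.113.10")    # sends queries to Internet DNS servers
DNS_ADVERTISER = ip_address("203.0.113.11")  # answers queries from the Internet
SMTP_OUTBOUND = ip_address("203.0.113.20")   # outbound mail bastion host
SMTP_INBOUND = ip_address("203.0.113.21")    # inbound mail bastion host
PROXY_SERVERS = {ip_address("203.0.113.30"), ip_address("203.0.113.31")}


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the Internet, "out" = leaving towards it
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


def is_ours(addr):
    """True for any address that belongs to the internal or perimeter network."""
    return addr in PERIMETER_NET or any(addr in net for net in INTERNAL_NETS)


def rule(name, direction, proto, src=None, dst=None, sport=None, dport=None):
    """Build one allow rule. None means 'any'; src/dst may be an address or a set."""
    def host_ok(want, have):
        if want is None:
            return True
        return have in want if isinstance(want, set) else have == want

    def matches(pkt, s, d):
        return (pkt.direction == direction and pkt.proto == proto
                and host_ok(src, s) and host_ok(dst, d)
                and (sport is None or pkt.sport in sport)
                and (dport is None or pkt.dport in dport))
    return name, matches


# The explicit allow rules from the list above; everything else is denied.
ALLOW_RULES = [
    rule("dns-resolver-query", "out", "udp", src=DNS_RESOLVER, dport={53}),
    rule("dns-resolver-answer", "in", "udp", dst=DNS_RESOLVER, sport={53}),
    rule("dns-advertiser-udp", "in", "udp", dst=DNS_ADVERTISER, dport={53}),
    rule("dns-advertiser-tcp", "in", "tcp", dst=DNS_ADVERTISER, dport={53}),
    rule("smtp-outbound", "out", "tcp", src=SMTP_OUTBOUND, dport={25}),
    rule("smtp-inbound", "in", "tcp", dst=SMTP_INBOUND, dport={25}),
    rule("proxy-request", "out", "tcp", src=PROXY_SERVERS, dport={80, 443}),
    rule("proxy-response", "in", "tcp", dst=PROXY_SERVERS, sport={80, 443}),
]


class PerimeterFirewall:
    """Evaluates packets: anti-spoofing first, then established flows, then rules."""

    def __init__(self):
        self.sessions = set()  # (proto, src, dst, sport, dport) of allowed flows

    def evaluate(self, pkt):
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        # An inbound packet can never legitimately carry one of our own
        # addresses, and an outbound packet must carry one of them.
        if pkt.direction == "in" and is_ours(s):
            return "DENY", "inbound-spoofed-internal-source"
        if pkt.direction == "out" and not is_ours(s):
            return "DENY", "outbound-spoofed-external-source"
        # Stateful inspection: the return half of a flow we already allowed.
        if (pkt.proto, d, s, pkt.dport, pkt.sport) in self.sessions:
            return "ALLOW", "established"
        for name, matches in ALLOW_RULES:
            if matches(pkt, s, d):
                self.sessions.add((pkt.proto, s, d, pkt.sport, pkt.dport))
                return "ALLOW", name
        # Deny all traffic unless explicitly allowed. An internal client going
        # straight to the Internet lands here: it has to go through the proxy.
        return "DENY", "default-deny"


if __name__ == "__main__":
    fw = PerimeterFirewall()
    for pkt in [Packet("in", "tcp", "198.51.100.5", "203.0.113.21", 40000, 25),
                Packet("out", "tcp", "203.0.113.21", "198.51.100.5", 25, 40000),
                Packet("in", "udp", "10.1.2.3", "203.0.113.11", 5353, 53),
                Packet("out", "tcp", "10.1.2.3", "192.0.2.1", 50000, 443)]:
        print(pkt.direction, pkt.proto, pkt.src, "->", pkt.dst, fw.evaluate(pkt))
```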
The advantages and disadvantages of these options are presented in the following subsections.\r\nA single firewall without redundant components is depicted in Figure 2:\r\nFigure 2. Single Firewall Without Redundant Components\r\nThe use of a single firewall without redundant components offers the following advantages and disadvantages.\r\nThe advantages of a single firewall with no redundancy include:\r\nLow cost\r\nBecause there is only one firewall, the hardware and licensing costs are low.\r\nSimplified management\r\nManagement is simplified, because there is only one firewall for the site or enterprise.\r\nSingle logging source\r\nAll traffic logging is central to one device.\r\nThe disadvantages of a single firewall with no redundancy include:\r\nSingle point of failure\r\nThere is a single point of failure for inbound and/or outbound Internet access.\r\nPossible traffic bottleneck\r\nA single firewall could be a traffic bottleneck, depending on the number of connections and the throughput required.\r\nA single firewall tier with redundant components is depicted in Figure 3:\r\nFigure 3. Single Firewall with Redundant Components\r\nUse of a single firewall with redundant components offers the following advantages and disadvantages.\r\nThe advantages of a single firewall with redundant components include:\r\nLow cost\r\nBecause there is only one firewall, the hardware and licensing costs are low. 
The cost of the redundant components, such as a power supply, is not high.\r\nSimplified management\r\nManagement is simplified because there is only one firewall for the site or enterprise.\r\nSingle logging source\r\nAll traffic logging is central to one device.\r\nThe disadvantages of a single firewall with redundant components include:\r\nSingle point of failure\r\nDepending on the number of redundant components, there may still be a single point of failure for inbound and/or outbound Internet access.\r\nCost\r\nThe cost is higher than a firewall without redundancy, and may also require a higher class of firewall to be able to incorporate redundancy.\r\nPossible traffic bottleneck\r\nA single firewall could be a traffic bottleneck, depending on the number of connections and the throughput required.\r\nA fault tolerant firewall set would include a mechanism to duplicate each of the firewalls, as shown in Figure 4.\r\nFigure 4. Fault Tolerant Firewalls\r\nUse of a fault tolerant firewall set offers the following advantages and disadvantages.\r\nThe advantages of a fault tolerant firewall set include:\r\nFault tolerance\r\nUsing pairs of servers or devices can help provide the required level of fault tolerance.\r\nCentral logging\r\nAll traffic logging is central to a pair of devices with good connectivity between them.\r\nState sharing possible\r\nDepending on the device vendor, firewalls in this tier may be able to share the state of sessions between them.\r\nThe disadvantages of a fault tolerant firewall set include:\r\nIncreased complexity\r\nThe setup and support of this type of solution is more complex due to the multi-path nature of the network traffic.\r\nComplex configuration\r\nThe separate sets of firewall rules can lead to security holes and support issues if not correctly configured.\r\nIn the preceding scenarios, the firewall could be hardware- or software-based. In the previous figures, the firewall is serving as the gateway between the organization and the Internet, but the border router is placed outside the firewall. This router is extremely vulnerable to intrusion, and so it also must have certain firewall features configured. Limited firewall capabilities could be implemented without a full firewall feature set, relying on the firewall device to prevent total intrusion. Alternatively, the firewall could be consolidated within the router with no additional stand-alone firewall device.\r\nWhen implementing a fault tolerant firewall set (often referred to as a cluster), there are two primary approaches, as described in the following sections.\r\nIn an active/passive fault tolerant firewall set, one device handles all the traffic while the other device does nothing. 
There is typically a convention through which both devices communicate their availability and/or connection state to the partner node. This communication is often called a heartbeat, which each system signals to the other, several times a second, to ensure connections are being handled by the partner node. When the passive node does not receive a heartbeat from the active node within a specific user-defined interval, it assumes the active role.\r\nAn active/passive fault tolerant firewall set is depicted in Figure 5:\r\nFigure 5. Active/Passive Fault-Tolerant Firewall Set\r\nThe use of an active/passive fault tolerant firewall set has the following advantages and disadvantages.\r\nThe advantages of the active/passive fault tolerant firewall set include:\r\nSimple configuration\r\nThis configuration is simple to set up and troubleshoot, because only a single network path is active at any one time.\r\nPredictable failover load\r\nBecause the whole traffic load switches to the passive node at failover, it is easy to plan for the traffic that the passive node is expected to manage.\r\nThe disadvantages of the active/passive fault tolerant firewall set include:\r\nInefficient configuration\r\nThe active/passive fault tolerant firewall set is inefficient, because the passive node provides no useful function to the network during normal operation.\r\nIn an active/active fault tolerant firewall set, two or more nodes are actively listening to all of the requests sent to a virtual IP address that every node shares. The load is distributed between the nodes through algorithms unique to the fault tolerance mechanism in use, or through static user-based configuration, so that each node is actively filtering different traffic at the same time. 
In the event that one node fails, the surviving nodes distribute the\r\nprocessing of the load that the failed node had previously assumed.\r\nAn active/active fault tolerant firewall set is depicted in Figure 6:\r\nFigure 6. Active/Active Fault Tolerant Firewall Set\r\nUse of an active/active fault tolerant firewall set offers the following advantages and disadvantages.\r\nThe advantages of the active/active fault tolerant firewall set include:\r\nGreater efficiency\r\nBecause both firewalls are providing a service to the network, this configuration is more efficient than an\r\nactive/passive fault tolerant firewall set.\r\nHigher throughput\r\nDuring normal operation, this configuration can handle higher levels of traffic compared with the\r\nactive/passive configuration, because both firewalls can provide service to the network simultaneously.\r\nThe disadvantages of the active/active fault tolerant firewall set include:\r\nSubject to potential overload\r\nIf one node fails, the hardware resources on the remaining node(s) may be insufficient to handle the total\r\nthroughput requirement. It is important to plan for this accordingly, understanding that performance\r\ndegradation is likely to occur as the surviving nodes take on the additional workload when a node fails.\r\nIncreased complexity\r\nBecause the network traffic can pass through two routes, troubleshooting becomes more complex.\r\nSecurity of firewall products is of paramount importance. Although there are no industry standards for firewall\r\nsecurity, the vendor-independent International Computer Security Association (ICSA) runs a certification program\r\naimed at testing the security of commercially available firewall products. 
The ICSA tests a significant number of\r\nproducts available in the market today (for further information, refer to www.icsalabs.com).\r\nYou must take care to ensure that a firewall achieves the requisite security standards; one way of doing this is to\r\nachieve ICSA certification. In addition, check whether your chosen firewall has an existing track record. A number\r\nof security vulnerability databases are available on the Internet; you should scan these to see how many\r\nvulnerabilities the product has been susceptible to in the past and their significance.\r\nUnfortunately, all products (hardware- and software-based) have bugs. In addition to determining the number and\r\nseverity of bugs that have affected the product you are thinking of buying, you should also assess the\r\nresponsiveness of the vendor to the exposed vulnerabilities.\r\nThis section addresses the scalability requirement of a firewall solution. Scalability of firewalls is largely\r\ndetermined by the performance characteristics of the device, and it is wise to select a firewall that will scale to\r\nmeet the scenarios it will face in practice. There are two basic ways to achieve scalability. They are:\r\nVertical Scaling (Scaling Up)\r\nWhether the firewall is a hardware device or a software solution running on a server, varying degrees of\r\nscalability can be achieved by increasing the amount of memory, CPU processing power, and throughput of\r\nnetwork interfaces. However, each device or server has a finite cap in terms of how far it can be vertically\r\nscaled. For example, while you may purchase a server that has sockets for four CPUs and you start with\r\ntwo, you will only ever be able to add two more CPUs.\r\nHorizontal Scaling (Scaling Out)\r\nOnce a server has been vertically scaled to its limit, horizontal scaling becomes important. 
Most firewalls\r\n(hardware- and software-based) have the ability to scale out through the use of some form of load\r\nbalancing. In such a scenario, multiple servers are arranged into a cluster, which is seen by the clients on\r\nthe network as just one server. This scenario is essentially the same as the active/active cluster described in\r\nthe \"Firewall Availability\" section earlier in the module. The technology used to provide this functionality\r\nmay or may not be the same as that described earlier, and will be dependent on the vendor.\r\nScaling up hardware firewalls can be difficult. However, some hardware firewall manufacturers offer scale out\r\nsolutions because their devices can be stacked to operate as a single, load balanced unit.\r\nSome software-based firewalls are designed to scale up through the use of multiple processors. The firewall itself\r\ndoes not usually address multiprocessing, which is controlled by the underlying operating system. However, the\r\nfirewall needs to be able to address the hardware to be able to fully use this capability. This approach allows\r\nscaling on single or redundant devices, as opposed to hardware-based firewalls, which are usually set to whatever\r\nhardware limitations are built into the device at the time of manufacture. Most firewalls are classified by the\r\nnumber of concurrent connections that a device can handle. Hardware devices often need to be replaced if\r\nconnection requirements exceed what is available to the fixed-scale model of the device.\r\nAs discussed earlier, fault tolerance may be built into the operating system of a firewall server. 
In the case of a\r\nhardware firewall, fault tolerance is likely to be an extra cost.\r\nA number of technologies are available to enhance the performance of a firewall, including:\r\nGigabit Ethernet/Fiber Support\r\nProxy, Reverse Web Proxy, and Caching\r\nSSL Off-loading Interfaces\r\nIPSec Off-loading Interfaces\r\nFor software-based firewalls, each one of these technologies is commercially available from multiple vendors,\r\nwhich keeps the costs low. While there may be similar third-party solutions available for hardware devices, often\r\nthey can only be obtained from the manufacturer of the hardware firewall itself.\r\nThe following sections discuss each of these performance-enhancing technologies.\r\nMany switches, routers, and firewalls can handle Ethernet gigabit speed interfaces, and the reduction in cost of\r\nthese interfaces has increased their popularity. This capability greatly reduces the likelihood of interfaces\r\nbecoming bottlenecks in firewall deployments.\r\nTypically, the caching ability is only available on software-based firewalls, because it requires the use of a disk to\r\ncache traffic or data.\r\nSSL accelerator cards can improve the performance of publicly exposed Web sites that use SSL-based encryption\r\nby offloading the encryption processing from the CPU of the firewall. When SSL is terminated at the firewall,\r\nthese devices offer significant benefits.\r\nIPSec accelerator cards can improve the performance of publicly exposed services that use IPSec-based\r\nencryption, such as VPN. These devices offload the encryption processing from the CPU of the firewall. 
IPSec\r\noff-loading can be used for traffic that communicates between the internal interface of the firewall and a published\r\nservice, thus ensuring that the traffic traversing the perimeter network is encrypted between the perimeter network\r\nhosts.\r\nConsolidation means either incorporating the firewall service in another device, or incorporating other services in\r\nthe firewall. Consolidation benefits include:\r\nLower purchase price\r\nBy incorporating the firewall service in another service, for example in a router, you can save the cost of a\r\nhardware device, although you must still purchase the firewall software. Similarly, by incorporating other\r\nservices in the firewall, you can save the cost of additional hardware.\r\nReduced inventory and management costs\r\nBy reducing the number of hardware devices, you can reduce operating costs, since fewer hardware\r\nupgrades are required, cabling is simplified, and management is simpler.\r\nHigher performance\r\nDepending upon what consolidation is achieved, you can improve performance. For example, by\r\nincorporating Web server caching in the firewall, you may cut out additional devices, allowing the services\r\nto talk to each other at high speed rather than over an Ethernet cable.\r\nExamples of consolidation include:\r\nAdding firewall services to the border router\r\nMost routers can have a firewall service available in them. The capabilities of this firewall service may be\r\nvery simple in low-cost routers, but high-end routers will usually have a very capable firewall service. 
In\r\npractice, although you may have a separate perimeter firewall, the border router should always have its\r\nfirewall service active, to protect both the router itself and the border switches.\r\nAdding firewall services to the border switch\r\nDepending upon the border switch selected, it may be possible to add in the perimeter firewall as a blade,\r\nreducing costs, and improving performance.\r\nAdding proxy cache to the perimeter firewall\r\nProxy caching stores frequently accessed Web pages, so that the next requestor is delivered a page from the\r\ncache rather than having to re-access the Web server, which improves response times and reduces the Web\r\nserver load. Generally, this can only be incorporated in a server firewall, as it requires a local hard disk to\r\nhold the cache.\r\nWhen considering consolidating other services onto the same server or device that provides the firewall service,\r\nyou should take care to ensure that the use of a given service does not compromise the availability, security,\r\nmanageability, or performance of the firewall. Performance considerations are also important, as the load\r\ngenerated by additional services will degrade the performance of the firewall service.\r\nAn alternative approach to consolidating services onto the same device, or server hosting the firewall service, is to\r\nconsolidate a firewall hardware device as a blade in a switch. This approach usually costs less than a standalone\r\nfirewall of any type, and can take advantage of the availability features of the switch, such as dual power supplies.\r\nSuch a configuration is also easier to manage, because it is not a separate device. 
In addition, it usually runs faster,\r\nbecause it uses the switch's bus, which is much faster than external cabling.\r\nMost Internet protocols that use version 4 of the Internet Protocol (IPv4) can be protected by a firewall, including\r\nlower-level protocols such as TCP and UDP, and higher-level protocols such as HTTP, SMTP, and FTP. Any\r\nfirewall product under consideration should be reviewed to ensure that it supports the required type of traffic.\r\nSome firewalls can also interpret GRE, which is the encapsulation protocol for the point-to-point tunneling\r\nprotocol (PPTP) used in some VPN implementations.\r\nSome firewalls have built-in application layer filters for protocols such as HTTP, SSL, DNS, FTP, SOCKS v4,\r\nRPC, SMTP, H.323, and post office protocol (POP).\r\nThis module has provided a practical process for the successful selection of firewall products. This process covers\r\nall aspects of firewall design, including the various evaluation and classification processes required to reach a\r\nsolution.\r\nNo firewall is 100% safe: the only way to ensure that your network cannot be attacked electronically from the\r\noutside is to implement an air gap between it and all other systems and networks. The result would be a secure\r\nnetwork that is virtually unusable. Firewalls enable you to implement an appropriate level of security protection\r\nwhen connecting your network to an external network, or when joining two internal networks.\r\nThe firewall strategies and design processes outlined in this module should be considered only as part of an\r\noverall security strategy, because a strong firewall is of limited value if there are weaknesses in other parts of the\r\nenvironment. 
Security must be applied to every component of the network, and a security policy that addresses the\r\nrisks inherent in the environment must be defined for every component.\r\nYou can find further information about the design and deployment of firewall services at the following URLs.\r\nFor an overview of firewalls:\r\nwww.microsoft.com/technet/security/guidance/networksecurity/firewall.mspx\r\nFor detailed security information on Microsoft Windows Server 2003, refer to the \"Windows Server 2003\r\nSecurity Center\" document:\r\nhttps://www.microsoft.com/technet/security/prodtech/windowsserver2003.mspx\r\nFor information on the Microsoft Internet Security \u0026 Acceleration Server firewall and Web proxy product,\r\nrefer to:\r\nhttps://www.microsoft.com/isaserver/\r\nFor a free e-mail notification service that Microsoft uses to send information about the security of\r\nMicrosoft products to subscribers, visit the Microsoft Security Notification Service Web site:\r\nwww.microsoft.com/technet/security/bulletin/notify.mspx\r\nThe SANS (SysAdmin, Audit, Network, and Security) Institute security resources are available from:\r\nhttps://www.sans.org\r\nThe Computer Emergency Response Team (CERT) organization records and publishes security alerts and a\r\ncenter for security expertise at:\r\nhttps://www.cert.org\r\nDownload the Complete Solution\r\nWindows Server System Reference Architecture\r\nSource: https://technet.microsoft.com/en-us/library/cc700828.aspx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://technet.microsoft.com/en-us/library/cc700828.aspx"
	],
	"report_names": [
		"cc700828.aspx"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446669,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0cd605eb2f12e5fa7b3ccdc1264d837051fe827b.pdf",
		"text": "https://archive.orkl.eu/0cd605eb2f12e5fa7b3ccdc1264d837051fe827b.txt",
		"img": "https://archive.orkl.eu/0cd605eb2f12e5fa7b3ccdc1264d837051fe827b.jpg"
	}
}