Defense in Depth: Firewall Topologies

Publisher Summary

This chapter focuses on independent utilities that may be assembled to provide an in-depth defense against intrusion, extrusion, and collusion. Two major areas in this defense are the demilitarized zone (DMZ) and the virtual private network (VPN). A VPN allows organizations to leverage the backbone of the Internet to build their own secure wide area network (WAN). A remote office VPN differs from a remote user VPN in that, on each side of the connection, there is a firewall with remote office VPN capabilities, whereas a remote user VPN terminates on a client on the user's machine. An improperly configured firewall, VPN, or DMZ can gravely compromise critical and private data, can reduce usable bandwidth to next to nothing, and can literally bring an operation to its knees. Generally, the advantages of a remote user VPN over a Point-to-Point Tunneling Protocol (PPTP) VPN lie in the greater configurability and flexibility of the remote user VPN client, which lets it operate successfully in harsher, more complex network environments. A DMZ, unlike a VPN, is a separate network segment that sits, like a bastion, between the internal network and the Internet, with the firewall mediating what may cross each of its two boundaries. Many firewall remote user VPN solutions offer Remote Authentication Dial-In User Service (RADIUS) compatibility, with an administrative screen in which the RADIUS server IP address and other configuration options may be entered. In addition, many firewall products are RADIUS compatible and support key-chain hardware tokens and intrusion prevention as further security measures.
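The DMZ point above (a bastion segment between the internal network and the Internet, with the firewall deciding what crosses each boundary) is easiest to see as a rule set. The following is an added example, not code from the chapter or from any firewall product: a small Python model of a three-legged firewall's first-match policy, with a constructed weak rule set beside a hardened one and a list of the flow constraints a DMZ exists to enforce. Every zone name, address, port and rule is an assumption made for the illustration.

```python
"""Three-legged DMZ firewall policy modelled as a first-match rule list.

Added example, not code from the chapter or any firewall vendor. The
zones, addresses, ports and rule sets below are constructed for the
illustration; real firewalls differ in syntax but not in the point made:
a DMZ only isolates the internal network if the firewall refuses to let
DMZ hosts initiate connections inward, except for the narrow flows the
DMZ services genuinely need.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology: one firewall, three interfaces, three zones.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything not DMZ or internal is Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str            # zone name or "any"
    src_net: str             # CIDR or "any"
    dst_zone: str
    dst_net: str
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None matches every destination port
    action: str              # "accept" or "drop"


def _net_ok(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def rule_matches(r: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (
        r.src_zone in ("any", zone_of(src))
        and r.dst_zone in ("any", zone_of(dst))
        and _net_ok(r.src_net, src)
        and _net_ok(r.dst_net, dst)
        and r.proto in ("any", proto)
        and (r.dport is None or r.dport == dport)
    )


def evaluate(rules, src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; no match means the implicit default drop.

    This is the decision a stateful firewall takes on the first packet of a
    new connection; return traffic is assumed to ride the state table.
    """
    for r in rules:
        if rule_matches(r, src, dst, proto, dport):
            return r.action
    return "drop"


# Rule set 1 (constructed): the common shortcut of letting the whole DMZ
# reach the whole internal network "because the web tier needs the database".
WEAK = [
    Rule("internet", "any", "dmz", "192.0.2.10/32", "tcp", 443, "accept"),  # published web server
    Rule("internal", "any", "dmz", "any", "any", None, "accept"),           # staff manage DMZ hosts
    Rule("dmz", "any", "internal", "any", "any", None, "accept"),           # far too broad
    Rule("internal", "any", "internet", "any", "any", None, "accept"),      # outbound browsing
]

# Rule set 2 (constructed): same services, but the only inward flow from
# the DMZ is web server -> database host, on the database port alone.
HARDENED = [
    Rule("internet", "any", "dmz", "192.0.2.10/32", "tcp", 443, "accept"),
    Rule("internal", "any", "dmz", "any", "any", None, "accept"),
    Rule("dmz", "192.0.2.10/32", "internal", "10.1.1.5/32", "tcp", 5432, "accept"),
    Rule("internal", "any", "internet", "any", "any", None, "accept"),
]

# Flow constraints a DMZ exists to enforce: (label, src, dst, proto, dport, expected).
# Addresses are constructed; 203.0.113.7 stands in for an arbitrary Internet host.
CHECKS = [
    ("internet reaches published web port", "203.0.113.7", "192.0.2.10", "tcp", 443, "accept"),
    ("internet cannot reach unpublished DMZ port", "203.0.113.7", "192.0.2.10", "tcp", 22, "drop"),
    ("internet cannot reach internal directly", "203.0.113.7", "10.1.1.5", "tcp", 5432, "drop"),
    ("web tier reaches its database", "192.0.2.10", "10.1.1.5", "tcp", 5432, "accept"),
    ("compromised web host cannot reach file server", "192.0.2.10", "10.1.1.20", "tcp", 445, "drop"),
    ("compromised web host cannot ssh to database host", "192.0.2.10", "10.1.1.5", "tcp", 22, "drop"),
    ("internal admins reach DMZ hosts", "10.2.0.9", "192.0.2.10", "tcp", 22, "accept"),
]


def audit(rules) -> list:
    """Return the labels of constraints the rule set violates (empty = clean)."""
    return [
        label
        for label, src, dst, proto, dport, want in CHECKS
        if evaluate(rules, src, dst, proto, dport) != want
    ]


if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "violations:", audit(rules) or "none")
```

Running it prints the constraints each rule set violates. The weak set passes every functional check (the web server is reachable from the Internet, the web tier can reach its database) and still fails the two that matter, because a compromised DMZ host can initiate connections to anything inside. First-match order matters as well: in a real policy the broad DMZ-to-internal rule would also shadow any narrower rule placed after it, so a check like this belongs in the change process rather than being done by reading rules by eye.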