CEH

(Jeff_L) #1

380 Chapter 16 ■ Evading IDSs, Firewalls, and Honeypots


■ In some cases, a firewall may also act as a form of phone tap, allowing for the identification of attempts to dial into the network.
■ A firewall uses rules that determine how traffic will be handled. Rules exist for traffic entering and exiting the network, and it is possible for traffic going one way not to be allowed to go the other.
■ For traffic that passes the firewall, the device will also act as a router, helping guide traffic flowing between networks.
■ Firewalls can filter traffic based on a multitude of criteria, including destination, origin, protocol, content, or application.
■ In the event that traffic of a malicious nature tries to pass the firewall, an alarm can be configured that will alert a system administrator or other party as needed.

In many cases, a firewall works in conjunction with a router. The motivation behind this layout is that placing a router in front of a firewall can help reduce the load placed on it, allowing it to perform more efficiently. It is also worth mentioning that an NIDS can also be installed alongside a firewall to provide additional monitoring capabilities and identify how well the firewall itself is functioning.

Firewall Configurations
Not all firewalls or firewall setups are created equal, so you need to be familiar with each setup and how it works. Firewalls can be set up and arranged in several ways, each offering its own advantages and disadvantages. In this section we’ll cover each method.

Bastion Host
A bastion host is intended to be the point through which traffic enters and exits the network. It is a computer system that hosts nothing other than what it needs to perform its defined role, which, in this case, is to protect resources from attack. This type of host has two interfaces: one connected to the public network and the other to the internal network.

Screened Subnet
This type of setup uses a single firewall with three built-in interfaces. The three interfaces are connected to the Internet, the DMZ (more on this in a moment), and the intranet. The obvious advantage of this setup is that the individual areas are separated from one another by virtue of the fact that each is connected to its own interface. This offers the advantage of preventing a compromise in one area from affecting one of the other areas.

Multihomed Firewall
A multihomed firewall refers to two or more networks. Each interface is connected to its own network segment logically and physically. A multihomed firewall is commonly used to increase efficiency and reliability of an IP network. In this case, more than three interfaces
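Added example, not from the book excerpt or the post: a small Python model of the directional, default-deny rule set a screened-subnet firewall applies across its three interfaces (Internet, DMZ, intranet), including the alarm on disallowed traffic the bullet list above mentions. The zone names, the rule tuple layout and the "alert" action are assumptions chosen for illustration, not any vendor's syntax.

```python
from dataclasses import dataclass

# The three zones of a screened subnet, one firewall interface each (assumed names).
ZONES = {"internet", "dmz", "intranet"}

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dst_port: int

# Directional rules: (src_zone, dst_zone, proto, dst_port, action).
# None is a wildcard, first match wins, and anything unmatched is denied.
# "alert" (hypothetical action) means drop the packet AND raise an alarm.
RULES = [
    ("internet", "dmz", "tcp", 80, "allow"),         # public web service
    ("internet", "dmz", "tcp", 443, "allow"),
    ("intranet", "internet", "tcp", None, "allow"),  # staff browse out
    ("intranet", "dmz", "tcp", 22, "allow"),         # admins manage DMZ hosts
    ("dmz", "intranet", None, None, "alert"),        # DMZ host trying to reach inward
    ("internet", "intranet", None, None, "alert"),   # direct Internet-to-intranet
]

def evaluate(pkt, rules=RULES):
    """Return (action, index of the matching rule, or None for default deny)."""
    if pkt.src_zone not in ZONES or pkt.dst_zone not in ZONES:
        raise ValueError(f"unknown zone in {pkt}")
    for i, (src, dst, proto, port, action) in enumerate(rules):
        if (src == pkt.src_zone and dst == pkt.dst_zone
                and proto in (None, pkt.proto) and port in (None, pkt.dst_port)):
            return action, i
    return "deny", None

def filter_traffic(packets, rules=RULES):
    """Evaluate a batch; return per-action counts and the packets that alerted."""
    counts = {"allow": 0, "deny": 0, "alert": 0}
    alerted = []
    for p in packets:
        action, _ = evaluate(p, rules)
        counts[action] += 1
        if action == "alert":
            alerted.append(p)
    return counts, alerted

if __name__ == "__main__":
    # Constructed sample traffic, not captured from any real network.
    sample = [Packet("internet", "dmz", "tcp", 443),
              Packet("dmz", "internet", "tcp", 443),   # same port, reverse direction
              Packet("dmz", "intranet", "tcp", 445)]
    print(filter_traffic(sample))
```

The second sample packet shows the asymmetry the bullet list describes: TCP/443 is allowed inbound to the DMZ but the same flow in the reverse direction hits the default deny.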