Configuration for Transparently Redundant Firewalls
Firewalls play a critical role in modern networks, and their importance is increasing as organizations recognize the vulnerabilities of internetworking. We can no longer be satisfied merely to have accomplished communications. The ability to communicate is now a given and the challenge is to do so safely and efficiently. It's possible and practical to configure redundant firewalls to provide continued operation despite router, access network, or firewall failure, and this article illustrates one way that it can be done with no dependence on proprietary firewall or router capabilities. Impact on security is minimal because the only communication between inside and outside routers is through the firewalls, and the only information trusted is whether a particular firewall can be used to reach a particular router on the other side. The firewalls don't exchange routing information with or otherwise trust any routers, and can continue to run in a conservative, secure configuration using network address translation, arbitrary state-sensitive filters, proxies, and static routing.
Any time you have a connection between networks with differing security policies, you need to provide protection. Firewalls can provide enforcement of security policies between networks, simplifying and strengthening the access controls already in place on services and user systems. For example, a firewall may be configured to allow only web requests to get to the web server, only DNS requests to get to the domain name server, and yet let inside users access outside resources unhindered. That way, the web administrators can devote their time to strengthening the web services rather than protecting services not provided to the outside network.
There are many styles of firewall operation, from simple address and socket filters to transparent proxies, and many conflicting claims as to which is better in terms of providing higher security or superior user transparency. But from the viewpoint of the network design, all you care about is whether the path through the firewall is state-sensitive and whether the firewall appears to your routers as an end system or as another router.
The former distinction is usually referred to as static versus dynamic filtering. The latter distinction is usually ignored by security experts, as it has no impact on firewall operation or effectiveness. It does, however, have considerable impact on the design of the networks supporting the firewalls. Since there is no formal lexicon to describe the two modes, let's refer to them here as router mode and end-system mode.