This is my second post on firewalls; I'll be using the abbreviations I described in the first post. This post briefly covers the common firewall configurations.
The following three firewall configurations are the most widely used.
Screened Host Firewall Single Homed Bastion
Whatever comes in from the internet is first checked by the packet filter, which inspects packet headers; the packet then proceeds to the AGW, where word-by-word (content) checking is performed. However, in this configuration regular packets are given an incentive: they are identified differently and are not checked thoroughly on every visit. Such frequently visiting packets are passed directly to the LAN without being checked by the AGW. This is where the configuration falls short, since it is prone to spoofing attacks. Hence, though it is faster, it cannot be used practically.
Screened Host Firewall Dual Homed Bastion
This configuration was introduced to overcome the flaw in the single-homed bastion. Here, in order to enter the LAN, every packet must undergo both the packet-filter and the AGW checks; packets are allowed into the LAN only after passing both. So there is no compromise in security, but this makes the configuration slow, which becomes the major drawback for system operations.
Screened Subnet Firewall
This configuration is a hybrid of the two configurations above. Here, two packet filters and one AGW make up the firewall design. A packet coming from the internet towards the LAN is checked by the outside filter and the AGW, while a packet going out from the LAN is checked by the inside filter and the AGW. This configuration combines the advantages of both configurations above and overcomes their drawbacks, which is why it is best suited for practical use.
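To make the difference between the three configurations concrete, here is a small Python model I am adding to this post (it is not from the original post and not any real firewall's code). It treats the packet filter as a header-only check and the AGW as a payload check, and reproduces the single-homed bastion's bypass for "regular" peers; the addresses, ports and payload strings are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source address from the header: trivially forgeable
    dst: str
    dport: int
    payload: str   # application data, visible only to the AGW


# Constructed policy data for this model (not from any real deployment).
TRUSTED_PEERS = {"198.51.100.5"}       # the "frequently visiting" hosts
ALLOWED_PORTS = {25, 80}               # SMTP and HTTP towards the LAN
BAD_WORDS = ("DROP TABLE", "/etc/passwd")


def packet_filter(pkt):
    """Header-only check: the filter never looks at the payload."""
    return pkt.dport in ALLOWED_PORTS


def application_gateway(pkt):
    """Word-by-word content check performed by the AGW."""
    return not any(word in pkt.payload for word in BAD_WORDS)


def _filter_then_agw(pkt, filter_name):
    """Common path: header check by the named filter, then the AGW content check.
    Returns (accepted, list_of_checks_applied)."""
    checks = [filter_name]
    if not packet_filter(pkt):
        return False, checks
    checks.append("agw")
    return application_gateway(pkt), checks


def single_homed_bastion(pkt):
    """Trusted peers skip the AGW once past the filter (the flaw described above)."""
    if packet_filter(pkt) and pkt.src in TRUSTED_PEERS:
        return True, ["packet_filter"]   # bypass decided on a forgeable header field
    return _filter_then_agw(pkt, "packet_filter")


def dual_homed_bastion(pkt):
    """Every packet must pass the filter and then the AGW; there is no bypass."""
    return _filter_then_agw(pkt, "packet_filter")


def screened_subnet(pkt, inbound=True):
    """Inbound: outside filter + AGW. Outbound from the LAN: inside filter + AGW."""
    return _filter_then_agw(pkt, "outside_filter" if inbound else "inside_filter")
```

Running the three functions on a packet whose source address is forged to match a trusted peer but whose payload would fail the AGW shows the single-homed bastion accepting it after only the header check, while the other two reject it.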