.. include:: global.rst

**********************************************
Chapter 7: Firewall Deployment Considerations
**********************************************

Overview
========

This chapter focuses on the **strategic deployment of firewalls** within an enterprise network. While earlier material may explain what firewalls do, this chapter emphasizes **how and where they should be deployed** to effectively protect organizational infrastructure.

Proper firewall deployment is critical when designing secure network environments. Incorrect placement, misconfiguration, or weak access controls can create vulnerabilities that attackers may exploit.

The concepts in this chapter are especially relevant when designing secure networks such as the **Regional Insurance Group network redesign project**, where firewall placement, segmentation, and monitoring play a major role in protecting internal systems.

Key Learning Objectives
=======================

After studying this chapter, you should be able to:

* Explain different **firewall deployment strategies**
* Design networks that incorporate **DMZ architecture**
* Understand the role of **reverse proxies and bastion hosts**
* Implement **secure authentication and access control mechanisms**
* Utilize **log monitoring and analysis** to maintain network security
* Apply the **principle of least privilege** and **separation of duties**
* Evaluate firewall **fail-open vs. fail-closed behavior**

Firewall Deployment Strategies
==============================

Firewall deployment must be carefully planned to balance **security, performance, and accessibility**.

Common deployment considerations include:

DMZ (Demilitarized Zone)
------------------------

A **DMZ** is a segmented network area used to host systems that must be accessible from the internet while protecting internal networks.

Typical systems placed in a DMZ include:

* Web servers
* Mail servers
* Public DNS servers
* Reverse proxy servers

Benefits of a DMZ include:

* Isolates publicly accessible systems from internal networks
* Limits attacker movement if a public server is compromised
* Provides controlled entry points into the network

Port Forwarding
---------------

Port forwarding allows external traffic to reach specific internal services.

Example:

* External Port 443 → Internal Web Server

While useful, improper port forwarding can:

* Expose internal systems unnecessarily
* Increase attack surface
* Bypass segmentation protections

Best practices include:

* Forward only required ports
* Limit allowed source addresses when possible
* Monitor forwarded connections through logs

AAA (Authentication, Authorization, Accounting)
===============================================

AAA frameworks control **who can access resources and how those actions are tracked**.

Authentication
--------------

Verifies the identity of a user or system.

Examples:

* Passwords
* Multi-factor authentication
* Certificates

Authorization
-------------

Determines **what resources a user is allowed to access** after authentication.

Examples:

* Access to internal file servers
* Permission to manage firewall settings
* Department-based access controls

Accounting
----------

Tracks user activity for monitoring and auditing purposes.

Examples:

* Login attempts
* Configuration changes
* Network usage records

AAA systems are essential for maintaining **accountability and traceability** within enterprise networks.

Reverse Proxies and Bastion Hosts
=================================

Reverse Proxies
---------------

A **reverse proxy** sits between external users and internal servers.
It performs functions such as:

* Filtering requests
* Hiding internal IP addresses
* Load balancing
* SSL termination

Benefits include:

* Improved security
* Reduced exposure of internal systems
* Centralized traffic control

Bastion Hosts
-------------

A **bastion host** is a hardened system placed on the network edge that is designed to withstand attacks.

Characteristics include:

* Minimal installed services
* Strong security configuration
* Frequent patching and monitoring

Bastion hosts are commonly used to:

* Provide secure remote access
* Act as gateways into sensitive network segments

Log Management and Monitoring
==============================

Firewalls generate logs that record network activity. These logs provide valuable information such as:

* Connection attempts
* Blocked traffic
* Authentication failures
* System alerts

Effective log management includes:

* Centralized log storage
* Real-time monitoring
* Automated alerts for suspicious activity

In environments with **remote workers**, monitoring becomes especially important because:

* Users connect from unmanaged networks
* Attack attempts may originate from external locations
* VPN and authentication systems must be carefully tracked

Security Principles for Network Design
======================================

Principle of Least Privilege
----------------------------

The **principle of least privilege** states that users and systems should only have the **minimum level of access necessary** to perform their tasks.

Benefits include:

* Reduces accidental misuse
* Limits damage if credentials are compromised
* Improves overall system security

Example:

* Accounting systems should only be accessible to accounting staff.
* Sales systems should not have access to financial databases.

Separation of Duties
--------------------

**Separation of duties** divides responsibilities among multiple individuals to prevent abuse or fraud.

Examples include:

* One administrator manages firewall configuration.
* Another administrator reviews firewall logs.
* System access approvals require managerial authorization.

This practice reduces the likelihood of **insider threats and configuration errors**.

Fail-Open vs Fail-Closed Behavior
=================================

Firewalls must define how they behave during a failure.

Fail-Open
---------

If a firewall **fails open**, traffic continues to flow even when the firewall stops functioning.

Advantages:

* Maintains network availability

Disadvantages:

* Security protections may be bypassed

Fail-Closed
-----------

If a firewall **fails closed**, traffic is blocked when the firewall fails.

Advantages:

* Maintains security protections

Disadvantages:

* Network services may become unavailable

Organizations must carefully choose the appropriate behavior depending on their **security priorities and operational requirements**.

Application to Network Security Design
======================================

Understanding firewall deployment strategies allows security professionals to move beyond basic configuration and begin thinking like **security architects**.

These concepts are directly applicable when designing secure enterprise networks, including:

* Creating **segmented network architectures**
* Protecting internal resources from internet exposure
* Managing access between departments
* Monitoring network activity for threats
* Designing systems that remain secure during failures

When designing networks such as the **Regional Insurance Group infrastructure**, firewall deployment decisions significantly affect both **security and operational reliability**.

Summary
=======

Effective firewall deployment requires more than installing a device at the network edge.
Security architects must carefully consider:

* Network segmentation
* Controlled access points
* Authentication and monitoring
* Role-based access control
* System resilience during failures

By applying these principles, organizations can design networks that are both **secure and functional**, supporting business operations while minimizing risk.
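
The port-forwarding best practices and the DMZ isolation goal covered in this chapter can be checked mechanically against a rule set. The following Python audit is an added example, not part of the original chapter; the zone subnets, the set of public ports, and the forwarding rules are constructed assumptions.

```python
import ipaddress

# Constructed zone plan and policy (assumptions for this example).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.10.0.0/16"),
}
PUBLIC_PORTS = {443, 25, 53}  # web, mail, DNS: services meant for any source

OPEN_SOURCE = "non-public port forwarded from any source address"
BYPASS = "target is outside the DMZ, so the forward bypasses segmentation"

# Constructed rules: (external port, allowed source CIDR, target IP, target port)
RULES = [
    (443, "0.0.0.0/0", "192.0.2.10", 443),     # public web server in the DMZ
    (3389, "0.0.0.0/0", "10.10.5.20", 3389),   # remote desktop to an internal host
    (22, "198.51.100.0/24", "192.0.2.5", 22),  # admin access to a bastion host
    (25, "0.0.0.0/0", "10.10.1.8", 25),        # mail delivered to an internal host
]


def zone_of(addr):
    """Return the name of the zone containing addr, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def audit_rule(rule):
    """List the best-practice violations for one forwarding rule."""
    ext_port, source, target, _target_port = rule
    findings = []
    any_source = ipaddress.ip_network(source).prefixlen == 0
    if ext_port not in PUBLIC_PORTS and any_source:
        findings.append(OPEN_SOURCE)
    if zone_of(target) != "dmz":
        findings.append(BYPASS)
    return findings


def audit(rules):
    """Map external port -> findings, for rules with at least one finding."""
    results = {rule[0]: audit_rule(rule) for rule in rules}
    return {port: found for port, found in results.items() if found}


if __name__ == "__main__":
    for port, found in audit(RULES).items():
        print(port, found)
```

Only the rules for ports 3389 and 25 are reported: the first is an administrative port open to every source and both point at internal hosts rather than DMZ systems.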