Question

Explain the strengths and weaknesses of each of the following firewall deployment scenarios in defending servers, desktop machines, and laptops against network threats.

a. A firewall at the network perimeter.

b. Firewalls on every end-host machine.

c. A network perimeter firewall and firewalls on every end-host machine.

Answer 1

Answer:--------------

a. A firewall at the network perimeter:----------------------
Strengths:--------------------

• Mediates all incoming traffic from external hosts and can protect against many attacks by outsiders;
• Easier to manage and to update policies, because of single central location;
• Protects against some kinds of DoS attacks launched from the outside.

Weaknesses:-------------------

• No protection against malicious insiders;
• No protection for mobile laptops while they are connected to other networks;
• No protection if laptops get infected while travelling and then spread infection when they re-connect to our internal network.

b. Firewalls on every end-host machine:-----------------------
Strengths:---------------------

• Protects against malicious insiders and infected internal machines as well as outside attackers;
• Protects laptops even while they are travelling and connected to other networks;
• May be easier to customize firewall protection on a per-machine basis.

Weaknesses:-----------------

• Potentially more difficult to manage policies, due to the number of machines whose rule-sets must be configured and updated;
• Uncooperative users may be able to modify settings or disable firewalls on their own machines, and viruses/worms may be able to do the same to machines they infect;
• Potentially less resistant to DDoS, since DoS attacks can still flood internal network links;
• Depending upon firewall configuration, may block legitimate internal traffic and/or make some internal services harder to use.

c. A network perimeter firewall and firewalls on every end-host machine:-------------------------------
Strengths:-------------------------------

• Layered defense provides redundancy in case one firewall fails;
• Can easily update policy against external attacks if a new threat develops, which gives some time to update the rule-sets on internal hosts.
• Mediates all incoming traffic from external hosts and can protect against many attacks by outsiders;
• Protects against malicious insiders and infected internal machines as well as outside attackers;
• Protects laptops even while they are travelling and connected to other networks;
• May be easier to customize firewall protection on a per-machine basis.

Weaknesses:----------------------

• Potential for over blocking of legitimate traffic, since traffic flows only if permitted by both firewalls.
• Potentially more difficult to manage policies, due to the number of machines whose rule-sets must be configured and updated;
• Depending upon firewall configuration, may block legitimate internal traffic and/or make some internal services harder to use.