7.3 Firewall


Firewalls are used to control communication between two networks. Usually a firewall protects a network against attacks originating from networks requiring a lower degree of protection, e.g. when a sub-network requiring protection is connected to an institution-wide network or when a company network is connected to the Internet.

In this chapter, a firewall is a combination of hardware and software which acts as the sole junction between two separate TCP/IP networks, one of which requires a higher degree of protection. As a firewall of this kind is often used to protect the internal network from attacks through the Internet, it is also called an Internet firewall.

In this chapter, only the threats and safeguards specific to a firewall are described. Furthermore, the threats and safeguards specific to the IT system with which the fire wall is implemented are also to be considered. It is assumed that a firewall is implemented on a Unix system, i.e. the threats and safeguards described in Chapter 6.2 should be observed in addition to those contained below.

Threat Scenario

The following typical threats are assumed for a firewall as part of IT baseline protection:

Organisational Shortcomings:

Human Failure:

Technical Failure:

Deliberate Acts:

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4, is recommended.

A firewall protects the internal network against attacks from outside. In order to protect the internal network against attacks from inside, all necessary safeguards should also be taken even when a firewall is in place. If the internal network is a Unix or a PC network, for example, the safeguards described in Chapter 6.1 and Chapter 6.2 should also be implemented.

The firewall should be sited in a separate server room. The appropriate measures are described in Chapter 4.3.2. If no server room is available, the firewall can alternatively be set up in a server cabinet (see chapter 4.4 Protective Cabinets).

In order to successfully set up a firewall, a series of measures should be taken, including the conception, purchase and operation of a firewall. The steps and measures involved are described below:

1. Concept of the network coupling using a firewall: (c.f. S 2.70 Developing a Firewall Concept)

2. Security policy of the firewall: (c.f. S 2.71 Determining a Security Policy for a Firewall)

3. Procuring the firewall:

4. Implementation of the firewall:

5. Operating the firewall: (see S 2.78 Correct Operation of a Firewall)

6. Operation of clients connected to the firewall:

There can be various reasons for deciding against the installation of a firewall. For example, not only the purchase costs or the high administration expenditure, but also the fact that the existing remaining risks cannot be accepted. If an Internet connection is nonetheless desired, a stand-alone system can alternatively be installed (see S 5.46 Installing stand-alone systems for Internet usage).

The safeguards package for "Firewall" is presented in the following.


Hardware / Software:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update on 6 April 2000