http://oreilly.com/catalog/fire/chapter/ch04.html

Building Internet Firewalls
By D. Brent Chapman & Elizabeth D. Zwicky
1st Edition September 1995
1-56592-124-0, Order Number: 1240
544 pages, $34.95

Chapter 4. Firewall Design

Contents:
Some Firewall Definitions
Firewall Architectures
Variations on Firewall Architectures
Internal Firewalls
What the Future Holds

In Chapter 1, Why Internet Firewalls?, we introduced Internet firewalls and summarized what they can and cannot do to improve network security. In this chapter, we present the major firewall concepts. What are the terms you will hear in discussions of Internet firewalls? What types of firewall architectures are used at sites today? What components can be put together to build these common firewall architectures? In the remaining chapters of this book, we describe these components and architectures in detail.

4.1 Some Firewall Definitions

You may be familiar with some of the firewall terms listed below, and some may be new to you. Some may seem familiar but are used here in a way that is slightly different from what you're accustomed to (though we try to use terms that are as standard as possible). Unfortunately, there is no completely consistent terminology for firewall architectures and components. Different people use terms in different - or, worse still, conflicting - ways. Also, these same terms sometimes have other meanings in other networking fields; the definitions below are for a firewalls context.

These are very basic definitions; we describe these terms in greater detail elsewhere.

Firewall

1 of 33

5/27/14 9:00 PM

Google Ex. 1212, pg. 1

Building Internet Firewalls: [Chapter 4] Firewall Design

A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.

Host
A computer system attached to a network.

Bastion host
A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks. It gets its name from the highly fortified projections on the outer walls of medieval castles.[1]

[1] Marcus Ranum, who is generally held responsible for the popularity of this term in the firewalls professional community, says, "Bastions...overlook critical areas of defense, usually having stronger walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers."

Dual-homed host
A general-purpose computer system that has at least two network interfaces (or homes).

Packet
The fundamental unit of communication on the Internet.

Packet filtering
The action a device takes to selectively control the flow of data to and from a network. Packet filters allow or block packets, usually while routing them from one network to another (most often from the Internet to an internal network, and vice versa). To accomplish packet filtering, you set up a set of rules that specify what types of packets (e.g., those to or from a particular IP address or port) are to be allowed and what types are to be blocked. Packet filtering may occur in a router, in a bridge, or on an individual host. It is sometimes known as screening.[2]

[2] Some networking literature (in particular, the BSD UNIX release from Berkeley) uses the term "packet filtering" to refer to something else entirely (selecting certain packets off a network for analysis, as is done by the etherfind or tcpdump programs).

Perimeter network
A network added between a protected network and an external network, in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ, which stands for De-Militarized Zone (named after the zone separating North and South Korea).

Proxy server
A program that deals with external servers on behalf of internal clients. Proxy clients talk to proxy servers, which relay approved client requests on to real servers, and relay answers back to clients.

The next few sections briefly describe packet filtering and proxy services, two major approaches used to build firewalls today.
4.1.1 Packet Filtering

Packet filtering systems route packets between internal and external hosts, but they do it selectively. They allow or block certain types of packets in a way that reflects a site's own security policy, as shown in Figure 4.1. The type of router used in a packet filtering firewall is known as a screening router.

Figure 4.1: Using a screening router to do packet filtering

As we discuss in Chapter 6, Packet Filtering, every packet has a set of headers containing certain information. The main information is:
IP source address
IP destination address
Protocol (whether the packet is a TCP, UDP, or ICMP packet)
TCP or UDP source port
TCP or UDP destination port
ICMP message type

In addition, the router knows things about the packet that aren't reflected in the packet headers, such as:
The interface the packet arrives on
The interface the packet will go out on

The fact that servers for particular Internet services reside at certain port numbers lets the router block or allow certain types of connections simply by specifying the appropriate port number (e.g., TCP port 23 for Telnet connections) in the set of rules specified for packet filtering. (Chapter 6 describes in detail how you construct these rules.)

Here are some examples of ways in which you might program a screening router to selectively route packets to or from your site:
Block all incoming connections from systems outside the internal network, except for incoming SMTP connections (so that you can receive email).
Block all connections to or from certain systems you distrust.
Allow email and FTP services, but block dangerous services like TFTP, the X Window System, RPC, and the "r" services (rlogin, rsh, rcp, etc.).
To understand how packet filtering works, let's look at the difference between an ordinary router and a screening router.

An ordinary router simply looks at the destination address of each packet and picks the best way it knows to send that packet towards that destination. The decision about how to handle the packet is based solely on its destination. There are two possibilities: the router knows how to send the packet towards its destination, and it does so; or the router does not know how to send the packet towards its destination, and it returns the packet, via an ICMP "destination unreachable" message, to its source.

A screening router, on the other hand, looks at packets more closely. In addition to determining whether or not it can route a packet towards its destination, a screening router also determines whether or not it should. "Should" or "should not" are determined by the site's security policy, which the screening router has been configured to enforce.

Although it is possible for a screening router alone to sit between an internal network and the Internet, as shown in Figure 4.1, this places an enormous responsibility on the screening router. Not only does it need to perform all routing and routing decision-making, but it is the only protecting system; if its security fails (or crumbles under attack), the internal network is exposed. Furthermore, a straightforward screening router can't modify services. A screening router can permit or deny a service, but it can't protect individual operations within a service. If a desirable service has insecure operations, or if the service is normally provided with an insecure server, packet filtering alone can't protect it.

A number of other architectures have evolved to provide additional security in packet filtering firewall implementations. Later in this chapter, we show the way that additional routers, bastion hosts, and perimeter networks may be added to the firewall implementations in the screened host and screened subnet architectures.
4.1.2 Proxy Services

Proxy services are specialized application or server programs that run on a firewall host: either a dual-homed host with an interface on the internal network and one on the external network, or some other bastion host that has access to the Internet and is accessible from the internal machines. These programs take users' requests for Internet services (such as FTP and Telnet) and forward them, as appropriate according to the site's security policy, to the actual services. The proxies provide replacement connections and act as gateways to the services. For this reason, proxies are sometimes known as application-level gateways.[3]

[3] Firewall terminologies differ. Whereas we use the term proxy service to encompass the entire proxy approach, other authors refer to application-level gateways and circuit-level gateways. Although there are small differences between the meanings of these various terms, which we'll explore in Chapter 7, Proxy Systems, in general our discussion of proxies refers to the same type of technology other authors mean when they refer to these gateway systems.

Proxy services sit, more or less transparently, between a user on the inside (on the internal network) and a service on the outside (on the Internet). Instead of talking to each other directly, each talks to a proxy. Proxies handle all the communication between users and Internet services behind the scenes.

Transparency is the major benefit of proxy services. It's essentially smoke and mirrors. To the user, a proxy server presents the illusion that the user is dealing directly with the real server. To the real server, the proxy server presents the illusion that the real server is dealing directly with a user on the proxy host (as opposed to the user's real host).

NOTE: Proxy services are effective only when they're used in conjunction with a mechanism that restricts direct communications between the internal and external hosts. Dual-homed hosts and packet filtering are two such mechanisms. If internal hosts are able to communicate directly with external hosts, there's no need for users to use proxy services, and so (in general) they won't. Such a bypass probably isn't in accordance with your security policy.

How do proxy services work? Let's look at the simplest case, where we add proxy services to a dual-homed host. (We'll describe these hosts in some detail in "Dual-Homed Host Architectures" later in this chapter.)

As Figure 4.2 shows, a proxy service requires two components: a proxy server and a proxy client. In this situation, the proxy server runs on the dual-homed host. A proxy client is a special version of a normal client program (e.g., a Telnet or FTP client) that talks to the proxy server rather than to the "real" server out on the Internet; in addition, if users are taught special procedures to follow, normal client programs can often be used as proxy clients. The proxy server evaluates requests from the proxy client, and decides which to approve and which to deny. If a request is approved, the proxy server contacts the real server on behalf of the client (thus the term "proxy"), and proceeds to relay requests from the proxy client to the real server, and responses from the real server to the proxy client.

Figure 4.2: Using proxy services with a dual-homed host

In some proxy systems, instead of installing custom client proxy software, you'll use standard software, but set up custom user procedures for using it. (We'll describe how this works in Chapter 7.)

A proxy service is a software solution, not a firewall architecture per se. You can use proxy services in conjunction with any of the firewall architectures described in the section called "Firewall Architectures" below.
The proxy server doesn't always just forward users' requests on to the real Internet services. The proxy server can control what users do, because it can make decisions about the requests it processes. Depending on your site's security policy, requests might be allowed or refused. For example, the FTP proxy might refuse to let users export files, or it might allow users to import files only from certain sites. More sophisticated proxy services might allow different capabilities to different hosts, rather than enforcing the same restrictions on all hosts.

There is some excellent software available for proxying. SOCKS is a proxy construction toolkit, designed to make it easy to convert existing client/server applications into proxy versions of those same applications. The Trusted Information Systems Internet Firewall Toolkit (TIS FWTK) includes proxy servers for a number of common Internet protocols, including Telnet, FTP, HTTP, rlogin, X11, and others; these proxy servers are designed to be used in conjunction with custom user procedures. See the discussion of these packages in Chapter 7.

Many standard client and server programs, both commercial and freely available, now come equipped with their own proxying capabilities, or with support for generic proxy systems like SOCKS. These capabilities can be enabled at run time or compile time.

4.1.3 Using a Combination of Techniques and Technologies

The "right solution" to building a firewall is seldom a single technique; it's usually a carefully crafted combination of techniques to solve different problems. Which problems you need to solve depends on what services you want to provide your users and what level of risk you're willing to accept. Which techniques you use to solve those problems depends on how much time, money, and expertise you have available.

Some protocols (e.g., Telnet and SMTP) can be more effectively handled with packet filtering. Others (e.g., FTP, Archie, Gopher, and WWW) are more effectively handled with proxies. (Chapter 8, Configuring Internet Services, describes how to handle specific services in a firewall environment.) Most firewalls use a combination of proxying and packet filtering.
4.2 Firewall Architectures

This section describes a variety of ways to put various firewall components together.

4.2.1 Dual-Homed Host Architecture

A dual-homed host architecture is built around the dual-homed host computer, a computer which has at least two network interfaces. Such a host could act as a router between the networks these interfaces are attached to; it is capable of routing IP packets from one network to another. However, to implement a dual-homed host firewall architecture, you disable this routing function. Thus, IP packets from one network (e.g., the Internet) are not directly routed to the other network (e.g., the internal, protected network). Systems inside the firewall can communicate with the dual-homed host, and systems outside the firewall (on the Internet) can communicate with the dual-homed host, but these systems can't communicate directly with each other. IP traffic between them is completely blocked.

The network architecture for a dual-homed host firewall is pretty simple: the dual-homed host sits between, and is connected to, the Internet and the internal network. Figure 4.3 shows this architecture.

Figure 4.3: Dual-homed host architecture

Dual-homed hosts can provide a very high level of control. If you aren't allowing packets to go between external and internal networks at all, you can be sure that any packet on the internal network that has an external source is evidence of some kind of security problem. In some cases, a dual-homed host will allow you to reject connections that claim to be for a particular service but that don't actually contain the right kind of data. (A packet filtering system, on the other hand, has difficulty with this level of control.) However, it takes considerable work to consistently take advantage of the potential advantages of dual-homed hosts.

A dual-homed host can only provide services by proxying them, or by having users log into the dual-homed host directly. As we discuss in Chapter 5, Bastion Hosts, user accounts present significant security problems by themselves. They present special problems on dual-homed hosts, where they may unexpectedly enable services you consider insecure. Furthermore, most users find it inconvenient to use a dual-homed host by logging into it.

Proxying is much less problematic, but may not be available for all services you're interested in. Chapter 7 discusses some workarounds for this situation, but they do not apply in every case. The screened subnet architecture we describe in the next section offers some extra options for providing new and/or untrusted services (e.g., you can add to the screened subnet a worthless machine that provides only an untrusted service).
4.2.2 Screened Host Architecture

Whereas a dual-homed host architecture provides services from a host that's attached to multiple networks (but has routing turned off), a screened host architecture provides services from a host that's attached to only the internal network, using a separate router. In this architecture, the primary security is provided by packet filtering. (For example, packet filtering is what prevents people from going around proxy servers to make direct connections.)

Figure 4.4 shows a simple version of a screened host architecture.

Figure 4.4: Screened host architecture

The bastion host sits on the internal network. The packet filtering on the screening router is set up in such a way that the bastion host is the only system on the internal network that hosts on the Internet can open connections to (for example, to deliver incoming email). Even then, only certain types of connections are allowed. Any external system trying to access internal systems or services will have to connect to this host. The bastion host thus needs to maintain a high level of host security.

The packet filtering also permits the bastion host to open allowable connections (what is "allowable" will be determined by your site's particular security policy) to the outside world. The section about bastion hosts in the discussion of the screened subnet architecture later in this chapter contains more information about the functions of bastion hosts, and Chapter 5 describes in detail how to build one.

The packet filtering configuration in the screening router may do one of the following:
Allow other internal hosts to open connections to hosts on the Internet for certain services (allowing those services via packet filtering, as discussed in Chapter 6).
Disallow all connections from internal hosts (forcing those hosts to use proxy services via the bastion host, as discussed in Chapter 7).

You can mix and match these approaches for different services; some may be allowed directly via packet filtering, while others may be allowed only indirectly via proxy. It all depends on the particular policy your site is trying to enforce.

Because this architecture allows packets to move from the Internet to the internal networks, it may seem more risky than a dual-homed host architecture, which is designed so that no external packet can reach the internal network. In practice, however, the dual-homed host architecture is also prone to failures that let packets actually cross from the external network to the internal network. (Because this type of failure is completely unexpected, there are unlikely to be protections against attacks of this kind.) Furthermore, it's easier to defend a router, which provides a very limited set of services, than it is to defend a host. For most purposes, the screened host architecture provides both better security and better usability than the dual-homed host architecture.

Compared to other architectures, however, such as the screened subnet architecture discussed in the following section, there are some disadvantages to the screened host architecture. The major one is that if an attacker manages to break into the bastion host, there is nothing left in the way of network security between the bastion host and the rest of the internal hosts. The router also presents a single point of failure; if the router is compromised, the entire network is available to an attacker. For this reason, the screened subnet architecture has become increasingly popular.
4.2.3 Screened Subnet Architecture

The screened subnet architecture adds an extra layer of security to the screened host architecture by adding a perimeter network that further isolates the internal network from the Internet.

Why do this? By their nature, bastion hosts are the most vulnerable machines on your network. Despite your best efforts to protect them, they are the machines most likely to be attacked, because they're the machines that can be attacked. If, as in a screened host architecture, your internal network is wide open to attack from your bastion host, then your bastion host is a very tempting target. There are no other defenses between it and your other internal machines (besides whatever host security they may have, which is usually very little). If someone successfully breaks into the bastion host in a screened host architecture, he's hit the jackpot.

By isolating the bastion host on a perimeter network, you can reduce the impact of a break-in on the bastion host. It is no longer an instantaneous jackpot; it gives an intruder some access, but not all.

With the simplest type of screened subnet architecture, there are two screening routers, each connected to the perimeter net. One sits between the perimeter net and the internal network, and the other sits between the perimeter net and the external network (usually the Internet). To break into the internal network with this type of architecture, an attacker would have to get past both routers. Even if the attacker somehow broke into the bastion host, he'd still have to get past the interior router. There is no single vulnerable point that will compromise the internal network.

Some sites go so far as to create a layered series of perimeter nets between the outside world and their interior network. Less trusted and more vulnerable services are placed on the outer perimeter nets, farthest from the interior network. The idea is that an attacker who breaks into a machine on an outer perimeter net will have a harder time successfully attacking internal machines because of the additional layers of security between the outer perimeter and the internal network. This is only true if there is actually some meaning to the different layers, however; if the filtering systems between each layer allow the same things between all layers, the additional layers don't provide any additional security.

Figure 4.5 shows a possible firewall configuration that uses the screened subnet architecture. The next few sections describe the components in this type of architecture.

Figure 4.5: Screened subnet architecture (using two routers)
4.2.3.1 Perimeter network

The perimeter network is another layer of security, an additional network between the external network and your protected internal network. If an attacker successfully breaks into the outer reaches of your firewall, the perimeter net offers an additional layer of protection between that attacker and your internal systems.

Here's an example of why a perimeter network can be helpful. In many network setups, it's possible for any machine on a given network to see the traffic for every machine on that network. This is true for most Ethernet-based networks (and Ethernet is by far the most common local area networking technology in use today); it is also true for several other popular technologies, such as token ring and FDDI. Snoopers may succeed in picking up passwords by watching for those used during Telnet, FTP, and rlogin sessions. Even if passwords aren't compromised, snoopers can still peek at the contents of sensitive files people may be accessing, interesting email they may be reading, and so on; the snooper can essentially "watch over the shoulder" of anyone using the network.

With a perimeter network, if someone breaks into a bastion host on the perimeter net, he'll be able to snoop only on traffic on that net. All the traffic on the perimeter net should be either to or from the bastion host, or to or from the Internet. Because no strictly internal traffic (that is, traffic between two internal hosts, which is presumably sensitive or proprietary) passes over the perimeter net, internal traffic will be safe from prying eyes if the bastion host is compromised.

Obviously, traffic to and from the bastion host, or the external world, will still be visible. Part of the work in designing a firewall is ensuring that this traffic is not itself confidential enough that reading it will compromise your site as a whole. (This is discussed in Chapter 5.)
4.2.3.2 Bastion host

With the screened subnet architecture, you attach a bastion host (or hosts) to the perimeter net; this host is the main point of contact for incoming connections from the outside world; for example:
For incoming email (SMTP) sessions to deliver electronic mail to the site
For incoming FTP connections to the site's anonymous FTP server
For incoming domain name service (DNS) queries about the site
and so on.

Outbound services (from internal clients to servers on the Internet) are handled in either of these ways:
Set up packet filtering on both the exterior and interior routers to allow internal clients to access external servers directly.
Set up proxy servers to run on the bastion host (if your firewall uses proxy software) to allow internal clients to access external servers indirectly. You would also set up packet filtering to allow the internal clients to talk to the proxy servers on the bastion host and vice versa, but to prohibit direct communications between internal clients and the outside world.

In either case, the packet filtering allows the bastion host to connect to, and accept connections from, hosts on the Internet; which hosts, and for what services, are dictated by the site's security policy.

Much of what the bastion host does is act as a proxy server for various services, either by running specialized proxy server software for particular protocols (such as HTTP or FTP), or by running standard servers for self-proxying protocols (such as SMTP).

Chapter 5 describes how to secure the bastion host, and Chapter 8 describes how to configure individual services to work with the firewall.
4.2.3.3 Interior router

The interior router (sometimes called the choke router in firewalls literature) protects the internal network both from the Internet and from the perimeter net.

The interior router does most of the packet filtering for your firewall. It allows selected services outbound from the internal net to the Internet. These services are the services your site can safely support and safely provide using packet filtering rather than proxies. (Your site needs to establish its own definition of what "safe" means. You'll have to consider your own needs, capabilities, and constraints; there is no one answer for all sites.) The services you allow might include outgoing Telnet, FTP, WAIS, Archie, Gopher, and others, as appropriate for your own needs and concerns. (For detailed information on how you can use packet filtering to control these services, see Chapter 6.)

The services the interior router allows between your bastion host (on the perimeter net itself) and your internal net are not necessarily the same services the interior router allows between the Internet and your internal net. The reason for limiting the services between the bastion host and the internal network is to reduce the number of machines (and the number of services on those machines) that can be attacked from the bastion host, should it be compromised.

You should limit the services allowed between the bastion host and the internal net to just those that are actually needed, such as SMTP (so the bastion host can forward incoming email), DNS (so the bastion host can answer questions from internal machines, or ask them, depending on your configuration), and so on. You should further limit services, to the extent possible, by allowing them only to or from particular internal hosts; for example, SMTP might be limited only to connections between the bastion host and your internal mail server or servers. Pay careful attention to the security of those remaining internal hosts and services that can be contacted by the bastion host, because those hosts and services will be what an attacker goes after - indeed, will be all the attacker can go after - if the attacker manages to break into your bastion host.
4.2.3.4 Exterior router

In theory, the exterior router (sometimes called the access router in firewalls literature) protects both the perimeter net and the internal net from the Internet. In practice, exterior routers tend to allow almost anything outbound from the perimeter net, and they generally do very little packet filtering. The packet filtering rules to protect internal machines would need to be essentially the same on both the interior router and the exterior router; if there's an error in the rules that allows access to an attacker, the error will probably be present on both routers.

Frequently, the exterior router is provided by an external group (for example, your Internet provider), and your access to it may be limited. An external group that's maintaining a router will probably be willing to put in a few general packet filtering rules, but won't want to maintain a complicated or frequently changing rule set. You also may not trust them as much as you trust your own routers. If the router breaks and they install a new one, are they going to remember to reinstall the filters? Are they even going to bother to mention that they replaced the router so that you know to check?

The only packet filtering rules that are really special on the exterior router are those that protect the machines on the perimeter net (that is, the bastion hosts and the interior router). Generally, however, not much protection is necessary, because the hosts on the perimeter net are protected primarily through host security (although redundancy never hurts).

The rest of the rules that you could put on the exterior router are duplicates of the rules on the interior router. These are the rules that prevent insecure traffic from going between internal hosts and the Internet. To support proxy services, where the interior router will let the internal hosts send some protocols as long as they are talking to the bastion host, the exterior router could let those protocols through as long as they are coming from the bastion host. These rules are desirable for an extra level of security, but they're theoretically blocking only packets that can't exist because they've already been blocked by the interior router. If they do exist, either the interior router has failed, or somebody has connected an unexpected host to the perimeter network.
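As an added example (not code from the book), the following Python model puts the screening-router rule evaluation described in Section 4.1.1 together with the interior/exterior router division just described: each router is a first-match, default-deny rule list keyed on source, destination, protocol, destination port and arrival interface, and a packet is allowed only if every router on its path allows it. The address ranges, the proxy ports, and the rule sets themselves are constructed assumptions that encode the policy in the text (internal hosts reach only the bastion's proxies, the bastion reaches only the internal mail server, the exterior router duplicates the interior router's outbound rule); only the packet that opens a connection is modelled, not the return traffic.

```python
"""Screened subnet packet filtering, modelled as two screening routers.

Constructed example: the networks, proxy ports and rule sets below are
assumptions encoding the policy described in the text, not configuration
taken from the book. Only connection-opening packets are modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL = ip_network("10.1.0.0/16")      # constructed internal net
PERIMETER = ip_network("192.0.2.0/24")    # constructed perimeter net (TEST-NET-1)
BASTION = ip_network("192.0.2.10/32")     # the bastion host, on the perimeter net
MAIL_SERVER = ip_network("10.1.0.25/32")  # the only internal host the bastion may reach
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # TCP/UDP destination port

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "block"
    iface: str = "*"              # interface the packet arrives on, "*" = any
    src: object = ANY             # ip_network the source must fall in
    dst: object = ANY
    proto: str = "*"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet, iface: str) -> bool:
        return (self.iface in ("*", iface)
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and self.proto in ("*", pkt.proto)
                and self.dport in (None, pkt.dport))

def screen(rules: List[Rule], pkt: Packet, iface: str) -> str:
    """One screening router: the first matching rule wins, default deny."""
    for rule in rules:
        if rule.matches(pkt, iface):
            return rule.action
    return "block"

# Interior (choke) router: "int" faces the internal net, "perim" the perimeter.
INTERIOR = [
    Rule("block", iface="perim", src=INTERNAL),   # an internal source can't arrive from outside
    Rule("allow", iface="perim", src=BASTION, dst=MAIL_SERVER, proto="tcp", dport=25),
    Rule("allow", iface="int", src=INTERNAL, dst=BASTION, proto="tcp", dport=21),    # FTP, via proxy
    Rule("allow", iface="int", src=INTERNAL, dst=BASTION, proto="tcp", dport=1080),  # SOCKS proxy
    Rule("allow", iface="int", src=INTERNAL, proto="tcp", dport=23),                 # Telnet, filtered
]

# Exterior (access) router: "ext" faces the Internet, "perim" the perimeter.
EXTERIOR = [
    Rule("block", iface="ext", src=INTERNAL),     # spoofed internal source
    Rule("block", iface="ext", src=PERIMETER),    # spoofed perimeter source
    Rule("allow", iface="ext", dst=BASTION, proto="tcp", dport=25),  # incoming mail, bastion only
    Rule("allow", iface="perim", src=BASTION),    # the bastion may open anything outbound
    Rule("allow", iface="perim", src=INTERNAL, proto="tcp", dport=23),  # duplicate of interior rule
]

def hops(entry: str, dst: str) -> List[Tuple[List[Rule], str]]:
    """Routers a packet crosses, given where it physically enters: "int", "perim" or "ext"."""
    d = ip_address(dst)
    if entry == "int":
        path = [(INTERIOR, "int")]
        if d not in PERIMETER:
            path.append((EXTERIOR, "perim"))
    elif entry == "perim":
        path = [(INTERIOR, "perim")] if d in INTERNAL else [(EXTERIOR, "perim")]
    else:
        path = [(EXTERIOR, "ext")]
        if d in INTERNAL:
            path.append((INTERIOR, "perim"))
    return path

def decide(entry: str, pkt: Packet) -> str:
    """Firewall verdict: every router on the path must allow the packet."""
    for rules, iface in hops(entry, pkt.dst):
        if screen(rules, pkt, iface) == "block":
            return "block"
    return "allow"

if __name__ == "__main__":
    cases = [
        ("ext", Packet("203.0.113.5", "192.0.2.10", "tcp", 25)),  # Internet -> bastion SMTP: allow
        ("ext", Packet("203.0.113.5", "10.1.0.25", "tcp", 25)),   # Internet -> mail server: block
        ("int", Packet("10.1.0.7", "203.0.113.5", "tcp", 21)),    # direct FTP out: block, use the proxy
        ("perim", Packet("192.0.2.10", "10.1.0.7", "tcp", 23)),   # compromised bastion -> internal: block
        ("ext", Packet("10.1.0.7", "10.1.0.9", "tcp", 23)),       # spoofed internal source: block
    ]
    for entry, pkt in cases:
        print(f"{entry:5} {pkt.src:>12} -> {pkt.dst}:{pkt.dport} {decide(entry, pkt)}")
```

The last rule set also shows the point made above about duplicated rules: a packet with an internal source entering at the perimeter interface (interior router failed, or a rogue host on the perimeter net) is still held to the same outbound policy by the exterior router.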
So, what