« Fake AV and Rogue Security Software: The Scareware Class of 2010 | Main | FCC Paper on IPv6 Transition says little about security: or is this all they can say? »

Wednesday, 05 January 2011

Choke and screen firewall: the modern day concentric castle

Security experts often use terms of warfare to describe Internet security. Some of the terms come from the castle building era. Castle design evolved over time to incorporate multiple lines of defenses to defeat attacks and resist sieges. These principles are included in Internet security under the rubric

Defenses in Depth

Castles protected people, their property and possessions against attacks from rival lords and invading armies.

Initially, castle fortifications consisted of a single line of defense.

An earthwork called a motte protected a keep. The motte surrounded the area to be defended and was frequently located on a hilltop.

Motte_castle
Photo by jayneandd
DGlosmotte

Durham County Council

The Motte

The motte is similar to the field fortifications a Roman legion built around each encampment during a campaign.

Legionnaires would dig a ditch  around their camp and pile the dirt behind the trench. This effectively doubled the height of the wall.

Mottes were in many cases much larger and wider. The ditch was also often dug deeper and wider than a Romain camp entrenchment.

Castle designers were engineers. Like modern engineers, they learned from failures as often as successes.

As siege tactics improved and the motte became too regularly breached, engineers determined that multiple lines of defense would offer more protection than any single wall, no matter how formidable that wall might be.

They added a wall within the outer wall. 

 

Concentric-castle

HistoryOnTheNet.com

Concentric_walls

Wikipedia

Concentric Castles

Concentric castles relied on the outer wall to blunt the bulk of the attack.

The inner wall was used to bolster the defenses of the outer wall and to defend against any attackers who managed to penetrate the outer wall.

Checkpoints at gateways were used at both walls to permit access to residents and visitors and deny access to intruders.

Firewall Evolution

The early evolution of firewalls tracks closely with castle defenses. Initially, a single perimeter defense, the Internet firewall, protected an enterprise’s clients and servers against network attacks. This arrangement proved effective while organizations hosted applications primarily or exclusively for users behind the Internet firewall.

As Internet presence became a business imperative, organizations had to find ways to separate applications intended for internal users from external visitors or customers. Look carefully at concentric wall design and you can see that firewalls could be similarly deployed. An outer, Internet firewall would blunt or screen attack traffic and serve as a checkpoint to allow traffic to public facing applications intended for external visitors. These applications would be situated behind the Internet firewall. An inner firewall would serve as a choke point to ensure that no traffic intended for public facing applications gained access to the organization’s internal (private) applications and hosts.

Screen_and_choke

Screen and Choke Firewall

The screen and choke firewall arrangement, like its concentric castle predecessor, proved effective. Evolving business needs (intranets, Wikis, secure application access), technology (WLANs) and attack targets (client as well as web applications and services) have forced us to think beyond the original deployment, the choke and screen firewall arrangement is remains popular. Today, web application firewalls (WAPs), firewall load balancers (FWLBs), and interdepartmental firewalls serve as the screening firewall in many screen and choke deployments.

Posted at 01:00 AM in All matters security, Firewalls, Intrusion Detection, UTM |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories