Title: Operating firewalls outside the LAN perimeter
Authors: R. N. Smith, S. Bhattacharya
DOI: 10.1109/PCCC.1999.749478 (https://doi.org/10.1109/PCCC.1999.749478)
Venue: 1999 IEEE International Performance, Computing and Communications Conference (Cat. No.99CH36305)
Publication date: 1999-02-10
Publication type: Journal Article
Open access: no
Citations: 8
Abstract
Firewalls are well known for their task of securing the enterprise intranet from untrusted users attempting to gain access. The concept of firewalls got its start when routers began to be used to balance network load. The effort to balance network traffic load at the transport level was extended to the server operating system, where application proxy service and application-level filtering are provided. Firewalls allow selected communications data to pass from one side of the corporate network perimeter to the other side. Since the firewall is the primary entry point to a corporate LAN from the Internet, the firewall frequently comes under attack by hackers and crackers. One form of attack is "denial-of-service". "Denial-of-service" attacks are easier to detect than attacks that allow the attacker through the firewall on a valid password obtained by social engineering. Spamming the corporate email system is one form of "denial-of-service" attack, while many other forms simply flood the firewall with useless packets to prevent other authorized users from gaining access through the firewall. The paper presents a plan to place firewalls outside the corporate network boundaries, into the Internet. By having firewalls out in the Internet acting as agents for the corporations, we expect to see attackers stopped closer to their source gateway. This changes the firewall task from a defensive mode to an offensive one. By having firewalls working together to seek out and locate or block the attacker at the source gateway, we gain several benefits. The paper proposes that the gateway protocol be modified to include this filtering function.