Chapter 8: Firewall LANCOM Reference Manual LCOS 3.50
135
Firewall
This contradiction shows the dilemma of the responsible administrators who
have developed subsequently different strategies to solve this problem.
Allow All
The Allow All strategy favours unhindered communication of the employees
compared over security. Any communication is allowed at first, the LAN is still
open for attackers. The LAN becomes gradually more secured by configuration
of the a dminis trator, b y setti ngs of more and more ne w rule s, whic h restr ict or
prevent parts of communication.
Deny All
The Deny All strategy proceeds at first according to the method “Block all!”.
The Firewall blocks completely the communication between the protected
network and the rest of the world. In a second step, the administrator opens
address ranges or ports, which are necessary e.g. for daily communication
with the Internet.
This approach ensures superior security for the LAN security compared to the
Allow All strategy, but may lead especially in its initial stages to difficulties for
the users. After activation of the Deny All strategy, some things just may
behave differently than before, some stations may not reached any more etc.
Firewall with DMZ
The demilitarized zone (DMZ) is a special range of the local network, which is
shielded by a Firewall both against the Internet and against the normal LAN.
All stations or servers that should be accessible from the unsecured network
(Internet) should be placed into this network. These include for example own
FTP and web servers.
The Firewall protects at first the DMZ against attacks from the Internet. Addi-
tionally, the Firewall protects also the LAN against the DMZ. To do so, the Fire-
wall is configured in this way that only the following accesses are possible:
Stations from the Internet can access to the servers in the DMZ, but no
access from the Internet to the LAN is possible.
The stations of the LAN can access the Internet, as well as servers in the
DMZ.
Servers of the DMZ have no access to the stations of the LAN. That guar-
antees that no “cracked” server of the DMZ becomes a security risk for the
LAN.