The dual-homed gateway (fig. 
) is a better
alternative to packet filtering router firewalls.
It consists of a host system with two network interfaces, and with the
host's IP forwarding capability disabled (i.e., the default condition is
that the host can no longer route packets between the two connected networks).
In addition, a packet filtering router can be placed at the Internet connection
to provide additional protection.
This would create an inner, screened subnet that could be used for
locating specialized systems such as information servers and modem pools.
Unlike the packet filtering firewall, the dual-homed gateway
is a complete block to IP traffic between the Internet and protected
site.
Services and access is provided by proxy servers on
the gateway.
It is a simple firewall, yet very secure.
Figure: Dual-homed Gateway Firewall with Router.
This type of firewall implements the second design policy, i.e., deny all services unless they are specifically permitted, since no services pass except those for which proxies exist. The ability of the host to accept source-routed packets would be disabled, so that no other packets could be passed by the host to the protected subnet. It can be used to achieve a high degree of privacy since routes to the protected subnet need to be known only to the firewall and not to Internet systems (because Internet systems cannot route packets directly to the protected systems). The names and IP addresses of site systems would be hidden from Internet systems, because the firewall would not pass DNS information.
A simple setup for a dual-homed gateway would be to provide proxy services for TELNET and FTP, and centralized e-mail service in which the firewall would accept all site mail and then forward it to site systems. Because it uses a host system, the firewall can house software to require users to use authentication tokens or other advanced authentication measures. The firewall can also log access and log attempts or probes to the system that might indicate intruder activity.
The dual-homed gateway firewall, as well as the screened subnet firewall
mentioned later in this chapter, provides the ability to segregate traffic
concerned with an information server from other traffic to and from the
site.
An information server could be located on the subnet between the gateway
and the router, as shown in figure .
Assuming that the gateway provides the appropriate proxy services for
the information server (e.g., ftp, gopher, or http), the router can
prevent direct Internet access to the firewall and force access to go
through the firewall.
If direct access is permitted to the server (which is the less secure
alternative), then the server's name and IP address can be advertised by
DNS.
Locating the information server there also adds to the security of the site, as
any intruder penetration of the information server would still be prevented from
reaching site systems by the dual-homed gateway.
The inflexibility of the dual-homed gateway could be a disadvantage
to some sites.
Since all services are blocked except those for which proxies exist,
access to other services cannot be opened up; systems that require
the access would need to be placed on the Internet side of the gateway.
However, a router could be used as shown in figure to create
a subnet between the gateway and the router, and the systems that require
extra services could be located there (this is discussed more in
section with screened subnet firewalls).
Another important consideration is that the security of the host system used for the firewall must be very secure, as the use of any vulnerable services or techniques on the host could lead to break-ins. If the firewall is compromised, an intruder could potentially subvert the firewall and perform some activity such as to re-enable IP routing.
[Garf92], [Ran93], and [Ches94] discuss advantages and disadvantages of dual-homed gateways used as firewalls.