| Conditions | Functions to use |
| --- | --- |
| No zoning architecture is in use | Use firewall functions in a reactive mode only. |
| The separation is between a DMZ and an internal zone | Use network address translation (NAT). |
| The separation is used to defend a low surety server | Use proxy servers. |
| The separation is between different servers in the DMZ | Use demilitarized zone (DMZ) subzones. |
| A zoning architecture is in use | Use access control lists (ACLs). |
| A layered zoning architecture is used | Use session initiation and directional controls. |
| The separation defends a medium or high risk zone with standard characteristics | Use stateful inspection. |
| The separation defends a high risk zone or system | Use application-specific input and output state controls. |
| The separation defends a high risk system with well-defined limited interactions | Use limited function interfaces. |
| Scanning through the firewall is not required from the source | Use passive deception. |
Use firewall functions in a reactive mode only.
Firewalls are sometimes used purely as a response mechanism, to assure that, if an incident occurs, some control point exists at which traffic can be blocked or redirected. If no zoning approach is in use, this is a reasonable use of a firewall: there is no architecture for it to enforce, so its value lies in what can be done with it once an incident has been detected.
Use network address translation (NAT).
The simplest and most common firewall technique is NAT. In NAT a single external IP address is shared by many internal machines for access to the Internet (the number is bounded by the port numbers available on the external address rather than unlimited, but the limit rarely matters for a business). This lowers ISP fees in many cases by reducing the number of public addresses the business needs, and it makes a change of ISP quicker and easier than it would otherwise be, since only the external address changes. It also has a protective side effect. Because every internal connection is translated to the one external address and a port on it, a packet from the outside is delivered to an internal machine only if it matches a translation entry created by an earlier outbound connection (or a static port forward the administrator configured). An attacker has no route to an internal address and no way to open a connection to it, so most Internet worms that spread by connecting to listening services, and other attacks that begin with an inbound connection, fail. NAT does nothing about traffic the internal machines initiate themselves (a worm that arrives by e-mail or by a download from an infected site is unaffected), and every port forward re-exposes the machine behind it exactly as if it were on the Internet.
Use demilitarized zone (DMZ) subzones.
DMZ subzones partition the systems within the DMZ from each other, so that an attacker who compromises one DMZ system does not thereby gain unrestricted network access to the other DMZ systems; the effects of the attack are contained to the subzone in which it occurred.
Use proxy servers.
Proxy servers terminate the client's connection and rebuild the request on the far side: they rewrite datagrams, normalize content, perform other inspection and normalization functions, and audit and surveil content. They are particularly important when the systems they protect have inadequate controls over datagram-level attacks (malformed or ambiguous input the server cannot be trusted to handle) or are not updated immediately when new vulnerabilities are found, because the proxy rejects such input before the server sees it.
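The normalizing behaviour described above, as an added example that is not code from the original text: a proxy front end that parses a minimal HTTP/1.1 request, rejects what it cannot interpret unambiguously, regenerates the request from the parsed fields rather than forwarding the client's bytes, and writes an audit record for every decision. The request format handled, the rejection rules, and the sample requests are constructed assumptions for illustration.

```python
"""Normalizing, auditing request proxy (added example; constructed rules)."""
import posixpath
import re
from urllib.parse import unquote

class RejectedRequest(Exception):
    pass

ALLOWED_METHODS = {"GET", "HEAD"}          # assumed: this proxy fronts a read-only service
MAX_HEADER_COUNT = 32
HEADER_NAME = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # RFC 7230 token characters

def _normalize(raw: bytes) -> bytes:
    try:
        text = raw.decode("ascii")                          # non-ASCII bytes never pass
    except UnicodeDecodeError:
        raise RejectedRequest("non-ascii bytes")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        raise RejectedRequest("no end of headers")
    if body:
        raise RejectedRequest("request bodies are not accepted")
    stripped = head.replace("\r\n", "")
    if "\r" in stripped or "\n" in stripped:               # bare CR/LF: header injection
        raise RejectedRequest("bare CR or LF in header block")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in ALLOWED_METHODS or parts[2] != "HTTP/1.1":
        raise RejectedRequest("bad request line")
    method, target = parts[0], parts[1]
    if not target.startswith("/"):
        raise RejectedRequest("target must be an absolute path")
    path, _, query = target.partition("?")
    path = unquote(path)                                    # exactly one round of decoding
    # A '%' left after one decode means double encoding; a space or control
    # character would break the request line we regenerate below.
    if "%" in path or any(ord(c) <= 0x20 or ord(c) == 0x7f for c in path):
        raise RejectedRequest("ambiguous encoding or control character in path")
    if any(seg == ".." for seg in path.split("/")):
        raise RejectedRequest("path traversal")
    path = posixpath.normpath(path)                         # collapses '//' and '/./'
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not HEADER_NAME.fullmatch(name):
            raise RejectedRequest("malformed header")
        name = name.lower()
        if name in headers:                                 # duplicates are ambiguous
            raise RejectedRequest("duplicate header " + name)
        headers[name] = value.strip()
    if len(headers) > MAX_HEADER_COUNT:
        raise RejectedRequest("too many headers")
    if "host" not in headers:
        raise RejectedRequest("missing host")
    if "transfer-encoding" in headers or headers.get("content-length", "0") != "0":
        raise RejectedRequest("body framing headers on a bodiless request")
    # Regenerate from parsed fields; the client's original bytes are not forwarded.
    out = f"{method} {path}{'?' + query if query else ''} HTTP/1.1\r\n"
    out += "".join(f"{n}: {v}\r\n" for n, v in sorted(headers.items()))
    return (out + "\r\n").encode("ascii")

def normalize(raw: bytes, audit: list) -> bytes:
    """Normalize one request, appending an audit record whether it passes or not."""
    first_line = raw.split(b"\r\n", 1)[0][:120].decode("ascii", "replace")
    try:
        rebuilt = _normalize(raw)
    except RejectedRequest as e:
        audit.append({"request": first_line, "decision": "reject", "reason": str(e)})
        raise
    audit.append({"request": first_line, "decision": "accept",
                  "forwarded": rebuilt.split(b"\r\n", 1)[0].decode("ascii")})
    return rebuilt

def run_scenario():
    """Constructed sample requests; returns ([(outcome, detail), ...], audit_log)."""
    audit = []
    samples = [
        b"GET /api//items/./list?id=7 HTTP/1.1\r\nHost: app.internal\r\nUser-Agent: x\r\n\r\n",
        b"GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: app.internal\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: app.internal\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: app.internal\nX-Injected: 1\r\n\r\n",
        b"GET /a%252e%252e/b HTTP/1.1\r\nHost: app.internal\r\n\r\n",
    ]
    results = []
    for raw in samples:
        try:
            results.append(("accept", normalize(raw, audit)))
        except RejectedRequest as e:
            results.append(("reject", str(e)))
    return results, audit
```

The strictness (no bodies, one decoding round, rejection of anything with a percent sign left over) is a deliberate assumption for a proxy in front of a server that cannot be trusted with ambiguous input; a general-purpose proxy would need to handle bodies and chunked framing explicitly rather than refuse them.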
Use access control lists (ACLs).
ACLs limit the address and port pairs that can communicate through the firewall. Any time such limits can reasonably be put in place, they should be: there is no legitimate reason for unauthorized communication to take place, and restricting it reduces the surface area, in terms of addresses and ports, that is available both for attack and for configuration errors. The rule set should therefore deny by default and list only the permitted pairs. When attackers try to exploit further systems after entry, an ACL also limits their ability to explore and reach those systems.
Use session initiation and directional controls.
Session initiation controls assure that the paths traffic takes are limited to authorized information flows: a session may be opened only in the permitted direction between zones, and replies are admitted only as part of a session opened that way. Directional controls of this kind also compensate for misconfigurations elsewhere and, when attackers try to exploit systems after entry, limit their ability to open connections toward other zones and so to explore and exploit other systems.
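The two preceding controls together, as an added example that is not code from the original text: a default-deny ACL keyed on zone, protocol and port, with session initiation checked only on the packet that opens a session, so that replies flow back along a permitted session while a compromised DMZ host cannot open anything inward beyond the one rule that names it. The zone ranges, hosts, ports and policy rows are constructed assumptions.

```python
"""Zone ACL with session initiation (directional) control (added example)."""
from ipaddress import ip_address, ip_network

# Assumed zone map; checked in order, 'internet' is the catch-all.
ZONES = [
    ("internal", ip_network("10.0.0.0/8")),
    ("dmz", ip_network("192.0.2.0/24")),
    ("internet", ip_network("0.0.0.0/0")),
]

def zone_of(addr):
    a = ip_address(addr)
    return next(name for name, net in ZONES if a in net)

# Initiation ACL rows: (source zone, destination zone, protocol, destination port).
# A session may be opened only in a listed direction; everything else is denied.
ACL = [
    ("internet", "dmz", "tcp", 443),       # public web
    ("internal", "dmz", "tcp", 443),       # staff to the same web server
    ("internal", "internet", "tcp", 443),  # outbound browsing
    ("dmz", "internal", "tcp", 5432),      # web server to database, the only inward rule
]
# Narrowing of a row to named source hosts, so the inward rule cannot be used
# by an arbitrary compromised DMZ machine.
SOURCE_HOSTS = {("dmz", "internal", 5432): {"192.0.2.10"}}

class Firewall:
    def __init__(self):
        self.flows = set()   # 5-tuples of sessions whose opening packet was allowed

    def decide(self, src, sport, dst, dport, proto, opens_session):
        """Return 'allow' or 'deny' for one packet.

        opens_session marks the packet that starts a session (for TCP, a SYN
        without ACK). Only those packets are checked against the ACL; every
        other packet is admitted only if it belongs to a session already opened
        in the permitted direction, which is what lets replies through.
        """
        fwd = (src, sport, dst, dport, proto)
        rev = (dst, dport, src, sport, proto)
        if not opens_session:
            return "allow" if fwd in self.flows or rev in self.flows else "deny"
        sz, dz = zone_of(src), zone_of(dst)
        if (sz, dz, proto, dport) not in ACL:
            return "deny"                         # default deny
        hosts = SOURCE_HOSTS.get((sz, dz, dport))
        if hosts is not None and src not in hosts:
            return "deny"
        self.flows.add(fwd)
        return "allow"

def run_scenario():
    """Constructed packet sequence; returns the firewall's decisions in order."""
    fw = Firewall()
    packets = [
        ("10.1.1.5", 40001, "192.0.2.10", 443, "tcp", True),      # staff opens HTTPS to the DMZ
        ("192.0.2.10", 443, "10.1.1.5", 40001, "tcp", False),     # reply on that session
        ("192.0.2.10", 50000, "10.1.1.5", 22, "tcp", True),       # compromised DMZ host tries SSH inward
        ("192.0.2.10", 50001, "10.2.0.7", 5432, "tcp", True),     # web server to database: permitted
        ("192.0.2.33", 50002, "10.2.0.7", 5432, "tcp", True),     # other DMZ host, same port: wrong source
        ("198.51.100.9", 1234, "192.0.2.10", 443, "tcp", False),  # no session opened: ACK-scan style probe
        ("198.51.100.9", 1235, "192.0.2.10", 443, "tcp", True),   # public client opens HTTPS: permitted
    ]
    return [fw.decide(*p) for p in packets]
```

The flow set is what makes the control directional: the database rule permits the DMZ web server to open a session inward, but the SSH attempt in the third packet and the probe in the sixth have no matching row or session and are dropped.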
Use stateful inspection.
Stateful inspection costs processing time and memory (the firewall keeps an entry for every connection it tracks) and has value only when the firewall can properly interpret the state in light of other information. For protocol-level events, such as replies arriving when no original datagram was sent, it is very useful in limiting reconnaissance and other low-level problems; but when NAT or similar measures are in place, such traffic is normally dropped anyway, because the translator already keeps per-connection state and has no mapping for an unsolicited packet.
Use application-specific input and output state controls.
Application-specific input and output state controls mitigate the lack of adequate controls in the applications running on servers. Unless the applications are already properly designed and implemented to accept only proper inputs in proper states, such controls reduce the number of application exploits available to the attacker. The fundamental notion is that input should be checked as a function of state at each point where input could cause harm, and only known valid inputs should be allowed to pass; an input that would be acceptable in one state is rejected when it arrives in another. At a minimum such checks should include minimum and maximum length and the allowed symbols.
Use limited function interfaces.
Limited function interfaces are used where separation would normally be required but some specific control, sensing, or actuation function has to cross the boundary. A typical example is a manufacturing facility that must send out status information from an older system that only responds to requests, where those requests have to be limited because the system cannot be upgraded to protect itself against exploits. A limited function interface exposes only the few operations actually needed and constrains the inputs to each, so that the function is retained while the inputs that can reach the old system are limited to ones known to be safe.
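The manufacturing example above, as an added example that is not code from the original text: the outside world never composes a request to the old controller, it can only select one of a fixed set of pre-built requests, and only fixed fields of the response are passed back out. The legacy status protocol (text "STATUS <unit>" requests answered with "name=value" lines), the unit names, and the in-process stand-in for the controller are constructed assumptions.

```python
"""A limited function interface in front of a legacy request/response system
(added example; the protocol and the controller stand-in are constructed)."""

# The complete set of requests the interface will ever send. Each is a finished
# byte string; no external input is ever spliced into one.
REQUESTS = {
    "press-1": b"STATUS PRESS01\r\n",
    "press-2": b"STATUS PRESS02\r\n",
    "oven":    b"STATUS OVEN1\r\n",
}
# The only response fields that leave the zone.
EXPORTED_FIELDS = ("state", "temp_c")

def legacy_system(request: bytes) -> bytes:
    """Stand-in for the old controller. It trusts its input completely, which
    is why it must never be exposed directly."""
    table = {
        b"STATUS PRESS01\r\n": b"unit=PRESS01 state=RUN temp_c=41 opkey=7731\r\n",
        b"STATUS PRESS02\r\n": b"unit=PRESS02 state=IDLE temp_c=22 opkey=7732\r\n",
        b"STATUS OVEN1\r\n":   b"unit=OVEN1 state=RUN temp_c=212 opkey=9001\r\n",
    }
    return table.get(request, b"ERR\r\n")

def get_status(unit_id: str, send=legacy_system) -> dict:
    """The one operation exposed across the boundary.

    unit_id must be a key of REQUESTS; anything else is refused before the
    legacy system is touched. The reply is parsed into a fixed schema and only
    the exported fields are returned, so values such as the operator key in
    the raw reply never leave the zone.
    """
    if unit_id not in REQUESTS:
        raise ValueError("unknown unit")          # refuse rather than build a request
    raw = send(REQUESTS[unit_id])
    fields = dict(kv.split(b"=", 1) for kv in raw.strip().split(b" ") if b"=" in kv)
    result = {}
    for name in EXPORTED_FIELDS:
        value = fields.get(name.encode("ascii"))
        if value is None:
            raise ValueError("legacy reply missing " + name)
        result[name] = value.decode("ascii")
    result["temp_c"] = int(result["temp_c"])      # schema check: must be an integer
    return result

def attempt(unit_id: str):
    """Try one request and record what actually reached the legacy system.
    Returns (ok, payload_or_error, requests_sent)."""
    sent = []
    def recording_send(req):
        sent.append(req)
        return legacy_system(req)
    try:
        return True, get_status(unit_id, send=recording_send), sent
    except ValueError as e:
        return False, str(e), sent
```

The interface retains the one function the facility needs (reading status) while the set of byte strings the old controller can ever receive is exactly the three listed, whatever the caller sends.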
Use passive deception.
Unless there is a specific reason to allow scanning of one portion or location of the network from another, passive deception (answering probes across the boundary in a way that does not reveal which addresses and services actually exist) has essentially no cost and substantial benefit in reducing the intelligence an attacker can gather across zones and subzones, and it should be applied.