Firewall Deployment Architecture

Firewall is the first layer of protection to your internal network. Depending on the security strategy of the organization, firewalls can be deployed at different layers in the network. The following deployment scenarios are the most common.

Option 1: Bastion Host

This is the basic option where the firewall is placed in between the internal and external network as shown in Figure 10-13. This topology is well suited for simple networks. This has a single boundary, hence, once someone penetrates the firewall, they have gained unrestricted access to the protected network.

Figure 10-13. Bastion Host

Option 2: Staging Area or Demilitarized Zone (DMZ)

This topology allows organizations to host servers which face the internet directly, and separates the trusted network and the Internet (see Figure 10-14), thus allowing the users to access the internet securely. If a malicious user manages to compromise the firewall, he or she will not have access to the intranet services (provided the firewall is properly configured). This is the most commonly deployed architecture. The DMZ hosts all the servers offering public services, which face the Internet. The private zone contains all internal network resources such as the file server, the application server, the database servers, user workstations, and printers, which do not have any business connecting to the Internet. The DMZ zone hosts your public Web server, mail server, DNS servers, and other similar systems.

Figure 10-14. Multiple Firewall Deployment DMZ

As more and more of the networks grow, the need to create a zone to protect internal assets has become imminent. Hence, many deployments now have a separate zone called Demilitarized Zone (DMZ) to separate the internal assets and the assets connecting to the Internet.

Multiple Firewall

In this scenario, you will deploy two or more firewalls to create two or more zones, as shown in Figure 10-15. Since you have more zones, the network is more secured and you can plan your organization security policy better. One division is to place your sensitive resources in a separate zone, for example, all accounting and finance servers in one zone, public facing servers such as the Web server, the Mail server, and the DNS server in a more secured DMZ zone. Systems that provide services to the general public (web server) may be placed in a different zone than systems which offer authenticated users services such as intranet applications.

Figure 10-15. Multiple Firewall Architecture

< Prev   CONTENTS   Next >