Network Layouts with Firewalls

This chapter is part of the guide about “Firewalls and Firewall Policy in your Network”. The starting chapter is Firewalls and Network Architectures.

In the figure below you can see a typical network layout with a hardware firewall device acting as a router. The unprotected side of the firewall connects to the single path labeled “WAN,” and the protected side connects to three paths labeled “LAN1,” “LAN2,” and “LAN3.” The firewall acts as a router for traffic between the Wide Area Network (WAN) path and the Local Area Network (LAN) paths.

Simple Routed Network with Firewall Device

Many hardware firewall devices have a feature called a DMZ (demilitarized zone). A DMZ is one of the most common security zones you’ll encounter. While no single technical definition exists for firewall DMZs, a DMZ is an area in a network that allows restricted access to untrusted users and isolates the internal network from access by external users and systems. It does so by using routers and firewalls to limit access to sensitive network resources.

The major difference between a DMZ interface and the other interfaces on the protected side of the firewall is that traffic moving between the DMZ and those interfaces still goes through the firewall and can have firewall protection policies applied.

An example of this is the figure below, a simple network layout of a firewall with a DMZ. Traffic from the Internet goes into the firewall, and is routed to systems on the firewall’s protected side or to systems on the DMZ. Traffic between systems on the DMZ and systems on the protected network goes through the firewall, and can optionally have firewall policies applied.

Firewall DMZ

Most network architectures are hierarchical, meaning that a single path from an outside network splits into multiple paths on the inside network—and it is generally most efficient to place a firewall at the node where the paths split. This has the advantage of positioning the firewall where there is no question as to what is “outside” and what is “inside.” However, there may be reasons to have additional firewalls on the inside of the network, such as to protect one set of computers from another.

If a network’s architecture is not hierarchical, the same firewall policies should be used on all ingresses to the network. In many organizations, there is only supposed to be one ingress to the network, but other ingresses are set up on an ad-hoc basis, often in ways that are not allowed by overall policy. In these situations, if a properly configured firewall is not placed at each entry point, malicious traffic that would normally be blocked by the main ingress can enter the network by other means.

The network in the figure below is similar to the first figure above (Simple Routed Network with Firewall Device), except that a user has added an unauthorized connection in LAN2. This connection might be an accidental wireless connection from a network run by a neighbor—or it may have been set up intentionally to avoid specific policies on the firewall. Regardless of the reason, the connection allows traffic that did not pass through the firewall to traverse the network and have access to LAN1, LAN2, and LAN3.
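The two layout points above, that DMZ-to-LAN traffic still crosses the firewall and can be policed, while traffic arriving over the unauthorized LAN2 connection either never touches the firewall or is seen by it as internal LAN2 traffic, can be checked against a topology model. The following Python is an added example, not code from the original page; the node names, the links and the choice of the WAN link as the ingress checkpoint are constructed assumptions.

```python
from collections import deque

# Constructed topology modelled on the page's figures (added example, not from the
# page). Nodes are segments or devices, edges are links. The firewall routes between
# WAN, LAN1..LAN3 and the DMZ; "rogue_link" is the unauthorized connection in LAN2.
TOPOLOGY = {
    "internet": {"wan"},
    "wan": {"internet", "firewall"},
    "firewall": {"wan", "lan1", "lan2", "lan3", "dmz"},
    "lan1": {"firewall"},
    "lan2": {"firewall", "rogue_link"},
    "lan3": {"firewall"},
    "dmz": {"firewall"},
    "rogue_link": {"lan2", "neighbor_net"},
    "neighbor_net": {"rogue_link"},
}
OUTSIDE = {"internet", "neighbor_net"}       # networks the organization does not control
INSIDE = {"lan1", "lan2", "lan3", "dmz"}      # segments the firewall is meant to protect
WAN_INGRESS = frozenset({"wan", "firewall"})  # the link where ingress policy is enforced

def find_path(topology, src, dst, blocked=frozenset()):
    """BFS for a path from src to dst that never crosses the link `blocked`; None if absent."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in topology[path[-1]]:
            if nxt not in seen and frozenset({path[-1], nxt}) != blocked:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def firewall_zone_pair(path):
    """(ingress zone, egress zone) as the firewall sees the traffic; None if the
    firewall is not on the path at all, so no policy can be applied."""
    if not path or "firewall" not in path:
        return None
    i = path.index("firewall")
    return (path[i - 1], path[i + 1])

def audit_ingresses(topology, outside=OUTSIDE, inside=INSIDE):
    """Outside-to-inside routes that avoid the WAN ingress link, keyed by (src, dst),
    with the path and the zone pair the firewall would (wrongly) evaluate it under."""
    findings = {}
    for src in sorted(outside):
        for dst in sorted(inside):
            path = find_path(topology, src, dst, blocked=WAN_INGRESS)
            if path:
                findings[(src, dst)] = (path, firewall_zone_pair(path))
    return findings
```

An empty result from audit_ingresses means every outside network reaches the inside only through the WAN ingress; a finding whose zone pair is not None is traffic the firewall evaluates as internal (here LAN2-to-LAN1) rather than under the WAN ingress policy, and a finding with None never reaches the firewall at all.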

Network with a Second Connection from the Outside



14 Responses to “Network Layouts with Firewalls”

  1. Kary says:

    In which areas should a computer security plan focus?

  2. admin says:

    1) Physical security
    2) Operational security
    3) Management and policies

  3. Alex says:

    What is a Mandatory Access Control (MAC) model?

  4. admin says:

    The Mandatory Access Control (MAC) model is a static model that uses a predefined set of access privileges for files on the system. The system administrators establish these parameters and associate them with an account, files, or resources.

  5. Alex says:

    What is the difference between the Discretionary Access Control (DAC) model and the Mandatory Access Control (MAC) model?

  6. admin says:

    The difference between DAC and MAC is that labels are not mandatory but can be applied as needed. The DAC model allows a user to share a file or use a file that someone else has shared.

  7. Row says:

    What factors are at the base of an authentication system?

  8. admin says:

    1) Something you know, such as a password or PIN
    2) Something you have, such as a smart card or an identification device
    3) Something physically unique to you, such as your fingerprints or retinal pattern

  9. LKL says:

    What is PAP?

  10. admin says:

    PAP means Password Authentication Protocol and it’s one of the simplest forms of authentication.

  11. Robin says:

    What areas does security topology cover?

  12. admin says:

    1) Design goals
    2) Security zones
    3) Technologies
    4) Business requirements

  13. Alex says:

    What are intranets?

  14. admin says:

    Intranets are private networks implemented and maintained by an individual company or organization.

  15. Ken says:

    Interesting post.

  16. P. Silva says:

    A very good article about Network Layouts with Firewalls.

Copyright © 2008 Home Automation - JAEC - All the rights reserved