Multifirewall Design

This design has a number of variations. It is primarily used for e-commerce or other sensitive transactions. Such transactions generally require multiple trust levels as opposed to just inside, outside, and server. One such example of this design is shown in Figure 7-7. There are many others.

Figure 7-7. Multifirewall Design

In this design, the set of trusted servers often supports transaction requests from the semitrusted servers. These semitrusted servers service requests from the untrusted servers. The untrusted servers support requests from the Internet at large. Internet users can reach only the untrusted servers directly. If attackers try to compromise trusted servers, they first must compromise the untrusted servers. From the untrusted servers, they can attack the semitrusted servers, but only on a very narrow range of ports needed to support the interaction of these two servers. If the semitrusted servers are compromised, the trusted servers can be attacked from the semitrusted servers but, again, only on a narrow range of ports.
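The tiered reachability described above can be expressed as a default-deny policy and checked mechanically. The following Python is an added example written for this page, not code from the book or from any vendor product: the zone names, the single permitted port at each boundary (443, 8443, 5432) and the audit thresholds are all constructed assumptions, since the text names the tiers but not the ports. It models each firewall boundary as a permit rule, then answers the two questions the design is built around: which zones can the Internet open connections to directly, and how many tiers an attacker would have to traverse to reach the trusted servers.

```python
from collections import deque
from dataclasses import dataclass

# Constructed zone names, ordered from least to most trusted.
ZONES = ("internet", "untrusted", "semitrusted", "trusted")


@dataclass(frozen=True)
class Rule:
    """One permit entry: connections initiated in src toward dst on proto/port."""
    src: str
    dst: str
    proto: str
    port: int


# Permit rules for the three firewall boundaries. Anything not listed is
# denied, which is what keeps the inter-tier port range narrow.
# Ports are assumed values for this example, not from the page.
POLICY = (
    Rule("internet", "untrusted", "tcp", 443),      # public web front end
    Rule("untrusted", "semitrusted", "tcp", 8443),  # application tier API
    Rule("semitrusted", "trusted", "tcp", 5432),    # database tier
)


def is_allowed(src, dst, proto, port, policy=POLICY):
    """True if the policy permits a new connection src -> dst on proto/port."""
    return any(
        r.src == src and r.dst == dst and r.proto == proto and r.port == port
        for r in policy
    )


def reachable_zones(start, policy=POLICY):
    """Zones that a host in `start` may open a connection to directly."""
    return sorted({r.dst for r in policy if r.src == start})


def shortest_path(src, dst, policy=POLICY):
    """Breadth-first search over permit rules.

    Returns the sequence of zones that would each have to be compromised
    in turn for a connection chain from src to reach dst, or None if the
    policy permits no such chain at all.
    """
    prev = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            path = []
            while zone is not None:
                path.append(zone)
                zone = prev[zone]
            return path[::-1]
        for r in policy:
            if r.src == zone and r.dst not in prev:
                prev[r.dst] = zone
                queue.append(r.dst)
    return None


def audit(policy=POLICY, max_ports_per_boundary=3):
    """Review checks for a multifirewall policy.

    Flags any rule that does not cross exactly one boundary inward (a
    tier-skipping or outbound rule) and any boundary whose permitted port
    set has grown beyond the assumed threshold.
    """
    findings = []
    order = {z: i for i, z in enumerate(ZONES)}
    for r in policy:
        if order[r.dst] - order[r.src] != 1:
            findings.append(f"rule {r} does not cross exactly one boundary inward")
    for i in range(len(ZONES) - 1):
        src, dst = ZONES[i], ZONES[i + 1]
        ports = {r.port for r in policy if r.src == src and r.dst == dst}
        if len(ports) > max_ports_per_boundary:
            findings.append(f"{src}->{dst} permits {len(ports)} ports")
    return findings


if __name__ == "__main__":
    print("Internet can reach directly:", reachable_zones("internet"))
    print("Chain needed to reach trusted:", shortest_path("internet", "trusted"))
    print("Audit findings:", audit() or "none")
```

Running the module prints that the Internet can reach only the untrusted zone, that reaching the trusted servers requires passing through all three tiers, and that the constructed policy produces no audit findings. Adding a rule such as `Rule("internet", "trusted", "tcp", 22)` to the policy makes `audit` report it immediately, which is the kind of tier-skipping entry a change review of a multifirewall design should catch.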

Some security professionals have advocated using firewalls from multiple vendors to increase security. The line of reasoning is that even if a vulnerability exists in one firewall, it might not exist in another. This was sound reasoning back in the early 1990s, when firewalls were the one and only network security tool available. Today you have many tools, and each of them adds more to your security system than a second or third firewall from a different vendor that has the same basic capabilities. In addition, maintaining security policy and aggregating log events is hard enough with a single vendor, let alone trying to do it with multiple vendors.
