Define the defensive capabilities that are required
The required level of monitoring, redundancy, and control for the firewall must be defined. When designing enterprise system policy, IT staff determine how much risk the enterprise is willing to accept (how paranoid it is). They then draw up a list of which traffic must be monitored, which traffic must be allowed, and which traffic must be rejected. In other words, IT staff first state the overall goals, then combine the requirements analysis with the risk assessment, singling out the requirements that conflict with the accepted level of risk and adding them to the planned work list.
Focus on financial issues
Many experts suggest that an enterprise's IT staff can only discuss the problem in vague terms. However, it is important to quantify the proposed solution by what it costs to purchase or implement. For example, a high-end product with a complete firewall could cost 100,000 dollars, while low-end products can be free; building a high-end firewall from scratch could take months. System administration overhead must also be considered. Building a home-grown firewall is fine, but the firewall must not carry high maintenance and update costs.
Reflect the enterprise's system strategy
IT personnel need to understand whether the firewall, once installed, is meant to reject everything explicitly except the services that are critical to network connectivity, or whether it is instead meant to provide a way to measure and audit access to "Marin" that is not itself a threat. There is some degree of paranoia in these choices, and the final function of the firewall may be the result of administrative rather than engineering decisions.
Network design
For practical purposes, the enterprise is concerned with the static traffic-routing service between the router and its internal network. Based on this, several technical decisions must be made: the traffic-routing service can be implemented at the IP layer, through filtering rules on devices such as routers, or at the application layer, through proxy gateways and services.
The decision IT staff must make is whether to place exposed, minimal machines on the external network to run proxy services for Telnet, FTP, news, and so on, or to set up a screening router acting as a filter that permits communication with one or more internal computers. Both approaches have advantages and disadvantages: proxies can provide a higher level of auditing and potentially better security, but at the cost of greater configuration effort and a reduced level of service.
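As an added example (not code from the original text), here is a small Python packet filter in the style of the IP-layer filtering rules described above: a default-deny rule set whose actions correspond to the policy's three lists (monitored, allowed, rejected), plus the screening check a filtering router applies to packets that arrive from outside with an internal source address. All addresses, hosts, rules and names are constructed assumptions, not taken from any real product.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example: a minimal IP-layer packet filter with a default-deny posture.
# Each rule maps traffic to one of the policy's three lists: ALLOW, REJECT,
# or MONITOR (allow + log). All addresses and ports are constructed samples.

INTERNAL = ip_network("10.0.0.0/8")          # assumed internal address space

# (source network, destination network, protocol, destination port, action);
# evaluated top to bottom, first match wins; None matches any port.
RULES = [
    ("0.0.0.0/0", "10.0.1.10/32", "tcp", 25, "MONITOR"),   # inbound mail, logged
    ("0.0.0.0/0", "10.0.1.20/32", "tcp", 80, "ALLOW"),     # public web server
    ("10.0.0.0/8", "0.0.0.0/0", "tcp", 23, "REJECT"),      # no outbound telnet
    ("10.0.0.0/8", "0.0.0.0/0", "tcp", None, "ALLOW"),     # other outbound tcp
]

@dataclass(frozen=True)
class Packet:
    iface: str          # "ext" or "int": interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: Optional[int]

def evaluate(pkt: Packet, rules=RULES, log: Optional[list] = None) -> str:
    """Return "ALLOW" or "REJECT"; monitored and rejected packets go to log."""
    log = log if log is not None else []
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # Screening check: an internal source address arriving on the external
    # interface is spoofed and is dropped before any rule is consulted.
    if pkt.iface == "ext" and src in INTERNAL:
        log.append(("SPOOF", pkt))
        return "REJECT"
    for src_net, dst_net, proto, port, action in rules:
        if src not in ip_network(src_net) or dst not in ip_network(dst_net):
            continue
        if proto != pkt.proto or (port is not None and port != pkt.dport):
            continue
        if action == "MONITOR":
            log.append(("MONITOR", pkt))
            return "ALLOW"
        if action == "REJECT":
            log.append(("REJECT", pkt))
        return action
    log.append(("DEFAULT-DENY", pkt))   # nothing matched: explicit reject
    return "REJECT"
```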