How can I deploy a firewall correctly?

Source: Internet
Author: User

In actual deployments, a firewall is usually placed at the gateway, that is, at the "intermediate separation point" between the internal and external networks. Even in this position there are many deployment methods and many "traps". This article analyzes several of them.

Please read full text: http://netsecurity.51cto.com/art/201105/261341.htm

 


Solution 1: Incorrect firewall deployment method

The traditional firewall deployment method may seem very simple to everyone: the firewall is deployed between the external network and the internal network. If the internal network contains shared resources such as FTP servers and Web servers, this is a very dangerous deployment method, as shown in Figure 1. The reason is simple. Once these shared servers are attacked and infected with Trojans or viruses, the clients and resources on the internal network are no longer secure. In this case the Trojans and viruses already exist inside the internal network, and the clients and the shared resource servers are in the same network segment. This amounts to a security risk inside the Intranet that the firewall cannot do anything about, so the deployment loses its purpose.


Figure 1 incorrect firewall deployment Method
 

Solution 2: Use DMZ

A popular and correct method is the DMZ firewall deployment, as shown in Figure 2. That is, a NIC is added to the firewall to strictly isolate the servers providing external services from the clients on the Intranet. In this way, even if security risks and vulnerabilities occur in the DMZ, the harm to the internal network can be well controlled, which avoids the disadvantages of Solution 1.


Figure 2 firewall deployment using DMZ
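
The difference between Solutions 1 and 2 can be checked with a small model. This is an added example, not part of the original article; the addresses, zone names, rule format and the port used for the internal service are constructed assumptions.

```python
import ipaddress

def zone_of(ip, zones):
    """Return the zone (firewall interface) whose subnet contains ip, else 'wan'."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in zones.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "wan"

def verdict(src, dst, dport, zones, rules):
    """Decide the fate of a new connection src -> dst:dport.

    Hosts in the same zone share a segment, so the traffic is switched
    directly and never reaches the firewall ('bypass'). Otherwise the first
    matching (src_zone, dst_cidr, port, action) rule wins; default is drop.
    """
    sz, dz = zone_of(src, zones), zone_of(dst, zones)
    if sz == dz:
        return "bypass"
    daddr = ipaddress.ip_address(dst)
    for r_zone, r_dst, r_port, action in rules:
        if (r_zone == sz and daddr in ipaddress.ip_network(r_dst)
                and r_port in (dport, "any")):
            return action
    return "drop"

# Constructed addressing (assumption, not taken from the article).
CLIENT, INTERNET = "10.0.1.50", "198.51.100.7"
WEB_FLAT, WEB_DMZ = "10.0.1.10", "10.0.2.10"

# Solution 1: public servers and clients share the internal segment.
FLAT_ZONES = {"lan": "10.0.1.0/24"}
FLAT_RULES = [("wan", "10.0.1.10/32", 80, "accept"),
              ("wan", "10.0.1.10/32", 21, "accept"),
              ("lan", "0.0.0.0/0", "any", "accept")]

# Solution 2: a third NIC puts the public servers in their own zone.
DMZ_ZONES = {"lan": "10.0.1.0/24", "dmz": "10.0.2.0/24"}
DMZ_RULES = [("wan", "10.0.2.10/32", 80, "accept"),
             ("wan", "10.0.2.10/32", 21, "accept"),
             ("dmz", "10.0.1.0/24", "any", "drop"),
             ("lan", "0.0.0.0/0", "any", "accept")]

def server_to_client(web_ip, zones, rules, port=445):
    """Fate of a connection opened by a compromised public server to a client."""
    return verdict(web_ip, CLIENT, port, zones, rules)

if __name__ == "__main__":
    print("flat:", server_to_client(WEB_FLAT, FLAT_ZONES, FLAT_RULES))
    print("dmz: ", server_to_client(WEB_DMZ, DMZ_ZONES, DMZ_RULES))
```

In the flat layout the server-to-client connection is reported as `bypass`, meaning no firewall rule can affect it; in the DMZ layout the same connection crosses the firewall and is dropped.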
 

Solution 3: Use DMZ + two firewalls

To strengthen the security of Solution 2, some enterprises have optimized the architecture in Figure 2 into the architecture in Figure 3, that is, a DMZ plus two firewalls. When selecting firewalls for this structure, products from two different companies should be used wherever possible, so as to take full advantage of this architecture.


Figure 3 deployment method using DMZ + two firewalls

Solution 4: Transparent firewall

In the previous solutions, the firewall itself acts as a router, so you must carefully consider routing when using it. If the network environment is complex or needs to be adjusted, the corresponding routes have to be changed, and maintenance and operations are difficult and labor-intensive.

A transparent firewall solves this problem better (Figure 4). This type of firewall is a bridge device that provides filtering capabilities on the bridge. Because a bridging device works at the second layer of the OSI model, that is, the data link layer, there are no routing problems. In addition, the firewall itself does not need to be assigned an IP address. Its ease of deployment and its stealth are therefore quite strong, and it copes better with attacks on the firewall itself, because it is difficult for hackers to obtain an accessible IP address.


Figure 4 Transparent firewall deployment

This article is from the blog "excellence begins with the foot" and will not be reproduced!
