Define the required defense capabilities
The firewall's monitoring, redundancy and level of control must be defined. When designing enterprise system policy, IT staff should first determine how much risk the enterprise is prepared to accept. Next, they need to list which traffic must be monitored, which traffic must be allowed through and which traffic must be rejected. In other words, IT staff first state the overall goal, then combine requirements analysis with risk assessment to pick out the requirements that run counter to the identified risks and add them to the planned work list.
Focus on financial issues
Many experts have observed that enterprise IT staff can usually only describe this issue in vague terms. It is nevertheless important to try to quantify the proposed solution in terms of the cost of buying or building it. For example, a complete high-end commercial firewall product may cost around $100,000, while a low-end product may be free of charge, and building a high-end firewall from scratch may take several months. System management overhead also has to be considered: building your own firewall is fine, but it matters that the result does not carry high maintenance and update costs.
Reflect the enterprise's system policy
IT staff need to decide whether the firewall is installed to explicitly reject every service except those essential to the network, or to let non-threatening access through while providing a way to meter and audit it. Each of these stances involves a certain degree of paranoia, and the firewall's final function may be the outcome of an administrative decision rather than an engineering one.
Network Design
For practical purposes, enterprises are currently concerned with the routing of static traffic flows between their routers and their internal networks. On that basis, several technical decisions need to be made: traffic routing control can be implemented at the IP layer by filtering rules on devices such as routers, or at the application layer through proxy gateways and services.
IT staff must decide whether to place an exposed bastion host on the external network to run proxy services such as Telnet, FTP and News, or to set up a screening router acting as a filter that allows communication only with one or more designated internal hosts. Both approaches have advantages and disadvantages: a proxy can provide a higher level of auditing and potentially better security, but at the cost of greater configuration effort and a lower level of service.
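The two policy stances described above (reject everything except essential services, or let non-threatening traffic through but meter and audit it) and the IP-layer screening router that admits traffic only to designated internal hosts can be modelled with a small first-match packet filter. The following is an added example written for this page, not code from the original article or from any firewall product; the internal network 10.0.0.0/24, the admin source range 192.0.2.0/24, the host addresses and the sample flows are all constructed for illustration.

```python
"""Added example: a first-match packet filter modelling a screening router.

Two stances from the text are built from the same rule set:
  deny_by_default_router   - reject everything not explicitly essential, log rejections
  allow_and_audit_router   - permit unmatched traffic but meter it, reject only known-bad services
All addresses, ports and flows below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One connection attempt as seen by the router."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """A filter rule; any field left as None matches everything."""
    action: str                   # "accept" or "reject"
    src: Optional[str] = None     # CIDR of permitted sources
    dst: Optional[str] = None     # CIDR of permitted destinations
    proto: Optional[str] = None
    dport: Optional[int] = None
    log: bool = False             # audit hits on this rule

    def matches(self, f: Flow) -> bool:
        if self.src is not None and ip_address(f.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(f.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True


class ScreeningRouter:
    """First-match filter with an explicit default action for unmatched traffic."""

    def __init__(self, rules, default_action: str, log_default: bool):
        self.rules = list(rules)
        self.default_action = default_action
        self.log_default = log_default
        self.audit_log = []  # metering/audit records as plain strings

    def evaluate(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                if r.log:
                    self._log(r.action, f, "rule")
                return r.action
        if self.log_default:
            self._log(self.default_action, f, "default")
        return self.default_action

    def _log(self, action: str, f: Flow, why: str) -> None:
        self.audit_log.append(f"{action.upper()} {f.proto}/{f.dport} {f.src} -> {f.dst} ({why})")


INTERNAL = "10.0.0.0/24"     # constructed internal network behind the router
ADMIN_NET = "192.0.2.0/24"   # constructed admin source range (RFC 5737 documentation prefix)

# Services judged essential by policy; everything else is decided by the default action.
ESSENTIAL = [
    Rule("accept", dst="10.0.0.25/32", proto="tcp", dport=25),                      # mail relay
    Rule("accept", dst="10.0.0.80/32", proto="tcp", dport=443),                     # public web
    Rule("accept", src=ADMIN_NET, dst=INTERNAL, proto="tcp", dport=22, log=True),  # admin SSH, audited
]


def deny_by_default_router() -> ScreeningRouter:
    """Stance 1: reject all services except the essential ones and log each rejection."""
    return ScreeningRouter(ESSENTIAL, default_action="reject", log_default=True)


def allow_and_audit_router() -> ScreeningRouter:
    """Stance 2: let unmatched traffic through but meter it; reject only known-bad services."""
    known_bad = [Rule("reject", proto="tcp", dport=23, log=True)]  # clear-text telnet
    return ScreeningRouter(known_bad + ESSENTIAL, default_action="accept", log_default=True)


SAMPLE_FLOWS = [  # constructed traffic arriving from outside the router
    Flow("203.0.113.9", "10.0.0.25", "tcp", 25),
    Flow("203.0.113.9", "10.0.0.80", "tcp", 443),
    Flow("192.0.2.10", "10.0.0.5", "tcp", 22),    # SSH from the admin range
    Flow("203.0.113.9", "10.0.0.5", "tcp", 22),   # SSH from an arbitrary outside host
    Flow("203.0.113.9", "10.0.0.5", "tcp", 23),
    Flow("203.0.113.9", "10.0.0.7", "udp", 53),
]


def classify(router: ScreeningRouter, flows) -> dict:
    """Map each flow (as a tuple) to the action the router takes on it."""
    return {(f.src, f.dst, f.proto, f.dport): router.evaluate(f) for f in flows}


if __name__ == "__main__":
    for name, router in (("deny-by-default", deny_by_default_router()),
                         ("allow-and-audit", allow_and_audit_router())):
        print(f"== {name} ==")
        for key, action in classify(router, SAMPLE_FLOWS).items():
            print(f"  {action:7} {key}")
        print("  audit log:", *router.audit_log, sep="\n    ")
```

The same essential-service rules produce very different outcomes for the outsider's SSH and DNS attempts depending only on the default action, which is the administrative decision the text refers to; the audit log shows what each stance would have to justify afterwards.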