Although every firewall implementation is unique, there are a couple of fundamental designs from which virtually all firewall implementations are derived. The first question to ask when implementing a firewall is whether the firewall is going to be located at a central location or a remote location. When you have answered that question, you need to examine the resources that need to be protected. With that in mind, the next step is to determine how many demilitarized zones (DMZs), if any, need to be implemented. Although most of these design questions are based on protecting internal resources, they should be applied equally to the question of how the firewall will screen Internet access for your internal resources, essentially protecting the Internet from your systems, while at the same time enabling you to restrict and filter the kinds of Internet-based traffic that will be allowed from your internal resources.

Central Office

Although referred to as a central office implementation, the key to this implementation is not necessarily that it exists at the central office. Rather, the central office implementation refers to an implementation that has a number of common elements:
As a result, the central office implementation is applicable in any environment that matches these elements. For example, many large companies have multiple locations that would all warrant the central office design, because there may be two or more "hub" locations with a high concentration of users, resources, and administrators. The central office implementation tends to be more complex than the remote office implementation and tends to utilize higher-end hardware and software to achieve the objective of protecting resources. For example, the central office may utilize multiple firewalls in a dual-firewall implementation to protect resources and may have multiple firewalls implemented in a task-specific fashion. You might have a separate Internet-screening firewall, web-application firewall, and e-mail-filtering firewall. Central office implementations are also frequently underpinned by more advanced firewalls, such as Cisco Secure PIX Firewalls, NetScreen, Check Point, or Microsoft ISA Server, as opposed to smaller Network Address Translation (NAT) routers or small office/home office (SOHO) firewall products. As a general rule, the central office implementation tends to provide the most hardened and secure firewall implementation.

Remote Office

The remote office implementation tends to revolve around a simpler, point-solution design. As opposed to the central office, remote offices typically have few technical resources at the location with the expertise required to effectively manage and maintain a firewall. Remote offices also rarely have internal resources that must be accessed by remote sources, which means that the firewall implementation is often little more than an Internet-screening firewall, keeping all Internet sources from accessing internal resources and restricting Internet access by internal resources.
Although the central office implementation lends itself to protecting literally thousands of users and resources, the remote office implementation is really only effective at protecting a relatively small number of users and resources, generally fewer than 100. Consequently, the remote office implementation lends itself to the use of SOHO firewall solutions ranging from lower-end firewalls such as the Cisco PIX 506E, NetScreen 5, or NetScreen 25 all the way down to basic NAT filtering routers such as some of the Linksys or D-Link product lines.