
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
21
Chapter 2
CHAPTER 2
Designing Perimeter
Networks
A well-designed perimeter network (the part or parts of your internal network that
have direct contact with the outside world—e.g., the Internet) can prevent entire
classes of attacks from even reaching protected servers. Equally important, it can pre-
vent a compromised system on your network from being used to attack other sys-
tems. Secure network design is therefore a key element in risk management and
containment.
But what constitutes a “well-designed” perimeter network? Since perimeter net-
works always involve firewalls, you might be tempted to think that a well-configured
firewall equals a secure perimeter, but there’s a bit more to it than that. In fact,
there’s more than one “right” way to design the perimeter, and this chapter describes
several. One simple concept, however, drives all good perimeter network designs:
systems that are at a relatively high risk of being compromised should be segregated
from the rest of the network. Such segregation is, of course, best achieved (enforced)
by firewalls and other network access-control devices.
This chapter, then, is about creating network topologies that isolate your publicly
accessible servers from your private systems while still providing those public sys-
tems some level of protection. ...